This is the accessible text file for GAO report number GAO-09-518 entitled 'Military Readiness: DOD Needs to Strengthen Management and Oversight of the Defense Readiness Reporting System' which was released on September 25, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Subcommittee on Readiness and Management Support, Committee on Armed Services, U.S. Senate: United States Government Accountability Office: GAO: September 2009: Military Readiness: DOD Needs to Strengthen Management and Oversight of the Defense Readiness Reporting System: Military Readiness: GAO-09-518: GAO Highlights: Highlights of GAO-09-518, a report to the Subcommittee on Readiness and Management Support, Committee on Armed Services, U.S. Senate. Why GAO Did This Study: The Department of Defense (DOD) reports data about the operational readiness of its forces. In 1999, Congress directed DOD to create a comprehensive readiness system with timely, objective, and accurate data. In response, DOD started to develop the Defense Readiness Reporting System (DRRS). After 7 years, DOD has incrementally fielded some capabilities, and, through fiscal year 2008, reported obligating about $96.5 million. GAO was asked to review the program including the extent that DOD has (1) effectively managed and overseen DRRS acquisition and deployment and (2) implemented features of DRRS consistent with legislative requirements and DOD guidance. GAO compared DRRS acquisition disciplines, such as requirements development, test management, and DRRS oversight activities, to DOD and related guidance, and reviewed the system’s current and intended capabilities relative to legislative requirements and DOD guidance. We did not evaluate DOD’s overall ability to assess force readiness or the extent that readiness data reflects capabilities, vulnerabilities, or performance issues. What GAO Found: DOD has not effectively managed and overseen the DRRS acquisition and deployment, in large part because of the absence of rigorous and disciplined acquisition management controls and an effective governance and accountability structure for the program. In particular, system requirements have not been effectively developed and managed. For example, user participation and input in the requirements development process was, until recently, limited, and requirements have been experiencing considerable change, are not yet stable, and have not been effectively controlled. In addition, system testing has not been adequately performed and managed. For example, test events for already acquired system increments, as well as currently deployed and operating increments, were not based on well-defined plans or structures, and test events have not been executed in accordance with plans or in a verifiable manner. Moreover, DRRS has not been guided by a reliable schedule of work to be performed and key activities to occur. These program management weaknesses can, in part, be attributed to long- standing limitations in program office staffing and program oversight and accountability. Despite being a DOD-wide program, until April, 2009 DRRS was not accountable to a DOD-wide oversight body, and it was not subject to DOD’s established mechanisms and processes for overseeing business systems. Collectively, these acquisition management weaknesses have contributed to a program that has fallen well short of expectations, and is unlikely to meet future expectations. DOD has implemented DRRS features that allow users to report certain mission capabilities that were not reported under the legacy system, but these features are not fully consistent with legislative requirements and DOD guidance; and DOD has not yet implemented other features. The geographic combatant commands are currently reporting their capabilities to execute most of their operations and major war plans in DRRS, and DOD is reporting this additional information to Congress. However, because DRRS does not yet fully interface with legacy systems to allow single reporting of readiness data, the military services have not consistently used DRRS’s enhanced capability reporting features. For example, as of May 2009, the Army and Navy had developed interfaces for reporting in DRRS, while the Marine Corps required units to only report in their legacy system. Recently, the Marine Corps also began developing an interface and has done limited reporting in DRRS. In addition, DRRS has not fully addressed the challenges with metrics that led Congress to require a new readiness reporting system. DRRS metrics are less objective and precise, and no more timely than the legacy system metrics. Users have also noted that DRRS lacks some of the current and historical data and connectivity with DOD’s planning systems necessary to manage and deploy forces. Until these limitations are fully addressed, DRRS will not have the full complement of features necessary to meet legislative and DOD requirements, and users will need to rely on legacy reporting systems to support mission-critical decisions. What GAO Recommends: GAO is making recommendations to address the risks facing DOD in acquiring and developing DRRS and increase the chance of success. DOD agreed or partially agreed with three of our eight recommendations, and disagreed with the remaining five because it stated that it was already taking actions in these areas. View [hyperlink, http://www.gao.gov/products/GAO-09-518] or key components. For more information, contact Sharon Pickup at (202) 512- 9619 or pickups@gao.gov, or Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. [End of section] Contents: Letter: Background: DOD Disagreed with GAO's Prior Recommendation to Develop an Implementation Plan to Guide DRRS Development: DOD Has Not Effectively Managed and Overseen the Acquisition and Deployment of DRRS: Some DRRS Features Are Operational but Are Not Fully Consistent with Legislative Requirements and DOD Guidance: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Detailed Analysis of DRRS Acquisition and Deployment Management and Oversight: Appendix III: Comments from the Department of Defense: Appendix IV: GAO Contacts and Staff Acknowledgments: Tables: Table 1: DRRS Capability Modules: Table 2: Organizations Interviewed during Our Review: Table 3: DRRS Satisfaction of Nine Schedule-Estimating Key Practices: Figures: Figure 1: Air Force and Marine Corps Dual Reporting Requirements to Meet Readiness Reporting Guidelines: Figure 2: Schedule for Developing and Implementing DRRS Capabilities: Figure 3: Changes in Estimated Dates for DRRS Capabilities: Abbreviations: CJCSI: Chairman of the Joint Chiefs of Staff Instruction: DIO: DRRS Implementation Office: DOD: Department of Defense: DRRS: Defense Readiness Reporting System: ESORTS: Enhanced Status of Resources and Training System: GSORTS: Global Status of Resources and Training System: JITC: Joint Interoperability Test Command: MAIS: Major Automated Information System: OSD: Office of the Secretary of Defense: SIPRNet: Secure Internet Protocol Router Network: TEMP: Test and Evaluation Master Plan: USD (P&R): Under Secretary of Defense for Personnel and Readiness: [End of section] United States Government Accountability Office: Washington, DC 20548: September 25, 2009: The Honorable Evan Bayh: Chairman: The Honorable Richard Burr: Ranking Member: Subcommittee on Readiness and Management Support: Committee on Armed Services: United States Senate: To assess the ability of U.S. forces to execute the wartime missions for which they were designed, as well as other assigned missions, and to make decisions about deploying forces, the Department of Defense (DOD) relies heavily on readiness information derived from multiple information systems. Over the years, we and others have identified shortcomings in DOD's readiness assessment and reporting, such as limitations in the completeness and precision of readiness data and a tendency to focus on examining the status of personnel, equipment, and other resources rather than broader capabilities. Congress addressed DOD's readiness reporting in the Strom Thurmond National Defense Authorization Act for Fiscal Year 1999[Footnote 1] by adding section 117 to Title 10 of the U.S. Code, directing the Secretary of Defense to establish a comprehensive readiness reporting system to measure, in an "objective, accurate, and timely manner," the capability of the armed forces to carry out the National Security Strategy prescribed by the President, the defense planning guidance provided by the Secretary of Defense, and the National Military Strategy prescribed by the Chairman of the Joint Chiefs of Staff. In June 2002, the Deputy Secretary of Defense directed[Footnote 2] the Under Secretary of Defense for Personnel and Readiness (USD P&R) to develop, field, maintain, and fund the Enhanced Status of Resources and Training System (ESORTS), which is the automated readiness reporting system within the Defense Readiness Reporting System (DRRS).[Footnote 3] He also directed that DRRS build upon existing processes and readiness assessment tools to establish a capabilities-based, adaptive, near-real-time readiness reporting system. In addition, in June 2004, the Secretary of Defense directed USD (P&R) to develop DRRS in a manner that would support the data requirements of various users of readiness information, such as the Chairman of the Joint Chiefs of Staff, the combatant commanders, the Secretaries of the military departments, and the Chief of the National Guard Bureau, including their requirements for data on the availability, readiness, deployment, and redeployment of forces.[Footnote 4] USD (P&R) established a DRRS Implementation Office (DIO) to manage the system's acquisition, including managing system development and engaging the user community. The DIO has used support contractors to develop the system and reported obligating about $96.5 million for DRRS from fiscal year 2001 through fiscal year 2008. Some fielded system capabilities are currently being used to varying degrees by the user community. The DIO originally estimated that DRRS would achieve full operational capability in fiscal year 2007, but currently expects DRRS to reach full capability in 2014. In September 2008, the DIO projected that it would spend about $135 million through fiscal year 2014. Recognizing that DRRS was not yet fully deployed or operational and in light of our prior work on readiness-related issues, you asked us to review DOD's efforts to develop and implement DRRS, including the program's status, and the extent that DRRS addresses the challenges that led Congress to require a new system, such as the availability of information on capabilities, and the precision, timeliness, reliability, and objectivity of readiness metrics. In addressing these issues, we assessed the extent to which (1) DOD has effectively managed and overseen DRRS acquisition and deployment, and (2) features of DRRS have been implemented and are consistent with legislative requirements and DOD guidance. To determine the extent that DOD has effectively managed and overseen DRRS acquisition and deployment, we analyzed a range of program documentation and interviewed cognizant program and contractor officials relative to the following acquisition management disciplines: requirements development and management, test management, schedule reliability, and human capital. For each discipline, we compared key program documentation, such as a requirements management plan, test and evaluation master plans, and test reports to relevant DOD, federal, and related guidance, and we analyzed a statistical sample of individual requirements and test cases to determine consistency among them. In addition, we attended meetings of organizations established to monitor or govern DRRS development and reviewed information from meetings that we did not attend and interviewed officials associated with these meetings. To determine the extent to which the features of DRRS have been implemented and are consistent with legislative requirements and DOD guidance, we reviewed criteria such as the legislation that mandated a comprehensive DOD readiness reporting system, the DOD directive that established DRRS, program documentation and USD (P&R) guidance memorandums, DIO briefings to the readiness community, other departmental instructions, and directives and memorandums related to DRRS requirements and implementation. From these documents, we identified desired features of DRRS and compared them to documentary and testimonial evidence concerning system performance during meetings with a full range of officials responsible for developing and using the system. To obtain the developer's perspective, on numerous occasions throughout our review we met with officials from USD (P&R), the DIO, and the three current DRRS contractors. To obtain user perspectives, we met with and surveyed by questionnaire officials from the Joint Staff, the geographic and functional combatant commands, and the services, and also met with officials from USD (P&R). We also attended meetings of organizations established to monitor or govern DRRS development and analyzed information from meetings that we did not attend. We also directly observed the system's capabilities through our own limited use of the system and by observing others using the system. We did not evaluate the department's overall ability to assess the readiness of its forces or the extent that data contained in any of its readiness reporting systems, including DRRS and GSORTS, reflect capabilities, deficiencies, vulnerabilities, or performance issues. Our review focused on acquisition and program management issues, such as requirements management, schedule and human capital requirements, the current usage of DRRS, and the extent to which DRRS' features address legislative requirements and DOD guidance. We conducted this performance audit from April 2008 through August 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Additional details on our scope and methodology are in appendix I. Background: Historically, DOD has used its readiness assessment system to assess the ability of units and joint forces to fight and meet the demands of the national security strategy. DOD's readiness assessment and reporting system is designed to assess and report on military readiness at three levels--(1) the unit level; (2) the joint force level; and (3) the aggregate, or strategic, level. Using information from its readiness assessment system, DOD prepares and sends legislatively mandated Quarterly Readiness Reports to Congress. DRRS is DOD's new readiness reporting system that is intended to capture information from the previous system, as well as information about organizational capabilities to perform a wider variety of missions and mission essential tasks. DRRS is also intended to capture readiness information from defense agencies and installations, which were not required to report under the previous system. Some DRRS features are currently fielded and being used to varying degrees by the user community. DOD Collects a Wide Range of Readiness Information to Support Decision Makers Within and Outside DOD: Laws, directives, and guidance, including a DOD directive, Chairman of the Joint Chiefs of Staff Instruction (CJCSI), Secretary of Defense and USD (P&R) memorandums, and service regulations and messages, show that readiness information and data are needed to support a wide range of decision makers. These users of readiness data include Congress, the Secretary of Defense, the Chairman of the Joint Chiefs of Staff, the combatant commanders, the Secretaries of the military departments, and the Chief of the National Guard Bureau. The directives and guidance also list roles and responsibilities for collecting and reporting various types of readiness data. For example, CJCSI 3401.02A[Footnote 5] assigns the service chiefs responsibility for ensuring required global status of resources and training system (GSORTS) reports are submitted. GSORTS is DOD's legacy, resource-based readiness reporting system that provides a broad assessment of unit statuses based on units' abilities to execute the missions for which they were organized or designed as well as the current missions for which they may be employed. The information in the required GSORTS reports includes units' abilities to execute the missions for which they were organized or designed, as well as the status of their training, personnel, and equipment.[Footnote 6] In addition, DOD directive 7730.65, which established DRRS as DOD's new readiness reporting system, assigns the Secretaries of the military departments and the commanders of the combatant commands responsibilities for developing mission essential tasks for all of their assigned missions. [Footnote 7] Requirements and Intended Characteristics of DOD's New Readiness Reporting System: Prior to 1999, we identified challenges with DOD's existing readiness reporting system, GSORTS, and in 1999, Congress directed the Secretary of Defense to establish a comprehensive readiness reporting system. [Footnote 8] The legislation requires the system to measure in an objective, accurate, and timely manner the capability of the armed forces to carry out (1) the National Security Strategy prescribed by the President, (2) the defense planning guidance provided by the Secretary of Defense, and (3) the National Military Strategy prescribed by the Chairman of the Joint Chiefs of Staff. To address the requirements established by Congress, the Office of the Deputy Under Secretary of Defense (Readiness) began in 2001 to build consensus among DOD's senior readiness leaders for an improved readiness assessment system. For example, the Deputy's office distributed a list of key characteristics of the improved readiness assessment system to the leaders in advance of scheduled meetings. The system's key desired characteristics included allowing near-real-time access to readiness data and trends, enabling rapid, low-cost development using classified Internet technology, and reducing the reporting burdens on people. Since then various directives and memorandums have been issued regarding DRRS responsibilities, requirements, and related issues. For example: * On June 3, 2002, the Deputy Secretary of Defense established DOD's new readiness reporting system, as directed by Congress, by signing DOD Directive 7730.65. According to this directive, DRRS is intended to build upon DOD's existing processes and readiness assessment tools to establish a capabilities-based, near-real-time readiness reporting system. The DRRS directive assigned USD (P&R) responsibilities for developing, fielding, maintaining, and funding ESORTS (the tool to collect capability, resource, and training information) and overseeing DRRS to ensure accuracy, completeness, and timeliness of its information and data, its responsiveness, and its effective and efficient use of modern practices and technologies. In addition, the USD P&R is responsible for ensuring that ESORTS information, where appropriate, is integrated into DOD's planning systems and processes. The directive also states that until ESORTS becomes fully operational, the Chairman of the Joint Chiefs of Staff shall maintain the GSORTS database. * On June 25, 2004, the Secretary of Defense issued a memorandum, which directed USD (P&R) to develop DRRS to support data requirements identified by the Chairman of the Joint Chiefs of Staff, the combatant commanders, the Secretaries of the Military Departments, and the Chief, National Guard Bureau to include availability, readiness, deployment, and redeployment data.[Footnote 9] * On November 2, 2004, USD (P&R) issued a DRRS interim implementation guidance memorandum.[Footnote 10] In this memorandum, the undersecretary noted that he had established a DIO to provide reporting assistance for units. The memorandum also stated that combatant commanders would begin reporting readiness by mission essential tasks by November 30, 2004. The memorandum also directed the services to develop detailed implementing guidance for reporting and assessing mission essential task readiness in ESORTS within their respective services, and set a goal for the services to implement the mission essential task reporting process by September 30, 2005. To meet these mission essential task reporting requirements, USD (P&R) directed commanders to rate their organizational capabilities as (1) yes or "Y", (2) qualified yes or "Q", or (3) no or "N." A "Y" indicates that an organization can accomplish the rated tasks or missions to prescribed standards and conditions in a specified environment. It should reflect demonstrated performance in training or operations. A "Q" indicates that performance has not been demonstrated, and, although data may not readily support a "Y," the commander believes the organization can accomplish the rated task or mission to standard under most conditions. An "N" indicates that an organization cannot accomplish the rated task or mission to prescribed standards in the specified environment at the time of the assessment. * The November 2004 memorandum also stated that the expected transition from GSORTS to ESORTS was scheduled to begin in fiscal year 2005. According to the 2004 memorandum, the ESORTS module of DRRS would provide, among other things, visibility of the latest GSORTS information reported by units, and detailed resource information from authoritative data sources with the capability to aggregate or separate the data. This memorandum signaled a change in program direction. Although the 2002 DOD directive stated that DRRS is intended to build upon DOD's existing processes and readiness assessment tools, the 2004 memorandum indicated that DRRS was to replace GSORTS, as the ESORTS module of DRRS captured both capabilities and resource data. Overview of DRRS Program Management and Oversight Structure: Since its establishment, the DIO has operated within the Office of USD (P&R) and has relied on multiple contractors. To provide governance of DRRS, and enhance communication between the development community, represented by the DIO and contractors, and the user community, which includes the Joint Staff, military services, and combatant commands, USD (P&R) established various bodies with representatives from the user community, including military services, combatant commands, and the defense agencies. Representatives from the Office of USD (P&R) and the Joint Staff currently serve as cochairs of the various bodies. DRRS Battle Staffs comprise colonels, Navy captains, and similar-graded civilians. They track DRRS development and identify issues with the system. At the one-star level, the DRRS General and Flag Officer Steering Committee discusses issues raised by the Battle Staff. In December 2007, USD (P&R) created a committee at the three-star level, referred to as the DRRS Executive Committee. Its charter, finalized about a year later in January 2009, calls for the committee to review and approve proposals and plans to establish policy, processes, and system requirements for DRRS, including approving software development milestones required to reach objectives. To ensure that leadership is provided for the direction, oversight, and execution of DOD's business transformation efforts, including business systems modernization efforts such as DRRS, DOD relies on several entities. These entities include the Defense Business Systems Management Committee, which is chaired by the Deputy Secretary of Defense and serves as the department's highest-ranking governance body and the approval authority for business systems modernization activities; the Investment Review Boards, which are chartered by the Principal Staff Assistants--senior leaders from various offices within DOD--and serve as the review and certification bodies for business system investments in their respective areas of responsibility;[Footnote 11] and the Business Transformation Agency, which is responsible for supporting the Investment Review Boards and for leading and coordinating business transformation efforts across the department. Among other things, the Business Transformation Agency supports the Office of the Under Secretary of Defense, Acquisition, Technology and Logistics in conducting system acquisition risk assessments.[Footnote 12] Disciplined System Acquisition and Oversight Are Keys to Program Success: Our research and evaluations of information technology programs, including business systems modernization efforts within DOD, have shown that delivering promised system capabilities and benefits on time and within budget largely depends on the extent to which key program management disciplines are employed by an adequately staffed program management office. Among other things, these disciplines include a number of practices associated with effectively developing and managing system requirements, adequately testing system capabilities, and reliably scheduling the work to be performed. They also include proactively managing the program office's human capital needs, and promoting program office accountability through executive-level program oversight. DOD acquisition policies and guidance, along with other relevant guidance, recognize the importance of these management and oversight disciplines.[Footnote 13] As we have previously reported, not employing these and other program management disciplines increases the risk that system acquisitions will not perform as intended and require expensive and time-consuming rework. DOD Disagreed with GAO's Prior Recommendation to Develop an Implementation Plan to Guide DRRS Development: In 2003, we reported that, according to USD (P&R) officials, DRRS was a large endeavor, and that development would be challenging and require buy-in from many users.[Footnote 14] We also reported that the program was only a concept without detailed plans to guide its development and implementation. Based on the status of the program at that time and DOD's past record on readiness reporting initiatives, we recommended that the Secretary of Defense direct the Office of USD (P&R) to develop an implementation plan that identified: * performance goals that are objective, quantifiable, and measurable; * performance indicators to measure outcomes; * an evaluation plan to compare program results with established goals; and: * milestones to guide DRRS development to the planned 2007 full capability date. DOD did not agree with our recommendation, stating that it had established milestones, cost estimates, functional responsibilities, expected outcomes, and detailed plans for specific information technology requirements and progress indicators. In evaluating the DOD comments, we noted that DOD had established only two milestones-- initial capability in 2004 and full capability in 2007--and did not have a road map explaining the steps needed to achieve full capability by 2007.[Footnote 15] DOD Has Not Effectively Managed and Overseen the Acquisition and Deployment of DRRS: DOD has not effectively managed and overseen the acquisition and deployment of DRRS in accordance with a number of key program management disciplines that are recognized in DOD acquisition policies and guidance, along with other relevant guidance, and are fundamental to delivering a system that performs as intended on time and within budget. In particular, DRRS requirements have not been effectively developed and managed, and DRRS testing has not been adequately performed and managed. Further, DRRS has not been guided by a reliable schedule of the work needed to be performed and the key activities and events that need to occur. These program management weaknesses can be attributed in part to long-standing limitations in program office staffing and oversight. As a result, the program has not lived up to the requirements set for it by Congress, and the department has not received value from the program that is commensurate with the time and money invested--about 7 years and $96.5 million. Each of these weaknesses are summarized below and discussed in detail in appendix II. DRRS Requirements Have Not Been Effectively Developed and Managed: According to DOD and other relevant guidance, effective requirements development and management includes, among other things, (1) effectively eliciting user needs early and continuously in the system life-cycle process, (2) establishing a stable baseline set of requirements and placing the baseline under configuration management, (3) ensuring that system requirements are traceable backward to higher level business or operational requirements (e.g., concept of operations) and forward to system design documents (e.g., software requirements specification) and test plans, and (4) controlling changes to baseline requirements. However, none of these conditions have been met on DRRS. Specifically, key users have only recently become fully engaged in developing requirements, and requirements have been experiencing considerable change and are not yet stable. Further, different levels of requirements and related test cases have not been aligned with one another, and changes to requirements have not been effectively controlled. As a result, efforts to develop and deliver initial DRRS capabilities have taken longer than envisioned and these capabilities have not lived up to user expectations. These failures increase the risk of future DRRS capabilities not meeting expectations and increase the likelihood that expensive and time-consuming system rework will be necessary. Recent Actions Have Been Taken to Address Limited User Involvement in Developing and Managing Requirements: Until recently, key users were not fully or effectively engaged in DRRS requirements development and management. One of the leading practices associated with effective requirements development is engaging system users early and continuously in the process of defining requirements. However, DIO officials and representatives from the military services and the Joint Staff agree that until recently, key users were not effectively engaged in DRRS requirements development and management, although they disagree at to why user involvement has suffered. Regardless, DRRS Executive Committee direction has improved the situation. Specifically, in January 2008, the committee directed the Joint Staff to conduct an analysis of DRRS capabilities, referred to as the "capabilities gap analysis," which involved the entire readiness community and resulted in 530 additional user requirements. In our view, this analysis is a positive step in addressing long-standing limited involvement by key DRRS users in defining requirements that has contributed to significant delays in the program, as discussed later in the report. DRRS Requirements Are Not Stable: As of April 2009, DRRS requirements continued to be in a state of flux. Establishing an authoritative set of baseline requirements prior to system design and development provides a stable basis for designing, developing, and delivering a system that meets its users' operational needs. However, the fact that these 530 user requirements have recently been identified means that the suite of requirements documentation associated with the system, such as the detailed system requirements, will need to change and thus is not stable. To illustrate, these 530 requirements have not been fully evaluated by the DIO and the DRRS governance boards and according to program officials, have not yet been approved, and thus their impact on the program is not clear. Compounding this instability in the DRRS requirements is the fact that additional changes are envisioned. According to program officials, the changes resulting from the gap analysis and reflected in the latest version of the DRRS Concept of Operations, which was approved by the DRRS Executive Committee in January 2009, have yet to be reflected in other requirements documents, such as the detailed system requirements. Although defining and developing requirements is inherently an iterative process, having a baseline set of requirements that are stable is a prerequisite to effective and efficient system design and development. Without them, the DIO has not been able to deliver a system that meets user needs on time, and it is unlikely that future development and deployment efforts will produce better results. Alignment among Requirements and Related System Design and Testing Artifacts Has Not Been Demonstrated: During our review, DIO officials could not demonstrate that requirements and related system design and testing artifacts are properly aligned. One of the leading practices associated with developing and managing requirements is maintaining bidirectional traceability from high-level operational requirements through detailed lower-level requirements and design documents to test cases. We attempted on three separate occasions to verify the traceability of system requirements backwards to higher-level requirements and forward to lower-level software specifications and test cases, and each time we found that traceability did not exist. DIO and contractor officials attributed the absence of adequate requirements traceability to the ongoing instability in requirements and efforts to update program documentation. Without traceable requirements, the DIO does not have a sufficient basis for knowing that the scope of the design, development, and testing efforts will produce a system solution on time and on budget and that will meet users' operational needs and perform as intended. As a result, the risk is significant that expensive and time- consuming system rework will be required. Changes to Requirements Are Not Being Effectively Controlled: Since the inception of the program in 2002, DRRS has been developed and managed without a formally documented and approved process for managing changes to system requirements. Adopting a disciplined process for reviewing and accepting changes to an approved baseline set of requirements in light of the estimated costs, benefits, and risk of each proposed change is a recognized best practice. However, requirements management and change-control plans developed in 2006 by the DRRS software development contractor, according to DIO officials, were not adequate. To address this, the Joint Staff developed what it referred to as a conceptual requirements change-control process in February 2008, as a basis for the DIO to develop more detailed plans that could be implemented. In January 2009, the DIO drafted more detailed requirements management and configuration management plans, the latter of which the DIO updated in March 2009. However, the plans have yet to be approved and implemented. Until the DIO effectively controls requirements changes, it increases the risk of needed DRRS capabilities taking longer and costing more to deliver than necessary. DRRS Testing Has Not Been Adequately Performed and Key Test Management Structures and Controls Have Not Been Established: According to DOD and other relevant guidance, system testing should be progressive, meaning that it should consist of a series of test events that first focus on the performance of individual system components, then on the performance of integrated system components, followed by system-level tests that focus on whether the system (or major system increments) are acceptable, interoperable with related systems, and operationally suitable to users. For this series of related test events to be conducted effectively, each test event needs to be executed in accordance with well-defined test plans, the results of each test event need to be captured and used to ensure that problems discovered are disclosed and corrected, and all test events need to be governed by a well-defined test management structure. However, the DIO cannot demonstrate that it has adequately tested any of the DRRS increments, referred to as system releases and subreleases, even though it has already acquired and partially deployed a subset of these increments. Moreover, the DIO has yet to establish the test management structures and controls needed to effectively execute DRRS testing going forward. More specifically, the test events for already acquired, as well as currently deployed and operating, DRRS releases and subreleases were not based on well-defined plans. For example, the test plan did not include a schedule of activities to be performed or defined roles and responsibilities for performing them. Also, the test plan did not consistently include test entrance and exit criteria, a test defect management process, and metrics for measuring progress. Further, test events have not been fully executed in accordance with plans, or executed in a verifiable manner, or both. For example, although increments of DRRS functionality have been put into production, the DIO has not performed system integration testing, system acceptance testing, or operational testing on any DRRS release or subrelease. Moreover, the results of all executed test events have not been captured and used to ensure that problems discovered were disclosed to decision makers, and ultimately corrected. For example, the DIO has not captured the test results for at least 20 out of 63 DRRS subreleases. Test results that were captured did not include key elements, such as entrance/exit criteria status and unresolved defects and applicable resolution plans. The DIO has also not established an effective test management structure to include, for example, a clear assignment of test management roles and responsibilities, or a reliable schedule of planned test events. Compounding this absence of test management structures and controls is the fact that the DIO has yet to define how the development and testing to date of a series of system increments (system releases and subreleases) relate to the planned development and testing of the 10 system modules established in January 2009. (See table 1 for a list and description of these modules.) Collectively, this means that it is unlikely, that already developed and deployed DRRS increments can perform as intended and meet user operational needs. Equally doubtful are the chances that the DIO can adequately ensure that yet-to-be developed DRRS increments will meet expectations. Table 1: DRRS Capability Modules: Module: 1. Joint Mission Readiness; Definition: Enables selected users to see and assess the highest strategic-level "joint" readiness data. Module: 2. Unit Mission Readiness; Definition: Captures unit-level readiness data, as well as authoritative resources data (e.g., personnel, equipment) fed from external systems owned by military services. Module: 3. Asset Visibility; Definition: Allows authoritative resources data from military services to be provided in near-real-time, and certifies them. Module: 4. Business Intelligence; Definition: Provides the ability to query and analyze readiness and asset visibility data, based on the desires and needs of the user. Module: 5. Installation Readiness; Definition: Allows readiness reporting by installations, training/firing ranges and other infrastructure facilities. Module: 6. Readiness Reviews; Definition: Enables forcewide readiness reviews to be conducted, such as the Joint Combat Capability Assessment review process. Module: 7. Planning/Execution Support; Definition: Allows DRRS to interact with other planning systems and processes, such as the Global Force Management and Adaptive Planning and Execution communities. Module: 8. Historical Data; Definition: Focuses on the historical collection and presentation of information. Also includes the Continuity of Operations (COOP) capability. Module: 9. System Architecture; Definition: Meets the underlying information technology system specifications, such as standards for information assurance, interoperability, bandwidth, and other issues. Module: 10. End-User Usability; Definition: Fulfills end-user support of the DRRS application to include training, customer support, and documentation. Source: DOD. [End of table] DRRS Has Not Been Guided by a Reliable Schedule: The success of any program depends in part on having a reliable schedule that defines, among other things, when work activities will occur, how long they will take, and how they are related to one another. From its inception in 2002 until November 2008, the DIO did not have an integrated master schedule, and thus has long been allowed to proceed without a basis for executing the program and measuring its progress. In fact, the only milestone that we could identify for the program prior to November 2008 was the date that DRRS was to achieve full operational capability, which was originally estimated to occur in fiscal year 2007, but later slipped to fiscal year 2008 and then fiscal year 2011, and is now fiscal year 2014--a 7-year delay. Moreover, the DRRS integrated master schedule that was first developed in November 2008, and was updated in January 2009 and again in April 2009 to address limitations that we identified and shared with the program office, is still not reliable. Specifically, our research has identified nine practices associated with developing and maintaining a reliable schedule.[Footnote 16] These practices are (1) capturing all key activities, (2) sequencing all key activities, (3) assigning resources to all key activities, (4) integrating all key activities horizontally and vertically, (5) establishing the duration of all key activities, (6) establishing the critical path for all key activities, (7) identifying float between key activities, (8) conducting a schedule risk analysis, and (9) updating the schedule using logic and durations to determine the dates for all key activities.[Footnote 17] The program's latest integrated master schedule does not address three of the practices and only partially addresses the remaining six. For example, the schedule does not establish a critical path for all key activities, nor does it include a schedule risk analysis, and it is not being updated using logic and durations to determine the dates for all key activities. In addition, the schedule introduces considerable concurrency across key activities and events for several modules, which introduces increased risk. These limitations in the program's latest integrated master schedule, coupled with the program's 7-year slippage to date and continued requirements instability, make it likely that DRRS will incur further delays. DIO Lacks Adequate Staffing and an Effective Approach to Meeting Its Human Capital Needs: The DIO does not currently have adequate staff to fulfill its system acquisition and deployment responsibilities, and it has not managed its staffing needs in an effective manner. Effective human capital management should include an assessment of the core competencies and essential knowledge, skills, and abilities needed to perform key program management functions, an inventory of the program's existing workforce capabilities, an analysis of the gap between the assessed needs and the existing capabilities, and plans for filling identified gaps. DIO performs a number of fundamental DRRS program management functions, such as acquisition planning, performance management, requirements development and management, test management, contractor tracking and oversight, quality management, and configuration management. To effectively perform such functions, program offices, such as the DIO, need to have not only well-defined policies and procedures and support tools for each of these functions, but also sufficient human capital to implement the processes and use the tools throughout the program's life cycle. However, the DIO is staffed with only a single full-time government employee--the DIO Director. All other key program office functions are staffed by either contractor staff or staff temporarily detailed, on an as-needed basis, from other DOD organizations. In addition, key positions, such as performance manager and test manager, have either not been established or are vacant. According to DIO and contractor officials, they recognize that additional program management staffing is needed but stated that requests for additional staff had not been approved by USD (P&R) due to competing demands for staffing. Further, they stated that the requests were not based on an assessment of the program's human capital needs and the gap between these needs and its onboard workforce capabilities. Until DIO adopts a strategic, proactive approach to managing its human capital needs, it is unlikely that it will have an adequate basis for obtaining the people it needs to effectively and efficiently manage DRRS. DOD Executive Oversight of DRRS Has Been Limited: A key principle for acquiring and deploying system investments is to establish a senior-level governance body to oversee the investment and hold program management accountable for meeting cost, schedule, and performance commitments. Moreover, for investments that are organization wide in scope and introduce new ways of doing business, like DRRS, the membership of this oversight body should represent all stakeholders and have sufficient organizational seniority to commit their respective organizations to any decisions reached. For significant system investments, the department's acquisition process provides for such executive governance bodies. For example, Major Automated Information Systems, which are investments over certain dollar thresholds or that are designated as special interest because of, among other things, their mission importance, are reviewed at major milestones by a designated milestone decision authority.[Footnote 18] These authorities are supported by a senior advisory group, known as the Information Technology Acquisition Board, which comprises senior officials from the Joint Staff, the military departments, and staff offices within the Office of the Secretary of Defense. In addition, all business system investments in DOD that involve more than $1 million in obligations are subject to review and approval by a hierarchy of DOD investment review boards that comprise senior DOD leaders, including the Defense Business Systems Management Committee, which is chaired by the Deputy Secretary of Defense. Through these executive oversight bodies and their associated processes, programs are to be, among other things, governed according to corporate needs and priorities, and program offices are to be held accountable for meeting cost, schedule, and performance expectations. Until April 2009, DRRS was not subject to any of DOD's established mechanisms and processes for overseeing information technology systems. As previously discussed, USD (P&R) established the DRRS Battle Staff, which is a group of midlevel military officers and civilians from DRRS stakeholder organizations, and it established a higher-ranked General and Flag Officer Steering Committee, consisting of stakeholder representatives. However, neither of these entities had specific oversight responsibilities or decision-making authority for DRRS. Moreover, neither was responsible for holding the program office accountable for results. According to meeting minutes and knowledgeable officials, these entities met on an irregular basis over the last several years, with as much as a 1-year gap in meeting time for one of them, to discuss DRRS status and related issues. In December 2007, USD (P&R) recognized the need for a more senior-level and formal governance body, and established the DRRS Executive Committee. Since January 2008, this committee, which consists of top- level representatives from stakeholder organizations, has met at least seven times. In January 2009, the DRRS Executive Committee's charter was approved by the Deputy Under Secretary of Defense (Readiness) and the three-star Director of the Joint Staff. According to the charter, the committee is to review and approve proposals and plans to establish policy, processes, and system requirements for DRRS, including approving software development milestones required to reach objectives. Consistent with its charter, the committee has thus far made various program-related decisions, including approving a DRRS concept of operations to better inform requirements development, and directing the Joint Staff to conduct an analysis to identify any gaps between DRRS requirements and user needs. However, the committee has not addressed the full range of acquisition management weaknesses previously discussed in this report, and it has not taken steps to ensure that the program office is accountable for well-defined program baseline requirements. More recently, the DOD Human Resources Management Investment Review Board and the Defense Business Systems Management Committee reviewed DRRS and certified and approved, respectively, the program to invest $24.625 million in fiscal years 2009 and 2010. These entities comprise senior leadership from across the department, including the Deputy Secretary of Defense as the Defense Business Systems Management Committee Chair, military service secretaries, the defense agency heads, principal staff assistants, and representatives from the Joint Staff and combatant commands. However, neither the Investment Review Board's certification nor the Defense Business Systems Management Committee's approval was based on complete and accurate information from USD (P&R). Specifically, the certification package submitted to both oversight bodies by the USD (P&R) precertification authority (Office of Readiness Programming and Assessment) stated that DRRS was on track for meeting its cost, schedule, and performance measures and highlighted no program risks despite the weaknesses discussed in this report. According to the chairwoman of the Investment Review Board, the board does not have a process or the resources to validate the information received from the programs that it reviews.[Footnote 19] Moreover, the chairwoman stated that program officials did not make the board aware of the results of our review that we shared with the DIO prior to either the Investment Review Board or Defense Business Systems Management Committee reviews. Since we briefed the chairwoman, the Investment Review Board has requested that the DIO provide it with additional information documenting DRRS compliance with applicable DOD regulations and statutes. According to USD (P&R) and DIO officials, DRRS was not subject to department executive-level oversight for almost 6 years because, among other things, they did not consider DRRS to be a more complex information technology system. Furthermore, because of the nature of the authority provided to the USD (P&R) in the DRRS charter, they did not believe it was necessary to apply the same type of oversight to DRRS as other information systems within DOD. This absence of effective oversight has contributed to a void in program accountability and limited prospects for program success. Some DRRS Features Are Operational but Are Not Fully Consistent with Legislative Requirements and DOD Guidance: DOD has implemented DRRS features that allow users to report certain mission capabilities that were not reported under the legacy system, but these features are not fully consistent with legislative requirements and DOD guidance; and DOD has not yet implemented other envisioned features of the system. While some users are consistently reporting enhanced capability information, reporting from other users has been inconsistent. In addition, DRRS has not fully addressed the challenges with metrics that were identified prior to 1999 when Congress required DOD to establish a new readiness reporting system. Users have also noted that DRRS lacks some of the current and historical data and connectivity with DOD's planning systems necessary to manage and deploy forces. DOD Is Providing Congress with DRRS Capability Data from the Combatant Commands, but Services Have Not Consistently Reported Capability Data: The geographic combatant commands are capturing enhanced capability data in DRRS, and DOD's quarterly readiness reports to Congress currently contain this information, as well as information that is drawn from DOD's legacy readiness reporting system, GSORTS. However, the military services have not consistently used the enhanced capability reporting features of DRRS. Because DRRS does not yet fully interface with legacy systems to allow single reporting of readiness data, the Army and Navy developed additional system interfaces and are reporting in DRRS. Until May 2009, the Marine Corps directed its units to report only in the legacy system to avoid the burden of dual reporting. The Air Force chose not to develop an interface and instructed its units to report in both DRRS and the legacy system. DRRS and GSORTS both contain capabilities information and resource (numbers of personnel, equipment availability, and equipment condition) and training data. However, DRRS currently provides more capabilities data than GSORTS. When Congress directed DOD to establish a new readiness reporting system, GSORTS was already providing capability information concerning unit capabilities to perform the missions for which they were organized or designed.[Footnote 20] More recently, some of the military services began reporting limited capability information on unit capabilities to perform missions other than those that they were organized or designed to perform into GSORTS.[Footnote 21] However, DRRS is designed to capture capabilities on a wider variety of missions and mission essential tasks. For example, organizations can report their capabilities to conduct missions associated with major war plans and operations such as Operation Iraqi Freedom into DRRS, as well as their capabilities to perform the missions for which they were organized or designed. DRRS also captures capability information from a wider range of organizations than GSORTS. Although the primary (monthly) focus is on operational units and commands, DRRS collects and displays readiness information from defense agencies and installations. Geographic combatant commands--such as U.S. Central Command, U.S. Pacific Command, and U.S. Northern Command--are currently reporting their commands' capabilities to execute most of their operations and major war plans in DRRS. DOD reports this enhanced capability information from the geographic combatant commands in its Quarterly Readiness Report to Congress. The geographic combatant commands are also using DRRS to report their capabilities to perform headquarters- level, joint mission essential tasks, and some of these commands utilize DRRS as their primary readiness reporting tool. For example, U.S. Northern Command uses DRRS to assess risk and analyze capability gaps, and U.S. Pacific Command identifies critical shortfalls by evaluating mission essential task assessments that are captured in DRRS. While DRRS currently has the necessary software to collect and display these enhanced capability data from organizations at all levels throughout DOD, a variety of technical and other factors have hindered service reporting of capability data.[Footnote 22] As a result, the services have either developed their own systems to report required readiness data or have delayed issuing implementing guidance that would require their units to report standardized mission essential task data in DRRS. By 2005, DRRS was able to collect and display mission essential task information from any organizations that had access to a Secure Internet Protocol Router Network (SIPRNet) workstation.[Footnote 23] In August 2005, USD (P&R) issued a memorandum that directed the services to ensure that all of their GSORTS-reporting units were reporting mission essential task capabilities in DRRS by September 30, 2005.[Footnote 24] The memorandum stated that, for tactical units, mission essential tasks were to be drawn from the Service Universal Task List and standardized across like-type entities, such as tank battalions, destroyers, or F-16 squadrons.[Footnote 25] However, two factors that have hindered compliance with the memorandum's direction to report mission essential task capabilities in DRRS are discussed below. Lack of Direct Access to DRRS: While DRRS has been able to collect and display mission essential task data since 2005, some Army and Navy users did not have the means to directly access DRRS and update mission essential task assessments. For example, some ships lacked hardware necessary to be able to transmit their mission essential task data directly into DRRS while at sea. In addition, many National Guard units lacked, and still lack, direct access to the SIPRNet workstations that are necessary to directly input mission essential task data directly into DRRS. However, the Army and the Navy have developed systems, respectively designated DRRS-A and DRRS-N that interface with DRRS and thus allow all of their units to report mission essential task data. After Army and Navy units report mission essential task data in their respective DRRS-A and DRRS-N service systems, the services transmit these data to DRRS. As a result, Army and Navy officials told us that they are currently complying with the requirement to ensure that all their GSORTS-reporting units report mission essential task data in DRRS. Delays in Developing Software Tools to Input Data: Unlike the Army and the Navy, the Marine Corps and the Air Force have not developed their own systems to allow their units to use a single tool to enter readiness data to meet Office of the Secretary of Defense, Chairman of the Joint Chiefs of Staff, and service readiness reporting requirements. While the DIO has developed the software for users to enter mission essential task data into DRRS, the DIO has been unsuccessful in attempts to develop a tool that would allow Air Force and Marine Corps users to enter readiness data to meet all of their readiness reporting requirements through DRRS. As a result, rather than reducing the burden on reporting units, DRRS has actually increased the burden on Air Force and Marine Corps units because they are now required to report readiness information in both DRRS and GSORTS. On September 29, 2005, USD (P&R) issued a memorandum stating that DRRS is the single readiness reporting system for the entire Department of Defense and that legacy systems, such as GSORTS and associated service readiness systems, should be phased out.[Footnote 26] Since that time, officials have discussed whether to phase out GSORTS and tentative dates for this action have slipped several times. In 2001, the Office of the Deputy Undersecretary of Defense (Readiness) listed reducing reporting burdens as a key characteristic of its envisioned improved readiness assessment system. In an effort to eliminate this burden of dual reporting, the DIO began to develop a "current unit status" tool as a means for users to manage unit-specific readiness data and submit required reports in support of all current reporting guidelines.[Footnote 27] The tool was to minimize the burden associated with dual reporting by collecting, displaying, and integrating resource data from service authoritative data sources with GSORTS and DRRS. However, in December 2007, the DIO reported that it was unable to deliver the intended functionality of the "current unit status" tool. Instead, the DIO decided to develop an interim reporting tool, known as the SORTSREP tool, which would not provide the type of new capabilities envisioned for the "current unit status" tool, but would simply replicate the functionality of the input tool that the Air Force and Marines already used to input data into GSORTS. After delays, and 10 months of effort, the DIO delivered the SORTSREP tool to the Marine Corps for review. Based on this review, in December, 2008, the Marine Corps provided the developers and the DIO with 163 pages of detailed descriptions and graphics to explain the SORTSREP tool's deficiencies. It then informed the DIO that it would no longer expend energy and resources to review future versions of the SORTSREP tool and would instead look at leveraging the Army's or Navy's DRRS-A or DRRS-N systems. The Air Force also informed the DIO that it was no longer interested in the SORSTSREP tool, and said efforts should be focused on the "current unit status" tool instead. As a result, the Air Force and Marine Corps are currently faced with dual reporting requirements, as illustrated in figure 1. Figure 1: Air Force and Marine Corps Dual Reporting Requirements to Meet Readiness Reporting Guidelines: [Refer to PDF for image: illustration] Air Force units: RAS-IT: *GSORTS (Designed mission capabilities, resources, and training); DRRS (Missions and mission essential tasks). Marine Corps units: RAS-IT: *GSORTS (Designed mission capabilities, resources, and training); DRRS (Missions and mission essential tasks). TRAS-IT: Readiness Assessment System Input Tool. Source: GAO based on Air Force and Marine Corps information. [End of figure] On March 3, 2009, the Air Force Deputy Chief of Staff (Operations, Plans and Requirements) issued a memorandum that updated the Air Force's previous implementing guidance and directed all GSORTS- reporting units to begin assessing readiness in DRRS based on standardized core task lists within 90 days.[Footnote 28] As a result, Air Force units will report readiness in both DRRS and GSORTS until the DIO is able to deliver the intended functionality of the "current unit status" tool. While some Marine Corps units are reporting their capabilities in DRRS, the Marine Corps had not yet directed its units to report in the system as of May 2009. The Commandant of the Marine Corps had stated that he supported the development and implementation of DRRS, but that he would not direct units to assess mission essential tasks in DRRS until the system met its stated requirements and was accepted as the single readiness reporting system of record. Marine Corps officials said that they did not want to place a burden on operational units, which were fighting or preparing to fight a war, by requiring that they report readiness in two different systems. After we completed our audit work, on May 12, 2009, the Marine Corps issued an administrative message that required that units assess their mission essential tasks and missions in DRRS. The message stated that doing so would improve familiarity with DRRS, which will lead to an easier transition when the Marine Corps fields DRRS-Marine Corps (DRRS-MC).[Footnote 29] Without a viable tool for inputting data, DRRS is not fully integrated with GSORTS or with the service readiness reporting systems and it is not capable of replacing those systems since it does not capture the required data that are contained in those systems. DRRS Enhanced Capability Data Are Not Likely to Fully Address the Challenges with Metrics That Existed Prior to the Establishment of the System: While DRRS is being used to provide Congress with enhanced capability information, the quality of DRRS metrics still faces the same challenges, including limitations in timeliness, precision, and objectivity that existed prior to 1999 when Congress directed DOD to establish a new readiness reporting system. Section 117 of Title 10 of the U.S. Code directed the Secretary of Defense to establish a comprehensive readiness reporting system to measure the capability of the armed forces in an "objective, accurate, and timely manner." However, the enhanced capability data that are captured in DRRS and reported to Congress are no more timely than the readiness data that were being provided to Congress in 1999 using GSORTS. Furthermore, the metrics that are being used to capture the enhanced capability information are less objective and precise than the metrics that were used to report readiness in 1999. Timeliness: The statute directing the development of a new readiness reporting system requires that the reporting system measure in a timely manner the capability of the armed forces to carry out the National Security Strategy, the Secretary of Defense's defense planning guidance, and the National Military Strategy. The legislation also lists a number of specific requirements related to frequency of measurements and updates. For example, the law requires that the capability of units to conduct their assigned wartime missions be measured monthly, and that units report any changes in their overall readiness status within 24 hours of an event that necessitated the change in readiness status.[Footnote 30] In its DRRS directive, DOD assigned USD (P&R) responsibility for ensuring the timeliness of DRRS information and data, and it specified that DRRS was to be a near-real-time readiness reporting system. While DOD is reporting readiness information to Congress on a quarterly basis as required, and units are measuring readiness on a monthly basis, DRRS is not a near-real-time reporting system. Specifically, in DRRS, as in GSORTS, operational commanders assess the readiness of their organizations on a monthly basis or when an event occurs that changes the units' overall reported readiness. Thus, DRRS has not improved the timeliness of the key readiness data that are reported to Congress. According to USD (P&R) officials, DRRS data will be more timely than GSORTS data because DRRS will update underlying data from authoritative data sources between the monthly updates.[Footnote 31] However, DRRS is not yet capturing all the data from the authoritative data sources, and according to service officials, the service systems that support GSORTS also draw information from their service authoritative data sources between the monthly updates. Furthermore, the source and currency of some of the authoritative data that are currently in DRRS are not clearly identified. As a result, some users told us that they are reluctant to use DRRS data to support their decisions. Precision and Objectivity: We previously reported that the readiness information that DOD provided to Congress lacked precision, noting that GSORTS readiness measures that differed by 10 percentage points or more could result in identical ratings, with DOD often not reporting the detailed information behind the ratings outside of the department.[Footnote 32] For example, units that were at 90 and 100 percent of their authorized personnel strengths both were reported as P-1 in DOD's reports to Congress. In 2003, USD (P&R) recognized the imprecision of the reported metrics from GSORTS and noted that its efforts to develop DRRS would allow enhancements to reported readiness data. As previously noted, the DRRS capability information that DOD is reporting to Congress covers a broader range of missions than the GSORTS information that was provided in the past. However, when comparing the DRRS and GSORTS assessments of units' capabilities to perform the missions for which the units were organized or designed, DRRS assessments are actually less precise than the GSORTS assessments. Specifically, within GSORTS, overall capability assessments are grouped into four categories based on four percentage ranges for the underlying data. For example, commanders compare on-hand and required levels of personnel and equipment. Within DRRS, mission essential task assessments are reported on a scale that includes only three ratings-- "yes", "no", and "qualified yes," which can include any assessments that fall between the two extremes. The law directing DOD to establish a new readiness reporting system also requires that the system measure readiness in an objective manner. GSORTS assessments of units' capabilities to execute the missions for which they were organized or designed are based on objective personnel and equipment data and training information that may include both objective and subjective measures. Furthermore, the overall capability assessment in GSORTS is based on an objective rule that calls for the overall assessment to be the same level as the lowest underlying resource or training data level. For example, if a unit reported the highest personnel level (P-1) and the lowest training level (T-4), the rules in the GSORTS guidance instruct the commander to rate the unit's overall capability at the C-4 level. Because GSORTS contains these objective measures and rules, it is easy to evaluate reported readiness to see if it aligns with established reporting criteria.[Footnote 33] Within DRRS, organizations rate their capabilities based on mission essential tasks. These mission essentials tasks have conditions and standards associated with them. The conditions specify the types of environments that units are likely to face as they execute the tasks, such as weather conditions and political or cultural factors. Standards describe what it means for the unit to successfully execute the task under specified conditions. For example, a unit may have to achieve a 90 percent success rate for measures associated with the task being assessed. In spite of these conditions and standards, DRRS mission assessments are often subjective rather than objective. In DRRS program guidance, DOD has defined mission essential tasks as tasks that are approved by the commander and that, based on mission analysis, are "absolutely necessary, indispensable, or critical to mission success." In prior briefings and reports to Congress, we have noted examples that highlight the subjective nature of DRRS mission assessments. For example, we noted that one commander used his professional judgment to decide that his command was "qualified" to execute a mission even though the preponderance of the "indispensable" tasks that supported that mission were rated as "no." In contrast, other commanders used their professional judgments to rate missions as "qualified" based on one or more "qualified" tasks among many "yes" tasks. DRRS Lacks the Complete Resource and Training Data and System Connectivity Some Users Need to Manage and Deploy Forces: DRRS does not have all of the resource, training, readiness data, and connectivity with the department's operations planning and execution system that the services, Joint Staff, and certain combatant commands need to manage and deploy forces. As a result, DRRS is not yet able to operate as the department's single readiness reporting system, as intended. The Secretary of Defense's and the Under Secretary of Defense's guidance documents recognize that DRRS needs to support the data requirements of multiple users. For example, the Secretary of Defense's June 25, 2004, memorandum directed USD (P&R) to develop DRRS to support the data requirements identified by the Chairman of the Joint Chiefs of Staff, the combatant commanders, the Secretaries of the military departments, and the Chief of the National Guard Bureau. [Footnote 34] Furthermore, the 2002 DRRS directive noted that DRRS was to build upon DOD's existing processes and readiness assessment tools and that ESORTS information (capability, resource, and training), where appropriate, is integrated into DOD's planning systems and processes. It also directed the Chairman of the Joint Chiefs of Staff to maintain the GSORTS database until key capabilities of DRRS become fully operational. Complete and Accurate Current and Historical Data: Officials with U.S. Joint Forces Command and U.S. Special Operations Command reported that historical data are needed to manage forces and provide users the ability to analyze readiness trends.[Footnote 35] Similarly, service officials stated a need for historical data so they can manage their forces and take action to address readiness issues. In 2005, USD (P&R) reported that unit resource data, including detailed inventory and authorization data on personnel, equipment, supply, and ordnance were available in DRRS. However, in response to a survey we conducted in December 2008, the services and certain combatant commands stated that necessary current and historical resource and training data were not available in DRRS. For example, officials from all four services responded that DRRS, at that time, contained less than half of their GSORTS resources and training data. In addition, officials from U.S. Joint Forces Command, U.S. Special Operations Command, the U.S. Strategic Command, and the U.S. Transportation Command all responded that historical resource data were not available in DRRS. We confirmed that this information was still not available when we concluded our review, and in April, 2009, the DIO said it was still working on this data availability issue. Furthermore, user organizations have reported inaccuracies in the data that are available in DRRS. Marine Corps and U.S. Special Operations Command officials stated that inconsistencies between DRRS data and the data in other readiness systems have caused them to adjudicate the inconsistencies by contacting their subordinate units directly. Army officials noted that searches of DRRS data can produce different results than searches in the Army's data systems. For example, they noted that a DRRS search for available personnel with a particular occupational specialty produced erroneously high results because DRRS did not employ the appropriate business rules when conducting the search. Specifically, DRRS did not apply a business rule to account for the fact that an individual person can possess multiple occupational specialty codes but can generally fill only one position at a time. DIO officials informed us that they intend to correct issues with the accuracy of data drawn from external databases. However, the current version of the DRRS Integrated Master Schedule indicates that the ability of DRRS to provide the capability to correctly search, manipulate, and display current and historical GSORTS and mission essential task data will not be complete until June 2010. As a result, the reliability of the DRRS data is likely to remain questionable and a number of DOD organizations will likely continue to rely on GSORTS and other sources of readiness data to support their decision making. Connections to Planning Systems: One important DRRS function is integration with DOD's planning systems. Specifically, the 2002 DRRS directive requires USD (P&R) to ensure that, where appropriate, ESORTS information (capability, resource, and training) is compatible and integrated into DOD's planning systems and processes. Global force management is one of the DOD planning processes that is to be integrated with DRRS. Global Force Management is a process to manage, assess, and display the worldwide disposition of U.S. forces, providing DOD with a global view of requirements and availability of forces to meet those requirements. The integration of DRRS with global force management planning processes is supposed to allow DOD to link force structure, resources, and capabilities data to support analyses, and thus help global force managers fill requests for forces or capabilities. Officials from the four organizations with primary responsibilities for providing forces (U.S. Joint Forces Command, U.S. Special Operations Command, U.S. Strategic Command, and U.S. Transportation Command) all stated that they are unable to effectively use DRRS to search for units that will meet requested capabilities. These commands also reported that DRRS does not currently contain the information and tools necessary to support global force management. For example, officials from U.S. Northern Command told us that when they used DRRS to search for available helicopters of a certain type, they found thousands, but when U.S. Joint Forces Command did the same DRRS search they found hundreds. The current version of the DRRS Integrated Master Schedule indicates that DRRS will not be able to fully support global force management until March 2011. As a result, these commands continue to rely on GSORTS rather than DRRS to support their planning and sourcing decisions. Conclusions: DRRS is not currently and consistently providing timely, objective, and accurate information, and it is not exactly clear where the department stands in its efforts to meet this expectation because system requirements remain in a state of flux, and the program office lacks disciplined program management and results information due to a long- standing lack of rigor in its approach to acquiring and deploying system capabilities. This situation can be attributed, in part, to long- standing limitations in the program office's focus on acquiring human capital skills needed to manage such a complex initiative. It can also be linked to many of years of limited program office oversight and accountability. Although program oversight has recently increased, oversight bodies have not had sufficient visibility into the program's many management weaknesses. DRRS is providing Congress and readiness users with additional mission and mission essential task capability data that were not available in GSORTS. However, after investing about 7 years and about $96.5 million in developing and implementing DRRS, the system's schedule has been extended, requirements are not stable, and the system still does not meet congressional and DOD requirements for a comprehensive readiness reporting system to assess readiness and help decision makers manage forces needed to conduct combat and contingency operations around the world. Given DRRS performance and management weaknesses, it is critical that immediate action be taken to put the program on track and position it for success. Without this action, it is likely that DRRS will cost more to develop and deploy than necessary and that DOD will not have a comprehensive reporting system that meets the needs of all the decision makers who rely on accurate, timely, and complete readiness information. Recommendations for Executive Action: To address the risks facing DOD in its acquisition and deployment of DRRS, and to increase the chances of DRRS meeting the needs of the DOD readiness community and Congress, we recommend that the Secretary of Defense direct the Deputy Secretary of Defense, as the Chair of the Defense Business Systems Management Committee, to reconsider the committee's recent approval of DRRS planned investment for fiscal years 2009 and 2010, and convene the Defense Business Systems Management Committee to review the program's past performance and the DIO's capability to manage and deliver DRRS going forward. To fully inform this Defense Business Systems Management Committee review, we also recommend that the Secretary direct the Deputy Secretary to have the Director of the Business Transformation Agency, using the appropriate team of functional and technical experts and the established risk assessment methodology, conduct a program risk assessment of DRRS, and to use the findings in our report and the risk assessment to decide how to redirect the program's structure, approach, funding, management, and oversight. In this regard, we recommend that the Secretary direct the Deputy Secretary to solicit the advice and recommendations of the DRRS Executive Committee. We also recommend that the Secretary, through the appropriate chain of command, take steps to ensure that the following occur: 1. DRRS requirements are effectively developed and managed with appropriate input from the services, Joint Staff, and combatant commanders, including (1) establishing an authoritative set of baseline requirements prior to further system design and development; (2) ensuring that the different levels of requirements and their associated design specifications and test cases are aligned with one another; and (3) developing and instituting a disciplined process for reviewing and accepting changes to the baseline requirements in light of estimated costs, benefits, and risk. 2. DRRS testing is effectively managed, including (1) developing test plans and procedures for each system increment test event that include a schedule of planned test activities, defined roles and responsibilities, test entrance and exit criteria, test defect management processes, and metrics for measuring test progress; (2) ensuring that all key test events are conducted on all DRRS increments; (3) capturing, analyzing, reporting, and resolving all test results and test defects of all developed and tested DRRS increments; and (4) establishing an effective test management structure that includes assigned test management roles and responsibilities, a designated test management lead and a supporting working group, and a reliable schedule of test events. 3. DRRS integrated master schedule is reliable, including ensuring that the schedule (1) captures all activities from the work breakdown structure, including the work to be performed and the resources to be used; (2) identifies the logical sequencing of all activities, including defining predecessor and successor activities; (3) reflects whether all required resources will be available when needed and their cost; (4) ensures that all activities and their duration are not summarized at a level that could mask critical elements; (5) achieves horizontal integration in the schedule by ensuring that all external interfaces (hand-offs) are established and interdependencies among activities are defined; (6) identifies float between activities by ensuring that the linkages among all activities are defined; (7) defines a critical path that runs continuously to the program's finish date; (8) incorporates the results of a schedule risk analysis to determine the level of confidence in meeting the program's activities and completion date; and (9) includes the actual start and completion dates of work activities performed so that the impact of deviations on downstream work can be proactively addressed. 4. The DRRS program office is staffed on the basis of a human capital strategy that is grounded in an assessment of the core competencies and essential knowledge, skills, and abilities needed to perform key DRRS program management functions, an inventory of the program office's existing workforce capabilities, and an analysis of the gap between the assessed needs and the existing capabilities. 5. DRRS is developed and implemented in a manner that does not increase the reporting burden on units and addresses the timeliness, precision, and objectivity of metrics that are reported to Congress. To ensure that these and other DRRS program management improvements and activities are effectively implemented and that any additional funds for DRRS implementation are used effectively and efficiently, we further recommend that the Secretary direct the Deputy Secretary to ensure that both the Human Resources Management Investment Review Board and the DRRS Executive Committee conduct frequent oversight activities of the DRRS program, and report any significant issues to the Deputy Secretary. Agency Comments and Our Evaluation: In written comments on a draft of this report, signed by the Deputy Under Secretary of Defense (Military Personnel Policy) performing the duties of the Under Secretary of Defense (Personnel and Readiness), DOD stated that the report is flawed in its assessment of DRRS, noting that DRRS is a net-centric application that provides broad and detailed visibility on readiness issues, and that achieving data sharing across the DOD enterprise was groundbreaking work fraught with barriers and obstacles, many of which have now been overcome. In addition, DOD stated that it was disappointed that the report did not address cultural impediments that it considers to be the root cause of many of the issues cited in the report and of many previous congressional concerns on readiness reporting. DOD further stated that the report instead focuses on past acquisition process and software development problems that it believes have now been remedied According to the department, this focus, coupled with inaccurate and misleading factual information included in the report, led us to develop an incomplete picture of the program. Notwithstanding these comments, DOD agreed with two of our recommendations and partially agreed with a third. However, it disagreed with the remaining five recommendations, and provided comments relative to each recommendation. DOD's comments are reprinted in their entirety in appendix III. In summary, we do not agree with DOD's overall characterization of our report or the positions it has taken in disagreeing with five of our recommendations, finding them to be inconsistent with existing guidance and recognized best practices on system acquisition management, unsupported by verifiable evidence, and in conflict with the facts detailed in our report. Further, we recognize that developing DRRS is a significant and challenging undertaking that involves cultural impediments. As a result, our report explicitly focuses on the kind of program management rigor and disciplines needed to address such impediments and successfully acquire complex systems, including effective requirements development and management and executive oversight. We also disagree that our report focuses on past issues and problems. Rather, it provides evidence that demonstrates a long- standing and current pattern of system acquisition and program oversight weaknesses that existed when we concluded our audit work and that DOD has not provided any evidence to demonstrate has been corrected. In addition, we would emphasize that we defined our objectives, scope, and methodology, and executed our audit work in accordance with generally accepted government auditing standards, which require us to subject our approach as well as the results of our audit work to proven quality assurance checks and evidence standards that require us to seek documentation rather than relying solely on testimonial evidence. While we support any departmental efforts, whether completed or ongoing, that would address the significant problems cited in our report, we note that DOD, in its comments, did not specifically cite what these efforts are or provide documentation to support that they have either been completed or are ongoing. Therefore, we stand by our findings and recommendations. Moreover, we are concerned that in light of the program's significant and long-standing management weaknesses, the department's decision not to pursue recommendations aimed at corrective actions for five of our eight recommendations will further increase risk to achieving program success, and is not in the best interests of the military readiness community or the U.S. taxpayer. Accordingly, we encourage the department to reconsider its position when it submits its written statement of the actions taken on our recommendations to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Government Reform , as well has the House and Senate Committees on Appropriations, as required under 31 U.S.C. 720. DOD's specific comments on each recommendation, along with our responses to its comments follow. * The department did not agree with our recommendation for the Deputy Secretary of Defense, as the Chair of the Defense Business Systems Management Committee, to reconsider the committee's recent approval of DRRS planned investment for fiscal years 2009 and 2010, and to convene the Defense Business Systems Management Committee to review the program's past performance and the DIO's capability to manage and deliver DRRS going forward in deciding how best to proceed. In this regard, DOD stated that the Investment Review Board certification and Defense Business Systems Management Committee approval were granted in compliance with the established processes. It also added that oversight of the specific issues identified in this report are the responsibility of the DRRS Executive Committee, which it stated has and will continue to provide appropriate governance for this effort. It also stated that USD (P&R) will ensure that the program is compliant with all acquisition requirements prior to submission for further certifications. We do not question whether the Investment Review Board certification and Defense Business Systems Management Committee approval were provided in accordance with established processes, as this is not relevant to our recommendation. Rather, our point is that the Investment Review Board and Defense Business Systems Management Committee were provided, and thus based their respective decisions, on erroneous and incomplete information about DRRS progress, management weaknesses, and risks. Moreover, neither the Investment Review Board nor the Defense Business Systems Management Committee were informed about the findings in our report, even though we shared each of them with the DRRS program director and other DIO officials prior to both the Investment Review Board and the Defense Business Systems Management Committee deliberations. Therefore, while the Investment Review Board certification and the Defense Business Systems Management Committee approval were granted in accordance with established processes, they were not based on a full disclosure of facts. Moreover, while we support DOD's comment that it will ensure that the program is in compliance with all acquisition requirements prior to further certifications, nothing precludes the board or the committee from reconsidering their respective decisions in light of our report. With respect to DOD's comment that the DRRS Executive Committee has and will continue to provide appropriate governance for this effort, we do not disagree that the DRRS Executive Committee has an oversight role. However, the DRRS Executive Committee should not be solely responsible for oversight of the specific issues in our report. Both the Investment Review Board and the Defense Business Systems Management Committee provide additional layers of oversight pursuant to law[Footnote 36] and DOD policy.[Footnote 37] Accordingly, we stand by our recommendation as it appropriately seeks to have the Investment Review Board and Defense Business Systems Management Committee, in collaboration with the DRRS Executive Committee, act in a manner that is consistent with their respective roles as defined in law. In doing so, our intent is to promote accountability for DRRS progress and performance, and prompt action to address the many risks facing the program. * The department agreed with our recommendation for the Deputy Secretary of Defense, as the chair of the Defense Business Systems Management Committee, to have the Business Transformation Agency conduct a risk assessment of DRRS, and with the advice and recommendation of the DRRS Executive Committee, to use the results of this assessment and the findings in our report to decide how to redirect the program. In this regard, the department stated that this assessment will be complete by the middle of fiscal year 2010. * The department did not agree with our recommendation for ensuring that DRRS requirements are effectively developed and managed. In this regard, it stated that the program has an authoritative set of baseline requirements established with an effective governance process for overseeing the requirements management process, to include biweekly reviews as part of the DRRS configuration control process. We do not agree. At the time we concluded our work, DRRS requirements were not stable, as evidenced by the fact that an additional 530 requirements had been identified that the DIO was still in the process of reviewing and had yet to reach a position on their inclusion, or process them through the DRRS change control governance process. Moreover, when we concluded our work, this change control process had yet to be approved by the DRRS governance structure. As we state in our report, the introduction of such a large number of requirements provided a compelling basis for concluding that requirements had yet to progress to the point that they could be considered sufficiently complete and correct to provide a stable baseline. Our recommendation also noted that the Secretary should take steps to ensure that the different levels of requirements be aligned with one another. DOD's comments did not address this aspect of our recommendation. * The department did not agree with our recommendation for ensuring that DRRS testing is effectively managed. In this regard, it stated that DRRS testing is already in place and performing effectively, and stated, among other things, that (1) the DIO goes through a rigorous testing regimen that includes documenting test plans with user test cases for each incremental release to include utilizing system integration, acceptance, interoperability, and operational testing; (2) user test cases and functionality are validated by designated testers independent of the developers prior to a deployment; and (3) for interoperability testing the DIO has a designated test director and the Joint Interoperability Test Command (JITC) is the designated interoperability and operational test activity. We do not agree. As our report concludes, DRRS testing has not been effectively managed because it has not followed a rigorous testing regimen that includes documented test plans, cases, and procedures. To support this conclusion, our report cites numerous examples of test planning and execution weaknesses, as well as the DIO's repeated inability to demonstrate through requisite documentation that the testing performed on DRRS has been adequate. Our report shows that test events for already acquired, as well as currently deployed and operating, DRRS releases and subreleases were not based on well-defined plans and DOD had not filled its testing director vacancy. Further, our report shows that test events were not fully executed in accordance with plans that did exist, or executed in a verifiable manner, or both. For example, although increments of DRRS functionality had been put into production, the program had no documentation (e.g., test procedures, test cases, test results) to show that the program office had performed system integration testing, system acceptance testing, or operational testing on any DRRS release or subrelease, even though the DIO's test strategy stated that such tests were to be performed before system capabilities became operational. Moreover, evidence showed that the results of all executed test events had not been captured and used to ensure that problems discovered were disclosed to decision makers, and ultimately corrected. With respect to DOD's comments that JITC is the designated lead for interoperability and operational testing, our report recognizes that JITC is to conduct both interoperability and operational testing before the system is deployed and put into production (i.e., used operationally). However, during the course of our audit, the DIO could not produce any evidence to show that interoperability and operational testing of all operating system increments had been conducted. * The department did not agree with our recommendation for ensuring that the DRRS integrated master schedule is reliable. In this regard, it stated that a process is already in place to ensure that the schedule is current, reliable, and meets all the criteria outlined in the recommendation. We do not agree. As our report states, an integrated master schedule for DRRS did not exist until November 2008, which was 2 months after we first requested one. Moreover, following our feedback to the DIO on limitations in this initial version, a revised integrated master schedule was developed in January 2009, which was also not reliable. Subsequently, a revised integrated master schedule was developed in April 2009. However, as we detail in our report, that version still contained significant weaknesses. For example, it did not establish a critical path for all key activities or include a schedule risk analysis, and was not being updated using logic and durations to determine the dates for all key activities. These practices are fundamental to producing a sufficiently reliable schedule baseline that can be used to measure progress and forecast slippages. In addition, the schedule introduced considerable concurrency across key activities and events for several modules, which introduces increased risk. Therefore, we stand by our recommendation. * The department partially agreed with our recommendation for ensuring that it has an effective human capital strategy. In this regard, it stated that actions are underway to add more full-time civilian support to the DIO, and that plans exist to convert some contractor to civilian billets during the 2010/2011 time frame. We support the department's actions and plans described in its comments to address the DIO human capital management limitations discussed in our report, but would note that they do not go far enough to systematically ensure that the program has the right people with the right skills to manage the program in both the near term and the long term. To accomplish this, the department needs to adopt the kind of strategic and proactive approach to DRRS workforce management that our report describes and our recommendation embodies. As our evaluations and research show, failure to do so increases the risk that the program office will not have the people it needs to effectively and efficiently manage DRRS. Therefore, we believe that the department needs to fully implement our recommendation. * The department did not agree with our recommendation to take steps to ensure that DRRS is developed and implemented in a manner that does not increase the reporting burden on units and addresses the timeliness, precision, and objectivity of metrics that are reported to Congress. In this regard, it stated that one of the primary tenets of DRRS has been to reduce reporting requirements on the war fighter. It also stated that DRRS is already using state-of-the-art technology to ensure that near-real-time data are available for the war fighters. Finally it stated that the DRRS governance structure that is currently in place ensures that DRRS development does not deviate from these core principles. While we recognize that a goal of DRRS is to reduce a reporting burden on the war fighter, we disagree with the department's position because the system has not yet achieved this goal. As our report states, while the DIO has developed the software for users to enter mission essential task data into DRRS, the DIO has been unsuccessful in attempts to develop a tool that would allow Air Force and Marine Corps users to enter readiness data to meet all of their readiness reporting requirements through DRRS. As a result, rather than reducing the burden on reporting units, DRRS actually increased the burden on Air Force and Marine Corps units because they were required to report readiness information in both DRRS and GSORTS. Without a viable tool for inputting data, DRRS is not fully integrated with GSORTS or with the service readiness reporting systems and it is not capable of replacing those systems since it does not capture the required data that are contained in those systems. In addition, the DRRS readiness data that are currently reported to Congress are not near-real-time data. Specifically, the periodicity for DRRS capability assessments is the same as the legacy GSORTS system's readiness reports--monthly or when an event occurs that changes a unit's overall readiness. Furthermore, our report shows that DRRS mission assessments are often subjective and imprecise because they are reported on a scale that includes only three ratings--"yes," "no," and "qualified yes," which can include any assessments that fall between the two extremes. Therefore, because additional actions are still needed to reduce reporting burdens and improve the timeliness, precision, and objectivity of the DRRS data that are reported to Congress, we stand by our recommendation. * The department agreed with our recommendation for ensuring that both the Human Resources Management Investment Review Board and the DRRS Executive Committee conduct frequent oversight activities of the DRRS program and report any significant issues to the Deputy Secretary of Defense. In this regard, the department stated that the USD (P&R) component acquisition executive is working with the program to ensure that it becomes fully compliant with all acquisition requirements. In addition, it stated that the acquisition executive will certify to the Human Resources Investment Review Board and the Deputy Chief Management Officer of compliance prior to submission of future certification requests. Further, it stated that the current DRRS governance process will provide sustained functional oversight of the program and that issues that arise in any of these areas will be elevated for review, as appropriate. We believe these are positive steps. We are sending copies of this report to the appropriate congressional committees; the Secretary of Defense; and the Director, Office of Management and Budget. The report will also be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staffs have questions about this report, please contact us at pickups@gao.gov or hiter@gao.gov or at our respective phone numbers, (202) 512-9619 and (202) 512-3439. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix IV. Signed by: Sharon L. Pickup: Director, Defense Capabilities and Management: Signed by: Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: Our objectives were to assess the extent to which (1) the Department of Defense (DOD) has effectively managed and overseen DRRS acquisition and deployment, and (2) features of the Defense Readiness Reporting System (DRRS) have been implemented and are consistent with legislative requirements and DOD guidance. We did not evaluate the department's overall ability to assess the readiness of its forces or the extent that data contained in any of its readiness reporting systems, including DRRS and the Global Status of Resources and Training System (GSORTS), reflect capabilities, deficiencies, vulnerabilities, or performance issues. Our review focused on acquisition and program management issues, such as requirements management, schedule, and human capital requirements; the current usage of DRRS; and the extent to which DRRS' features address legislative requirements and DOD guidance. To determine the extent to which the DRRS acquisition and deployment has been effectively managed and overseen, we focused on the following acquisition management areas: (1) requirements development and management, (2) test planning and execution, (3) DRRS schedule reliability, and (4) human capital planning. In doing so, we analyzed a range of program documentation, such as high-level and detailed-level requirements documentation, test plans and reports, the current DRRS schedule, and program management documentation and interviewed cognizant program and contractor officials. * To determine the extent to which the program had effectively implemented requirements development and management, we reviewed relevant program documentation, such as the concept of operations document, capability requirements document, software requirements document, requirements traceability matrix, configuration management plan, and the program management plan, as well as minutes of change control board meetings, and evaluated them against relevant guidance.[Footnote 38] Moreover, we reviewed briefing slides from meetings of DRRS oversight bodies in order to identify concerns about DRRS expressed by representatives from the DRRS community of users, as well as the efforts by the Joint Staff (at the direction of DRRS Executive Committee) to identify and address any gaps identified by users in the development of DRRS requirements. To determine the extent to which the program has maintained traceability backward to high-level business operation requirements and system requirements, and forward to system design specifications and test plans, we randomly selected 60 program requirements and traced them both backward and forward. This sample was designed with a 5 percent tolerable error rate at the 95 percent level of confidence so that, if we found zero problems in our sample, we could conclude statistically that the error rate was less than 5 percent. In addition, we interviewed program and development contractor officials to discuss the requirements development and management process. * To determine if the DRRS Implementation Office (DIO) is effectively managing DRRS testing, we reviewed relevant documentation, such as the DRRS Test and Evaluation Master Plans and test reports and compared them to DOD and other relevant guidance.[Footnote 39] Further, we reviewed developmental test plans and procedures for each release/ subrelease that to date has either been developed or fielded and compared them with best practices to determine whether test activities had been adequately documented. We also examined test results and reports for the already acquired, as well as currently deployed and operating, DRRS releases and subreleases and compared them against plans to determine whether they had been executed in accordance with plans. Moreover, we reviewed key test documentation, such as the Software Version Descriptions, and compared them against relevant guidance to determine whether defect data were being captured, analyzed, prioritized, and reported. We also interviewed program and contractor officials to gain clarity beyond what was included in the program documentation, including the Defense Information Systems Agency's Joint Interoperability Test Center in order to determine the results of their efforts to independently test DRRS interoperability. In addition, to determine the extent to which the program had effectively tested its system requirements, we observed the DIO's efforts to demonstrate the traceability of 60 program requirements to test cases and results. This sample was designed with a 5 percent tolerable error rate at the 95 percent level of confidence so that, if we found zero problems in our sample, we could conclude statistically that the error rate was less than 5 percent. * To determine the extent to which the program's schedule reflects key estimating practices that are fundamental to having a reliable schedule, we reviewed the DRRS integrated master schedules and schedule estimates and compared them with relevant guidance.[Footnote 40] We also used schedule analysis software tools to determine whether the latest schedule included key information, such as the activities critical to on-time completion of DRRS, a logical sequence of activities, and evidence that the schedule was periodically updated. We also reviewed the schedule to determine the time frames for completing key program activities and to determine any changes to key milestones. In addition, we shared the results of our findings with program and contractor officials and asked for clarifications. We then reviewed the revised schedule, prepared in response to the weaknesses we found, and compared it with relevant guidance. * To evaluate whether DOD is adequately providing for the DRRS program's human capital needs, we compared the program's efforts against relevant criteria and guidance, including our own framework for strategic human capital management.[Footnote 41] In doing so, we reviewed key program documentation, such as the program management plan and the DIO organizational structure to determine whether it reflected key acquisition functions and identified whether these functions were being performed by government or contractor officials. We interviewed key officials to discuss workforce analysis and human capital planning efforts. * To determine the level of oversight and governance available to the DRRS community of users, we attended relevant meetings, met with officials responsible for program certification, and reviewed relevant guidance and program documentation. Specifically, we attended Battle Staff meetings and analyzed briefing slides and meeting minutes from the DRRS Executive Committee, General and Flag Officer's Steering Committee, and Battle Staff meetings--the main DRRS governance bodies. In addition, we reviewed key DRRS certification and approval documentation provided by the Human Resources Management Investment Review Board, such as economic viability analyses and the business system certification dashboard and met with Investment Review Board officials to determine the basis for certifying and approving DRRS. To determine the extent to which the features of DRRS have been implemented and are consistent with legislative requirements and DOD guidance, we first examined the language of Section 117 of Title 10 of the United States Code, which directs the Secretary of Defense to establish a comprehensive readiness reporting system. We identified criteria for this system in DOD's directive formally establishing the system.[Footnote 42] We evaluated the system by conducting interviews-- see table 2 below for a list of these organizations--and receiving system demonstrations from members of the readiness community to determine how they used DRRS and how their usage compared with the criteria established for the system. We also conducted content and data analysis of system documents and briefing packages provided by the DIO and Joint Staff. In order to capture the broadest amount of data about the system we conducted a survey of readiness offices at all of the service headquarters, combatant commands, and the National Guard Bureau regarding how DRRS was currently being used and the types and amount of data available in the system.[Footnote 43] In addition, to track the development of DRRS capabilities, we attended Battle Staff meetings and analyzed documentation from meetings of all the DRRS governance bodies. We also searched for and extracted information from DRRS in order to support other GAO ongoing readiness reviews. While our usage of the system was not intended as a formal test of the system, our general observations concerning system functionality and the range of available data were consistent with the observations of most other users, which were noted in our survey. Table 2: Organizations Interviewed during Our Review: Office of the Under Secretary of Defense (Personnel & Readiness), Arlington, Virginia: U.S Army: * Office of the Deputy Chief of Staff (Operations), Arlington, Virginia. * U.S. Army Forces Command, Fort McPherson, Georgia. * U.S. Army Pacific, Fort Shafter, Hawaii. * Installation Management Command, Pacific Region Office, Fort Shafter, Hawaii. U.S. Navy: * Headquarters Navy, Integrated Fleet Readiness, Arlington, Virginia. * Fleet Forces Command, Norfolk, Virginia. * U.S. Pacific Fleet, Pearl Harbor, Hawaii. U.S. Air Force: * Headquarters, U.S. Air Force (Readiness), Arlington, Virginia. * Air Combat Command, Langley Air Force Base, Virginia. * U.S. Pacific Air Forces, Readiness Branch, Hickam Air Force Base, Hawaii. * 13th Air Force, Hickam Air Force Base, Hawaii. U.S. Marine Corps: * Headquarters Marine Corps (Readiness), Arlington, Virginia. * Marine Forces Command, Norfolk, Virginia. * Marine Forces Pacific, Camp Smith, Hawaii. * Combat Logistics Battalion 3, Kaneohe Bay, Hawaii. U.S. Central Command, MacDill Air Force Base, Florida. U.S. Joint Forces Command, Norfolk, Virginia. U.S. Northern Command, Colorado Springs, Colorado. U.S. Pacific Command, Camp Smith, Hawaii. U.S. Special Operations Command, MacDill Air Force Base, Florida. Source: GAO. [End of table] We conducted our work from April 2008 through August 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Detailed Analysis of DRRS Acquisition and Deployment Management and Oversight: Our research and evaluations of information technology programs have shown that the ability to deliver promised system capabilities and benefits on time and within budget largely depends on the extent to which key program management disciplines are employed by an adequately staffed program management office. Among other things, these disciplines include a number of practices associated with effectively developing and managing system requirements, adequately testing system capabilities, and reliably scheduling the work to be performed. They also include proactively managing the program office's human capital needs, and promoting program office accountability through effective program oversight. Department of Defense (DOD) acquisition policies and guidance, along with other relevant guidance, recognize the importance of these management and oversight disciplines.[Footnote 44] As we have previously reported, not employing these and other program management disciplines increases the risk that system acquisitions will not perform as intended and require expensive and time-consuming rework. Defense Readiness Reporting System (DRRS) acquisition and deployment has for years not been effectively managed in accordance with these key program management disciplines that are recognized in DOD and other relevant guidance, and are fundamental to delivering a system that performs as intended on time and within budget. DRRS Requirements Have Not Been Effectively Developed and Managed: Well-defined and well-managed requirements are a cornerstone of effective system development and acquisition. According to recognized guidance, documenting and implementing a disciplined process for developing and managing requirements can help to reduce the risks of producing a system that is not adequately tested, does not meet user needs, and does not perform as intended.[Footnote 45] Effective requirements development and management includes, among other things, (1) effectively eliciting user needs early and continuously in the system life-cycle process, (2) establishing a stable baseline set of requirements and placing this baseline under configuration management, (3) ensuring that system requirements are traceable backward to higher level business or operational requirements (e.g., concept of operations) and forward to system design documents (e.g., software requirements specification) and test plans, and (4) controlling changes to baseline requirements. DRRS requirements have not been effectively developed and managed. Specifically, (1) key users have only recently become engaged in developing requirements, (2) requirements have been experiencing considerable change and are not yet stable, (3) different levels of requirements and related test cases have not been aligned with one another, and (4) changes to requirements have not been effectively controlled. As a result, efforts to develop and deliver initial DRRS capabilities have taken longer than envisioned and these capabilities have not lived up to the readiness communities' expectations. These failures increase the risk of future DRRS capabilities not meeting expectations and ensure that expensive and time-consuming system rework will be necessary. Recent Actions Have Been Taken to Address Limited User Involvement in Developing and Managing Requirements: One of the leading practices associated with effective requirements development is engaging system users early and continuously in the process of defining requirements. As we have previously reported, assessing user needs early in the process increases the probability of success in defining, designing, and delivering a system that meets user needs and performs as intended.[Footnote 46] To the DRRS Implementation Office's (DIO) credit, the October 2008 DRRS Risk Management Plan recognizes this by stating that the success of DRRS depends on participation and support from the broad readiness community, which includes combatant commands, Joint Staff, and the military services. However, until recently, key users were not effectively engaged in DRRS requirements development and management, although reasons vary why they have not. Specifically, DIO officials told us that beginning in 2002, they reached out to all user groups-- combatant commands, Joint Staff, and the military services--in defining requirements. For example, they cited a July 2002 memorandum issued by the Office of the Under Secretary of Defense for Personnel and Readiness (USD P&R) that encouraged the Director of the Joint Chiefs of Staff, Deputy Commanders of the Combat Commands, Service Operations Deputies, and Directors of Defense Agencies to actively support the DRRS effort by ensuring that their organizations are represented at Battle Staff meetings.[Footnote 47] However, these officials told us that the military services and Joint Staff chose not to participate. In contrast, officials from these user groups told us their involvement had been limited by what they characterized as difficulties in submitting requirements through the DRRS governance boards that were in place at that time. For example, an official from the Joint Forces Command said that the Forces Battle Staff governance board did not meet for about a year between 2005 and 2006. Further, the official said that the meetings that were held did not offer users the opportunity to discuss their concerns or influence the requirements process. Similarly, an official from the Marine Corps cited a lack of clear and transparent communication from the DIO as a significant impediment. Notwithstanding this lack of stakeholder involvement in setting requirements, the Office of USD (P&R) developed and issued a DRRS concept of operations in 2004, which DIO officials told us was based on input from the combatant commands, relevant departmental directives, [Footnote 48] and DRRS governance boards (e.g., Battle Staff). In our view, this document provided a high-level overview of proposed DRRS capabilities from which more detailed requirements could be derived. However, the concept of operations was not approved by all key players in the readiness community. Specifically, DIO officials stated that the document had not been approved by the military services and the Joint Staff. According to these officials, the reason for not seeking all stakeholders' approval, and the decision to begin developing more detailed requirements in the absence of an approved concept of operations, was that the 2002 DRRS DOD directive provided a sufficient basis to begin developing and deploying what they anticipated being the initial versions of DRRS.[Footnote 49] In 2008, after 6 years of effort to define DRRS requirements and develop and deploy system capabilities, the Joint Staff, at the direction of the DRRS Executive Committee, conducted an analysis of DRRS capabilities--referred to as the "capabilities gap analysis." To the Joint Staff's credit, this analysis has appropriately focused on soliciting comments from the entire readiness community and on identifying any gaps between the DRRS requirements and the needs of this community. As will be discussed in the next section, this analysis resulted in 530 additional user requirements. The extended period of limited involvement by key DRRS users in defining a concept of operations and related capabilities and requirements has impeded efforts to develop a clear understanding of DRRS expectations, constraints, and limitations, which, in turn, has contributed to significant delays in providing the readiness community with needed system support. While the recent Joint Staff action to engage the entire DRRS user community is a positive step towards overcoming this long-standing problem, it remains to be seen whether this engagement will produce agreement and commitment across the entire readiness user community around DRRS requirements. DRRS Requirements Are Not Stable: As previously noted, establishing an authoritative set of baseline requirements prior to system design and development is necessary to design, develop, and deliver a system that performs as intended and meets users' operational needs.[Footnote 50] In general, a baselined set of requirements are those that are defined to the point that extensive changes are not expected, placed under configuration management, and formally controlled.[Footnote 51] DRRS requirements are currently in a state of flux. Specifically, the fact that 530 new user requirements have recently been identified means that the suite of requirements documentation associated with the system will need to be changed and thus are not stable. To illustrate, program officials told us that, as of late February 2009, these 530 new requirements had not been fully evaluated by the DIO and DRRS governance boards and thus not yet approved. As a result, their impact on the program is not clear. Compounding this instability in the DRRS requirements is the fact that additional changes are envisioned. According to program officials, the changes resulting from the gap analysis and reflected in the latest version of the DRRS concept of operations, which was approved by the DRRS Executive Committee in January 2009, have yet to be reflected in other requirements documents, such as the detailed system requirements. Although defining and developing requirements is inherently an iterative process, having a baseline set of requirements that are stable is a prerequisite to effective and efficient development of an operationally capable and suitable system. Without them, the DIO will not be able to deliver a system that meets user needs on time, and it is unlikely that future development and deployment efforts will produce better results. Alignment among Requirements and Related System Design and Testing Artifacts Has Not Been Demonstrated: One of the leading practices associated with developing and managing requirements is maintaining bidirectional traceability from high-level operational requirements (e.g., concept of operations and functional requirements) through detailed lower-level requirements and design documents (e.g., software requirements specification) to test cases. Such traceability is often accomplished through the use of a requirements traceability matrix, which serves as a crosswalk between different levels of related requirements, design, and testing documentation. The DRRS program management plan recognizes the importance of traceability, stating that requirements are to be documented and linked to acceptance tests, scripts, and criteria. Despite the importance of traceability, DIO officials could not demonstrate that requirements and related system design and testing artifacts are properly aligned. Specifically, we attempted on three separate occasions to verify the traceability of system requirements backward to higher-level requirements and forward to lower-level software specifications and test cases, and each time we found that traceability did not exist. Each attempt is discussed here: * In November 2008, our analysis of the requirements traceability matrix and the software requirements specification showed significant inconsistencies. For example, the traceability matrix did not include 29 requirements that were included in the software requirements specification. As a result, we did not have an authoritative set of requirements to use to generate a random sample of requirements to trace. Program officials attributed the inconsistencies to delays in updating all the documents to reflect the aforementioned capability gap analysis. They also stated that these documents would be updated by December 2008. * In December 2008, we used an updated requirements traceability matrix to generate a randomized sample of 60 software requirements specifications and observed a DIO demonstration of the traceability of this sample. However, DIO officials were unable to demonstrate for us that these specifications could be traced backward to higher-level requirements and forward to test cases. Specifically, attempts to trace the first 21 requirements forward to test cases failed, and DIO officials stated that they could not trace the 60 requirements backward because the associated requirements documents were still being updated. According to the officials, 11 of the 21 could not be traced forward because these were implemented prior to 2006 and the related test information was not maintained by the program office but rather was at the development contractor's site. They added that the remaining 10 either lacked test case information or test results. * In February 2009, we used an updated DIO-provided requirements traceability matrix, a capabilities requirement document, and software requirements specification to generate another randomized sample of 60 detailed specifications. We then observed the development contractor's demonstration of traceability using the contractor's requirements management tool. Because of time constraints, this demonstration focused on 46 of the 60 requirements, and it showed that adequate traceability still did not exist. Specifically, 38 of the 46 could not be traced backward to higher-level requirements or forward to test cases. This means that about 83 percent of the DRRS specifications (95 percent degree of confidence of being between 72 and 91 percent) were not traceable. Of the 38, 14 did not trace because of incomplete traceability documentation; 5 due to inconsistent traceability documentation; 3 due to requirements not being resident in the tracking tool; and 16 due to no actual development work being started. In addition, none of the 46 requirements were traceable to the January 2009 concept of operations. According to contractor officials, this is because the newly developed capability requirements document is considered to be a superset of the concept of operations, and thus traceability to this new document is their focus. However, they were unable to demonstrate traceability to the requirements in either the capability requirements document or the concept of operations. Further, we also found numerous inconsistencies among the capabilities requirements document, software requirements specification, and the requirements traceability matrix. For example, 15 capabilities requirements listed on the traceability matrix were not listed in the capabilities requirements document, but were listed in the updated software requirements specification, dated February 2009. Further, one requirement listed in the traceability matrix was not listed in either of these documents. One possible reason for these inconsistencies is that the traceability matrix was prepared manually, rather than being automatically generated from the tool, which would increase the probability of these and other discrepancies caused by human error. Another reason cited by program officials is that test results that occurred prior to October 2006 had yet to be fully recorded in the contractor's tracking tool. DIO and contractor officials attributed the absence of adequate requirements traceability to the ongoing instability in requirements and magnitude of the effort to update the chain of preexisting and new requirements documentation. They added that they expect traceability to improve as requirements become more stable and the documentation is updated. Regardless, the DIO has and continues to invest in the development of DRRS in the absence of requirements traceability. Without traceable requirements, the DIO does not have a sufficient basis for knowing that the scope of the design, development, and testing efforts will produce a system solution on time and on budget and that will meet users' operational needs and perform as intended. As a result, the risk is significant that expensive and time-consuming system rework will be required. Changes to Requirements Are Not Being Effectively Controlled: Adopting a disciplined process for reviewing and accepting changes to an approved and authoritative baseline set of requirements in light of the estimated costs, benefits, and risk of each proposed change is a recognized best practice. Elements of a disciplined process include: (1) formally documenting a requirements change process; (2) adopting objective criteria for considering proposed changes, such as estimated cost or schedule impact; and (3) rigorously adhering to the documented change control process. Since the inception of the program in 2002, DRRS has been developed and managed without a formally documented and approved process for managing changes to system requirements. Further, while requirements management and change control plans were developed in 2006 by the DRRS software development contractor, according to DIO officials, the plans were not adequate. For example, the plans did not detail how DRRS user requirements were collected or how objective factors, such as cost, impacted development decisions. To address these problems, the Joint Staff developed what it referred to as a conceptual requirements change control process in February 2008, which was to serve as a basis for the DIO to develop more detailed plans that could be implemented. Eleven months later, in January 2009, the DIO drafted more detailed plans--a DRRS requirements management plan and a DRRS requirements configuration management plan, the latter of which the DIO updated in March 2009. Specifically, the draft plans call for new DRRS requirements to be collected using an online tool and reviewed by the DIO to determine whether the requirement constitutes a major change to DRRS. Once approved, the DIO and the contractor are to provide the Battle Staff with a formatted report specifying the anticipated benefit of each new requirement and an initial analysis of the cost and performance impact. The Battle Staff then is to prioritize the requirement based on the DIO's impact analysis. If the issue cannot be resolved by the Battle Staff, it is to be elevated to the senior oversight bodies (i.e., the General Officer's Steering Committee and the DRRS Executive Committee). After a requirement has been approved, the software developer may prepare a more detailed "customer acceptance document" that analyzes the potential cost, schedule, and quality impact to DRRS objectives, which is then to be reviewed by the DIO at subsequent Change Control Board meetings. However, according to the user community and the DIO Director, the revised plans have not been submitted for review and approval to the DRRS community. Specifically, they stated that only a proposed process flow diagram was briefed at the Battle Staff, and according to them, the change control process was still being evaluated. Moreover, the DIO has yet to implement key aspects of its draft plans. For example, the DRRS Chief Engineer stated that until recently, the DIO had continued to accept changes to DRRS requirements that were submitted outside of the designated online tool. In addition, the reports that the Battle Staff are to use in making their requirement change determination do not include the anticipated benefit and estimated cost or schedule impact of new requirements. Rather, these reports only include the estimated number of hours necessary to complete work on a proposed requirement. Moreover, contractor officials and users from the Special Operations Command told us that cost or schedule impacts have rarely been discussed at the Battle Staff or Change Control Board meetings. Our analysis of minutes from change control meetings confirmed this. Furthermore, the DRRS Chief Engineer stated that the customer acceptance documents have only recently been used. Until the DIO effectively controls requirements changes, it increases the risk of needed DRRS capabilities taking longer and costing more to deliver than necessary. DRRS Testing Has Not Been Adequately Performed and Key Test Management Structures and Controls Have Not Been Established: Effective system testing is essential to successfully developing and deploying systems like DRRS. According to DOD and other relevant guidance, system testing should be progressive, meaning that it should consist of a series of test events that first focus on the performance of individual system components, then on the performance of integrated system components, followed by system-level tests that focus on whether the system (or major system increments) are acceptable, interoperable with related systems, and operationally suitable to users. [Footnote 52] For this series of related test events to be conducted effectively, (1) each test event needs to be executed in accordance with well- defined test plans, (2) the results of each test event need to be captured and used to ensure that problems discovered are disclosed and corrected, and (3) all test events need to be governed by a well- defined test management structure. Despite acquiring and partially deploying a subset of DRRS increments, the DIO cannot demonstrate that it has adequately tested any of these system increments, referred to as system releases and subreleases. Specifically, (1) the test events for already acquired, as well as currently deployed and operating, DRRS releases and subreleases were not based on well-defined plans, and test events have not been fully executed in accordance with plans or executed in a verifiable manner, or both; (2) the results of executed test events have not been captured and used to ensure that problems discovered were disclosed to decision makers and ultimately corrected; and (3) the DIO has not established an effective test management structure to include, for example, a clear assignment of test management roles and responsibilities, or a reliable schedule of planned test events. Compounding this absence of test management structures and controls is the fact that the DIO has yet to define how the series of system releases and subreleases relate to its recent restructuring of DRRS increments into a series of 10 modules. Collectively, this means that it is unlikely that already developed and deployed DRRS capabilities can perform as intended and meet user operational needs. Equally doubtful are the chances that the DIO can adequately ensure that yet-to-be developed DRRS capabilities will meet expectations. DIO Has Not Adequately Planned and Executed Key Test Events: Key tests required for already developed and partially fielded DRRS increments either did not have well-defined test plans, or these tests have yet to be conducted. According to program documentation, system releases and subreleases have been subjected to what are described as 30-day test cycles, during which: (1) a Software Test Plan is updated if applicable, (2) test procedures are developed and incorporated in the Software Test Description, (3) a series of developmental tests on each release/subrelease is performed, (4) weekly meetings are held to review software defects identified during testing, (5) final test results are summarized within the Software Test Report and Software Version Description, and (6) the release/subrelease is made available to users. However, the program office has yet to provide us with the developmental test plans and procedures for each release/subrelease that to-date has either been developed or fielded. Instead, it provided us with a Software Test Plan and two Software Test Descriptions that it said applied to two subreleases within release 4.0. However, available information indicates that DRRS subreleases total at least 63, which means that we have yet to receive the test plans and procedures for 61. Further, the test plan that we were provided is generic in nature, meaning that it was not customized to apply specifically to the two subreleases within Release 4.0. Moreover, the plan and procedures lack important elements specified in industry guidance.[Footnote 53] For example, the test plan does not include a schedule of activities to be performed or defined roles and responsibilities for performing them. Also, the test plan does not consistently include test entrance and exit criteria, a test defect management process, and metrics for measuring progress. Moreover, the DIO has yet to demonstrate that it has performed other key developmental and operational test events that are required before the software is fielded for operational use. According to DIO officials, developmental testing concludes only after system integration testing and system acceptance testing, respectively, are performed. Further, following developmental testing, the Joint Interoperability Test Command (JITC), which is a DOD independent test organization, is to conduct both interoperability and operational testing before the system is deployed and put into production (i.e., used operationally). Although increments of DRRS functionality have been put into production, the DIO has not performed system integration testing, system acceptance testing, or operational testing on any DRRS release or subrelease. Further, JITC documentation shows that while an interoperability test of an increment of DRRS functionality known as ESORTS was conducted, this test did not result in an interoperability certification.[Footnote 54] According to JITC and Joint Staff officials, this was because the DIO did not address JITC's identified limitations to the program's Information Support Plan, which identifies essential information-exchange sharing strategies between interdependent systems that are needed for interoperability certification. Without interoperability certification, the ability of the DRRS to exchange accurate and timely readiness data with other critical systems, such as the Joint Operation Planning and Execution System, cannot be ensured. Similarly, while DIO officials stated that acceptance testing has occurred for one increment of DRRS functionality known as SORTSREP, the DIO does not have either a finalized acceptance test plan or documented test results. [Footnote 55] Furthermore, the integrated master schedule (last updated in April 2009) shows that acceptance testing is not to occur until the July/August 2009 time frame, which is about 15 months later than originally envisioned. Moreover, this delay in acceptance testing has in turn delayed interoperability and operational testing by 16 months (May/June 2008 to September/November 2009), according to the latest schedule. Program officials attributed the delays to Marine Corps and Air Force concerns about the quality of SORTSREP. Until the DIO has effectively planned and executed the series of tests needed to demonstrate the readiness of DRRS increments to operate in a production environment, the risk of fielded system increments not performing as intended and requiring expensive rework to correct will be increased, and DOD will continue to experience delays in delivering mission-critical system capabilities to its readiness community. DIO Has Not Adequately Documented and Reported Test Results: Available results of tests performed on already developed and at least partially deployed DRRS releases/subreleases show that the test results have not been effectively captured and analyzed, and have not been fully reported. Moreover, test results for other releases/subreleases do not exist, thus minimizing the value of any testing that has been performed. According to relevant guidance, effective system testing includes recording the results of executing each test procedure and test case as well as capturing, analyzing, correcting, and disclosing to decision makers problems found during testing (test defects). [Footnote 56] It also includes ensuring that test entry and exit criteria are met before beginning and ending, respectively, a given test event. The DIO does not have test results of all developed and tested DRRS releases and subreleases. Specifically, program officials provided us with the Software Test Reports and Software Version Descriptions that, based on program documentation, represent the full set of test results for three subreleases and a partial set of test results for 40 subreleases within releases 1.0, 3.0, and 4.0. However, as noted earlier, DRRS subreleases total at least 63, which means that test reports and results for at least 20 subreleases do not exist. Moreover, the test reports and version descriptions that we received do not consistently include key elements provided for in industry guidance, such as a documented assessment of system capabilities and limitations, entrance/exit criteria status, an assessment as to whether the applicable requirements/thresholds were met, and unresolved defects and applicable resolution plans. [Footnote 57] This information is important because it assists in determining and disclosing to decision makers current system performance and efforts needed to resolve known problems, and provides program officials with a needed basis for ensuring that a system increment is ready to move forward and be used. Without this information, the quality and readiness of a system is not clear. Furthermore, the DIO does not have detailed test defect documentation associated with all executed DRRS test events. According to relevant guidance, defect documentation should, among other things, identify each issue discovered, assign each a priority/criticality level, and provide for each a strategy for resolution or mitigation. [Footnote 58] In lieu of detailed test defect documentation, program officials referred us to the above-mentioned Software Version Descriptions, and stated that additional information is available in an automated tool, known as the ISI BugTracker, that it uses to capture, among other things, defect data. However, these documents do not include the above- cited defect information, and defect data for each test event do not exist in the ISI BugTracker. Compounding the absence and limitations of test results are weaknesses in the program office's process for collecting such results during test execution. According to relevant guidance, test results are to be collected and stored according to defined procedures and placed under appropriate levels of control. [Footnote 59] Furthermore, these test results are to be reviewed against the source data to ensure that they are complete, accurate, and current. For DRRS, the program office is following a partially undocumented, manual process for collecting and storing test results and defects that involves a database and layers of documentation. As explained by program officials and documentation, the DIO initially documents defects and completed test case results manually on paper forms, and once the defect is approved by the test lead, it is input into a database. However, it does not have written procedures governing the entire process, and thus key controls, such as assigned levels of authority for database read/write access, are not clearly defined. Moreover, once the test results and defects are input into the database, traceability back to the original test data for data integrity checks cannot be established because the program office does not retain these original data sets. Program officials acknowledged these internal control weaknesses and stated that they intend to adopt a new test management tool that will allow them to capture in a single database test cases, test results, and test defects. Furthermore, the DIO's process for analyzing and resolving test defects has limitations. According to relevant guidance and the draft SORTSREP Test and Evaluation Master Plan (TEMP), defects should be analyzed and prioritized.[Footnote 60] However, the program office has not established a standard definition for defect priority levels identified during testing. For example, the various release/subrelease test reports (dated through January 2009) prioritize defects on a scale of 1- 3, where a priority 2 means critical but with a viable workaround. In contrast, the SORTSREP TEMP (dated January 2009) prioritizes defects on a scale of 1-5, where a priority 2 means an error that adversely affects the accomplishment of an operational or mission essential function in accordance with official requirements so as to degrade performance and for which no alternative work around solution exists. By not using standard priority definitions for categorizing defects, the program office cannot ensure that it has an accurate and useful understanding of the scope and magnitude of the problems it is facing at any given time, and it will not know if it is addressing the highest priority issues first. In addition, the DIO has not ensured that critical defects are corrected prior to concluding a given test event. According to relevant guidance and the draft SORTSREP TEMP, all critical and high defects should be resolved prior to the conclusion of a test event, and all test results should be reviewed for validity and completeness.[Footnote 61] However, the DRRS release/subrelease test reports show that the DIO concluded five test events even though each had at least 11 open critical defects (priority 1 defects with no workaround). Moreover, these numbers of open critical defects are potentially higher because they do not include defects for which a solution was identified but the solution failed during regression testing and do not include defects that were dismissed because the program official was unable to recreate it. Until the DIO adequately documents and reports the test results, and ensures that severe problems discovered are corrected prior to concluding a given test event, the probability of incomplete test coverage, and insufficient and invalid test results, is increased, thus unnecessarily increasing the risk of DRRS not meeting mission needs or otherwise not performing as intended. DIO Has Not Established an Effective Test Management Structure: The DIO does not have an effective test management structure, to include a well-defined overall test management plan that clearly assigns test management roles and responsibilities, a designated test management lead and a supporting working group, and a reliable schedule of planned test events. According to relevant guidance, these aspects of test management are essential to adequately planning, executing, and reporting a program's series of test events. [Footnote 62] Although the program has been underway for 8 years, it did not have an overarching DRRS TEMP until very recently (February 2009), and this plan is still in draft and has yet to be approved. Further, this draft TEMP does not clearly define DRRS test management roles and responsibilities, such as those of the test manager, and it does not include a reliable schedule of test events that reflect the program's recent restructuring of its software releases/subreleases into 10 modules. According to DIO officials, they recently decided not to approve this overarching TEMP. Instead, they said that they now intend to have individual TEMPs for each of the recently defined 10 modules, and to have supporting test plans for each module's respective developmental and operational test events. According to program documentation, three individual TEMPs are under development (i.e., SORTSREP tool and the Mission Readiness and Readiness Review modules). However, drafts of these TEMPs also do not clearly define test entrance and exit criteria, test funding requirements, an integrated test program schedule, and the respective test management roles and responsibilities. For example, while the draft SORTSREP TEMP identifies the roles and responsibilities of some players, such as the test manager, the personnel or organization that is to be responsible is not always identified. In addition, while the various players in the user community are identified (i.e., military services, combatant commands), their associated roles or responsibilities are not. Furthermore, the DIO has yet to designate a test management lead and establish an effective test management working group. According to relevant guidance, test management responsibility and authority should be assigned to an individual, and this individual should be supported by a working integrated product team that includes program office and operational testing representatives.[Footnote 63] Among other things, the working integrated product team is to develop an overall system test strategy. However, DIO officials told us that the test manager position has been vacant, and this position is now being temporarily filled by the program's chief engineer, who is a contractor. Furthermore, although DRRS system development began prior to 2004, a charter for a test and evaluation working integrated product team was not issued until February 2009. According to DIO officials, the delay in establishing the team has not had any impact because of corresponding delays in finalizing the program's overall test strategy. However, this statement is not consistent with the Defense Acquisition Guidebook, which states that two of the key products of the working integrated product team are the program's test strategy and TEMP. Further, JITC officials stated that the lack of a test manager and an active test and evaluation working integrated product team have reduced the effectiveness of DRRS testing activities. As a result, they stated that they have had to compensate by conducting individual meetings with the user community to discuss and receive documentation to support their operational and interoperability test planning efforts. Moreover, the DIO has yet to establish a reliable schedule of planned test events. For example, the schedule in the TEMPs is not consistent with either the integrated master schedule or the developmental test plans. Specifically, the draft SORTSREP TEMP (last updated in January 2009) identifies SORTSREP developmental testing occurring through January 2009 and ending in early February 2009, while the integrated master schedule (last updated in April 2009) shows SORTSREP development testing as occurring in the July/August 2009 time frame. In addition, while program officials said that development testing for SORTSREP has occurred, the associated development test plans (e.g., system integration and system acceptance test plans) had no established dates for test execution, and are still in draft. As another example, a module referred to as "Mission Readiness" had no established dates for test execution in its TEMP, and while program documentation indicates that this module completed development testing in December 2008, the associated development test plans (e.g., system integration and system acceptance test plans) do not exist[Footnote 64].: In addition, the DIO has yet to define in its draft TEMPs how the development and testing to date of at least 63 subreleases relate to the development and testing of the recently established 10 system modules. According to Joint Staff and JITC officials, they do not know how the releases/subreleases relate to the modules, and attributed this to a lack of an approved description for each module that includes what functionality each is intended to provide. Furthermore, the high-level schedule in the TEMP does not describe what test events for the DRRS releases/subreleases that have already been developed and deployed relate to the development test efforts planned for the respective modules. These problems in linking release/subrelease test events to module test events limit the DIO and JITC in leveraging the testing already completed, which in turn will impact the program's ability to meet cost, schedule, and performance expectations. Collectively, the weaknesses in this program's test management structure increase the chances that the deployed system will not meet certification and operational requirements, and will not perform as intended. DRRS Has Not Been Guided by a Reliable Schedule: The success of any program depends in part on having a reliable schedule that defines, among other things, when work activities will occur, how long they will take, and how they are related to one another. As such, the schedule not only provides a road map for the systematic execution of a program, but also provides the means by which to gauge progress, identify and address potential problems, and promote accountability. From its inception in 2002 until November 2008, the DIO did not have an integrated master schedule. Moreover, the only milestone that we could identify for the program prior to November 2008 was the date that DRRS was to achieve full operational capability, which was originally estimated to occur in fiscal year 2007, but later slipped to fiscal year 2008 and then fiscal year 2011, and is now fiscal year 2014--a 7-year delay. In addition, the DRRS integrated master schedule that was developed in November 2008, and was updated in January 2009 and again in April 2009 to address limitations that we identified and shared with the program office, is still not reliable. Specifically, our research has identified nine practices associated with developing and maintaining a reliable schedule.[Footnote 65] These practices are (1) capturing all key activities, (2) sequencing all key activities, (3) assigning resources to all key activities, (4) integrating all key activities horizontally and vertically, (5) establishing the duration of all key activities, (6) establishing the critical path for all key activities, (7) identifying float between key activities, (8) conducting a schedule risk analysis, and (9) updating the schedule using logic and durations to determine the dates for all key activities.[Footnote 66] However, the program's latest integrated master schedule does not address three of the practices and only partially addresses the remaining six. For example, the schedule does not establish a critical path for all key activities, include a schedule risk analysis, and it is not being updated using logic and durations to determine the dates for all key activities. Further, it does not fully capture, sequence, and establish the duration of all key work activities; fully assign resources to all key work activities; fully integrate all of these activities horizontally and vertically; and fully identify the amount of float-- the time that a predecessor activity can slip before the delay affects successor activities--between these activities. These practices are fundamental to producing a sufficiently reliable schedule baseline that can be used to measure progress and forecast slippages. (See table 3 for the results of our analyses relative to each of the nine practices.) Table 3: DRRS Satisfaction of Nine Schedule-Estimating Key Practices: Practice: Capturing all activities; Explanation: The schedule should reflect all key activities (e.g., steps, events, outcomes, etc.) as defined in the program's work breakdown structure, to include activities to be performed by both the government and its contractors; Practice met? Partially; GAO analysis: The schedule reflects many key activities as defined in the program's work breakdown structure. However, key activities are identified only as milestones rather than in terms of work to be performed and accomplished to achieve the milestones. Thus, the schedule does not account for all work to be performed. As a result, the reliability of the milestones is questionable. Practice: Sequencing all activities; Explanation: The schedule's activities need to be logically sequenced in the order that they are to be carried out. In particular, activities that must finish prior to the start of other activities (i.e., predecessor activities) as well as activities that cannot begin until other activities are completed (i.e., successor activities) should be identified. By doing so, interdependencies among activities that collectively lead to the accomplishment of key events or milestones can be established and used as a basis for guiding work and measuring progress; Practice met? Partially; GAO analysis: The schedule identifies some predecessor and successor activities, but not all. Specifically, out of 290 key activities, 139 do not identify predecessor activities and 121 do not identify successor activities. DIO officials stated that this is because interdependencies are discussed and addressed at various meetings, and thus do not need to be in the schedule. However, recognition of such interdependencies in the schedule is necessary to logically link tasks and events and thereby calculate dates and predict changes in the future. Without proper linkages, tasks that slip early in the schedule do not transmit delays to tasks that should depend on them. By not logically linking all key activities, the schedule does not provide a sufficient basis for understanding the program as a whole, and confidence that the right dates or critical paths are represented is low. This means that the DIO cannot use its schedule to identify disconnects as well as hidden opportunities, and cannot otherwise promote efficiency and accuracy, and control the program by comparing actual to planned progress. Practice: Assigning resources to all activities; Explanation: The schedule should realistically reflect what resources (i.e., labor, material, and overhead) are needed to do the work, whether all required resources will be available when they are needed, and whether any funding or time constraints exist; Practice met?: Partially; GAO analysis: The schedule identifies 15 resources that are assigned to various activities. However, important information is not included, which hampers its usefulness. For example, one benefit of loading resource information is to ensure that resources in short supply will not be overscheduled in any time period. However, the schedule does not define the amount of each resource that is available, but instead assumes only one unit of each resource is available. As a result, 10 of the 15 types of resources (e.g., information assurance and test and evaluation) in the schedule are overscheduled and thus estimated completion dates are not realistic. Further, the schedule does not identify the costs of the resources. Knowing the cost of resources is important, because some resources, such as labor, can cost more if the program takes longer. Practice: Establishing the duration of all activities; Explanation: The schedule should realistically reflect how long each activity will take to execute. In determining the duration of each activity, the same rationale, historical data, and assumptions used for cost estimating should be used for schedule estimating. Further, these durations should be as short as possible, and they should have specific start and end dates. Excessively long periods needed to execute an activity (i.e., greater than 2-3 months) should prompt further decomposition of the activity so that shorter execution durations will result; Practice met? Partially; GAO analysis: The schedule establishes the duration of key activities and includes specific start and end dates. However, the activities are not always of short duration. For example, 23 activities have remaining durations that exceed 100 days (108 to 551 days). By having a schedule summarized at too high a level, the program runs the risk of masking critical work elements within the key activities associated with executing the program and fails to show the risk management approaches being used. Further, it risks masking the schedule's true critical path. Practice: Integrating schedule activities horizontally and vertically; Explanation: The schedule should be horizontally integrated, meaning that it should link the products and outcomes associated with already sequenced activities. These links are commonly referred to as "hand offs" and serve to verify that activities are arranged in the right order to achieve aggregated products or outcomes. The schedule should also be vertically integrated, meaning that traceability exists among varying levels of activities and supporting tasks and subtasks. Such mapping or alignment among levels enables different groups to work to the same master schedule; Practice met? Partially; GAO analysis: The schedule is not horizontally integrated, meaning that the activities are not arranged in the right order to achieve aggregated products or outcomes. This is because, as previously noted, many activities do not identify interdependencies (predecessor and successor activities). As a result, management lacks information on how a slippage in completing one activity will affect others. In contrast, the schedule is vertically integrated, meaning that for those key activities that are identified, traceability exists among varying levels of activities and that lower-level activities are within the constraints of higher-level activities. Practice: Establishing the critical path for all activities; Explanation: The critical path--the longest duration path through the sequenced list of key activities--should be identified using scheduling software. The establishment of a program's critical path is necessary for examining the effects of any activity slipping along this path. High-risk activities along or near the critical path should also be identified and associated time impacts of these risks should be reflected in the schedule; Practice met?: No; GAO analysis: The schedule does not identify a valid critical path because there is no logical link between the program's key activities. Instead, the activities are presented as being independent from one another. Without a critical path, management cannot know the activities critical to the on-time completion of DRRS, or the impact of any changes to activities on the path. Practice: Identifying float between activities; Explanation: The schedule should identify float time so that schedule flexibility can be determined. As a general rule, activities along the critical path typically have the least amount of float time; Practice met? Partially; GAO analysis: The schedule identifies the amount of float allocated to key activities. However, the amount of float associated with 56 of these activities is unusually large (100 - 461 days). Such large amounts of float time can be attributed to the fact that many of the activities do not identify linkages to other activities (predecessor or successor activities). In addition, the amount of float between activities is of questionable accuracy because activity dependencies (predecessor or successor activities) are often not identified. Instead, the start and completion dates for many activities are imposed, rather than based on logic, such as an activity not starting until its predecessor is completed. Further, it is unclear whether activities along the critical path have the least amount of float because, as previously noted, the schedule does not have a valid critical path. Practice: Conducting a schedule risk analysis; Explanation: A schedule risk analysis uses a good critical path method schedule and data about project schedule risks as well as Monte Carlo simulation[A] techniques to predict the level of confidence in meeting a program's completion date, the amount of time contingency needed for a level of confidence, and the identification of high-priority risks. This analysis focuses not only on critical path activities but also on other schedule paths that may become critical. Schedule reserve for contingencies should be calculated by performing a schedule risk analysis. As a general rule, the reserve should be held by the project or program manager and applied as needed to those activities that take longer than scheduled because of the identified risks. Reserves of time should not be apportioned in advance to any specific activity since the risks that will actually occur and the magnitude of their impact is not known in advance; Practice met? No; GAO analysis: The program office did not perform a schedule risk analysis. Without this analysis, the office cannot sufficiently understand the level of confidence in meeting the program's completion date and identifying reserves for contingencies. Practice: Updating the schedule using logic and durations to determine the dates; Explanation: The schedule should use logic and durations in order to reflect realistic start and completion dates for program activities. The schedule should be continually monitored to determine when forecasted completion dates differ from the planned dates, which can be used to determine whether schedule variances will affect downstream work. Maintaining the integrity of the schedule logic is not only necessary to reflect true status, but is also required before conducting a schedule risk analysis. The schedule should avoid logic overrides and artificial constraint dates that are chosen to create a certain result on paper. To ensure that the schedule is properly updated, individuals trained in critical path method scheduling should be responsible for updating the schedule's status; Practice met? No; GAO analysis: The realism of start and completion dates for some activities is questionable because, as previously noted, some activities do not identify logical relationships (i.e., interdependencies with other activities) or are of unusually lengthy duration. In addition, there is no "status date" information in the schedule (i.e., evidence the overall schedule is updated on a regular basis to capture actual start and completion dates). Without this information, the impact of deviations on downstream work cannot be fully understood and proactively addressed. In addition, some dates in the schedule were updated erroneously. For example, the schedule shows 25 activities as having actual start dates in the future, including 6 starting in 2010, even though the updated schedule was developed in April 2009. Likewise, there are 12 activities with actual 100 percent complete finish dates that range from May 2009 to July 2010. Source: GAO analysis of DOD data. [A] A Monte Carlo simulation allows the model's parameters to vary simultaneously according to their associated probability distribution. The result is a set of estimated probabilities of achieving alternative outcomes, given the uncertainty in the underlying parameters. [End of table] The limitations in the program's latest integrated master schedule, coupled with the program's 7-year slippage to date, make it likely that DRRS will incur further delays. Compounding these limitations is the considerable concurrency in the key activities and events in the schedule associated with the 10 recently identified system modules (see figure 2). For example, in 2010 alone, the program office plans to complete development testing on 2 modules and operational testing on 3 modules, while also reaching initial operational capability on 3 modules and full operational capability on 2 modules. By way of comparison, the program office had almost no concurrency across a considerably more modest set of activities and events over the last 5 years, but nevertheless has fallen 7 years behind schedule. As previously reported, such significant overlap and concurrency among major program activities can create contention for limited resources and thus introduce considerable cost, schedule, and performance risks. [Footnote 67] Figure 2: Schedule for Developing and Implementing DRRS Capabilities: [Refer to PDF for image: illustrated table] Modules: Joint Mission Readiness: Begin planning, design, and development: Mid-2004; Complete developmental testing and evaluation: Late 2008; Complete operational testing and evaluation: Late 2009; Complete initial operational capability: Late 2004; Complete final operational capability: Early 2011. Modules: Unit Mission Readiness: Begin planning, design, and development: Mid-2004; Complete developmental testing and evaluation: Mid-2009; Complete operational testing and evaluation: Late 2009; Complete initial operational capability: Late 2009; Complete final operational capability: Mid-2010. Modules: Asset Visibility: Begin planning, design, and development: Early 2007; Complete developmental testing and evaluation: Mid-2010; Complete operational testing and evaluation: Late 2010; Complete initial operational capability: Late 2010; Complete final operational capability: Mid-2011. Modules: Business Intelligence: Begin planning, design, and development: Late 2008; Complete developmental testing and evaluation: Early 2011; Complete operational testing and evaluation: Mid-2011; Complete initial operational capability: Mid-2010; Complete final operational capability: Mid-2011. Modules: Installation Readiness: Begin planning, design, and development: Early 2009; Complete developmental testing and evaluation: Mid-2010; Complete operational testing and evaluation: Mid-2011; Complete initial operational capability: Mid-2009; Complete final operational capability: Mid-2011. Modules: Readiness Reviews: Begin planning, design, and development: Mid-2006; Complete developmental testing and evaluation: Late 2009; Complete operational testing and evaluation: Mid-2010; Complete initial operational capability: Mid-2007; Complete final operational capability: Mid-2010. Modules: Planning/Execution Support: Begin planning, design, and development: Early 2006; Complete developmental testing and evaluation: Late 2012; Complete operational testing and evaluation: Mid-2013; Complete initial operational capability: Mid-2013; Complete final operational capability: Late 2013. Modules: Historical Data: Begin planning, design, and development: Late 2008; Complete developmental testing and evaluation: Mid-2011; Complete operational testing and evaluation: Early 2012; Complete initial operational capability: Early 2012; Complete final operational capability: Late 2012. Modules: System Architecture: Begin planning, design, and development: Mid-2004; Complete final operational capability: Early 2012. Modules: End-User Usability: Begin planning, design, and development: Late 2004; Complete final operational capability: Mid-2009. Source: GAO analysis based on DOD data. [End of figure] In addition, the schedule remains unstable as evidenced by the degree of change it has experienced in just the past few months. For example, the January 2009 schedule had a full operational capability milestone of October 2011. By contrast, the April 2009 schedule has a December 2013 milestone (see figure 3 below). Moreover, some milestones are now to occur much earlier than they were a few months ago. For example, the January 2009 schedule shows initial operational capability for "readiness reviews" to be June 2010. However, the April 2009 schedule shows that this milestone was attained in August 2007. Overall, multiple milestones for four modules were extended by at least 1 year, including two milestones that were extended by more than 2 years. Such change in the schedule in but a few months suggests a large degree of uncertainty, and illustrates the importance of ensuring that the schedule is developed in accordance with best practices. Figure 3: Changes in Estimated Dates for DRRS Capabilities: [Refer to PDF for image: illustration] Modules: Joint Mission Readiness; Complete final operational capability: Late 2009 to Early 2001. Modules: Unit Mission Readiness; Complete operational testing and evaluation: Early 2009 to Mid-2009. Modules: Asset Visibility; Complete developmental testing and evaluation: Late 2009 to Mid-2010; Complete operational testing and evaluation: Early 2010 to Late 2010; Complete initial operational capability: Early 2010 to Late 2010; Complete final operational capability: Late 2011 to Mid-2011. Modules: Business Intelligence; Complete developmental testing and evaluation: Mid-2010 to Early 2011; Complete operational testing and evaluation: Mid-2010 to Mid-2011; Complete initial operational capability: Mid-2010; Complete final operational capability: Mid-2011. Modules: Installation Readiness; Complete developmental testing and evaluation: Mid-2010; Complete operational testing and evaluation: Mid-201; Complete initial operational capability: Mid-2011 to Mid-2009; Complete final operational capability: Mid-2011 to Late 2011. Modules: Readiness Reviews; Complete operational testing and evaluation: Late 2009; Complete initial operational capability: Mid-2010 to Mid-2007; Complete final operational capability: Mid-2010. Modules: Planning/Execution Support; Complete developmental testing and evaluation: Early 2011 to Late 2012; Complete operational testing and evaluation: Mid-2011 to Mid-2013; Complete initial operational capability: Mid-2011 to Mid-2013; Complete final operational capability: Mid-2011 to Late 2013. Modules: Historical Data; Begin planning, design, and development: Mid-2009 to Early 2009; Complete developmental testing and evaluation: Late 2009 to Mid-2011; Complete operational testing and evaluation: Mid-2010 to Early 2012; Complete initial operational capability: Mid-2010 to Early 2012; Complete final operational capability: Mid-2010 to Late 2012. Modules: System Architecture; Complete final operational capability: Mid-2011 to Early 2012. Modules: End-User Usability; Complete final operational capability: Late 2008 to Mid-2009. Source: GAO analysis based on DOD data. [End of figure] DIO Lacks Adequate Staffing and an Effective Approach to Meeting its Human Capital Needs: As we have previously reported, effective human capital management is an essential ingredient to achieving successful program outcomes. [Footnote 68] Among other things, effective human capital management involves a number of actions to proactively understand and address any shortfalls in meeting a program's current and future workforce needs. These include an assessment of the core competencies and essential knowledge, skills, and abilities needed to perform key program management functions, an inventory of the program's existing workforce capabilities, and an analysis of the gap between the assessed needs and the existing capabilities. Moreover, they include explicitly defined strategies and actions for filling identified gaps, such as strategies for hiring new staff, training existing staff, and contracting for support services. The DIO is responsible for performing a number of fundamental DRRS program management functions. For example, it is responsible for acquisition planning, performance management, requirements development and management, test management, contractor tracking and oversight, quality management, and configuration management. To effectively perform such functions, program offices, such as the DIO, need to have not only well-defined policies and procedures and support tools for each of these functions, but also sufficient human capital to implement the processes and use the tools throughout the program's life cycle. Without sufficient human capital, it is unlikely that a program office can effectively perform its basic program management functions, which in turn increases the risk that the program will not deliver promised system capabilities and benefits on time and on budget. The DIO does not currently have adequate staff to fulfill its system acquisition and deployment responsibilities. In particular, the DIO is staffed with a single full-time government employee--the DIO Director. All other key program office functions are staffed by either contractor staff or staff temporarily detailed, on an as-needed basis, from other DOD organizations (referred to as "matrixed" staff). As a result, program management positions that the DIO itself has identified as critical to the program's success, such as configuration manager and security manager, are being staffed by contractors. Moreover, these contractor staff report to program management positions also staffed by contractors. Other key positions, such as those for performing acquisition management, requirements development and management, and performance management, have not even been established within the DIO. Furthermore, key positions, such as test manager, are vacant. These human capital limitations were acknowledged by the DRRS Executive Committee in November 2008. According to DIO and contractor officials, they recognize that additional program management staffing is needed. They also stated that while DRRS has been endorsed by USD (P&R) leadership and received funding support, past requests for additional staff have not been approved by USD (P&R) due to other competing demands for staffing. Further, DIO officials stated that the requests for staff were not based on a strategic gap analysis of its workforce needs and existing capabilities. Specifically, the program has not assessed its human capital needs and the gap between these needs and its onboard workforce capabilities. Until the program office adopts a strategic, proactive approach to managing its human capital needs, it is unlikely that it will have an adequate basis for obtaining the people it needs to effectively and efficiently manage DRRS. [End of section] Appendix III: Comments from the Department of Defense: Office Of The Under Secretary Of Defense: Personnel And Readiness: 4000 Defense Pentagon: Washington, DC 20301-4000: September 3, 2009: Ms. Sharon Pickup: Director Defense Capabilities and Management: U.S. Government Accountability Office: Washington, D.C. 22548: Dear Ms. Pickup: This is the Department of Defense (DoD) response to the GAO draft report, GAO-09-518, "Military Readiness: DoD Needs to Strengthen Management and Oversight of the Defense Readiness Reporting System," dated July 1, 2009 (GAO Code 351217). Thank you for the opportunity to review this draft report. However, in our view, the report is flawed in its assessment of the Defense Readiness Reporting System (DRRS). DRRS is a true net-centric application that provides broad and detailed visibility on readiness issues. Achieving this data sharing across the DoD enterprise was groundbreaking work, fraught with barriers and obstacles - many of which have now been overcome. We were disappointed to learn that the report did not address the cultural impediments that are the root cause of many of the issues it cites, and the cause of so many previous congressional concerns on readiness reporting. Instead, the report focused on past issues and problems in the software development and acquisition processes that have now been remedied. We believe that this focus, coupled with inaccurate and misleading factual information included in the report, has lead the GAO to develop an incomplete picture of the program. Attached, please find the Department's detailed comments in response to the GAO's specific recommendation. Sincerely, Signed by: William J. Carr: Deputy Under Secretary of Defense (Military Personnel Policy): Performing the Duties of the Under Secretary of Defense (Personnel and Readiness): Attachment: As stated: [End of letter] GAO Draft Report - Dated July 1, 2009: GAO Code 351217/GAO-09-518: "Military Readiness: DoD Needs to Strengthen Management and Oversight of the Defense Readiness Reporting System" Department Of Defense Comments To The Recommendations: Recommendation 1: The GAO recommends that the Secretary of Defense direct the Deputy Secretary of Defense, as the Chair of the Defense Business Systems Management Committee, to reconsider the committee's recent approval of the Defense Readiness Reporting System (DRRS) planned investment for fiscal years 2009 and 2010, and convene the Defense Business Systems Management Committee to review the program's past performance and the DRRS Implementation Office's capability to manage and deliver DRRS going forward. DOD Response: Non-Concur. The IRB and DBSMC certifications were granted in compliance with the established certification process, which is designed to not be overly redundant with the acquisition process. Consistent with the Department's concept of tiered accountability, oversight of the specific issues identified by the GAO in this report are the responsibility of component responsible for the system. In this case, USD (P&R) chartered a DRRS Executive Committee (DEXCOM) to provide for governance of the effort in the readiness community, The DEXCOM has and will continue to provide appropriate governance for this effort. Additionally, the USD (P&R) will ensure that the program is compliant with all acquisition requirements prior to submission for further certifications. Recommendation 2: The GAO recommends that the Secretary of Defense direct the Deputy Secretary of Defense to have the Director of the Business Transformation Agency, using the appropriate team of functional and technical experts and the established risk assessment methodology, conduct a program risk assessment of DRRS, and to use the findings in GAO's report and the risk assessment to decide how to redirect the program's structure, approach, funding, management, and oversight. In this regard, GAO recommends that the Secretary of Defense direct the Deputy Secretary of Defense to solicit the advice and recommendations of the DRRS Executive Committee. DOD Response: Concur. The Department accepts the GAO's recommendation that a program risk assessment would be constructive. The Business Transformation Agency (BTA) will work with the DRRS Executive Committee (DEXCOM) to determine the scope of the assessment and will subsequently work with the DEXCOM to analyze its results. This assessment will be complete by the middle of Fiscal Year 2010. Recommendation 3: The GAO recommends that the Secretary of Defense through the appropriate chain of command, take steps to ensure that DRRS requirements are effectively developed and managed with appropriate input from the Services, Joint Staff, and Combatant Commanders, including: (a) establishing an authoritative set of baseline requirements prior to further system design and development; (b) ensuring that the different levels of requirements and their associated design specifications and test cases, are aligned with one another, and; (c) developing and instituting a disciplined process for reviewing and accepting changes to the baseline requirements in light of estimated costs, benefits, and risk. DOD Response: Non-Concur. The DRRS program has an authoritative set of baseline requirements already established. The current DRRS governance process, which includes membership from all CoComs, Services, Combat Support Agencies (CSAs), Joint Staff, and OSD oversees the DRRS requirements management process. These requirements are reviewed bi- weekly as part of the DRRS configuration control process. Recommendation 4: The GAO recommends that the Secretary of Defense through the appropriate chain of command, take steps to ensure that DRRS testing is effectively managed, including: (a) developing lest plans and procedures for each system increment test event that include a schedule of planned test activities, defined roles and responsibilities, test entrance and exit criteria, test defect management processes, and metrics for' measuring test progress, (b) ensuring that all key lest events are conducted on all DRRS increments, (c) capturing, analyzing, reporting, and resolving all test results and test defects of all developed and tested DRRS increments; and, (d) establishing an effective test management structure that includes assigned test management roles and responsibilities, a designated test management lead and a supporting working group, and a reliable schedule of test events. DoD Response: Non-Concur. DRRS testing is already in place and performing effectively. The DIO goes through a rigorous testing regimen that includes documenting test plans with user test cases for each incremental release. The DRRS program utilizes System Integration Testing (SIT), System Acceptance Testing (SAT), Interoperability Testing (IOT) and Operational Testing (OT) with System Integration Test Plans and System Acceptance Test Plans. There are designated testers independent of the developers that validate the user test cases and functionality prior to a deployment decision. Finally, the D10 conducts a release review with the developers and the testers to determine if the increment is ready for release and meets all the exit criteria. For interoperability testing with systems external to DRRS, the DIO has a designated test director and the Joint Interoperability Test Command (JITC) is the designated Interoperability Test Activity and the Operational Test Activity. JITC is responsible for developing the Interoperability Test Plan and the Operational Test Plan. Recommendation 5: The GAO recommends t oat the Secretary of Defense through the appropriate chain of command, take steps to ensure that the DRRS integrated master schedule is reliable, including ensuring that the schedule: (a) captures all activities from the work breakdown structure, including the work to be performed and the resources to he used; (b) identifies the logical sequencing of all activities, including defining predecessor and successor activities; (c) reflects whether all required resources will he available when needed and their cost; (d) ensures that all activities and their duration are not summarized at a level that could mask critical elements; (e) achieves horizontal integration in the schedule by ensuring that all external interfaces (hand-offs) are established and interdependencies among activities are defined; (f) identifies float between activities by ensuing that the linkages among all activities are defined; (g) defines a critical path that runs continuously to the program's finish date; (h) incorporates the results of a schedule risk analysis to determine the level of confidence in meeting the program's activities and completion date, and; (i) includes the actual start and completion dotes of work activities per formed so that the impact of deviations on downstream work can he proactively addressed. DOD Response: Non Concur. A process is already in place to ensure the DRRS integrated master schedule is current, reliable, and meets all of the criteria outlined in the recommendation, With the approval of the DEXCOM charter and the renewed/refined Battle Staff and General Officer Steering Committee (GOSC), many of the program issues regarding Plan of Action and Milestones (POA&M) software development, integration, and testing in the GAO report are being address or have been corrected. Recommendation 6: The GAO recommends t nit the Secretary of Defense through the appropriate chain of command, take steps to ensure that the DRRS program office is staffed on the basis of a human capital strategy that is grounded in an assessment of the core competencies and essential knowledge, skills, and abilities needed to perform key DRRS program management functions, an inventory of the program office's existing workforce capabilities, and an analysis of the gap between the assessed needs and the existing capabilities. DOD Response: Partially concur. The DIO was intentionally kept small in order to maximize flexibility and responsiveness to customer requirements as well as to implement commercial best practices for agile software development. However, due to increase demands on DRRS through additional requirements and capabilities requested by users, additional billets, both military and civilian are needed to expedite the implementation of DRRS. To that end, the USD (P& R) is planning on adding full time civilian acquisition support for the DIO and the conversion of contractor to civilian billets during 2010/2011 timeframe as part of the Department's in-sourcing initiative. Recommendation 7: The GAO recommends brat the Secretary of Defense through the appropriate chain of command, take steps to ensure that DRRS is developed and implemented in a manner that does not increase the reporting burden on units and addresses the timeliness. precision, and objectivity of metrics that are reported to Congress. DOD Response: Non-Concur. One of the primary tenets for DRRS development has always been to reduce the reporting requirements on the war fighter. DRRS is already using state of the art technology in order to ensure that data which already exists is available within the DRRS enterprise in near-real time for the war fighters. The MRS governance structure that is currently in place ensures that DRRS development does not deviate from these core principles. Recommendation 8: The GAO recommends that the Secretary of Defense direct the Deputy Secretary of Defense to ensure that both. he Human Resources Management Investment Review Board and the DRRS Executive Committee conduct frequent oversight activities of the DRRS program. and report any significant issues to the Deputy Secretary of Defense. DOD Response: Concur. The Department is committed to ensuring that the proper level of oversight of the DRRS program is adhered to. As an Acquisition Category Ill level program, DRRS will be managed from an acquisition perspective by the Component Acquisition Executive (CAE) within USD(P&R). The USD (P&R) CAE is already working with the program to ensure that they become fully compliant with all acquisition requirements. This is consistent with tiered accountability. The CAE will certify to the IIRM IRB and the DCMO of compliance prior to submission of future certification requests. Finally, the current DEXCOM governance process will continue to provide sustained functional oversight of the DRRS program. Issues that arise in any of these areas will be elevated for review as appropriate. [End of section] Appendix IV: GAO Contacts and Staff Acknowledgments: GAO Contacts: Sharon L. Pickup, (202) 512-9619 or pickups@gao.gov Randolph C. Hite, (202) 512-6256 or hiter@gao.gov: Staff Acknowledgments: In addition to the contacts named above, key contributors to this report were Michael Ferren (Assistant Director), Neelaxi Lakhmani (Assistant Director), April Baugh, Mathew Butler, Richard J. Hagerman, Nicole Harms, James Houtz, John Lee, Stephen Pruitt, Terry Richardson, Karen Richey, Karl Seifert, and Kristy Williams. [End of section] Footnotes: [1] Pub. L. No. 105-261, §373 (1998). Codified at 10 U.S.C. §117. [2] Department of Defense Directive 7730.65, Department of Defense Readiness Reporting System (DRRS) (June 3, 2002). [3] ESORTS is an automated readiness reporting tool designed to collect capability and resource data, while DRRS is the broader system that, according to the 2002 DRRS Directive, measures and reports on the readiness of military forces and the supporting infrastructure to meet missions and goals assigned by the Secretary of Defense. However, ESORTS is now viewed as a tool within DRRS. [4] Secretary of Defense Memorandum, Policy Implementation to Establish Commander, USJFCOM (CDRUSJFCOM), as the Primary Joint Force Provider (JFP) (June 25, 2004). The U.S. military organizes its global presence into a series of geographic and functional combatant commands. The geographic combatant commands--U.S. Central Command, U.S. European Command, U.S. Northern Command, U.S. Pacific Command, U.S. Southern Command, and U.S. Africa Command --have authority over all U.S. military forces operating within a specified area of operation and are directly responsible for the performance of missions assigned to the command. The functional combatant commands--U.S. Joint Forces Command, U.S. Special Operations Command, U.S. Strategic Command, and U.S. Transportation Command--possess worldwide functional responsibilities, such as joint training, force provision, and global command and control. [5] Chairman of the Joint Chiefs of Staff Instruction 3401.02A, Global Status of Resources and Training System (GSORTS) (Feb. 27, 2004). [6] All combat, combat support, and combat service support units that have the potential to support an: operations, contingency, or single integrated operational plan; or a contingency operation are required to report. [7] A mission is a task or a series of tasks with a purpose. Mission essential tasks are those tasks that are absolutely necessary, indispensable, or critical to mission success. DRRS' capability data are based on commanders' assessments of their organizations' capabilities to carry out their missions and mission essential tasks. [8] The Strom Thurmond National Defense Authorization Act for Fiscal Year 1999, Pub. L. No. 105-261 §373 (1998), codified at 10 U.S.C. §117. Section 373 initially directed the Secretary to establish and implement the readiness reporting system no later than January 15, 2000. An amendment in the National Defense Authorization Act for Fiscal Year 2000, Pub. L. No. 106-65, §361 changed the date from January 15, 2000, to April 1, 2000. [9] Secretary of Defense Memorandum, Policy Implementation to Establish Commander, USJFCOM (CDRUSJFCOM), as the Primary Joint Force Provider (JFP), (June 25, 2004). The memorandum's primary purpose was to direct the Commander of the U.S. Joint Forces Command to assume the duties of DOD's primary joint force provider. [10] Under Secretary of Defense for Personnel and Readiness Memorandum, Department of Defense Readiness Reporting System (DRRS) Interim Implementation Guidance (Nov. 2, 2004). USD (P&R) issued three subsequent memorandums between August 10, 2005, and August 23, 2006, which expanded and clarified reporting requirements. [11] The four Investment Review Boards are for (1) Financial Management, established by the Deputy Under Secretary of Defense for Financial Management; (2) Weapon Systems Lifecycle Management and Materiel Supply and Services Management; (3) Real Property and Installations Lifecycle Management, both established by the Under Secretary of Defense for Acquisition, Technology and Logistics; and (4) Human Resources Management, established by USD (P&R). [12] The purpose of a risk assessment is to reduce systemic risk and support informed decision making by focusing on delivering business capabilities rapidly and at a reduced cost, and identifying program vulnerabilities and assisting in developing mitigation solutions. The assessment is generally performed prior to major acquisition decisions, although assessments may be requested for other reasons. [13] See for example, Department of Defense Instruction 5000.02, Operation of the Defense Acquisition System (Dec. 8, 2008); Defense Acquisition University, Test and Evaluation Management Guide, 5th ed. (Fort Belvoir, Va.: January 2005); Institute of Electrical and Electronics Engineers, Standard 1012-2004 for Software Verification and Validation (New York, N.Y.: June 8, 2005); GAO, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, [hyperlink, http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009); and GAO, A Model of Strategic Human Capital Management, GAO-02-373SP (Washington, D.C.: Mar. 15, 2002). [14] The users of readiness data include the Secretary of Defense, the military services, the Chairman of the Joint Chiefs of Staff, the combatant commands, defense agencies, and field activities. [15] GAO, Military Readiness: New Reporting System Is Intended to Address Long-Standing Problems, but Better Planning Is Needed, [hyperlink, http://www.gao.gov/products/GAO-03-456] (Washington, D.C.: Mar. 28, 2003). [16] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, [hyperlink, http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009). [17] Float is the amount of time an activity can slip before affecting the critical path. [18] A Major Automated Information System is a program or initiative that is so designated by the Assistant Secretary of Defense (Networks and Information Integration)/Chief Information Officer or that is estimated to require program costs in any single year in excess of $32 million, total program costs in excess of $126 million, or total life- cycle costs in excess of $378 million in fiscal year 2000 constant dollars. [19] As previously noted, the Investment Review Board is responsible for all business system investments in DOD that involve more than $1 million in obligations. [20] The primary GSORTS metric--the "C" rating--is a mission-focused metric that is based not only on a unit's resources but also on the unit's capabilities to execute training to standards, in a specified environment. [21] The GSORTS metric that captures information concerning a unit's capability to execute these other assigned or directed missions is the percent effective metric. This percent effective rating is a subjective assessment that is based on a commander's professional military judgment. It is based on a number of considerations but not strictly tied to resources or training performance. [22] The software to collect and display this enhanced capability data has been in place for several years and the DIO has stated that DRRS reached its initial operating capability when the system was able to collect and display this information. [23] The SIPRNet is operated by the Defense Information Systems Agency and is DOD's largest interoperable command and control data network. In addition to supporting the input of data to DRRS, the SIPRNet supports the Global Command and Control System, the Defense Message System, collaborative planning, and numerous other classified warfighter applications. [24] The memorandum--Under Secretary of Defense for Personnel and Readiness Memorandum, Department of Defense Readiness Reporting System (DRRS) Interim Implementation Guidance, (Aug. 10, 2005)--directed units report mission essential task capabilities in DRRS through the automated ESORTS reporting tool. [25] When missions or mission essential tasks are not standardized, capability searches may not yield desired results because similar units are measuring their capabilities against different task conditions and standards. [26] Under Secretary of Defense for Personnel and Readiness Memorandum, Status of Defense Readiness Reporting System (DRRS) Implementation (Sept. 29, 2005). [27] Current reporting guidelines require the services to report both in the Chairman of the Joint Chiefs of Staff's GSORTS and in OSD's DRRS. [28] Department of the Air Force Memorandum, Defense Readiness Reporting System (DRRS) Core Unit Mission Essential Task List (METL) Implementation Guidance (Mar. 3, 2009). [29] Marine Corps Administrative Message 0307//09, Update to Interim Defense Readiness Reporting System (DRRS) Policy and Procedures for Marine Corps Units and Installations (May 12, 2009). [30] The law also lists annual requirements for training establishments, defense installations, and facilities to report their capabilities, and a number of other monthly, quarterly, and annual requirements. [31] While certain data, such as personnel data, are captured in multiple data systems, the services or OSD designate a single data system as the authoritative database for each type of information. [32] [hyperlink, http://www.gao.gov/products/GAO-03-456]. [33] Chairman of the Joint Chiefs of Staff Instruction 3401.02A, Global Status of Resources and Training System (GSORTS) (Feb. 27, 2004), permits commanders to subjectively upgrade or downgrade their units' overall assessment, although not their individual resource levels. However, these changes are easy to identify and commanders are required to provide justifications for any changes. A recent GAO review of Army data found that commanders' subjective changes constituted less than 10 percent of the total assessments. [34] The memorandum's primary purpose was to provide policy implementation establishing the Commander of the U.S. Joint Forces Command to assume the duties as DOD's primary joint force provider. [35] These historical data would include training data, personnel data, and equipment supply and condition data as well as data concerning unit capabilities to perform the missions they were organized and designed to perform. [36] Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005, Pub. L. No. 108-375, § 332 (2004) (codified at 10 U.S.C. §§ 186 and 2222). [37] Department of Defense Instruction Number 5000.02, Operation of the Defense Acquisition System, Enclosure 11 (December 8, 2008). [38] The Capability Maturity Model® Integration for Development, developed by the Software Engineering Institute of Carnegie Mellon University, defines key practices that are recognized hallmarks for successful organizations that, if effectively implemented, can greatly increase the chances of successfully developing and acquiring software and systems. Carnegie Mellon Software Engineering Institute, Capability Maturity Model® Integration for Development, version 1.2 (Pittsburgh, Pa.: August 2006). [39] See for example, Department of Defense Instruction 5000.02, Operation of the Defense Acquisition System (Dec. 8, 2008); Defense Acquisition University, Test and Evaluation Management Guide, 5th ed. (Fort Belvoir, Va.: January 2005); Institute of Electrical and Electronic Engineers, Standard 1012-2004 for Software Verification and Validation (New York, N.Y.: June 8, 2005); and Software Engineering Institute, Capability Maturity Model Integration for Acquisition version 1.2 (Pittsburgh, Pa.: November 2007). [40] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, [hyperlink, http://www.gao.gov/products/GAO-09-3SP] (Washington D.C.: March 2009). [41] GAO, A Model of Strategic Human Capital Management, [hyperlink, http://www.gao.gov/products/GAO-02-373SP] (Washington, D.C.: Mar. 15, 2002). [42] Department of Defense Directive 7730.65, Department of Defense Readiness Reporting System (DRRS) (June 3, 2002). [43] The reporting officer for U.S. Pacific Command indicated that he felt that the GAO's survey did not "accurately and fully assess the usefulness and functionality of DRRS" and provided additional written information to support his survey answers. After consultation with GAO's office of Applied Research and Methods we determined the survey did assess DRRS functionality. In order to capture U.S. Pacific Command's concerns, we incorporated the information it provided into the report sections describing current DRRS usage. [44] See for example, Department of Defense Instruction 5000.02, Operation of the Defense Acquisition System (Dec. 8, 2008); Defense Acquisition University, Test and Evaluation Management Guide, 5th ed. (Fort Belvoir, Va.: January 2005), Institute of Electrical and Electronic Engineers, Standard 1012-2004 for Software Verification and Validation (New York, N.Y.: June 8, 2005); GAO, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, [hyperlink, http://www.gao.gov/products/GAO-09-3SP] (Washington D.C.: March 2009); and GAO, A Model of Strategic Human Capital Management, [hyperlink, http://www.gao.gov/products/GAO-02-373SP] (Washington, D.C.: Mar. 15, 2002). [45] The Capability Maturity Model® Integration for Development, developed by the Software Engineering Institute of Carnegie Mellon University, defines key practices that are recognized hallmarks for successful organizations that, if effectively implemented, can greatly increase the chances of successfully developing and acquiring software and systems. Carnegie Mellon Software Engineering Institute, Capability Maturity Model® Integration for Development, version 1.2 (Pittsburgh, Pa.: August 2006). [46] GAO, Secure Border Initiative: DHS Needs to Address Significant Risks in Delivering Key Technology Investment, [hyperlink, http://www.gao.gov/products/GAO-08-1086] (Washington, D.C.: Sept. 22, 2008). [47] Office of the Under Secretary of Defense for Personnel and Readiness Memorandum, Implementing the Defense Readiness Reporting System (July 1, 2002). [48] Department of Defense Directive 7730.65, Department of Defense Readiness Reporting System (DRRS) (June 3, 2002). Additional requirements for DRRS have been established in DOD directives and instructions that govern information systems including information assurance, net-centric architecture, net-centric data strategy, and information system interoperability and supportability. [49] Department of Defense Directive 7730.65, Department of Defense Readiness Reporting System (DRRS) (June 3, 2002). [50] [hyperlink, http://www.gao.gov/products/GAO-08-1086]. [51] The Capability Maturity Model® Integration for Development, developed by the Software Engineering Institute of Carnegie Mellon University, defines key practices that are recognized hallmarks for successful organizations that, if effectively implemented, can greatly increase the chances of successfully developing and acquiring software and systems. Carnegie Mellon Software Engineering Institute, Capability Maturity Model® Integration for Development, Version 1.2 (Pittsburgh, Pa.: August 2006). [52] See for example, Department of Defense Instruction 5000.02, Operation of the Defense Acquisition System; Defense Acquisition University, Test and Evaluation Management Guide; Institute of Electrical and Electronics Engineers, Standard 1012-2004 for Software Verification and Validation; and Software Engineering Institute, Capability Maturity Model Integration for Acquisition version 1.2 (Pittsburgh, Pa.: November 2007). [53] See for example, Institute of Electrical and Electronics Engineers, Standard 829-2008 Standard for Software and System Test Documentation (New York, N.Y.: July 18, 2008) and Software Engineering Institute, Capability Maturity Model Integration for Acquisition, version 1.2. [54] According to the Concept of Operations, ESORTS is to provide current readiness status for operational forces and defense support organizations in terms of their ability to perform their mission essential tasks. [55] According to the draft SORTSREP Test and Evaluation Master Plan, SORTSREP is a tool to capture and input military departments' readiness data requirements into a readiness reporting database. [56] See for example, Defense Acquisition University, Defense Acquisition Guidebook (Arlington, Va.: November 2006); Institute of Electrical and Electronics Engineers, Standard 1012-2004 for Software Verification and Validation; Software Engineering Institute, Capability Maturity Model Integration for Acquisition, version 1.2. [57] See for example, Institute of Electrical and Electronics Engineers, Standard 829-2008 Standard for Software and System Test Documentation and Software Engineering Institute, Capability Maturity Model Integration for Acquisition version 1.2. [58] See for example, Institute for Electrical and Electronics Engineers, Standard 829-2008 Standard for Software and System Documentation. [59] See for example, Software Engineering Institute, Capability Maturity Model Integration for Acquisition, version 1.2. [60] See for example, GAO, Office of Personnel Management: Improvements Needed to Ensure Successful Retirement Systems Modernization, [hyperlink, http://www.gao.gov/products/GAO-08-345] (Washington, D.C.: January 2008); Institute of Electrical and Electronics Engineers, Standard 1012-2004 for Software Verification and Validation; and Institute of Electrical and Electronics Engineers, Standard 1012-1986 for Software Verification and Validation Plans (New York, N.Y.: Nov. 14, 1986). [61] See for example, [hyperlink, http://www.gao.gov/products/GAO-08-345]; Institute of Electrical and Electronics Engineers, Standard 1012-2004 for Software Verification and Validation; and Institute of Electrical and Electronics Engineers, Standard 1012-1986 for Software Verification and Validation Plans. [62] See for example, Department of Defense Instruction 5000.02, Operation of the Defense Acquisition System; Defense Acquisition University, Defense Acquisition Guidebook; Software Engineering Institute, Capability Maturity Model Integration for Acquisition, version 1.2; Institute for Electrical and Electronics Engineers, Standard 829-2008 Software and System Test Documentation (New York, N.Y.: July 18, 2008). [63] See for example, Defense Acquisition University, Defense Acquisition Guidebook; Software Engineering Institute, Capability Maturity Model Integration for Acquisition, version 1.2; Institute for Electrical and Electronics Engineers, Standard 829-2008 Software and System Test Documentation. [64] According to the Mission Readiness TEMP, Mission Readiness is to create a common standard metric for assessing readiness by capability that can be uniformly applied throughout the department. [65] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, [hyperlink, http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009). [66] Float is the amount of time an activity can slip before affecting the critical path. [67] GAO, Information Technology: Improvements for Acquisition of Customs Trade Processing System Continue, but Further Efforts Needed to Avoid More Cost and Schedule Shortfalls, GAO-08-46 (Washington, D.C.: Oct. 25, 2007) and Secure Border Initiative: SBInet Planning and Management Improvements Needed to Control Risks, [hyperlink, http://www.gao.gov/products/GAO-07-504T] (Washington, D.C.: Feb. 27, 2007). [68] GAO, A Model of Strategic Human Capital Management, [hyperlink, http://www.gao.gov/products/GAO-02-373SP] (Washington, D.C.: Mar. 15, 2002). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: