Information Technology: Executive Office for U.S. Attorneys Needs to Institutionalize Key IT Management Disciplines

GAO-03-751 Published: Jul 25, 2003. Publicly Released: Aug 12, 2003.
Highlights

The Executive Office for United States Attorneys (EOUSA) of the Department of Justice is responsible for managing information technology (IT) resources for the United States Attorneys' Offices. GAO was asked to determine the extent to which EOUSA has institutionalized key IT management capabilities that are critical to achieving Justice's strategic goal of improving the integrity, security, and efficiency of its IT systems.


Recommendations

Recommendations for Executive Action

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of enterprise architecture (EA) management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for EA management, establish a committee or group representing the enterprise that is responsible for directing, overseeing, or approving the EA.
Status: Closed – Implemented
Comments: EOUSA's Enterprise Architecture Program Management Plan (dated April 2004) specifies that the IT Investment Review Board is to approve the enterprise architecture.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for EA management, ensure that EA products are under configuration management.
Status: Closed – Implemented
Comments: According to officials, EOUSA uses PVCS as its configuration management tool. The baseline and target enterprise architecture products have been placed under configuration management using this tool. As evidence, EOUSA provided screen shots of the tool showing the enterprise architecture items under configuration management.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for EA management, define, approve, and implement a policy for IT investment compliance with the EA.
Status: Closed – Implemented
Comments: EOUSA's policy for IT investment compliance with the enterprise architecture is defined in Section 3-16.100 of the U.S. Attorneys' Manual. According to EOUSA's Acting CIO and senior investment management analyst, the IT Investment Review Board has implemented this policy. As evidence, efforts to align investments with the enterprise architecture are reflected in the investment management guide that directs the Investment Review Board's operations.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for EA management, specify metrics for measuring EA benefits.
Status: Closed – Implemented
Comments: EOUSA's Enterprise Architecture Project Management Plan specifies metrics for measuring EA benefits. They include metrics for development and maintenance, quality, and compliance.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for EA management, define, approve, and implement a policy for maintaining the EA.
Status: Closed – Implemented
Comments: EOUSA's policy for maintaining the enterprise architecture is defined in Section 3-16.100 of the U.S. Attorneys' Manual. It specifies that the EA is to be updated on at least an annual basis. At the time of our review, the agency was using the Enterprise Architecture Management System as its EA tool. When we followed up with EOUSA in November 2004, the IT analyst responsible for coordinating EA development and maintenance activities told us the agency had switched to the System Architect tool to maintain the EA.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT investment management, regularly oversee each IT project's progress toward cost and schedule milestones, using established criteria, and require corrective actions when milestones have not been achieved.
Status: Closed – Implemented
Comments: EOUSA's Information Technology Investment Process guide defines procedures for the board to regularly review projects' progress toward cost and schedule milestones and to take action to correct deficiencies when necessary. According to the EOUSA analyst responsible for coordinating investment management activities, the Investment Review Board reviews existing and proposed IT projects as part of its normal course of business and requires corrective actions when necessary. When we followed up with the agency in November 2004, we were told that the Board had met 5 times since it was instituted following our review. Meeting minutes had not been documented, but we were provided with the agendas for 2 meetings indicating that projects' status would be discussed.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT investment management, define and implement a policy for using the IT project and systems inventory for managerial decision making.
Status: Closed – Implemented
Comments: EOUSA's IT investment management process guide calls for the use of the IT project and systems inventory for managerial decision making. According to the analyst responsible for coordinating investment management activities, the Investment Review Board has implemented this, in particular in the selection process.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT investment management, ensure that an established, structured process is used to select new IT proposals.
Status: Closed – Implemented
Comments: EOUSA established a formalized, structured scoring process to select new investments. Specifically, the Investment Management Process guide defines procedures and criteria for (1) screening new IT project proposals, (2) analyzing proposed project risks, benefits, and costs, (3) prioritizing projects based on risk and return, and (4) determining the right mix of projects and making the final cut. According to the EOUSA analyst responsible for coordinating investment management activities, the process was used by the Investment Review Board in the spring of 2004 to select projects for the FY2006 budget. While the board did not have any meeting minutes to support this, we were provided with board meeting agendas that showed the budget review and submission as discussion items.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT security management, allocate the appropriate resources to enable the responsibilities of the security officer to be fully performed.
Status: Closed – Implemented
Comments: According to the Acting CIO, EOUSA allocated resources to enable the responsibilities of the security officer to be fully performed, including two full-time GS-14 level positions and over $2.8 million in IT security development and operations in fiscal year 2004.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of enterprise architecture (EA) management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT security management, ensure that risk assessments are performed on all existing and future systems.
Status: Closed – Implemented
Comments: According to the Assistant Director for Information Security, risk assessments have been performed on all existing systems, as required by EOUSA's certification and accreditation process and Department of Justice Information Technology Standards. As a case in point, documentation shows that its enhancement intrusion detection systems were accredited. Moreover, the Assistant Director for Information Security told us that the Department of Justice had mandated the early adoption of the National Institute of Standards and Technology Special Publication 800-35 (NIST 800-53), which requires that all systems undergo risk assessments to evaluate security controls, and that, in accordance with this, EOUSA performs risk assessments of its systems on a regular basis. According to EOUSA's "report card" system that tracks compliance with NIST 800-53 requirements, security controls have been evaluated as part of risk assessments for each EOUSA system.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT security management, implement intrusion detection devices to monitor activity at the routers, firewalls, and virtual private network devices, and implement other network security controls as noted in the report.
Status: Closed – Implemented
Comments: On June 23, 2006, EOUSA's Assistant Director for Information Security and Program Manager for Intrusion Detection Systems reported that EOUSA has intrusion detection systems on all network segments that have a router, firewall, or VPN device. They demonstrated their system for monitoring activity on all sensors associated with these intrusion detection systems and provided a summary report generated by this system. They also demonstrated how they keep track of events outside the network to anticipate and prepare for potential incidents and threats.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT security management, develop and implement a centralized approach to security education and training.
Status: Closed – Implemented
Comments: EOUSA developed a web-based centralized security awareness training program, which it began implementing in November 2005. EOUSA's Assistant Director for Information Security provided the memorandum announcing the training to all employees, as well as the course slides, as evidence of this. A system used by EOUSA to keep track of staff who have taken the course showed that, as of June 23, 2006, 99% of the agency's employees had been trained with the program.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT security management, perform regular tests to determine compliance with policies and procedures and the effectiveness of security controls.
Status: Closed – Implemented
Comments: EOUSA uses an audit tool called Security Expressions to perform routine and ad hoc compliance tests for several security policies and controls, including password management, screen savers, and other configuration settings. In June 2006, EOUSA's Assistant Director for Information Security and the IT Specialist responsible for compliance activities demonstrated the use of the tool. They noted that EOUSA's entire network is scanned nights a week and that the Security Expressions tool is run against the scans to check for compliance with specific security parameters. They also noted that monthly summary reports of these scans are provided to Justice, and they provided the most recent report submitted. The Assistant Director and IT Specialist also said that compliance with security policies and controls is checked as part of the agency's comprehensive Evaluation and Review Staff (EARS) program at every site once every three years (we were informed of this program during our review).

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for system acquisition management, develop and implement a policy for contract tracking and oversight.
Status: Closed – Implemented
Comments: Section 3-16.100 of the U.S. Attorneys' Manual defines policy for systems acquisition, including contract oversight. When we followed up on this recommendation with EOUSA in November 2004, officials stated that the agency had not acquired any systems since our review and therefore could not demonstrate implementation of the policy. They noted, however, that the policy would help ensure that systems acquisition practices are implemented when a system is acquired.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for system acquisition management, develop and implement a policy for system acquisition planning.
Status: Closed – Implemented
Comments: Section 3-16.100 of the U.S. Attorneys' Manual states that systems acquisitions shall be documented and executed in accordance with industry-standard capability maturity model practices and procedures. When we followed up on this recommendation with EOUSA in November 2004, officials stated that the agency had not acquired any systems since our review and therefore could not demonstrate implementation of the policy. They noted, however, that the policy would help ensure that systems acquisition practices are implemented when a system is acquired.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for system acquisition management, address the remaining key practices associated with evaluation as the Enterprise Case Management System progresses in the life cycle.
Status: Closed – Not Implemented
Comments: This recommendation is no longer applicable, as EOUSA is no longer pursuing its Enterprise Case Management System (ECMS). On November 19, 2004, EOUSA officials told us that the Justice Department was developing a departmentwide case management system into which ECMS would be subsumed.

Agency Affected: Department of Justice
Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for system acquisition management, ensure that the Software Engineering Institute acquisition practices identified in this report are used in future system acquisitions.
Status: Closed – Implemented
Comments: On November 19, 2004, EOUSA officials stated that no systems were being procured by EOUSA. They noted, however, that the policies addressing the various key practices we reviewed would help in ensuring these practices are used in future system acquisitions.

Agency Affected: Executive Office for United States Attorneys
Recommendation: In developing these plans, the Director of EOUSA should ensure that each plan (1) is integrated with the other three plans; (2) defines clear and measurable goals, objectives, and milestones; (3) specifies resource needs; and (4) assigns clear responsibility and accountability for implementing the plan. In implementing each plan, the Director should ensure that the needed resources are provided and that progress is measured and reported periodically to the Attorney General.
Status: Closed – Implemented
Comments: On November 11, 2004, EOUSA provided GAO a plan defining key actions and dates to address our recommendations for improving its practices for enterprise architecture management, IT investment management, information security, and systems acquisition. According to EOUSA's analyst responsible for coordinating enterprise architecture and investment management activities, the plan was approved by the Acting CIO.
