Skip to Highlights
Highlights

What GAO Found

The Department of Defense (DOD) has made progress in complying with most legislative provisions for managing its defense business systems, but additional actions are needed. For example, the National Defense Authorization Act (NDAA) for Fiscal Year 2016 required DOD and the military departments to issue guidance to address five requirements for reviewing and certifying the department's business systems. While DOD has issued guidance addressing all of these requirements, as of February 2018, the military departments had shown mixed progress.

DOD's and Military Departments' Progress in Issuing Guidance that Addressed Fiscal Year 2016 NDAA Business System Management Requirements

Certification Requirement

DOD

Air Force

Navy

Army

Sufficient business process reengineering

Business enterprise architecture compliance

Valid requirements and a viable plan to implement them

Acquisition strategy to eliminate or reduce the need to tailor commercial off-the-shelf systems

Compliance with the department's auditability requirements

● Fully addressed: The department provided evidence that it fully addressed this requirement.

◐ Partially addressed: The department provided evidence that it addressed some, but not all, portions of this requirement.

◌ Not addressed: The department did not provide any evidence that it addressed this requirement.

Source: GAO analysis of Department of Defense documentation. | GAO-18-130

The military departments' officials described plans to address the gaps in their guidance; however, none had defined when planned actions are to be completed. Without guidance that addresses all five requirements, the military departments risk developing systems that, among other things, are overly complex and costly to maintain.

DOD has efforts underway to improve its business enterprise architecture, but its information technology (IT) architecture is not complete. Specifically, DOD's business architecture includes content called for by the act. However, efforts to improve this architecture to enable the department to better achieve outcomes described by the act, such as routinely producing reliable business and financial information for management, continue to be in progress. In addition, DOD is updating its IT enterprise architecture, which describes, among other things, the department's computing infrastructure. However, the architecture lacks a road map for improving the department's IT and computing infrastructure for each of the major business processes. Moreover, the business and IT enterprise architectures have yet to be integrated, and DOD has not established a time frame for when it intends to do so. As a result, DOD lacks assurance that its IT infrastructure will support the department's business priorities and related business strategies.

Why GAO Did This Study

DOD spends billions of dollars each year on systems that support its key business areas, such as personnel and logistics. For fiscal year 2018, DOD reported that these business system investments are expected to cost about $8.7 billion. The NDAA for Fiscal Year 2016 requires DOD to perform activities aimed at ensuring that business system investments are managed efficiently and effectively, to include taking steps to limit their complexity and cost.

The NDAA also includes a provision for GAO to report every 2 years on the extent to which DOD is complying with the act's provisions on business systems. For this report, GAO assessed, among other things, the department's guidance for managing defense business system investments and its business and IT enterprise architectures (i.e., descriptions of DOD's current and future business and IT environments and plans for transitioning to future environments). To do so, GAO compared the department's system certification guidance and architectures to the act's requirements. GAO also interviewed cognizant DOD officials.

Skip to Recommendations

Recommendations

GAO is making six recommendations, including that DOD and the military departments establish time frames for, and issue, required guidance; and that DOD develop a complete IT architecture and integrate its business and IT architectures. DOD concurred with three and partially concurred with three recommendations. GAO continues to believe all of the recommendations are warranted as discussed in this report.

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of the Secretary of Defense 1. The Secretary of Defense should define a specific time frame for finalizing, and ensure the issuance of (1) policy requiring full consideration of sustainability and technological refreshment requirements for its defense business system investments; and (2) policy requiring that best systems engineering practices are used in the procurement and deployment of commercial systems, modified commercial systems, and defense-unique systems to meet DOD missions. (Recommendation 1)
Closed - Implemented
DOD has implemented this recommendation. In August 2019, the Office of the Chief Management Officer (CMO) provided a written response stating that it had verified existing policy for both requirements. Specifically, the Office of the CMO stated that department policy requires full consideration of sustainability and technological refreshment requirements for its defense business systems investments. In addition, the department provided us its DOD Instruction 5000.75, DOD Directive 5000.01, and DOD Financial Management Regulation Volume 2B, which include policy requiring consideration of sustainability and technological refreshment. DOD also stated that department policy requires best systems engineering practices be used in the procurement and deployment of commercial systems, modified commercial systems, and defense-unique systems to meet DOD missions. In addition, the office of the CMO provided us its DOD Directive 5000.01, which includes policy to help ensure that best systems engineering practices are used in the procurement and deployment of commercial systems, modified commercial systems, and defense-unique systems.
Office of the Secretary of the Air Force 2. The Secretary of the Air Force should define a specific time frame for finalizing, and ensure the issuance of guidance for certifying the department's business systems on the basis of (1) having an acquisition strategy designed to eliminate or reduce the need to tailor commercial off-the-shelf systems to meet unique requirements, incorporate unique requirements, or incorporate unique interfaces to the maximum extent practicable; and (2) being in compliance with DOD's auditability requirements. (Recommendation 2)
Closed - Implemented
The Department of the Air Force has implemented this recommendation. The department's April 2018 updated guidance states that the Air Force Deputy CMO has approval authority for any defense business system below $250 million over the current future-years defense plan, and that the Air Force Deputy CMO will assert compliance with auditability requirements. In addition, the department's May 2019 Air Force guidance memo states that the Deputy CMO or the DOD CMO will certify that a system satisfies the requirements outlined in the memo, which include ensuring that each defense business system developed, deployed, or operated by the Air Force must continue to satisfy the requirement to have an acquisition strategy and utilize an acquisition and sustainment strategy that prioritizes commercial software and business practices. In addition, Air Force's August 2019 OEP guidebook for defense business systems states that each defense business system developed, deployed or operated by the Department of Defense must utilize an acquisition and sustainment strategy that prioritizes commercial software and business practices.
Department of the Navy 3. The Secretary of the Navy should define a specific time frame for finalizing, and ensure the issuance of guidance for certifying the department's business systems on the basis of (1) having a viable plan to implement the system's requirements; (2) having an acquisition strategy designed to eliminate or reduce the need to tailor commercial off-the-shelf systems to meet unique requirements, incorporate unique requirements, or incorporate unique interfaces to the maximum extent practicable; and (3) being in compliance with DOD's auditability requirements. (Recommendation 3)
Closed - Implemented
In March 2018, the Department of the Navy issued updated guidance for certifying business systems that addressed this recommendation. Specifically, this guidance addressed certifying business systems on the basis of having a viable plan to implement the system's requirements; having an acquisition strategy designed to eliminate or reduce the need to tailor commercial off-the-shelf systems to meet unique requirements, incorporate unique requirements, or incorporate unique interfaces to the maximum extent practicable; and being in compliance with DOD's auditability requirements. As a result, the Department of the Navy is better positioned to help ensure that its systems have valid requirements and a viable plan to implement them; limit unnecessary systems complexity; and support the Department of Defense's efforts to meet its auditability requirements.
Department of the Army 4. The Secretary of the Army should define a specific time frame for finalizing, and ensure the issuance of guidance for certifying the department's business systems on the basis of (1) being reengineered to be as streamlined and efficient as practicable, and determining that implementation of the system will maximize the elimination of unique software requirements and unique interfaces; (2) being in compliance with the business enterprise architecture; (3) having valid, achievable requirements and a viable plan to implement the requirements; (4) having an acquisition strategy designed to eliminate or reduce the need to tailor commercial off-the-shelf systems to meet unique requirements, incorporate unique requirements, or incorporate unique interfaces to the maximum extent practicable; and (5) being in compliance with DOD's auditability requirements. (Recommendation 4)
Closed - Implemented
The Department of the Army has implemented the recommendation. As of 2018, the department's policy addressed two elements of the recommendation but did not address the other three elements. Specifically, it included policy for certifying the department's business systems on the basis of (1) being reengineered to be as streamlined and efficient as practicable, and determining that implementation of the system will maximize the elimination of unique software requirements and unique interfaces; and (2) being in compliance with the business enterprise architecture. However, it did not address certifying the department's business systems on the basis of (1) having valid, achievable requirements and a viable plan to implement the requirements; (2) having an acquisition strategy designed to eliminate or reduce the need to tailor commercial off-the-shelf systems to meet unique requirements, incorporate unique requirements, or incorporate unique interfaces to the maximum extent practicable; and (3) being in compliance with DOD's auditability requirements. In August 2019, Army issued its Fiscal Year 2020 Defense Business Systems Annual Certification and Portfolio Review Guidance. This updated guidance addressed the remaining three elements of the recommendation.
Office of the Secretary of Defense 5. The Secretary of Defense should ensure that the DOD Chief Information Officer (CIO) develops an IT enterprise architecture which includes a transition plan that provides a road map for improving the department's IT and computing infrastructure, including for each of its business processes. (Recommendation 5)
Open
In October 2019, the DOD CIO developed a report on the first increment of version 3 of the department's information enterprise architecture (IEA). The report includes high-level descriptions of the current and target architectures, and high-level plans and schedules for transitioning from the current to the target architecture. The report states that because of the incremental approach to developing the architecture, the plans and schedules are notional and depend on several factors over which the DOD CIO has limited or no control, such as funding and changing world events, priorities, and technology. The report also describes plans to integrate the IEA with the department's business enterprise architecture. However, the report did not define a specific time frame for integrating the architectures. According to the report, for the next increment of the architecture, the department plans to develop compliance criteria and plans for developing an ontology, database, and tool suite. The department did not provide a time frame for completing the next increment. We will continue to monitor the department's efforts to implement the recommendation.
Office of the Secretary of Defense 6. The Secretary of Defense should ensure that the DOD CIO and Chief Management Officer work together to define a specific time frame for when the department plans to integrate its business and IT architectures and ensure that the architectures are integrated. (Recommendation 6)
Open
In October 2019, the DOD CIO developed a report on the first increment of version 3 of its information enterprise architecture (IEA). The report described planned efforts related to integrating the IEA and the business enterprise architecture. However, the report did not define a specific time frame for when the department plans to integrate the architectures.

Full Report

GAO Contacts