Skip to main content

Customs Service Modernization: Ineffective Software Development Processes Increase Customs System Development Risks

AIMD-99-35 Published: Feb 11, 1999. Publicly Released: Feb 11, 1999.
Jump To:
Skip to Highlights

Highlights

Pursuant to a congressional request, GAO reviewed the Customs Service's software development maturity and improvement activities, focusing on: (1) the maturity of Customs' software development processes; and (2) whether Customs has an effective software process improvement program.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Directorate of Border and Transportation Security After ensuring that its mission-critical systems are year 2000 compliant, but before investing in major software development efforts like ACE, the Commissioner of Customs should direct the Customs Chief Information Officer to assign responsibility and authority for software development process improvement.
Closed – Implemented
In January 1999, Customs' Office of Information and Technology was reorganized. This reorganization included establishment of the technology and architecture group that is responsible, among other things, for developing and communicating software process improvement policies and plans. Additionally, the software development division was designated as responsible for implementing software process improvement (development and acquisition).
Directorate of Border and Transportation Security After ensuring that its mission-critical systems are year 2000 compliant, but before investing in major software development efforts like ACE, the Commissioner of Customs should direct the Customs Chief Information Officer to develop and implement a formal plan for software development process improvement that is based on the software capability evaluation results contained in this report and specifies measurable goals and timeframes, prioritizes initiatives, estimates resource requirements (trained staff and funding), and defines a process improvement management structure.
Closed – Implemented
Customs (now known as the Bureau of Customs and Border Protection or CBP) agreed with this recommendation and in mid-1999 prepared a software process improvement plan for achieving Software Engineering Institute Capability Maturity Model (CMM) level 2. Later that year, CBP formed a Software Engineering Process Group (SEPG) that prioritized initiatives, estimated resources, and defined an overall management structure for software process improvement activities. Further, the four individual software development groups in CBP's Software Development Division (SDD) established their own action plans, specifying measurable goals and timeframes for achieving software CMM level 2. CBP's progress toward implementing its software process improvement plans is reflected in the results of an April 2003 assessment in which SDD was rated at software CMM level 2.
Directorate of Border and Transportation Security After ensuring that its mission-critical systems are year 2000 compliant, but before investing in major software development efforts like ACE, the Commissioner of Customs should direct the Customs Chief Information Officer to ensure that every new software development effort in Customs adopts processes that satisfy at least software capability maturity model level 2 requirements.
Closed – Implemented
Customs (now known as the Bureau of Customs and Border Protection or CBP) agreed with this recommendation and has taken steps to ensure that its new software development efforts satisfy Software Engineering Institute Capability Maturity Model (CMM) level 2. Specifically, CBP revised its system development life-cycle (SDLC) policy to require consistency with level 2 processes. Further, the Chief Information Officer mandated that every new software development project comply with the SDLC. To determine whether individual projects, including all new software development efforts, satisfy level 2 processes, CBP has conducted three assessments of software development process maturity in its Software Development Division (SDD) from March 2001 to April 2003. The assessment in March 2001 showed that one of four SDD groups was CMM level 2 compliant and action plans were developed to bring the remaining three SDD groups to level 2. Another assessment was conducted in July 2002, and new improvement plans were made based on the results of the assessment. The April 2003 assessment found that all of SDD achieved software CMM level 2.
Directorate of Border and Transportation Security After ensuring that its mission-critical systems are year 2000 compliant, but before investing in major software development efforts like ACE, the Commissioner of Customs should direct the Customs Chief Information Officer to ensure that process improvement activities are initiated for all ongoing essential software maintenance projects.
Closed – Implemented
Customs agreed with this recommendation. In response, Customs revised its system development life-cycle (SDLC) policy. The revised SDLC policy specifically addresses software maintenance projects and requires Capability Maturity Model (CMM) level 2 compliance for maintenance projects. Assessments conducted in November 2001, July 2002, and April 2003 have confirmed that maintenance projects have initiated and sustained software process improvement activities.

Full Report

Office of Public Affairs

Topics

Customs administrationInformation resources managementInformation systemsSoftwareSoftware verification and validationSoftware engineeringQuality assuranceConfiguration controlData automationComputer resources