DOD Business Systems Modernization:

Key Navy Programs' Compliance with DOD's Federated Business Enterprise Architecture Needs to Be Adequately Demonstrated

GAO-08-972: Published: Aug 7, 2008. Publicly Released: Aug 7, 2008.

Additional Materials:

Contact:

Valerie C. Melvin
(202) 512-6304
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

For decades, the Department of Defense (DOD) has been challenged in modernizing its thousands of business systems. Since 1995, GAO has designated the department's business systems modernization efforts as high risk. One key to effectively modernizing DOD's systems environment and satisfying relevant legislative requirements is ensuring that business system investments comply with an enterprisewide strategic blueprint, commonly called an enterprise architecture. For DOD's business systems modernization, it is developing and using a federated Business Enterprise Architecture (BEA), which is a coherent family of parent and subsidiary architectures. GAO was requested to determine whether key Department of the Navy business systems modernization programs comply with DOD's federated BEA. To determine this, GAO examined the BEA compliance assessments, certifications, and approvals for selected Navy programs against relevant guidance.

Key DOD business systems modernization programs do not adequately demonstrate compliance with the department's federated BEA, even though each program largely followed DOD's existing compliance guidance, used its compliance assessment tool, and was certified and approved as being compliant by department investment oversight and decision-making entities. In particular, the programs' BEA compliance assessments did not include all relevant architecture products, such as products that specify the technical standards needed to promote interoperability among related systems; examine overlaps with other business systems, even though a stated goal of the BEA is to identify duplication and thereby promote the use of shared services; and address compliance with the Department of the Navy's enterprise architecture, which is a major BEA federation member. These important steps were not performed for a variety of reasons, including the fact that the department's guidance does not provide for performing them and its assessment tool is not configured to do so. In addition, even though the department's investment oversight and decision-making authorities certified and approved these business system programs as compliant with the BEA, these certification and approval entities did not validate each program's compliance assessment and assertions. According to DOD officials, department policy and guidance do not require these authorities to do so. Instead, they said that this responsibility is assigned to DOD's component organizations, such as the Department of the Navy. However, Department of the Navy oversight and decision-making authorities also did not validate the programs' assessments and assertions. According to department officials from the Office of the Chief Information Officer, this is because these authorities do not have the resources needed to do so and because important aspects of the Department of the Navy enterprise architecture are not yet sufficiently developed to permit a compliance determination. In addition, guidance does not exist that specifies how an assessment should be validated. Because of these limitations, these and other DOD programs are at increased risk of being defined and implemented in a way that does not sufficiently ensure interoperability and avoid duplication and overlap, which are both goals of the BEA and the department's related investment management approach. Unless this changes, DOD and its components will not have a sufficient basis for knowing if its business system programs have been defined to effectively and efficiently support corporate business operations, and DOD's business systems modernization efforts will likely remain on GAO's high-risk list.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To adequately ensure that DOD business system investments are defined and implemented within the context of its federated BEA, the Secretary of Defense should direct the responsible authorities in the department to amend relevant DOD policy to explicitly require business system program compliance with the federated BEA, to include both the corporate BEA and the component enterprise architectures as a condition for program certification and approval.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: Relevant DOD policies and guidance have yet to be amended to explicitly require business system program compliance with the component architectures as a condition for program certification and approval. According the Office of the DOD Deputy Chief Management Officer, DOD is working to implement its proposed vision for the future BEA, which is to include the ability for programs to automatically assert compliance with all relevant BEA products, including BEA products developed by DOD components (e.g., military departments). However, this vision has yet to be implemented and a timeframe has yet to be established.

    Recommendation: To adequately ensure that DOD business system investments are defined and implemented within the context of its federated BEA, the Secretary of Defense should direct the responsible authorities in the department to use the program-specific data in the compliance assessment tool for identifying and analyzing potential overlap and duplication, and thus opportunities for reuse and consolidation among programs and provide programs access rights to use this functionality.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DOD has described actions it plans to take to address the recommendation, but these actions have yet to be implemented. Specifically, DOD has described an approach for automating BEA compliance assessments that is to allow for, among other things, identifying individual systems associated with specific BEA business processes. As envisioned, this would assist in identifying potential overlap and duplication. However, the automated approach has not yet been implemented and related guidance does not address how potentially duplicative systems will be identified. In addition, the tools associated with implementing DOD's proposed approach for automating BEA compliance assessments are still being piloted and the current BEA compliance guidance does not require programs to identify and analyze potential overlap and duplication as part of the BEA compliance process. According to officials within the Office of the DOD Deputy Chief Management Officer, DOD expects to issue new BEA compliance guidance for the next version of the BEA (version 10.0), which is planned for release in March 2013.

    Recommendation: To adequately ensure that DOD business system investments are defined and implemented within the context of its federated BEA, the Secretary of Defense should direct the responsible authorities in the department to revise the DOD BEA compliance assessment guidance to (1) include assessment of all relevant operational, technical, and system architecture products and (2) provide for the development and use of key program architecture products in conducting the assessment early enough in the program's life cycle to permit the results of the assessments to have a timely impact on the program's definition, design, and implementation.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: The Department of Defense (DOD) has taken steps that addressed the recommendation. Specifically, the department issued an updated version of its Business Enterprise Architecture (BEA) compliance guidance (version 8.0) on March 11, 2011 that improves upon prior guidance by discussing when key program architecture products should be developed and used to support BEA compliance assessments. For example, while the guidance does not require programs to use BEA system or technical products as part of the compliance assessments, it does require an operational activity model to support compliance assertions made at or before a program enters the technology development phase. According to officials in the Office of the DOD Deputy Chief Management Officer, an approved target systems environment has not yet been defined and approved, and the system view products that have been developed for the BEA cannot be used for compliance until an approved target systems environment exists. According to these officials, DOD expects to issue new BEA compliance guidance for the next version of the BEA (version 10.0), which is planned for release in March 2013.

    Recommendation: To adequately ensure that DOD business system investments are defined and implemented within the context of its federated BEA, the Secretary of Defense should direct the responsible authorities in the department to amend relevant DOD policy to explicitly assign responsibility for validating program BEA compliance assertions to military departments and defense agencies and issue guidance that describes the nature, scope, and methodology for doing so.

    Agency Affected: Department of Defense

    Status: Closed - Not Implemented

    Comments: DOD has not amended relevant policies requiring BEA compliance assertions to be validated. The department issued the latest version of its BEA compliance guidance (version 8.0) on March 11, 2011, which calls for pre-certification authorities (for non-military department agencies) and chief management officers (for military departments) to be accountable for BEA compliance. However, the guidance does not call for these authorities to validate BEA compliance assertions. Further, the guidance does not include a description of the nature, scope, or methodology to be used in validating program compliance assertions. According to officials in the Office of the DOD Deputy Chief Management Officer, DOD expects to issue new BEA compliance guidance for the next version of the BEA (version 10.0), which is planned for release in March 2013.

    Jul 28, 2014

    Jul 17, 2014

    Jul 14, 2014

    Jul 11, 2014

    Jul 9, 2014

    Jul 8, 2014

    Jun 30, 2014

    Jun 26, 2014

    Looking for more? Browse all our products here