DOD Business Systems Modernization:
Recent Slowdown in Institutionalizing Key Management Controls Needs to Be Addressed
GAO-09-586, May 18, 2009
Since 1995, GAO has designated the Department of Defense's (DOD) business systems modernization program as high risk, and it continues to do so today. To assist in addressing DOD's business system modernization challenges, the Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005 (the Act) contains provisions that require the department to take certain actions and to annually report to its congressional committees on these actions. The Act also directs GAO to review each annual report. In response, GAO performed its fifth annual review of DOD's actions to comply with key aspects in the Act and related federal guidance. To do so, GAO reviewed, for example, the latest version of DOD's business enterprise architecture (BEA) and transition plan, investment management policies and procedures, and information in the department's business system data repositories.
The pace of DOD's progress in defining and implementing key institutional modernization management controls has slowed compared with progress made in each of the last 4 years, leaving much still to be accomplished to fully implement the Act's requirements and related guidance. In particular, the corporate BEA continues to evolve and address previously identified missing elements, inconsistencies, and usability issues, but gaps still remain. For example, while the BEA now identifies information assurance laws, regulations, and policies, it still does not include business rules for all business processes. Further, little progress has been made in the last year in extending (i.e., federating) the BEA to the entire family of business mission area architectures, including using an independent verification and validation agent to assess the components' subsidiary architectures and federation efforts. The updated enterprise transition plan continues to identify systems and initiatives, but important elements are still missing, as are individual component plans. For example, while the plan provides a range of information, such as budgets and performance measures, for key enterprisewide and component-specific investments, it is missing information on identified investments. The fiscal year 2009 budget submission included some, but omitted other, key information about business system investments, in part because of the lack of a reliable comprehensive inventory of all defense business systems. Investment approval and accountability structures have been established for DOD and the Air Force, and related policies and procedures that are consistent with relevant guidance have been partially defined. However, these structures and processes are still lacking for the Navy. Business system investments costing over $1 million continue to be certified and approved, but these decisions are not always based on complete information. For example, key Navy investments have not fully demonstrated compliance with the department's BEA, and their economic justifications were not based on reliable estimates of cost and benefits. In addition, the information in DOD's authoritative repository of system investments that is used to make these decisions is not always accurate. Department officials attributed this slowdown in large part to pending decisions surrounding the roles, responsibilities, authorities, and relationships among key senior leadership positions, such as DOD's Deputy Chief Management Officer and the military departments' Chief Management Officers. Until DOD fully implements these long-standing institutional modernization management controls provided for under the Act, addressed in GAO recommendations, and otherwise embodied in relevant guidance, its business systems modernization will likely remain a high-risk program. As a result, it is important that the department act quickly to resolve pending decisions about key positions.
- Review Pending
- Closed - implemented
- Closed - not implemented
Recommendations for Executive Action
Recommendation: To ensure that DOD continues to implement the full range of institutional management controls needed to address its business systems modernization high-risk area, the Secretary of Defense should direct the Deputy Secretary of Defense, as chair of the DBSMC and as DOD's CMO, to resolve the issues surrounding the roles, responsibilities, authorities, and relationships of the Deputy CMO and the military department CMOs relative to the BEA and ETP federation and business system investment management.
Agency Affected: Department of Defense
Comments: In February 2010, DOD issued additional guidance that clarified the roles, responsibilities, authorities, and relationships of the department's Deputy Chief Management Officer (DCMO) and the military department chief management officers (CMOs) relative to business system investment management. Specifically, the guidance assigned the DCMO and military CMOs responsibility for determining if business process reengineering activities have been conducted as part of the department's investment review board (IRB) processes. It also assigned the military CMOs the roles and responsibilities of a pre-certification authority as defined in previous IRB guidance. In addition, DOD officials stated in July 2010 that the department's IRB guidance will be updated in the coming fiscal year to provide additional information regarding DCMO and military CMO roles and responsibilities in the IRB process. However, the department has yet to clarify in policy or guidance the roles, responsibilities, authorities, and relationships between the DCMO and military CMOs relative to the BEA and and ETP federation.
Recommendation: To ensure that business system investment reviews and related certification and approval decisions, as well as annual budget submissions, are based on complete and accurate information, the Secretary of Defense should direct the appropriate DOD organizations to develop and implement plans for reconciling and validating the completeness and reliability of information in its DITPR and SNAP-IT system data repositories, and to include information on the status of these efforts in the department's fiscal year 2010 report in response to the Act.
Agency Affected: Department of Defense
Comments: In November 2009, the department reported that it was taking steps to synchronize information stored in the Defense Information Technology Portfolio Repository (DITPR) and Select and Native Programming Data Input System-Information Technology (SNAP-IT) systems. Specifically, it reported that the chief information officer and the office of Program Analysis and Evaluation intend to modify both DITPR and SNAP-IT to eliminate duplication of data and use web services to provide integration for the two systems. In April 2010, the department reported that before it can modify SNAP-IT to address our recommendation, certain technical changes would need to be made that could take about 12 months to complete. It also reported that additional policy and guidance changes would be necessary, but did not indicate when it expected to complete that effort. In March 2011, GAO performed a data reliability comparison between DITPR and SNAP-IT and found that there are still differences in the numbers of business systems, which indicate reconciliation between the systems has not yet been completed. According to the Office of the ASD(NII)/DOD CIO, efforts to provide automated SNAP-IT and DITPR integration work were delayed due to increased SNAP-IT requirements in supporting the fiscal year 2012 budget submission and ongoing reorganization efforts within DOD. The department plans to restart the process of integrating the two systems beginning in the third quarter of fiscal year 2011.