DOD Business Systems Modernization:
Governance Mechanisms for Implementing Management Controls Need to Be Improved
GAO-12-685: Published: Jun 1, 2012. Publicly Released: Jun 1, 2012.
What GAO Found
The Department of Defense (DOD) continues to take steps to comply with the provisions of the Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005, as amended, and to satisfy relevant system modernization management guidance. While the department has initiated numerous activities aimed at addressing the act, it has been limited in its ability to demonstrate results. Specifically, the department
- released its most recent business enterprise architecture version, which continues to address the acts requirements and is consistent with the departments future vision for developing its architecture. However, the architecture has not yet resulted in a streamlined and modernized business systems environment, in part, because DOD has not fully defined the roles, responsibilities, and relationships associated with developing and implementing the architecture.
- included a range of information for 1,657 business system investments in its fiscal year 2013 budget submission; however, it does not reflect about 500 business systems, due in part to the lack of a reliable, comprehensive inventory of all defense business systems.
- has not implemented key practices from GAOs Information Technology Investment Management framework since GAOs last review in 2011. In addition, while DOD has reported its intent to implement a new organizational structure and guidance to address statutory requirements, this structure and guidance have yet to be established. Further, DOD has begun to implement a business process reengineering review process but has not yet measured and reported results.
- continues to describe certification actions in its annual report for its business system investments as required by the actDOD approved 198 actions to certify, decertify, or recertify defense business system modernizations, which represented a total of $2.2 billion in modernization spending. However, the basis for these actions and subsequent approvals is supported with limited information, such as unvalidated architectural compliance assertions.
- lacks the full complement of staff it identified as needed to perform business systems modernization responsibilities. Specifically, the office of the Deputy Chief Management Officer, which took over these responsibilities from another office in September 2011, reported that 41 percent of its positions were unfilled.
DODs progress in modernizing its business systems is limited, in part, by continued uncertainty surrounding the departments governance mechanisms, such as roles and responsibilities of key organizations and senior leadership positions. Until DOD fully implements governance mechanisms to address these long-standing institutional modernization management controls provided for under the act, addressed in GAO recommendations, and otherwise embodied in relevant guidance; its business systems modernization will likely remain a high-risk program.
Why GAO Did This Study
For decades, DOD has been challenged in modernizing its business systems. Since 1995, GAO has designated DODs business systems modernization program as high risk, and it continues to do so today. To assist in addressing DODs business system modernization challenges, the National Defense Authorization Act for Fiscal Year 2005 requires the department to take certain actions prior to obligating funds for covered systems. It also requires DOD to annually report to the congressional defense committees on these actions and for GAO to review each annual report. In response, GAO performed its annual review of DODs actions to comply with the act and related federal guidance. To do so, GAO reviewed, for example, the latest version of DODs business enterprise architecture, fiscal year 2013 budget submission, investment management policies and procedures, and certification actions for its business system investments.
What GAO Recommends
GAO recommends that the Secretary of Defense take steps to strengthen the departments mechanisms for governing its business systems modernization activities. DOD concurred with two of GAOs recommendations and partially concurred with one, but did not concur with the recommendation that it report progress on staffing the office responsible for business systems modernization to the congressional defense committees. GAO maintains that including staffing progress information in DODs annual report will facilitate congressional oversight and promote departmental accountability.
For more information, contact Valerie Melvin at (202) 512-6304 or firstname.lastname@example.org.
Recommendations for Executive Action
Comments: The Deputy Chief Management Officer (DCMO) approved the Business Enterprise Architecture (BEA) Configuration Control Board (CCB) charter on August 19, 2013. The charter specifies roles and responsibilities for the review and approval of proposed BEA content. However, the charter does not clarify the roles, responsibilities, and relationships among the Chief Management Officer, DCMO, Department of Defense (DOD) and military department Chief Information Officers (CIO), Principal Staff Assistants, military department Chief Management Officers, and the heads of the military departments and defense agencies, associated with the development of a federated BEA. According to DOD officials, the DOD CIO is drafting an enterprise architecture (EA) directive that is to specify the roles, responsibilities and policy associated with the development, review, approval, and use of EA across the department. According to the Director of Investment and Acquisition Management in the Office of the DCMO, final decisions about how this directive will be implemented have not yet been made. In addition, existing and future responsibilities may shift as a result of planned organizational changes. Specifically, on December 4, 2013, the Secretary of Defense issued a memorandum that outlined the results of an organizational review completed by the Office of the Secretary of Defense. Among other things, the Secretary called for strengthening the office of the DOD CIO by moving the oversight of business systems from the DCMO to the CIO, and for strengthening the Office of the DCMO to better coordinate the department's business affairs. Until the Department finalizes implementation plans for this reorganization, it will be challenged in taking needed steps to clarify the roles, responsibilities, and relationships among the various entities associated with the development of a federated BEA.
Recommendation: To ensure that DOD continues to implement the full range of institutional management controls needed to address its business systems modernization high-risk area, the Secretary of Defense should ensure that the Deputy Secretary of Defense, as the department's Chief Management Officer, establish a policy that clarifies the roles, responsibilities, and relationships among the Chief Management Officer, Deputy Chief Management Officer, DOD and military department Chief Information Officers, Principal Staff Assistants, military department Chief Management Officers, and the heads of the military departments and defense agencies, associated with the development of a federated business enterprise architecture (BEA). Among other things, the policy should address the development and implementation of an overarching taxonomy and associated ontologies to help ensure that each of the respective portions of the architecture will be properly linked and aligned. In addition, the policy should address alignment and coordination of business process areas, military department and defense agency activities associated with developing and implementing each of the various components of the BEA, and relationships among these entities.
Agency Affected: Department of Defense
Comments: The Department of Defense (DOD) has taken steps to address this recommendation. For example, the department has been integrating information contained in its system data repositories by developing and implementing the DOD Information Technology Investment Portal (DITIP). DITIP is now the authoritative source for DOD header (i.e., basic) information about information technology (IT) systems and is to serve as a one stop source for all IT investment portfolio information. More specifically, the system maintains a core database composed of common DOD IT Portfolio Repository (DITPR) and Select and Native Programming Data Input System - Information Technology (SNAP-IT) data elements as well as essential data elements required for initial registration of DOD IT systems (e.g., investment title, mission area, etc.). According to DOD, the portal addresses common data errors and integrates data between the portal and the DITPR and SNAP-IT system data repositories. In addition, DCMO's fiscal year 2014 investment management guidance included language indicating that the component Pre-Certification Authority is to assert that information contained in DITPR, DITIP, and SNAP-IT has been verified to be complete and accurate prior to any system's certification to spend appropriated funds. While this new approach has allowed DOD to improve certain information about its business system certification and approvals, other information needs continued improvement. Specifically, data contained in DITPR is not always consistent with DITIP and SNAP-IT. DOD officials stated that they plan to conduct a data validation process intended to align and reconcile the data common to DITPR and SNAP-IT via DITIP, but have not provided evidence that this validation process has been completed.
Recommendation: To ensure that annual budget submissions are based on complete and accurate information, the Secretary of Defense should direct the appropriate DOD organizations to establish a deadline by which it intends to complete the integration of the repositories and validate the completeness and reliability of information.
Agency Affected: Department of Defense
Comments: The Office of the Deputy Chief Management Officer's (DCMO) March 2014 annual report to Congress included some information about its business process reengineering efforts, but the report did not include the information called for by our recommendation. More specifically, the department's report to Congress stated that the department applied lessons learned to conduct business process reengineering assessments during the business system certification process. Further, according to the report, the Defense Business Council validated a sample of business process reengineering assessments submitted with fiscal year 2013 organizational execution plans as well as business process reengineering assessments concurrent with the review of fiscal year 2014 certification requests. The report also summarized the results of the validations, showing that the majority were incomplete and required additional work to comply with the department's business process reengineering requirements. While the department's annual report included information about the results of business process reengineering validations, the Office of the DCMO has not yet reported on measures such as the number of systems that have undergone material process changes, the number of interfaces eliminated, and the status of end-to-end business process reengineering efforts. According to officials from the Office of the DCMO, the business process reengineering process is still evolving and the Office of the DCMO will determine the best method to publish the results when they are available.
Recommendation: To facilitate congressional oversight and promote departmental accountability, the Secretary of Defense should ensure that the Deputy Secretary of Defense, as the department's Chief Management Officer, direct the Deputy Chief Management Officer to include in DOD's annual report to Congress on compliance with 10 U.S.C. § 2222, the results of the department's business process reengineering (BPR) efforts. Among other things, the results should include the department's determination of the number of systems that have undergone material process changes, the number of interfaces eliminated as part of these efforts (i.e., by program, by name), and the status of its end-to-end business process reengineering efforts.
Agency Affected: Department of Defense
Comments: According to the Office of the Deputy Chief Management Officer, the department does not concur with this recommendation and has not developed plans or a means by which to report on the status of filling staff positions and the impact of any unfilled positions on the ability of the office to conduct its work.
Recommendation: To facilitate congressional oversight and promote departmental accountability, the Secretary of Defense should ensure that the Deputy Secretary of Defense, as the department's Chief Management Officer, direct the Deputy Chief Management Officer to include in DOD's annual report to Congress on compliance with 10 U.S.C. § 2222, an update on the office of the DCMO's progress toward filling staff positions and the impact of any unfilled positions on the ability of the office to conduct its work.
Agency Affected: Department of Defense