This is the accessible text file for GAO report number GAO-08-922 
entitled 'DOD Business Systems Modernization: Planned Investment in 
Navy Program to Create Cashless Shipboard Environment Needs to Be 
Justified and Better Managed' which was released on September 8, 2008.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Subcommittee on Readiness and Management Support, 
Committee on Armed Services, U.S. Senate: 

United States Government Accountability Office: 
GAO: 

September 2008: 

DOD Business Systems Modernization: 

Planned Investment in Navy Program to Create Cashless Shipboard 
Environment Needs to Be Justified and Better Managed: 

GAO-08-922: 

GAO Highlights: 

Highlights of GAO-08-922, a report to the Subcommittee on Readiness and 
Management Support, Committee on Armed Services, U.S. Senate. 

Why GAO Did This Study: 

GAO has designated the Department of Defense’s (DOD) multi-billion 
dollar business systems modernization efforts as high risk, in part 
because key information technology (IT) management controls have not 
been implemented on key investments, such as the Navy Cash program. 
Initiated in 2001, Navy Cash is a joint Department of the Navy (DON) 
and Department of the Treasury Financial Management Service (FMS) 
program to create a cashless environment on ships using smart card 
technology, and is estimated to cost about $320 million to fully 
deploy. As requested, GAO analyzed whether DON is effectively 
implementing IT management controls on the program, including 
architectural alignment, economic justification, requirements 
development and management, risk management, security management, and 
system quality measurement against relevant guidance. 

What GAO Found: 

Key IT management controls have not been effectively implemented on 
Navy Cash, to the point that further investment in this program, as it 
is currently defined, has not been shown to be a prudent and judicious 
use of scarce modernization resources. In particular, Navy Cash has not 
been (1) assessed and defined in a way to ensure that it is not 
duplicative of programs in the Air Force and the Army that use smart 
card technology for electronic retail transactions and (2) economically 
justified on the basis of reliable analyses of estimated costs and 
expected benefits over the program’s life. As a result, DON cannot 
demonstrate that the investment alternative that it is pursuing is the 
most cost-effective solution to satisfying its mission needs. 

Moreover, other management controls, which are intended to maximize the 
chances of delivering defined and justified system capabilities and 
benefits on time and within budget, have not been effectively 
implemented. 

* System requirements have not been effectively managed. For example, 
neither policies nor plans that define how system requirements are to 
be managed, nor an approved baseline set of requirements that are 
justified and needed to cost-effectively meet mission needs, exist. 
Instead, requirements are addressed reactively through requests for 
changes to the system based primarily on the availability of funding. 

* Program risks have not been effectively managed. In particular, 
plans, processes, and procedures that provide for identifying, 
mitigating, and disclosing risks have not been defined, nor have 
risk-related roles and responsibilities for key stakeholders. 

* System security has not been effectively managed, thus putting the 
confidentiality, integrity, and availability of deployed and operating 
shipboard devices, applications, and data at increased risk of being 
compromised. For example, the mitigation of system vulnerabilities by 
applying software patches has not been effectively implemented. 

* Key aspects of system quality are not being effectively measured. For 
example, data for determining trends in unresolved system change 
requests, which is an indicator of system stability, as well as user 
feedback on system satisfaction, are not being collected and used. 

Program oversight and management officials acknowledged these 
weaknesses and cited turnover of staff in key positions and their 
primary focus on deploying Navy Cash as reasons for the state of some 
of these IT management controls. Collectively, this means that, after 
investing about 6 years and $132 million on Navy Cash and planning to 
invest an additional $60 million to further develop the program, the 
department has yet to demonstrate through verifiable analysis and 
evidence that the program, as currently defined, is justified. 
Moreover, even if further investment was to be demonstrated, the manner 
in which the delivery of program capabilities is being managed is not 
adequate. As a result, the program is at risk of delivering a system 
solution that falls short of cost, schedule, and performance 
expectations. 

What GAO Recommends: 

GAO recommends that investment of modernization funding in Navy Cash be 
limited until a basis for informed decision making is established, and 
that other program management weaknesses be corrected, as appropriate. 
DOD agreed with most of GAO’s recommendations and described actions 
underway or planned to address them, while FMS committed to supporting 
DON in implementing them. Both provided other comments that GAO 
addresses in the report. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-922]. For more 
information, contact Randolph C. Hite at (202) 512-3439 or 
hiter@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Key IT Management Controls Have Not Been Effectively Implemented on 
Navy Cash: 

Conclusions: 

Recommendations: 

Agency Comments and Our Evaluation: 

Appendix I: Objective, Scope, and Methodology: 

Appendix II: Comments from the Department of Defense: 

Appendix III: Comments from the Department of the Treasury, Financial 
Management Service: 

Appendix IV: GAO Contacts and Staff Acknowledgments: 

Tables: 

Table 1: Capabilities and Limitations of Navy Cash Predecessor Systems: 

Table 2: Organizations Responsible for Navy Cash Oversight and 
Management: 

Table 3: Summary of Business System Acquisition Best Practices: 

Table 4: Summary of Cost-Estimating Characteristics That the Cost 
Estimate Satisfies: 

Table 5: Satisfaction of OMB Economic Analysis Criteria: 

Figures: 

Figure 1: Simplified Diagram of Navy Cash Network: 

Figure 2: Actual and Estimated Development and Operations and 
Maintenance Costs for Navy Cash: 

Figure 3: DON and FMS Roles and Relationships for Navy Cash: 

Abbreviations: 

ATM: automated teller machine: 

BEA: business enterprise architecture: 

DOD: Department of Defense: 

DON: Department of the Navy: 

FISMA: Federal Information Security Management Act: 

FMS: Department of the Treasury, Financial Management Service: 

IT: information technology: 

NAVSUP: Naval Supply Systems Command: 

NIST: National Institute of Standards and Technology: 

NTCSS: Naval Tactical Command Support System: 

OMB: Office of Management and Budget: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

September 8, 2008: 

The Honorable Daniel K. Akaka: 
Chairman: 
The Honorable John Thune: 
Ranking Member: 
Subcommittee on Readiness and Management Support: 
Committee on Armed Services: 
United States Senate: 

The Honorable John Ensign: 
United States Senate: 

For decades, the Department of Defense (DOD) has been challenged in 
modernizing its business systems.[Footnote 1] In 1995, we designated 
the department's modernization effort as high-risk, and we continue to 
do so today.[Footnote 2] Among our reasons for doing so are the 
enormous size and complexity of the effort, and the department's 
long-standing challenges in implementing effective information technology 
(IT) management controls on each business system investment. 

One of the Department of the Navy's (DON) larger business system 
modernizations is Navy Cash. Initiated in 2001, the program is to 
create a cashless environment on ships through the use of smart card 
technology.[Footnote 3] It is being executed jointly with the 
Department of the Treasury's Financial Management Service (FMS), under 
which DON is responsible for managing the acquisition of Navy Cash, 
while FMS is responsible for (1) managing the funds distributed through 
the system and (2) developing and maintaining the system. Navy Cash is 
expected to cost approximately $320 million to develop and implement 
over a 14-year period. Of this, $220 million is being funded by DON and 
$100 million is being funded by FMS. The system is to be fully deployed 
in fiscal year 2011. 

As agreed, our objective was to determine whether DON is effectively 
implementing IT management controls on Navy Cash. To accomplish this, 
we analyzed a range of program documentation and interviewed cognizant 
officials relative to the following IT management controls: 
architectural alignment, economic justification, requirements 
development and management, risk management, security management, and 
system quality measurement. In doing so, we compared DON's efforts in 
each control area to relevant federal and industry requirements and 
guidance. 

We conducted this performance audit between June 2007 and September 
2008, in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objective. We 
believe that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objective. Additional 
details on our objective, scope, and methodology are in appendix I. 

Results in Brief: 

Key IT management controls have not been effectively implemented on 
Navy Cash. Collectively, these IT management controls are intended to 
ensure that a selected system investment alternative represents the 
most cost-effective option to meeting a mission need and, if it is, 
that the proposed investment, as defined, is acquired and deployed in a 
way that maximizes the chances of delivering promised system 
capabilities and benefits on time and within budget. For Navy Cash, 
these management controls have largely not been implemented. As a 
result, investment in the system has not been justified. More 
specifically: 

* Navy Cash has not been assessed to ensure that it is not duplicative 
of programs in the Air Force and the Army that also provide for the use 
of smart card technology for electronic retail transactions. As a 
result, the extent of such duplication, and thus the opportunity for 
DOD to share and reuse system functions and services across the 
military departments, is not known. Within DOD, the means for avoiding 
business system duplication and overlap is the department's process for 
assessing compliance with the DOD business enterprise architecture 
(BEA).[Footnote 4] However, the BEA does not contain the business 
activities that Navy Cash supports, and according to DOD officials, 
these activities are not planned for inclusion in the architecture. 
Further, even if the BEA included the business activities that Navy 
Cash supports, the program's ability to assess architecture compliance 
would have been limited because the program office did not develop a 
complete set of system-level architecture products needed to perform a 
meaningful compliance assessment. As a result, resources are being 
invested to deliver capabilities that could be potentially duplicative 
of similar programs in the department; therefore, DOD may not be 
pursuing the most cost-effective solution to its mission needs. 

* Navy Cash has not been economically justified on the basis of 
reliable analyses of estimated costs and expected benefits over the 
life of the program. According to the latest economic analysis, the 
program is expected to produce estimated benefits of about $133 million 
for an estimated cost of about $100 million. However, the cost estimate 
is not reliable because it covers only 6 years of costs, while the 
program's estimated life cycle is now at least 14 years. Moreover, the 
cost estimate excludes FMS's costs, and it was not derived in 
accordance with effective estimating practices, such as adjusting the 
estimate to account for program risks and changes to the program. At 
the same time, the economic analysis did not consider all relevant 
alternatives, such as leveraging in part or in total the above 
mentioned Air Force and Army programs. Further, the benefits projection 
erroneously counted $40 million as cost savings rather than cost 
transfers (i.e., shift in the control over spending from one group to 
another that does not result in an economic gain); therefore, projected 
benefits should only be $93 million. Additionally, the economic 
analysis has not been validated using data on actual benefits accrued 
to date. Without a reliable economic analysis, DON's ongoing and 
planned investment in Navy Cash lacks adequate justification and may 
not be a cost-effective course of action. 

Even if investment in Navy Cash were justified, the manner in which the 
system is being acquired and deployed does not reflect other key IT 
management controls, and thus introduces considerable cost, schedule, 
and performance risks. 

* System requirements have not been adequately developed and managed. 
In particular, basic requirements documentation does not exist to 
inform program estimates of the costs and schedule needed to accomplish 
the work associated with delivering predetermined and economically 
justified system capabilities. In addition, plans and procedures that 
define how system requirements are to be managed and who is responsible 
for doing so do not exist. As a result, ongoing system development is 
not focused on delivering an approved baseline set of capabilities, but 
rather is reactive to addressing requirements that emerge through the 
program's change control process. Under this process, users propose 
changes to the system and these proposals are approved or disapproved 
by a joint DON and FMS change control board primarily on the basis of 
consensus about the need for the change and the availability of funds. 
The result is an inability to develop and measure performance against 
meaningful cost, schedule, and capability baselines, and thereby 
reasonably ensure that Navy Cash is meeting expectations, and that 
those responsible for it are accountable for the results. 

* Program risks have not been effectively managed. In particular, 
plans, processes, and procedures that provide for identifying, 
mitigating, and disclosing risks do not exist, and risk management 
roles and responsibilities have not been assigned to key stakeholders. 
As a result, the program office is not proactively attempting to avoid 
the occurrence of cost, schedule, and performance problems, but rather 
is reacting to the consequences of actual problems. 

* The security of deployed and operating Navy Cash shipboard devices, 
applications, and data has not been effectively managed. Specifically, 
the program office has not (1) fully implemented a comprehensive patch 
management process; (2) followed an adequate process for planning, 
implementing, evaluating, and documenting remedial actions for known 
information security weaknesses; (3) obtained adequate assurance that 
FMS has effective security controls in place to protect Navy Cash 
applications and data; and (4) developed an adequate contingency plan 
and conducted effective contingency plan testing. As a result, the 
confidentiality, integrity, and availability of deployed and operating 
Navy Cash shipboard devices, applications, and financial data are at 
increased risk of being compromised. 

* System quality is not being effectively measured because sufficient 
data for determining trends in unresolved change requests, which is an 
indicator of a system's stability, and for understanding users' 
satisfaction with the system are not being collected and used. To the 
program's credit, it has (1) established a change control board to 
review and decide whether to approve requests for changes to the system 
and (2) conducted a survey to assess the extent to which users are 
satisfied with the system. However, the program office has not 
consistently collected and captured the data needed to analyze trends 
in significant change requests that have not been resolved, such as the 
dates that the change requests are opened and closed, and the priority 
of change requests. In addition, the last user survey was conducted 6 
years ago and this survey was limited to a prototype version of the 
system operating on two ships. Without meaningful data in these areas, 
the quality of the system is not clear. 

Program officials acknowledged the above weaknesses and attributed them 
to, among other things, turnover of staff in key positions and their 
focus on deploying the system. Further, they stated that addressing 
these weaknesses has not been a top program priority because Navy Cash 
has been deployed to and is operating on about 80 percent of the ships. 
Given that the department still plans to invest an additional $60 
million to further develop the program, it is important to treat all 
the weaknesses that we have identified as priorities. 

Accordingly, we are making recommendations to the Secretary of Defense 
aimed at limiting further investment of modernization funding in Navy 
Cash to only (1) deployment of already developed and tested 
capabilities, (2) correction of information security vulnerabilities 
and weaknesses on ships where it has been deployed and is operating, 
and (3) development of the basis for deciding whether further 
development, as planned, is in the department's best interest to 
pursue. If further investment in development can be justified, then we 
are recommending that the IT management control weaknesses related to 
requirements management, risk management, and system quality 
measurement discussed in this report be considered program management 
priorities and that they be addressed before significant system 
development and modernization activities begin. 

We received written comments on a draft of this report from both DOD 
and FMS. In DOD's comments, signed by the Deputy Under Secretary of 
Defense (Business Transformation) and reprinted in appendix II, the 
department stated that it concurred with 9 of our 11 recommendations, 
partially concurred with 1, and non-concurred with the remaining 1. 

* In non-concurring with our recommendation for limiting further 
investment in the program, the department actually concurred with two 
out of three aspects of the recommendation. Nevertheless, for the 
aspect of our recommendation aimed at limiting further investment in 
the program to certain types of spending, it stated that it did not 
concur with limiting investment to the exclusion of needed maintenance 
(e.g., technology refresh) of operational systems. We agree with this 
comment, as it is consistent with statements in our report, including 
the recommendation on the report's highlights page and the report's 
conclusions, which focus on limiting investment of modernization 
funding only, and not operations and maintenance funding. To avoid any 
misunderstanding as to our intent, we have clarified our report. 

* With respect to our recommendation for optimizing the relationships 
among DOD's programs that provide smart card technology for electronic 
retail and banking transactions, the department stated that while it 
concurs with the overall intent of the recommendation, it believes that 
the Office of the Under Secretary of Defense (Comptroller) is the 
appropriate organization to implement it. Since our intent was not to 
prescribe the only DOD organization that should be responsible for 
implementing the recommendation, we have slightly modified the 
recommendation to provide the department flexibility in this regard. 

In FMS's comments, signed by the Commissioner and reprinted in appendix 
III, the service stated that our recommendations will help strengthen 
the Navy Cash program and that it has begun to address several of our 
findings and recommendations. Further, it stated that it will work with 
and support DOD in implementing the recommendations, and consistent 
with DOD's comments, stated that it did not agree with limiting 
investment in the program to the exclusion of maintenance of deployed 
systems. As noted above, this is not the intent of our recommendation, 
and we have slightly modified the report to avoid any possible 
confusion as to our intent. Notwithstanding FMS's agreement with our 
recommendations, it provided additional comments on the findings that 
underlie several of the recommendations. For various reasons discussed 
in detail in the agency comments section of this report, we either do 
not agree with most of these additional comments or do not find most of 
them to be germane to our findings and recommendations. 

Background: 

DON's primary mission is to organize, train, maintain, and equip 
combat-ready naval forces capable of winning the global war on terror and any 
other armed conflict, deterring aggression by would-be foes, preserving 
freedom of the seas, and promoting peace and security. To support this 
mission, DON performs a variety of interrelated and interdependent 
business functions (e.g., acquisition and financial management), 
relying heavily on IT systems. In fiscal year 2008, DON's IT budget was 
about $2.7 billion, of which $2.2 billion was allocated to operations 
and maintenance of existing systems and the remaining $500 million to 
systems in development and modernization. Of the approximately 3,000 
business systems that DOD reports in its current inventory, DON 
accounts for 904, or about 30 percent, of the total. The Navy Cash 
system is one such system investment. 

Navy Cash: A Brief Description: 

In 2001, DON initiated Navy Cash in partnership with Treasury's FMS to 
enable sailors and marines to use smart cards that store monetary 
value, also known as stored value cards, to make retail purchases and 
conduct banking transactions while on ships and ashore. The program 
builds upon capabilities that have been incrementally introduced from 
previously deployed systems. (Table 1 summarizes these systems and 
their capabilities and limitations.) 

Table 1: Capabilities and Limitations of Navy Cash Predecessor Systems: 

System: Automated Teller Machines (ATMs)-At-Sea; 
Year deployed: 1988; 
Capabilities: Localized, shipboard ATMs that received and accounted for 
a portion of sailors' and marines' paycheck to be available through 
ATMs. According to DON, this reduced disbursing office workload and 
provided a more secure means of storing personal funds. This system was 
replaced by ATMs-at-Sea/Commercial Banking Afloat; 
Limitations: User accounts were limited to a particular ship; no direct 
access to personal bank accounts ashore. 

System: ATMs-At-Sea/Commercial Banking Afloat; 
Year deployed: 1996; 
Capabilities: Sailors and marines had access to ship-based ATM account 
or personal bank accounts ashore via satellite communication; 
Limitations: Communication link not always available to smaller ships. 

Source: GAO analysis of DON data. 

[End of table] 

According to DOD, Navy Cash's key objectives include introducing 
workload efficiencies and improving the quality of life for sailors and 
marines by: 

* reducing the amount of currency on ships, which lowers costs 
associated with cash handling activities; 

* enabling sailors and marines to conduct ashore banking transactions 
from ships; and 

* enabling sailors and marines to conduct banking or retail 
transactions while ashore (wherever these branded debit cards are 
accepted). 

Navy Cash consists of various equipment and devices, including servers 
that connect to the ship's local area network as well as point-of-sale 
terminals and ATMs that communicate with Navy Cash smart cards. These 
cards contain an electronic chip that stores monetary value and 
interacts with the various devices for conducting electronic retail 
purchases and personal banking transactions on the ships. On shore, 
cardholders can access their Navy Cash accounts via ATMs worldwide or 
conduct retail purchases using the card's magnetic stripe, which 
provides a debit card feature. According to program officials, while 
ashore, sailors and marines have access to over 1,000,000 ATMs and 23 
million merchants worldwide. 

Navy Cash uses a ship's Automated Digital Network System to access 
satellite communications systems, and then transmits transaction files 
off the ship through fleet network operations centers to a financial 
agent (i.e., bank) ashore. To do so, it uses a store-and-forward 
process[Footnote 5] to batch transactions together and transmit them 
off the ship typically during non-peak evening hours. These 
transactions are then processed in a manner similar to personal check 
processing through the Automated Clearing House.[Footnote 6] Figure 1 
is a simplified illustration of the Navy Cash network used to transmit 
these transactions. 

Figure 1: Simplified Diagram of Navy Cash Network: 

[See PDF for image] 

This figure is a simplified diagram of Navy Cash network, depicting the 
following flow of information: 

Local area Network (on board navy vessel): 
Point-of-sale device; 
- Bank card: 
Cashless ATM; 
- Bank card: 
Navy Cash server (daily batch processing); 

Automated Digital Network System: 

Connects through Satellite communications to: 

Fleet network operations center; 
Connects through commercial landlines to: 

U.S. Treasury financial agent bank; 
Financial network and other financial institutions. 

Source: GAO, based on DON data (analysis); Art Explosion (clip art). 

[End of figure] 

Originally, the program was expected to be fully deployed and reach 
full operational capability by December 2008 at an estimated cost of 
about $100 million over a 6-year life cycle.[Footnote 7] The program 
office now expects the program to reach full operational capability in 
fiscal year 2011, and it estimates the program's 14-year life cycle 
cost[Footnote 8] to be about $320 million, of which about $100 million 
is to be funded by FMS. Of the $320 million, about $136 million is for 
development and modernization, and about $184 million is for operations 
and maintenance. From fiscal year 2002 to 2007, DON and FMS reported 
that approximately $132 million has been spent on the program, of which 
$47 million is FMS's cost. Of the $188 million expected to be spent 
(fiscal years 2008-2015), about $57 million is for development and 
modernization. (See fig. 2 for a breakdown of the actual and planned 
costs.) 

Figure 2: Actual and Estimated Development and Operations and 
Maintenance Costs for Navy Cash: 

[See PDF for image] 

This figure is a stacked vertical bar graph depicting the following 
data: 

Actual fiscal years 2002-2007, Operations and maintenance: $53 million; 
Actual fiscal years 2002-2007, Development and modernization: $79 
million; 
Total: $132 million. 

Estimated fiscal years 2008-2015, Operations and maintenance: $131 
million; 
Estimated fiscal years 2008-2015, Development and modernization: $57 
million; 
Total: $188 million. 

Source: DON and FMS. 

[End of figure] 

When fully deployed, the program office estimates that Navy Cash could 
process over $350 million annually in transactions initiated by about 
170,000 sailors and marines worldwide on approximately 160 ships. As of 
April 2008, the program has been deployed to approximately 130 ships. 

Navy Cash Oversight and Management Roles and Responsibilities: 

To manage the acquisition and deployment of Navy Cash, DON established 
a program management office within the Naval Supply Systems Command 
(NAVSUP).[Footnote 9] As authorized by statute[Footnote 10] and because 
of its experience in developing stored value card programs for other 
military departments, NAVSUP has partnered with FMS to develop Navy 
Cash. In February 2001, NAVSUP and FMS signed a memorandum of agreement 
that, among other things, delineated their respective program roles and 
responsibilities. According to the agreement, NAVSUP, through the Navy 
Cash program office, is responsible for managing the acquisition of the 
program, including managing system requirements and developing program 
cost and benefit estimates. According to DOD and other relevant 
guidance, acquisition management includes, among other things, such key 
IT management control areas as architectural alignment, economic 
justification, requirements management, risk management, security 
management, and system quality measurement. 

Also according to the agreement, FMS, through a designated financial 
agent, is to (1) provide for all financial services (i.e., manage the 
funds distributed through Navy Cash) and (2) develop, test, operate, 
and maintain the system's software (e.g., terminal and accounting 
applications) and hardware (e.g., accounting servers, smart cards). In 
short, the financial agent acts as the depository bank, holding and 
managing the pool of sailor and marine funds, including accounting for 
the funds and settling transactions processed. FMS is also responsible 
for tracking and overseeing the financial agent's provision of 
services, as defined in a financial agency agreement between FMS and 
the agent. (See fig. 3 for DON and FMS roles and relationships for Navy 
Cash.) 

Figure 3: DON and FMS Roles and Relationships for Navy Cash: 

[See PDF for image] 

This figure is an illustration of DON and FMS roles and relationships 
for Navy Cash: 

DON: 
Manages acquisition of the system. 

FMS: 
Oversees development, implementation, and maintenance of the system. 

DON/FMS: Change Management Approval Group: 
Decides on system changes. 

Source: GAO analysis of DON and FMS data. 

[End of figure] 

In addition, various other organizations share program oversight and 
review activities. A listing of key entities and their roles and 
responsibilities can be found in table 2. 

Table 2: Organizations Responsible for Navy Cash Oversight and 
Management: 

Entity: DOD Under Secretary of Defense, Comptroller; 
Roles and responsibilities: Serves as the Navy Cash investment review 
board and performs annual or milestone reviews of the planning, 
programming, budgeting, and execution processes. 

Entity: DON Chief Information Officer; 
Roles and responsibilities: Ensures that the program's goals are 
achievable and executable; ensures conformance to financial management 
regulations and to DON, DOD, and federal IT policies in several areas 
(e.g., security, architecture, and investment management); and 
recommends to the Secretary of DON whether to continue, modify, or 
terminate IT programs based on their ability to meet these regulations. 

Entity: NAVSUP (Vice Commander); 
Roles and responsibilities: Serves as the milestone decision authority, 
which according to DOD, has overall responsibility for the program, to 
include approving the program to proceed through its acquisition cycle 
on the basis of, for example, the life cycle cost-and-benefits 
estimate, acquisition strategy, and acquisition program baseline. 

Entity: Navy Cash Program Office; 
Roles and responsibilities: Manages the acquisition by performing 
activities such as assessing compliance with the DOD's BEA; preparing 
cost and benefit estimates; developing and managing program 
requirements; managing program risks; ensuring the confidentiality, 
integrity, and availability of shipboard devices, applications, and 
financial data; measuring system quality; and providing infrastructure 
for installation of system hardware and software. 

Entity: Treasury, FMS; 
Roles and responsibilities: Manages and oversees the designated 
financial agent, including holding and accounting for funds distributed 
throughout the system; developing, implementing, and maintaining the 
financial software and hardware; and providing life cycle support for 
the maintenance of the financial software, hardware, and other 
services, and ensures controls are adequate to protect transactions 
processed through the designated financial agent's network and 
equipment and that these controls comply with applicable rules and 
regulations issued by regulatory and private organizations.[A] 

Entity: Change Management Approval Group; 
Roles and responsibilities: Comprised of representatives from the Navy 
Cash program office and FMS that jointly review and approve changes to 
system functionality. 

Entity: Disbursing Officer; 
Roles and responsibilities: Processes transactions from the ship to the 
appropriate DON network operations center; produces system related 
reporting on transactions for accounting purposes; distributes and 
reports lost or stolen cards; monitors and reports on negative (i.e., 
insufficient) account balances; maintains shipboard cash reserve; and 
resolves system-related issues while deployed with assistance from the 
financial agent. 

Source: GAO based on DON and FMS data. 

[A] According to FMS, the regulatory organizations include the Office 
of the Comptroller of the Currency, Federal Reserve Board, and Federal 
Deposit Insurance Corporation, and the private organizations are the 
National Automated Clearing House Association, as well as the 
corporation whose name is branded on the Navy Cash smart card. 

[End of table] 

Use of IT Management Controls Maximizes Chances for Success: 

Effective IT management controls are grounded in tried and proven 
methods, processes, techniques, and activities that organizations 
define and use to minimize program risks and maximize the chances of a 
program's success. Using such best practices can result in better 
outcomes, including cost savings, improved service and product quality, 
and a better return on investment. For example, two software 
engineering analyses of nearly 200 systems acquisitions projects 
indicate that teams using systems acquisition best practices produced 
cost savings of at least 11 percent over similar projects conducted by 
teams that did not employ the kind of rigor and discipline embedded in 
these practices.[Footnote 11] In addition, our research shows that best 
practices are a significant factor in successful acquisition outcomes, 
including increasing the likelihood that programs and projects will be 
executed within cost and schedule estimates.[Footnote 12] 

We and others have identified and promoted the use of a number of best 
practices associated with acquiring IT systems.[Footnote 13] See table 
3 for a description of several of these activities. 

Table 3: Summary of Business System Acquisition Best Practices: 

Business practice: Architectural alignment; To ensure that the 
acquisition is consistent with the organization's enterprise 
architecture; 
Description: Architectural alignment is the process for analyzing and 
verifying that the proposed architecture of the system being acquired 
is consistent with the enterprise architecture for the organization 
acquiring the system. Such alignment is needed to ensure that acquired 
systems can interoperate and are not unnecessarily duplicative of one 
another. 

Business practice: Economic justification; To ensure that system 
investments have an adequate economic justification; 
Description: Economic justification is the process for ensuring that 
acquisition decisions are based on reliable analyses of the proposed 
investment's likely costs versus benefits over its useful life as well 
as an analysis of the risks associated with actually realizing the 
acquisition's forecasted benefits for its estimated costs. Economic 
justification is not a one-time event, but rather is performed 
throughout an acquisition's life cycle in order to permit informed 
investment decision making. 

Business practice: Requirements management; To ensure that requirements 
are traceable, verifiable, and controlled; 
Description: Requirements management is the process for ensuring that 
the requirements are traceable, verifiable, and controlled. 
Traceability refers to the ability to follow a requirement from origin 
to implementation, and is critical to understanding the 
interconnections and dependencies among the individual requirements, 
and the impact when a requirement is changed. Requirements management 
begins when the solicitation's requirements are documented and ends 
when system responsibility is transferred to the support organization. 

Business practice: Risk management; To ensure that risks are identified 
and systematically mitigated; 
Description: Risk management is the process for identifying potential 
acquisition problems and taking appropriate steps to avoid their 
becoming actual problems. Risk management occurs early and continuously 
in the acquisition life cycle. 

Business practice: Security management; To protect the confidentiality, 
integrity, and availability of information and information systems; 
Description: Security management is the process for implementing 
controls to sufficiently prevent, limit, or detect access to computer 
networks, systems, or information. Security management provides for 
appropriate confidentiality, availability, and integrity of data and 
information. 

Business practice: System quality measurement; To ensure the maturity 
and stability of system products; 
Description: System quality measurement is the process for 
understanding the maturity and stability of the system products being 
developed, operated, and maintained so that problems can be identified 
and addressed early, therefore limiting their overall impact on program 
cost and schedule. One indicator of system quality is the volume and 
significance of system defect reports and change proposals. 

Source: GAO. 

[End of table] 

Prior GAO Reviews Have Identified IT Management Control Weaknesses on 
DOD Business System Investments: 

We have previously reported[Footnote 14] that DOD has not effectively 
managed a number of business system investments. Among other things, 
our reviews of individual system investments have identified weaknesses 
in such things as architectural alignment and informed investment 
decision making, which are also the focus areas of the Ronald W. Reagan 
National Defense Authorization Act for Fiscal Year 2005[Footnote 15] 
business system provisions. Our reviews have also identified weaknesses 
in other system acquisition and investment management areas--such as 
economic justification, requirements management, and risk management. 

Recently, for example, we reported that the Army's approach for 
investing about $5 billion over the next several years in its General 
Fund Enterprise Business System, Global Combat Support System-Army 
Field/Tactical,[Footnote 16] and Logistics Modernization Program did 
not include alignment with Army enterprise architecture or use of a 
portfolio-based business system investment review process.[Footnote 17] 
Moreover, we reported that the Army did not have reliable processes, 
such as an independent verification and validation function, or 
analyses, such as economic analyses, to support its management of these 
programs. We concluded that until the Army adopts a business system 
investment management approach that provides for reviewing groups of 
systems and making enterprise decisions on how these groups will 
collectively interoperate to provide a desired capability, it runs the 
risk of investing significant resources in business systems that do not 
provide the desired functionality and efficiency. Accordingly, we made 
recommendations aimed at improving the department's efforts to achieve 
total asset visibility and enhancing its efforts to improve its control 
and accountability over business system investments. The department 
agreed with our recommendations. 

We also reported that DON had not, among other things, economically 
justified its ongoing and planned investment in the Naval Tactical 
Command Support System (NTCSS)[Footnote 18] and had not invested in 
NTCSS within the context of a well-defined DOD or DON enterprise 
architecture. In addition, we reported that DON had not effectively 
performed key measurement, reporting, budgeting, and oversight 
activities, and had not adequately conducted requirements management 
and testing activities. We concluded that without this information, DON 
could not determine whether NTCSS as defined, and as being developed, 
is the right solution to meet its strategic business and technological 
needs. Accordingly, we recommended that the department develop the 
analytical basis to determine if continued investment in NTCSS 
represents prudent use of limited resources and to strengthen 
management of the program, conditional upon a decision to proceed with 
further investment in the program. The department largely agreed with 
these recommendations. 

In addition, we reported that the Army had not defined and developed 
its Transportation Coordinators' Automated Information for Movements 
System II--a joint services system with the goal of helping to manage 
the movement of forces and equipment within the United States and 
abroad--in the context of a DOD enterprise architecture.[Footnote 19] 
We also reported that the Army had not economically justified the 
program on the basis of reliable estimates of life cycle costs and 
benefits and had not effectively implemented risk management. As a 
result, we concluded that the Army did not know if its investment in 
this program, as planned, is warranted or represents a prudent use of 
limited DOD resources. Accordingly, we recommended that DOD, among 
other things, develop the analytical basis needed to determine if 
continued investment in this program, as planned, represents prudent 
use of limited defense resources. In response, the department largely 
agreed with our recommendations, and has since reduced the program's 
scope by canceling planned investments. 

Key IT Management Controls Have Not Been Effectively Implemented on 
Navy Cash: 

DOD acquisition policies and related federal guidance provide a 
framework within which to manage system investments, like Navy Cash. 
Effective implementation of this framework can minimize program risks 
and better ensure that system investments are defined in a way to 
optimally support mission operations and performance, as well as 
deliver promised system capabilities and benefits on time and within 
budget. Thus far, key IT management controls associated with this 
framework have not been implemented on Navy Cash. In particular, the 
program's overlap with and duplication of other DOD programs has not 
been assessed, and the program has not been economically justified on 
the basis of reliable estimates of life cycle costs and benefits. As a 
result, the program, as defined, has not been shown to be the most cost-
effective investment option. 

Even if investment in the proposed Navy Cash solution is shown to be a 
wise and prudent course of action, the manner in which Navy Cash is 
being acquired and deployed is not adequate because (1) requirements 
have not been adequately developed and managed; (2) program risks have 
not been effectively managed; (3) security has not been effectively 
managed; and (4) system quality has not been adequately measured. As a 
result, the system will likely experience performance shortfalls and 
cost more and take longer to implement and maintain than necessary. 

Program officials acknowledged these weaknesses and attributed them to, 
among other things, turnover of staff in key positions and their focus 
on deploying the system. Further, they stated that addressing these 
weaknesses has not been a top program priority because Navy Cash has 
been deployed to and is operating on about 80 percent of the ships. 
Nevertheless, about $60 million in development and modernization 
funding remains to be spent on this program. As a result, it is 
important that all these weaknesses be addressed to reduce the risk of 
delivering a system solution that falls short of expectations. 

Key Controls for Justifying Planned Investment in Navy Cash Have Not 
Been Effectively Implemented: 

Investment in the proposed Navy Cash solution has not been adequately 
justified. Specifically, the system solution has not been assessed 
relative to other DOD programs that employ smart cards for electronic 
retail transactions. Moreover, it has not been economically justified 
on the basis of reliable estimates of cost and benefits over the 
system's expected life. As a result, planned investment in the system, 
as defined, may not be a cost-effective course of action. 

Navy Cash Duplication with Other DOD Programs Has Not Been Assessed: 

DOD's acquisition policies and guidance,[Footnote 20] as well as 
federal and best practice guidance,[Footnote 21] recognize the 
importance of investing in business systems within the context of an 
enterprise architecture.[Footnote 22] Moreover, the Ronald W. Reagan 
National Defense Authorization Act for Fiscal Year 2005[Footnote 23] 
requires that defense business systems be compliant with the federated 
BEA.[Footnote 24] Our research and experience in reviewing federal 
agencies show that making investments without the context of a 
well-defined enterprise architecture often results in systems that are, 
among other things, duplicative of other systems.[Footnote 25] 

Navy Cash has not been assessed and defined in a way to ensure that it 
is not duplicative of the Eagle Cash and EZpay programs, both of which 
provide for the use of smart card technology for electronic retail 
transactions in support of the Air Force and the Army.[Footnote 26] 
Within DOD, the means for avoiding business system duplication and 
overlap is the department's process for assessing compliance with the 
DOD BEA and its associated investment review and decision making 
processes. In 2005, 2006, and 2007, Navy Cash was evaluated for 
compliance with the BEA. However, the BEA does not contain business 
activities[Footnote 27] that Navy Cash supports. According to officials 
from DOD's Business Transformation Agency, which is responsible for 
DOD's BEA, these business activities are not included nor are they 
planned for inclusion in the BEA, because the capabilities provided by 
Navy Cash relate strictly to personal banking, which is outside of the 
current scope of the BEA. As a result, compliance could not be assessed 
beyond concluding that Navy Cash was compliant because it did not 
conflict with the BEA. Moreover, even if the BEA included the business 
activities that Navy Cash supports, the program's ability to assess BEA 
compliance would have been limited because the program office did not 
develop a complete set of system-level architecture products needed to 
perform a meaningful compliance assessment. Thus, Navy Cash's potential 
overlap and duplication with similar programs is not sufficiently 
understood. 

According to program officials, Navy Cash is not duplicative of Eagle 
Cash and EZpay because it is designed to operate on ships at sea, which 
do not maintain constant network connectivity with on shore networks. 
Therefore, they said that it requires different communications and 
financial transaction capabilities than the other two stored value card 
programs. We agree that there are important differences between the 
programs. However, they all perform chip-based financial transactions, 
and thus opportunities may exist for them to provide or reuse shared 
system services, as well as to merge into a DOD-wide stored value card 
program. According to program officials, overlap and duplication among 
the programs was not assessed. This means that aspects of Navy Cash 
could be potentially duplicative of these other programs, and thus DOD 
may not be pursuing the most cost-effective solution to meet its 
mission needs. In this regard, the program's Milestone Decision 
Authority told us that the differences between Navy Cash and other 
stored value card programs are minimal and stated that officials with 
the three stored value card programs have recently begun discussions 
with FMS on how to collaborate and possibly move towards one system 
solution. 

Navy Cash Has Not Been Economically Justified: 

Investment in Navy Cash has not been economically justified on the 
basis of a reliable analysis of estimated system costs and expected 
benefits over the life of the program. Specifically, according to the 
latest economic analysis, the program is expected to produce estimated 
benefits of about $133 million for an estimated cost of about $100 
million. However, the cost estimate is not reliable, because the 
program's 2002 economic analysis is 6 years old and is based on a cost 
estimate of about $100 million that was not derived in accordance with 
effective estimating practices, such as including all costs over the 
system's life cycle, and adjusting the estimate to account for program 
risks and material program changes. Further, this economic analysis did 
not comply with applicable federal guidance.[Footnote 28] For example, 
it did not adequately consider all relevant alternatives, and it 
erroneously counted $40 million as cost savings rather than 
transfers[Footnote 29] (i.e., shifts of control over spending of 
resources from one group to another that do not result in an economic 
gain). Further, 
the economic analysis has yet to be validated using actual data on the 
accrual of benefits. Without an economic analysis that is reliable, 
DON's ongoing and planned investment in Navy Cash lacks justification 
as a cost-effective course of action. 

Economic Analysis Used a Cost Estimate That Omits Relevant Costs and 
Was Not Derived Using Key Estimating Practices: 

A reliable cost estimate is an essential element for informed 
investment decision making, realistic budget formulation and program 
resourcing, meaningful progress measurement, proactive course 
correction, and accountability for results. According to the Office of 
Management and Budget (OMB),[Footnote 30] programs must maintain 
current and well-documented estimates of program costs, and these 
estimates must span the full expected life of the program. Without 
reliable estimates, programs cannot be adequately justified on the 
basis of reliable costs and benefits and they are at increased risk of 
experiencing cost overruns, missed deadlines, and performance 
shortfalls. 

Our research has identified a number of best practices for effective 
program cost estimating, and we have issued guidance that associates 
these practices with four characteristics of a reliable cost estimate. 
[Footnote 31] Specifically, estimates need to be: 

* Comprehensive: The cost estimates should include both government and 
financial agent costs over the program's full life cycle, from the 
inception of the program through design, development, deployment, and 
operation and maintenance to retirement. They should also provide a 
level of detail appropriate to ensure that cost elements are neither 
omitted nor double counted, and include documentation of all 
cost-influencing ground rules and assumptions. 

* Well-documented: The cost estimates should have clearly defined 
purposes, and be supported by documented descriptions of key program or 
system characteristics (e.g., relationships with other systems, 
performance parameters). Additionally, they should capture in writing 
such things as the source data used and their significance, the 
calculations performed and their results, and the rationale for 
choosing a particular estimating method or reference. Moreover, this 
information should be captured in such a way that the data used to 
derive the estimate can be traced back to, and verified against, their 
sources. 

* Accurate: The cost estimates should provide for results that are 
unbiased and not be overly conservative or optimistic (i.e., should 
represent the most likely costs). In addition, the estimates should be 
updated regularly to reflect material changes in the program, and steps 
should be taken to minimize mathematical mistakes and their 
significance. The estimates should also be grounded in a historical 
record of cost estimating and actual experiences on comparable 
programs. 

* Credible: The cost estimates should discuss any limitations in the 
analysis performed that are due to uncertainty or biases surrounding 
data or assumptions. Further, the estimates' derivation should provide 
for varying any major assumptions and recalculating outcomes based on 
sensitivity analyses, and the estimates' associated risks and inherent 
uncertainty should be disclosed. Also, the estimates should be verified 
based on cross-checks using other estimating methods. 

The $100 million life cycle cost estimate, as documented in the 
program's 6-year-old economic analysis, does not reflect many of the 
practices associated with a reliable cost estimate, including several 
practices related to being comprehensive and well documented, and all 
related to being accurate and credible (see table 4). 

Table 4: Summary of Cost-Estimating Characteristics That the Cost 
Estimate Satisfies: 

Characteristic of reliable estimates: Comprehensive; 
Satisfied?[A]: Partially. 

Characteristic of reliable estimates: Well-documented; 
Satisfied?[A]: Partially. 

Characteristic of reliable estimates: Accurate; 
Satisfied?[A]: No. 

Characteristic of reliable estimates: Credible; 
Satisfied?[A]: No. 

Source: GAO analysis of DON data. 

[A] "Yes" means that the program office provided documentation 
demonstrating satisfaction of the criterion. "Partially" means that the 
program office provided documentation demonstrating satisfaction of 
part of the criterion. "No" means that the program office has yet to 
provide documentation demonstrating satisfaction of the criterion. 

[End of table] 

The cost estimate of about $100 million, as documented in the program's 
2002 economic analysis, does not meet all of the practices related to 
being comprehensive. Specifically, it only includes costs from fiscal 
years 2003 through 2008 (6-year period), and it does not include both 
the government and financial agent costs associated with development, 
acquisition (non-development), implementation, and operations and 
support over the system's life cycle. Moreover, it does not include 
FMS's portion of the program's cost, which is estimated to be about 
$100 million over a 14-year period. In addition, the cost estimate does 
not clearly describe how the various cost sub-elements are aggregated 
to produce the amounts associated with the two documented cost 
categories: system installation costs and operations and maintenance 
costs. Therefore, it is not clear that all pertinent costs are included 
and no costs are double counted. Lastly, although some key assumptions 
have been identified, such as the ship implementation schedule, other 
key assumptions, such as labor rates and inflation rates, are not. As a 
result, the estimate cannot be considered comprehensive. 

The cost estimate used in the economic analysis also addresses some, 
but not all, of the practices related to being well-documented. 
Specifically, the purpose of the cost estimate was clearly defined and 
a technical baseline has been documented that includes, among other 
things, the hardware and software specifications and planned 
performance parameters. However, the calculations used to derive the 
cost estimate, including descriptions of the methodologies used and 
traceability back to source data (e.g., vendor quotes, salary data), 
are not documented. In addition, while program officials described the 
estimating approach used, such as using market research and historical 
data to determine the costs associated with hardware, software, and 
installations, they did not have documentation of the methodology used 
to arrive at the total costs of each of these elements and how they 
were combined to produce the overall cost estimate. Therefore, the 
program's cost estimate cannot be considered well-documented. 

In addition, the $100 million documented cost estimate lacks accuracy 
because it does not reflect an assessment of the costs most likely to 
be incurred. Specifically, this estimate covers only 6 years of costs 
(fiscal years 2003 through 2008). In contrast, the program's current 
cost estimate is about $320 million over a 14-year life cycle, and 
according to program officials, the program's life cycle is being 
reexamined and will likely be extended. 

Lastly, the $100 million cost estimate is not credible because a 
complete uncertainty analysis (i.e., both a sensitivity analysis and a 
Monte Carlo simulation[Footnote 32]) was not performed on this 
estimate. A sensitivity analysis reveals how the cost estimate is 
affected by a change in a single assumption or cost driver, such as the 
ship installation schedule, while holding all other parameters 
constant. A Monte Carlo simulation assesses the aggregate variability 
of the cost estimate to determine a confidence range around the 
estimate. Without such analyses of uncertainty, the program office 
cannot have confidence that the program can be completed within the 
cost estimate. 

Program officials acknowledged the limitations in the estimate, and 
attributed them to turnover of staff and their current focus on 
deploying the system. Nevertheless, program officials stated that they 
intend to develop a revised cost estimate when they update the 
program's economic analysis, but they had yet to establish a date for 
accomplishing this. Given that a significant amount of development and 
modernization funding remains to be invested on the program, it is 
important that the program office economically justify such investment. 

Economic Analysis Does Not Satisfy Other Relevant Guidance: 

According to OMB,[Footnote 33] economic analyses should meet certain 
criteria to be considered reasonable, such as comparing alternatives on 
the basis of net present value and conducting an uncertainty analysis 
of benefits. 

The program's December 2002 economic analysis meets one, does not meet 
four, and partially meets two of the seven OMB criteria governing how 
to perform such analyses. For example, while the analysis explained why 
the investment is needed, it did not consider the costs and benefits 
associated with at least three alternatives to the status quo, such as 
Eagle Cash, EZpay, or some derivative that provided for reuse of shared 
services among the programs. Moreover, at least three alternatives to 
the status quo were not assessed on the basis of net present value, 
using the proper discount rate to account for inflation. Instead, the 
analysis only qualitatively evaluated Navy Cash against its predecessor 
systems. For example, the analysis included evaluation of the 
capabilities and limitations of the predecessor systems, but did not 
include evaluating the relative cost and benefits of any alternatives 
to Navy Cash. 

In addition, the program's benefit projections erroneously counted 
about $40 million in cost transfers as cost savings, thus overstating 
projected benefits (i.e., projected benefits should only be $93 
million). Transfers represent shifts of control over the spending of 
resources from one group to another and thus do not result in an 
economic gain. According to OMB guidance, transfers do not produce 
economic gains because the benefits to those government entities that 
receive such a transfer are the same as the costs borne by those 
government entities that provide the transfer.[Footnote 34] Moreover, 
no uncertainty analysis was performed on the benefit estimates. (See 
table 5 for the results of our analyses relative to each of the seven 
criteria.) 

Table 5: Satisfaction of OMB Economic Analysis Criteria: 

Criteria: The cost-benefit analysis should clearly explain why the 
investment was needed; 
Explanation: The analysis should clearly explain the reason why the 
status quo is unacceptable; 
Satisfied?[A]: Yes; 
GAO analysis: The economic analysis explained why the status quo was 
not viable. 

Criteria: At least three alternatives to the status quo should be 
considered; 
Explanation: At least three meaningful alternatives to the status quo 
should be examined to help ensure that the alternative chosen was not 
preselected; 
Satisfied?[A]: No; 
GAO analysis: Only one meaningful alternative to the status quo (i.e., 
Navy Cash) was considered. In addition, the predecessor systems were 
not examined on the basis of their cost and benefits. Rather, they were 
examined only in terms of their functional characteristics. 

Criteria: The general rationale for the cost-benefit analysis, 
including at least three alternatives, should be discussed; 
Explanation: The general rationale for the cost-benefit analysis, 
including at least three alternatives that are being considered, should 
be discussed to enable reviewers of the analysis to understand the 
context for the alternative selected; 
Satisfied?[A]: Partially; 
GAO analysis: The general rationale for the cost-benefit analysis was 
discussed, but it did not include the rationale for at least three 
alternatives. 

Criteria: The quality of the benefits to be realized from each 
alternative should be reasonable; 
Explanation: The quality of the benefit estimate for each alternative 
should be complete and reasonable for a net present value to be 
calculable and accurate; 
Satisfied?[A]: No; 
GAO analysis: The benefits estimate was not reasonable in that it 
included $40 million of transfers. 

Criteria: At least three alternatives should be compared on the basis 
of net present value; 
Explanation: The net present value should be calculated because it 
consistently allows for the selection of the alternative with the 
greatest benefit net of cost; 
Satisfied?[A]: Partially; 
GAO analysis: An estimate of the present value of cost savings or 
avoidances net of costs was computed for Navy Cash, but at least three 
alternatives were not compared on the basis of net present value. 

Criteria: The proper discount rate for calculating each alternative's 
net present value should be used; 
Explanation: OMB provides specific guidance on the choice of discount 
rate for evaluating projects whose benefits and costs will be 
distributed over time; 
Satisfied?[A]: No; 
GAO analysis: The proper discount rate was not used for calculating net 
present value. Specifically, a discount rate of 4.65 percent should 
have been used instead of the 2 percent discount rate used by the 
program. 

Criteria: A complete uncertainty analysis of the benefits should be 
included; 
Explanation: Estimates of benefits are typically uncertain because of 
imprecision in both underlying data and modeling assumptions. Because 
such uncertainty is basic to virtually any cost-benefit analysis, its 
effects should be analyzed and reported; 
Satisfied?[A]: No; 
GAO analysis: An uncertainty analysis of the program's estimated 
benefits was not included. 

Source: OMB guidance and GAO analysis of DON data. 

[A] "Yes" means that the program office provided documentation 
demonstrating satisfaction of the criterion. "Partially" means that the 
program office provided documentation demonstrating satisfaction of 
part of the criterion. "No" means that the program office has yet to 
provide documentation demonstrating satisfaction of the criterion. 

[End of table] 

Program officials stated that they do not know why the economic 
analysis was not developed in accordance with OMB guidance. They also 
stated that they intend to update the economic analysis and, in doing 
so, intend to address OMB guidance. However, they did not have a date 
for accomplishing this because their priority is deploying the system. 

Actual Accrual of Estimated Benefits Has Not Been Validated: 

The Clinger-Cohen Act of 1996 and OMB guidance[Footnote 35] emphasize 
the need to develop information to ensure that IT investments are 
actually contributing to tangible, observable improvements in mission 
performance. DOD guidance[Footnote 36] also states that estimated 
benefits should be validated to ensure that desired outcomes are being 
achieved. To this end, agencies should define and collect metrics to 
determine whether expected benefits from a given investment are being 
accrued, and they should modify subsequent economic analyses to reflect 
the lessons learned. 

Despite the fact that Navy Cash has been installed and is operating on 
approximately 130 ships, DON has yet to determine whether the system is 
actually producing expected benefits. For example, the 2002 economic 
analysis stated that Navy Cash would reduce cash on ships, and 
contribute to man-hour savings as a result of increased productivity. 
It also stated that it would improve quality-of-life for sailors and 
marines. While DON has measured the reduction in the cash onboard some 
ships where Navy Cash is operating, this reduction represents a 
transfer and is not an actual benefit. Moreover, the extent to which 
the system is achieving expected man-hour savings, which would 
constitute a true benefit, has not been measured. Lastly, customer 
(sailor and marine) satisfaction with the system, which is a legitimate 
qualitative benefit, has not been determined since a prototype of Navy 
Cash was installed on two ships in 2001. 

Program officials stated that DON's Manpower Analysis Center[Footnote 
37] is responsible for measuring man-hour savings. Further, they said 
that customer satisfaction with the system was being measured through 
informal feedback from the sailors and marines, and they recently began 
a more formal customer satisfaction survey. They also stated that in 
updating the economic analysis, they plan to assess and reflect the 
accrual of actual benefits. However, they had not established a date 
for accomplishing this. 

Key Controls for Ensuring That Defined Navy Cash Capabilities Are 
Delivered on Time and Within Budget Have Not Been Effectively 
Implemented: 

DOD policy and related guidance recognize the importance of 
implementing a range of management controls associated with ensuring 
that IT investments are defined, developed, deployed, and operated 
efficiently and effectively.[Footnote 38] Implementing these controls 
increases the chances of delivering systems that perform as intended 
and that do not cost more or take longer than necessary. 
These controls include requirements development and management, risk 
management, security management, and system quality measurement. For 
Navy Cash, none of these controls have been effectively implemented. 
Specifically, 

* program requirements have not been adequately developed and managed; 

* program risks have not been effectively managed; 

* security has not been adequately managed; and 

* data needed to measure two aspects of system quality--trends in 
unresolved change requests and evaluation of user satisfaction with the 
system--have not been collected and used. 

As a result, Navy Cash is unlikely to perform in a manner that meets 
user and operational needs, and it is likely to cost more and take 
longer than necessary. 

Navy Cash Requirements Have Not Been Adequately Developed and Managed: 

Well-defined and managed requirements are recognized by DOD guidance 
and relevant best practices as essential, and can be viewed as a 
cornerstone of effective system acquisition.[Footnote 39] Effective 
requirements development and management includes (1) developing 
detailed system requirements; (2) establishing policies and plans for 
managing changes to requirements, including defining roles and 
responsibilities, and identifying how the integrity of a baseline set 
of requirements will be maintained; and (3) maintaining bi-directional 
requirements traceability, meaning that system-level requirements can 
be traced both backward to higher level business or operational 
requirements, and forward to system design specifications and test 
plans. 

The program office has not satisfied these three aspects of effective 
requirements development and management. Specifically: 

* The program office has not developed system-level requirements for 
Navy Cash. System-level requirements are derived from higher-level 
operational requirements and are specified at a level of detail needed 
for system developers to design and build to. Without system 
requirements, the ability of the program office to understand the 
impact of any system change requests (i.e., cost, schedule, and 
performance) and thus make informed decisions about such changes, is 
limited. For example, although the program office identified a 
high-level requirement for the system to share information with the Retail 
Operations Management system used in ships' store operations, the 
associated system-level requirements were not defined. As a result, the 
deployed version of the system was not designed and developed to 
provide this interface. The requirement for this interface was later 
realized after a number of system and operational problems surfaced. 
Addressing these problems through a series of changes required 
additional time and funding. Program officials acknowledged that more 
effective requirements development and management practices could have 
avoided these problems. As another example, a system requirement for 
automatically deploying software patches to operational systems was not 
defined. Had this requirement been defined, the system design could 
have provided for developing a capability to minimize the level of 
effort required to identify, distribute, and install patches. Instead, 
a less efficient and labor-intensive manual process has been used. 

* The program office does not have a policy or plans for managing 
requirements. Such policies and plans establish organizational roles 
and responsibilities for managing requirements, including maintaining 
and controlling modifications or changes to the baseline sets of 
requirements, establishing priorities among competing requests for 
changes, and assessing the impact on cost, schedule, and performance of 
each change. In lieu of a policy or plans, the program office has 
established an ad hoc change control process, whereby change proposals 
are approved or disapproved by a joint DON and FMS change control board 
based on a change management policy that was drafted in 2003. However, 
this policy was never finalized or approved and does not define roles 
and responsibilities or how requirements will be managed. Further, the 
board has not been chartered. Moreover, program officials told us that 
the board's decisions are made primarily on the basis of consensus 
about the need for the change and the availability of funds. 

* Other than security requirements, Navy Cash requirements cannot be 
traced from the higher level business or operational requirements to 
system design specifications and test plans. Specifically, we attempted 
to trace a sample of Navy Cash system-level requirements backward to 
high-level requirements and forward to design documents and test plans 
and results. However, as noted above, no system-level requirements 
exist. Without this link in the requirements traceability chain, 
traceability could not be demonstrated. Having requirements 
traceability is essential for ensuring that developed and deployed 
system products satisfy operational needs and user expectations. In the 
case of Navy Cash, where system capabilities are reactive to change 
requests rather than proactively driven by requirements, such 
traceability is also essential to understanding the impact to the 
system of each change request and thus having an informed basis for 
approving and prioritizing any changes. 

Program officials acknowledged these weaknesses and recently stated 
that they intend to address them. To accomplish this, they reported 
that they have hired a new employee who is to be trained in 
requirements development and management, and who is to develop a 
requirements management plan. 

Until the program office employs fundamental requirements development 
and management practices, it cannot reliably estimate the program costs 
and develop schedules needed to accomplish the work associated with 
delivering predetermined and economically justified system 
capabilities. The result is an inability to develop and measure 
performance against meaningful cost, schedule, and capability 
baselines, and thereby reasonably ensure that the program is meeting 
expectations and those responsible for it are accountable for results. 

Navy Cash's Risks Have Not Been Effectively Managed: 

Proactively managing program risks is a key acquisition management 
control that, if done properly, can increase the chances of programs 
delivering promised capabilities and benefits on time and within 
budget. For Navy Cash, program risks have not been effectively managed. 
Rather, the program office has reacted to the realization of actual 
problems. In particular, plans, processes, and procedures are not in 
place that provide for identifying, controlling, and disclosing risks, 
and risk management roles and responsibilities have not been assigned 
to key stakeholders. As a result, the program office is not positioned 
to proactively avoid the occurrence of cost, schedule, and performance 
problems. 

DOD and related guidance[Footnote 40] recognize the importance of 
performing effective risk management on programs like Navy Cash. Among 
other things, effective risk management includes: (1) establishing and 
implementing a written plan and defined process for risk 
identification, analysis, and mitigation; (2) assigning responsibility 
for managing risks to key stakeholders; (3) encouraging program-wide 
participation in risk management; and (4) examining the status of 
identified risks during program milestone reviews. 

The program office has not fully satisfied any of the above cited risk 
management practices. For example: 

* A written plan or defined process that provides for identifying, 
analyzing, and mitigating risks has not been established. In the 
absence of a plan and process, program officials stated that risks are 
informally addressed during bi-monthly program management reviews that 
involve key stakeholders, including the program office, FMS, and the 
financial agent. However, our analysis of minutes of these reviews 
indicates that they are more focused on reacting to the consequences of 
actual problems, rather than proactively attempting to avoid the 
occurrence of potential problems. 

* While program officials stated that responsibility for managing risks 
rests with the program manager, roles and responsibilities for managing 
and identifying risks have not been documented for any key 
stakeholders, including individuals in the program office, and with FMS 
and the financial agent. Without clearly documenting their roles and 
responsibilities, proactive identification, disclosure, and mitigation 
of all key risks is unlikely to occur, and program approval and 
decision making authorities will not be adequately informed. 

* While program officials stated that attending and participating in 
program management reviews is encouraged, we have yet to receive any 
verifiable evidence that risks are addressed in these reviews or that 
involvement in risk management is encouraged. 

* Program officials have yet to provide any verifiable evidence that 
program decision making and oversight authorities have been apprised of 
the status of identified risks. 

Program officials acknowledged the above weaknesses and attributed them 
to staff turnover in key positions and their focus on deploying the 
system rather than establishing management processes and procedures. 
Nevertheless, program officials stated that they intend to develop a 
risk plan and process, but said that this would not occur until 
December 2008. Given that a significant amount of development and 
modernization investment remains, it is important that mitigating 
existing risks, including those discussed in this report, as well as 
future risks be treated as a program priority. 

Navy Cash Security Management Has Not Been Effectively Implemented: 

A number of Navy Cash security management weaknesses exist. 
Specifically, the program office has not (1) fully implemented a 
comprehensive patch management process; (2) followed an adequate 
process for planning, implementing, evaluating, and documenting 
remedial actions for known information security weaknesses; (3) 
obtained adequate assurance that FMS has effective security controls in 
place to protect Navy Cash applications and data; and (4) developed an 
adequate contingency plan and conducted effective contingency plan 
testing. Program officials acknowledged these weaknesses but have yet 
to provide us with plans for addressing them. As a result, the 
confidentiality, integrity, and availability of deployed and operating 
Navy Cash shipboard devices, applications, and financial data are at 
increased risk of being compromised. 

Patch Management Has Not Been Fully Implemented: 

DOD guidance[Footnote 41] states that component organizations should 
develop a process for patching system vulnerabilities. Further, 
National Institute of Standards and Technology (NIST) guidance[Footnote 
42] recognizes the importance of implementing comprehensive patch 
management that includes, among other things, (1) having a complete 
inventory of system hardware and software assets, (2) automatically 
deploying vulnerability patches, and (3) measuring patch management 
performance. 

Although the program office performs patch management for Navy Cash, 
key practices have not been fully implemented. Specifically, 

* A complete inventory of system assets does not exist. According to 
NIST, a system inventory enables organizations to monitor system 
hardware and software assets for the presence of all threats, 
vulnerabilities, and patches. While the financial agent maintains a 
Navy Cash asset database for the 128 ships on which the system is 
operating, this database is missing 3 hardware inventories and 19 
software inventories. According to program officials, the financial 
agent's database is incomplete because it was created from purchase 
orders after the system was in operation. Furthermore, although the 
program office maintains hardware inventories for each ship in a DON 
configuration management database, the office does not maintain 
inventories of Navy Cash software. Until the program office develops a 
complete inventory of Navy Cash system assets, it will not be able to 
identify and patch all system threats and vulnerabilities. 

* Vulnerability patches are not deployed in an automated or timely 
manner. According to NIST guidance, deploying patches automatically 
minimizes the level of effort and time required to identify, 
distribute, and install patches. However, patches are currently 
deployed manually for Navy Cash when ships are in port for maintenance. 
As a result, the risk of vulnerabilities being exploited before ships 
return to port is increased. Although the program office plans to 
introduce the capability to automatically deploy patches as part of the 
next software release in the first quarter of fiscal year 2009, program 
officials said that it will take between 18 and 24 months to roll out 
this capability to the entire fleet. Program officials also stated that 
they do not know why this capability was not part of the original 
system requirements and design. Until the program office begins 
automatically deploying patches, Navy Cash assets and data will be 
exposed to increased risk. 

* The performance of patch management is not being measured. NIST 
guidance recommends consistent measurement of the effectiveness of 
patch management through the use of metrics, such as susceptibility to 
attack and mitigation response time. Although program officials stated 
that they maintain patch management metrics, they have yet to provide 
us with a description of the metrics or an explanation of how they are 
used. Until the program office develops and uses performance metrics, 
it will not be able to assess and improve the effectiveness of its 
patch management effort. 

To strengthen its patch management efforts, the program office has 
developed a vulnerability management guide. However, this guide has not 
been finalized and approved, and according to program officials, it 
does not follow NIST patch management guidance. Without comprehensive 
patch management, increased risk exists that system vulnerabilities 
could be exploited. 

Remedial Action Plans Have Not Been Documented: 

The Federal Information Security Management Act (FISMA)[Footnote 43] 
requires that agencies' information security programs include a 
process for planning, implementing, evaluating, and documenting 
remedial actions to address any deficiencies in the information 
security policies, procedures, and practices of the agency. OMB has 
outlined steps for documenting remedial actions--referred to by OMB as 
a plan of action and milestones--for systems where IT security 
weaknesses have been identified. Additionally, NIST guidance[Footnote 
44] states that a plan of action and milestones should be included in a 
system's accreditation package and describe how the information system 
owner intends to address those vulnerabilities by reducing, 
eliminating, or accepting the identified vulnerabilities. 

Since the system was accredited in November 2006, the program office 
has not developed any plans of action and milestones, even though 
medium and low information security risks were identified during 
security test and evaluation efforts supporting the certification and 
accreditation. According to program officials, the risks were accepted 
by the designated approving authority, rather than corrected, because 
they involve features that are necessary for the system to operate, 
such as having certain hardware interfaces and access permissions. 
While accepting rather than correcting such weaknesses is consistent 
with DON guidance[Footnote 45] for developing plans of action and 
milestones, it is not consistent with NIST guidance. Specifically, DON 
guidance states that these plans are only required for accreditation 
decisions that are conditional upon corrective actions being taken. 
However, NIST guidance specifies that the development of a plan of 
action and milestones should include instances where risk is being 
accepted. 

The lack of plans of action and milestones means that the program 
office has not adequately addressed information security risks. 
Moreover, the limitations in DON guidance mean that other Navy programs 
may not have done so as well. Until the program office fully implements 
a remedial action process that meets the FISMA requirements and OMB and 
NIST guidance, program management and oversight officials will not have 
sufficient assurance that all security weaknesses are being reported 
and tracked, and that options for addressing them are fully considered. 

Information Security Requirements Have Not Been Fully Defined: 

FISMA requires each federal agency to develop, document, and implement 
an agencywide information security program to provide information 
security for the information and information systems that support the 
operations and assets of the agency, including those provided or 
managed by another agency, contractor, or other source. Among other 
things, this includes testing system management, operational, and 
technical security controls. Although the program office has partnered 
with FMS to develop and support the operation of Navy Cash, it is 
ultimately responsible for ensuring the security of Navy Cash systems 
and data. 

The program office has not taken adequate steps to ensure that security 
controls are tested. Specifically, the memorandum of agreement between 
the program office and FMS does not establish requirements for FMS and 
the financial agent to perform periodic information security control 
reviews, including reviews of applicable management, operational, and 
technical controls, or to provide DON with copies of information 
security control reviews that are performed on the Navy Cash system and 
its supporting infrastructure. This is important because FMS--through 
its financial agent[Footnote 46]--provides services that support Navy 
Cash that must be secure, such as holding and accounting for funds 
distributed throughout the system and processing transactions. Although 
FMS has performed some management and operational control tests, such 
as periodic personnel and physical security assessments of selected 
commercial facilities that provide services and support to Navy Cash, 
these assessments were not designed to evaluate the technical controls 
of the system's computing environment because the memorandum of 
agreement does not include such requirements. 

Until the program office and FMS establish information security 
requirements for overseeing the financial agent's technical information 
security controls, an increased risk exists that the confidentiality, 
integrity, and availability of information stored, transmitted, and 
processed by the financial agent can be compromised. 

Contingency Plan Is Missing Key Elements: 

OMB guidance[Footnote 47] requires agencies to develop contingency 
plans and to test those plans at least annually. NIST guidance states 
that contingency plans should include a sequence of recovery 
activities, which describe system priorities based on business impact, 
and notification procedures, which describe the methods used to notify 
personnel with recovery responsibilities.[Footnote 48] In addition, 
according to NIST, contingency plan tests should include explicit test 
objectives and success criteria for each planned activity and related 
procedure and documentation of lessons learned. 

Although the program office has developed contingency plans for Navy 
Cash, it did not identify the sequence of recovery activities and 
notification procedures for recovery personnel in them. The sequence of 
activities should prioritize the recovery of system components by 
criticality and the notification procedures should describe the methods 
used to notify recovery personnel during business and non-business 
hours. Until the program office includes these areas in the contingency 
plans, it cannot ensure that system components will be restored in a 
logical manner and that ship recovery personnel will be notified 
promptly when a system disruption is detected. In addition, while the 
program office has largely included explicit test objectives and 
success criteria in all the test procedures, it did not document the 
lessons learned. According to NIST, lessons learned can improve 
contingency plan effectiveness and should be incorporated into the 
plan. According to program officials, NIST guidance was not used for 
developing and conducting tests of the contingency plan. Without 
lessons learned, 
the program office will not be able to properly maintain and improve 
the contingency planning guide. 

Until DON develops sufficient contingency plans and testing procedures, 
increased risk exists that Navy Cash systems, data, and operations will 
not be able to fully recover from a disruption or disaster. 

Navy Cash Quality Measures Are Not Being Collected: 

Effective management of programs like Navy Cash depends in part on the 
ability to measure the quality of the system being acquired and 
operated.[Footnote 49] One measure of system quality is the trend in 
the number of unaddressed, high-priority system change requests. 

Sufficient data to measure trends in open (i.e., unresolved) system 
change requests, which is a recognized indicator of a system's 
stability and quality, are not being collected. To the program's credit, 
it has formed a group consisting of program office, FMS, and financial 
agent representatives to review and decide whether to approve requests 
for changes to the system. However, this group is not consistently 
collecting data as to when a change request is opened or closed and 
what the priority level of each change request is. Thus, it does not 
know at any given time, for example, how many change requests are 
pending, the significance of pending change requests, and the age of 
these change requests. Program officials acknowledged these weaknesses 
but stated that their focus has been on deploying the system. This 
means that the program office cannot know and disclose to DOD decision 
makers whether the system's stability and maturity are moving in the 
right direction. 

In addition, the program office has not consistently collected data on 
user and operator satisfaction with the system. Specifically, the 
program office conducted two surveys in the last 6 years--a user 
satisfaction survey and a shipboard merchant satisfaction survey--but 
neither of these surveys is meaningful. More specifically, the user 
satisfaction survey was done in 2002 and thus is dated; and it covered 
only two ships and a prototype version of Navy Cash and thus its scope 
is limited. In addition, neither survey produced a response rate that 
can be generalized and projected (about 50 percent and 20 percent for 
the two ships in the user survey, and about 30 percent for the merchant 
survey). 

Program officials stated that they have relied on informal user 
feedback from disbursing officers, who have indicated overall 
satisfaction with the system. Nevertheless, they said that a survey of 
users and operators is being planned and expected to be completed by 
the fall of 2008. Without meaningful data about Navy Cash's stability 
and the satisfaction of those who use it, it is not clear Navy Cash is 
a quality system. 

Conclusions: 

Navy Cash's potential duplication of other DOD programs that perform 
similar functions, combined with its lack of meaningful economic 
justification, together mean that the department does not have an 
adequate basis for knowing whether Navy Cash, as defined, is the most 
cost-effective solution to meeting its strategic business and 
technological needs. Because such a basis is absolutely fundamental to 
informed investment decision making, a compelling case exists for the 
department to reevaluate current plans for investing almost $60 million 
of additional modernization funding to further develop the system. 

Even if reevaluation supports current or modified investment plans, the 
manner in which the program is being executed remains a source of 
considerable cost, schedule, and performance risk. In particular, 
without employing fundamental requirements development and management 
practices, the department cannot reliably estimate program costs and 
develop schedules needed to accomplish the work associated with 
delivering predetermined and economically justified system 
capabilities. In addition, without effective risk management, the 
department is not positioned to proactively avoid the occurrence of 
cost, schedule, and performance problems. Furthermore, the lack of 
adequate security management puts the confidentiality, integrity, and 
availability of deployed and operating Navy Cash shipboard devices, 
applications, and financial data at increased risk of being 
compromised. Moreover, without meaningful data about Navy Cash's 
stability and the satisfaction of those who use it, it is not clear 
that Navy Cash is a quality system. 

To overcome each of these weaknesses, it is important to not only 
acknowledge them, which the program office has done, but to also treat 
them as program priorities, including developing and implementing plans 
for addressing them, which the program office has largely not done. 

Recommendations: 

Because of the uncertainty surrounding whether Navy Cash, as defined, 
represents a cost-effective solution, we recommend that the Secretary 
of Defense direct the Secretary of the Navy to limit further investment 
of modernization funding in the program to only (1) deployment to 
remaining ships of already developed and tested capabilities; (2) 
correction of information security vulnerabilities and weaknesses on 
ships where it is deployed and operating; and (3) development of the 
basis for an informed decision as to whether further development and 
modernization is economically justified and in the department's 
collective best interests. 

To develop the basis for an informed decision about further Navy Cash 
development, we further recommend that the Secretary of Defense direct 
the appropriate DOD organizations to (1) examine the relationships 
among DOD's programs for delivering military personnel with smart card 
technology for electronic retail and banking transactions; (2) 
identify, in coordination with the respective program offices, 
alternatives for optimizing the relationships of these programs in a 
way that minimizes areas of duplication, maximizes reuse of shared 
services across the programs, and considers opportunities for a 
consolidated stored value card program across the military services; 
and (3) share the results with the appropriate organizations for use in 
making an informed decision about planned investment in Navy Cash. 

To further develop this basis for an informed decision about Navy Cash 
development, we also recommend that the Secretary of Defense direct the 
Secretary of the Navy to ensure that the appropriate Navy 
organizational entities prepare a reliable economic analysis that 
encompasses the program's total life cycle costs, including those of 
FMS, and that (1) addresses cost-estimating best practices and complies 
with relevant OMB cost-benefit guidance and (2) incorporates data on 
whether deployed Navy Cash capabilities are actually producing 
benefits. 

To address Navy Cash information security management weaknesses and 
improve the operational security of the system, we recommend that the 
Secretary of Defense direct the Secretary of the Navy to ensure that 
the Navy Cash program manager, in collaboration with the appropriate 
organizations, take the following five actions: 

* Develop and implement a patch management approach based on NIST 
guidance, which includes a complete Navy Cash systems inventory; an 
automated patch deployment capability; and a patch management 
performance vulnerability measurement capability, including metrics for 
susceptibility to attack and mitigation response time. 

* Institute a process to plan, implement, evaluate, and document 
remedial actions for deficiencies in Navy Cash information security 
policies, procedures, and practices, and ensure that this process meets 
FISMA requirements, as well as applicable OMB and NIST guidance. 

* Update the NAVSUP/FMS memorandum of agreement, in collaboration with 
FMS, to establish specific security requirements for FMS and the 
financial agent to periodically perform information security control 
reviews, including applicable management, operational, and technical 
controls, of the Navy Cash system, and to provide NAVSUP with copies of 
the results of these reviews that pertain to the Navy Cash system and 
its supporting infrastructure. 

* Develop a complete contingency plan to include a (1) sequence of 
recovery activities and (2) procedures for notifying ship personnel 
with contingency plan responsibilities to begin recovery activities; 
and to test the contingency plan in accordance with NIST guidance, 
including documenting lessons learned from testing. 

To address DON information security guidance limitations, we also 
recommend that the Secretary of Defense direct the Secretary of the 
Navy to ensure that the Navy Operational Designated Approving 
Authority, as part of the Naval Network Warfare Command, updates its 
certification and accreditation guidance to require the development of 
plans of action and milestones for all above identified security 
weaknesses. 

If further investment in development of Navy Cash can be justified, we 
then recommend that the Secretary of Defense direct the Secretary of 
the Navy, through the appropriate chain of command, to ensure that the 
Navy Cash program manager takes the following actions. 

* With respect to requirements development and management, (1) develop 
detailed system requirements; (2) establish policies and plans for 
managing changes to requirements, including defining roles and 
responsibilities, and identifying how the integrity of a baseline set 
of requirements will be maintained; and (3) maintain bi-directional 
requirements traceability. 

* With respect to risk management, (1) establish and implement a 
written plan and defined process for risk identification, analysis, and 
mitigation; (2) assign responsibility for managing risk to key 
stakeholders; (3) encourage program-wide participation in risk 
management; (4) include and track the risks discussed in this report as 
part of a risk inventory; and (5) apprise decision making and oversight 
authorities of the status of risks identified during program reviews. 

* With respect to system quality measurement, collect and use 
sufficient data for (1) determining trends in unresolved change 
requests and (2) understanding users' satisfaction with the system. 

Agency Comments and Our Evaluation: 

Both DOD and FMS provided written comments on a draft of this report. 
In DOD's comments, signed by the Deputy Under Secretary of Defense 
(Business Transformation) and reprinted in appendix II, the department 
stated that it concurred with 9 of our 11 recommendations, partially 
concurred with 1, and non-concurred with the remaining 1. In 
non-concurring with our recommendation for limiting further investment in 
the program, the department actually concurred with two out of three 
aspects of the recommendation. Nevertheless, for the aspect of our 
recommendation aimed at limiting further investment in the program to 
certain types of spending, it stated that it did not concur with 
limiting investment to the exclusion of needed maintenance (e.g., 
technology refresh) of operational systems. We agree with this comment, 
as it is consistent with statements in our report, including the 
recommendation summary on the report's highlights page and the report's 
conclusions, both of which focus on limiting investment of 
modernization funding only, and not operations and maintenance funding. 
To avoid any misunderstanding as to our intent, we clarified our 
report. 

With respect to our recommendation for optimizing the relationships 
among DOD's programs that provide smart card technology for electronic 
retail and banking transactions, the department stated that, while it 
concurs with the overall intent of the recommendation, it believes that 
the Office of the Under Secretary of Defense (Comptroller) is the 
appropriate organization to implement it. Since our intent was not to 
prescribe the only DOD organization that should be responsible for 
implementing the recommendation, we have slightly modified the 
recommendation to provide the department flexibility in this regard. 

Notwithstanding DOD's considerable agreement with our recommendations, 
the department provided additional comments on the findings that 
underlie several of the recommendations, which it described as needed 
to clarify and avoid confusion about the program. For various reasons 
discussed below, we either do not agree with most of these additional 
comments or do not find them germane to our findings and 
recommendations. 

* First, the department stated that the report's overall findings 
understate the program's discipline and conformance with applicable 
guidance and best practices. We do not agree. Our review extended to 
six key acquisition control areas, all of which are reflected in DOD's 
own acquisition policies as well as other federal guidance. Effective 
implementation of these controls can minimize program risks and better 
ensure that system investments are defined in a way to optimally 
support mission operations and performance, as well as deliver promised 
system capabilities and benefits on time and within budget. However, we 
found that none of these key IT management controls were being 
effectively implemented on Navy Cash, and the department agreed with 
our recommendations aimed at correcting this. 

* Second, the department stated that the report's findings do not 
accurately capture the program's maturity since the system has been 
deployed to over 80 percent of its user base. While we do not question 
the extent to which the system has been deployed to date, and in fact 
state in our report that the system has been deployed to about 80 
percent of the fleet, we do not agree that the program is mature, as 
evidenced by the numerous IT management control weaknesses that we found 
and the fact that about $60 million in modernization funding remains to 
be spent on the system. 

* Third, the department stated that it recognizes that some security 
management limitations exist, but added that these limitations do not 
pose a serious risk to the confidentiality, integrity, or availability 
of the deployed system, and that our report may cause cardholders to 
become unnecessarily concerned. We do not agree that these limitations 
do not pose a serious risk. Our report details a number of serious 
security management weaknesses relative to both DOD and NIST guidance, 
such as not following an adequate process for planning, implementing, 
evaluating and documenting remedial actions for known information 
security vulnerabilities, as well as not obtaining adequate assurance 
that FMS has effective security controls in place to protect Navy Cash 
applications and data. As a result, we appropriately conclude in our 
report that such failures to effectively manage Navy Cash security 
place the confidentiality, integrity, and availability of deployed and 
operating shipboard devices, applications, and financial data at 
increased risk of being compromised. Swift implementation of our 
recommendations is the best solution to alleviating any cardholder 
concerns that may arise from these weaknesses. 

In FMS's comments, signed by the Commissioner of FMS and reprinted in 
appendix III, the service stated that our recommendations will help 
strengthen Navy Cash and that it has begun addressing our findings and 
recommendations. In addition, it stated that it will support DOD in 
implementing the recommendations, and consistent with DOD, commented 
that it did not agree with one part of one of our recommendations, 
adding that limiting investment in Navy Cash beyond fielding and 
maintaining already tested system capabilities would place future 
operations at risk. As stated above, this recommendation is focused on 
limiting further investment in modernization funding, not operations 
and maintenance funding. To avoid any confusion about this, we have 
added language to other parts of the report to emphasize this focus. 

In addition to the above, and notwithstanding its overall agreement 
with our recommendations, FMS provided other comments relative to 
several of the findings that underlie our recommendations.[Footnote 50] 
As discussed below, we either do not agree with these additional 
comments or do not find them to be germane to our findings and 
recommendations. 

* First, FMS stated that our report does not identify a security 
breach, loss of cardholder or government funds, unauthorized release of 
personal or other sensitive information, or any other compromise of 
system integrity. We agree that our report does not identify these 
things, as the scope of work was not intended to identify them. Rather, 
our scope focused on the program's implementation of key security 
management controls outlined in DOD and NIST guidance. In this regard, 
we found serious information security management control weaknesses and 
concluded that these weaknesses increased the risk to the 
confidentiality, integrity, and availability of information stored, 
transmitted, and processed by the financial agent. 

* Second, FMS stated that the issue of whether Navy Cash is duplicative 
of other similar DOD smart card programs was addressed before Navy Cash 
was initiated in 2001, when DON and FMS determined that for technical 
and cost reasons it could not alter the other DOD programs to meet Navy 
Cash requirements. We do not find this comment relevant to our 
recommendation because our point is not that one of the other DOD 
programs should be altered and used in place of Navy Cash. Rather, our 
point is that these smart card programs need to be looked at 
collectively to decide whether it is in the department's best interest 
to continue investing in separate smart card programs or to invest in a 
single department-wide solution. This point is consistent with FMS's 
stated goal of having a single smart card for DOD. 

* Third, FMS stated that it disagreed with our finding that the Navy 
Cash benefits projection erroneously counted $40 million as cost 
savings rather than cost transfers, adding that this value represents 
not merely a transfer between agencies but actual savings to the United 
States. While we do not disagree that this interest savings represents 
a benefit to the United States government, it also represents a cost-- 
interest foregone--to holders of Treasury debt. Therefore, the interest 
savings represents a transfer rather than savings from one member or 
sector to another. 

We are sending copies of this report to interested congressional 
committees; the Director, Office of Management and Budget; the 
Congressional Budget Office; the Secretary of Defense; the Secretary of 
the Treasury; and the Department of Defense Office of the Inspector 
General. We also will make copies available to others upon request. In 
addition, the report will be available at no charge on the GAO Web site 
[hyperlink, http://www.gao.gov]. 

If you or your staffs have any questions on matters discussed in this 
report, please contact Randolph C. Hite at (202) 512-3439 or 
hiter@gao.gov, or Gregory C. Wilshusen at (202) 512-3789 or 
wilshuseng@gao.gov. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. GAO staff who made major contributions to this report are 
listed in appendix IV. 

Signed by: 

Randolph C. Hite: 
Director Information Technology Architecture and Systems Issues: 

Signed by: 

Gregory C. Wilshusen: 
Director Information Security Issues: 

[End of section] 

Appendix I: Objective, Scope, and Methodology: 

Our objective was to determine whether the Department of the Navy (DON) 
is effectively implementing information technology management controls 
on Navy Cash. We selected Navy Cash primarily because the Department of 
Defense's (DOD) inventory of DON systems identified the program as one 
of DON's five largest development and modernization investments. To 
address the objective, we focused on the following management areas: (1) 
architectural alignment; (2) economic justification; (3) requirements 
development and management; (4) risk management; (5) security 
management; and (6) system quality measurement. In doing so, we 
analyzed a range of program documentation, such as the acquisition 
strategy, business case, economic analysis, agreements between the 
partnering organizations, and interviewed cognizant officials, such as 
the Milestone Decision Authority, program manager, and Financial 
Management Service (FMS) and financial agent officials responsible for 
Navy Cash. 

To address architectural alignment, we reviewed the program's business 
enterprise architecture (BEA) compliance assessments and system 
architecture products as well as versions 4.0, 4.1, and 5.0 of the BEA 
and compared them to the BEA compliance requirements described in the 
Ronald W. Reagan National Defense Authorization Act for Fiscal Year 
2005[Footnote 51] and DOD's BEA compliance guidance and evaluated the 
extent to which the compliance assessments addressed all relevant BEA 
products. We also reviewed DOD guidance for program architecture 
development, such as DOD's Business Transformation Guidance, and 
compared Navy Cash's program architecture development activities to 
this guidance. In addition, we interviewed Navy Cash and FMS officials, 
as well as Navy Cash's Milestone Decision Authority, and requested 
related documentation on the potential duplication between Navy Cash 
and other DOD programs that involve the use of smart card 
functionality, such as the Air Force's and Army's Eagle Cash and EZpay 
programs. 

To address the program's economic justification, we reviewed the latest 
economic analysis to determine the basis for the cost and benefit 
estimates. This included evaluating the analysis against Office of 
Management and Budget guidance and GAO's Cost Assessment 
Guide.[Footnote 52] In addition, we interviewed cognizant program 
officials, including the Navy Cash program manager and FMS, regarding 
their respective roles, responsibilities, and actual efforts in 
developing and/or reviewing the economic analysis and the extent to 
which measures and metrics showed that projected benefits in the 
economic analysis were actually being realized. We also interviewed 
cognizant officials such as the Milestone Decision Authority about the 
purpose and use of the program's economic analysis for managing the 
investment in the Navy Cash program. 

To address requirements development and management, we reviewed 
relevant program documentation, such as the concept of operations 
document, and interviewed relevant program officials and evaluated this 
information against relevant best practices.[Footnote 53] We also 
reviewed interface requirements documents, minutes of program 
management meetings, and traceability of security requirements. In 
addition, we interviewed program officials involved in the requirements 
management process to discuss the change control process they use and 
their roles and responsibilities for managing requirements. 

To address risk management, we reviewed relevant risk management 
documentation, such as program management review meeting minutes and 
compared the program office's activities with DOD's risk management 
guidance[Footnote 54] and related best practices.[Footnote 55] We 
analyzed the effectiveness of the program's management reviews in terms 
of managing risks. In doing so, we interviewed cognizant program 
officials responsible, such as the program manager, Milestone Decision 
Authority, and FMS officials to discuss their roles and 
responsibilities and obtain clarification on the program's approach to 
managing risks associated with acquiring and implementing Navy Cash. 

To address security management, we reviewed relevant security 
documentation, such as DOD and National Institute of Standards and 
Technology information security guidance, and the Navy Cash afloat and 
ashore system security authorization agreements. In addition, we 
observed the system in operation aboard the USS Theodore Roosevelt and 
discussed security issues with ship personnel, program office, FMS, and 
financial agent officials. We also reviewed USS Harry S. Truman 
contingency plan test results. Additionally, we reviewed a database 
used to maintain the inventory of Navy Cash hardware and software 
assets as a part of our analysis on the Navy Cash vulnerability 
management program. Furthermore, we interviewed cognizant DON, FMS, and 
financial agent officials to discuss their roles and responsibilities 
and obtain clarification on the program's approach to protecting the 
confidentiality, integrity, and availability of Navy Cash systems and 
information. 

To address system quality measurement, we reviewed program 
documentation, such as change request logs, and a plan of action and 
milestones for change requests. We also compared the program's data 
collection and analysis practices relative to these areas to program 
guidance and best practices.[Footnote 56] We reviewed the plans for and 
results of surveys that were performed on user and shipboard merchant 
satisfaction with Navy Cash, and we interviewed program management and 
technical officials. 

We conducted our work at DOD offices and program office and ship 
facilities in the Washington, D.C. metropolitan area, Norfolk, 
Virginia, and Mechanicsburg, Pennsylvania, between June 2007 and 
September 2008, in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objective. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objective. 

[End of section] 

Appendix II: Comments from the Department of Defense: 

Office Of The Under Secretary Of Defense: 
Acquisition Technology And Logistics: 
3000 Defense Pentagon: 
Washington, DC 20301-3000: 

August 27, 2008: 

Mr. Randolph C. Hite: 
Director, Information Technology Architecture and Systems Issues: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, D.C. 20548: 

Dear Mr. Hite: 

This is the Department of Defense (DoD) response to the GAO draft 
report GAO-08-922, "DOD Business Systems Modernization: Planned 
Investment in Navy Program to Create Cashless Shipboard Environment 
Needs to Be Justified and Better Managed," dated July 18, 2008 (GAO 
Code 310660). Detailed comments on the recommendations are enclosed. 

The Department concurs with nine of the recommendations and partially 
concurs with one recommendation and non-concurs with one 
recommendation. The Department also believes that the overall findings 
of the report understate the level of discipline and conformance with 
applicable guidance and best business practices. Additionally, the 
report's findings do not accurately capture the maturity of the program 
since the system has been deployed to over 80 percent of the planned 
user base. Finally, the Department would like to note that development 
of the system has been a simple, low cost adaptation of a system made 
up of primarily commercial-off-the-shelf products. 

With regard to GAO's first recommendation, although the Department 
concurs that an updated economic analysis is needed to decide "as to 
whether further development and modernization is economically justified 
and in the department's collective best interests," the Department 
intends to avoid any significant disruption of afloat disbursing 
operations to ensure that the warfighters continue to have access to 
their pay. Navy Cash must remain operational while corrective actions 
to address GAO's recommendations are underway. The earliest installed 
systems are nearing the end of their expected operational life due to 
aging hardware and technology obsolescence. These must be replaced 
through a planned technical refresh, in order to maintain already 
developed and tested capabilities. 

Information technology management controls continue to be a top 
priority throughout the entire DoD as we modernize our business 
systems. As the Department continues to move forward, we appreciate the 
GAO's input in our on-going business systems modernization efforts. 

Sincerely, 

Signed by: 

Paul A. Brinkley: 
Deputy Under Secretary of Defense (Business Transformation): 

Enclosure: As stated: 

GAO Draft Report Dated July 18, 2008: 
GAO-08-922 (GAO Code 310660): 
"DOD Business Systems Modernization: Planned Investment In Navy Program 
To Create Cashless Shipboard Environment Needs To Be Justified And 
Better Managed": 

Department Of Defense Comments To The GAO Recommendations: 

Recommendation 1: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to limit further investment in the 
program to only: (1) deployment to remaining ships of already developed 
and tested capabilities; (2) correction of information security 
vulnerabilities and weaknesses on ships where it is deployed and 
operating; and (3) development of the basis for an informed decision as 
to whether further development and modernization is economically 
justified and in the department's collective best interests. 

DOD Response: Non-Concur. The Department concurs with the 
recommendation to reduce system vulnerabilities and to update the 
economic justification. However, the Department non-concurs that the 
Navy limit its investment in the program to solely those activities 
listed in the recommendation. Some investment beyond the parameters 
suggested by GAO is needed to maintain the current system to ensure 
that afloat disbursing operations continue and that the warfighter 
continues to have access to their pay. Instead, the Navy will limit its 
investment in the program to fielding and maintaining already tested 
capabilities and selection and testing of technology refresh hardware, 
which is required to maintain the already developed and tested 
capabilities. 

The Navy Cash Program Office will complete the economic justification 
and address the report's other recommendations prior to making the 
investment in the technology refresh hardware that is currently planned 
to be delivered to the Fleet in Fiscal Year (FY) 2010. 

Today, most Navy Cash system updates (including Information Assurance 
Vulnerability Management (IAVM) updates) are fielded through ship 
maintenance actions. A new software release which will automate 
Information Assurance Vulnerability (IAV) updates to Navy Cash servers 
and report compliance to the Navy Cash program is in the accreditation 
process. Currently, IAV patches are supported during ships grooms or by 
having shipboard Information Technology (IT) personnel support the Navy 
Cash servers with updates. 

Target completion date for these corrective actions is September 30, 
2009. 

Recommendation 2: The GAO recommends that the Secretary of Defense, 
through the appropriate chain of command, direct the Director of the 
DoD Business Transformation Agency, to: (1) examine the relationships 
among DoD's programs for delivering military personnel with smart card 
technology for electronic retail and banking transactions; (2) 
identify, in coordination with the respective program offices, 
alternatives for optimizing the relationships of these programs in a 
way that minimizes areas of duplication, maximizes reuse of shared 
services across the programs, and considers opportunities for a 
consolidated stored value card program across the military services; 
and (3) share the results with the appropriate organizations for use in 
making an informed decision about planned investment in Navy Cash. 

DOD Response: Partially Concur. The Department concurs with the overall 
intent of the recommendation, but believes that the appropriate 
organization within DoD is the Office of the Under Secretary of Defense 
(Comptroller) (OUSD(C)). OUSD(C) is responsible for cash disbursement 
to Sailors and Marines across the globe as well as reconciling the 
Department's fund balance with the Treasury. As such, OUSD(C), 
utilizing the Investment Review Board (IRB) structure, will task a 
functional team to work with the Navy Cash Program Office and other 
program offices within DoD as appropriate to examine the relationships 
among DoD's programs for delivering military personnel smart card 
technology for electronic retail and banking transactions. OUSD(C) will 
identify alternatives, if any, for optimizing those relationships and 
will present those alternatives to the DoD Financial Management IRB and 
Defense Business Systems Management Committee (DBSMC) upon completion 
of the analysis. 

Recommendation 3: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to ensure that the appropriate Navy 
organizational entities prepare a reliable economic analysis that 
encompasses the program's total life cycle costs, including those of 
Department of the Treasury, Financial Management Service (FMS) and 
that: (1) addresses cost-estimating best practices and complies with 
relevant OMB cost benefit guidance; and (2) incorporates data on 
whether deployed Navy Cash capabilities are actually producing 
benefits. 

DOD Response: Concur. In 2006, the Navy Cash Program Office did a high 
level review of Navy Cash to determine if system capabilities were 
producing anticipated benefits. The Program Office learned that ships 
overwhelmingly exceeded the expected goal of carrying less cash, which 
was a major goal of the system and central to the economic analysis.
The Navy Cash Program Office will develop a comprehensive and reliable 
economic analysis in compliance with relevant Office of Management and 
Budget (OMB) cost benefit guidance prior to technology refresh hardware 
procurement for installation on ships. 

Target completion date for developing this economic analysis is 
September 30, 2009. 

Recommendation 4: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to ensure that the Navy Cash program 
manager, in collaboration with the appropriate organizations develop 
and implement a patch management approach based on National Institute 
of Standards and Technology (NIST) guidance, which includes a complete 
Navy Cash systems inventory; an automated patch deployment capability; 
and a patch management performance vulnerability measurement 
capability, including metrics for susceptibility to attack and 
mitigation response time. 

DOD Response: Concur. The Navy Cash program is in the process of 
resubmitting an updated certification package to the Naval Network 
Warfare Command (NNWC), which is the program's Designated Approving 
Authority, to ensure that the Navy Cash revised patch management 
procedures comply with all current security directives. 

The next planned release, which is already going through the 
accreditation process, includes an automated patch deployment 
capability. As part of configuration management, the program office 
will work with stakeholders to consolidate our existing tracking tools 
into a single systems inventory to track the deployment of automated 
patches, and measure the patch management performance vulnerability, in 
accordance with NIST Standards. Completion for system accreditation and 
tracking tool development will be in FY 2009. 

Target completion date for completing our corrective actions is March 
31, 2009. 

Recommendation 5: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to ensure that the Navy Cash program 
manager, in collaboration with the appropriate organizations institute 
a process to plan, implement, evaluate, and document remedial actions 
for deficiencies in Navy Cash information security policies, procedures 
and practices, and ensure that this process meets Financial Information 
Security Management Act (FISMA) requirements, as well as applicable OMB 
and NIST guidance. 

DOD Response: Concur. To address GAO's recommendation, the program 
office in conjunction with its stakeholders will finalize the draft 
Information Assurance Vulnerability Management Guide and accompanying 
IAVM Coordinator Standard Operating Procedure to include documenting 
remedial actions for deficiencies in the Navy Cash system in the System 
Level IT Security Plan of Action and Milestones (POA&M), in accordance 
with FISMA requirements and Department of Navy, OMB, and National 
Institute of Standards and Technology (NIST) Guidance. 

As stated in the response to Recommendation 4, the Navy Cash program is 
in the process of resubmitting an updated Certification package to NNWC 
to ensure that the Navy Cash revised patch management procedures comply 
with all current security directives. 

Target completion date for completing our corrective actions is March 
31, 2009. 

Recommendation 6: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to ensure that the Navy Cash program 
manager, in collaboration with the appropriate organizations update the 
Naval Supply Systems Command (NAVSUP)/Treasury Financial Management 
Services (FMS) memorandum of agreement, in collaboration with FMS, to 
establish specific security requirements for FMS and the financial 
agent to periodically perform information security control reviews, 
including applicable management, operational, and technical controls, 
of the Navy Cash system, and to provide NAVSUP with copies of the 
results of these reviews that pertain to the Navy Cash system and its 
supporting infrastructure. 

DOD Response: Concur. The Treasury FMS Security office has conducted 
several security reviews of the Treasury Financial Agent's security 
posture in accordance with Treasury's Electronic Systems Processing 
Security Guidelines. They are also developing electronic systems 
processing security guidelines for applications like Navy Cash.
The Navy Cash Program Office will work with Treasury to update the 
Memorandum of Agreement (MOA) to reflect the security guidelines that 
FMS places on its financial agents. 

Target completion date for completing our corrective actions is May 31, 
2009. 

Recommendation 7: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to ensure that the Navy Cash program 
manager, in collaboration with the appropriate organizations develop a 
complete contingency plan to include a: (1) sequence of recovery 
activities; and (2) procedures for notifying ship personnel with 
contingency plan responsibilities to begin recovery activities; and to 
test the contingency plan in accordance with NIST guidance, including 
documenting lessons learned from testing. 

DOD Response: Concur. The recovery strategies in the Navy Cash 
Contingency Planning Guide will be updated to include a more detailed 
sequence of recovery activities and procedures for notifying ship 
personnel with contingency plan responsibilities to begin recovery 
activities. The Navy Cash Contingency Plan test procedures will be 
updated to include the documentation of lessons learned, in accordance 
with NIST guidance. 

Target completion date for completing our corrective actions is May 31, 
2009. 

Recommendation 8: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to ensure that the Navy Operational 
Designated Approving Authority, as part of the Naval Network Warfare 
Command, updates its certification and accreditation guidance to require 
the development of plans of action and milestones for all above 
identified security weaknesses. 

DOD Response: Concur. The requirement for a System Level IT Security 
Plan of Action and Milestone (POA&M) is included in the new Department 
of Defense Information Assurance Certification and Accreditation 
Process (DIACAP). The Navy Cash Program Office has developed a System 
Level IT Security POA&M in the pending Certification and Accreditation 
package for the next software update for Navy Cash. 

Target completion date for completing our corrective actions is 
December 31, 2008. 

For the following three recommendations, if further investment in 
development of Navy Cash can be justified then: 

Recommendation 9: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, to ensure that the Navy Cash program manager: (1) develop 
detailed system requirements; (2) establish policies and plans for 
managing changes to requirements, including defining roles and 
responsibilities, and identifying how the integrity of the baseline set 
of requirements will be maintained; and (3) maintain bi-directional 
requirements traceability. 

DOD Response: Concur. The Navy Cash Program Office will define system 
requirements and establish related policies and plans adequate to 
manage changes to requirements and to maintain bi-directional 
requirements traceability in accordance with best business practices 
for all future efforts. 

Target completion date for completing our corrective actions is May 31, 
2009. 

Recommendation 10: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, to ensure that the Navy Cash program manager: (1) establish 
and implement a written plan and defined process for risk 
identification, analysis, and mitigation; (2) assign responsibility for 
managing risk to key stakeholders; (3) encourage program-wide 
participation in risk management; (4) include and track the risks 
discussed in this report as part of a risk inventory; and (5) apprise 
decision making and oversight authorities of the status of identified 
risks during program reviews. 

DOD Response: Concur. While the Navy Cash Program Office addressed 
program risks regularly and successfully through our Program Management 
Review process, the Program Office has since instituted a more formal 
risk management approach as recommended here and in accordance with the 
Naval Systems Commands Risk Management Policy (NAVSUP INSTRUCTION 
5000.20). The effort was kicked-off at the program review held June 10-
11, 2008, with formal documentation currently under development. 

Target completion date for completing our corrective actions is 
December 31, 2008. 

Recommendation 11: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, ensure that the Navy Cash program manager: (1) determines 
trends in unresolved change requests and (2) understands users' 
satisfaction with the system. 

DOD Response: Concur. In the past, the Navy Cash Program Office has 
only dealt with a minimum number of proposed changes, and all proposed 
changes were well-documented. The Program Office will add the detail to 
the existing process as recommended here. 

It is important to highlight that the user base has been and continues 
to be an important participant in essentially every program discussion. 
As indicated in the report, the Program Office is currently conducting 
another survey and will revise/repeat the survey process as required to 
ensure understanding of user satisfaction. 

Target completion date for completing our corrective actions is 
September 30, 2009. 

Comments To The Draft Audit Report: 

The Department believes the following details and clarifications will 
help readers of this report to better understand statements made in the 
report that were not directly addressed in the recommendations or 
responses. 

Navy Cash is designated as an Acquisition Category (ACAT) III program 
and is not a Major Automated Information Systems (MAIS) program. To 
manage the acquisition and deployment of Navy Cash, the Navy 
established a program management office within the Naval Supply Systems 
Command (NAVSUP). The program office grew over time from 4 Full Time 
Equivalents (FTE) in September 2000, to 8.5 FTEs in June 2008. NAVSUP 
has partnered with the Treasury's FMS not only because of statutory 
regulations on holding public funds (31 C.F.R. Part 202, 31 U.S.C. § 
3302), but also to take advantage of the Treasury's extensive 
experience in fielding stored value card programs with the Army, Air 
Force and Marine Corps. 

Navy Cash is a fully developed system, currently installed on 128 ships 
and is over SO percent deployed. The system has achieved the major 
program goals for cost, schedule, and performance. Half of the ships 
remaining in our deployment schedule are new construction ships that 
have not yet been delivered to the Navy. In addition, Navy's 
partnership with the Treasury and the Treasury Financial Agent provided 
access to what are, in effect, proven Commercial Off-the-Shelf (COTS) 
products that required little modification to provide the financial 
services necessary to support Navy Cash. 

The Department recognizes some limited areas for improvement in 
security management as described in our responses, but these 
limitations do not represent a serious risk to the confidentiality, 
integrity, or availability of the deployed Navy Cash systems, as 
indicated on Page 8 of the report. The Department is concerned that 
cardholders would become
unnecessarily concerned. 

Although this report primarily focuses on cashless retail functions, it 
needs to be noted that the core capability of Navy Cash is to enable 
Sailors and Marines embarked on Navy ships access to their pay in 
accordance with 31 U.S.C. § 3342 and The Debt Collection Improvement 
Act of 1996. 

[End of section] 

Appendix III: Comments from the Department of the Treasury, Financial 
Management Service: 

Department Of The Treasury: 
Financial Management Service: 
Commissioner: 
Washington, DC 20227: 

August 18, 2008: 

Mr. Randolph C. Hite: 
Director, Information Technology Architecture and Systems Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Hite: 

Thank you for the opportunity to comment on the Government 
Accountability Office's (GAO) draft report entitled "DoD Business 
Systems Modernization, Planned Investment in Navy Program to Create 
Cashless Shipboard Environment Needs to Be Justified and Better 
Managed" (GAO-08-922). We appreciate GAO's efforts to identify 
improvements in the Navy Cash program which is managed jointly by the 
U.S. Department of the Navy (Navy) and the Financial Management Service 
(FMS). 

The Navy Cash program has successfully met the Navy's goal of 
transforming cash management by removing the vast majority of cash from 
the Fleet's operations. Since its introduction in 2001, the program has 
displaced more than $300 million in coin and currency on 128 Navy 
ships, through the issuance of more than 200,000 financial smart cards 
to Sailors and Marines who have initiated more than 100 million 
transactions. Information security is critically important to both the 
Navy and FMS. We note that the draft report identifies no security 
breach, loss of cardholder or government funds, unauthorized release of 
personal or other sensitive information, or any other compromise of 
system integrity in connection with these operations. 

The GAO recommendations identified in the draft report will help 
strengthen the Navy Cash program, and we are already addressing several 
of the findings and recommendations. Please note our comments below and 
in an attachment to this letter. 

First, we note that the draft report requires Navy to ensure that FMS 
strengthen its Information Technology security program in accordance 
with the Federal Information Security Management Act (FISMA) 
requirements. FMS will continue to support the Navy in its efforts to 
comply with the report's recommendations so long as implementation is 
consistent with FMS' policies and the statutory authorities and 
regulations which govern the provision of financial services by FMS' 
financial agents. FMS has unique authority to designate financial and 
fiscal agents to assist in the performance of many functions related to 
the nation's finances. See, e.g., 12 U.S.C. §§ 90, 391. This authority 
permits FMS to effectively administer centralized public funds deposit, 
management, and accounting functions, without the expense of developing 
and maintaining its own banking system. Navy Cash funds constitute 
public money under 31 C.F.R. Part 202 and thus, in accordance with 31 
U.S.C. § 3302, must be held in the Treasury or in an account held by a 
Treasury designated financial agent. 

The commercial banking institutions selected by FMS to act as financial 
agents are highly regulated and must act in compliance with rules 
issued by the Office of the Comptroller of the Currency (OCC), Federal 
Reserve Board, Federal Deposit Insurance Corporation (FDIC) and private 
organizations (i.e. Mastercard and NACHA). FMS is in the process of 
strengthening its Information Technology security program to improve 
FMS' oversight of the internal controls employed by its financial 
agents. FMS recognizes the importance of improved oversight of the 
manner in which its financial agents implement security controls in 
order to ensure that stringent security procedures are in place. 

Second, the draft report questions whether Navy Cash is duplicative of 
similar smart card programs operated by the Air Force and Army. This 
issue was addressed before the Navy Cash program was implemented in 
2001. Given the unique requirements of ships at sea, FMS and Navy 
determined that the functionality of the other Department of Defense 
(DoD) smart card programs could not support Navy Cash. Among other 
things, Navy Cash requires a dual-factor smart card that functions on 
ship (integrated circuit chip) and ashore (magnetic stripe), an 
automated end-of-day settlement process, and a "Split pay" program that 
allows the Sailor/Marine to allocate a portion of his or her pay to the 
Navy Cash card. For both technical and cost reasons, none of the other 
FMS/DoD smart card platforms could be altered to provide this 
functionality. 

In 2004, DoD and FMS agreed on a goal of a "single smart card." Efforts 
to advance this concept include two proofs of technology pilots 
(conducted in 2005 and 2006) with DoD using the Common Access Card. 
Also, an Inter-Agency Stored Value Card team, which was chartered in 
2007, is assisting FMS as it develops a stored value card strategy to 
support a single DoD smart card for the future. 

Finally, we want to clarify the statement in the draft report that "the 
Navy Cash benefits projection erroneously counted $40 million as cost 
savings rather than cost transfers..." We disagree with this statement. 
The initial Business Case Analysis ("BCA") estimated that when 
implemented fleetwide, Navy Cash would displace $459 million in cash 
that would otherwise be held outside of the Treasury. The BCA 
calculated the time value of the funds retained in the Treasury to be 
in excess of $40 million for the first six years of the program. This 
value is not merely a transfer between agencies, but represents actual 
savings to the United States. 

Again, thank you for the opportunity to comment on this draft GAO 
report. If you have any questions or wish to discuss these comments in 
more detail, I can be reached at (202) 874-7000, or you may contact 
Sheryl Morrow on (202) 874-6720. 

Sincerely, 

Signed by: 

Judith R. Tillman: 

Enclosure: 

Financial Management Service's (FMS) Response to Recommendations in
Government Accountability Office's Draft Report DoD Business Systems 
Modernization, Planned Investment in Navy Program to Create Cashless 
Shipboard Environment Needs to Be Justified and Better Managed (GAO-08-
922): 

Recommendation 1: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to limit further investment in the 
program to only: (1) deployment to remaining ships of already developed 
and tested capabilities; (2) correction of information security 
vulnerabilities and weaknesses on ships where it is deployed and 
operating; and (3) development of the basis for an informed decision as 
to whether further development and modernization is economically 
justified and in the department's collective best interests. 

Response: FMS agrees with the recommendation to correct system 
vulnerabilities and update economic justification for the Navy Cash 
program. However, FMS disagrees with the recommendation to limit 
investment beyond fielding and maintaining already tested capabilities 
because the recommendation would place future operations at risk. 
Important components of the Navy Cash system architecture are at end-of-
life. Therefore, the process to identify, test, and certify replacement 
equipment must continue or the program's operations will be 
jeopardized. FMS will support Navy in its update of the economic 
analysis of the program's costs and benefits. 

Recommendation 2: The GAO recommends that the Secretary of the Defense 
through the appropriate chain of command, direct the Director of the 
DoD Business Transformation Agency, to: (1) examine the relationships 
among DoD's programs for delivering military personnel with smart card 
technology for electronic retail and banking transactions; (2) 
identify, in coordination with the respective program offices, 
alternatives for optimizing the relationships of these programs in a 
way that minimizes areas of duplication, maximizes reuse of shared 
services across the programs, and considers opportunities for a 
consolidated stored value card program across the military services; 
and (3) share the results with the appropriate organizations for use in 
making an informed decision about planned investment in Navy Cash. 

Response: FMS welcomes DoD's continued support and input in connection 
with its efforts to review, develop, and implement a strategy that will 
ultimately result in a single, multi-functional smart card to meet 
DoD's cash management needs. 

Recommendation 3: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to ensure that the appropriate Navy 
organizational entities prepare a reliable economic analysis that 
encompasses the program's total life cycle costs, including those of 
Department of the Treasury, Financial Management Service
(FMS) and that: (1) addresses cost-estimating best practices and 
complies with relevant OMB cost benefit guidance; and (2) incorporates 
data on whether deployed Navy Cash capabilities are actually producing 
benefits. 

Response: FMS will support Navy in its analysis of the program's costs 
and benefits. 

Recommendation 4: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to ensure that the Navy Cash program 
manager, in collaboration with the appropriate organizations develop 
and implement a patch management approach based on National Institute 
of Standards and Technology (NIST) guidance, which includes a complete 
Navy Cash systems inventory; an automated patch deployment capability; 
and a patch management performance vulnerability measurement 
capability, including metrics for susceptibility to attack and 
mitigation response time. 

Response: FMS will support Navy in its implementation of this 
recommendation and is currently working with Navy to implement an 
automated patch deployment capability. 

Recommendation 5: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to ensure that the Navy Cash program 
manager, in collaboration with the appropriate organizations institute 
a process to plan, implement, evaluate, and document remedial actions 
for deficiencies in Navy Cash information security policies, procedures 
and practices, and ensure that this process meets Financial Information 
Security Management Act (FISMA) requirements, as well as applicable OMB 
and NIST guidance. 

Response: FMS will support Navy in its implementation of this 
recommendation, and will ensure that implementation is consistent with 
FMS' and other authorities related to the banking services provided by 
FMS' financial agent. 

Recommendation 6: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to ensure that the Navy Cash program 
manager, in collaboration with the appropriate organizations update the 
Naval Supply Systems Command (NAVSUP)/FMS memorandum of agreement, in 
collaboration with FMS, to establish specific security requirements for 
FMS and the financial agent to periodically perform information 
security control reviews, including applicable management, operational, 
and technical controls, of the Navy Cash system, and to provide NAVSUP 
with copies of the results of these reviews that pertain to the Navy 
Cash system and its supporting infrastructure. 

Response: FMS will work with NAVSUP to update the Memorandum of 
Agreement (MoA) to reflect the security guidelines that FMS places on 
its financial agents. FMS is in the process of enhancing its existing 
security requirements and oversight of its financial agents and will 
ensure that Navy is provided access to the results of the reviews that 
pertain to the Navy Cash program. 

Recommendation 7: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to ensure that the Navy Cash program 
manager, in collaboration with the appropriate organizations develop a 
complete contingency plan to include a: (1) sequence of recovery 
activities; and (2) procedures for notifying ship personnel with 
contingency plan responsibilities to begin recovery activities; and to 
test the contingency plan in accordance with NIST guidance, including 
documenting lessons learned from testing. 

Response: FMS will support Navy in its implementation of this 
recommendation, and will ensure that implementation is consistent with 
FMS' and other authorities related to the banking services provided by 
FMS' financial agent. 

Recommendation 8: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy to ensure that the Navy Operational 
Designated Approving Authority, as part of the Naval Network Warfare 
Command, updates its certification and accreditation guidance to require 
the development of plans of action and milestones for all above 
identified security weaknesses. 

Response: FMS will support Navy in its implementation of this 
recommendation, and will ensure that implementation is consistent with 
FMS' and other authorities related to the banking services provided by 
FMS' financial agent. 

Recommendation 9: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, to ensure that the Navy Cash program manager: (1) develop 
detailed system requirements; (2) establish policies and plans for 
managing changes to requirements, including defining roles and 
responsibilities, and identifying how the integrity of the baseline set 
of requirements will be maintained; and (3) maintain bi-directional 
requirements traceability. 

Response: FMS will support Navy in its implementation of this 
recommendation, and will ensure that implementation is consistent with 
FMS' and other authorities related to the banking services provided by 
FMS' financial agent. 

Recommendation 10: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, to ensure that the Navy Cash program manager: (1) establish 
and implement a written plan and defined process for risk 
identification, analysis, and mitigation; (2) assign responsibility for 
managing risk to key stakeholders; (3) encourage program-wide 
participation in risk management; (4) include and track the risks 
discussed in this report as part of a risk inventory; and (5) apprise 
decision making and oversight authorities of the status of 
identified risks during program reviews. 

Response: FMS will support Navy in its implementation of this 
recommendation, and will ensure that implementation is consistent with 
FMS' and other authorities related to the banking services provided by 
FMS' financial agent. 

Recommendation 11: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, ensure that the Navy Cash program manager: (1) determines 
trends in unresolved change requests and (2) understands users' 
satisfaction with the system. 

Response: FMS will support Navy in its implementation of this 
recommendation, and will ensure that implementation is consistent with 
FMS' and other authorities related to the banking services provided by 
FMS' financial agent. 

[End of section] 

Appendix IV: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Randolph C. Hite (202) 512-3439 or hiter@gao.gov: 
Gregory C. Wilshusen (202) 512-3789 or wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the contact persons named above, key contributors to 
this report were Neelaxi Lakhmani (Assistant Director), Jenniffer 
Wilson (Assistant Director), Ed Glagola (Assistant Director), Monica 
Anatalio, Carolyn Boyce, Harold Brumm, West Coile, Neil Doherty, Cheryl 
Dottermusch, Joshua Hammerstein, Mustafa Hassan, Michael Holland, James 
Houtz, Ethan Iczkovitz, Rebecca LaPaze, Anh Le, Josh Leiling, Mary 
Marshall, Karen Richey, Melissa Schermerhorn, Karl Seifert, Jonathan 
Ticehurst, and Adam Vodraska. 

[End of section] 

Footnotes: 

[1] Business systems include financial and non-financial systems that 
support DOD's business operations, such as civilian personnel, finance, 
health, logistics, military personnel, procurement, and transportation. 

[2] GAO, High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-07-310] (Washington, D.C.: 
January 2007). 

[3] Smart cards are plastic devices that are about the size of a credit 
card and contain an embedded integrated circuit chip capable of storing 
and processing data. The term "smart card" may also be used to refer to 
cards with a computer chip, also referred to as an e-purse, that store 
information to be processed by hardware such as point-of-sale terminals 
or card access devices. 

[4] The BEA defines the department's business priorities, the 
capabilities required to support those priorities, and the combinations 
of systems and initiatives that enable those capabilities. 

[5] The Navy Cash shipboard server stores individual transactions, 
groups them into a single compressed file, and then transmits the file 
of daily transactions for processing. 

[6] The Automated Clearing House is a network that allows banking 
institutions to clear, or validate, electronic transactions. 

[7] This estimate, reported in DON's 2002 economic analysis, did not 
include FMS's costs for the program. 

[8] According to program documentation, Navy Cash has a 14-year 
expected life. However, program officials stated that this life cycle 
is being reconsidered and a new life cycle has yet to be established. 

[9] NAVSUP is one of five system commands within DON. Its mission 
includes, among other things, providing DON quality supplies and 
services on a timely basis. 

[10] Financial agent services are authorized under a number of 
statutes, including but not limited to, 12 U.S.C. § 265 and 12 U.S.C. § 
332. 

[11] Donald E. Harter, Mayuram S. Krishnan, and Sandra A. Slaughter, 
"Effects of Process Maturity on Quality, Cycle Time, and Effort in 
Software Product Development," Management Science, vol. 46, no. 4, 
2000; and Bradford K. Clark, "Quantifying the Effects of Process 
Improvement on Effort," IEEE Software (November/December 2000). 

[12] GAO, Information Technology: DOD's Acquisition Policies and 
Guidance Need to Incorporate Additional Best Practices and Controls, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-722] (Washington, 
D.C.: July 2004). 

[13] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-722]. 

[14] See, for example, GAO, DOD Business Transformation: Lack of an 
Integrated Strategy Puts the Army's Asset Visibility System Investments 
at Risk, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-860] 
(Washington, D.C.: July 27, 2007); GAO, Information Technology: DOD 
Needs to Ensure That Navy Marine Corps Intranet Program Is Meeting 
Goals and Satisfying Customers, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-07-51] (Washington, D.C.: Dec. 8, 2006); GAO, Defense 
Travel System: Reported Savings Questionable and Implementation 
Challenges Remain, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-
980] (Washington, D.C.: Sept. 26, 2006); GAO, DOD Systems 
Modernization: Uncertain Joint Use and Marginal Expected Value of 
Military Asset Deployment System Warrant Reassessment of Planned 
Investment, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-171] 
(Washington, D.C.: Dec. 15, 2005); and GAO, DOD Systems Modernization: 
Planned Investment in the Navy Tactical Command Support System Needs to 
Be Reassessed, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-
215] (Washington, D.C.: Dec. 5, 2005). 

[15] Ronald W. Reagan National Defense Authorization Act for Fiscal 
Year 2005, Pub. L. No. 108-375, § 332 (2004) (codified at 10 U.S.C. §§ 
186 and 2222). 

[16] Field/tactical refers to Army units that are deployable to 
locations around the world, such as Iraq or Afghanistan. 

[17] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-860]. 

[18] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-215]. 

[19] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-171]. 

[20] Department of Defense Directive Number 5000.1 and Department of 
Defense Architecture Framework, Version 1.0, Volume 1 (February 2004). 

[21] Clinger-Cohen Act of 1996, 40 U.S.C. § 11315(b)(2); E-Government 
Act of 2002, Public Law No. 107-347 (Dec. 17, 2002); GAO, Information 
Technology: A Framework for Assessing and Improving Enterprise 
Architecture Management (Version 1.1), [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-03-584G] (Washington, D.C.: April 
2003); Chief Information Officer Council, A Practical Guide to Federal 
Enterprise Architecture, Version 1.0 (February 2001); and Institute of 
Electrical and Electronics Engineers, Standard for Recommended Practice 
for Architectural Description of Software-Intensive Systems 1471-2000 
(Sept. 21, 2000). 

[22] A well-defined enterprise architecture provides a clear and 
comprehensive picture of an entity, whether it is an organization 
(e.g., a federal department) or a functional or mission area that cuts 
across more than one organization (e.g., personnel management). This 
picture consists of snapshots of both the enterprise's current or "As 
Is" environment and its target or "To Be" environment, as well as a 
capital investment road map for transitioning from the current to the 
target environment. These snapshots consist of integrated "views," 
which are one or more architecture products that describe, for example, 
the enterprise's business processes and rules; information needs and 
flows among functions, supporting systems, services, and applications; 
and data and technical standards and structures. 

[23] Pub. L. No. 108-375, § 332 (2004) (codified at 10 U.S.C. §§ 186 
and 2222). 

[24] DOD has adopted a federated approach for developing its business 
mission area enterprise architecture, which includes the corporate BEA 
representing the thin layer of DOD-wide corporate architectural 
policies, capabilities, rules, and standards; component architectures 
(e.g., DON enterprise architecture); and program architectures (e.g., 
Navy Cash architecture). 

[25] See, for example, GAO, Information Technology: FBI Is Taking Steps 
to Develop an Enterprise Architecture, but Much Remains to Be 
Accomplished, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-363] 
(Washington, D.C.: Sept. 9, 2005); GAO, Homeland Security: Efforts 
Under Way to Develop Enterprise Architecture, but Much Work Remains, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-777] (Washington, 
D.C.: Aug. 6, 2004); GAO, Information Technology: Architecture Needed 
to Guide NASA's Financial Management Modernization, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-04-43] (Washington, D.C.: Nov. 
21, 2003); GAO, DOD Business Systems Modernization: Important Progress 
Made to Develop Business Enterprise Architecture, but Much Work 
Remains, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1018] 
(Washington, D.C.: Sept. 19, 2003); GAO, Information Technology: DLA 
Should Strengthen Business Systems Modernization Architecture and 
Investment Activities, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-01-631] (Washington, D.C.: June 29, 2001); and GAO, 
Information Technology: INS Needs to Better Manage the Development of 
Its Enterprise Architecture, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO/AIMD-00-212] (Washington, D.C.: Aug. 1, 2000). 

[26] These programs are deployed and in operation, and they preceded 
deployment of the Navy Cash program. 

[27] Business or operational activities are tasks normally conducted in 
the course of achieving a mission or a business goal. The BEA describes 
business or operational activities relevant to specific aspects of the 
business mission areas, such as financial visibility. 

[28] Office of Management and Budget, Guidelines and Discount Rates for 
Benefits-Cost Analysis of Federal Programs, Circular A-94 (Washington, 
D.C.: Oct. 29, 1992); Planning, Budgeting, Acquisition and Management 
of Capital Assets, Circular A-11, Part 7 (Washington, D.C.: June 26, 
2008). 

[29] Transfers represent shifts of control over resource allocation 
from one group to another that do not result in economic gains. Rather, 
the benefits to the group that receives the transfer are offset by the 
costs borne by the group that provides the transfer. 

[30] OMB, Circular No. A-11, Preparation, Submission, and Execution of 
the Budget, (Washington, D.C.: Executive Office of the President, June 
2006); Circular No. A-130 Revised, Management of Federal Information 
Resources, (Washington, D.C.: Executive Office of the President, Nov. 
28, 2000); and Capital Programming Guide: Supplement to Circular A-11, 
Part 7: Planning, Budgeting, and Acquisition of Capital Assets, 
(Washington, D.C.: Executive Office of the President, June 2006). 

[31] GAO, Cost Assessment Guide: Best Practices for Estimating and 
Managing Program Costs, Exposure Draft, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-07-1134SP] (Washington, D.C.: 
July 2007). 

[32] A risk analysis can be accomplished by the use of a Monte Carlo 
simulation, which involves the use of random numbers and probability 
distributions to examine random outcomes. 

[33] OMB, Guidelines and Discount Rates for Benefits-Cost Analysis of 
Federal Programs, Circular A-94 (Washington, D.C.: Oct. 29, 1992); 
Planning, Budgeting, Acquisition and Management of Capital Assets, 
Circular A-11, Part 7 (Washington, D.C.: June 26, 2008). 

[34] OMB Circular No. A-94, § 6(a)(4). 

[35] Clinger-Cohen Act of 1996, 40 U.S.C. sections 11101-11704, and 
OMB, Circular No. A-130, Management of Federal Information Resources 
(Nov. 30, 2000). 

[36] DOD, Defense Acquisition Guidebook, Version 1.0 (Oct. 17, 2004). 

[37] This center is responsible for, among other things, manpower 
analysis and work studies as directed by the Chief of Naval Operations. 

[38] For example, see DOD, Department of Defense Directive Number 
5000.1, The Defense Acquisition System (May 12, 2003); Department of 
Defense Instruction Number 5000.2, Operation of the Defense Acquisition 
System (May 12, 2003); Defense Acquisition Guidebook, Version 1.0 (Oct. 
17, 2004); and Software Engineering Institute, CMMI for Acquisition, 
Version 1.2, CMU/SEI-2007-TR-017 (Pittsburgh, Pa.: November 2007). 

[39] DOD, Defense Acquisition Guidebook, Version 1.0 (Oct. 17, 2004). 
Software Engineering Institute, Software Acquisition Capability 
Maturity Model® (SA-CMM®) version 1.03, CMU/SEI-2002-TR-010 
(Pittsburgh, Pa.: March 2002). 

[40] DOD, Risk Management Guide for DOD Acquisition, 6th Edition, 
Version 1.0, [hyperlink, 
http://www.acq.osd.mil/sse/ed/docs/2006-RM-Guide-4Aug06-final-version.pdf] 
(accessed Mar. 13, 2008) and Software Engineering Institute, CMMI for 
Acquisition, Version 1.2, CMU/SEI-2007-TR-017 (Pittsburgh, Pa.: 
November 2007). 

[41] CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and 
Computer Network Defense (CND), CH 3, 8 Mar 06. 

[42] National Institute of Standards and Technology, Creating a Patch 
and Vulnerability Management Program, Special Publication 800-40 
(November 2005). 

[43] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. 
No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). 

[44] NIST, Guide for the Security Certification and Accreditation of 
Federal Information Systems, Special Publication 800-37 (May 2004). 

[45] This guidance for a comprehensive plan of action and milestones 
was distributed by the Navy Operational Designated Approving Authority, 
within the Naval Network Warfare Command, which is DON's central 
operational authority for information technology requirements, network 
and information operations in support of naval forces afloat and 
ashore. This command is responsible for granting Navy Cash its 
authority to operate. 

[46] Financial agent services are authorized under a number of 
statutes, including but not limited to, 12 U.S.C. § 265 and 12 U.S.C. § 
332. 

[47] Circular No. A-130; and OMB, FY 2007 Reporting Instructions for 
the Federal Information Security Management Act and Agency Privacy 
Management, OMB Memoranda M-07-19, July 25, 2007. 

[48] NIST, Contingency Planning Guide for Information Technology 
Systems, Special Publication 800-34 (June 2002). 

[49] IEEE Std 12207-2008, Systems and software engineering - Software 
life cycle processes, (Piscataway, N.J.: 2008). 

[50] We did not assess the assertion by FMS that Navy Cash funds 
constitute public money and thus must be held in the Treasury or in an 
account held by a Treasury designated financial agent. 

[51] Ronald W. Reagan National Defense Authorization Act for Fiscal 
Year 2005, Pub. L. No. 108-375, § 332 (2004) (codified at 10 U.S.C. §§ 
186 and 2222). 

[52] Office of Management and Budget, Guidelines and Discount Rates for 
Benefit-Cost Analysis of Federal Programs, Circular No. A-94 (Oct. 29, 
1992); Planning, Budgeting, Acquisition and Management of Capital 
Assets, Circular A-11, Part 7 (Washington, D.C.: June 26, 2008); GAO, 
Cost Assessment Guide: "Best Practices for Estimating and Managing 
Program Costs," 2007 exposure draft. 

[53] Software Engineering Institute, Software Acquisition Capability 
Maturity Model® (SA-CMM®), version 1.03, CMU/SEI-2002-TR-010 
(Pittsburgh, Pa.: March 2002). 

[54] DOD, Risk Management Guide for DOD Acquisition, 6th Edition, 
Version 1.0, [hyperlink, 
http://www.acq.osd.mil/sse/ed/docs/2006-RM-Guide-4Aug06-final-version.pdf] 
(accessed Mar. 13, 2008). 

[55] Software Engineering Institute, CMMI for Acquisition, Version 1.2, 
CMU/SEI-2007-TR-017 (Pittsburgh, Pa.: November 2007). 

[56] GAO, Year 2000 Computing Crisis: A Testing Guide, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-10.1.21] (Washington, D.C.: 
November 1998); and IEEE Std 12207-2008, Systems and software 
engineering - Software life cycle processes (Piscataway, N.J.: 2008). 

[End of section] 
