Statement of
Glenn A. Fine
Inspector General, U.S. Department of Justice
before the
Senate Committee on Appropriations
Subcommittee on Commerce, Justice, State and the Judiciary
concerning
"The Federal Bureau of Investigation’s
Trilogy Information Technology Modernization Project"
February 3, 2005
* * * * *
Mr. Chairman, Senator Leahy, and Members of the Subcommittee on Commerce, Justice, State and the Judiciary: I appreciate the opportunity to testify before the Subcommittee as it examines the Federal Bureau of Investigation’s (FBI) Trilogy information technology (IT) modernization project. The Trilogy project was designed to upgrade the FBI’s IT infrastructure and replace its antiquated case management system with the Virtual Case File (VCF). Successful implementation of the Trilogy project is essential to modernizing the FBI’s inadequate information technology systems. The FBI’s systems currently do not permit FBI agents, analysts, and managers to readily access and share case-related information throughout the FBI. Without this capability, the FBI cannot perform its critical missions as efficiently and effectively as it should. In March 2004, this Subcommittee held a hearing on the status of the Trilogy project, and I testified about the schedule delays and cost increases of the Trilogy project. At that time, I stated that I was skeptical about the FBI’s proposed schedule to deploy a fully functional, complete version of the VCF before the end of calendar year 2004. Shortly before the hearing, the Office of the Inspector General (OIG) initiated a follow-up audit to assess the FBI’s management of the Trilogy project. Today the OIG released the results of this follow-up audit. Our audit found that the FBI successfully has completed the Trilogy IT infrastructure upgrades – albeit with delays and significant cost increases. However, the FBI has failed to complete and deploy the VCF, the critical component of Trilogy that was intended to provide the FBI with an effective case management system. The VCF still is not operational after more than 3 years of development and the allocation of $170 million. We found that the VCF either will require substantial additional work or need to be scrapped and replaced by a new system. Moreover, the FBI has not yet provided a realistic timetable or cost estimate for implementing a workable VCF or a successor system. Our audit also examined the causes for the delays and cost increases in the Trilogy project. Among the problems were poorly defined and slowly evolving design requirements for Trilogy, weak IT investment management practices at the FBI, weaknesses in the way contractors were retained and overseen, the lack of management continuity at the FBI on the Trilogy project, unrealistic scheduling of tasks on Trilogy, and inadequate resolution of issues that warned of problems in Trilogy’s development. In this statement, I describe the OIG’s examination of the Trilogy project. The statement is organized into five parts. First, I provide a brief description of prior OIG assessments and testimony about the FBI’s IT systems in general and Trilogy in particular. Second, I provide background information on the Trilogy project. Third, I discuss the results of the OIG’s recently completed audit regarding Trilogy’s cost increases and schedule delays. Fourth, I discuss the OIG’s assessment of the causes for the problems in Trilogy’s development and implementation. And fifth, as requested by the Subcommittee, I conclude my statement by briefly highlighting several ongoing and recently completed OIG reviews that examine a variety of other issues in the FBI. In a series of reviews over the past several years, the OIG has identified problems in the FBI’s IT systems, including outdated infrastructures, fragmented management, ineffective systems, and inadequate training. For example, a July 1999 OIG review examined the actions of the Campaign Finance Task Force that investigated allegations of improper fundraising practices during the 1996 Presidential campaign. The Task Force relied on the FBI’s antiquated case management system, the Automated Case Support (ACS) system, and other FBI databases to obtain information on the individuals and organizations that had become subjects of the investigation. In this review, the OIG noted that deficiencies in the ACS system and the way search results were handled within the FBI resulted in incomplete data being provided to the Task Force. Another OIG review issued in March 2002 examined how the FBI had failed to turn over to defense attorneys hundreds of FBI documents that should have been disclosed prior to the trials of Timothy McVeigh and Terry Nichols. The OIG again concluded that the FBI’s computer systems were antiquated, inefficient, and badly in need of improvement. We found that the ACS could not handle or retrieve documents in a useful, comprehensive, or efficient way, and it did not provide FBI employees with the type of support they need and deserve. An OIG audit issued in December 2002 examined the FBI’s IT investment management practices. This audit concluded that that the FBI had not effectively managed its IT investments because it had failed to: 1) effectively track and oversee the costs and schedules of IT projects; 2) properly establish and effectively use IT investment boards to review projects; 3) inventory the existing IT systems and projects; 4) identify the business needs for each IT project; and 5) use defined processes to select new IT projects. We concluded that the FBI continued to spend hundreds of millions of dollars on IT projects without adequate assurance that the projects would meet their intended goals. Our audit made eight recommendations with respect to Trilogy, including urging the FBI to establish schedule, cost, technical, and performance baselines and track significant deviations from these baselines. In a September 2003 audit, the OIG examined the FBI’s implementation of the OIG’s prior IT-related recommendations. While we found that the FBI had made substantial progress by implementing 93 of 148 total recommendations, we concluded that full implementation of the remaining recommendations was needed to ensure that the FBI’s IT program effectively supported the FBI’s mission. As noted above, in March 2004 this Subcommittee held a hearing to examine Information Technology in the FBI, at which the FBI Director testified about the status of the FBI’s Trilogy project. At that hearing, the FBI stated that it planned to have “a network with Full Site Capability by late spring” and that it was “closing in on the goal of completion” of the Trilogy project. The OIG initiated our follow-up audit to assess the FBI’s management of the Trilogy project. In December 2004, the OIG completed a draft of this audit report and concluded that the VCF was not operational after more than 3 years of development and the obligation of $170 million, and the FBI did not know when the VCF or a replacement system would be implemented. Pursuant to our standard practice, in late December 2004 the OIG provided the draft audit report to the FBI for its response. In early January 2005, the FBI publicly acknowledged problems and delays in the development of the VCF. In a written response to our audit report dated January 26, 2005, the FBI acknowledged that the VCF had not met its goals with respect to development of an automated case management system. Nevertheless, the FBI stated that the “VCF project remains the highest IT priority for the FBI.” After receiving the FBI’s comments, the OIG completed this audit report and released it today. I will now provide background on the Trilogy project and the VCF before summarizing the main findings of our audit. Trilogy is the largest of the FBI’s IT projects. As originally designed, the Trilogy project had three main components: The first two components of Trilogy provide the infrastructure needed to run the FBI’s various user applications, while the UAC was intended to upgrade and consolidate the FBI’s investigative applications. After the September 11 attacks, the FBI decided to replace the ACS with an entirely new case management system, the VCF. It is important to note that Trilogy was not intended to replace all 42 of the FBI’s investigative applications or the FBI’s approximately 160 other noninvestigative applications. Rather, Trilogy was intended to lay the foundation so that future enhancements would allow the FBI to achieve a state-of-the-art IT system that integrates all of the agency’s investigative and non-investigative applications. Our audit found that in late April 2004, the FBI completed the first two components of the Trilogy project. The FBI deployed new hardware and software, including 22,251 computer workstations, 3,408 printers, 1,463 scanners, and 475 servers, and it installed new communications networks. However, as I describe in the next section of this statement, this deployment was not done as quickly as the FBI hoped or expected. Despite the fact that after the September 11 attacks Congress appropriated the FBI an additional $78 million to accelerate deployment of Trilogy’s infrastructure components, the FBI completed the two infrastructure components by late April 2004, just before the FBI’s original target date of May 2004. Consequently, the FBI missed by some 22 months the completion date for the two infrastructure components under the accelerated schedule funded by Congress. In addition, the total costs for the infrastructure components of Trilogy increased from $238.6 million to $377 million over the course of the project. And while the infrastructure components are now in place to support improved investigative applications, the FBI still is far from implementing the third component of Trilogy, the VCF. Trilogy originally was planned in 2000 as a 3-year, $380 million project. Over its life, Trilogy has become a $581 million project that has suffered a continuing series of missed completion estimates and associated cost growth. Initially, in November 2000, Congress appropriated $100.7 million for the first year of the project. In May 2001, the FBI hired DynCorp (which later merged into Computer Sciences Corporation (CSC)) as the contractor for the IPC/TNC infrastructure components of Trilogy. At that time, the scheduled completion date for the Trilogy infrastructure was May 2004. In June 2001, the FBI hired Science Applications International Corporation (SAIC) to develop the user applications component of Trilogy (which became the VCF), with a scheduled completion date of June 2004. In early 2002, the FBI informed Congress in its Quarterly Congressional Status Report that with an additional $70 million in FY 2002 funding, the FBI could accelerate the deployment of Trilogy. Congress supplemented the Trilogy budget with $78 million from the Emergency Supplemental Appropriations Act of January 2002, thereby raising projected costs to $458 million. In December 2002, the FBI estimated it needed $137.9 million more to complete Trilogy, in addition to the $78 million it had received to accelerate completion of the project. Congress approved a $110.9 million reprogramming of funds that took into account the estimates to complete the IPC/TNC portions of Trilogy, as well as an estimate of the costs to complete the UAC portion. The $110.9 million reprogramming increased the FBI’s total available funding for the project to $568.7 million. In addition, $4.3 million for operations and maintenance and $8 million for computer specialist contractor support were added in FY 2003, for a total of $581.1 million – $201 million more than originally estimated. The following table describes the cost of Trilogy under the original plan and under the current plan:
Despite the increased money provided for Trilogy, its implementation has been delayed significantly. Part of the problem we found was that a stable schedule for Trilogy never was firmly established for much of the project’s history. Beginning in 2002 the FBI’s estimated dates for completing the Trilogy project components began to swing back and forth and were revised repeatedly. The original completion date for deploying the Trilogy infrastructure (the first two components of Trilogy) was May 2004. After the September 11 attacks, the FBI recognized the urgency of completing the project and moved up the completion date for deploying the Trilogy infrastructure to June 2003. Later, the FBI said the infrastructure would be completed by December 31, 2002. Still later, the FBI informed Congress that with an additional $70 million it could accelerate deployment of Trilogy and complete the two infrastructure components by July 2002 and also deploy the most critical analytical tools in the user applications component. Yet, the timetable for completing the infrastructure components slipped from July 2002 to October 2002 and then to March 2003. On March 28, 2003, CSC completed a communications network, the Wide Area Network, for Trilogy. The FBI reported that the Wide Area Network, with increased bandwidth and three layers of security, had been deployed to 622 sites. In April 2003, the FBI also reported to Congress that more than 21,000 new desktop computers and nearly 5,000 printers and scanners had been deployed. In April 2003, the FBI and CSC agreed to a statement of work for the remaining infrastructure components of Trilogy, including servers, upgraded software, e-mail capability, and other computer hardware, with a completion date of October 31, 2003. In August 2003, CSC informed the FBI that the October 2003 completion date would slip another two months to December 2003. In October 2003, CSC and the FBI agreed that the December 2003 date again would slip. In November 2003, the General Services Administration (whose Federal Systems Integration and Management Center, known as FEDSIM, had awarded contracts for Trilogy on behalf of the FBI) formally announced that CSC had failed to meet the deadline for completing work on infrastructure portions of Trilogy that were required to support the VCF user application under development. On December 4, 2003, CSC signed a commitment letter agreeing to complete the infrastructure components of the Trilogy project by April 30, 2004, for an additional $22.9 million, including an award fee of over $4 million. An award fee is used when the government wants to motivate a contractor with financial incentives. The FBI covered these additional costs by reprogramming funds from other FBI appropriations. In January 2004, the FBI converted the agreement with CSC to a revised statement of work providing for loss of the award fee if the April 30, 2004, deadline was not met. In addition, the revised statement of work provided for cost sharing at a rate of 50 percent for any work remaining after the April 30 deadline. CSC met the revised deadline of April 30, 2004, for completing the two infrastructure components of Trilogy. As a result, the FBI met the original target set in 2001 for the infrastructure components of Trilogy, but missed the accelerated schedule funded by additional money from Congress by some 22 months. In June 2002, the FBI decided to deploy the VCF user application component of Trilogy in two phases under an accelerated plan: delivery one in December 2003 and delivery two in June 2004. A third delivery eventually was added, also for June 2004. Delivery one was supposed to consist of the initial version of the VCF, which was intended to be a completely new case management system with data migrated from the ACS. The VCF also was intended to serve as the backbone of the FBI’s information management systems, replacing paper files with electronic case files. Deliveries two and three under the contract were supposed to consist of enhancements and additional operational capabilities to the VCF. SAIC provided the first version of the VCF to the FBI in December 2003, in accordance with the accelerated schedule. However, the FBI did not accept that version because the FBI said it was not a functional system and did not meet the FBI’s requirements. Deliveries two and three never occurred because of the difficulties experienced in completing the initial version of the VCF. The FBI informed the OIG that these deliveries are not being pursued now given the problems in the first delivery and the FBI’s plans to seek a common interagency platform for a case management system (the Federal Investigative Case Management System or FICMS, which is discussed below). In fact, the FBI has abandoned the intended three VCF deliveries and instead announced a new two-track approach for continuing development of the VCF. Track one, which the FBI refers to as the “Initial Operational Capability,” includes a 6-week test of an electronic workflow process scheduled to be completed by March 2005. During this test, the FBI’s New Orleans field office and a smaller resident agency office will enter investigative lead and case data into a prototype VCF file system, and this information will be approved electronically and uploaded into the ACS. The FBI intends to obtain user comments on, and assess the performance of, this new workflow system being tested in track one. However, it is important to make clear that the version of the VCF being tested in track one will not provide the FBI with the case management applications as envisioned throughout the Trilogy project because it represents just one developmental step in the creation of a fully functional investigative case management system. It does not offer full case management capabilities. Rather, it is designed to demonstrate that documents can be approved electronically and uploaded into the existing, obsolete ACS. The second track, called Full Operational Capability, is intended to reevaluate and update requirements for the next phase of developing a functional case management system to replace ACS. In track two, the FBI plans to identify user activities and processes for creating and approving documents and managing investigative leads, evidence, and cases. As a result of the information gleaned during track two, the FBI is updating and confirming the case management requirements and evaluating whether currently available software can be adapted for a case management system rather than creating a completely new system. In commenting on the findings in our audit report about the delays in the VCF, the FBI stated that “In many ways, the pace of technological innovation has overtaken our original vision for VCF, and there are now products to suit our purposes that did not exist when Trilogy began.” This suggests that the current VCF effort may be obsolete and that the FBI may implement an entirely new system to replace it. Moreover, our audit found that the FBI still does not have a clear timetable or prospect for completing the project. The VCF case management application was intended to replace the ACS and be the sole system within the FBI that would contain all investigative lead and case file information in a paperless system. Due to the failure to complete the VCF, the FBI continues to lack a modern case management system containing complete and accessible investigative lead and case information. While the FBI cites in its response to our report advances in other FBI IT systems, such as its newly created Investigative Data Warehouse, the VCF case management system would have many features that a Data Warehouse does not. The VCF was intended to be the backbone of the FBI’s information systems, replacing the FBI’s paper case files with electronic files. Case data in the VCF could be approved electronically, and the electronic files would be available throughout the FBI immediately as entered. Various lead and case information easily could be associated for analysis. The Investigative Data Warehouse, while perhaps a useful tool, does not manage case workflow, does not provide immediate access to case information, and does not substitute for an effective case management system. Consequently, the FBI continues to lack critical tools necessary to maximize the performance of both its criminal investigative and national security missions. As a parallel effort to the VCF, the FBI recently has stated that it is pursuing an effort to develop the Federal Investigative Case Management System (FICMS). FBI officials have variously described this effort to the OIG during the course of our audit as a continuation of the VCF, a new investigative case management system to replace the failed VCF, or a “framework” for the future development of an investigative case management system platform. In its January 26, 2005, formal response to the OIG audit report, however, the FBI stated that the VCF and the FICMS are “two separate, but related projects that will move forward simultaneously. The VCF project remains the highest IT priority for the FBI, and we are developing an implementation plan that will result in deployment of a fully functional investigative case and records management system.” The FBI also stated in its response that it is continuing to pursue the VCF through development of an implementation plan. The FBI hired the Aerospace Corporation to evaluate currently available software products to determine if they meet the FBI’s requirements for a case management system. The FBI also asked Aerospace to evaluate the adequacy of the VCF as delivered by SAIC to determine what might be salvaged from that effort. Yet, the timetable for the FICMS and the VCF still does not appear to be rapid or clear. In conjunction with the OIG’s audit, the FBI told the OIG that it hopes to award a contract for FICMS by April 30, 2005. But the FBI has not provided its estimated costs, a revised schedule for completing the VCF, or a schedule for developing a new case management system to replace the VCF through the FICMS effort. We believe the responsibility for ensuring the success of the Trilogy project is shared by several parties: the FBI; the Department of Justice; FEDSIM – the component of GSA that awarded Trilogy contracts on behalf of the FBI; and the two contractors – CSC for the two infrastructure components, and SAIC for the user applications component that became the VCF. These entities, to varying degrees, did not appropriately contract for, manage, monitor, or implement the Trilogy project. In our view, the main responsibility for the problems with Trilogy rests with the FBI. The FBI acted on a legitimate and urgent need to upgrade its IT infrastructure and replace the antiquated ACS. However, in the FBI’s desire to move quickly on the Trilogy project, it engaged FEDSIM to handle the contracting for this very large and complex project without providing or insisting upon: The resulting cost-plus-award-fee contract yielded control to the contactors for developing Trilogy’s technical requirements, while leaving the FBI little leverage to direct the project. In essence, the contract terms required paying the contractors regardless of whether they met schedules or were even technically capable of completing such a challenging project. In addition, the FBI failed to adequately develop and articulate the design requirements at the outset of the project, and consequently the requirements repeatedly changed as the project progressed, with too much contractor control and too little input from FBI management. In its response to the audit report, the FBI alluded to its lack of control over requirements as a reason for the current VCF problem by stating that “[T]he VCF project suffered in part from runaway scope.” The FBI response also stated that to guard against runway scope in the future, “the IT system will be designed, developed, and deployed incrementally against specified and planned parameters.” In addition to the poor choice of contracting method and sketchy requirements, neither the FBI, the Department, nor FEDSIM ensured that adequate schedule, cost, technical, and performance baselines were established to allow the project to be adequately monitored and to identify and rectify schedule slippages or technical problems. Since none of the responsible parties ensured that realistic milestones were established to complete various segments of the project, it was difficult to ensure that the contractors successfully met overall schedule, cost, technical, or performance targets for the project. In addition, the Department expected the FBI to assume the role of project integrator to ensure all three Trilogy components meshed properly and were on track, even though the FBI lacked this capability or experience. The FBI’s ability to manage the Trilogy project, even with the help of contractor personnel, was crippled further by a revolving door of Chief Information Officers (CIOs) and Trilogy project management personnel at the FBI. A variety of audits by the OIG and the Government Accountability Office, as well as internal FBI reviews, had identified deficiencies in the FBI’s management of IT projects, including Trilogy. However, the FBI’s corrective action was slow. Only recently has the FBI made substantial progress in its IT investment management processes. More specifically, in our audit report the OIG detailed the following eight causes for the FBI’s problems with the Trilogy project: I believe it is important to note that, despite the troubled history of the Trilogy project, the FBI recently has made some improvements in its management of information technology. One major improvement in the FBI’s IT management was the appointment of a new CIO in May 2004 and the consolidation of the FBI’s previously fragmented management of IT resources and responsibilities under the Office of the CIO. A significant problem in the FBI’s management of IT investments was that all of the FBI divisions with IT investments were not under a single authority and, as a result, had a variety of processes and procedures for developing new systems. Under the reorganization, the CIO is responsible for all of the FBI’s IT assets, projects, plans, processes, and budgets. In December 2004, the Office of the CIO completed an initial version of an IT Strategic Plan, which describes how IT will support the FBI’s Strategic Plan and mission goals for the next five years. All IT projects now are required to be consistent with the FBI’s Strategic Plan. The Office of the CIO also has developed an FBI-wide Life Cycle Management Directive to guide FBI personnel on the technical management and engineering practices used to plan, acquire, operate, maintain, and replace IT systems and services. The directive provides detailed guidance to FBI Program and Project Managers and, if fully and effectively implemented, will help prevent the delays and problems that occurred during the Trilogy project. As noted above, the FBI also is in the process of creating an Enterprise Architecture by September 2005. The Enterprise Architecture will provide a blueprint to aid the FBI in coordinating and managing its current and future IT infrastructure and systems. The FBI also is working on an IT Portfolio Management Program to list and technically document all of its IT systems. The FBI anticipates that recommendations stemming from its completed IT portfolio will be included in the development of its fiscal year 2007 IT budget. In commenting on the OIG’s Trilogy audit report, the FBI cited a number of other improvements it has begun to make, such as an IT metrics program to identify and measure IT performance, an initiative to standardize and automate IT procurement actions, a Program Management Professional certification training program, a Master IT Policy List to coordinate and control IT policies, standardized technology assessments, and an Information Assurance Program. Further, the FBI told us that VCF track one, or Initial Operating Capability, used the FBI’s new IT management approach, including identifying project objectives, requirements, and constraints before proceeding to control gates designed to keep the project on track and to regulate the release of funds. Also, the FBI said it developed a cost-sharing arrangement as part of the renegotiated UAC contract. These initiatives were beyond the scope of our audit, and we could not examine the FBI’s claims on these systems. However, they appear to represent progress in the FBI’s IT system. But none of them diminish the urgent need for the FBI to fully implement a fully functioning case management system like the VCF to create, organize, share, and analyze case information. In sum, the FBI has made progress with its management of IT and its implementation of the first two phases of Trilogy. Trilogy’s infrastructure improvements have been completed, including the delivery of thousands of modern computer workstations and other hardware throughout the FBI. Although the Trilogy infrastructure improvements were characterized by delays and increased costs, the infrastructure now is in place to support improved user applications, including the VCF or its successor case management system, which the FBI recognizes as its top IT priority. Yet, the VCF effort is incomplete, and the prospects for timely completion remain unclear. After more than 3 years, multiple missed deadlines, and a price tag of $170 million, the FBI still does not have an investigative case management system to replace the antiquated ACS system. Further, we are not confident that the FBI has a firm sense of how much longer and how much more it will cost to develop and deploy a usable system, whether the FBI continues to pursue the VCF system or decides to implement a new case management system. Finally, we disagree with the FBI’s assertion in its response to our draft report that the delays in deploying the VCF and the lack of an adequate case management system do not have national security implications. To the contrary, we believe there is a critical need to replace the ACS to enable FBI agents and analysts to effectively perform the FBI’s mission. The archaic ACS system – which some agents have avoided using – is cumbersome, inefficient, and limited in its capabilities, and does not manage, link, research, analyze, and share information as effectively or timely as needed. While the FBI has made strides in other IT areas – including installing a number of systems to share intelligence information and upload numerous documents into a data warehouse – the continued delays in developing the VCF affects the FBI’s ability to carry out its critical missions. To conclude this statement, in response to a request from the Subcommittee, I summarize briefly the OIG’s ongoing reviews of other priority issues in the FBI. The following are examples of ongoing and recently completed OIG reviews that may be of interest to the Subcommittee. The following are some examples of recently completed OIG reviews related to FBI operations: |