This is the accessible text file for GAO report number GAO-07-912 entitled 'Information Technology: FBI Following a Number of Key Acquisition Practices on New Case Management System, but Improvements Still Needed' which was released on August 3, 2007. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: July 2007: Information Technology: FBI Following a Number of Key Acquisition Practices on New Case Management System, but Improvements Still Needed: GAO-07-912: GAO Highlights: Highlights of GAO-07-912, a report to congressional requesters Why GAO Did This Study: The Sentinel program is intended to replace and expand on the Federal Bureau of Investigation’s (FBI) failed Virtual Case File (VCF) project and thereby meet the bureau’s pressing need for a modern, automated capability to support its field agents and intelligence analysts' investigative case management and information sharing requirements. Because of the FBI’s experience with VCF and the importance of Sentinel to the bureau’s mission operations, GAO was asked to conduct a series of reviews on the FBI’s management of Sentinel. This review focuses on the FBI's (1) use of effective practices for acquiring Sentinel and (2) basis for reliably estimating Sentinel's schedule and costs. To address its objectives, GAO researched relevant best practices, reviewed FBI policies and procedures, program plans and other program documents, and interviewed appropriate program officials. What GAO Found: The FBI is managing its Sentinel program according to a number of key systems acquisition best practices. For example, the FBI has followed best practices when soliciting offers from contractors to lead the development of Sentinel; it has also followed the practices in evaluating the offers and making a contract award decision. In addition, it has established and is following effective processes to proactively identify and mitigate program risks before they have a chance to become actual cost, schedule, or performance problems. Further, it has taken a range of steps to effectively define expectations for its prime contractor and to measure performance against these expectations and related incentives and hold the contractor accountable for results. However, the bureau has not done the same for one key aspect of tracking and overseeing its program management support contractors. In particular, it has not established performance and product quality standards for these support contractors. According to FBI officials, such standards are not necessary because they monitor their support contractors on a daily basis, including the review and approval of all work products. By not implementing this practice, GAO believes that the FBI’s monitoring does not adequately ensure that Sentinel support contractors are performing important program management functions effectively and efficiently. The FBI’s policies, procedures, and supporting tools that form the basis for Sentinel’s schedule and cost estimates do not adequately reflect key best practices. While the FBI has issued an IT program management handbook, related guidance, and tools that define how IT program schedules and costs are to be estimated, this handbook and related material do not, for example, address such key practices as having a historical database of program schedule and cost estimates to inform future estimates. As a result, the reliability of Sentinel’s schedule and cost estimates is questionable. GAO’s analyses of the Sentinel cost estimates and program officials’ statements confirm this. For example, the analyses show that the estimates do not include all relevant costs, such as a technology refresh, and are not grounded in fully documented methodologies or a corporate history of experiences on other IT programs. FBI officials agreed that they need to update their IT program management handbook and related materials to incorporate schedule and cost estimating best practices and to establish a historical database of its estimating experiences on IT programs. Until FBI takes these steps, IT programs, such as Sentinel, are unlikely to have reliable schedule and cost estimates to support informed investment decision making, and their actual progress is unlikely to track closely to estimates. What GAO Recommends: To increase the chances of Sentinel’s success, GAO is recommending that the FBI (1) strengthen support contractor tracking and oversight and (2) establish and implement policies, procedures, and tools needed to develop reliable schedule and cost estimates for IT programs, including Sentinel. The FBI concurred with GAO’s second recommendation, but not the first. GAO does not agree with FBI’s position. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-912]. To view the full product, including the scope and methodology, click on the link above. For more information, contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Information Technology Is Instrumental to FBI Mission Operations: FBI Is Largely Following Several Best Practices in Managing Key Aspects of Sentinel: FBI Policies and Procedures Governing Sentinel Schedule and Cost Estimates Do Not Reflect Important Best Practices: Conclusions: Recommendations: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Key IT System Acquisition Best Practices: Appendix III: Sentinel Implementation of Contract Tracking and Oversight Best Practices: Appendix IV: Comments from the Federal Bureau of Investigations: Appendix V: GAO Contact and Staff Acknowledgments: Tables: Table 1: Summary of Business Systems Acquisition Best Practices: Table 2: FBI's Implementation of Contract Solicitation and Award Best Practices for Sentinel: Table 3: FBI's Implementation of Risk Management Best Practices for Sentinel: Table 4: FBI's Implementation of Organizational Change Management Best Practices for Sentinel: Table 5: Sentinel's Implementation of Configuration Management Best Practices: Table 6: Sentinel's Implementation of Contract Tracking and Oversight Best Practices: Table 7: FBI's Implementation of Best Practices for Schedule Estimation: Table 8: Summary of FBI Policies' and Procedures' Reflection of Best Practices Characteristics for Cost Estimating: Table 9: Sentinel Implementation of Contract Tracking and Oversight Best Practices on Prime Contract: Table 10: Sentinel Implementation of Contract Tracking and Oversight Best Practices for Support Contractors: Figures: Figure 1: Sentinel Program Office Structure: Figure 2: Configuration Control Process for Sentinel: Abbreviations: CIO-SP2i: Chief Information Officer-Solutions and Partners 2: COTS: commercial off-the-shelf: GEMPC: government estimate of most probable cost: GWAC: governmentwide acquisition contract: IGCE: independent government cost estimate: NIH: National Institutes of Health: VCF: Virtual Case File: United States Government Accountability Office: Washington, DC 20548: July 30, 2007: The Honorable Barbara Mikulski: Chair: The Honorable Richard Shelby: Ranking Member: Subcommittee on Commerce, Justice, Science, and Related Agencies: Committee on Appropriations: United States Senate: The Honorable John Conyers Jr. Chairman: The Honorable Lamar Smith: Ranking Member: Committee on the Judiciary: House of Representatives: The Honorable F. James Sensenbrenner Jr. House of Representatives: In early 2005, the Federal Bureau of Investigation (FBI) began its Sentinel program, estimated to be a 6-year, $425 million program to replace and expand both its failed Virtual Case File (VCF) project and its antiquated, paper-based, legacy system for supporting mission- critical intelligence analysis and investigative case management activities. One of the reasons we and others have cited for VCF's failure was limited use of acquisition management best practices. Because of the FBI's experience with VCF and the importance of Sentinel to the bureau's mission operations, you requested us to review the FBI's management of Sentinel. In response to your request, we agreed to perform a series of incremental reviews to address a broad range of objectives. We initiated our work on these reviews in August 2005 and released the first of our reports on Sentinel in October 2006.[Footnote 1] This report provides the results of our second review. As agreed, the two specific objectives for this report are to determine the FBI's (1) use of effective practices for acquiring Sentinel and (2) basis for reliably estimating Sentinel's schedule and costs. For the first objective, we focused on contract solicitation and award, risk management, organizational change management, configuration management, and contractor tracking and oversight. In addressing both objectives, we researched relevant best practices, reviewed FBI policies and procedures, program plans and other program documents, and interviewed appropriate program officials to ascertain whether the practices had been defined and implemented. We conducted our work from our Washington, D.C., headquarters and at FBI headquarters and facilities in the greater Washington, D.C., metropolitan area between September 2005 and May 2007 in accordance with generally accepted government auditing standards. Details on our objectives, scope, and methodology are included in appendix I. Results in Brief: The FBI is managing various aspects of Sentinel according to a number of effective system acquisition best practices. According to FBI officials, they have made these practices an area of focus in order to minimize Sentinel's exposure to risk. Our research shows that use of these and other practices increase the chances of program success. For Sentinel, the FBI has: * taken appropriate steps when soliciting proposals from contractors to lead the development of Sentinel and when evaluating the offers and awarding contracts; * established and is following effective processes to proactively identify and mitigate program risks before they have a chance to become actual cost, schedule, or performance problems; * begun to plan and position itself for the human capital and business process changes that are embedded in the commercial software products that are to be used for Sentinel, such as changes to staff roles and responsibilities and the procedures governing the execution of them; * established and is implementing controls and tools for systematically identifying Sentinel's component parts (software, hardware, and documentation) and controlling this configuration of parts in a way that reasonably ensures the integrity of each; and: * undertaken a range of activities to effectively define expectations for the prime contractor and to measure performance against and to hold the contractor accountable for meeting these expectations. However, the bureau is not effectively performing a key tracking and oversight practice for its many support contractors that are performing program management functions. Specifically, it has not defined metrics- based performance standards for these contractors' services and products. FBI officials stated that this practice is not necessary because they monitor these support contractors on a daily basis, including review and approval of all work products. Given the bureau's extensive reliance on support contractors to augment its own program management staff, taking a more proactive, standards-based approach to maximize the performance of support contractors is important to Sentinel's overall success. By not establishing standards in statements of work governing the quality of these contractors' products and services, the FBI cannot adequately ensure that its support contractors are performing important program management functions efficiently. The FBI's policies and procedures that form the basis for Sentinel's schedule and cost estimates are not fully consistent with reliable estimating practices. While the FBI has issued an IT program management handbook, related guidance, and tools that define how IT program schedules and costs are to be estimated, this handbook and related material do not, for example, address having a historical database of program schedule and cost estimates to inform future estimates. As a result, the reliability of Sentinel schedule and cost estimates is questionable. In this regard, our analysis of the Sentinel cost estimates shows that they do not include all relevant costs, such as a technology refresh and government labor and inflationary costs, and are not adequately grounded in fully documented methodologies or a corporate history of experiences on other IT programs. These limitations are in part because of the absence of key practices in the FBI's handbook and related materials and in part because the FBI did not follow its own handbook in estimating Sentinel's costs. Without reliable estimates, FBI leadership and Congress will not have an adequate basis for informed program decision making, and program execution is unlikely to track closely to estimates. To ensure that the FBI maximizes the performance of its support contractors and produces and uses reliable cost and schedule estimates on programs like Sentinel, we are recommending that the bureau strengthen one key aspect of support contractor tracking and oversight and establish and implement the policies, procedures, and tools needed to reliably develop schedule and cost estimates for all its IT programs, including Sentinel. In written comments on a draft of this report, signed by the FBI Chief Information Officer, the bureau stated that it agreed with our second recommendation. However, the bureau disagreed with the first recommendation, stating that its existing efforts to track and oversee each Sentinel support contractor are sufficient. However, the FBI's comments did not fully address the underlying basis for our recommendation, which was that the absence of defined quality and timeliness standards for support contractor products and services limits the bureau's ability to clearly direct and measure contractor performance, in turn limiting how effectively and efficiently key program management functions could be performed. As a result, we disagree with the FBI's position on this recommendation. The FBI also provided technical comments, which we have incorporated as appropriate into the report. Background: The FBI serves as the primary investigative unit of the Department of Justice. The FBI's mission includes investigating serious federal crimes, protecting the nation from foreign intelligence and terrorist threats, and assisting other law enforcement agencies. Approximately 12,000 special agents and 16,000 analysts and mission support personnel are located in the bureau's Washington, D.C., headquarters and in more than 70 offices in the United States and in more than 50 offices in foreign countries. Mission responsibilities at the bureau are divided among a number of major organizational components, including: Administration: manages the bureau's personnel programs, budgetary and financial services, records, information resources, and information security. National Security: integrates investigative and intelligence activities against current and emerging national security threats and provides information and analysis for the national security and law enforcement communities. Criminal Investigations: investigates serious federal crimes and probes federal statutory violations involving exploitation of the Internet and computer systems. Law Enforcement: provides law enforcement information and forensic services to federal, state, local, and international agencies. Office of the Chief Information Officer: develops the bureau's IT strategic plan and operating budget and develops and maintains technology assets. Information Technology Is Instrumental to FBI Mission Operations: To execute its mission responsibilities, the FBI relies extensively on the use of information systems. In particular, the bureau operates and maintains hundreds of computerized systems, databases, and applications, such as: * the Combined DNA Index System, which supports forensic examinations; * the National Crime Information Center and the Integrated Automated Fingerprint Identification System, which help state and local law enforcement agencies identify criminals; * the Automated Case Management System, which manages information collected on investigative cases; * the Investigative Data Warehouse, which aggregates data from disparate databases in a standard format to facilitate content management and data mining; and: * the Terrorist Screening Database, which consolidates identification information about known or suspected international and domestic terrorists. Following the terrorist attacks in the United States on September 11, 2001, the FBI shifted its mission focus to detecting and preventing future attacks and began to reorganize and transform. According to the bureau, the complexity of this mission shift, along with the changing law enforcement environment, strained its existing IT environment. As a result, the bureau accelerated the IT modernization program that it had begun in September 2000. This program, later named Trilogy, was the FBI's largest IT initiative to date and consisted of three parts: (1) the Information Presentation Component to upgrade FBI's computer hardware and system software, (2) the Transportation Network Component to upgrade the agency's communication network, and (3) the User Application Component to upgrade and consolidate the bureau's five key investigative software applications. The heart of this last component became the Virtual Case File (VCF) project, which was intended to replace the obsolete Automated Case Support system, FBI's primary case management application. While the first two components of Trilogy experienced cost overruns and schedule delays, in part because of fundamental changes to requirements, both are currently operating. However, we recently reported[Footnote 2] that certain information security controls over the Trilogy-related network were ineffective in protecting the confidentiality, integrity, and availability of information and information resources. For instance, we found that FBI did not consistently (1) configure network devices and services securely to prevent unauthorized insider access; (2) identify and authenticate users to prevent unauthorized access; (3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; (4) apply strong encryption techniques to protect sensitive data on its networks; (5) log, audit, or monitor security- related events; (6) protect the physical security of its network; and (7) patch key servers and workstations in a timely manner. Taken collectively, we concluded that these weaknesses place sensitive information transmitted on the network at increased risk of unauthorized disclosure or modification and could result in a disruption of service. Accordingly, we recommended that the FBI Director take several steps to fully implement key activities of the bureau's information security program for the network. These activities include updating assessments and plans to reflect the bureau's current operating environment, providing more comprehensive coverage of system tests, and correcting security weaknesses in a timely manner. In commenting on this report, the FBI's Chief Information Officer (CIO) concurred with many of our recommendations, but did not believe that the bureau had placed sensitive information at an unacceptable risk for unauthorized disclosure, modification, or insider threat exploitation. The CIO cited significant strides in reducing risk since the Robert Hanssen espionage investigation. In response, we stated that until weaknesses identified in network devices and services, identification and authentication, authorization, cryptography, audit and monitoring, physical security, and patch management are addressed, increased risk to FBI's critical network remains. Further, until the bureau fully and effectively implements certain information security program activities for the network, security controls will likely remain inadequate or inconsistently applied. The third component of Trilogy--VCF-- never became fully operational. In fact, the FBI terminated the project after Trilogy's overall costs grew from $380 million to $537 million. VCF fell behind schedule and pilot testing showed that completing it was infeasible and cost prohibitive. Among reasons we and others have cited for VCF's failure were poorly defined system requirements, ineffective requirements change control, limited contractor oversight, and human capital shortfalls because of, for example, no continuity in certain management positions and a lack of trained staff for key program positions. Sentinel: A Brief Description: The Sentinel program began in 2005, and is intended to be both the successor to and an expansion of VCF. In brief, Sentinel is to meet FBI's pressing need for a modern, automated capability for investigative case management and information sharing to help field agents and intelligence analysts perform their jobs more effectively and efficiently. The program's key objectives are to (1) successfully implement a system that acts as a single point of entry for all investigative case management and that provides paperless case management and workflow capabilities, (2) facilitate a bureau-wide organizational change management program, and (3) provide intuitive interfaces that feature data relevant to individual users. Using commercially available software and hardware components, Sentinel is to provide a range of investigative case management and workflow capabilities, including: * leads management and evidence management; * document and records management, indexed searching, and electronic workflow; * links to legacy FBI systems and external data sources; * training, statistical, and reporting tools; and: * security management. The FBI chose to use a governmentwide acquisition contract[Footnote 3] (GWAC) for Sentinel after conducting a multi-step evaluation of the different GWACs available to federal agencies. In August 2005, the FBI issued a request for vendor proposals to more than 40 eligible companies under a National Institutes of Health (NIH)[Footnote 4] contracting vehicle. According to the CIO, the request was also provided to more than 500 eligible subcontractors. For the next 8 months, FBI's Sentinel Source Selection Evaluation Team reviewed and evaluated vendors' responses to the task order request for proposal to determine which proposal represented the best value. The evaluation team recommended--and FBI ultimately chose--Lockheed Martin as the primary Sentinel contractor. In March 2006, the FBI awarded the task order to develop and integrate Sentinel to Lockheed Martin. The FBI has structured the acquisition of Sentinel into four phases; the completion of each is expected to span about 12 to 18 months. According to FBI officials, the FBI is conducting end user training for Phase 1 and expects to roll out the Phase 1 production in June 2007. The specific content of each phase is to be proposed by and negotiated with the prime contractor. The general content of each phase has these and other capabilities include: Phase 1: A Web-based portal that will provide a data access tool for the Automated Case Management System and other legacy systems; a service-oriented architecture[Footnote 5] definition to support delivery and sharing of common services across the bureau. Phase 2: Case document and records management capabilities, document repositories, improved information assurance, application workflow, and improved data labeling to enhance information sharing. Phase 3: Updated and enhanced system storage and search capabilities. Phase 4: Implementing the remaining components of the new case management system to replace ACS. To manage the acquisition and deployment of Sentinel, the FBI established a program management office within the CIO's office. The program office is led by a program manager and consists of the eight primary FBI units (see fig. 1). Overall, the FBI estimates that the four phases will cost about $425 million through fiscal year 2011. For fiscal year 2005, the FBI reprogrammed $97 million in appropriated funds from various sources to fund Sentinel work. For fiscal years 2006 and 2007, the FBI said it budgeted about $85 million and $138 million respectively, for Sentinel, of which it reports having obligated about $95 million. For fiscal year 2008, the FBI reports that it has budgeted about $50 million for Sentinel. Figure 1: Sentinel Program Office Structure: [See PDF for image] Source: GAO analysis of FBI data. [End of figure] Use of System Acquisition Management Best Practices Maximizes Chances for Program Success: Acquisition best practices are tried and proven methods, processes, techniques, and activities that organizations define and use to minimize program risks and maximize the chances of program success. Using best practices can result in better outcomes--including cost savings, improved service and product quality, and, ultimately, a better return on investment. For example, two software engineering analyses of nearly 200 systems acquisitions projects indicated that teams using systems acquisition best practices produced cost savings of at least 11 percent over similar projects conducted by teams that did not employ the kind of rigor and discipline embedded in these practices. In addition, our research shows that best practices are a significant factor in successful acquisition outcomes, including increasing the likelihood that programs and projects will be executed within cost and schedule estimates.[Footnote 6] We and others have identified and promoted the use of a number of best practices associated with acquiring IT systems. In 2004, we reported[Footnote 7] on 18 relevant best practices and grouped them into two categories: (1) ten practices for acquiring any type of business system and (2) eight complementary practices that relate specifically to acquiring commercial component-based business systems. Examples of these practices relevant to any business systems acquisition include ensuring that (1) reasonable planning for all parts of the acquisition occurs, (2) a clear understanding of system requirements exists, and (3) risks are proactively identified and systematically mitigated. Examples of best practices relevant to commercial component-based systems acquisitions include ensuring that (1) commercial product modification is effectively controlled, (2) relationships among commercial products are understood before acquisition decisions are made, and (3) the organizational impact of using new system functionality is proactively managed. Each of these practices is composed of from one to eight activities and is summarized in table 1 and described in greater detail in appendix II. Table 1: Summary of Business Systems Acquisition Best Practices: Best practices: Best practices relevant to any business systems acquisition: Acquisition planning; To ensure that reasonable planning for all parts of the acquisition is conducted; Activity: Best practices relevant to any business systems acquisition: * Plans are prepared during acquisition planning and maintained throughout the acquisition; * Planning addresses the entire acquisition process, as well as life cycle support of the products being acquired; * The acquisition organization has a written policy for planning the acquisition; * Responsibility for acquisition planning activities is designated. Best practices: Best practices relevant to any business systems acquisition: Architectural alignment; To ensure that the acquisition is consistent with the organization's enterprise architecture; Activity: Best practices relevant to any business systems acquisition: * The system being acquired is assessed for alignment with the enterprise architecture at key life cycle decision points, and any deviations from the architecture are explicitly understood and justified by an explicit waiver to the architecture; * Product line requirements---rather than just the requirements for the system being acquired---are an explicit consideration in each acquisition. Best practices: Best practices relevant to any business systems acquisition: Contract tracking and oversight; To ensure that contract activities are performed in accordance with contractual requirements; Activity: Best practices relevant to any business systems acquisition: * The acquiring organization has sufficient insight into the contractor's activities to manage and control the contractor and ensure that contract requirements are met; * The acquiring organization and contractor maintain ongoing communication; commitments are agreed to and implemented by both parties; * All contract changes are managed throughout the life of the contract; * The acquisition organization has a written policy for contract tracking and oversight; * Responsibility for contract tracking and oversight activities is designated; * The acquiring organization involves contracting specialists in the execution of the contract; * A quantitative set of software and system metrics is used to define and measure product quality and contractor performance; * In addition to incentives for meeting cost and schedule estimates, measurable, metrics-based product quality incentives are explicitly cited in the contract. Best practices: Best practices relevant to any business systems acquisition: Economic justification; To ensure that system investments have an adequate economic justification; Activity: Best practices relevant to any business systems acquisition: * System investment decisions are made on the basis of reliable analyses of estimated costs, expected benefits, and anticipated risks; * Large systems acquisitions are (to the maximum extent practical) divided into a series of smaller, incremental acquisition efforts, and investment decisions on these smaller efforts are made on the basis of reliable analyses of estimated costs, expected benefits, and anticipated risks. Best practices: Best practices relevant to any business systems acquisition: Evaluation; To ensure that evidence showing that the contract products satisfy the defined requirements are provided prior to accepting contractor products; Activity: Best practices relevant to any business systems acquisition: * Evaluation requirements are developed in conjunction with the contractual requirements and are maintained over the life of the acquisition; * Evaluations are planned and conducted throughout the total acquisition period to provide an integrated approach that satisfies evaluation requirements and takes advantage of all evaluation results; * Evaluations provide an objective basis to support the product acceptance decision; * The acquiring organization has a written policy for managing the evaluation of the acquired products; * Responsibility for evaluation activities is designated. Best practices: Best practices relevant to any business systems acquisition: Project management; To ensure that the project office and its supporting organizations function efficiently and effectively; Activity: Best practices relevant to any business systems acquisition: * Project management activities are planned, organized, controlled, and communicated; * The performance, cost, and schedule of the acquisition are continually measured, compared with planned objectives, and controlled; * Problems discovered during the acquisition are managed and controlled; * The acquisition organization has a written policy for project management; * Responsibility for project management is designated. Best practices: Best practices relevant to any business systems acquisition: Requirements development and management; To ensure that contractual requirements are clearly defined and understood by the acquisition stakeholders; Activity: Best practices relevant to any business systems acquisition: * Contractual requirements are developed, managed, and maintained; * The end user and other affected groups have input into the contractual requirements over the life of the acquisition; * Contractual requirements are traceable and verifiable; * The contractual requirements baseline is established prior to release of the solicitation package; * The acquisition organization has a written policy for establishing and managing the contractual requirements; * Responsibility for requirements development and management is designated; * Requirements that are mandatory versus optional are clearly delineated and used in deciding what requirements can be eliminated or postponed to meet other project goals, such as cost and schedule constraints. Best practices: Best practices relevant to any business systems acquisition: Risk management; To ensure that risks are proactively identified and systematically mitigated; Activity: Best practices relevant to any business systems acquisition: * Projectwide participation in the identification and mitigation of risks is encouraged; * The defined acquisition process provides for the identification, analysis, and mitigation of risks; * Milestone reviews include the status of identified risks; * The acquisition organization has a written policy for managing acquisition risk; * Responsibility for acquisition risk management activities is designated. Best practices: Best practices relevant to any business systems acquisition: Solicitation; To ensure that a quality solicitation is produced and a best-qualified contractor is selected; Activity: Best practices relevant to any business systems acquisition: * The solicitation package includes the contractual requirements and the proposal evaluation criteria; * The technical and management elements of proposals are evaluated to ensure that the requirements of the contract will be satisfied; * The selection official selects a supplier who is qualified to satisfy the contract's requirements; * The acquiring organization has a written policy for conducting the solicitation; * Responsibility for the solicitation is designated; * A selection official has been designated to be responsible for the selection process and decision; * The acquiring team includes contracting specialists to support contract administration. Best practices: Best practices relevant to any business systems acquisition: Transition to support; To ensure proper transfer of the system from the acquiring organization to the support organization; Activity: Best practices relevant to any business systems acquisition: * The acquiring organization ensures that the support organization has the capacity and capability to provide the required support; * There is no loss in continuity of support to the products during transition from the supplier to the support organization; * Configuration management of the products is maintained throughout the transition; * The acquiring organization has a written policy for transitioning the products to the support organization; * The acquiring organization ensures that the support organization is involved in planning for transition to support; * Responsibility for transition to support activities is designated. Best practices: Complementary best practices relevant to commercial component-based business systems acquisitions: Component modification; To ensure that commercial product modification is effectively controlled; Activity: Best practices relevant to any business systems acquisition: * Modification of commercial components is discouraged and allowed only if justified by a thorough analysis of life cycle costs and benefits. Best practices: Complementary best practices relevant to commercial component-based business systems acquisitions: Configuration management; To ensure the integrity and consistency of system commercial components; Activity: Best practices relevant to any business systems acquisition: * Project plans explicitly provide for evaluation, acquisition, and implementation of new, often frequent, product releases; * Modification or upgrades to deployed versions of system components are centrally controlled and unilateral user release changes are precluded. Best practices: Complementary best practices relevant to commercial component-based business systems acquisitions: Dependency analysis; To ensure that relationships among commercial products are understood before acquisition decisions are made; Activity: Best practices relevant to any business systems acquisition: * Decisions about acquisition of commercial components are based on deliberate and thorough research, analysis, and evaluation of the components' interdependencies. Best practices: Complementary best practices relevant to commercial component-based business systems acquisitions: Legacy systems integration planning; To ensure reasonable planning for integration of commercial products with existing systems; Activity: Best practices relevant to any business systems acquisition: * Project plans explicitly provide for the necessary time and resources for integrating commercial components with legacy systems. Best practices: Complementary best practices relevant to commercial component-based business systems acquisitions: Organization change management; To ensure that the organizational impact of using new system functionality is proactively managed; Activity: Best practices relevant to any business systems acquisition: * Project plans explicitly provide for preparing users for the impact that the business processes embedded in the commercial components will have on users respective roles and responsibilities; * The introduction and adoption of changes to how users will be expected to execute their jobs is actively managed. Best practices: Complementary best practices relevant to commercial component-based business systems acquisitions: Solicitation; To ensure that a quality solicitation is produced and a best-qualified contractor is selected; Activity: Best practices relevant to any business systems acquisition: * Systems integration contractors are explicitly evaluated on their ability to implement commercial components. Best practices: Complementary best practices relevant to commercial component-based business systems acquisitions: Tradeoff analysis; To ensure that system requirements alone do not drive the system's solution; Activity: Best practices relevant to any business systems acquisition: * Investment decisions throughout a system's life cycle are based on tradeoffs among the availability of commercial products (current and future), the architectural environment in which the system is to operate (current and future), defined system requirements, and acquisition cost/schedule constraints. Best practices: Complementary best practices relevant to commercial component-based business systems acquisitions: Vendor and product research and evaluation; To ensure that vendor and product characteristics are understood before acquisition decisions are made; Activity: Best practices relevant to any business systems acquisition: * Commercial component and vendor options are researched, evaluated/tested, and understood, both early and continuously; * A set of evaluation criteria for selecting among commercial component options is established that includes both defined system requirements and vendor/commercial product characteristics (e.g., customer satisfaction with company and product line). Sources: See sources listed in appendix I of this report. [End of table] FBI Is Establishing Institutional IT Management Controls, but Success of IT Programs Depends on Implementation of Controls: The FBI has recognized the importance of IT to transformation, making it one of the bureau's top ten priorities. Consistent with this, the FBI's strategic plan contains explicit IT-related strategic goals, objectives, and initiatives (near-term and long-term) to support the collection, analysis, processing, and dissemination of information. This recognition is important because, as we previously reported,[Footnote 8] the bureau's longstanding approach to managing IT has not always been fully consistent with leading practices. The effects of this can be seen in, for example, the failure of projects such as VCF. To address these issues, the FBI has, as we reported in 2004, centralized IT responsibility and authority under the CIO and the CIO has taken steps to define and implement management capabilities in the areas of enterprise architecture, IT investment management, systems development and acquisition, and IT human capital. Since 2004, the FBI has continued to make progress in establishing key IT management capabilities. As we previously reported,[Footnote 9] the FBI has created a life cycle management directive that governs all phases and aspects of the bureau's IT projects, including Sentinel. The directive includes guidance, planned reviews, and control gates for each project milestone, including planning, acquisition, development, testing, and operational management of implemented systems. However, we have also reported that the challenge now for the FBI is to build on these foundational capabilities and implement them effectively on the program and project investments it has under way and planned, including Sentinel. More specifically, we stated that the success of Sentinel will depend on how well the FBI defines and implements its new IT management approaches and capabilities. Among other things, we said that it will be crucial for the FBI to understand and control Sentinel requirements in the context of (1) its enterprise architecture, (2) the capabilities and interoperability of commercially available products, and (3) the bureau's human capital and financial resource constraints, and to prepare users for the impact of the new system on how they do their jobs. We concluded that not taking these steps will introduce program risks that could lead to problems similar to those that contributed to the failure of the VCF. In this regard, we recently reported on Sentinel's implementation of IT human capital best practices.[Footnote 10] We determined that the FBI had moved quickly to staff the Sentinel program office, had created a staffing plan that defined program positions needed for the program, and had filled most of them, primarily with contract staff. However, we also determined that the Sentinel staffing plan addressed only the program office's immediate staffing needs. It did not provide for the kind of strategic human capital management focus that is essential to success. Exacerbating this situation was that the FBI was not proactively managing Sentinel human capital availability as a program risk. We concluded that, unless the FBI adopted a more strategic approach to managing human capital for the Sentinel program and treated human capital as a program risk, the chances of delivering required intelligence and investigative support capabilities in a timely and cost-effective manner were reduced. Accordingly, we recommended that the FBI adopt such an approach, and the FBI agreed with our recommendations. According to the FBI's CIO, Sentinel human capital management improvements are being accomplished as part of ongoing Office of the CIO's human capital management initiatives, which are being pursued in close coordination with ongoing FBI-wide human capital management improvements. FBI Is Largely Following Several Best Practices in Managing Key Aspects of Sentinel: The FBI is managing various aspects of Sentinel in accordance with a number of key system acquisition best practices because the FBI CIO and Sentinel program manager have made doing so an area of focus, which reduces Sentinel acquisition risks. At the same time, however, acquisition risks are being increased because support contractors that are performing program management functions are not subject to metrics- based, performance standards. Without such standards, the FBI cannot adequately ensure that support contractors are performing important program management functions effectively and efficiently. Important Steps in Soliciting Sentinel Contractor Proposals and Awarding the Prime Contract Were Conducted: The FBI took a number of important steps when soliciting offers from contractors to lead the development of Sentinel and in evaluating the offers and making a contract award decision.[Footnote 11] We and others[Footnote 12] have reported on contract solicitation and award best practices used to solicit commercial, component-based IT systems. These practices provide for establishing an organizational framework to conduct a solicitation, including things such as establishing a solicitation policy, defining roles and responsibilities, hiring a qualified solicitation team (including designating responsibility for the selection of a vendor and including contract specialists on the solicitation team). These practices also include guidance on how to evaluate proposals, including things such as: (1) explicitly evaluating systems integration contractors on their ability to implement commercial IT components; (2) specifying the contractual requirements and the proposal's evaluation criteria in the solicitation package; (3) evaluating the technical and management elements of proposals on the basis of how they satisfy the requirements of the contract; and (4) selecting a contractor that is qualified to satisfy the contract's requirements. The FBI followed all of these best practices for Sentinel. For instance, the FBI developed a policy for conducting the solicitation-- the Sentinel Source Selection Plan--that addressed, among other things, the qualifications for members of the source selection organization. The source selection plan also identified the individual ultimately responsible for conducting the solicitation and making the award decision. With regard to evaluating proposals, the Sentinel solicitation package contained the contractual requirements and evaluation criteria the bureau would use. Those criteria were designed to explicitly evaluate vendors on their ability to integrate commercial IT products and components like those to be used in Sentinel. In addition, FBI evaluated vendor proposals based on both the technical and management elements of their respective proposals, including elements like past performance, proposed technical approach, proposed management approach, plans for mitigating organizational conflict of interest, proposed security approach, and demonstrated prior success in meeting schedule requirements, controlling costs, and program planning. In addition, the FBI used a GWAC, in which vendors' technical competence had already been already established, thus helping to ensure that the FBI's selected vendor was qualified. For a summary of the FBI's implementation of these best practices, see table 2. Table 2: FBI's Implementation of Contract Solicitation and Award Best Practices for Sentinel: Contract solicitation and award best practices: The solicitation package includes the contractual requirements and the proposal evaluation criteria; Implemented for Sentinel?: yes. Contract solicitation and award best practices: The technical and management elements of proposals are evaluated to ensure that the requirements of the contract will be satisfied; Implemented for Sentinel?: yes. Contract solicitation and award best practices: The selection official selects a supplier qualified to satisfy the contract's requirements; Implemented for Sentinel?: yes. Contract solicitation and award best practices: The acquiring organization has a written policy for conducting the solicitation; Implemented for Sentinel?: yes. Contract solicitation and award best practices: Responsibility for the solicitation is designated; Implemented for Sentinel?: yes. Contract solicitation and award best practices: A selection official has been designated to be responsible for the selections process and decision; Implemented for Sentinel?: yes. Contract solicitation and award best practices: The acquiring team includes contracting specialists to support contract administration; Implemented for Sentinel?: yes. Contract solicitation and award best practices: Systems integration contractors are explicitly evaluated on their ability to implement commercial components; Implemented for Sentinel?: yes. Source: GAO analysis of FBI data. [End of table] An Effective Risk Management Process Has Been Defined and Is Being Followed for Sentinel: The FBI has established and is following effective processes for proactively identifying and mitigating program risks before they have a chance to become actual cost, schedule, or performance problems. We and others view risk management as a core acquisition management practice. In brief, risk management is a process for identifying potential acquisition problems and taking appropriate steps to avoid them. It includes identifying risks and categorizing them based on estimated impact, developing and executing risk mitigation strategies, and reporting on progress in doing so. Risk management practices include, among other things: (1) encouraging project-wide participation in the identification and mitigation of risks; (2) defining and implementing a process for the identification, analysis, and mitigation of acquisition risks; (3) examining the status of identified risks in program milestone reviews; (4) establishing a written policy for managing acquisition risk; and (5) designating responsibility for acquisition risk management activities. FBI's approach for managing Sentinel's risks employs best practices. (See table 3.) For instance, the Sentinel Risk Management Plan encourages all project team members to identify and mitigate risks, and program officials told us that an e-mail notification system has been implemented in which team members use an e-mail template to forward perceived or newly identified risks to program management. Furthermore, the Risk Management Plan and the prime contractor's Risk and Opportunity Management Plan establish mechanisms for analyzing and mitigating identified risks. Under these plans, risk review boards (1) solicit input on risks from employees, (2) approve specified risk mitigation plans for these risks and assign the risks to their respective risk registers, and (3) periodically review each risk within the register to monitor the implementation of the mitigation plans. Further, these plans (as well as the bureau's Life Cycle Management Directive) call for program control gate and milestone reviews that include the status of identified risks, which our analysis of gate and milestone documentation shows includes consideration of risks. This is important because it gives FBI management the opportunity to be apprised of the risks facing the program and what program staff is doing to prevent these risks from occurring when milestone decisions are made. Table 3: FBI's Implementation of Risk Management Best Practices for Sentinel: Risk management best practices: Projectwide participation in the identification and mitigation of risks is encouraged; Implemented for Sentinel?: yes. Risk management best practices: The defined acquisition process provides for the identification, analysis, and mitigation of risks; Implemented for Sentinel?: yes. Risk management best practices: Milestone reviews include the status of identified risks; Implemented for Sentinel?: yes. Risk management best practices: The acquisition organization has a written policy for managing acquisition risk; Implemented for Sentinel?: yes. Risk management best practices: Responsibility for acquisition risk management activities is designated; Implemented for Sentinel?: yes. Source: GAO analysis of FBI data. [End of table] FBI Is Beginning to Address Organizational Change and Impacts of Sentinel: The FBI is beginning to plan for and position itself for the human capital and business process changes that are embedded in the commercial off-the-shelf (COTS) software products that are to be used for Sentinel. Given that the first phase of Sentinel involves minimal new COTS software products and later phases are to be heavily COTS- based, the timing of this planning and positioning is appropriate. As we have previously reported, acquiring software-intensive systems that leverage commercial components involves acquisition management best practices beyond those associated with custom, one-of-a-kind software development efforts. One category of best practices related to COTS acquisitions is proactively planning for and positioning the organization for the people and process changes that will occur as a result of adopting the functionality embedded in commercial products. In short, such change occurs because COTS products are created based on a set of requirements that will have marketability to a broad customer base, rather than to a single customer, which in this case is the FBI. While such products are configurable to align with the customer's architectural needs, such as business rules and date standards, the standard core functionality in the products will require the implementing organization to adopt the product's embedded business processes, which in turn will require changes to the roles and responsibilities of the organization's workforce and the policies and procedures that they follow. To ensure that the organizational impact of implementing a COTS-based system is effectively managed, best practices advocate that (1) project plans explicitly provide for preparing users for the impact that the business processes embedded in the commercial components will have on their roles and responsibilities and (2) the organization actively manages the introduction and adoption of changes to how users will be expected to execute their jobs. As noted earlier, Phase I of Sentinel does not involve extensive use of COTS. Rather, Phase I largely involves development of a customized Web- based portal to the FBI's legacy case management system. Thus, the need for the FBI to have already planned for and be positioned to introduce significant Sentinel-induced organizational change is not expected to be as critical as in later phases. According to the Sentinel program manager, the impact on users in Phase 1 will be minimal due to the small scope of changes that users will need to deal with. Phase 2, in comparison, will introduce changes to individual users' roles, responsibilities, and business practices resulting from re-engineered business processes and a range of COTS-based system capabilities. This means that most of the organizational change management activities for Sentinel are planned for such later phases. Recognizing the relevance of organizational change management to post- Phase 1 efforts, the FBI has taken steps consistent with both of these previously-cited best practices. (See table 4.) With respect to planning, the Sentinel Program Management Plan identifies the need to work closely with users to ensure that they understand Sentinel capabilities, and the Sentinel Communication Plan outlines a strategy to assist FBI personnel in understanding the purpose and scope of Sentinel and its implications. Among other things, this plan provides for tracking user acceptance, including metrics to continually gauge acceptance and the effectiveness of the strategy. In addition, the Sentinel Training and Strategy Plan provides for analyzing workforce impacts and addressing changes to individuals' roles and responsibilities. Regarding actively managing the introduction of changes to how individuals execute their jobs, the FBI has set in motion five areas of activity that are embodied in the previously-mentioned plans. These activities are stakeholder management, organizational impact assessment and understanding, communication, training, and performance support. More specifically, the prime contractor has conducted a Sentinel Stakeholder and Organizational Risk Assessment based in part on visiting several FBI field offices and conducting focus groups with prospective Sentinel users to assess risks to users' acceptance of Sentinel. The results of this analysis have been incorporated into their communication and training plans and are to be addressed through things such as user manuals and program documentation. For instance, the risk and impact analysis showed that on-screen navigation through Sentinel was an area of user concern, so the training plan has treated this as an area of emphasis. According to program officials, such areas of focus are intended to proactively engage and manage stakeholders through the change process, with the ultimate goal of having Sentinel become "business as usual." The challenge that the FBI faces as it proceeds with future Sentinel phases is to ensure that the five areas of activity, particularly the communication and training plans, are effectively implemented. Table 4: FBI's Implementation of Organizational Change Management Best Practices for Sentinel: Organizational change management best practices: Project plans explicitly provide for preparing users for the impact that the business processes embedded in the commercial components will have on their roles and responsibilities; Implemented for Sentinel?: yes. Organizational change management best practices: The organization actively manages the introduction and adoption of changes to how users will be expected to execute their jobs; Implemented for Sentinel?: yes. Source: GAO analysis of FBI data. [End of table] Sentinel Configuration Management Process Defined and Largely Implemented: The FBI has put in place controls and tools for systematically identifying Sentinel's component parts (software, hardware, and documentation) and controlling the configuration of these parts in a way that reasonably ensures the integrity of each and it has effectively implemented most of those controls. However, FBI has not fully implemented one of the key practices. As a result, it is unclear whether the support contractor that is responsible for this practice is in fact executing it in an effective and efficient manner. Configuration management is an essential ingredient in successful IT systems programs such as Sentinel. The purpose of configuration management is to maintain integrity and traceability and to control modifications or changes to program assets like technology products and program documentation throughout their life cycles. Effective configuration management, among other things, enables integration and alignment among related program assets. As we have previously reported,[Footnote 13] an effective configuration management program comprises four primary elements, each of which should be described in a configuration management plan and implemented according to the plan. The four elements of an effective configuration management program are: * Configuration identification: Identifying, documenting, and assigning unique identifiers (e.g., serial number and name) to program assets, generally referred to as configuration items. * Configuration control: Evaluating and deciding whether to approve changes to a product's baseline configuration, generally accomplished through configuration control boards, which evaluate proposed changes on the basis of costs, benefits, and risks, and decide whether to permit a change. * Configuration status accounting: Documenting and reporting on the status of configuration items as a product evolves. Documentation, such as historical change lists, are generated and kept in a library, thereby allowing organizations to be continuously aware of the state of a product's configuration and thus to be in a position to make informed decisions about changing the configuration. * Configuration auditing: Determining alignment between the actual product and the documentation describing it, thereby ensuring that the documentation used to support the configuration control board's decision making is consistent with the actual system products that reflect these decisions. Configuration audits, both functional and physical, are performed when a significant product change is introduced and they help to ensure that only authorized changes are being made. The FBI developed the Sentinel Configuration Management Plan to govern the assets that both the FBI and prime contractor develop. This plan reflects the bureau's Life Cycle Management Directive and each of the previously-cited best practices. Moreover, the FBI has largely implemented its plan, as described here and summarized in table 5. * With respect to configuration identification, the plan defines which classes of program assets are under configuration control and specifies how program staff is to (a) determine the program's configuration items and (b) assign each a unique identifier. In this regard, we observed the naming conventions the program office created for identifying and uniquely naming program assets and then verified that the FBI had inventoried items in accordance with these conventions. In addition, we observed that the FBI had placed under configuration control all of its relevant program documentation, as well as all the data item deliverables from the prime contractor, including multiple software components. * Regarding configuration control, the FBI's plan calls for, and its prime contractor has implemented, a commercially available software tool to store and manage the program's configuration items, including such things as baselined planning documents and hardware and software assets. Among other things, we observed that the tool features a series of access controls that permit only authorized changes to program assets. For example, the tool did not allow unauthorized changes to configuration items. The FBI and the prime contractor have established configuration control boards, engineering review boards, and software change control boards as specified in the plan to establish a baselined configuration for Sentinel's assets and to authorize changes to them. These boards work together (see fig. 2) to review suggested changes to configuration items on the basis of potential impacts on the rest of the system, including risk, cost, and schedule implications. If these boards approve a change, it is executed by the contractor and recorded in the tool. If a change is rejected by one of the review boards, it is dropped and that decision is also recorded along with the board's rationale. Figure 2: Configuration Control Process for Sentinel: [See PDF for image] Source; GAO analysis of contractor and FBI configuration management plans. [End of figure] * Concerning configuration status accounting, the FBI's plan outlines procedures that are consistent with best practices and FBI's Life Cycle Management Directive. These procedures include keeping historical change lists and producing monthly configuration status accounting reports. However, according to FBI officials, the FBI is not producing regular reports as called for in its plan because the configuration management tool that the FBI is using has the ability to produce the same kinds of reports on demand. Such "real time" reporting satisfies the intent of this best practice. * With respect to configuration auditing, the FBI's plan calls for audits of the status of program assets. However, the bureau is not following its plans because, according to program officials, the configuration management tool's embedded controls and processes reduce the need for such audits. One such control that we observed includes the automatic recording of who made a change to the software or hardware asset and when the change was made. Nevertheless, the FBI has tasked one of its support contractors with checking the status of configuration items on a daily basis to augment the tool controls. According to the contractor's representative performing this check, the boards' configuration-related decisions are compared with the configuration status reflected in the tool; deviations are to be reported to program management. This approach, according to bureau officials, constitutes "real time" auditing and is better than the periodic audits cited in the Configuration Management Plan. However, this contractor's activities are not documented or otherwise governed by explicit performance criteria. As a result, the results of configuration audits were not available to assess possible configuration management and security impacts, as provided for in the Sentinel Configuration Management Plan. Thus, we could not verify the FBI's implementation of configuration auditing activities. This lack of performance criteria and measures for support contractors are described further in the next section. FBI officials stated that they intended to perform configuration audits called for in their plan in early June. Table 5: Sentinel's Implementation of Configuration Management Best Practices: Configuration management best practices: 1. Configuration identification; Implemented for Sentinel?: yes. Configuration management best practices: 2. Configuration control; Implemented for Sentinel?: yes. Configuration management best practices: 3. Configuration status accounting; Implemented for Sentinel?: yes. Configuration management best practices: 4. Configuration auditing; Implemented for Sentinel?: partially implemented. Source: GAO analysis of FBI data. [End of table] Most Key Tracking and Oversight Activities Being Performed for Sentinel Contractors: The FBI is performing a range of activities to effectively define expectations for its prime contractor and to measure performance against and hold the contractor accountable for meeting these expectations. The bureau is also performing a number of key practices that are relevant to tracking and overseeing the many support contractors that are performing program management functions. However, it is not performing one key practice--establishing and employing product and service performance standards. As a result, the FBI cannot adequately ensure that these support contractors are performing required program management functions effectively and efficiently. Contract tracking and oversight is the process by which contractual agreements are established and contractor efforts to satisfy those agreements are monitored. This process involves information sharing between the acquirer and contractor to ensure that contractual requirements are understood, that there are measurements to disclose overall project status and problems, and that there are appropriate incentives for ensuring that cost and schedule commitments are met and that quality products are delivered. Contract tracking and oversight begins with the award of a contract and ends at the conclusion of the contract's period of performance. Contract tracking and oversight best practices include ensuring that (1) the acquiring organization has sufficient insight into the contractor's activities to manage and control the contractor and ensure that the contract's requirements are met; (2) the acquiring organization and contractor maintain ongoing communication and both parties implement agreed-to commitments; (3) all contract changes are managed throughout the life of the contract; (4) the acquisition organization has a written policy for contract tracking and oversight; (5) responsibility for contract tracking and oversight activities is designated; (6) the acquiring organization involves contracting specialists in the execution of the contract; (7) a quantitative set of software and system metrics is used to define and measure product quality and contractor performance; and (8) incentives for meeting cost and schedule estimates and measurable, metric-based product quality incentives are explicitly cited in the contract. The FBI has taken a number of actions to satisfy these best practices with respect to the Sentinel prime contractor; however, the bureau has not done the same in tracking and overseeing the many support contractors that are performing program management functions. Three examples of best practices implemented in relation to the prime contractor are described here. (See app. III for information on the implementation of all eight practices.) * To ensure sufficient insight into the contractor's activities, the bureau has instituted integrated product teams for Sentinel, whereby members of the program management office work side by side with the prime contractor. As a result, the Sentinel program office has had daily insight into the direction of the contractor's work, thereby giving the FBI management regular opportunities to manage and control the contractor's activities. Moreover, the FBI requires that the prime contractor provide a monthly report detailing the contractor's activities during the previous month, as well as its anticipated activities for the next month, to permit further insight into the contractor's activities. In addition, the bureau has also established weekly meetings with its contractors to review accomplishments, ongoing issues, and program risks. * Concerning managing changes to the contract throughout its lifetime, the program office has implemented a change control process consisting of several review boards to manage changes to program assets. According to program officials, board decisions that significantly change requirements (e.g., deliverables) are handled through contract letters. These letters serve as an official record of the FBI's direction to the contractor, including changes to deliverables called for in the statement of work. * Regarding having a written policy for contract tracking and oversight, the FBI's Life Cycle Management Directive established the bureau's policy for tracking and overseeing contractors on all IT programs, including Sentinel. In addition, the Sentinel Program Management Plan provides additional procedures, including conducting reviews such as the Requirements Clarification review, the Design Concept Review, and the Preliminary Design Review. Further, the Sentinel statement of work contains requirements for the contractor's earned value management system, earned value baseline, and the contractor's monthly earned value status reports. With respect to support contractor tracking and oversight, the bureau is at least partially satisfying all but one of these relevant best practices. (See app. III for information on implementation of all eight practices.) However, it has not, for example, established and applied measurable performance standards in its support contractors' statements of work. Specifically, while these statements of work identify specific tasks to be accomplished and assign responsibility for overseeing their execution, they do not cite associated quality and timeliness standards for contract deliverables or other such performance measures. As noted earlier, for example, the activities performed by the configuration management support contractor (see prior section) are not governed by written procedures and are not subject to explicit performance standards. Program officials stated that they manage support contractors daily through face-to-face interaction, and that all work products provided by support contractors are reviewed and approved by government supervisors.[Footnote 14] Thus, they added, explicit performance standards are not needed. Given the bureau's reliance on support contractors, however, maximizing their performance is important to Sentinel's overall success. By not ensuring that statements of work spell out measures governing product and service quality and timeliness, the FBI cannot adequately ensure that these contractors are performing important program management functions effectively and efficiently. Table 6: Sentinel's Implementation of Contract Tracking and Oversight Best Practices: Best practices for contract tracking and oversight: The acquiring organization has sufficient insight into the contractor's activities to manage and control the contractor and ensure contract requirements are met; Implemented for prime contractor?: yes; Implemented for support contractors?: yes. Best practices for contract tracking and oversight: The acquiring organization and contractor maintain ongoing communication; commitments are agreed to and implemented by both parties; Implemented for prime contractor?: yes; Implemented for support contractors?: yes. Best practices for contract tracking and oversight: All contract changes are managed throughout the life of the contract; Implemented for prime contractor?: yes; Implemented for support contractors?: not applicable[A]. Best practices for contract tracking and oversight: Responsibility for contract tracking and oversight activities is designated; Implemented for prime contractor?: yes; Implemented for support contractors?: yes. Best practices for contract tracking and oversight: The acquisition organization has a written policy for contract tracking and oversight; Implemented for prime contractor?: yes; Implemented for support contractors?: yes. Best practices for contract tracking and oversight: The acquiring organization involves contracting specialists in the execution of the contract; Implemented for prime contractor?: yes; Implemented for support contractors?: yes. Best practices for contract tracking and oversight: A quantitative set of software and system metrics is used to define and measure product quality and contractor performance; Implemented for prime contractor?: yes; Implemented for support contractors?: no. Best practices for contract tracking and oversight: In addition to incentives for meeting cost and schedule estimates, measurable, metrics- based product quality incentives are cited in contract; Implemented for prime contractor?: yes; Implemented for support contractors?: not applicable[B]. Source: GAO analysis of FBI data. [A] FBI officials stated that program support contractor staff is largely acquired through existing government contracts that are managed outside of the FBI. As a result, changes to these contracts are beyond the control and authority of the FBI. [B] According to program officials, none of the support contracts allow for incentives. [End of table] FBI Policies and Procedures Governing Sentinel Schedule and Cost Estimates Do Not Reflect Important Best Practices: The FBI's policies and procedures that form the basis for Sentinel's schedule and cost estimates are not fully consistent with reliable estimating practices. While the FBI has issued an IT program management handbook, related guidance, and tools that define how IT program schedules and costs are to be estimated, this handbook and related material do not, for example, address having a historical database of program schedule and cost estimates to inform future estimates. In addition, this handbook and related material do not adequately address such schedule estimating practices as providing float time between key activities and reserve time for high risk activities, and they do not adequately address such cost estimating best practices as documentation of source information. The cost estimates that the FBI has developed for Sentinel reflect these limitations in policies, procedures, and tools. In particular, the estimates to date did not include all relevant costs and could not be verified by supporting documentation. Without well-defined policies, procedures, and supporting tools for estimating IT programs' schedules and costs, the reliability of these programs' respective estimates is questionable and, in the case of Sentinel, a key basis of informed investment management is missing. FBI Policies and Procedures for Estimating Program Schedules Address Some, but Not All, Best Practices: The success of any program depends in part on having a reliable schedule of when the program's set of work activities will occur, how long they will take, and how they are related to one another. As such, the schedule not only provides a road map for systematic execution of a program, but also provides the means by which to gauge progress, identify and address potential problems, and promote accountability. Among other things, best practices and related federal guidance call for a program schedule to be program-wide in scope, meaning that it should include the integrated breakdown of the work to be performed by both the government and its contractors over the expected life of the program. Best practices also call for the schedule to expressly identify and define the relationships and dependencies among work elements and the constraints affecting the start and completion of work elements. A well-defined schedule helps to identify the amount of human capital and fiscal resources that are needed to execute the program, and thus is an important contribution to a reliable cost estimate. Our research has identified a range of best practices associated with effective schedule estimating.[Footnote 15] These practices include: * Capturing key activities: The schedule should reflect all key activities (steps, events, outcomes, etc.) as defined in the program's work breakdown structure, to include activities to be performed by both the government and its contractors. * Sequencing key activities: The schedule should line up key activities in the order that they are to be carried out. In particular, activities that must finish prior to the start of other activities (i.e., predecessor activities) as well as activities that cannot begin until other activities are completed (i.e., successor activities) should be identified. By doing so, dependencies among activities that collectively lead to the accomplishment of events or milestones can be established and used as a basis for guiding work and measuring progress. * Establishing the duration of key activities: The schedule should reflect how long each activity will take to execute. In determining the duration of each activity, the same rationale, data, and assumptions used for cost estimating should be used for schedule estimating. Further, these durations should be as short as possible and they should have specific start and end dates. Excessively long periods needed to execute an activity should prompt further decomposition of the activity so that shorter execution durations will result. * Assigning resources to key activities: The schedule should reflect who will do the work activities, whether all required resources will be available when they are needed, and whether any funding or time constraints exist. * Establishing the critical path for key activities: The schedule should identify the longest duration path through the sequenced list of key activities, which is known as the schedule's critical path. If any activity slips along this path, the entire program will be delayed. Therefore, potential problems that might occur along or near the critical path should be identified and reflected in the scheduling of the time for high risk activities (see next). * Identifying "float time" between key activities: The schedule should identify the time that a predecessor activity can slip before the delay affects successor activities, which is known as "float time" and is an indicator of schedule flexibility. As a general rule, activities along the critical path typically have the least amount of float time. * Distributing reserves to high risk activities: The baseline schedule should include a buffer or a reserve of extra time. Typically, the schedule reserve is calculated by taking the difference in time between the planned completion date and the contractual completion date for either the program as a whole or for a part of the program. As a general rule, the reserve should be applied to high risk activities, which are typically found along the critical path. * Integrating key activities horizontally and vertically: The schedule should be horizontally integrated, meaning that it should link the products and outcomes associated with already sequenced activities (see previous section). These links are commonly referred to as "hand offs" and serve to verify that activities are arranged in the right order to achieve aggregated products or outcomes. The schedule should also be vertically integrated, meaning that traceability exists among varying levels of activities and supporting tasks and sub-tasks. Such mapping or alignment among levels enables different groups to work to the same master schedule. The FBI's policies and procedures that govern IT program schedule estimating are defined in the bureau's IT Program Management Handbook and its IT Investment Management Process. To the bureau's credit, these documents reflect several of the previously cited best practices for schedule estimating. For example, the handbook requires program managers to define and sequence the key activities required to complete a given project, to determine the durations of each activity, and to identify the resources needed to complete tasks. Further, the handbook calls for the identification of the project's critical path and "float time." However, the handbook and associated worksheets do not specifically call for the distribution of schedule reserve to high risk activities or for the integration of tasks horizontally and vertically. Moreover, FBI policies and procedures only partially provide for assigning resources to key activities because the FBI's guidance does not address consideration of whether funding or time constraints exist. (See table 7 for a summary of the extent to which FBI policies and procedures address each of the best practices.) FBI Office of the CIO officials agreed that these best practices are not addressed in current bureau policies for estimating schedules and that they need to be. Until they are, schedule estimates for FBI IT programs, like Sentinel, will be of questionable reliability, and thus the risk of Sentinel's actual performance not tracking closely to plans is increased. The delays that the FBI has recently experienced on Phase I of Sentinel illustrate how this risk may have been realized. Specifically, the original milestone for completing deployment of Sentinel Phase I to all headquarters and field offices was May 2007. However, according to bureau officials, this milestone slipped to June 2007. According to program officials, the delay is due to a number of factors, including early miscommunication with the prime contractor on when work on the program was to begin, a number of changes within the prime contractor's staff, and problems integrating commercial products that were not discovered until system acceptance testing. However, the limitations in the FBI's policies and procedures that are the basis for the Sentinel schedule could have led to development of a Phase I schedule that was not sufficiently reliable, and thus was a contributor to this schedule slip. Table 7: FBI's Implementation of Best Practices for Schedule Estimation: Schedule estimation best practices: Capture of key activities; Implemented for Sentinel?: yes. Schedule estimation best practices: Sequencing of key activities; Implemented for Sentinel?: yes. Schedule estimation best practices: Duration of key activities; Implemented for Sentinel?: yes. Schedule estimation best practices: Resources for key activities; Implemented for Sentinel?: partially. Schedule estimation best practices: Identification of critical path; Implemented for Sentinel?: yes. Schedule estimation best practices: Identification of "float time" between key activities; Implemented for Sentinel?: yes. Schedule estimation best practices: Distribution of reserve to high risk activities; Implemented for Sentinel?: no. Schedule estimation best practices: Horizontal and vertical integration within key activities; Implemented for Sentinel?: no. Source: GAO analysis of FBI data. [End of table] FBI Policies and Procedures for Estimating Program's Costs Address Some, but Not All, Best Practices: A reliable cost estimate is critical to the success of any IT program. Such an estimate provides the basis for informed investment decision making, realistic budget formulation and program resourcing, meaningful progress measurement, proactive course correction when warranted, and accountability for results. According to OMB,[Footnote 16] programs must maintain current and well-documented estimates of program costs, and these estimates must encompass the full life cycle of the program. Among other things, OMB states that generating reliable program cost estimates is a critical function necessary to support OMB's capital programming process. Without this capability, agencies are at risk of experiencing program cost overruns, missed deadlines, and performance shortfalls. Our research has identified a number of best practices that are the basis of effective program cost estimating. We have grouped these practices into four characteristics of a high-quality and reliable cost estimate.[Footnote 17] They are: * Comprehensive: The cost estimates should include both government and contractor costs of the program over its full life cycle, from inception of the program through design, development, deployment, and operation and maintenance to retirement of the program. They should also provide a level of detail appropriate to ensure that cost elements are neither omitted nor double counted, and they should document all cost-influencing ground rules and assumptions. * Well-documented: The cost estimates should capture in writing such things as the source data used and their significance, the calculations performed and their results, and the rationale for choosing a particular estimating method or reference. Moreover, this information should be captured in such a way that the data used to derive the estimate can be traced back to, and verified against their sources. * Accurate: The cost estimates should provide for results that are unbiased, and they should not be overly conservative or optimistic (i.e., should represent most likely costs). In addition, the estimates should be updated regularly to reflect material changes in the program, and steps should be taken to minimize mathematical mistakes and their significance. Among other things, the estimate should be grounded in documented assumptions and a historical record of cost and schedule estimating and actual experiences on other comparable programs. * Credible: The cost estimates should discuss any limitations in the analysis performed due to uncertainty or biases surrounding data or assumptions, and their derivation should provide for varying major assumptions and recalculating outcomes based on sensitivity analyses, and the associated risk and uncertainty inherent in estimates should be disclosed. Further, the estimates should be verified based on cross- checks using other methods and by comparing the results with independent cost estimates. The FBI's policies and procedures that govern estimating program costs are defined in the bureau's IT Program Management Handbook, Cost- Benefit Analysis Guide, and IT Investment Management Process. To the bureau's credit, these documents reflect some of the previously cited best practices. For example, the handbook calls for cost estimates to be comprehensive and to be life cycle in scope, including total costs (e.g., research, development, production, training, operations and maintenance, software licensing, and labor) over its full life cycle (from initiation to system retirement). Moreover, FBI guidance partially provides for documenting these estimates and ensuring their accuracy by, for example, stating that estimating assumptions should be documented and that the estimates are to be updated on a regular basis. However, these policies and procedures do not reflect all of the cost estimating best practices associated with well-documented, accurate, and credible estimates. With respect to being well-documented, they do not require that the sources of historical data used in the estimate be documented and, with respect to accuracy, they do not provide for the establishment and use of a historical database of estimating and actual experiences on comparable programs. Without documenting estimated data sources, the basis for the estimates, including the circumstances surrounding the data used to derive and whether these data have been properly normalized, cannot be understood. This means that the reliability of the estimate for either current use in managing a program or for inclusion in a historical database for use in future program estimates, cannot be assured. Further, without provision for establishing and using a historical database, one will not be available to inform future estimates, as is the case for the FBI. With respect to credibility, the FBI's policies and procedures do not address the need to consider and reflect any limitations in the analyses on which the estimates are based, or to document any uncertainty or biases surrounding the data used. As a result, the associated uncertainty in the estimate itself cannot be determined, thus limiting the estimate's integrity and utility. Further, the FBI's policies and procedures do not provide for the conduct of risk/sensitivity analyses[Footnote 18] and disclosure of the associated risk and uncertainty of the estimates. Thus, estimates will not include important information to inform program decision making, such as the range of potential costs surrounding the point estimate and the reasons behind this range. FBI Office of the CIO officials agreed that these practices are not included in the bureau's policies and procedures that form the basis for IT program cost estimates and that they need to be. Until an effective basis for cost estimating is in place and employed, FBI IT programs, like Sentinel, will likely not have reliable cost estimates to properly inform investment decision making and the risk of actual program cost performance not tracking closely to estimates will be increased. Table 8: Summary of FBI Policies' and Procedures' Reflection of Best Practices Characteristics for Cost Estimating: Cost estimation best practice characteristics: Comprehensive; Addressed in policies and procedures?: yes. Cost estimation best practice characteristics: Well documented; Addressed in policies and procedures?: partial. Cost estimation best practice characteristics: Accurate; Addressed in policies and procedures?: partial. Cost estimation best practice characteristics: Credible; Addressed in policies and procedures?: no. Source: GAO analysis of FBI data. [End of table] Our analysis of Sentinel cost estimates[Footnote 19] revealed reliability issues. In particular, none of the estimates are comprehensive in that they each omit relevant costs. For example, one estimate does not include government or support contractor costs and, according to program officials, another estimate does not include technology refresh, certain government labor costs, or inflationary costs. In addition, these estimates cannot be considered fully accurate or well documented. For example, according to program officials, none of the estimates was derived using a historical database reflecting actual and estimated costs on similar programs. Further, none of the estimates had a fully documented estimating methodology, although some parts of one cost estimate were documented. Also, none of the estimates could be traced to the source of the data that were used in developing them. These reliability concerns with the Sentinel cost estimates are due in part to the FBI's not following its own cost estimating policies and procedures and in part to the previously mentioned limitations in the FBI's cost estimating policies, procedures, and supporting tools. As a result, the Sentinel cost estimates do not provide a sufficient basis for informed investment decision making and do not facilitate meaningful tracking of progress against estimates, both of which are fundamental to effectively managing an IT program. Conclusions: The success of large-scale IT programs, such as Sentinel, is to a large part determined by the extent to which they are executed according to rigorous and disciplined system acquisition management best practices. While implementing such practices does not guarantee program success, doing so will minimize the program's exposure to risk and thus the extent to which the program falls short of expectations. In the case of Sentinel, living up to expectations is critical because not only are the capabilities that Sentinel is to provide mission critical, they are long overdue and thus time is of the essence. To the FBI's credit, it has implemented a number of best practices for Sentinel and by doing so has placed itself on a path to both avoid the kind of missteps that led to the failure of VCF and increase the chances of putting needed mission capabilities in the hands of bureau agents and analysts as soon as possible. Nevertheless, the FBI is still not where it needs to be in managing its program office support contracts and in having reliable estimates of Sentinel schedules and costs to manage and disclose progress and to inform bureau, Department of Justice, and congressional investment decision making. As a result, there is a risk that contractor-provided program management support will not be performed effectively and efficiently. Given that Sentinel's program office relies extensively on such contractor support to execute its many program management functions, less than high quality support contractor performance could adversely affect Sentinel's success. Risks also exist relative to having a reliable basis for informed decisions about Sentinel's investment options because bureau policies, procedures, and tools that form the basis for Sentinel schedule and cost estimates do not reflect important best practices. Moreover, the cost estimates that the FBI has developed to date for Sentinel reflect these limitations. This means that bureau and Justice leadership and Congress lack reasonable assurance that they have a reliable cost basis on which to decide among competing investment options and measure Sentinel's progress. Both effective support contractor tracking and oversight and reliable schedule and cost estimating are critical management functions that should be implemented for programs like Sentinel according to organizational policies and procedures that are grounded in relevant best practices. The FBI's current policies and procedures in this area do not address several key best practices, and hence the bureau has not implemented such practices for Sentinel. It is important that the FBI correct this void in its policies and procedures and that all its IT programs implement these practices. Recommendations: To strengthen the FBI's management of its Sentinel program, we are recommending that the FBI Director instruct the bureau's CIO to: * work with Sentinel support contractors, where feasible, to establish and implement performance standards in statements of work relative to the quality and timeliness of products and the performance of services and: * revise the IT handbook and related guidance to address schedule and cost estimating best practices that are identified in this report as not being addressed in FBI policies and procedures and ensure that these best practices are fully employed on all major IT programs, including Sentinel. Agency Comments and Our Evaluation: In written comments on a draft of this report signed by the FBI CIO and reprinted in appendix IV, the bureau stated that it agreed with our recommendation to revise and implement its guidance for IT program schedule and cost estimation. The FBI CIO stated that the bureau plans to do so by September 30, 2007. However, the FBI disagreed with our recommendation to establish and implement metrics-based performance standards for its Sentinel program office support contractors, stating that the program office already provides sufficient oversight of these contractors. To support this position, the FBI commented that Sentinel's staffing plan contains support contractor position descriptions that include identifying the skills required to execute each position's functions. Further, it commented that all support contractor's products are reviewed and approved by government supervisors, and that the support contractors submit reports on accomplishments that are used by the FBI in reviewing and approving invoices. While we do not take issue with any of these comments, we also do not believe that these actions fully address our recommendation. As a result, we disagree with the bureau's position. Specifically, our point is not whether the functions that support contractors perform, or the skills needed to perform them, are identified or whether support contractors' work is reviewed before invoice payment is approved; rather, our point is that standards governing the quality and timeliness of the functions and work performed are not defined; this lack of standards, in turn, increases the chances of support contractors producing products or providing services that fall short of expectations and thus do not support effective and efficient program management. As we state in our report, this is particularly important for the Sentinel program because the bureau is relying extensively on support contractors to augment its own program management staff. The FBI also provided technical comments, which we have incorporated throughout the report as appropriate. As agreed, unless you publicly announce its contents earlier, we plan no further distribution of this report until 5 days from the report date. At that time, we will send copies of this report to the Chairman and Vice Chairman of the Senate Select Committee on Intelligence and the Ranking Member of the House Permanent Select Committee on Intelligence as well as to the Chairman and Ranking Member of the Senate Committee on the Judiciary; the Chairman and Ranking Member of the House Committee on Appropriations, Subcommittee on Science; the departments of State, Justice, and Commerce, and related agencies. We are also sending copies to the Attorney General; the Director, FBI; the Director, Office of Management and Budget; and other interested parties. In addition, the report will also be available without charge on GAO's Web site at http://www.gao.gov. Should you have any questions about matters discussed in this report, please contact me at (202) 512-3439 or by e-mail at hiter@gao.gov. Contact points for our Office of Congressional Relations and Public Affairs Office may be found on the last page of this report. Key contributors to this report are listed in appendix V. Signed by: Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: Our objectives were to determine the FBI's (1) use of effective practices for acquiring Sentinel and (2) basis for reliably estimating Sentinel's schedule and costs. To address the first objective, we focused on five key areas associated with acquiring commercial component-based IT systems, as agreed with our requestors: solicitation,[Footnote 20] risk management, organizational change management, configuration management, and contract tracking and oversight. We researched relevant best practices, including published guidance from the Software Engineering Institute (SEI) and GAO-issued reports associated with each of these five areas. We also obtained and reviewed relevant FBI policies, procedures, guidance, and Sentinel program documentation (see below), and interviewed pertinent Sentinel program and Office of the CIO officials as well as prime contractor (Lockheed Martin) and support contractor representatives where appropriate, to determine how the FBI had defined its approach to managing each of these five areas and how it had actually implemented them on Sentinel. We then compared this body of evidence to best practices and related guidance that we researched, identified variances, and discussed the reasons for and impact of any variances with FBI officials. The key, governing FBI documents that we obtained and reviewed relative to each of the five areas included (1) FBI Information Technology Life Cycle Management Directive version 3.0; (2) Project Management Handbook, version 1; and (3) Sentinel Program Management Plan, version 1.2. In addition, we obtained and reviewed the following documents that were specific to each of the five areas: * For solicitation, these documents include: (1) the Sentinel Source Selection Plan; (2) the Sentinel Source Selection Decision document; and (3) the Sentinel Source Selection Evaluation Team Final Report. * For risk management, these documents include: (1) the Sentinel Risk Management Plan; (2) the Sentinel Risk Register; and (3) the Lockheed Martin Risk and Opportunity Management Plan for Sentinel.[Footnote 21] * For organizational change management, these documents include: (1) the Sentinel Workforce Transformation Strategy and Plan; (2) the Sentinel Stakeholder and Organizational Risk Assessment; (3) the Sentinel Organizational Impact Assessment; (4) the Sentinel Communications Plan; and (5) the Sentinel Training Strategy and Plan. * For configuration management, these documents include: (1) the Sentinel Configuration Management Plan; and (2) the Lockheed Martin Configuration Management Plan for Sentinel. * For contract tracking and oversight these documents include (1) the statements of work for Sentinel support contractors; (2) the Sentinel Measurement Plan; (3) selected Sentinel Measurement reports; (4) the Sentinel Statement of Work; and (5) select monthly EVM reports.[Footnote 22] To address our second objective, we used GAO's draft guide on estimating program schedules and costs, which is based on extensive research of best practices, and federal schedule and cost estimating guidance found in the OMB Capital Programming Guide. In addition, we obtained and reviewed FBI policies and procedures governing schedule and cost estimating, including the FBI Program Management Handbook, FBI Information Technology Life Cycle Management Directive, and the FBI Information Technology Management Guide. We then compared the bureau's policies and procedures to the practices in GAO's guide and to federal guidance, identified variances, and discussed reasons for variances with officials from the Office of the CIO. We also interviewed program officials, and/or obtained and reviewed Sentinel cost estimates relative to the analysis, data, and calculations supporting each estimate. We conducted our work from our Washington, D.C., headquarters, and at FBI headquarters and facilities in the greater Washington, D.C., metropolitan area between September 2005 and May 2007 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Key IT System Acquisition Best Practices: We and others have identified and promoted the use of a number of best practices associated with acquiring IT systems. In 2004, we reported[Footnote 23] on 18 relevant best practices and grouped them into two categories: (1) ten practices for acquiring any type of business system and (2) eight complementary practices that relate specifically to acquiring commercial component-based business systems. Each is described here. Best Practices Relevant to Any IT Business Systems Acquisition: 1. Acquisition Planning: Purpose: To ensure that reasonable planning for all parts of the acquisition is conducted. Description: Acquisition planning is the process for conducting and documenting acquisition planning activities beginning early and covering all parts of the project. This planning extends to all acquisition areas, such as budgeting, scheduling, resource estimating, risk identification, and requirements definition as well as the overall acquisition strategy. Acquisition planning begins with the earliest identification of a requirement that is to be satisfied through an acquisition. Activities: (1) Plans are prepared during acquisition planning and maintained throughout the acquisition. (2) Planning addresses the entire acquisition process, including life cycle support of the products being acquired. (3) The acquisition organization has a written policy for planning the acquisition. (4) Responsibility for acquisition planning activities is designated. 2. Architectural Alignment: Purpose: To ensure that the acquisition is consistent with the organization's enterprise architecture. Description: Architectural alignment is the process for analyzing and verifying that the proposed architecture of the system being acquired is consistent with the enterprise architecture for the organization acquiring the system. Such alignment is needed to ensure that acquired systems can interoperate and are not unnecessarily duplicative of one another. Exceptions to this alignment requirement are permitted, but only when justified and only when granted an explicit waiver from the architecture. A particular architectural consideration is whether requirements that extend beyond the specific system being acquired should be considered when selecting system components. Such "product line" (i.e., systems that are developed from a common set of assets and share a common and managed set of features) considerations can provide substantial production economies over acquiring systems from scratch. Activities: (1) The system being acquired is assessed for alignment with the enterprise architecture at key life cycle decision points and any deviations from the architecture are explicitly understood and justified by an explicit waiver to the architecture. (2) Product line requirements--rather than just the requirements for the system being acquired--are an explicit consideration in each acquisition. 3. Contract Tracking and Oversight: Purpose: To ensure that contract activities are performed in accordance with contractual requirements. Description: Contract tracking and oversight is the process by which contractual agreements are established and contractor efforts to satisfy those agreements are monitored. It involves information sharing between the acquirer and contractor to ensure that contractual requirements are understood, that there are regular measurements to disclose overall project status and whether problems exist, and that there are appropriate incentives for ensuring that cost and schedule commitments are met and that quality products are delivered. Contract tracking and oversight begins with the award of the contract and ends at the conclusion of the contract's period of performance. Activities: (1) The acquiring organization has sufficient insight into the contractor's activities to manage and control the contractor and ensure that contract requirements are met. (2) The acquiring organization and contractor maintain ongoing communication; commitments are agreed to and implemented by both parties. (3) All contract changes are managed throughout the life of the contract. (4) The acquiring organization has a written policy for contract tracking and oversight. (5) Responsibility for contract tracking and oversight activities is designated. (6) The acquiring organization involves contracting specialists in the execution of the contract. (7) A quantitative set of software and system metrics is used to define and measure product quality and contractor performance.[Footnote 24] (8) In addition to incentives for meeting cost and schedule estimates, measurable, metrics- based product quality incentives are explicitly cited in the contract. 4. Economic Justification: Purpose: To ensure that system investments have an adequate economic justification. Description: Economic justification is the process for ensuring that acquisition decisions are based on reliable analyses of the proposed investment's likely costs versus benefits over its useful life as well as an analysis of the risks associated with actually realizing the acquisition's forecasted benefits for its estimated costs. Moreover, it entails minimizing the risk and uncertainty of large acquisitions that require spending large sums of money over many years by breaking the acquisition into smaller, incremental acquisitions. Economic justification is not a one-time event, but rather is performed throughout an acquisition's life cycle in order to permit informed investment decision making. Activities: (1) System investment decisions are made on the basis of reliable analyses of estimated system life cycle costs, expected benefits, and anticipated risks. (2) Large systems acquisitions are (to the maximum extent practical) divided into a series of smaller, incremental acquisition efforts, and investment decisions on these smaller efforts are made on the basis of reliable analyses of estimated costs, expected benefits, and anticipated risks. 5. Evaluation: Purpose: To ensure that evidence showing that the contract products satisfy the defined requirements are provided prior to accepting contractor products. Description: Evaluation is the process by which contract deliverables are analyzed to determine whether they meet contract requirements. It includes developing criteria such as product acceptance criteria to be included into both the solicitation package and the contract. It should be conducted continuously throughout the contract period as products are delivered. It begins with development of the products' requirements and ends when the acquisition is completed. Activities: (1) Evaluation requirements are developed in conjunction with the contractual requirements and are maintained over the life of the acquisition. (2) Evaluations are planned and conducted throughout the total acquisition period to provide an integrated approach that satisfies evaluation requirements and takes advantage of all evaluation results. (3) Evaluations provide an objective basis to support the product acceptance decision. (4) The acquisition organization has a written policy for managing the evaluation of the acquired products. (5) Responsibility for evaluation activities is designated. 6. Project Management: Purpose: To ensure that the project office and its supporting organizations function efficiently and effectively. Description: Project management is the process for planning, organizing, staffing, directing, and managing all project-office- related activities, such as defining project tasks, estimating and securing resources, scheduling activities and tasks, training, and accepting products. Project management begins when the project office is formed and ends when the acquisition is completed. Activities: (1) Project management activities are planned, organized, controlled, and communicated. (2) The performance, cost, and schedule of the acquisition are continually measured, compared with planned objectives, and controlled. (3) Problems discovered during the acquisition are managed and controlled. (4) The acquisition organization has a written policy for project management. (5) Responsibility for project management is designated. 7. Requirements Development and Management: Purpose: To ensure that contractual requirements are clearly defined and understood by the acquisition stakeholders. Description: Requirements development is the process for developing and documenting contractual requirements, including evaluating opportunities for reusing existing assets. It involves participation from end users to ensure that product requirements are well understood, and that optional versus mandatory requirements are clearly delineated. Requirements management is the process for establishing and maintaining agreement on the contractual requirements among the various stakeholders and for ensuring that the requirements are traceable, verifiable, and controlled. This involves base lining the requirements and controlling subsequent requirements changes. Requirements development and management begins when the solicitation's requirements are documented and ends when system responsibility is transferred to the support organization. Activities: (1) Contractual requirements are developed, managed, and maintained. (2) The end user and other affected groups have input into the contractual requirements over the life of the acquisition. (3) Contractual requirements are traceable and verifiable. (4) The contractual requirements baseline is established prior to release of the solicitation package. (5) The acquisition organization has a written policy for establishing and managing the contractual requirements. (6) Responsibility for requirements development and management is designated. (7) Requirements that are mandatory versus optional are clearly delineated and used in deciding what requirements can be eliminated or postponed to meet other project goals, such as cost and schedule constraints. 8. Risk Management: Purpose: To ensure that risks are identified and systematically mitigated. Description: Risk management is the process for identifying potential acquisition problems and taking appropriate steps to avoid their becoming actual problems. It includes risk identification and categorization based on estimated impact, development of risk mitigation strategies, and execution of and reporting on the strategies. Risk management occurs early and continuously in the acquisition life cycle. Activities: (1) Project wide participation in the identification and mitigation of risks is encouraged. (2) The defined acquisition process provides for the identification, analysis, and mitigation of risks. (3) Milestone reviews include the status of identified risks. (4) The acquisition organization has a written policy for managing acquisition risk. (5) Responsibility for acquisition risk management activities is designated. 9. Solicitation: Purpose: To ensure that a quality solicitation is produced, and a best qualified contractor selected. Description: Solicitation is the process for developing, documenting, and issuing the solicitation package; developing and implementing a plan to evaluate responses; conducting contract negotiations; and awarding the contract. Solicitation ends with contract award. Activities: (1) The solicitation package includes the contractual requirements and the proposal evaluation criteria. (2) The technical and management elements of proposals are evaluated to ensure that the requirements of the contract will be satisfied. (3) The selection official selects a supplier who is qualified to satisfy the contract's requirements. (4) The acquiring organization has a written policy for conducting the solicitation. (5) Responsibility for the solicitation is designated. (6) A selection official has been designated to be responsible for the selection process and decision. (7) The acquiring team includes contracting specialists to support contract administration. 10. Transition to Support: Purpose: To ensure proper transfer of the system from the acquisition organization to the eventual support organization. Description: Transition to support is the process for developing and implementing the plans for transitioning products to the support organization. This includes engaging relevant stakeholders in the acquisition and sharing information about the system's supporting infrastructure. Transition to support begins with requirements development and ends when the responsibility for the products is turned over to the support organization. Activities: (1) The acquiring organization ensures that the support organization has the capacity and capability to provide the required support. (2) There is no loss in continuity of support to the products during transition from the supplier to the support organization. (3) Configuration management of the products is maintained throughout the transition. (4) The acquiring organization has a written policy for transitioning products to the support organization. (5) The acquiring organization ensures that the support organization is involved in planning for transition to support. (6) Responsibility for transition to support activities is designated. Complementary Best Practices Relevant to Commercial Component-Based IT Business Systems Acquisitions: 1. Component Modification: Purpose: To ensure that commercial product modification is effectively controlled. Description: Component modification is the process for limiting the chances of a commercial product being modified to the point that it becomes a one-of-a-kind solution because doing so can result in extensive life cycle costs. Such modifications, if not incorporated into the commercially available version of the product by the supplier, mean that every product release has to be modified in accordance with the custom changes, thus precluding realization of some of the benefit of using a commercial product. Activity: (1) Modification of commercial components is discouraged and allowed only if justified by a thorough analysis of life cycle costs and benefits. 2. Configuration Management: Purpose: To ensure the integrity and consistency of commercial system components. Description: Configuration management relative to commercial component- based systems is the process for ensuring that changes to the commercial components of a system are strictly controlled. It recognizes that when using commercial components, it is the vendor, not the acquisition or support organization, that controls the release of new component versions and that new versions are released frequently. Thus, acquisition management needs to provide for both receiving new product releases and controlling the implementation of these releases. Activities: (1) Project plans explicitly provide for evaluation, acquisition, and implementation of new, often frequent, product releases. (2) Modification or upgrades to deployed versions of system components are centrally controlled and unilateral user release changes are precluded. 3. Dependency Analysis: Purpose: To ensure that relationships between commercial products are understood before acquisition decisions are made. Description: Dependency analysis relative to commercial component- based systems is the process for determining and understanding the characteristics of these products so that inherent dependencies among them can be considered before they are acquired. It involves recognizing that the logical and physical relationships among products impact one another. This is necessary because commercial products are built around each vendor's functional and architectural assumptions and paradigms, such as approaches to error handling and data access, and these assumptions and paradigms are likely to be different among products from different sources. Such differences complicate product integration. Further, some commercial products have built-in dependencies with other products that, if not known, can further complicate integration. Activity: (1) Decisions about the acquisition of commercial components are based on deliberate and thorough research, analysis, and evaluation of the components' interdependencies. 4. Legacy Systems Integration Planning: Purpose: To ensure reasonable planning for integration of commercial products with existing systems. Description: Legacy systems integration planning is the process for ensuring that the time and resources needed to integrate existing systems with the system being acquired are identified and provided for. It involves identifying which legacy systems will interact with the system being acquired and what kinds and levels of testing are required. Integration planning recognizes that, although some commercial products may provide mechanisms and information that are helpful in integration with legacy systems, the unavailability of the source code for commercial products and the different organizations that are responsible for the two will likely require additional time and effort. Activity: (1) Project plans explicitly provide for the time and resources necessary for integrating commercial components with legacy systems. 5. Organization Change Management: Purpose: To ensure that the organizational impact of using new system functionality is proactively managed. Description: Organization change management relative to commercial component-based systems is the process for preparing system users for the business process changes that will accompany implementation of the system. It involves engaging users and communicating the nature of anticipated changes to system users through training on how jobs will change. This is necessary because commercial products are created with the developers' expectations of how they will be used, and the products' functionality may require the organization implementing the system to change existing business processes. Activities: (1) Project plans explicitly provide for preparing users on the impact that the business processes embedded in the commercial components will have on the user's respective roles and responsibilities. (2) The introduction and adoption of changes to how users will be expected to execute their jobs are actively managed. 6. Solicitation: Purpose: To ensure that a quality solicitation is produced and a best qualified contractor is selected. Description: Solicitation relative to commercial component-based systems is the process for ensuring that a capable contractor is selected. It involves ensuring that the selected contractor has experience with integrating commercial component products. This is important because expertise in developing custom system solutions is different from expertise in implementing commercial components; it requires different core competencies and experiences to be successful. Activity: (1) Systems integration contractors are explicitly evaluated on their ability to implement commercial components. 7. Tradeoff Analysis: Purpose: To ensure that system requirements alone do not drive the system solution. Description: Tradeoff analysis relative to commercial product-based systems is the process for analyzing and understanding the tradeoffs among competing acquisition variables so as to produce informed acquisition decision making. It involves planning and executing acquisitions in a manner that recognizes four competing interests: defined system requirements, the architectural environment (current and future) in which the system needs to operate, acquisition cost and schedule constraints, and the availability of products in the commercial marketplace (current and future). This analysis should be performed early and continuously throughout an acquisition's life cycle. Activity: (1) Investment decisions throughout a system's life cycle are based on tradeoffs among the availability of commercial products (current and future), the architectural environment in which the system is to operate (current and future), defined system requirements, and acquisition cost/schedule constraints. 8. Vendor and Product Research and Evaluation: Purpose: To ensure that vendor and product characteristics are understood before acquisition decisions are made. Description: Vendor and product research and evaluation relative to commercial component-based systems is the process for obtaining reliable information about both the product being considered and the vendor offering the product. It involves taking additional steps beyond vendor representations, such as obtaining information about the vendor's history, obtaining information on the vendor's business strategy relative to evolution and support of the product, and evaluating copies of the product in a test environment. Activities: (1) Commercial component and vendor options are researched, evaluated/tested, and understood, both early and continuously. (2) A set of evaluation criteria for selecting among commercial component options is established that includes both defined system requirements and vendor/commercial product characteristics (e.g., customer satisfaction with company and product line). [End of section] Appendix III: Sentinel Implementation of Contract Tracking and Oversight Best Practices: Table 9 contains our assessment of the FBI's efforts for contract tracking and oversight for both the prime contractor and the sub- contractors. Table 9: Sentinel Implementation of Contract Tracking and Oversight Best Practices on Prime Contract: Best practice for contract tracking and oversight: The acquiring organization has sufficient insight into the contractor's activities to be able to manage and control the contractor and ensure that contract requirements are met; Implemented for Sentinel?: yes; Evidence: FBI ensured sufficient insight into the contractor's activities through such mechanisms as integrated product teams (in which the program office works side by side with contractor staff), weekly meetings with contractor staff, monthly contractor invoice reports, and earned value management. These mechanisms provide the FBI with the means for controlling the contractor's activities and ensuring that requirements are met. Best practice for contract tracking and oversight: The acquiring organization and contractor maintain ongoing communication and commitments are agreed to and implemented by both parties; Implemented for Sentinel?: yes; Evidence: The FBI maintains ongoing communications with the contractor through the above mentioned IPTs, weekly meetings, and periodic reports to ensure that commitments are implemented. Additionally, commitments are agreed to via contract letters. These letters record changes to deliverables or otherwise redirect work defined in the statements of work. Best practice for contract tracking and oversight: All contract changes are managed throughout the life of the contract; Implemented for Sentinel?: yes; Evidence: The FBI has implemented a change control process consisting of several boards that review proposed changes to the program and decide whether to implement the change. According to the FBI, significant changes to any contract deliverables are handled through the previously mentioned contract letters. Best practice for contract tracking and oversight: Responsibility for contract tracking and oversight activities is designated; Implemented for Sentinel?: yes; Evidence: The Sentinel Program Management Plan designates responsibility for contract tracking and oversight. Specifically, this plan designates the Sentinel Contracting Officer (CO) and a Contracting Officer's Technical Representative (COTR) as responsible for ensuring continuing alignment between the set of contracts/task orders being used by the Sentinel program and the program's needs. Both of these contracting officials report to the Sentinel Program Manager, who is ultimately responsible for all areas of program execution, including contract tracking and oversight. Best practice for contract tracking and oversight: The acquisition organization has a written policy for contract tracking and oversight; Implemented for Sentinel?: yes; Evidence: The Sentinel Program Management Plan contains the FBI's policy for contract tracking and oversight. This plan reflects the contract tracking and oversight policies and procedures defined in the FBI's IT Life Cycle Management Directive. Best practice for contract tracking and oversight: The acquiring organization involves contracting specialists in the execution of the contract; Implemented for Sentinel?: yes; Evidence: Both the Sentinel CO and COTR are contracting specialists. In addition, the bureau has hired support contractors to provide contract management expertise. Best practice for contract tracking and oversight: A quantitative set of software and system metrics is used to define and measure product quality and contractor performance; Implemented for Sentinel?: yes; Evidence: The Sentinel Measurement Plan defines quantifiable metrics for product quality and provides for contractor reporting on satisfaction of these metrics. Further, the contractor provides monthly reports detailing its performance and laying out expectations for the coming month. Best practice for contract tracking and oversight: In addition to incentives for meeting cost and schedule estimates, measurable, metrics- based product quality incentives are explicitly cited in the contract; Implemented for Sentinel?: yes; Evidence: The FBI created an award fee plan for the contractor that provides metrics-based product quality incentives in addition to cost and schedule incentives. Source: GAO analysis of FBI data. [End of table] Table 10: Sentinel Implementation of Contract Tracking and Oversight Best Practices for Support Contractors: Criteria: The acquiring organization has sufficient insight into the contractor's activities to be able to manage and control the contractor and ensure that contract requirements are met; Implemented for Sentinel?: yes; Evidence: Support contractor staff is co-located in the program office with FBI program officials, and according to FBI officials, they interact with them and direct their work on a daily basis. Additionally, program officials told us that they also interact with support contractor staff at a weekly status meeting to review deliverables and performance and otherwise ensure that contract requirements are met. Criteria: The acquiring organization and contractor maintain ongoing communication and commitments are agreed to and implemented by both parties; Implemented for Sentinel?: yes; Evidence: Program officials told us that they maintain ongoing communication with the support contractor's staff through IPTs, day-to- day contact, and during weekly meetings. According to these officials, during these interactions, commitments are agreed to and their implementation is ensured. Criteria: All contract changes are managed throughout the life of the contract; Implemented for Sentinel?: not applicable; Evidence: Program support contractor staff is largely acquired through existing government contracts that are managed outside of the FBI. As a result, changes to these contracts are beyond the control and authority of the FBI. Criteria: Responsibility for contract tracking and oversight activities is designated; Implemented for Sentinel?: yes; Evidence: The Sentinel Program Management Plan designates responsibility for contract tracking and oversight. According to the plan, the designated CO and COTR are responsible for contract tracking and oversight. Criteria: The acquisition organization has a written policy for contract tracking and oversight; Implemented for Sentinel?: yes; Evidence: The Sentinel Program Management Plan specifies the FBI's policy for contract tracking and oversight. This plan reflects the policies and procedures in the FBI's IT Life Cycle Management Directive. Criteria: The acquiring organization involves contracting specialists in the execution of the contract; Implemented for Sentinel?: yes; Evidence: Both the Sentinel CO and COTR are contracting specialists. In addition, the bureau has hired support contractors to provide contract management expertise. Criteria: A quantitative set of software and system metrics is used to define and measure product quality and contractor performance; Implemented for Sentinel?: no; Evidence: The statements of work for the Sentinel support contractors do not establish metrics that define and measure contractor performance relative to, for example, product quality and timeliness and service effectiveness and efficiency. Criteria: In addition to incentives for meeting cost and schedule estimates, measurable, metrics-based product quality incentives are explicitly cited in the contract; Implemented for Sentinel?: not applicable; Evidence: According to program officials, none of the contracts with support contractors are award fee contracts. Thus, the contract structures do not allow for incentives. Source: GAO analysis of FBI data. [End of table] [End of section] Appendix IV: Comments from the Federal Bureau of Investigations: U.S. Department of Justice: Federal Bureau of Investigation: Washington, D, C. 20535-0001: July 18, 2007: Mr. Randolph C. Hite: Director, information Technology Architecture and Systems Issues: Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Hite: Re: FBI Response To GAO'S Draft Report, "Information Technology, FBI Following A Number Of Key Acquisition Practices On New Case Management System But Improvements Still Needed," GAO-07-912: Thank you for the opportunity to review and comment on the Government Accountability Office (GAO) draft report entitled "Information Security, FBI Following a Number of Key Acquisition Practices on New Case Management System but Improvements Still Needed" (hereafter referred to as "the Report"). The Report has been reviewed by the Federal Bureau of Investigation (FBI), Office of the Chief Information Officer (OCIO). This letter constitutes the formal FBI response. Based on our review of the Report, the FBI concurs with the GAO's technical recommendation pertaining to the revision of the information Technology (IT) Handbook and related guidance to address schedule and cost estimating best practices. The Program Management Handbook, referred to as the IT Handbook by the GAO, will be updated in conjunction with Life Cycle Management Directive (LCMD) Version 4, with a targeted publication of late 4th Quarter, Fiscal Year 2007. LCMD Version 4 will address the best practices as related to schedule and costing and will be provided to all offices at the FBI, including SENTINEL. The FBI does not concur with the GAO's comments that the FBI should establish and implement performance standards in statements of work for SENTINEL support contractors relative to the quality and timeliness of products and the performance of services. The SENTINEL Program Management Office (PMO) support contractors have defined position descriptions and skills required to perform the functions defined in the staffing plan. The majority of the management team's work is task oriented, suspense driven, and requires written products. All products provided by the support contractors, such as minutes, white papers, and comments, are reviewed and approved by government supervisors. Additionally, support contractors submit reports on work accomplishments to their respective contractor Team Lead who then provides a monthly report to the Business Management Unit. This report, along with the invoice that reflects the number of hours billed per contractor, is provided to Unit/Team Leads for their review and concurrence. Therefore, the government leadership has the opportunity to concur/comment on work performed/hours expended by each support contractor. Hence, the FBI believes the PMO provides sufficient government oversight of its support contractors. Again, thank you for the opportunity to respond to the Report. Should you or your staff have questions regarding our response, please feel free to contact me or one of my executives listed below: Mr. Dean E. Hall: Deputy Chief Information Officer: Office of the Chief Information Officer: 202-324-2307: Mr. John Martin Hope: Program Management Executive: Office of IT Program Management: 202-324- 9798: Sincerely yours, Signed by: Zalmai Azmi: Chief Information Officer: [End of section] Appendix V: GAO Contact and Staff Acknowledgments: GAO Contact: Randolph C. Hite, (202) 512-3439 or hiter@gao.gov: Staff Acknowledgments: In addition to those named above, Monica Anatalio, Tonia Brown, Carol Cha, Neil Doherty, Jennifer Echard, Nancy Glover, Daniel Gordon, Jim MacAuley, Paula Moore (Assistant Director), Karen Richey, Teresa Tucker, Kevin Walsh, and Jeffrey Woodward made key contributions to this report. FOOTNOTES [1] GAO, Information Technology: FBI Has Largely Staffed Key Modernization Program, but Strategic Approach to Managing Program's Human Capital Is Needed, GAO-07-19 (Washington, D.C.: October 2006). [2] GAO, Information Security: FBI Needs to Address Weaknesses in Critical Network, GAO-07-368 (Washington, D.C.: April 2007). [3] GWACs are governmentwide contracts authorized by the Clinger-Cohen Act to improve the acquisition of IT by federal agencies. GWACs are operated at the departments of Commerce and Transportation, the National Aeronautics and Space Administration, GSA's Federal Technology Service, and NIH. GWACs are typically multiple-award contracts for IT that allow an indefinite quantity of goods or services (within specified limits) to be furnished during a fixed period, with deliveries scheduled through orders with the contractor. The providing agency awards the contract and other agencies order from it. [4] NIH's CIO--Solutions and Partners 2 Innovations (CIO-SP2i) contract vehicle was created in 1996 to streamline federal agencies' purchasing of IT products and services. The contract has a spending cap of $19.5 billion and encompasses all aspects of support for federal CIOs, from direct technology purchases to consulting services for management activities. There are 45 prime contractors currently associated with the CIO-SP2i vehicle and, unlike other GWACs, prime contractors on this NIH vehicle may act as subcontractors for other primes. [5] A "service-oriented architecture" is an approach for sharing functions and applications across an organization by designing them as discrete, reusable, business-oriented services. These services need to be, among other things, (1) self-contained, meaning that they do not depend on any other functions or applications to execute a discrete unit of work; (2) published and exposed as self-describing business capabilities that can be accessed and used; and (3) subscribed to via well-defined and standardized interfaces instead of unique, tightly coupled connections. Such a service orientation is thus not only intended to promote the reduced redundancy and increased integration that any architectural approach is designed to achieve, but also to provide the kind of flexibility needed to support a quicker response to changing and evolving business requirements and emerging conditions. [6] GAO-04-722, Information Technology: DOD's Acquisition Policies and Guidance Need to Incorporate Additional Best Practices and Controls (Washington, D.C.: July 2004). [7] GAO-04-722. [8] GAO, Information Technology: Foundational Steps Being Taken to Make Needed FBI Systems Modernization Management Improvements, GAO-04-842 (Washington, D.C.: September 2004). [9] GAO, Information Technology, FBI Is Building Management Capabilities Essential to Successful System Deployments, but Challenges Remain, GAO-05-1014T (Washington, D.C.: September 2006). [10] GAO, Information Technology: FBI Has Largely Staffed Key Modernization Program, but Strategic Approach to Managing Program's Human Capital Is Needed, GAO-07-19 (Washington, D.C.: October 2006). [11] We did not determine whether the FBI had complied with the Federal Acquisition Regulation or other contracting or ordering requirements in soliciting and evaluating proposals and in issuing the task order. [12] See GAO, Information Technology: DOD's Acquisition Policies and Guidance Need to Incorporate Additional Best Practices and Controls, GAO-04-722 (Washington, D.C.: July 2004) and SEI's Software Acquisition Capability Maturity Model. [13] GAO, DOD Business Systems Modernization: Long-standing Weaknesses in Enterprise Architecture Development Need to Be Addressed, GAO-05-702 (Washington, D.C.: July 2005). [14] We did not assess whether these arrangements amount to personal services contracts for which statutory authority is required. A personal services contract is characterized by the employer-employee relationship it creates between the government and the contractor's personnel. See Federal Acquisition Regulation 37.104. [15] GAO, Cost Assessment Guide: "Best Practices for Estimating and Managing Program Costs," 2007 exposure draft. [16] Office of Management and Budget, Circular No. A-11, Preparation, Submission, and Execution of the Budget (Washington, D.C.: Executive Office of the President, June 2006); Circular No. A-130 Revised, Management of Federal Information Resources (Washington, D.C.: Executive Office of the President, Nov. 28, 2000); and Capital Programming Guide: Supplement to Circular A-11, Part 7, Preparation, Submission, and Execution of the Budget (Washington, D.C.: Executive Office of the President, June 2006). [17] GAO, Cost Assessment Guide: "Best Practices for Estimating and Managing Program Costs," 2007 exposure draft. [18] A risk/uncertainty analysis quantifies the risk inherent in a cost estimate by using probability distributions and ranges of cost to assess the aggregate variability in the point estimate. The result is a set of estimated probabilities of achieving alternative outcomes given the uncertainty in the underlying parameters. [19] The FBI has developed three different types of Sentinel cost estimates. The first estimate was developed in April 2005 and is referred to as the Independent Government Cost Estimate (IGCE). In short, an IGCE is performed to check the reasonableness of contractors' cost proposals and to make sure that the proposals offered are within a feasible budget range so that funds will be available to execute the program. An IGCE is submitted by the program manager as part of a request for contract funding. It provides the government's assessment of the program's most probable cost. The second estimate, which is referred to as the Government Estimate of Most Probable Cost (GEMPC), was prepared in March 2006, and is actually an independent assessment of what the contractor estimates it will cost to execute the terms of the contract. The GEMPC determines the realism of the contractor's estimate, including identifying potential areas of risk that require further negotiation between the government and the contractor. The third estimate is what is presented in the OMB 300 budget exhibit, which is intended to be an estimate of a program's cost over its life cycle. This estimate includes annual funding requirements for future budget years. [20] We did not determine whether the FBI complied with the Federal Acquisition Regulation or other contracting or ordering requirements in soliciting and evaluating proposals and in issuing the task order. [21] We did not verify whether the individuals assigned responsibility for a given risk had actually executed the risk mitigation strategy. [22] We did not examine specific contractor invoices or the controls surrounding review and approval of invoices because these financial management activities are being addressed as part of an ongoing GAO review. [23] GAO-04-722, Information Technology: DOD's Acquisition Policies and Guidance Need to Incorporate Additional Best Practices and Controls (Washington, D.C.: July 2004). [24] Richard J. Adams, Suellen Eslinger, Karen L. Owens, and Mary A. Rich, Reducing Risk in the Acquisition of Software-Intensive Systems: Best Practices from the Space System Domain (Los Angeles, Calif: 2003). GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to www.gao.gov and select "Subscribe to Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, D.C. 20548: Public Affairs: Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: