Information Technology: Executive office for U.S. Attorneys Needs to Institutionalize Key IT Management Disciplines

GAO-03-751 July 25, 2003
Highlights Page (PDF)   Full Report (PDF, 60 pages)   Accessible Text   Recommendations (HTML)

Summary

The Executive Office for United States Attorneys (EOUSA) of the Department of Justice is responsible for managing information technology (IT) resources for the United States Attorneys' Offices. GAO was asked to determine the extent to which EOUSA has institutionalized key IT management capabilities that are critical to achieving Justice's strategic goal of improving the integrity, security, and efficiency of its IT systems.

To varying degrees, EOUSA has partially defined and implemented certain IT management disciplines that are critical to successfully achieving the Justice Department's strategic goal of improving the integrity, security, and efficiency of its IT systems. However, it has yet to institutionalize any of these disciplines, meaning that it has not defined existing policies and procedures in accordance with relevant guidance, and it has yet to fully implement what it has defined. In particular, while EOUSA has developed an enterprise architecture--a blueprint for guiding operational and technological change--the architecture was not developed in accordance with certain best practices. In addition, while the office has implemented certain process controls for selecting, controlling, and evaluating its IT investments, it has not yet implemented others that are necessary in order to develop an effective foundation for investment management. Further, it has not implemented important management practices that are associated with an effective security program. In contrast, it has defined--and is implementing on a major system that we reviewed--most, but not all, of the management practices associated with effective systems acquisition. Institutionalization of these IT management disciplines has not been an agency priority and is not being guided by plans of action or sufficient resources. Until each discipline is given the priority it deserves, EOUSA will not have the IT management capabilities it needs to effectively achieve the department's strategic goal of improving the integrity, security, and efficiency of its IT systems.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow up work.



Recommendations for Executive Action


Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of enterprise architecture (EA) management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for EA management, establish a committee or group representing the enterprise that is responsible for directing, overseeing, or approving the EA.

Agency Affected: Department of Justice

Status: Implemented

Comments: EOUSA's Enterprise Architecture Program Management Plan (dated April 2004) specifies that the IT Investment Review Board is to approve the enterprise architecture.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for EA management, ensure that EA products are under configuration management.

Agency Affected: Department of Justice

Status: Implemented

Comments: According to officials, EOUSA uses PVCS as its configuration management tool. The baseline and target enterprise architecture products have been placed under configuration management using this tool. EOUSA provided screen shots of the tool showing the enterprise architecture items under configuration management as evidence of this.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for EA management, define, approve, and implement a policy for IT investment compliance with the EA.

Agency Affected: Department of Justice

Status: Implemented

Comments: EOUSA's policy for IT investment compliance with the enterprise architecture is defined in Section 3-16.100 of the U.S. Attorneys' Manual. According to EOUSA's Acting CIO and senior investment management analyst, the IT Investment Review Board has implemented this policy. As evidence, efforts to align investments with the enterprise architecture are reflected in the investment management guide which directs the Investment Review Board's operations.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for EA management, specify metrics for measuring EA benefits.

Agency Affected: Department of Justice

Status: Implemented

Comments: EOUSA's Enterprise Architecture Project Management Plan specifies metrics for measuring EA benefits. They include metrics for development and maintenance, quality, and compliance.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for EA management, define, approve, and implement a policy for maintaining the EA.

Agency Affected: Department of Justice

Status: Implemented

Comments: EOUSA's policy for maintaining the enterprise architecture is defined in section 3-16.100 of the U.S. Attorneys' Manual. It specifies that the EA is to be updated on at least an annual basis. At the time of our review, the agency was using the Enterprise Architecture Management System as its EA tool. When we followed up with EOUSA in November 2004, the IT analyst responsible for coordinating EA development/maintenance activities told us the agency had switched to the System Architect tool to maintain the EA.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT investment management, regularly oversee each IT project's progress toward cost and schedule milestones, using established criteria, and require corrective actions when milestones have not been achieved.

Agency Affected: Department of Justice

Status: Implemented

Comments: EOUSA's Information Technology Investment Process guide defines procedures for the board to regularly oversee projects' progress toward cost and schedule milestones and to take action to correct deficiencies when necessary. According to the EOUSA analyst responsible for coordinating investment management activities, the Investment Review Board reviews existing and proposed IT projects as part of its normal course of business and requires corrective actions when necessary. When we followed up with the agency in November 2004, we were told that the Board had met 5 times since it was instituted. Meeting minutes had not been documented, but we were provided with the agendas for 2 meetings indicating that projects' status would be discussed.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT investment management, define and implement a policy for using the IT project and systems inventory for managerial decision making.

Agency Affected: Department of Justice

Status: Implemented

Comments: EOUSA's IT investment management process guide calls for the use of the IT project and systems inventory for managerial decision making. According to the analyst responsible for coordinating investment management activities, the Investment Review Board has implemented this, in particular in the selection process.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT investment management, ensure that an established, structured process is used to select new IT proposals.

Agency Affected: Department of Justice

Status: Implemented

Comments: EOUSA established a formalized, structured scoring process to select new investments. Specifically, the Investment Management Process guide defines procedures and criteria for (1) screening new IT project proposals, (2) analyzing proposed projects' risks, benefits, and costs, (3) prioritizing projects based on risk and return, and (4) determining the right mix of projects and making the final cut. According to the EOUSA analyst responsible for coordinating investment management activities, the process was used by the Investment Review Board in the spring of 2004 to select projects for the FY2006 budget. While the board did not have any meeting minutes to support this, we were provided with board meeting agendas which showed the budget review and submission as discussion items.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT security management, allocate the appropriate resources to enable the responsibilities of the security officer to be fully performed.

Agency Affected: Department of Justice

Status: Implemented

Comments: According to the Acting CIO, EOUSA allocated resources to enable the responsibilities of the security officer to be fully performed, including two full-time GS-14 level positions and over $2.8 million in IT security development and operations in fiscal year 2004.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of enterprise architecture (EA) management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT security management, ensure that risk assessments are performed on all existing and future systems.

Agency Affected: Department of Justice

Status: Implemented

Comments: According to the Assistant Director for Information Security, risk assessments have been performed on all existing systems, as required by EOUSA's certification and accreditation process and Department of Justice Information Technology Standards. As a case in point, documentation shows that its intrusion detection system enhancements were accredited. Moreover, the Assistant Director for Information Security told us that the Department of Justice had mandated the early adoption of National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53), which requires that all systems undergo risk assessments to evaluate security controls, and that, in accordance with this, EOUSA performs risk assessments of its systems on a regular basis. According to EOUSA's "report card" system that tracks compliance with NIST SP 800-53 requirements, security controls have been evaluated as part of risk assessments for each EOUSA system.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT security management, implement intrusion detection devices to monitor activity at the routers, firewalls, and virtual private network devices, and implement other network security controls as noted in the report.

Agency Affected: Department of Justice

Status: Implemented

Comments: On June 23, 2006, EOUSA's Assistant Director for Information Security and Program Manager for Intrusion Detection Systems reported that EOUSA has intrusion detection systems on all network segments that have a router, firewall, or VPN device. They demonstrated their system for monitoring activity on all sensors associated with these intrusion detection systems and provided a summary report generated by this system. They also demonstrated how they keep track of events outside the network to anticipate and prepare for potential incidents and threats.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT security management, develop and implement a centralized approach to security education and training.

Agency Affected: Department of Justice

Status: Implemented

Comments: EOUSA developed a web-based centralized security awareness training program, which it began implementing in November 2005. EOUSA's Assistant Director for Information Security provided the memorandum announcing the training to all employees as well as the course slides as evidence of this. A system used by EOUSA to keep track of staff who have taken the course showed that, as of June 23, 2006, 99% of the agency's employees had been trained with the program.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for IT security management, perform regular tests to determine compliance with policies and procedures and the effectiveness of security controls.

Agency Affected: Department of Justice

Status: Implemented

Comments: EOUSA uses an audit tool called Security Expressions to perform routine and ad hoc compliance tests for several security policies and controls, including password management, screen savers, and other configuration settings. In June 2006, EOUSA's Assistant Director for Information Security and the IT Specialist responsible for compliance activities demonstrated the use of the tool. They noted that EOUSA's entire network is scanned nights a week and that the Security Expressions tool is run against the scans to check for compliance with specific security parameters. They also noted that monthly summary reports of these scans are provided to Justice, and they provided the most recent report submitted. The Assistant Director and IT Specialist also said that compliance with security policies and controls is checked as part of the agency's comprehensive Evaluation and Review Staff (EARS) program at every site once every three years (we were informed of this program during our review).
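The compliance test described above, comparing scanned host settings against a fixed set of security parameters and rolling the results into a summary report, is a small enough procedure to show in code. The following is an added example and is not EOUSA's process, GAO's work, or the Security Expressions product; the baseline values, the setting names, and the three host records are constructed for illustration only.

```python
"""Baseline-compliance check over collected host settings.

Added example, not code from the GAO report or from EOUSA. Models one
scan-and-compare cycle: each host's collected settings are checked
against a baseline policy (password management and screen-saver
parameters, as named in the report), and per-host findings are rolled
up into the kind of summary a monthly report would carry. All policy
values and host records below are constructed, not real.
"""
from dataclasses import dataclass

# Constructed baseline: setting -> (comparison, required value).
# "ge" = actual must be >= required, "le" = actual must be <= required,
# "eq" = actual must equal required.
BASELINE = {
    "min_password_length": ("ge", 12),
    "max_password_age_days": ("le", 90),
    "password_history": ("ge", 10),
    "lockout_threshold": ("le", 5),
    "screensaver_timeout_sec": ("le", 900),
    "screensaver_requires_password": ("eq", True),
}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: str
    actual: object


def check_host(host: str, settings: dict) -> list:
    """Return one Finding per baseline parameter the host fails.

    A missing parameter is a finding (the scan could not prove compliance),
    and a lockout threshold of 0 is a finding even though 0 <= 5, because
    on Windows-style policies 0 means "never lock the account".
    """
    findings = []
    for key, (op, want) in BASELINE.items():
        if key not in settings:
            findings.append(Finding(host, key, f"{op} {want}", "<missing>"))
            continue
        got = settings[key]
        if key == "lockout_threshold" and got == 0:
            findings.append(Finding(host, key, f"{op} {want} and nonzero", got))
            continue
        try:
            ok = {"ge": got >= want, "le": got <= want, "eq": got == want}[op]
        except TypeError:  # e.g. a string where a number was expected
            ok = False
        if not ok:
            findings.append(Finding(host, key, f"{op} {want}", got))
    return findings


def summarize(hosts: dict) -> dict:
    """Roll per-host findings into report totals and a per-setting count."""
    by_setting = {key: 0 for key in BASELINE}
    compliant = 0
    all_findings = []
    for host, settings in hosts.items():
        findings = check_host(host, settings)
        if not findings:
            compliant += 1
        for f in findings:
            by_setting[f.setting] += 1
        all_findings.extend(findings)
    return {
        "hosts": len(hosts),
        "compliant": compliant,
        "findings": all_findings,
        "by_setting": by_setting,
    }


# Constructed scan results for three hypothetical hosts.
SAMPLE_HOSTS = {
    "ws-01": {
        "min_password_length": 14, "max_password_age_days": 60,
        "password_history": 24, "lockout_threshold": 5,
        "screensaver_timeout_sec": 600, "screensaver_requires_password": True,
    },
    "ws-02": {  # weak password length, lock screen without password
        "min_password_length": 8, "max_password_age_days": 90,
        "password_history": 10, "lockout_threshold": 3,
        "screensaver_timeout_sec": 900, "screensaver_requires_password": False,
    },
    "srv-03": {  # lockout disabled, screen-saver timeout not collected
        "min_password_length": 12, "max_password_age_days": 45,
        "password_history": 12, "lockout_threshold": 0,
        "screensaver_requires_password": True,
    },
}

if __name__ == "__main__":
    report = summarize(SAMPLE_HOSTS)
    print(f"{report['compliant']}/{report['hosts']} hosts compliant")
    for f in report["findings"]:
        print(f"  {f.host}: {f.setting} expected {f.expected}, got {f.actual!r}")
```

The two edge cases in `check_host` are the ones that make a scan-based check trustworthy rather than merely optimistic: a parameter the scan failed to collect is reported as a failure, not silently skipped, and a value that passes the numeric comparison but disables the control (lockout threshold 0) is caught explicitly.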

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for system acquisition management, develop and implement a policy for contract tracking and oversight.

Agency Affected: Department of Justice

Status: Implemented

Comments: Section 3-16.100 of the U.S. Attorneys' Manual defines policy for systems acquisition, including contract oversight. When we followed up on this recommendation with EOUSA in November 2004, officials stated that the agency had not acquired any systems since our review and therefore could not demonstrate implementation of the policy. They noted, however, that the policy would help ensure that systems acquisition practices are implemented when a system is acquired.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for system acquisition management, develop and implement a policy for system acquisition planning.

Agency Affected: Department of Justice

Status: Implemented

Comments: Section 3-16.100 of EOUSA's U.S. Attorneys' Manual states that systems acquisitions shall be documented and executed in accordance with industry-standard capability maturity model practices and procedures. When we followed up on this recommendation with EOUSA in November 2004, officials stated that the agency had not acquired any systems since our review and therefore could not demonstrate implementation of the policy. They noted, however, that the policy would help ensure that systems acquisition practices are implemented when a system is acquired.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for system acquisition management, address the remaining key practices associated with evaluation as the Enterprise Case Management System progresses in the life cycle.

Agency Affected: Department of Justice

Status: Not Implemented

Comments: This recommendation is no longer applicable as EOUSA is no longer pursuing its Enterprise Case Management System. On November 19, 2004, EOUSA officials told us that the Justice Department was developing a departmentwide case management system into which ECMS would be subsumed.

Recommendation: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, the Attorney General should direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, for system acquisition management, ensure that the Software Engineering Institute acquisition practices identified in this report are used in future system acquisitions.

Agency Affected: Department of Justice

Status: Implemented

Comments: On November 19, 2004, EOUSA officials stated that no systems were being procured by EOUSA. They noted, however, that the policies addressing the various key practices we reviewed would help ensure that these practices are used in future system acquisitions.

Recommendation: In developing these plans, the Director of EOUSA should ensure that each plan (1) is integrated with the other three plans; (2) defines clear and measurable goals, objectives, and milestones; (3) specifies resource needs; and (4) assigns clear responsibility and accountability for implementing the plan. In implementing each plan, the Director should ensure that the needed resources are provided and that progress is measured and reported periodically to the Attorney General.

Agency Affected: Department of Justice: Executive Office for United States Attorneys

Status: Implemented

Comments: On 11/11/2004, EOUSA provided GAO a plan defining key actions and dates to address our recommendations for improving its practices for enterprise architecture management, IT investment management, information security, and systems acquisition. According to EOUSA's analyst responsible for coordinating enterprise architecture and investment management activities, the plan was approved by the Acting CIO.