Information Technology: FBI Needs an Enterprise Architecture to Guide Its Modernization Activities

GAO-03-959 September 25, 2003

Summary

The Federal Bureau of Investigation (FBI) is in the process of modernizing its information technology (IT) systems. Replacing much of its 1980s-based technology with modern system applications and a robust technical infrastructure, this modernization is intended to enable the FBI to take an integrated approach--coordinated agencywide--to performing its critical missions, such as federal crime investigation and terrorism prevention. GAO was requested to conduct a series of reviews of the FBI's modernization management. The objective of this first review was to determine whether the FBI has an enterprise architecture to guide and constrain modernization investments.

About 2 years into its ongoing systems modernization efforts, the FBI does not yet have an enterprise architecture. An enterprise architecture is an organizational blueprint that defines--in logical or business terms and in technology terms--how an organization operates today, intends to operate in the future, and intends to invest in technology to transition to this future state. GAO's research has shown that attempting to modernize an IT environment without a well-defined and enforceable enterprise architecture risks, among other things, building systems that do not effectively and efficiently support mission operations and performance. The FBI acknowledges the need for an enterprise architecture and has committed to developing one by the fall of 2003. However, it currently lacks the means for effectively reaching this end. For example, while the bureau did recently designate a chief architect and select an architecture framework to use, it does not yet have an agency architecture policy, an architecture program management plan, or an architecture development methodology, all of which are necessary components of effective architecture management. Given the state of the FBI's enterprise architecture management efforts, the bureau is at Stage 1 of GAO's enterprise architecture management maturity framework. Organizations at Stage 1 are characterized by architecture efforts that are ad hoc and unstructured, lack institutional leadership and direction, and do not provide the management foundation necessary for successful architecture development and use as a tool for informed IT investment decision making. A key for an organization to advance beyond this stage is to treat architecture development, maintenance, and implementation as an institutional management priority, which the FBI has yet to do. To do less will expose the bureau's ongoing and planned modernization efforts to unnecessary risk.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.



Recommendations for Executive Action


Recommendation: The FBI Director should immediately designate EA development, maintenance, and implementation as an agency priority and manage it as such. To this end, the Director should ensure that appropriate steps are taken to develop, maintain, and implement an EA in a manner consistent with our architecture management framework. This includes first laying an effective EA management foundation by (1) ensuring that all business partners are represented on the architecture governance board; (2) adopting an architecture development methodology and automated tool; (3) establishing an EA program office that is accountable for developing the EA; (4) tasking the program office with developing a management plan that specifies how and when the EA is to be developed and issued; (5) ensuring that the management plan provides for the bureau's "as-is" and "to-be" environments, as well as a sequencing plan for transitioning from the "as-is" to the "to-be"; (6) ensuring that the management plan also describes the enterprise in terms of business, data, applications, and technology; (7) ensuring that the plan also calls for describing the security related to the business, data, and technology; (8) ensuring that the plan establishes metrics for measuring EA progress, quality, compliance, and return on investment; and (9) allocating the necessary funding and personnel to EA activities.

Agency Affected: Department of Justice: Federal Bureau of Investigation

Status: Implemented

Comments: In September 2003, the FBI Director designated EA development, maintenance, and implementation a bureau priority, and, in early September 2005, the bureau began taking the necessary steps to lay an effective EA management foundation. For example, the bureau established an Enterprise Architecture Board with division representatives (among others) to direct, oversee, and approve the EA. In addition, the bureau adopted a framework and automated tool (Popkin) for its enterprise architecture repository. Further, it established a program office, with responsibility for the development, implementation, and maintenance of the EA. Moreover, this office developed a program management plan in October 2004 that specifies how and when the EA is to be developed and issued; provides for the bureau's "as-is" and "to-be" environments, as well as a sequencing plan for transitioning from the "as-is" to the "to-be"; calls for describing the enterprise in terms of business, data, applications, and technology, including describing security related to each; and establishes metrics for measuring EA progress, quality, compliance, and return on investment. More recently, the bureau has adopted an EA methodology and allocated the necessary resources for the bureau's EA activities.

Recommendation: Next, the Director should ensure that steps to develop the architecture products include (1) establishing a written and approved policy for EA development; (2) placing EA products under configuration management; (3) ensuring that EA products describe the enterprise's business, as well as the data, applications, and technology that support it; (4) ensuring that EA products describe the "as-is" environment, the "to-be" environment, and a sequencing plan; (5) ensuring that business, performance, data, application, and technology descriptions address security; and (6) ensuring that progress against EA plans is measured and reported.

Agency Affected: Department of Justice: Federal Bureau of Investigation

Status: Implemented

Comments: In early September 2005, we reported (in Information Technology, FBI Is Taking Steps to Develop an Enterprise Architecture, but Much Remains to be Developed, GAO-05-363) that the FBI had a written and approved policy for EA development, and that EA products, such as the program management plan, have been placed under configuration management. We also reported that the bureau is in the process of developing its "as-is" and "to-be" architectures which describe the enterprise's business, performance, data, applications and technology, including descriptions for security services. Further, we reported that the bureau's EA products are to describe the "as-is" environment, the "to-be" environment, and a sequencing plan. In addition, we reported that the FBI is measuring and reporting progress against EA plans.

Recommendation: In addition, the Director should ensure that steps to complete architecture products include (1) establishing a written and approved policy for EA maintenance; (2) ensuring that EA products and management processes undergo independent verification and validation; (3) ensuring that EA products describe the enterprise's business and the data, application, and technology that supports it; (4) ensuring that EA products describe the "as-is" environment, the "to-be" environment, and a sequencing plan; (5) ensuring that business, performance, data, application, and technology descriptions address security; (6) ensuring that the Chief Information Officer approves the EA; (7) ensuring that the steering committee and/or the investment review board has approved the current version of the EA; and (8) measuring and reporting on the quality of EA products.

Agency Affected: Department of Justice: Federal Bureau of Investigation

Status: Implemented

Comments: In early September 2005, we reported that the FBI hired a contractor to begin performing independent verification and validation on EA products and management processes. Since that time, independent verification and validation of EA products and management processes has occurred. In addition, the bureau established a plan that addresses EA maintenance. Further, the FBI's EA Baseline Architecture, the EA Target Architecture, and to a limited extent, the FBI Transition & Sequencing Plan specify a number of critical products, such as descriptions of the bureau's business, data, applications, and technology, as well as the "as-is" and "to-be" environments. A number of EA products have been approved by the CIO and relevant oversight committees within the bureau, such as the Enterprise Architecture Board. In addition, the FBI defined measures and metrics for its EA work and reports that it is instituting regular reporting on progress against those metrics.

Recommendation: Further, the Director should ensure that steps taken to use the EA to manage modernization efforts include (1) establishing a written and approved policy for IT investment compliance with EA, (2) establishing processes to formally manage EA changes, (3) ensuring that EA is an integral component of IT investment management processes, (4) ensuring that EA products are periodically updated, (5) ensuring that IT investments comply with the EA, (6) obtaining Director approval of the current EA version, (7) measuring and reporting EA return on investment, and (8) measuring and reporting on EA compliance.

Agency Affected: Department of Justice: Federal Bureau of Investigation

Status: Implemented

Comments: In early September 2005, we reported that the bureau had established a written policy for IT investment compliance with its EA (recommendation element 1), and had developed a configuration management plan, which defines a process to formally manage change. Since that time, the FBI CIO developed an IT Investment Management Process that makes EA part of IT investment management, ensures that EA products are updated, and that explicitly evaluates IT investment based on EA compliance. In addition, the FBI Director approved several of the current EA documents, including the FBI EA Target Architecture. Moreover, the FBI reports that it is instituting regular reporting on the return on its EA investments, although we have yet to receive documentation demonstrating actual measurement and reporting. Further, a number of relevant EA documents have been approved by the FBI Director.

Recommendation: Finally, the Director should ensure that the bureau develops and implements an agency strategy for mitigating the risks associated with continued investment in modernized systems before it has an EA and controls for implementing it.

Agency Affected: Department of Justice: Federal Bureau of Investigation

Status: Implemented

Comments: According to FBI's CIO, the bureau has developed and implemented a strategy for mitigating the risks associated with continued investment absent its EA. The strategy calls for the CIO and the enterprise architecture board (EAB) to review all IT proposals and investments to ensure alignment with the bureau's EA vision--a set of foundational principles. In addition, the bureau reports it has begun implementing the strategy on its IT investments. For example, according to the CIO, in June 2004, he and the board reviewed five proposed investments for consistency with the bureau's EA vision. Further, the CIO stated that as EA products evolve and are delivered, the bureau plans to use them to guide and constrain IT investment decision-making, which our review of EAB minutes shows is happening.