This is the accessible text file for GAO report number GAO-08-922
entitled 'DOD Business Systems Modernization: Planned Investment in
Navy Program to Create Cashless Shipboard Environment Needs to Be
Justified and Better Managed' which was released on September 8, 2008.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Subcommittee on Readiness and Management Support,
Committee on Armed Services, U.S. Senate:
United States Government Accountability Office:
GAO:
September 2008:
DOD Business Systems Modernization:
Planned Investment in Navy Program to Create Cashless Shipboard
Environment Needs to Be Justified and Better Managed:
GAO-08-922:
GAO Highlights:
Highlights of GAO-08-922, a report to the Subcommittee on Readiness and
Management Support, Committee on Armed Services, U.S. Senate.
Why GAO Did This Study:
GAO has designated the Department of Defense’s (DOD) multi-billion
dollar business systems modernization efforts as high risk, in part
because key information technology (IT) management controls have not
been implemented on key investments, such as the Navy Cash program.
Initiated in 2001, Navy Cash is a joint Department of the Navy (DON)
and Department of the Treasury Financial Management Service (FMS)
program to create a cashless environment on ships using smart card
technology, and is estimated to cost about $320 million to fully
deploy. As requested, GAO analyzed whether DON is effectively
implementing IT management controls on the program, including
architectural alignment, economic justification, requirements
development and management, risk management, security management, and
system quality measurement against relevant guidance.
What GAO Found:
Key IT management controls have not been effectively implemented on
Navy Cash, to the point that further investment in this program, as it
is currently defined, has not been shown to be a prudent and judicious
use of scarce modernization resources. In particular, Navy Cash has not
been (1) assessed and defined in a way to ensure that it is not
duplicative of programs in the Air Force and the Army that use smart
card technology for electronic retail transactions and (2) economically
justified on the basis of reliable analyses of estimated costs and
expected benefits over the program’s life. As a result, DON cannot
demonstrate that the investment alternative that it is pursuing is the
most cost-effective solution to satisfying its mission needs.
Moreover, other management controls, which are intended to maximize the
chances of delivering defined and justified system capabilities and
benefits on time and within budget, have not been effectively
implemented.
* System requirements have not been effectively managed. For example,
neither policies nor plans that define how system requirements are to
be managed, nor an approved baseline set of requirements that are
justified and needed to cost-effectively meet mission needs, exist.
Instead, requirements are addressed reactively through requests for
changes to the system based primarily on the availability of funding.
* Program risks have not been effectively managed. In particular,
plans, processes, and procedures that provide for identifying,
mitigating, and disclosing risks have not been defined, nor have risk-
related roles and responsibilities for key stakeholders.
* System security has not been effectively managed, thus putting the
confidentiality, integrity, and availability of deployed and operating
shipboard devices, applications, and data at increased risk of being
compromised. For example, the mitigation of system vulnerabilities by
applying software patches has not been effectively implemented.
* Key aspects of system quality are not being effectively measured. For
example, data for determining trends in unresolved system change
requests, which is an indicator of system stability, as well as user
feedback on system satisfaction, are not being collected and used.
Program oversight and management officials acknowledged these
weaknesses and cited turnover of staff in key positions and their
primary focus on deploying Navy Cash as reasons for the state of some
of these IT management controls. Collectively, this means that, after
investing about 6 years and $132 million on Navy Cash and planning to
invest an additional $60 million to further develop the program, the
department has yet to demonstrate through verifiable analysis and
evidence that the program, as currently defined, is justified.
Moreover, even if further investment was to be demonstrated, the manner
in which the delivery of program capabilities is being managed is not
adequate. As a result, the program is at risk of delivering a system
solution that falls short of cost, schedule, and performance
expectations.
What GAO Recommends:
GAO recommends that investment of modernization funding in Navy Cash be
limited until a basis for informed decision making is established, and
that other program management weaknesses be corrected, as appropriate.
DOD agreed with most of GAO’s recommendations and described actions
underway or planned to address them, while FMS committed to supporting
DON in implementing them. Both provided other comments that GAO
addresses in the report.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-922]. For more
information, contact Randolph C. Hite at (202) 512-3439 or
hiter@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Key IT Management Controls Have Not Been Effectively Implemented on
Navy Cash:
Conclusions:
Recommendations:
Agency Comments and Our Evaluation:
Appendix I: Objective, Scope, and Methodology:
Appendix II: Comments from the Department of Defense:
Appendix III: Comments from the Department of the Treasury, Financial
Management Service:
Appendix IV: GAO Contacts and Staff Acknowledgments:
Tables:
Table 1: Capabilities and Limitations of Navy Cash Predecessor Systems:
Table 2: Organizations Responsible for Navy Cash Oversight and
Management:
Table 3: Summary of Business System Acquisition Best Practices:
Table 4: Summary of Cost-Estimating Characteristics That the Cost
Estimate Satisfies:
Table 5: Satisfaction of OMB Economic Analysis Criteria:
Figures:
Figure 1: Simplified Diagram of Navy Cash Network:
Figure 2: Actual and Estimated Development and Operations and
Maintenance Costs for Navy Cash:
Figure 3: DON and FMS Roles and Relationships for Navy Cash:
Abbreviations:
ATM: automated teller machine:
BEA: business enterprise architecture:
DOD: Department of Defense:
DON: Department of the Navy:
FISMA: Federal Information Security Management Act:
FMS: Department of the Treasury, Financial Management Service:
IT: information technology:
NAVSUP: Naval Supply Systems Command:
NIST: National Institute of Standards and Technology:
NTCSS: Naval Tactical Command Support System:
OMB: Office of Management and Budget:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
September 8, 2008:
The Honorable Daniel K. Akaka:
Chairman:
The Honorable John Thune:
Ranking Member:
Subcommittee on Readiness and Management Support:
Committee on Armed Services:
United States Senate:
The Honorable John Ensign:
United States Senate:
For decades, the Department of Defense (DOD) has been challenged in
modernizing its business systems.[Footnote 1] In 1995, we designated
the department's modernization effort as high-risk, and we continue to
do so today.[Footnote 2] Among our reasons for doing so are the
enormous size and complexity of the effort, and the department's long-
standing challenges in implementing effective information technology
(IT) management controls on each business system investment.
One of the Department of the Navy's (DON) larger business system
modernizations is Navy Cash. Initiated in 2001, the program is to
create a cashless environment on ships through the use of smart card
technology.[Footnote 3] It is being executed jointly with the
Department of the Treasury's Financial Management Service (FMS), under
which DON is responsible for managing the acquisition of Navy Cash,
while FMS is responsible for (1) managing the funds distributed through
the system and (2) developing and maintaining the system. Navy Cash is
expected to cost approximately $320 million to develop and implement
over a 14-year period. Of this, $220 million is being funded by DON and
$100 million is being funded by FMS. The system is to be fully deployed
in fiscal year 2011.
As agreed, our objective was to determine whether DON is effectively
implementing IT management controls on Navy Cash. To accomplish this,
we analyzed a range of program documentation and interviewed cognizant
officials relative to the following IT management controls:
architectural alignment, economic justification, requirements
development and management, risk management, security management, and
system quality measurement. In doing so, we compared DON's efforts in
each control area to relevant federal and industry requirements and
guidance.
We conducted this performance audit between June 2007 and September
2008, in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objective. We
believe that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objective. Additional
details on our objective, scope, and methodology are in appendix I.
Results in Brief:
Key IT management controls have not been effectively implemented on
Navy Cash. Collectively, these IT management controls are intended to
ensure that a selected system investment alternative represents the
most cost-effective option to meeting a mission need and, if it is,
that the proposed investment, as defined, is acquired and deployed in a
way that maximizes the chances of delivering promised system
capabilities and benefits on time and within budget. For Navy Cash,
these management controls have largely not been implemented. As a
result, investment in the system has not been justified. More
specifically:
* Navy Cash has not been assessed to ensure that it is not duplicative
of programs in the Air Force and the Army that also provide for the use
of smart card technology for electronic retail transactions. As a
result, the extent of such duplication, and thus the opportunity for
DOD to share and reuse system functions and services across the
military departments, is not known. Within DOD, the means for avoiding
business system duplication and overlap is the department's process for
assessing compliance with the DOD business enterprise architecture
(BEA).[Footnote 4] However, the BEA does not contain business
activities that Navy Cash supports and according to DOD officials, are
not planned for inclusion in the architecture. Further, even if the BEA
included the business activities that Navy Cash supports, the program's
ability to assess architecture compliance would have been limited
because the program office did not develop a complete set of system-
level architecture products needed to perform a meaningful compliance
assessment. As a result, resources are being invested to deliver
capabilities that could be potentially duplicative of similar programs
in the department; therefore, DOD may not be pursuing the most cost-
effective solution to its mission needs.
* Navy Cash has not been economically justified on the basis of
reliable analyses of estimated costs and expected benefits over the
life of the program. According to the latest economic analysis, the
program is expected to produce estimated benefits of about $133 million
for an estimated cost of about $100 million. However, the cost estimate
is not reliable because it covers only 6 years of costs, while the
program's estimated life cycle is now at least 14 years. Moreover, the
cost estimate excludes FMS's costs, and it was not derived in
accordance with effective estimating practices, such as adjusting the
estimate to account for program risks and changes to the program. At
the same time, the economic analysis did not consider all relevant
alternatives, such as leveraging in part or in total the above
mentioned Air Force and Army programs. Further, the benefits projection
erroneously counted $40 million as cost savings rather than cost
transfers (i.e., shift in the control over spending from one group to
another that does not result in an economic gain); therefore, projected
benefits should only be $93 million. Additionally, the economic
analysis has not been validated using data on actual benefits accrued
to date. Without a reliable economic analysis, DON's ongoing and
planned investment in Navy Cash lacks adequate justification and may
not be a cost-effective course of action.
Even if investment in Navy Cash were justified, the manner in which the
system is being acquired and deployed does not reflect other key IT
management controls, and thus introduces considerable cost, schedule,
and performance risks.
* System requirements have not been adequately developed and managed.
In particular, basic requirements documentation does not exist to
inform program estimates of the costs and schedule needed to accomplish
the work associated with delivering predetermined and economically
justified system capabilities. In addition, plans and procedures that
define how system requirements are to be managed and who is responsible
for doing so do not exist. As a result, ongoing system development is
not focused on delivering an approved baseline set of capabilities, but
rather is reactive to addressing requirements that emerge through the
program's change control process. Under this process, users propose
changes to the system and these proposals are approved or disapproved
by a joint DON and FMS change control board primarily on the basis of
consensus about the need for the change and the availability of funds.
The result is an inability to develop and measure performance against
meaningful cost, schedule, and capability baselines, and thereby
reasonably ensure that Navy Cash is meeting expectations, and that
those responsible for it are accountable for the results.
* Program risks have not been effectively managed. In particular,
plans, processes, and procedures that provide for identifying,
mitigating, and disclosing risks do not exist, and risk management
roles and responsibilities have not been assigned to key stakeholders.
As a result, the program office is not proactively attempting to avoid
the occurrence of cost, schedule, and performance problems, but rather
is reacting to the consequences of actual problems.
* The security of deployed and operating Navy Cash shipboard devices,
applications, and data has not been effectively managed. Specifically,
the program office has not (1) fully implemented a comprehensive patch
management process; (2) followed an adequate process for planning,
implementing, evaluating, and documenting remedial actions for known
information security weaknesses; (3) obtained adequate assurance that
FMS has effective security controls in place to protect Navy Cash
applications and data; and (4) developed an adequate contingency plan
and conducted effective contingency plan testing. As a result, the
confidentiality, integrity, and availability of deployed and operating
Navy Cash shipboard devices, applications, and financial data are at
increased risk of being compromised.
* System quality is not being effectively measured because sufficient
data for determining trends in unresolved change requests, which is an
indicator of a system's stability and for understanding users'
satisfaction with the system, are not being collected and used. To the
program's credit, it has (1) established a change control board to
review and decide whether to approve requests for changes to the system
and (2) conducted a survey to assess the extent to which users are
satisfied with the system. However, the program office has not
consistently collected and captured the data needed to analyze trends
in significant change requests that have not been resolved, such as the
dates that the change requests are opened and closed, and the priority
of change requests. In addition, the last user survey was conducted 6
years ago and this survey was limited to a prototype version of the
system operating on two ships. Without meaningful data in these areas,
the quality of the system is not clear.
Program officials acknowledged the above weaknesses and attributed them
to, among other things, turnover of staff in key positions and their
focus on deploying the system. Further, they stated that addressing
these weaknesses has not been a top program priority because Navy Cash
has been deployed to and is operating on about 80 percent of the ships.
Given that the department still plans to invest an additional $60
million to further develop the program, it is important to treat all
the weaknesses that we have identified as priorities.
Accordingly, we are making recommendations to the Secretary of Defense
aimed at limiting further investment of modernization funding in Navy
Cash to only (1) deployment of already developed and tested
capabilities, (2) correction of information security vulnerabilities
and weaknesses on ships where it has been deployed and is operating,
and (3) development of the basis for deciding whether further
development, as planned, is in the department's best interest to
pursue. If further investment in development can be justified, then we
are recommending that the IT management control weaknesses related to
requirements management, risk management, and system quality
measurement discussed in this report be considered program management
priorities and that they be addressed before significant system
development and modernization activities begin.
We received written comments on a draft of this report from both DOD
and FMS. In DOD's comments, signed by the Deputy Under Secretary of
Defense (Business Transformation) and reprinted in appendix II, the
department stated that it concurred with 9 of our 11 recommendations,
partially concurred with 1, and non-concurred with the remaining 1.
* In non-concurring with our recommendation for limiting further
investment in the program, the department actually concurred with two
out of three aspects of the recommendation. Nevertheless, for the
aspect of our recommendation aimed at limiting further investment in
the program to certain types of spending, it stated that it did not
concur with limiting investment to the exclusion of needed maintenance
(e.g., technology refresh) of operational systems. We agree with this
comment, as it is consistent with statements in our report, including
the recommendation on the report's highlights page and the report's
conclusions, which focus on limiting investment of modernization
funding only, and not operations and maintenance funding. To avoid any
misunderstanding as to our intent, we have clarified our report.
* With respect to our recommendation for optimizing the relationships
among DOD's programs that provide smart card technology for electronic
retail and banking transactions, the department stated that while it
concurs with the overall intent of the recommendation, it believes that
the Office of the Under Secretary of Defense (Comptroller) is the
appropriate organization to implement it. Since our intent was not to
prescribe the only DOD organization that should be responsible for
implementing the recommendation, we have slightly modified the
recommendation to provide the department flexibility in this regard.
In FMS's comments, signed by the Commissioner and reprinted in appendix
III, the service stated that our recommendations will help strengthen
the Navy Cash program and that it has begun to address several of our
findings and recommendations. Further, it stated that it will work with
and support DOD in implementing the recommendations, and consistent
with DOD's comments, stated that it did not agree with limiting
investment in the program to the exclusion of maintenance of deployed
systems. As noted above, this is not the intent of our recommendation,
and we have slightly modified the report to avoid any possible
confusion as to our intent. Notwithstanding FMS's agreement with our
recommendations, it provided additional comments on the findings that
underlie several of the recommendations. For various reasons discussed
in detail in the agency comments section of this report, we either do
not agree with most of these additional comments or do not find most of
them to be germane to our findings and recommendations.
Background:
DON's primary mission is to organize, train, maintain, and equip combat-
ready naval forces capable of winning the global war on terror and any
other armed conflict, deterring aggression by would-be foes, preserving
freedom of the seas, and promoting peace and security. To support this
mission, DON performs a variety of interrelated and interdependent
business functions (e.g., acquisition and financial management),
relying heavily on IT systems. In fiscal year 2008, DON's IT budget was
about $2.7 billion, of which $2.2 billion was allocated to operations
and maintenance of existing systems and the remaining $500 million to
systems in development and modernization. Of the approximately 3,000
business systems that DOD reports in its current inventory, DON
accounts for 904, or about 30 percent, of the total. The Navy Cash
system is one such system investment.
Navy Cash: A Brief Description:
In 2001, DON initiated Navy Cash in partnership with Treasury's FMS to
enable sailors and marines to use smart cards that store monetary
value, also known as stored value cards, to make retail purchases and
conduct banking transactions while on ships and ashore. The program
builds upon capabilities that have been incrementally introduced from
previously deployed systems. (Table 1 summarizes these systems and
their capabilities and limitations.)
Table 1: Capabilities and Limitations of Navy Cash Predecessor Systems:
System: Automated Teller Machines (ATMs)-At-Sea;
Year deployed: 1988;
Capabilities: Localized, shipboard ATMs that received and accounted for
a portion of sailors' and marines' paycheck to be available through
ATMs. According to DON, this reduced disbursing office workload and
provided a more secure means of storing personal funds. This system was
replaced by ATMs-at-Sea/Commercial Banking Afloat;
Limitations: User accounts were limited to a particular ship; no direct
access to personal bank accounts ashore.
System: ATMs-At-Sea/Commercial Banking Afloat;
Year deployed: 1996;
Capabilities: Sailors and marines had access to ship-based ATM account
or personal bank accounts ashore via satellite communication;
Limitations: Communication link not always available to smaller ships.
Source: GAO analysis of DON data.
[End of table]
According to DOD, Navy Cash's key objectives include introducing
workload efficiencies and improving the quality of life for sailors and
marines by:
* reducing the amount of currency on ships, which lowers costs
associated with cash handling activities;
* enabling sailors and marines to conduct ashore banking transactions
from ships; and:
* enabling sailors and marines to conduct banking or retail
transactions while ashore (wherever these branded debit cards are
accepted).
Navy Cash consists of various equipment and devices, including servers
that connect to the ship's local area network as well as point-of-sale
terminals and ATMs that communicate with Navy Cash smart cards. These
cards contain an electronic chip that stores monetary value and
interacts with the various devices for conducting electronic retail
purchases and personal banking transactions on the ships. On shore,
cardholders can access their Navy Cash accounts via ATMs worldwide or
conduct retail purchases using the card's magnetic stripe, which
provides a debit card feature. According to program officials, while
ashore, sailors and marines have access to over 1,000,000 ATMs and 23
million merchants worldwide.
Navy Cash uses a ship's Automated Digital Network System to access
satellite communications systems, and then transmits transaction files
off the ship through fleet network operations centers to a financial
agent (i.e., bank) ashore. To do so, it uses a store-and-forward
process[Footnote 5] to batch transactions together and transmit them
off the ship typically during non-peak evening hours. These
transactions are then processed in a manner similar to personal check
processing through the Automated Clearing House.[Footnote 6] Figure 1
is a simplified illustration of the Navy Cash network used to transmit
these transactions.
Figure 1: Simplified Diagram of Navy Cash Network:
[See PDF for image]
This figure is a simplified diagram of Navy Cash network, depicting the
following flow of information:
Local area Network (on board navy vessel):
Point-of-sale device;
- Bank card:
Cashless ATM;
- Bank card:
Navy Cash server (daily batch processing);
Automated Digital Network System:
Connects through Satellite communications to:
Fleet network operations center;
Connects through commercial landlines to:
U.S. Treasury financial agent bank;
Financial network and other financial institutions.
Source: GAO, based on DON data (analysis); Art Explosion (clip art).
[End of figure]
Originally, the program was expected to be fully deployed and reach
full operational capability by December 2008 at an estimated cost of
about $100 million over a 6-year life cycle.[Footnote 7] The program
office now expects the program to reach full operational capability in
fiscal year 2011, and it estimates the program's 14-year life cycle
cost[Footnote 8] to be about $320 million, of which about $100 million
is to be funded by FMS. Of the $320 million, about $136 million is for
development and modernization, and about $184 million is for operations
and maintenance. From fiscal year 2002 to 2007, DON and FMS reported
that approximately $132 million has been spent on the program, of which
$47 million is FMS's cost. Of the $188 million expected to be spent
(fiscal years 2008-2015), about $57 million is for development and
modernization. (See fig. 2 for a breakdown of the actual and planned
costs.)
Figure 2: Actual and Estimated Development and Operations and
Maintenance Costs for Navy Cash:
[See PDF for image]
This figure is a stacked vertical bar graph depicting the following
data:
Actual fiscal years 2002-2007, Operations and maintenance: $53 million;
Actual fiscal years 2002-2007, Development and modernization: $79
million;
Total: $132 million.
Estimated fiscal years 2008-2015, Operations and maintenance: $131
million;
Estimated fiscal years 2008-2015, Development and modernization: $57
million;
Total: $188 million.
Source: DON and FMS.
[End of figure]
When fully deployed, the program office estimates that Navy Cash could
process over $350 million annually in transactions initiated by about
170,000 sailors and marines worldwide on approximately 160 ships. As of
April 2008, the program has been deployed to approximately 130 ships.
Navy Cash Oversight and Management Roles and Responsibilities:
To manage the acquisition and deployment of Navy Cash, DON established
a program management office within the Naval Supply Systems Command
(NAVSUP).[Footnote 9] As authorized by statute[Footnote 10] and because
of its experience in developing stored value card programs for other
military departments, NAVSUP has partnered with FMS to develop Navy
Cash. In February 2001, NAVSUP and FMS signed a memorandum of agreement
that, among other things, delineated their respective program roles and
responsibilities. According to the agreement, NAVSUP, through the Navy
Cash program office, is responsible for managing the acquisition of the
program, including managing system requirements and developing program
cost and benefit estimates. According to DOD and other relevant
guidance, acquisition management includes, among other things, such key
IT management control areas as architectural alignment, economic
justification, requirements management, risk management, security
management, and system quality measurement.
Also according to the agreement, FMS, through a designated financial
agent, is to (1) provide for all financial services (i.e., manage the
funds distributed through Navy Cash) and (2) develop, test, operate,
and maintain the system's software (e.g., terminal and accounting
applications) and hardware (e.g., accounting servers, smart cards). In
short, the financial agent acts as the depository bank, holding and
managing the pool of sailor and marine funds, including accounting for
the funds and settling transactions processed. FMS is also responsible
for tracking and overseeing the financial agent's provision of
services, as defined in a financial agency agreement between FMS and
the agent. (See fig. 3 for DON and FMS roles and relationships for Navy
Cash.)
Figure 3: DON and FMS Roles and Relationships for Navy Cash:
[See PDF for image]
This figure is an illustration of DON and FMS roles and relationships
for Navy Cash:
DON:
Manages acquisition of the system.
FMS:
Oversees development, implementation, and maintenance of the system.
DON/FMS: Change Management Approval Group:
Decides on system changes.
Source: GAO analysis of DON and FMS data.
[End of figure]
In addition, various other organizations share program oversight and
review activities. A listing of key entities and their roles and
responsibilities can be found in table 2.
Table 2: Organizations Responsible for Navy Cash Oversight and
Management:
Entity: DOD Under Secretary of Defense, Comptroller;
Roles and responsibilities: Serves as the Navy Cash investment review
board and performs annual or milestone reviews of the planning,
programming, budgeting, and execution processes.
Entity: DON Chief Information Officer;
Roles and responsibilities: Ensures that the program's goals are
achievable and executable; conformance to financial management
regulations, and DON, DOD, and federal IT policies in several areas
(e.g., security, architecture, and investment management); and
recommends to the Secretary of DON whether to continue, modify, or
terminate IT programs based on its ability to meet these regulations.
Entity: NAVSUP (Vice Commander);
Roles and responsibilities: Serves as the milestone decision authority,
which according to DOD, has overall responsibility for the program, to
include approving the program to proceed through its acquisition cycle
on the basis of, for example, the life cycle cost-and-benefits
estimate, acquisition strategy, and acquisition program baseline.
Entity: Navy Cash Program Office;
Roles and responsibilities: Manages the acquisition by performing
activities such as assessing compliance with the DOD's BEA; preparing
cost and benefit estimates; developing and managing program
requirements; managing program risks; ensuring the confidentiality,
integrity, and availability of shipboard devices, applications, and
financial data; measuring system quality; and providing infrastructure
for installation of system hardware and software.
Entity: Treasury, FMS;
Roles and responsibilities: Manages and oversees the designated
financial agent, including holding and accounting for funds distributed
throughout the system; developing, implementing, and maintaining the
financial software and hardware; and providing life cycle support for
the maintenance of the financial software, hardware, and other
services, and ensures controls are adequate to protect transactions
processed through the designated financial agent's network and
equipment and that these controls comply with applicable rules and
regulations issued by regulatory and private organizations.[A]
Entity: Change Management Approval Group;
Roles and responsibilities: Comprised of representatives from the Navy
Cash program office and FMS that jointly review and approve changes to
system functionality.
Entity: Disbursing Officer;
Roles and responsibilities: Processes transactions from the ship to the
appropriate DON network operations center; produces system related
reporting on transactions for accounting purposes; distributes and
reports lost or stolen cards; monitors and reports on negative (i.e.,
insufficient) account balances; maintains shipboard cash reserve; and
resolves system-related issues while deployed with assistance from the
financial agent.
Source: GAO based on DON and FMS data.
[A] According to FMS, the regulatory organizations include the Office
of the Comptroller of the Currency, Federal Reserve Board, and Federal
Deposit Insurance Corporation, and the private organizations are the
National Automated Clearing House Association, as well as the
corporation whose name is branded on the Navy Cash smart card.
[End of table]
Use of IT Management Controls Maximizes Chances for Success:
Effective IT management controls are grounded in tried and proven
methods, processes, techniques, and activities that organizations
define and use to minimize program risks and maximize the chances of a
program's success. Using such best practices can result in better
outcomes, including cost savings, improved service and product quality,
and a better return on investment. For example, two software
engineering analyses of nearly 200 systems acquisitions projects
indicate that teams using systems acquisition best practices produced
cost savings of at least 11 percent over similar projects conducted by
teams that did not employ the kind of rigor and discipline embedded in
these practices.[Footnote 11] In addition, our research shows that best
practices are a significant factor in successful acquisition outcomes,
including increasing the likelihood that programs and projects will be
executed within cost and schedule estimates.[Footnote 12]
We and others have identified and promoted the use of a number of best
practices associated with acquiring IT systems.[Footnote 13] See table
3 for a description of several of these activities.
Table 3: Summary of Business System Acquisition Best Practices:
Business practice: Architectural alignment; To ensure that the
acquisition is consistent with the organization's enterprise
architecture;
Description: Architectural alignment is the process for analyzing and
verifying that the proposed architecture of the system being acquired
is consistent with the enterprise architecture for the organization
acquiring the system. Such alignment is needed to ensure that acquired
systems can interoperate and are not unnecessarily duplicative of one
another.
Business practice: Economic justification; To ensure that system
investments have an adequate economic justification;
Description: Economic justification is the process for ensuring that
acquisition decisions are based on reliable analyses of the proposed
investment's likely costs versus benefits over its useful life as well
as an analysis of the risks associated with actually realizing the
acquisition's forecasted benefits for its estimated costs. Economic
justification is not a one-time event, but rather is performed
throughout an acquisition's life cycle in order to permit informed
investment decision making.
Business practice: Requirements management; To ensure that requirements
are traceable, verifiable, and controlled;
Description: Requirements management is the process for ensuring that
the requirements are traceable, verifiable, and controlled.
Traceability refers to the ability to follow a requirement from origin
to implementation, and is critical to understanding the
interconnections and dependencies among the individual requirements,
and the impact when a requirement is changed. Requirements management
begins when the solicitation's requirements are documented and ends
when system responsibility is transferred to the support organization.
Business practice: Risk management; To ensure that risks are identified
and systematically mitigated;
Description: Risk management is the process for identifying potential
acquisition problems and taking appropriate steps to avoid their
becoming actual problems. Risk management occurs early and continuously
in the acquisition life cycle.
Business practice: Security management; To protect the confidentiality,
integrity, and availability of information and information systems;
Description: Security management is the process for implementing
controls to sufficiently prevent, limit, or detect access to computer
networks, systems, or information. Security management provides for
appropriate confidentiality, availability, and integrity of data and
information.
Business practice: System quality measurement; To ensure the maturity
and stability of system products;
Description: System quality measurement is the process for
understanding the maturity and stability of the system products being
developed, operated, and maintained so that problems can be identified
and addressed early, therefore limiting their overall impact on program
cost and schedule. One indicator of system quality is the volume and
significance of system defect reports and change proposals.
Source: GAO.
[End of table]
Prior GAO Reviews Have Identified IT Management Control Weaknesses on
DOD Business System Investments:
We have previously reported[Footnote 14] that DOD has not effectively
managed a number of business system investments. Among other things,
our reviews of individual system investments have identified weaknesses
in such things as architectural alignment and informed investment
decision making, which are also the focus areas of the Ronald W. Reagan
National Defense Authorization Act for Fiscal Year 2005[Footnote 15]
business system provisions. Our reviews have also identified weaknesses
in other system acquisition and investment management areas--such as
economic justification, requirements management, and risk management.
Recently, for example, we reported that the Army's approach for
investing about $5 billion over the next several years in its General
Fund Enterprise Business System, Global Combat Support System-Army
Field/Tactical,[Footnote 16] and Logistics Modernization Program did
not include alignment with Army enterprise architecture or use of a
portfolio-based business system investment review process.[Footnote 17]
Moreover, we reported that the Army did not have reliable processes,
such as an independent verification and validation function, or
analyses, such as economic analyses, to support its management of these
programs. We concluded that until the Army adopts a business system
investment management approach that provides for reviewing groups of
systems and making enterprise decisions on how these groups will
collectively interoperate to provide a desired capability, it runs the
risk of investing significant resources in business systems that do not
provide the desired functionality and efficiency. Accordingly, we made
recommendations aimed at improving the department's efforts to achieve
total asset visibility and enhancing its efforts to improve its control
and accountability over business system investments. The department
agreed with our recommendations.
We also reported that DON had not, among other things, economically
justified its ongoing and planned investment in the Naval Tactical
Command Support System (NTCSS)[Footnote 18] and had not invested in
NTCSS within the context of a well-defined DOD or DON enterprise
architecture. In addition, we reported that DON had not effectively
performed key measurement, reporting, budgeting, and oversight
activities, and had not adequately conducted requirements management
and testing activities. We concluded that without this information, DON
could not determine whether NTCSS as defined, and as being developed,
is the right solution to meet its strategic business and technological
needs. Accordingly, we recommended that the department develop the
analytical basis to determine if continued investment in NTCSS
represents prudent use of limited resources and to strengthen
management of the program, conditional upon a decision to proceed with
further investment in the program. The department largely agreed with
these recommendations.
In addition, we reported that the Army had not defined and developed
its Transportation Coordinators' Automated Information for Movements
System II--a joint services system with the goal of helping to manage
the movement of forces and equipment within the United States and
abroad--in the context of a DOD enterprise architecture.[Footnote 19]
We also reported that the Army had not economically justified the
program on the basis of reliable estimates of life cycle costs and
benefits and had not effectively implemented risk management. As a
result, we concluded that the Army did not know if its investment in
this program, as planned, is warranted or represents a prudent use of
limited DOD resources. Accordingly, we recommended that DOD, among
other things, develop the analytical basis needed to determine if
continued investment in this program, as planned, represents prudent
use of limited defense resources. In response, the department largely
agreed with our recommendations, and has since reduced the program's
scope by canceling planned investments.
Key IT Management Controls Have Not Been Effectively Implemented on
Navy Cash:
DOD acquisition policies and related federal guidance provide a
framework within which to manage system investments, like Navy Cash.
Effective implementation of this framework can minimize program risks
and better ensure that system investments are defined in a way to
optimally support mission operations and performance, as well as
deliver promised system capabilities and benefits on time and within
budget. Thus far, key IT management controls associated with this
framework have not been implemented on Navy Cash. In particular, the
program's overlap with and duplication of other DOD programs has not
been assessed, and the program has not been economically justified on
the basis of reliable estimates of life cycle costs and benefits. As a
result, the program, as defined, has not been shown to be the most cost-
effective investment option.
Even if investment in the proposed Navy Cash solution is shown to be a
wise and prudent course of action, the manner in which Navy Cash is
being acquired and deployed is not adequate because (1) requirements
have not been adequately developed and managed; (2) program risks have
not been effectively managed; (3) security has not been effectively
managed; and (4) system quality has not been adequately measured. As a
result, the system will likely experience performance shortfalls and
cost more and take longer to implement and maintain than necessary.
Program officials acknowledged these weaknesses and attributed them to,
among other things, turnover of staff in key positions and their focus
on deploying the system. Further, they stated that addressing these
weaknesses has not been a top program priority because Navy Cash has
been deployed to and is operating on about 80 percent of the ships.
Nevertheless, about $60 million in development and modernization
funding remains to be spent on this program. As a result, it is
important that all these weaknesses be addressed to reduce the risk of
delivering a system solution that falls short of expectations.
Key Controls for Justifying Planned Investment in Navy Cash Have Not
Been Effectively Implemented:
Investment in the proposed Navy Cash solution has not been adequately
justified. Specifically, the system solution has not been assessed
relative to other DOD programs that employ smart cards for electronic
retail transactions. Moreover, it has not been economically justified
on the basis of reliable estimates of cost and benefits over the
system's expected life. As a result, planned investment in the system,
as defined, may not be a cost-effective course of action.
Navy Cash Duplication with Other DOD Programs Has Not Been Assessed:
DOD's acquisition policies and guidance,[Footnote 20] as well as
federal and best practice guidance,[Footnote 21] recognize the
importance of investing in business systems within the context of an
enterprise architecture.[Footnote 22] Moreover, the Ronald W. Reagan
National Defense Authorization Act for Fiscal Year 2005[Footnote 23]
requires that defense business systems be compliant with the federated
BEA.[Footnote 24] Our research and experience in reviewing federal
agencies show that making investments without the context of a well-
defined enterprise architecture often results in systems that are,
among other things, duplicative of other systems.[Footnote 25]
Navy Cash has not been assessed and defined in a way to ensure that it
is not duplicative of the Eagle Cash and EZpay programs, both of which
provide for the use of smart card technology for electronic retail
transactions in support of the Air Force and the Army.[Footnote 26]
Within DOD, the means for avoiding business system duplication and
overlap is the department's process for assessing compliance with the
DOD BEA and its associated investment review and decision making
processes. In 2005, 2006, and 2007, Navy Cash was evaluated for
compliance with the BEA. However, the BEA does not contain business
activities[Footnote 27] that Navy Cash supports. According to officials
from DOD's Business Transformation Agency, which is responsible for
DOD's BEA, these business activities are not included nor are they
planned for inclusion in the BEA, because the capabilities provided by
Navy Cash relate strictly to personal banking, which is outside of the
current scope of the BEA. As a result, compliance could not be assessed
beyond concluding that Navy Cash was compliant because it did not
conflict with the BEA. Moreover, even if the BEA included the business
activities that Navy Cash supports, the program's ability to assess BEA
compliance would have been limited because the program office did not
develop a complete set of system-level architecture products needed to
perform a meaningful compliance assessment. Thus, Navy Cash's potential
overlap and duplication with similar programs is not sufficiently
understood.
According to program officials, Navy Cash is not duplicative of Eagle
Cash and EZpay because it is designed to operate on ships at sea, which
do not maintain constant network connectivity with on shore networks.
Therefore, they said that it requires different communications and
financial transaction capabilities than the other two stored value card
programs. We agree that there are important differences between the
programs. However, they all perform chip-based financial transactions,
and thus opportunities may exist for them to provide or reuse shared
system services, as well as to merge into a DOD-wide stored value card
program. According to program officials, overlap and duplication among
the programs was not assessed. This means that aspects of Navy Cash
could be potentially duplicative of these other programs, and thus DOD
may not be pursuing the most cost-effective solution to meet its
mission needs. In this regard, the program's Milestone Decision
Authority told us that the differences between Navy Cash and other
stored value card programs are minimal and stated that officials with
the three stored value card programs have recently begun discussions
with FMS on how to collaborate and possibly move towards one system
solution.
Navy Cash Has Not Been Economically Justified:
Investment in Navy Cash has not been economically justified on the
basis of a reliable analysis of estimated system costs and expected
benefits over the life of the program. Specifically, according to the
latest economic analysis, the program is expected to produce estimated
benefits of about $133 million for an estimated cost of about $100
million. However, the cost estimate is not reliable, because the
program's 2002 economic analysis is 6 years old and is based on a cost
estimate of about $100 million that was not derived in accordance with
effective estimating practices, such as including all costs over the
system's life cycle, and adjusting the estimate to account for program
risks and material program changes. Further, this economic analysis did
not comply with applicable federal guidance.[Footnote 28] For example,
it did not adequately consider all relevant alternatives, and it
erroneously counted $40 million as cost savings rather than transfers
[Footnote 29] (i.e., shift of control over spending of resources from
one group to another that do not result in an economic gain). Further,
the economic analysis has yet to be validated using actual data on the
accrual of benefits. Without an economic analysis that is reliable,
DON's ongoing and planned investment in Navy Cash lacks justification
as a cost-effective course of action.
Economic Analysis Used a Cost Estimate That Omits Relevant Costs and
Was Not Derived Using Key Estimating Practices:
A reliable cost estimate is an essential element for informed
investment decision making, realistic budget formulation and program
resourcing, meaningful progress measurement, proactive course
correction, and accountability for results. According to the Office of
Management and Budget (OMB),[Footnote 30] programs must maintain
current and well-documented estimates of program costs, and these
estimates must span the full expected life of the program. Without
reliable estimates, programs cannot be adequately justified on the
basis of reliable costs and benefits and they are at increased risk of
experiencing cost overruns, missed deadlines, and performance
shortfalls.
Our research has identified a number of best practices for effective
program cost estimating, and we have issued guidance that associates
these practices with four characteristics of a reliable cost estimate.
[Footnote 31] Specifically, estimates need to be:
* Comprehensive: The cost estimates should include both government and
financial agent costs over the program's full life cycle, from the
inception of the program through design, development, deployment, and
operation and maintenance to retirement. They should also provide a
level of detail appropriate to ensure that cost elements are neither
omitted nor double counted, and include documentation of all cost-
influencing ground rules and assumptions.
* Well-documented: The cost estimates should have clearly-defined
purposes, and be supported by documented descriptions of key program or
system characteristics (e.g., relationships with other systems,
performance parameters). Additionally, they should capture in writing
such things as the source data used and their significance, the
calculations performed and their results, and the rationale for
choosing a particular estimating method or reference. Moreover, this
information should be captured in such a way that the data used to
derive the estimate can be traced back to, and verified against, their
sources.
* Accurate: The cost estimates should provide for results that are
unbiased and not be overly conservative or optimistic (i.e., should
represent the most likely costs). In addition, the estimates should be
updated regularly to reflect material changes in the program, and steps
should be taken to minimize mathematical mistakes and their
significance. The estimates should also be grounded in a historical
record of cost estimating and actual experiences on comparable
programs.
* Credible: The cost estimates should discuss any limitations in the
analysis performed that are due to uncertainty or biases surrounding
data or assumptions. Further, the estimates' derivation should provide
for varying any major assumptions and recalculating outcomes based on
sensitivity analyses, and the estimates' associated risks and inherent
uncertainty should be disclosed. Also, the estimates should be verified
based on cross-checks using other estimating methods.
The $100 million life cycle cost estimate, as documented in the
program's 6-year old economic analysis, does not reflect many of the
practices associated with a reliable cost estimate, including several
practices related to being comprehensive and well documented, and all
related to being accurate and credible (see table 4).
Table 4: Summary of Cost-Estimating Characteristics That the Cost
Estimate Satisfies:
Characteristic of reliable estimates: Comprehensive;
Satisfied?[A]: Partially.
Characteristic of reliable estimates: Well-documented;
Satisfied?[A]: Partially.
Characteristic of reliable estimates: Accurate;
Satisfied?[A]: No.
Characteristic of reliable estimates: Credible;
Satisfied?[A]: No.
Source: GAO analysis of DON data.
[A] "Yes" means that the program office provided documentation
demonstrating satisfaction of the criterion. "Partially" means that the
program office provided documentation demonstrating satisfaction of
part of the criterion. "No" means that the program office has yet to
provide documentation demonstrating satisfaction of the criterion.
[End of table]
The cost estimate of about $100 million, as documented in the program's
2002 economic analysis, does not meet all of the practices related to
being comprehensive. Specifically, it only includes costs from fiscal
years 2003 through 2008 (6-year period), and it does not include both
the government and financial agent costs associated with development,
acquisition (non-development), implementation, and operations and
support over the system's life cycle. Moreover, it does not include
FMS's portion of the program's cost, which is estimated to be about
$100 million over a 14-year period. In addition, the cost estimate does
not clearly describe how the various cost sub-elements are aggregated
to produce the amounts associated with the two documented cost
categories, system installation costs, and operations and maintenance
costs. Therefore, it is not clear that all pertinent costs are included
and no costs are double counted. Lastly, although some key assumptions
have been identified, such as the ship implementation schedule, other
key assumptions, such as labor rates and inflation rates, are not. As a
result, the estimate cannot be considered comprehensive.
The cost estimate used in the economic analysis also addresses some,
but not all, of the practices related to being well-documented.
Specifically, the purpose of the cost estimate was clearly defined and
a technical baseline has been documented that includes, among others
things, the hardware and software specifications and planned
performance parameters. However, the calculations used to derive the
cost estimate, including descriptions of the methodologies used and
traceability back to source data (e.g., vendor quotes, salary data),
are not documented. In addition, while program officials described the
estimating approach used, such as using market research and historical
data to determine the costs associated with hardware, software, and
installations, they did not have documentation of the methodology used
to arrive at the total costs of each of these elements and how they
were combined to produce the overall cost estimate. Therefore, the
program's cost estimate cannot be considered well-documented.
In addition, the $100 million documented cost estimate lacks accuracy
because it does not reflect an assessment of the costs most likely to
be incurred. Specifically, this estimate covers only 6 years of costs
(fiscal years 2003 through 2008). In contrast, the program's current
cost estimate is about $320 million over a 14-year life cycle, and
according to program officials, the program's life cycle is being
reexamined and will likely be extended.
Lastly, the $100 million cost estimate is not credible because a
complete uncertainty analysis (i.e., both a sensitivity analysis and a
Monte Carlo simulation[Footnote 32]) was not performed on this
estimate. A sensitivity analysis reveals how the cost estimate is
affected by a change in a single assumption or cost driver, such as the
ship installation schedule, while holding all other parameters
constant. A Monte Carlo simulation assesses the aggregate variability
of the cost estimate to determine a confidence range around the
estimate. Without such analyses of uncertainty, the program office
cannot have confidence that the program can be completed within the
cost estimate.
Program officials acknowledged the limitations in the estimate, and
attributed them to turnover of staff and their current focus on
deploying the system. Nevertheless, program officials stated that they
intend to develop a revised cost estimate when they update the
program's economic analysis, but they had yet to establish a date for
accomplishing this. Given that a significant amount of development and
modernization funding remains to be invested on the program, it is
important that the program office economically justify such investment.
Economic Analysis Does Not Satisfy Other Relevant Guidance:
According to OMB,[Footnote 33] economic analyses should meet certain
criteria to be considered reasonable, such as comparing alternatives on
the basis of net present value and conducting an uncertainty analysis
of benefits.
The program's December 2002 economic analysis meets one, does not meet
four, and partially meets two of the seven OMB criteria governing how
to perform such analyses. For example, while the analysis explained why
the investment is needed, it did not consider the costs and benefits
associated with at least three alternatives to the status quo, such as
Eagle Cash, EZpay, or some derivative that provided for reuse of shared
services among the programs. Moreover, at least three alternatives to
the status quo were not assessed on the basis of net present value,
using the proper discount rate to account for inflation. Instead, the
analysis only qualitatively evaluated Navy Cash against its predecessor
systems. For example, the analysis included evaluation of the
capabilities and limitations of the predecessor systems, but did not
include evaluating the relative cost and benefits of any alternatives
to Navy Cash.
In addition, the program's benefit projections erroneously counted
about $40 million in cost transfers as cost savings, thus overstating
projected benefits (i.e., projected benefits should only be $93
million). Transfers represent shifts of control over the spending of
resources from one group to another and thus do not result in an
economic gain. According to OMB guidance, transfers do not produce
economic gains because the benefits to those government entities that
receive such a transfer are the same as the costs borne by those
government entities that provide the transfer.[Footnote 34] Moreover,
no uncertainty analysis was performed on the benefit estimates. (See
table 5 for the results of our analyses relative to each of the seven
criteria.)
Table 5: Satisfaction of OMB Economic Analysis Criteria:
Criteria: The cost-benefit analysis should clearly explain why the
investment was needed;
Explanation: The analysis should clearly explain the reason why the
status quo is unacceptable;
Satisfied?[A]: Yes;
GAO analysis: The economic analysis explained why the status quo was
not viable.
Criteria: At least three alternatives to the status quo should be
considered;
Explanation: At least three meaningful alternatives to the status quo
should be examined to help ensure that the alternative chosen was not
preselected;
Satisfied?[A]: No;
GAO analysis: Only one meaningful alternative to the status quo (i.e.,
Navy Cash) was considered. In addition, the predecessor systems were
not examined on the basis of their cost and benefits. Rather, they were
examined only in terms of their functional characteristics.
Criteria: The general rationale for the cost-benefit analysis,
including at least three alternatives, should be discussed;
Explanation: The general rationale for the cost-benefit analysis,
including at least three alternatives that are being considered, should
be discussed to enable reviewers of the analysis to understand the
context for the alternative selected;
Satisfied?[A]: Partially;
GAO analysis: The general rationale for the cost-benefit analysis was
discussed, but it did not include the rationale for at least three
alternatives.
Criteria: The quality of the benefits to be realized from each
alternative should be reasonable;
Explanation: The quality of the benefit estimate for each alternative
should be complete and reasonable for a net present value to be
calculable and accurate;
Satisfied?[A]: No;
GAO analysis: The benefits estimate was not reasonable in that it
included $40 million of transfers.
Criteria: At least three alternatives should be compared on the basis
of net present value;
Explanation: The net present value should be calculated because it
consistently allows for the selection of the alternative with the
greatest benefit net of cost;
Satisfied?[A]: Partially;
GAO analysis: An estimate of the present value of cost savings or
avoidances net of costs was computed for Navy Cash, but at least three
alternatives were not compared on the basis of net present value.
Criteria: The proper discount rate for calculating each alternative's
net present value should be used;
Explanation: OMB provides specific guidance on the choice of discount
rate for evaluating projects whose benefits and costs will be
distributed over time;
Satisfied?[A]: No;
GAO analysis: The proper discount rate was not used for calculating net
present value. Specifically, a discount rate of 4.65 percent should
have been used compared to the discount rate of 2 percent used by the
program.
Criteria: A complete uncertainty analysis of the benefits should be
included;
Explanation: Estimates of benefits are typically uncertain because of
imprecision in both underlying data and modeling assumptions. Because
such uncertainty is basic to virtually any cost-benefit analysis, its
effects should be analyzed and reported;
Satisfied?[A]: No;
GAO analysis: An uncertainty analysis of the program's estimated
benefits was not included.
Source: OMB guidance and GAO analysis of DON data.
[A] "Yes" means that the program office provided documentation
demonstrating satisfaction of the criterion. "Partially" means that the
program office provided documentation demonstrating satisfaction of
part of the criterion. "No" means that the program office has yet to
provide documentation demonstrating satisfaction of the criterion.
[End of table]
Program officials stated that they do not know why the economic
analysis was not developed in accordance with OMB guidance. They also
stated that they intend to update the economic analysis and, in doing
so, intend to address OMB guidance. However, they did not have a date
for accomplishing this because their priority is deploying the system.
Actual Accrual of Estimated Benefits Has Not Been Validated:
The Clinger-Cohen Act of 1996 and OMB guidance[Footnote 35] emphasize
the need to develop information to ensure that IT investments are
actually contributing to tangible, observable improvements in mission
performance. DOD guidance[Footnote 36] also states that estimated
benefits should be validated to ensure that desired outcomes are being
achieved. To this end, agencies should define and collect metrics to
determine whether expected benefits from a given investment are being
accrued, and they should modify subsequent economic analyses to reflect
the lessons learned.
Despite the fact that Navy Cash has been installed and is operating on
approximately 130 ships, DON has yet to determine whether the system is
actually producing expected benefits. For example, the 2002 economic
analysis stated that Navy Cash would reduce cash on ships, and
contribute to man-hour savings as a result of increased productivity.
It also stated that it would improve quality-of-life for sailors and
marines. While DON has measured the reduction in the cash onboard some
ships where Navy Cash is operating, this reduction represents a
transfer and is not an actual benefit. Moreover, the extent to which
the system is achieving expected man-hour savings, which would
constitute a true benefit, has not been measured. Lastly, customer
(sailor and marine) satisfaction with the system, which is a legitimate
qualitative benefit, has not been determined since a prototype of Navy
Cash was installed on two ships in 2001.
Program officials stated that DON's Manpower Analysis Center[Footnote
37] is responsible for measuring man-hour savings. Further, they said
that customer satisfaction with the system was being measured through
informal feedback from the sailors and marines, and they recently began
a more formal customer satisfaction survey. They also stated that in
updating the economic analysis, they plan to assess and reflect the
accrual of actual benefits. However, they had not established a date
for accomplishing this.
Key Controls for Ensuring That Defined Navy Cash Capabilities Are
Delivered on Time and Within Budget Have Not Been Effectively
Implemented:
DOD policy and related guidance recognizes the importance of
implementing a range of management controls associated with ensuring
that IT investments are defined, developed, deployed, and operated
efficiently and effectively.[Footnote 38] By implementing these
controls, the chances of delivering systems that perform as intended,
and not costing more or taking longer than necessary, are increased.
These controls include requirements development and management, risk
management, security management, and system quality measurement. For
Navy Cash, none of these controls have been effectively implemented.
Specifically,
* program requirements have not been adequately developed and managed;
* program risks have not been effectively managed;
* security has not been adequately managed; and:
* data needed to measure two aspects of system quality--trends in
unresolved change requests and evaluation of user satisfaction with the
system--have not been collected and used.
As a result, Navy Cash is unlikely to perform in a manner that meets
user and operational needs, and it is likely to cost more and take
longer than necessary.
Navy Cash Requirements Have Not Been Adequately Developed and Managed:
Well-defined and managed requirements are recognized by DOD guidance
and relevant best practices as essential, and can be viewed as a
cornerstone of effective system acquisition.[Footnote 39] Effective
requirements development and management includes (1) developing
detailed system requirements; (2) establishing policies and plans for
managing changes to requirements, including defining roles and
responsibilities, and identifying how the integrity of a baseline set
of requirements will be maintained; and (3) maintaining bi-directional
requirements traceability, meaning that system-level requirements can
be traced both backward to higher level business or operational
requirements, and forward to system design specifications and test
plans.
The program office has not satisfied these three aspects of effective
requirements development and management. Specifically:
* The program office has not developed system-level requirements for
Navy Cash. System-level requirements are derived from higher-level
operational requirements and are specified at a level of detail needed
for system developers to design and build to. Without system
requirements, the ability of the program office to understand the
impact of any system change requests (i.e., cost, schedule, and
performance) and thus make informed decisions about such changes, is
limited. For example, although the program office identified a high-
level requirement for the system to share information with the Retail
Operations Management system used in ships' store operations, the
associated system-level requirements were not defined. As a result, the
deployed version of the system was not designed and developed to
provide this interface. The requirement for this interface was later
realized after a number of system and operational problems surfaced.
Addressing these problems through a series of changes required
additional time and funding. Program officials acknowledged that more
effective requirements development and management practices could have
avoided these problems. As another example, a system requirement for
automatically deploying software patches to operational systems was not
defined. Had this requirement been defined, the system design could
have provided for developing a capability to minimize the level of
effort required to identify, distribute, and install patches. Instead,
a less efficient and labor-intensive manual process has been used.
* The program office does not have a policy or plans for managing
requirements. Such policies and plans establish organizational roles
and responsibilities for managing requirements, including maintaining
and controlling modifications or changes to the baseline sets of
requirements, establishing priorities among competing requests for
changes, and assessing the impact on cost, schedule, and performance of
each change. In lieu of a policy or plans, the program office has
established an ad hoc change control process, whereby change proposals
are approved or disapproved by a joint DON and FMS change control board
based on a change management policy that was drafted in 2003. However,
this policy was never finalized or approved and does not define roles
and responsibilities or how requirements will be managed. Further, the
board has not been chartered. Moreover, program officials told us that
the board's decisions are made primarily on the basis of consensus
about the need for the change and the availability of funds.
* Other than security requirements, Navy Cash requirements cannot be
traced from the higher level business or operational requirements to
system design specifications and test plans. Specifically, we attempted
to trace a sample of Navy Cash system-level requirements backward to
high-level requirements and forward to design documents and test plans
and results. However, as noted above, no system-level requirements
exist. Without this link in the requirements traceability chain,
traceability could not be demonstrated. Having requirements
traceability is essential for ensuring that developed and deployed
system products satisfy operational needs and user expectations. In the
case of Navy Cash, where system capabilities are reactive to change
requests rather than proactively driven by requirements, such
traceability is also essential to understanding the impact to the
system of each change request and thus having an informed basis for
approving and prioritizing any changes.
Program officials acknowledged these weaknesses and recently stated
that they intend to address them. To accomplish this, they reported
that they have hired a new employee who is to be trained in
requirements development and management, and who is to develop a
requirements management plan.
Until the program office employs fundamental requirements development
and management practices, it cannot reliably estimate the program costs
and develop schedules needed to accomplish the work associated with
delivering predetermined and economically justified system
capabilities. The result is an inability to develop and measure
performance against meaningful cost, schedule, and capability
baselines, and thereby reasonably ensure that the program is meeting
expectations and those responsible for it are accountable for results.
Navy Cash's Risks Have Not Been Effectively Managed:
Proactively managing program risks is a key acquisition management
control that, if done properly, can increase the chances of programs
delivering promised capabilities and benefits on time and within
budget. For Navy Cash, program risks have not been effectively managed.
Rather, the program office has reacted to the realization of actual
problems. In particular, plans, processes, and procedures are not in
place that provide for identifying, controlling, and disclosing risks,
and risk management roles and responsibilities have not been assigned
to key stakeholders. As a result, the program office is not positioned
to proactively avoid the occurrence of cost, schedule, and performance
problems.
DOD and related guidance[Footnote 40] recognize the importance of
performing effective risk management on programs like Navy Cash. Among
other things, effective risk management includes: (1) establishing and
implementing a written plan and defined process for risk
identification, analysis, and mitigation; (2) assigning responsibility
for managing risks to key stakeholders; (3) encouraging program-wide
participation in risk management; and (4) examining the status of
identified risks during program milestone reviews.
The program office has not fully satisfied any of the above cited risk
management practices. For example:
* A written plan or defined process that provides for identifying,
analyzing, and mitigating risks has not been established. In the
absence of a plan and process, program officials stated that risks are
informally addressed during bi-monthly program management reviews that
involve key stakeholders, including the program office, FMS, and the
financial agent. However, our analysis of minutes of these reviews
indicates that they are more focused on reacting to the consequences of
actual problems, rather than proactively attempting to avoid the
occurrence of potential problems.
�* While program officials stated that responsibility for managing risks
rests with the program manager, roles and responsibilities for managing
and identifying risks have not been documented for any key
stakeholders, including individuals in the program office, and with FMS
and the financial agent. Without clearly documenting their roles and
responsibilities, proactive identification, disclosure, and mitigation
of all key risks is unlikely to occur, and program approval and
decision making authorities will not be adequately informed.
* While program officials stated that attending and participating in
program management reviews is encouraged, we have yet to receive any
verifiable evidence that risks are addressed in these reviews or that
involvement in risk management is encouraged.
* Program officials have yet to provide any verifiable evidence that
program decision making and oversight authorities have been apprised of
the status of identified risks.
Program officials acknowledged the above weaknesses and attributed them
to staff turnover in key positions and their focus on deploying the
system rather than establishing management processes and procedures.
Nevertheless, program officials stated that they intend to develop a
risk plan and process, but said that this would not occur until
December 2008. Given that a significant amount of development and
modernization investment remains, it is important that mitigating
existing risks, including those discussed in this report, as well as
future risks be treated as a program priority.
Navy Cash Security Management Has Not Been Effectively Implemented:
A number of Navy Cash security management weaknesses exist.
Specifically, the program office has not (1) fully implemented a
comprehensive patch management process; (2) followed an adequate
process for planning, implementing, evaluating, and documenting
remedial actions for known information security weaknesses; (3)
obtained adequate assurance that FMS has effective security controls in
place to protect Navy Cash applications and data; and (4) developed an
adequate contingency plan and conducted effective contingency plan
testing. Program officials acknowledged these weaknesses but have yet
to provide us with plans for addressing them. As a result, the
confidentiality, integrity, and availability of deployed and operating
Navy Cash shipboard devices, applications, and financial data are at
increased risk of being compromised.
Patch Management Has Not Been Fully Implemented:
DOD guidance[Footnote 41] states that component organizations should
develop a process for patching system vulnerabilities. Further,
National Institute of Standards and Technology (NIST) guidance[Footnote
42] recognizes the importance of implementing comprehensive patch
management that includes, among other things, (1) having a complete
inventory of system hardware and software assets, (2) automatically
deploying vulnerability patches, and (3) measuring patch management
performance.
Although the program office performs patch management for Navy Cash,
key practices have not been fully implemented. Specifically,
* A complete inventory of system assets does not exist. According to
NIST, a system inventory enables organizations to monitor system
hardware and software assets for the presence of all threats,
vulnerabilities, and patches. While the financial agent maintains a
Navy Cash asset database for the 128 ships on which the system is
operating, this database is missing 3 hardware inventories and 19
software inventories. According to program officials, the financial
agent's database is incomplete because it was created from purchase
orders after the system was in operation. Furthermore, although the
program office maintains hardware inventories for each ship in a DON
configuration management database, the office does not maintain
inventories of Navy Cash software. Until the program office develops a
complete inventory of Navy Cash system assets, it will not be able to
identify and patch all system threats and vulnerabilities.
* Vulnerability patches are not deployed in an automated or timely
manner. According to NIST guidance, deploying patches automatically
minimizes the level of effort and time required to identify,
distribute, and install patches. However, patches are currently
deployed manually for Navy Cash when ships are in port for maintenance.
As a result, the risk of vulnerabilities being exploited before ships
return to port is increased. Although the program office plans to
introduce the capability to automatically deploy patches as part of the
next software release in the first quarter of fiscal year 2009, program
officials said that it will take between 18 to 24 months to rollout
this capability to the entire fleet. Program officials also stated that
they do not know why this capability was not part of the original
system requirements and design. Until the program office begins
automatically deploying patches, Navy Cash assets and data will be
exposed to increased risk.
* The performance of patch management is not being measured. NIST
guidance recommends consistent measurement of the effectiveness of
patch management through the use of metrics, such as susceptibility to
attack and mitigation response time. Although program officials stated
that they maintain patch management metrics, they have yet to provide
us with a description of the metrics or an explanation of how they are
used. Until the program office develops and uses performance metrics,
it will not be able to assess and improve the effectiveness of its
patch management effort.
To strengthen its patch management efforts, the program office has
developed a vulnerability management guide. However, this guide has not
been finalized and approved, and according to program officials, it
does not follow NIST patch management guidance. Without comprehensive
patch management, increased risk exists that system vulnerabilities
could be exploited.
Remedial Action Plans Have Not Been Documented:
The Federal Information Security Management Act (FISMA)[Footnote 43]
requires that agencies' information security programs must include a
process for planning, implementing, evaluating, and documenting
remedial actions to address any deficiencies in the information
security policies, procedures, and practices of the agency. OMB has
outlined steps for documenting remedial actions--referred to by OMB as
a plan of action and milestones--for systems where IT security
weaknesses have been identified. Additionally, NIST guidance[Footnote
44] states that a plan of action and milestones should be included in a
system's accreditation package and describe how the information system
owner intends to address those vulnerabilities by reducing,
eliminating, or accepting the identified vulnerabilities.
Since the system was accredited in November 2006, the program office
has not developed any plans of action and milestones, even though
medium and low information security risks were identified during
security test and evaluation efforts supporting the certification and
accreditation. According to program officials, the risks were accepted
by the designated approving authority, rather than corrected, because
they involve features that are necessary for the system to operate,
such as having certain hardware interfaces and access permissions.
While accepting rather than correcting such weaknesses is consistent
with DON guidance[Footnote 45] for developing plans of action and
milestones, it is not consistent with NIST guidance. Specifically, DON
guidance states that these plans are only required for accreditation
decisions that are conditional upon corrective actions being taken.
However, NIST guidance specifies that the development of a plan of
action and milestones should include instances where risk is being
accepted.
The lack of plans of action and milestones means that the program
office has not adequately addressed information security risks.
Moreover, the limitations in DON guidance mean that other Navy programs
may not have done so as well. Until the program office fully implements
a remedial action process that meets the FISMA requirements and OMB and
NIST guidance, program management and oversight officials will not have
sufficient assurance that all security weaknesses are being reported
and tracked, and that options for addressing them are fully considered.
Information Security Requirements Have Not Been Fully Defined:
FISMA requires each federal agency to develop, document, and implement
an agencywide information security program to provide information
security for the information and information systems that support the
operations and assets of the agency, including those provided or
managed by another agency, contractor, or other source. Among other
things, this includes testing system management, operational, and
technical security controls. Although the program office has partnered
with FMS to develop and support the operation of Navy Cash, it is
ultimately responsible for ensuring the security of Navy Cash systems
and data.
The program office has not taken adequate steps to ensure that security
controls are tested. Specifically, the memorandum of agreement between
the program office and FMS does not establish requirements for FMS and
the financial agent relative to periodic information security control
reviews, including reviews of applicable management, operational, and
technical controls, and to provide DON with copies of information
security control reviews that are performed on the Navy Cash system and
its supporting infrastructure. This is important because FMS--through
its financial agent[Footnote 46]--provides services that support Navy
Cash that must be secure, such as holding and accounting for funds
distributed throughout the system and processing transactions. Although
FMS has performed some management and operational control tests, such
as periodic personnel and physical security assessments of selected
commercial facilities that provide services and support to Navy Cash,
these assessments were not designed to evaluate the technical controls
of the system's computing environment because the memorandum of
agreement does not include such requirements.
Until the program office and FMS establish information security
requirements for overseeing the financial agent's technical information
security controls, an increased risk exists that the confidentiality,
integrity, and availability of information stored, transmitted, and
processed by the financial agent can be compromised.
Contingency Plan Is Missing Key Elements:
OMB guidance[Footnote 47] requires agencies to develop contingency
plans and to test those plans at least annually. NIST guidance states
that contingency plans should include a sequence of recovery
activities, which describe system priorities based on business impact
and notification procedures, which describe the methods used to notify
personnel with recovery responsibilities.[Footnote 48] In addition,
according to NIST, contingency plan tests should include explicit test
objectives and success criteria for each planned activity and related
procedure and documentation of lessons learned.
Although the program office has developed contingency plans for Navy
Cash, it did not identify the sequence of recovery activities and
notification procedures for recovery personnel in them. The sequence of
activities should prioritize the recovery of system components by
criticality and the notification procedures should describe the methods
used to notify recovery personnel during business and non-business
hours. Until the program office includes these areas in the contingency
plans, it cannot ensure that system components will restore in a
logical manner and that ship recovery personnel will be notified
promptly when a system disruption is detected. In addition, while the
program office has largely included explicit test objectives and
success criteria in all the test procedures, they did not document the
lessons learned. According to NIST, lessons learned can improve
contingency plan effectiveness and this should be incorporated into the
plan. According to program officials, NIST was not used for developing
and conducting tests of the contingency plan. Without lessons learned,
the program office will not be able to properly maintain and improve
the contingency planning guide.
Until DON develops sufficient contingency plans and testing procedures,
increased risk exists that Navy Cash systems, data, and operations will
not be able to fully recover from a disruption or disaster.
Navy Cash Quality Measures Are Not Being Collected:
Effective management of programs like Navy Cash depends in part on the
ability to measure the quality of the system being acquired and
operated.[Footnote 49] One measure of system quality is the trend in
the number of unaddressed, high-priority system change requests.
Sufficient data to measure trends in open (i.e., unresolved) system
change requests, which is a recognized indicator of a system's
stability and quality are not being collected. To the program's credit,
it has formed a group consisting of program office, FMS, and financial
agent representatives to review and decide whether to approve requests
for changes to the system. However, this group is not consistently
collecting data as to when a change request is opened or closed and
what the priority level of each change request is. Thus, it does not
know at any given time, for example, how many change requests are
pending, the significance of pending change requests, and the age of
these change requests. Program officials acknowledged these weaknesses
but stated that their focus has been on deploying the system. This
means that the program office cannot know and disclose to DOD decision
makers whether the system's stability and maturity are moving in the
right direction.
In addition, the program office has not consistently collected data on
user and operator satisfaction with the system. Specifically, the
program office conducted two surveys in the last 6 years--a user
satisfaction survey and a shipboard merchant satisfaction survey--but
neither of these surveys is meaningful. More specifically, the user
satisfaction survey was done in 2002 and thus is dated; and it covered
only two ships and a prototype version of Navy Cash and thus its scope
is limited. In addition, neither survey produced a response rate that
can be generalized and projected (about 50 percent and 20 percent for
the two ships in the user survey, and about 30 percent for the merchant
survey).
Program officials stated that they have relied on informal user
feedback from disbursing officers, who have indicated overall
satisfaction with the system. Nevertheless, they said that a survey of
users and operators is being planned and expected to be completed by
the fall of 2008. Without meaningful data about Navy Cash's stability
and the satisfaction of those who use it, it is not clear Navy Cash is
a quality system.
Conclusions:
Navy Cash's potential duplication of other DOD programs that perform
similar functions, combined with its lack of meaningful economic
justification, together mean that the department does not have an
adequate basis for knowing whether Navy Cash, as defined, is the most
cost-effective solution to meeting its strategic business and
technological needs. Because such a basis is absolutely fundamental to
informed investment decision making, a compelling case exists for the
department to reevaluate current plans for investing almost $60 million
of additional modernization funding to further develop the system.
Even if reevaluation supports current or modified investment plans, the
manner in which the program is being executed remains a source of
considerable cost, schedule, and performance risk. In particular,
without employing fundamental requirements development and management
practices, the department cannot reliably estimate program costs and
develop schedules needed to accomplish the work associated with
delivering predetermined and economically justified system
capabilities. In addition, without effective risk management, the
department is not positioned to proactively avoid the occurrence of
cost, schedule, and performance problems. Furthermore, the lack of
adequate security management puts the confidentiality, integrity, and
availability of deployed and operating Navy Cash shipboard devices,
applications, and financial data at increased risk of being
compromised. Moreover, without meaningful data about the Navy Cash's
stability and the satisfaction of those who use it, it is not clear
that Navy Cash is a quality system.
To overcome each of these weaknesses, it is important to not only
acknowledge them, which the program office has done, but to also treat
them as program priorities, including developing and implementing plans
for addressing them, which the program office has largely not done.
Recommendations:
Because of the uncertainty surrounding whether Navy Cash, as defined,
represents a cost-effective solution, we recommend that the Secretary
of Defense direct the Secretary of the Navy to limit further investment
of modernization funding in the program to only (1) deployment to
remaining ships of already developed and tested capabilities; (2)
correction of information security vulnerabilities and weaknesses on
ships where it is deployed and operating; and (3) development of the
basis for an informed decision as to whether further development and
modernization is economically justified and in the department's
collective best interests.
To develop the basis for an informed decision about further Navy Cash
development, we further recommend that the Secretary of Defense, direct
the appropriate DOD organizations to (1) examine the relationships
among DOD's programs for delivering military personnel with smart card
technology for electronic retail and banking transactions; (2)
identify, in coordination with the respective program offices,
alternatives for optimizing the relationships of these programs in a
way that minimizes areas of duplication, maximizes reuse of shared
services across the programs, and considers opportunities for a
consolidated stored value card program across the military services;
and (3) share the results with the appropriate organizations for use in
making an informed decision about planned investment in Navy Cash.
To further develop this basis for an informed decision about Navy Cash
development, we also recommend that the Secretary of Defense direct the
Secretary of the Navy to ensure that the appropriate Navy
organizational entities prepare a reliable economic analysis that
encompasses the program's total life cycle costs, including those of
FMS, and that (1) addresses cost-estimating best practices and complies
with relevant OMB cost-benefit guidance and (2) incorporates data on
whether deployed Navy Cash capabilities are actually producing
benefits.
To address Navy Cash information security management weaknesses and
improve the operational security of the system, we recommend that the
Secretary of Defense direct the Secretary of the Navy to ensure that
the Navy Cash program manager, in collaboration with the appropriate
organizations, take the following five actions:
* Develop and implement a patch management approach based on NIST
guidance, which includes a complete Navy Cash systems inventory; an
automated patch deployment capability; and a patch management
performance vulnerability measurement capability, including metrics for
susceptibility to attack and mitigation response time.
* Institute a process to plan, implement, evaluate, and document
remedial actions for deficiencies in Navy Cash information security
policies, procedures, and practices, and ensure that this process meets
FISMA requirements, as well as applicable OMB and NIST guidance.
* Update the NAVSUP/FMS memorandum of agreement, in collaboration with
FMS, to establish specific security requirements for FMS and the
financial agent to periodically perform information security control
reviews, including applicable management, operational, and technical
controls, of the Navy Cash system, and to provide NAVSUP with copies of
the results of these reviews that pertain to the Navy Cash system and
its supporting infrastructure.
* Develop a complete contingency plan to include a (1) sequence of
recovery activities and (2) procedures for notifying ship personnel
with contingency plan responsibilities to begin recovery activities;
and to test the contingency plan in accordance with NIST guidance,
including documenting lessons learned from testing.
To address DON information security guidance limitations, we also
recommend that the Secretary of Defense direct the Secretary of the
Navy to ensure that the Navy Operational Designated Approving
Authority, as part of the Naval Network Warfare Command, updates its
certification and accreditation guidance to require the development of
plans of action and milestones for all above identified security
weaknesses.
If further investment in development of Navy Cash can be justified, we
then recommend that the Secretary of Defense direct the Secretary of
the Navy, through the appropriate chain of command, to ensure that the
Navy Cash program manager takes the following actions.
* With respect to requirements development and management, (1) develop
detailed system requirements; (2) establish policies and plans for
managing changes to requirements, including defining roles and
responsibilities, and identifying how the integrity of a baseline set
of requirements will be maintained; and (3) maintain bi-directional
requirements traceability.
* With respect to risk management, (1) establish and implement a
written plan and defined process for risk identification, analysis, and
mitigation; (2) assign responsibility for managing risk to key
stakeholders; (3) encourage program-wide participation in risk
management; (4) include and track the risks discussed in this report as
part of a risk inventory; and (5) apprise decision making and oversight
authorities of the status of risks identified during program reviews.
* With respect to system quality measurement, collect and use
sufficient data for (1) determining trends in unresolved change
requests and (2) understanding users' satisfaction with the system.
Agency Comments and Our Evaluation:
Both DOD and FMS provided written comments on a draft of this report.
In DOD's comments, signed by the Deputy Under Secretary of Defense
(Business Transformation) and reprinted in appendix II, the department
stated that it concurred with 9 of our 11 recommendations, partially
concurred with 1, and non-concurred with the remaining 1. In non-
concurring with our recommendation for limiting further investment in
the program, the department actually concurred with two out of three
aspects of the recommendation. Nevertheless, for the aspect of our
recommendation aimed at limiting further investment in the program to
certain types of spending, it stated that it did not concur with
limiting investment to the exclusion of needed maintenance (e.g.,
technology refresh) of operational systems. We agree with this comment,
as it is consistent with statements in our report, including the
recommendation summary on the report's highlights page and the report's
conclusions, both of which focus on limiting investment of
modernization funding only, and not operations and maintenance funding.
To avoid any misunderstanding as to our intent, we clarified our
report.
With respect to our recommendation for optimizing the relationships
among DOD's programs that provide smart card technology for electronic
retail and banking transactions, the department stated that, while it
concurs with the overall intent of the recommendation, it believes that
the Office of the Under Secretary of Defense (Comptroller) is the
appropriate organization to implement it. Since our intent was not to
prescribe the only DOD organization that should be responsible for
implementing the recommendation, we have slightly modified the
recommendation to provide the department flexibility in this regard.
Notwithstanding DOD's considerable agreement with our recommendations,
the department provided additional comments on the findings that
underlie several of the recommendations, which it described as needed
to clarify and avoid confusion about the program. For various reasons
discussed below, we either do not agree with most of these additional
comments or do not find them germane to our findings and
recommendations.
* First, the department stated that the report's overall findings
understate the program's discipline and conformance with applicable
guidance and best practices. We do not agree. Our review extended to
six key acquisition control areas, all of which are reflected in DOD's
own acquisition policies as well as other federal guidance. Effective
implementation of these controls can minimize program risks and better
ensure that system investments are defined in a way to optimally
support mission operations and performance, as well as deliver promised
system capabilities and benefits on time and within budget. However, we
found that none of these key IT management controls were being
effectively implemented on Navy Cash, and the department agreed with
our recommendations aimed at correcting this.
* Second, the department stated that the report's findings do not
accurately capture the program's maturity since the system has been
deployed to over 80 percent of its user base. While we do not question
the extent to which the system has been deployed to date, and in fact
state in our report that the system has been deployed to about 80
percent of the fleet, we do not agree that the program is mature, as
evidence by the numerous IT management control weaknesses that we found
and the fact that about $60 million in modernization funding remains to
be spent on the system.
* Third, the department stated that it recognizes that some security
management limitations exist, but added that these limitations do not
pose a serious risk to the confidentiality, integrity, or availability
of the deployed system, and that our report may cause cardholders to
become unnecessarily concerned. We do not agree that these limitations
do not pose a serious risk. Our report details a number of serious
security management weaknesses relative to both DOD and NIST guidance,
such as not following an adequate process for planning, implementing,
evaluating and documenting remedial actions for known information
security vulnerabilities, as well as not obtaining adequate assurance
that FMS has effective security controls in place to protect Navy Cash
applications and data. As a result, we appropriately conclude in our
report that such failures to effectively manage Navy Cash security
places the confidentiality, integrity, and availability of deployed and
operating shipboard devices, applications, and financial data at
increased risk of being compromised. Swift implementation of our
recommendations is the best solution to alleviating any cardholder
concerns that may arise from these weaknesses.
In FMS's comments, signed by the Commissioner of FMS and reprinted in
appendix III, the service stated that our recommendations will help
strengthen Navy Cash and that it has begun addressing our findings and
recommendations. In addition, it stated that it will support DOD in
implementing the recommendations, and consistent with DOD, commented
that it did not agree with one part of one of our recommendations,
adding that limiting investment in Navy Cash beyond fielding and
maintaining already tested system capabilities would place future
operations at risk. As stated above, this recommendation is focused on
limiting further investment in modernization funding, not operations
and maintenance funding. To avoid any confusion about this, we have
added language to other parts of the report to emphasize this focus.
In addition to the above, and notwithstanding its overall agreement
with our recommendations, FMS provided other comments relative to
several of the findings that underlie our recommendations.[Footnote 50]
As discussed below, we either do not agree with these additional
comments or do not find them to be germane to our findings and
recommendations.
* First, FMS stated that our report does not identify a security
breach, loss of cardholder or government funds, unauthorized release of
personal or other sensitive information, or any other compromise of
system integrity. We agree that our report does not identify these
things, as the scope of work was not intended to identify them. Rather,
our scope focused on the program's implementation of key security
management controls outlined in DOD and NIST guidance. In this regard,
we found serious information security management control weaknesses and
concluded that these weaknesses increased the risk to the
confidentiality, integrity, and availability of information stored,
transmitted, and processed by the financial agent.
* Second, FMS stated that the issue of whether Navy Cash is duplicative
of other similar DOD smart card programs was addressed before Navy Cash
was initiated in 2001, when DON and FMS determined that for technical
and cost reasons it could not alter the other DOD programs to meet Navy
Cash requirements. We do not find this comment relevant to our
recommendation because our point is not that one of the other DOD
programs should be altered and used in place of Navy Cash. Rather, our
point is that these smart card programs need to be looked at
collectively to decide whether it is in the department's best interest
to continue investing in separate smart card programs or to invest in a
single department-wide solution. This point is consistent with FMS's
stated goal of having a single smart card for DOD.
* Third, FMS stated that it disagreed with our finding that the Navy
Cash benefits projection erroneously counted $40 million as cost
savings rather than cost transfers, adding that this value represents
not merely a transfer between agencies but actual savings to the United
States. While we do not disagree that this interest savings represents
a benefit to the United States government, it also represents a cost--
interest foregone--to holders of Treasury debt. Therefore, the interest
savings represents a transfer rather than savings from one member or
sector to another.
We are sending copies of this report to interested congressional
committees; the Director, Office of Management and Budget; the
Congressional Budget Office; the Secretary of Defense; the Secretary of
the Treasury; and the Department of Defense Office of the Inspector
General. We also will make copies available to others upon request. In
addition, the report will be available at no charge on the GAO Web site
[hyperlink, http://www.gao.gov].
If you or your staffs have any questions on matters discussed in this
report, please contact Randolph C. Hite at (202) 512-3439 or
hiter@gao.gov, or Gregory C. Wilshusen at (202) 512-3789 or
wilshuseng@gao.gov. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this
report. GAO staff who made major contributions to this report are
listed in appendix IV.
Signed by:
Randolph C. Hite:
Director Information Technology Architecture and Systems Issues:
Signed by:
Gregory C. Wilshusen:
Director Information Security Issues:
[End of section]
Appendix I: Objective, Scope, and Methodology:
Our objective was to determine whether the Department of the Navy (DON)
is effectively implementing information technology management controls
on Navy Cash. We selected Navy Cash primarily because the Department of
Defense's (DOD) inventory of DON systems identified the program as one
of DON's five largest development and modernization investments. To
address the objective, we focused on the following management areas (1)
architectural alignment; (2) economic justification; (3) requirements
development and management; (4) risk management; (5) security
management; and (6) system quality measurement. In doing so, we
analyzed a range of program documentation, such as the acquisition
strategy, business case, economic analysis, agreements between the
partnering organizations, and interviewed cognizant officials, such as
the Milestone Decision Authority, program manager, and Financial
Management Service (FMS) and financial agent officials responsible for
Navy Cash.
To address architectural alignment, we reviewed the program's business
enterprise architecture (BEA) compliance assessments and system
architecture products as well as versions 4.0, 4.1, and 5.0 of the BEA
and compared them to the BEA compliance requirements described in the
Ronald W. Reagan National Defense Authorization Act for Fiscal Year
2005[Footnote 51] and DOD's BEA compliance guidance and evaluated the
extent to which the compliance assessments addressed all relevant BEA
products. We also reviewed DOD guidance for program architecture
development, such as DOD's Business Transformation Guidance, and
compared Navy Cash's program architecture development activities to
this guidance. In addition, we interviewed Navy Cash and FMS officials,
as well as Navy Cash's Milestone Decision Authority, and requested
related documentation on the potential duplication between Navy Cash
and other DOD programs that involve the use of smart card
functionality, such as the Air Force's and Army's Eagle Cash and EZpay
programs.
To address the program's economic justification, we reviewed the latest
economic analysis to determine the basis for the cost and benefit
estimates. This included evaluating the analysis against Office of
Management and Budget guidance and GAO's Cost Assessment
Guide.[Footnote 52] In addition, we interviewed cognizant program
officials, including the Navy Cash program manager and FMS, regarding
their respective roles, responsibilities, and actual efforts in
developing and/or reviewing the economic analysis and the extent to
which measures and metrics showed that projected benefits in the
economic analysis were actually being realized. We also interviewed
cognizant officials such as the Milestone Decision Authority about the
purpose and use of the program's economic analysis for managing the
investment in the Navy Cash program.
To address requirements development and management, we reviewed
relevant program documentation, such as the concept of operations
document, and interviewed relevant program officials and evaluated this
information against relevant best practices.[Footnote 53] We also
reviewed interface requirements documents, minutes of program
management meetings, and traceability of security requirements. In
addition, we interviewed program officials involved in the requirements
management process to discuss the change control process they use and
their roles and responsibilities for managing requirements.
To address risk management, we reviewed relevant risk management
documentation, such as program management review meeting minutes and
compared the program office's activities with DOD's risk management
guidance[Footnote 54] and related best practices.[Footnote 55] We
analyzed the effectiveness of the program's management reviews in terms
of managing risks. In doing so, we interviewed cognizant program
officials responsible, such as the program manager, Milestone Decision
Authority, and FMS officials to discuss their roles and
responsibilities and obtain clarification on the program's approach to
managing risks associated with acquiring and implementing Navy Cash.
To address security management, we reviewed relevant security
documentation, such as DOD and National Institute of Standards and
Technology information security guidance, and the Navy Cash afloat and
ashore system security authorization agreements. In addition, we
observed the system in operation aboard the USS Theodore Roosevelt and
discussed security issues with ship personnel, program office, FMS, and
financial agent officials. We also reviewed USS Harry S. Truman
contingency plan test results. Additionally, we reviewed a database
used to maintain the inventory of Navy Cash hardware and software
assets as a part of our analysis on the Navy Cash vulnerability
management program. Furthermore, we interviewed cognizant DON, FMS, and
financial agent officials to discuss their roles and responsibilities
and obtain clarification on the program's approach to protecting the
confidentiality, integrity, and availability of Navy Cash systems and
information.
To address system quality measurement, we reviewed program
documentation, such as change request logs, and a plan of action and
milestones for change requests. We also compared the program's data
collection and analysis practices relative to these areas to program
guidance and best practices.[Footnote 56] We reviewed the plans for and
results of surveys that were performed on user and shipboard merchant
satisfaction with Navy Cash, and we interviewed program management and
technical officials.
We conducted our work at DOD offices and program office and ship
facilities in the Washington, D.C. metropolitan area, Norfolk,
Virginia, and Mechanicsburg, Pennsylvania, between June 2007 and
September 2008, in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objective. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objective.
[End of section]
Appendix II: Comments from the Department of Defense:
Office Of The Under Secretary Of Defense:
Acquisition Technology And Logistics:
3000 Defense Pentagon:
Washington, DC 20301-3000:
August 27, 2008:
Mr. Randolph C. Hite:
Director, Information Technology Architecture and Systems Issues:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Hite:
This is the Department of Defense (DoD) response to the GAO draft
report GAO-08-922. "DOD Business Systems Modernization: Planned
Investment in Navy Program to Create Cashless Shipboard Environment
Needs to Be Justified and Better Managed," dated July 18, 2008 (GAO
Code 310660). Detailed comments on the recommendations are enclosed.
The Department concurs with nine of the recommendations and partially
concurs with one recommendation and non-concurs with one
recommendation. The Department also believes that the overall findings
of the report understate the level of discipline and conformance with
applicable guidance and best business practices. Additionally, the
report's findings do not accurately capture the maturity of the program
since the system has been deployed to over 80 percent of the planned
user base. Finally. the Department would like to note that development
of the system has been a simple, low cost adaptation of a system made
up of primarily commercial-off-the-shelf products.
With regard to GAO's first recommendation, although the Department
concurs that an updated economic analysis is needed to decide "as to
whether further development and modernization is economically justified
and in the department's collective best interests." the Department
intends to avoid any significant disruption of afloat disbursing
operations to ensure that the warfighters continue to have access to
their pay. Navy Cash must remain operational while corrective actions
to address GAO's recommendations are underway. The earliest installed
systems are nearing the end of their expected operational life due to
aging hardware and technology obsolescence. These must be replaced
through a planned technical refresh. in order to maintain already
developed and tested capabilities.
Information technology management controls continue to be a top
priority throughout the entire DoD as we modernize our business
systems. As the Department continues to move forward, we appreciate the
GAO's input in our on-going business systems modernization efforts.
Sincerely,
Signed by:
Paul A. Brinkley:
Deputy Under Secretary of Defense (Business Transformation):
Enclosure: As stated:
GAO Draft Report Dated July 18, 2008:
GAO-08-922 (GAO Code 310660):
"DOD Business Systems Modernization: Planned Investment In Navy Program
To Create Cashless Shipboard Environment Needs To Be Justified And
Better Managed:
Department Of Defense Comments To The GAO Recommendations:
Recommendation 1: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to limit further investment in the
program to only: (I) deployment to remaining ships of already developed
and tested capabilities: (2) correction of information security
vulnerabilities and weaknesses on ships where it is deployed and
operating; and (3) development of the basis for an informed decision as
to whether further development and modernization is economically
justified and in the department's collective best interests.
DOD Response: Non-Concur. The Department concurs with the
recommendation to reduce system vulnerabilities and to update the
economic justification. However, the Department non-concurs that the
Navy limit its investment in the program to solely those activities
listed in the recommendation. Some investment beyond the parameters
suggested by GAO is needed to maintain the current system to ensure
that afloat disbursing operations continue and that the warfighter
continues to have access to their pay. Instead, the Navy will limit its
investment in the program to fielding and maintaining already tested
capabilities and selection and testing of technology refresh hardware,
which is required to maintain the already developed and tested
capabilities.
The Navy Cash Program Office will complete the economic justification
and address the report's other recommendations prior to making the
investment in the technology refresh hardware that is currently planned
to be delivered to the Fleet in Fiscal Year (FY) 2010.
Today, most Navy Cash system updates (including Information Assurance
Vulnerability Management (IAVM) updates) are fielded through ship
maintenance actions. A new software release which will automate
Information Assurance Vulnerability (IAV) updates to Navy Cash servers
and report compliance to the Navy Cash program is in the accreditation
process. Currently, IAV patches are supported during ships grooms or by
having shipboard Information Technology (IT) personnel support the Navy
Cash servers with updates.
Target completion date for these corrective actions is September 30.
2009.
Recommendation 2: The GAO recommends that the Secretary of Defense,
through the appropriate chain of command, direct the Director of the
DoD Business Transformation Agency, to: (1) examine the relationships
among DoD's programs for delivering military personnel with smart card
technology for electronic retail and banking transactions; (2)
identify, in coordination with the respective program offices,
alternatives for optimizing the relationships of these programs in a
way that minimizes areas of duplication, maximizes reuse of shared
services across the programs, and considers opportunities for a
consolidated stored value card program across the military services:
and (3) share the results with the appropriate organizations for use in
making an informed decision about planned investment in Navy Cash.
DOD Response: Partially Concur. The Department concurs with the overall
intent of the recommendation, but believes that the appropriate
organization within DoD is the Office of the Under Secretary of Defense
(Comptroller) (OUSD(C)). OUSD(C) is responsible for cash disbursement
to Sailors and Marines across the globe as well as reconciling the
Department's fund balance with the Treasury. As such, OUSD(C),
utilizing the Investment Review Board (IRB) structure, will task a
functional team to work with the Navy Cash Program Office and other
program offices within DoD as appropriate to examine the relationships
among DoD's programs for delivering military personnel smart card
technology for electronic retail and banking transactions. OUSD(C) will
identify alternatives, if any, for optimizing those relationships and
will present those alternatives to the DoD Financial Management IRB and
Defense Business Systems Management Committee (DBSMC) upon completion
of the analysis.
Recommendation 3: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to ensure that the appropriate Navy
organizational entities prepare a reliable economic analysis that
encompasses the program's total life cycle costs, including those of
Department of the Treasury, Financial Management Service (FMS) and
that: (1) addresses cost-estimating best practices and complies with
relevant OMB cost benefit guidance: and (2) incorporates data on
whether deployed Navy Cash capabilities are actually producing
benefits.
DOD Response: Concur. In 2006, the Navy Cash Program Office did a high
level review of Navy Cash to determine if system capabilities were
producing anticipated benefits. The Program Office learned that ships
overwhelmingly exceeded the expected goal of carrying less cash, which
was a major goal of the system and central to the economic analysis.
The Navy Cash Program Office will develop a comprehensive and reliable
economic analysis in compliance with relevant Office of Management and
Budget (OMB) cost benefit guidance prior to technology refresh hardware
procurement for installation on ships.
Target completion date for developing this economic analysis is
September 30, 2009.
Recommendation 4: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to ensure that the Navy Cash program
manager, in collaboration with the appropriate organizations develop
and implement a patch management approach based on National Institute
of Standards and Technology (NIST) guidance, which includes a complete
Navy Cash systems inventory; an automated patch deployment capability;
and a patch management performance vulnerability measurement
capability, including metrics for susceptibility to attack and
mitigation response time.
DOD Response: Concur. The Navy Cash program is in the process of
resubmitting an updated certification package to the Naval Network
Warfare Command (NNWC), which is the program's Designated Approving
Authority, to ensure that the Navy Cash revised patch management
procedures comply with all current security directives.
The next planned release, which is already going through the
accreditation process, includes an automated patch deployment
capability. As part of configuration management, the program office
will work with stakeholders to consolidate our existing tracking tools
into a single systems inventory to track the deployment of automated
patches, and measure the patch management performance vulnerability. in
accordance with N1ST Standards. Completion for system accreditation and
tracking tool development will be in FY 2009.
Target completion date for completing our corrective actions is March
31. 2009.
Recommendation 5: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to ensure that the Navy Cash program
manager, in collaboration with the appropriate organizations institute
a process to plan, implement, evaluate, and document remedial actions
for deficiencies in Navy Cash information security policies, procedures
and practices, and ensure that this process meets Financial Information
Security Management Act (FISMA) requirements, as well as applicable OMB
and NIST guidance.
DOD Response: Concur. To address GAO's recommendation, the program
office in conjunction with its stakeholders will finalize the draft
Information Assurance Vulnerability Management Guide and accompanying
IAVM Coordinator Standard Operating Procedure to include documenting
remedial actions for deficiencies in the Navy Cash system in the System
Level IT Security Plan of Action and Milestones (POA&M), in accordance
with FISMA requirements and Department of Navy, OMB. and National
Institute of Standards and Technology (NIST) Guidance.
As stated in the response to Recommendation 4, the Navy Cash program is
in the process of resubmitting an updated Certification package to NNWC
to ensure that the Navy Cash revised patch management procedures comply
with all current security directives.
Target completion date for completing our corrective actions is March
31, 2009.
Recommendation 6: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to ensure that the Navy Cash program
manager, in collaboration with the appropriate organizations update the
Naval Supply Systems Command (NAVSUP)/Treasury Financial Management
Services (FMS) memorandum of agreement, in collaboration with FMS, to
establish specific security requirements for FMS and the financial
agent to periodically perform information security control reviews,
including applicable management, operational, and technical controls,
of the Navy Cash system, and to provide NAVSUP with copies of the
results of these reviews that pertain to the Navy Cash system and its
supporting infrastructure.
DOD Response: Concur. The Treasury FMS Security office has conducted
several security reviews of the Treasury Financial Agent's security
posture in accordance with Treasury's Electronic Systems Processing
Security Guidelines. They are also developing electronic systems
processing security guidelines for applications like Navy Cash.
The Navy Cash Program Office will work with Treasury to update the
Memorandum of Agreement (MOA) to reflect the security guidelines that
FMS places on its financial agents.
Target completion date for completing our corrective actions is May 31.
2009.
Recommendation 7: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to ensure that the Navy Cash program
manager, in collaboration with the appropriate organizations develop a
complete contingency plan to include a: (1) sequence of recovery
activities; and (2) procedures for notifying ship personnel with
contingency plan responsibilities to begin recovery activities; and to
test the contingency plan in accordance with NIST guidance, including
documenting lessons learned from testing.
DOD Response: Concur. The recovery strategies in the Navy Cash
Contingency Planning Guide will be updated to include a more detailed
sequence of recovery activities and procedures for notifying ship
personnel with contingency plan responsibilities to begin recovery
activities. The Navy Cash Contingency Plan test procedures will be
updated to include the documentation of lessons learned, in accordance
with NIST guidance.
Target completion date for completing our corrective actions is May 31,
2009.
Recommendation 8: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to ensure that the Navy Operational
Designated Approving Authority, as part of the Naval Network Warfare
Command, updates it certification and accreditation guidance to require
the development of plans of action and milestones for all above
identified security weaknesses.
DOD Response: Concur. The requirement for a System Level IT Security
Plan of Action and Milestone (POA&M) is included in the new Department
of Defense Information Assurance Certification and Accreditation
Process (DIACAP). The Navy Cash Program Office has developed a System
Level IT Security POA&M in the pending Certification and Accreditation
package for the next software update for Navy Cash.
Target completion date for completing our corrective actions is
December 31, 2008.
For the following three recommendations, if further investment in
development of Navy Cash can be justified then:
Recommendation 9: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy, through the appropriate chain of
command, to ensure that the Navy Cash program manager: (1) develop
detailed system requirements; (2) establish policies and plans for
managing changes to requirements, including defining roles and
responsibilities, and identifying how the integrity of the baseline set
of requirements will be maintained; and (3) maintain bi-directional
requirements traceability.
DOD Response: Concur. The Navy Cash Program Office will define system
requirements and establish related policies and plans adequate to
manage changes to requirements and to maintain bi-directional
requirements traceability in accordance with best business practices
for all future efforts.
Target completion date for completing our corrective actions is May 31,
2009.
Recommendation 10: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy, through the appropriate chain of
command, to ensure that the Navy Cash program manager: (1) establish
and implement a written plan and defined process for risk
identification, analysis, and mitigation; (2) assign responsibility for
managing risk to key stakeholders; (3) encourage program-wide
participation in risk management; (4) include and track the risks
discussed in this report as part of a risk inventory; and (5) apprise
decision making and oversight authorities of the status of identified
risks during program reviews.
DOD Response: Concur. While the Navy Cash Program Office addressed
program risks regularly and successfully through our Program Management
Review process, the Program Office has since instituted a more formal
risk management approach as recommended here and in accordance with the
Naval Systems Commands Risk Management Policy (NAVSUP INSTRUCTION
5000.20). The effort was kicked-off at the program review held June 10-
11, 2008, with formal documentation currently under development.
Target completion date for completing our corrective actions is
December 31, 2008.
Recommendation 11: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy, through the appropriate chain of
command, ensure that the Navy Cash program manager: (l) determines
trends in unresolved change requests and (2) understands users'
satisfaction with the system.
DOD Response: Concur. In the past, the Navy Cash Program Office has
only dealt with a minimum number of proposed changes, and all proposed
changes were well-documented. The Program Office will add the detail to
the existing process as recommended here.
It is important to highlight that the user base has been and continues
to be an important participant in essentially every program discussion.
As indicated in the report. the Program Office is currently conducting
another survey and will revise/repeat the survey process as required to
ensure understanding of user satisfaction.
Target completion date for completing our corrective actions is
September 30, 2009.
Comments To The Draft Audit Report:
The Department believes the following details and clarifications will
help readers of this report to better understand statements made in the
report that were not directly addressed in the recommendations or
responses.
Navy Cash is designated as an Acquisition Category (ACAT) III program
and is not a Major Automated Information Systems (MAIS) program. To
manage the acquisition and deployment of Navy Cash, the Navy
established a program management office within the Naval Supply Systems
Command (NAVSUP). The program office grew over time front 4 Full Time
Equivalents (FTE) in September 2000, to 8.5 FTEs in June 2008. NAVSUP
has partnered with the Treasury's FMS not only because of statutory
regulations on holding public funds (31 C.F.R. Part 202, 31 U.S.C. §
3302), but also to take advantage of the "treasury's extensive
experience in fielding stored value card programs with the Army, Air
Force and Marine Corps.
Navy Cash is a fully developed system, currently installed on 128 ships
and is over SO percent deployed. The system has achieved the major
program goals for cost, schedule, and performance. Half of the ships
remaining in our deployment schedule are new construction ships that
have not yet been delivered to the Navy. In addition, Navy's
partnership with the Treasury and the Treasury Financial Agent provided
access to what are, in effect, proven Commercial Off-the-Shelf (COTS)
products that required little modification to provide the financial
services necessary to support Navy Cash.
The Department recognizes some limited areas for improvement in
security management as described in our responses, but these
limitations do not represent a serious risk to the confidentiality,
integrity, or availability of the deployed Navy Cash systems, as
indicated on Page 8 of the report. The Department is concerned that
cardholders would become
unnecessarily concerned.
Although this report primarily focuses on cashless retail functions, it
needs to be noted that the core capability of Navy Cash is to enable
Sailors and Marines embarked on Navy ships access to their pay in
accordance with 31 U.S.C. § 3342 and The Debt Collection Improvement
Act of 1996.
[End of section]
Appendix III: Comments from the Department of the Treasury, Financial
Management Service:
Department Of The Treasury:
Financial Management Service:
Commissioner:
Washington, DC 20227:
August 18, 2008:
Mr. Randolph C. Hite:
Director, Information Technology Architecture and Systems Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Hite:
Thank you for the opportunity to comment on the Government
Accountability Office's (GAO) draft report entitled "DoD Business
Systems Modernization, Planned investment in Navy Program to Create
Cashless Shipboard Environment Needs to Be Justified and Better
Managed" (GAO-08-922). We appreciate GAO's efforts to identify
improvements in the Navy Cash program which is managed jointly by the
U.S. Department of the Navy (Navy) and the Financial Management Service
(FMS).
The Navy Cash program has successfully met the Navy's goal of
transforming cash management by removing the vast majority of cash from
the Fleet's operations. Since its introduction in 2001, the program has
displaced more than 5300 million in coin and currency on 128 Navy
ships, through the issuance of more than 200,000 financial smart cards
to Sailors and Marines who have initiated more than 100 million
transactions. Information security is critically important to both the
Navy and FMS. We note that the draft report identifies no security
breach. loss of cardholder or government funds. unauthorized release of
personal or other sensitive information, or any other compromise of
system integrity in connection with these operations.
The GAO recommendations identified in the draft report will help
strengthen the Navy Cash program, and we are already addressing several
of the findings and recommendations. Please note our comments below and
in an attachment to this letter.
First, we note that the draft report requires Navy to ensure that FMS
strengthen Its Information Technology security program in accordance
with the Federal Information Security Management Act (FISMA)
requirements. FMS will continue to support the. Navy in its efforts to
comply with the report's recommendations so long as implementation is
consistent with FMS' policies and the statutory authorities and
regulations which govern the provision of financial services by FMS'
financial agents. FMS has unique authority to designate financial and
fiscal agents to assist in the performance of many functions related to
the nation's finances. See, e.g., 12 J S.C. §§ 90, 391. This authority
permits FMS to effectively administer centralized public funds deposit.
management, and accounting functions, without the expense of developing
and maintaining its own banking system. Navy Cash funds constitute
public money under 31 C.F.R. Part 202 and thus, in accordance with 31
U.S.C. § 3302. must be held in the Treasury or in an account held by a
Treasury designated financial agent.
The commercial banking institutions selected by FMS to act as financial
agents are highly regulated and must act in compliance with rules
issued by the Office of the Comptroller of the Currency (OCC), Federal
Reserve Board, Federal Deposit Insurance Corporation (FDIC) and private
organizations (i.e. Mastercard and NACHA). FMS is in the process of
strengthening its Information Technology security program to improve
FMS' oversight of the internal controls employed by its financial
agents. FMS recognizes the importance of improved oversight of the
manner in which its financial agents implement security controls in
order to ensure that stringent security procedures are in place.
Second, the draft report questions whether Navy Cash is duplicative of
similar smart card programs operated by the Air Force and Army. This
issue was addressed before the Navy Cash program was implemented in
2001. Given the unique requirements of ships at sea, FMS and Navy
determined that the functionality of the other Department of Defense
(DoD) smart card programs could not support Navy Cash. Among other
things, Navy Cash requires a dual-factor smart card that functions on
ship (integrated circuit chip) and ashore (magnetic stripe), an
automated end-of-day settlement process, and a "Split pay" program that
allows the Sailor/Marine to allocate a portion of his or her pay to the
Navy Cash card. For both technical and costs reasons, none of the other
FMS/DoD smart card platforms could be altered to provide this
functionality.
In 2004, DoD and FMS agreed on a goal of a "single smart card." Efforts
to advance this concept include two proofs of technology pilots
(conducted in 2005 and 2006) with DoD using the Common Access Card.
Also, an Inter-Agency Stored Value Card team, which was chartered in
2007, is assisting FMS as it develops a stored value card strategy to
support a single DoD smart card for the future.
Finally, we want to clarify the statement in the draft report that "the
Navy Cash benefits projection erroneously counted $40 million as cost
savings rather than cost transfers..." We disagree with this statement.
The initial Business Case Analysis ("BCA") estimated that when
implemented fleetwide, Navy Cash would displace $459 million in cash
that would otherwise be held outside of the Treasury. The BCA
calculated the time value of the funds retained in the Treasury to be
in excess of $40 million for the first six years of the program. This
value is not merely a transfer between agencies, but represents actual
savings to the United States.
Again, thank you for the opportunity to comment on this draft GAO
report. If you have any questions or wish to discuss these comments in
more detail, I can be reached at (202) 874-7000, or you may contact
Sheryl Morrow on (202) 874-6720.
Sincerely,
Signed by:
Judith R. Tillman:
Enclosure:
Financial Management Service's (FMS) Response to Recommendations in
Government Accountability Office's Draft Report DoD Business Systems
Modernization, Planned Investment in Navy Program to Create Cashless
Shipboard Environment Needs to Be Justified and Better Managed (GAO-08-
922):
Recommendation 1: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to limit further investment in the
program to only: (1) deployment to remaining ships of already developed
and tested capabilities; (2) correction of information security
vulnerabilities and weaknesses on ships where it is deployed and
operating; and (3) development of the basis for an informed decision as
to whether further development and modernization is economically
justified and in the department's collective best interests.
Response: FMS agrees with the recommendation to correct system
vulnerabilities and update economic justification for the Navy Cash
program. However, FMS disagrees with the recommendation to limit
investment beyond fielding and maintaining already tested capabilities
because the recommendation would place future operations at risk.
Important components of the Navy Cash system architecture are at end-of-
life. Therefore, the process to identify, test, and certify replacement
equipment must continue or the program's operations will be
jeopardized. FMS will support Navy in its update of the economic
analysis of the program's costs and benefits.
Recommendation 2: The GAO recommends that the Secretary of the Defense
through the appropriate chain of command, direct the Director of the
DoD Business Transformation Agency, to: (1) examine the relationships
among DoD's programs for delivering military personnel with smart card
technology for electronic retail and banking transactions; (2)
identify, in coordination with the respective program offices,
alternatives for optimizing the relationships of these programs in a
way that minimizes areas of duplication, maximizes reuse of shared
services across the programs, and considers opportunities for a
consolidated stored value card program across the military services;
and (3) share the results with the appropriate organizations for use in
making an informed decision about planned investment in Navy Cash.
Response: FMS welcomes DoD's continued support and input in connection
with its efforts to review, develop, and implement a strategy that will
ultimately result in a single, multi-functional smart card to meet
DoD's cash management needs.
Recommendation 3: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to ensure that the appropriate Navy
organizational entities prepare a reliable economic analysis that
encompasses the program's total life cycle costs, including those of
Department of the Treasury, Financial Management Service
(FMS) and that: (1) addresses cost-estimating best practices and
complies with relevant OMB cost benefit guidance; and (2) incorporates
data on whether deployed Navy Cash capabilities are actually producing
benefits.
Response: FMS will support Navy in its analysis of the program's costs
and benefits.
Recommendation 4: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to ensure that the Navy Cash program
manager, in collaboration with the appropriate organizations develop
and implement a patch management approach based on National Institute
of Standards and Technology (NIST) guidance, which includes a complete
Navy Cash systems inventory; an automated patch deployment capability;
and a patch management performance vulnerability measurement
capability, including metrics for susceptibility to attack and
mitigation response time.
Response: FMS will support Navy in its implementation of this
recommendation and is currently working with Navy to implement an
automated patch deployment capability.
Recommendation 5: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to ensure that the Navy Cash program
manager, in collaboration with the appropriate organizations institute
a process to plan, implement, evaluate, and document remedial actions
for deficiencies in Navy Cash information security policies, procedures
and practices, and ensure that this process meets Financial Information
Security Management Act (FISMA) requirements, as well as applicable OMB
and NIST guidance.
Response: FMS will support Navy in its implementation of this
recommendation, and will ensure that implementation is consistent with
FMS' and other authorities related to the banking services provided by
FMS' financial agent.
Recommendation 6: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to ensure that the Navy Cash program
manager, in collaboration with the appropriate organizations update the
Naval Supply Systems Command (NAVSUP)/FMS memorandum of agreement, in
collaboration with FMS, to establish specific security requirements for
FMS and the financial agent to periodically perform information
security control reviews, including applicable management, operational,
and technical controls, of the Navy Cash system, and to provide NAVSUP
with copies of the results of these reviews that pertain to the Navy
Cash system and its supporting infrastructure.
Response: FMS will work with NAVSUP to update the Memorandum of
Agreement (MoA) to reflect the security guidelines that FMS places on
its financial agents. FMS is in the process of enhancing its existing
security requirements and oversight of its financial agents and will
ensure that Navy is provided access to the results of the reviews that
pertain to the Navy Cash program.
Recommendation 7: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to ensure that the Navy Cash program
manager, in collaboration with the appropriate organizations develop a
complete contingency plan to include a: (1) sequence of recovery
activities; and (2) procedures for notifying ship personnel with
contingency plan responsibilities to begin recovery activities; and to
test the contingency plan in accordance with NIST guidance, including
documenting lessons learned from testing.
Response: FMS will support Navy in its implementation of this
recommendation, and will ensure that implementation is consistent with
FMS' and other authorities related to the banking services provided by
FMS' financial agent.
Recommendation 8: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy to ensure that the Navy Operational
Designated Approving Authority, as part of the Naval Network Warfare
Command, updates it certification and accreditation guidance to require
the development of plans of action and milestones for all above
identified security weaknesses.
Response: FMS will support Navy in its implementation of this
recommendation, and will ensure that implementation is consistent with
FMS' and other authorities related to the banking services provided by
FMS' financial agent.
Recommendation 9: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy, through the appropriate chain of
command, to ensure that the Navy Cash program manager: (1) develop
detailed system requirements; (2) establish policies and plans for
managing changes to requirements, including defining roles and
responsibilities, and identifying how the integrity of the baseline set
of requirements will be maintained; and (3) maintain bi-directional
requirements traceability.
Response: FMS will support Navy in its implementation of this
recommendation, and will ensure that implementation is consistent with
FMS' and other authorities related to the banking services provided by
FMS' financial agent.
Recommendation 10: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy, through the appropriate chain of
command, to ensure that the Navy Cash program manager: (1) establish
and implement a written plan and defined process for risk
identification, analysis, and mitigation; (2) assign responsibility for
managing risk to key stakeholders; (3) encourage program-wide
participation in risk management; (4) include and track the risks
discussed in this report as part of a risk inventory; and (5) apprise
decision making and oversight authorities are of the status of
identified risks during program reviews.
Response: FMS will support Navy in its implementation of this
recommendation, and will ensure that implementation is consistent with
FMS' and other authorities related to the banking services provided by
FMS' financial agent.
Recommendation 11: The GAO recommends that the Secretary of Defense
direct the Secretary of the Navy, through the appropriate chain of
command, ensure that the Navy Cash program manager: (1) determines
trends in unresolved change requests and (2) understands users'
satisfaction with the system.
Response: FMS will support Navy in its implementation of this
recommendation, and will ensure that implementation is consistent with
FMS' and other authorities related to the banking services provided by
FMS' financial agent.
[End of section]
Appendix IV: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Randolph C. Hite (202) 512-3439 or hiter@gao.gov Gregory C. Wilshusen
(202) 512-3789 or wilshuseng@gao.gov:
Staff Acknowledgments:
In addition to the contact persons named above, key contributors to
this report were Neelaxi Lakhmani (Assistant Director), Jenniffer
Wilson (Assistant Director), Ed Glagola (Assistant Director), Monica
Anatalio, Carolyn Boyce, Harold Brumm, West Coile, Neil Doherty, Cheryl
Dottermusch, Joshua Hammerstein, Mustafa Hassan, Michael Holland, James
Houtz, Ethan Iczkovitz, Rebecca LaPaze, Anh Le, Josh Leiling, Mary
Marshall, Karen Richey, Melissa Schermerhorn, Karl Seifert, Jonathan
Ticehurst, and Adam Vodraska.
[End of section]
Footnotes:
[1] Business systems include financial and non-financial systems that
support DOD's business operations, such as civilian personnel, finance,
health, logistics, military personnel, procurement, and transportation.
[2] GAO, High-Risk Series: An Update, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-07-310] (Washington, D.C.:
January 2007).
[3] Smart cards are plastic devices that are about the size of a credit
card and contain an embedded integrated circuit chip capable of storing
and processing data. The term "smart card" may also be used to refer to
cards with a computer chip, also referred to as an e-purse, that store
information to be processed by hardware such as point-of-sale terminals
or card access devices.
[4] The BEA defines the department's business priorities, the
capabilities required to support those priorities, and the combinations
of systems and initiatives that enable those capabilities.
[5] The Navy Cash shipboard server stores individual transactions,
groups them into a single compressed file, and then transmits the file
of daily transactions for processing.
[6] The Automated Clearing House is a network that allows banking
institutions to clear, or validate, electronic transactions.
[7] This estimate, reported in DON's 2002 economic analysis, did not
include FMS's costs for the program.
[8] According to program documentation, Navy Cash has a 14-year
expected life. However, program officials stated that this life cycle
is being reconsidered and a new life cycle has yet to be established.
[9] NAVSUP is one of five system commands within DON. Its mission
includes, among other things, providing DON quality supplies and
services on a timely basis.
[10] Financial agent services are authorized under a number of
statutes, including but not limited to, 12 U.S.C. § 265 and 12 U.S.C. §
332.
[11] Donald E. Harter, Mayuram S. Krishnan, and Sandra A. Slaughter,
"Effects of Process Maturity on Quality, Cycle Time, and Effort in
Software Product Development," Management Science, vol. 46, no. 4,
2000; and Bradford K. Clark, "Quantifying the Effects of Process
Improvement on Effort," IEEE Software (November/December 2000).
[12] GAO, Information Technology: DOD's Acquisition Policies and
Guidance Need to Incorporate Additional Best Practices and Controls,
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-722] (Washington,
D.C.: July 2004).
[13] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-722].
[14] See, for example, GAO, DOD Business Transformation: Lack of an
Integrated Strategy Puts the Army's Asset Visibility System Investments
at Risk, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-860]
(Washington, D.C.: July 27, 2007); GAO, Information Technology: DOD
Needs to Ensure That Navy Marine Corps Intranet Program Is Meeting
Goals and Satisfying Customers, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-07-51] (Washington, D.C.: Dec. 8, 2006); GAO, Defense
Travel System: Reported Savings Questionable and Implementation
Challenges Remain, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-
980] (Washington, D.C.: Sept. 26, 2006); GAO, DOD Systems
Modernization: Uncertain Joint Use and Marginal Expected Value of
Military Asset Deployment System Warrant Reassessment of Planned
Investment, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-171]
(Washington, D.C.: Dec. 15, 2005); and GAO, DOD Systems Modernization:
Planned Investment in the Navy Tactical Command Support System Needs to
Be Reassessed, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-
215] (Washington, D.C.: Dec. 5, 2005).
[15] Ronald W. Reagan National Defense Authorization Act for Fiscal
Year 2005, Pub. L. No. 108-375, § 332 (2004) (codified at 10 U.S.C. §§
186 and 2222).
[16] Field/tactical refers to Army units that are deployable to
locations around the world, such as Iraq or Afghanistan.
[17] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-860].
[18] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-215].
[19] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-171].
[20] Department of Defense Directive Number 5000.1 and Department of
Defense Architecture Framework, Version 1.0, Volume 1 (February 2004).
[21] Clinger-Cohen Act of 1996, 40 U.S.C. § 11315(b)(2); E-Government
Act of 2002, Public Law No. 107-347 (Dec. 17, 2002); GAO, Information
Technology: A Framework for Assessing and Improving Enterprise
Architecture Management (Version 1.1), [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-03-584G] (Washington, D.C.: April
2003); Chief Information Officer Council, A Practical Guide to Federal
Enterprise Architecture, Version 1.0 (February 2001); and Institute of
Electrical and Electronics Engineers, Standard for Recommended Practice
for Architectural Description of Software-Intensive Systems 1471-2000
(Sept. 21, 2000).
[22] A well-defined enterprise architecture provides a clear and
comprehensive picture of an entity, whether it is an organization
(e.g., a federal department) or a functional or mission area that cuts
across more than one organization (e.g., personnel management). This
picture consists of snapshots of both the enterprise's current or "As
Is" environment and its target or "To Be" environment, as well as a
capital investment road map for transitioning from the current to the
target environment. These snapshots consist of integrated "views,"
which are one or more architecture products that describe, for example,
the enterprise's business processes and rules; information needs and
flows among functions, supporting systems, services, and applications;
and data and technical standards and structures.
[23] Pub. L. No. 108-375, § 332 (2004) (codified at 10 U.S.C. §§ 186
and 2222).
[24] DOD has adopted a federated approach for developing its business
mission area enterprise architecture, which includes the corporate BEA
representing the thin layer of DOD-wide corporate architectural
policies, capabilities, rules, and standards; component architectures
(e.g., DON enterprise architecture); and program architectures (e.g.,
Navy Cash architecture).
[25] See, for example, GAO, Information Technology: FBI Is Taking Steps
to Develop an Enterprise Architecture, but Much Remains to Be
Accomplished, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-363]
(Washington, D.C.: Sept. 9, 2005); GAO, Homeland Security: Efforts
Under Way to Develop Enterprise Architecture, but Much Work Remains,
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-777] (Washington,
D.C.: Aug. 6, 2004); GAO, Information Technology: Architecture Needed
to Guide NASA's Financial Management Modernization, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-04-43] (Washington, D.C.: Nov.
21, 2003); GAO, DOD Business Systems Modernization: Important Progress
Made to Develop Business Enterprise Architecture, but Much Work
Remains, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1018]
(Washington, D.C.: Sept. 19, 2003); GAO, Information Technology: DLA
Should Strengthen Business Systems Modernization Architecture and
Investment Activities, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-01-631] (Washington, D.C.: June 29, 2001); and GAO,
Information Technology: INS Needs to Better Manage the Development of
Its Enterprise Architecture, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO/AIMD-00-212] (Washington, D.C.: Aug. 1, 2000).
[26] These programs are deployed and in operation, and they preceded
deployment of the Navy Cash program.
[27] Business or operational activities are tasks normally conducted in
the course of achieving a mission or a business goal. The BEA describes
business or operational activities relevant to specific aspects of the
business mission areas, such as financial visibility.
[28] Office of Management and Budget, Guidelines and Discount Rates for
Benefits-Cost Analysis of Federal Programs, Circular A-94 (Washington,
D.C.: Oct. 29, 1992); Planning, Budgeting, Acquisition and Management
of Capital Assets, Circular A-11, Part 7 (Washington, D.C.: June 26,
2008).
[29] Transfers represent shifts of control over resource allocation
from one group to another that do not result in economic gains. Rather,
the benefits to the group that receives the transfer are offset by the
costs borne by the group that provides the transfer.
[30] OMB, Circular No. A-11, Preparation, Submission, and Execution of
the Budget, (Washington, D.C.: Executive Office of the President, June
2006); Circular No. A-130 Revised, Management of Federal Information
Resources, (Washington, D.C.: Executive Office of the President, Nov.
28, 2000); and Capital Programming Guide: Supplement to Circular A-11,
Part 7: Planning, Budgeting, and Acquisition of Capital Assets,
(Washington, D.C.: Executive Office of the President, June 2006).
[31] GAO, Cost Assessment Guide: Best Practices for Estimating and
Managing Program Costs, Exposure Draft, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-07-1134SP] (Washington, D.C.:
July 2007).
[32] A risk analysis can be accomplished by the use of a Monte Carlo
simulation, which involves the use of random numbers and probability
distributions to examine random outcomes.
[33] OMB, Guidelines and Discount Rates for Benefits-Cost Analysis of
Federal Programs, Circular A-94 (Washington, D.C.: Oct. 29, 1992);
Planning, Budgeting, Acquisition and Management of Capital Assets,
Circular A-11, Part 7 (Washington, D.C.: June 26, 2008).
[34] OMB Circular No. A-94, § 6(a)(4).
[35] Clinger-Cohen Act of 1996, 40 U.S.C. sections 11101-11704, and
OMB, Circular No. A-130, Management of Federal Information Resources
(Nov. 30, 2000).
[36] DOD, Defense Acquisition Guidebook, Version 1.0 (Oct. 17, 2004).
[37] This center is responsible for, among other things, manpower
analysis and work studies as directed by the Chief of Naval Operations.
[38] For example, see DOD, Department of Defense Directive Number
5000.1, The Defense Acquisition System (May 12, 2003); Department of
Defense Instruction Number 5000.2, Operation of the Defense Acquisition
System (May 12, 2003); Defense Acquisition Guidebook, Version 1.0 (Oct.
17, 2004); and Software Engineering Institute, CMMI for Acquisition,
Version 1.2, CMU/SEI-2007-TR-017 (Pittsburgh, Pa.: November 2007).
[39] DOD, Defense Acquisition Guidebook, Version 1.0 (Oct. 17, 2004).
Software Engineering Institute, Software Acquisition Capability
Maturity Model® (SA-CMM®) version 1.03, CMU/SEI-2002-TR-010
(Pittsburgh, Pa.: March 2002).
[40] DOD, Risk Management Guide for DOD Acquisition, 6th Edition,
Version 1.0, [hyperlink, http://www.acq.osd.mil/sse/ed/docs/2006-RM-
Guide-4Aug06-final-version.pdf] (accessed Mar. 13, 2008) and Software
Engineering Institute, CMMI for Acquisition, Version 1.2, CMU/SEI-2007-
TR-017 (Pittsburgh, Pa.: November 2007).
[41] CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and
Computer Network Defense (CND), CH 3 8 Mar 06.
[42] National Institute of Standards and Technology, Creating a Patch
and Vulnerability Management Program, Special Publication 800-40
(November 2005).
[43] FISMA was enacted as title III, E-Government Act of 2002, Pub. L.
No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002).
[44] NIST, Guide for the Security Certification and Accreditation of
Federal Information Systems, Special Publication 800-37 (May 2004).
[45] This guidance for a comprehensive plan of action and milestones
was distributed by the Navy Operational Designated Approving Authority,
within the Naval Network Warfare Command, which is DON's central
operational authority for information technology requirements, network
and information operations in support of naval forces afloat and
ashore. This command is responsible for granting Navy Cash its
authority to operate.
[46] Financial agent services are authorized under a number of
statutes, including but not limited to, 12 U.S.C. § 265 and 12 U.S.C. §
332.
[47] Circular No. A-130; and OMB, FY 2007 Reporting Instructions for
the Federal Information Security Management Act and Agency Privacy
Management, OMB Memoranda M-07-19, July 25, 2007.
[48] NIST, Contingency Planning Guide for Information Technology
Systems, Special Publication 800-34 (June 2002).
[49] IEEE Std 12207-2008, Systems and software engineering - Software
life cycle processes, (Piscataway, N.J.: 2008).
[50] We did not assess the assertion by FMS that Navy Cash funds
constitute public money and thus must be held in the Treasury or in an
account held by a Treasury designated financial agent.
[51] Ronald W. Reagan National Defense Authorization Act for Fiscal
Year 2005, Pub. L. No. 108-375, § 332 (2004) (codified at 10 U.S.C. §§
186 and 2222).
[52] Office of Management and Budget, Guidelines and Discount Rates for
Benefit-Cost Analysis of Federal Programs, Circular No. A-94 (Oct. 29,
1992); Planning, Budgeting, Acquisition and Management of Capital
Assets, Circular A-11, Part 7 (Washington, D.C.: June 26, 2008); GAO,
Cost Assessment Guide: "Best Practices for Estimating and Managing
Program Costs," 2007 exposure draft.
[53] Software Engineering Institute, Software Acquisition Capability
Maturity Model® (SA-CMM®), version 1.03, CMU/SEI-2002-TR-010
(Pittsburgh, Pa.: March 2002).
[54] DOD, Risk Management Guide for DOD Acquisition, 6th Edition,
Version 1.0, [hyperlink, http://www.acq.osd.mil/sse/ed/docs/2006-RM-
Guide-4Aug06-final-version.pdf] (accessed Mar. 13, 2008).
[55] Software Engineering Institute, CMMI for Acquisition, Version 1.2,
CMU/SEI-2007-TR-017 (Pittsburgh, Pa.: November 2007).
[56] GAO, Year 2000 Computing Crisis: A Testing Guide, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-10.1.21] (Washington, D.C.:
November 1998); and IEEE Std 12207-2008, Systems and software
engineering - Software life cycle processes (Piscataway, N.J.: 2008).
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: