U. S. DEPARTMENT OF JUSTICE

Corrective Action Report

Issue and Milestone Schedule

                Date of Submission

First Quarter Update:

Second Quarter Update:

Third Quarter Update:

End of Year Report:

10/29/04

Issue Title

Information Technology Security Weaknesses in Financial Management Systems

Issue ID

Organization

Department of Justice

Date First Initiated

10/04

Original Target for Completion

03/31/05

Current Target for Completion

03/31/05

Actual Date of Completion

Issue Type (Organization Rating)

Program Material Weakness

Date of Source Report

Issue Type (DOJ Rating)

Program Material Weakness

Issue Description

Financial audits continue to find significant weaknesses in internal controls related to IT security.  Consolidated financial statement audit reviews revealed a range of deficiencies in the component financial and financial-mixed IT systems.  Material weaknesses and reportable conditions were noted at several major components, including the Federal Bureau of Investigation; the U.S. Marshals Service; the Office of Justice Programs; the Bureau of Prisons; the Bureau of Alcohol, Tobacco, Firearms and Explosives; and the Offices, Boards and Divisions.  Control weaknesses cited include: access controls, specifically noting failure to ensure adequate separation of duties; application software development and change controls; service continuity; system software; and, application controls.

What We Will Do About It

The Office of the Chief Information Officer, working with the Chief Financial Officer and Component Program Managers, has developed a corrective action plan to address weaknesses identified and implement corrective actions to ensure program improvements are made and institutionalized.

Milestones

Original Target Date

Current Target Date

Actual Date of Completion

1.  Gather findings and weaknesses from self assessments, Office of the Inspector General audits, and certifications and accreditations for financial systems; ensure that corrective plans of action and milestones are developed, with resource requirements identified, and are entered into the Department’s Computer Security Assessment and Management Tool for continuous monitoring and tracking.

12/31/04

12/31/04

2.  Ensure corrective actions are prioritized and monitored on a quarterly basis.

03/31/05

03/31/05

How We Will Know It Is Fixed

Future financial systems reviews will not yield similar findings

U. S. DEPARTMENT OF JUSTICE

Corrective Action Report

Issue and Milestone Schedule

                Date of Submission

First Quarter Update:

Second Quarter Update:

Third Quarter Update:

End of Year Report:

10/15/04

Issue Title

Management of Information Technology Investments

Issue ID

Organization

Federal Bureau of Investigation

Date First Initiated

2002

Original Target for Completion

Current Target for Completion

10/05

Actual Date of Completion

Issue Type (Organization Rating)

Program Concern

Source Title

OIG Audit Report 03-09

Date of Source Report

12/02

Issue Type (DOJ Rating)

Program Concern

A December 2002 Office of Inspector General (OIG) audit report entitled, Federal Bureau of Investigation’s (FBI) Management of Information Technology (IT) Investments, stated that in the past the FBI has not given sufficient management attention to IT investments.  As a result, the FBI has not fully implemented critical processes necessary for such management and has invested large sums of money on IT projects without assurance that these projects would meet intended goals.

This issue is DOWNGRADED.  DOJ no longer considers this issue to be material at the Department level due to the substantial efforts made at the agency level by the FBI to address this matter.

In January 2002, the FBI began implementing an IT investment management process as a part of its overall IT strategic management framework.  To date, the FBI has made significant progress toward creating a stronger foundation for IT management practices.  The Department is working closely with the FBI to ensure the integration of the DOJ and FBI investment management processes and project oversight processes.  Senior DOJ and FBI officials hold biweekly meetings on these issues.  DOJ representatives attend the FBI project status briefings (i.e., project management reviews) which have been initiated to review the project status on major FBI IT projects.

During FY 2004, the FBI named an Acting Chief Information Officer (CIO) and Chief Technology Officer (CTO) and appointed a Chief Architect to create and manage the FBI’s Enterprise Architecture (EA) and Strategic IT Plan (SITP).  The work on the EA and SITP will address the findings and recommendations of the September 2003 Government Accountability Office audit on the FBI’s EA.

FY 2004 End of Year Update

Milestone 3:  The CIO approved the Life Cycle Management Directive (LCMD) the first week of August 2004, and the Director signed off on it on 8/30/04.  The FBI will use the document as a model to show how an IT project will go through its project and product life cycles.  The FBI now requires all IT projects to follow the LCM.

Milestone 5:  Implemented policy for all IT projects.  The IT LCMD requires all IT projects to have a project management plan.

Milestone 6:  The FBI established key review boards to direct and monitor FBI IT investments.  Specifically, the Investment Management Project Review Board is an executive level board that will review all planned IT investments at Gates 1 and 2 of the IT LCMD.  Further, the Enterprise Architecture Board reviews planned projects to ensure that EA policies and IT standards are followed.  The Technical Configuration Control Board evaluates all potential change requests to ensure that changes are technically feasible and fit within the current IT infrastructure.  The Change Management Board reviews projects as they transition through the developmental life cycle and become operational.  All changes that impact user access and system availability are reviewed and approved.  Completed the IRD inventory and assessment in November 2003 and provided the results to the OIG in the November 2003 update.

Milestone 8:  Completed and delivered to the OIG training templates for identifying business needs and using cost/benefit analysis in the November 2003 update.  Issued an electronic communication the week of August 2, 2004, establishing that training will be provided on the policies and procedures required for all IT projects.  Currently working with the training division to formalize the training regimen.  The CIO’s Office and the Training Division have met on two occasions and are planning further meetings to review/finalize training requirements and planning.

Milestone 15:  Releases 2 and 3 baselines for Virtual Case File (VCF) are pending.  The FBI and contractor are finalizing the Transportation Network Component/Information Presentation Component (TNC/IPC) revised baseline.

Milestone 16:  Completed and provided technical requirements documentation for User Application Component (UAC).  Provided evidence to OIG in November 2003 update.

Milestone 17:  Provided integrated plan, noting all risks in the three reports and risks the FBI has accepted and/or is mitigating, to the OIG in the November 2003 update.

Milestone 20:  Launched VCF web-based training, and provided this training to 20,906 users.  FBI Academy Learning Management System is operational and providing office software training to Trilogy users.  Technical training continues and VCF training modules are available on-line at FBI Virtual Academy.  Provided evidence of training conducted and available to the OIG in the November 2003 update.

Milestone 23:  Sent evidence of completed forms to OIG in November 2003 update.

Milestone 24:  The FBI now has a Chief Architect and a new organization under the Office of the CIO, the Office of IT Policy and Planning (OIPP).  The previous Chief Architect and staff are creating and managing the SITP in alignment with the EA.  The first release of the Plan is in its final review.  The OCIO anticipates releasing it to the Director for signature in November 2004.  The review of the integration of high level IT metrics goals into the SITP has been completed.  Additionally, the CIO published the first metrics report in September 2004, reflecting metrics for June 2004.  The report was based on the Balanced Scorecard Methodology.  Subsequently, the July and August 2004 IT metrics reports were published in October 2004.  As the IT metrics report matures, strategic goals, IT acquisition, and ITIM metrics will be incorporated.

Milestones

Original Target Date

Current Target Date

Actual Date of Completion

1.  Establish regularly scheduled meetings with standing agendas for the investment boards and specific roles and responsibilities for each board member.

06/02

06/02

06/02

2.  Establish education and training plans to ensure that board members acquire required core competencies.

03/03

12/03

08/03

3.  Implement official project management guidance.

06/03

08/04 (LCM release 1)

08/04 (LCM release 1)

4.  Establish and operate a project management office.

06/03

09/03

n/a

5.  Approve a project management plan for each IT project (by the Project Oversight Committee).

09/03

12/03

01/04

6.  Complete and consistently keep up the IT inventory and its use by the boards as a decision-making tool.

06/03

09/04

11/03

7.  Execute key process activities necessary for the investment review boards to maintain effective oversight.

09/03

09/03

09/03

8.  Establish, and train on, policies and procedures for identifying the business needs and users of IT projects.

09/03

12/03;

10/05

9.  Apply IMP to all IT project proposals, including those funded through base funding.

09/03

09/03

07/03

10.  Implement recommendations on expanding the policies and procedures set forth in the post-implementation review.

06/02

06/02

06/02

11.  Incorporate input from various ITIM users into the development and refinement of the control and evaluate phases.

08/02

08/02

08/02

12.  Perform a business architecture compliance review of IT proposals to ensure support of the Bureau's mission.

06/03

06/03

06/03

13.  Implement a plan for integration of the IMP with a system development life-cycle methodology.

06/03

06/03

07/03

14.  Develop the first phase of a comprehensive EA and implement a maturation plan.

04/03

06/03

06/03

15.  Establish and monitor baselines for Trilogy.

03/03

01/04

01/04

16.  Define and disseminate the technical requirements for Trilogy's UAC.

03/03

09/03

11/03

17.  Prepare and monitor an action plan to address the risks identified by the three internal reports on Trilogy.

03/03

12/03

11/03

18.  Establish a process for future IT deployments wherein field offices can submit input and receive feedback from HQ.

06/03

06/03

06/03

19.  Correct Trilogy service support contractor deficiencies.

03/03

03/03

01/03

20.  Resolve outstanding issues related to the Trilogy on-line training system and a training plan specifically designed for IT specialists and electronic technicians.

09/03

09/03

11/03

21.  Deliver remaining Extended Fast Track computers.

02/03

03/03

03/03

22.  Procure trouble-shooting equipment for Trilogy.

03/03

03/03

03/03

23.  Create a web-based replacement approach for WordPerfect macros.

06/04

06/04

11/03

24.  Integrate the IT strategic planning process, the IMP, and the performance goals in the Department IT plan.

09/04

10/05 (SITP release 1)

How We Will Know It Is Fixed

Addressing the recommendations assists the FBI in further maturing the IT Strategic Management Framework.  The FBI’s progress toward implementation will be measured against GAO’s ITIM Framework for Assessing and Improving Process Maturity.  The FBI is working to integrate strategic planning, budgeting, EA, investment management, and project management into an overall framework that meets GAO’s guidelines, OMB direction, and DOJ policy in a manner that supports the FBI’s mission.

FBI IT projects will stay within budget and on schedule and result in successful program operations.  The FBI will have an SITP and EA to guide future selection, control, evaluation, and management of the IT project and system portfolio.

U. S. DEPARTMENT OF JUSTICE

Corrective Action Report

Issue and Milestone Schedule

Date of Submission

First Quarter Update:

Second Quarter Update:

Third Quarter Update:

End of Year Report:

09/30/04

Issue Title

Computer Security Implementation

Issue ID

Organization

Department

Date First Initiated

10/01/02

Original Target for Completion

12/30/04

Current Target for Completion

06/30/04

Actual Date of Completion

06/30/04

(CLOSED)

Issue Type (Organization Rating)

Program Material Weakness

Source Title

Date of Source Report

Issue Type (DOJ Rating)

Program Material Weakness

Issue Description

Financial and Security Act audits and reviews conducted by the Department’s Inspector General and independent verification and validation (IV&V) reviews, penetration testing, self assessments, and certifications and accreditations continue to identify weaknesses in both classified systems and sensitive but unclassified (SBU) systems.  Specific concerns include issues with management, operational, and technical controls that protect each system and the data stored on it from unauthorized use, loss, or modification.  Because technical controls prevent unauthorized system access, the Department’s Office of the Inspector General concluded that the vulnerabilities noted in those areas were most significant.  The most common vulnerability was with security standards and procedures, and password and logon management.  Due to insufficient common standards and inadequate Department oversight, components have been given broad abilities to implement controls and too much latitude in establishing system settings.  Additionally, vulnerabilities identified are more voluminous in the Department’s legacy networks and infrastructures.

What We Will Do About It

This issue is CLOSED, due to completion of Milestone 7 in June 2004.

For a complete history of actions taken, refer to past Performance and Accountability Reports.

U. S. DEPARTMENT OF JUSTICE

Corrective Action Report

Issue and Milestone Schedule

                Date of Submission

First Quarter Update:

Second Quarter Update:

Third Quarter Update:

End of Year Report:

10/27/04

Issue Title

DOJ Financial Systems Compliance

Issue ID

Organization

Department of Justice

Date First Initiated

02/28/01

Original Target for Completion

On-going

Current Target for Completion

On-going

Actual Date of Completion

Issue Type (Organization Rating)

Financial System Material Weakness

Source Title

Management Review and Annual Financial Statement Audits

Date of Source Report

11/30/01

Issue Type (DOJ Rating)

Financial System Material Weakness

Issue Description

For DOJ as a whole, the need to address weaknesses cited in the financial statement audits, nonconformances with Office of Management and Budget (OMB) Circular No. A-127 and A-130, technological changes, and the need to better support critical financial operations and agency programs contribute to the necessity to modernize the Department’s financial systems and improve internal controls.

What We Will Do About It

The Attorney General identified a unified core financial system as part of the ten goals for revamping the Department’s management.  The unified core system will be a commercial off-the-shelf  (COTS) Financial Management System product(s) certified by the Joint Financial Management Improvement Program as meeting core federal financial management system requirements.

FY 2004 Year End Update

The target dates have changed for all outstanding milestones due to the extended period of COTS software evaluation, which directly impacts timing of the integration and implementation (I&I) request for quote (RFQ) issuance, the I&I contract award, and the implementation of the Unified Financial Management System (UFMS).

Milestone 9:  Although the initial UFMS implementation is scheduled to begin in FY 2006, DOJ expects to be substantially compliant with the Federal Financial Management Improvement Act (FFMIA) by July 2005. Components reported as not meeting federal accounting standards or systems requirements, and having material weaknesses in system controls/security, will implement compensating internal controls and financial system improvements to effect substantial compliance with FFMIA by July 2005.

Milestones

Original Target Date

Current Target Date

Actual Date of Completion

1. Planning phase, including milestones.

05/30/02

08/15/02

08/15/02

2. Develop requirements for issuance of COTS solicitation.

02/21/03

02/21/03

02/14/03

3. Develop consolidated requirements for draft I&I solicitation.

03/27/03

04/15/03

04/15/03

4. Receive/evaluate/award contract for COTS software.

05/30/03

2^nd Q/FY 2004

03/29/04

5. Develop/conduct COTS acceptance testing that will include full DOJ pilot simulation.

10/17/03

1^st Q/ FY 2005

6. Issue final I&I solicitation.

06/03/03

2^nd Q/FY 2005

7. Receive/evaluate/award contract for I&I contractor.

08/29/03

3^rd Q/FY 2005

8. Implement COTS UFMS software for designated program/component.

10/01/04

FY 2006

9. Bring systems into substantial compliance with FFMIA.

04/01/03

07/31/05

How We Will Know It Is Fixed

Modern financial systems that comply with federal financial system requirements will be implemented, and system dependent audit recommendations will be closed.

U. S. DEPARTMENT OF JUSTICE

Corrective Action Report

Issue and Milestone Schedule

                Date of Submission

First Quarter Update:

Second Quarter Update:

Third Quarter Update:

End of Year Report:

10/27/04

Issue Title

DOJ Accounting Standards Compliance

Issue ID

Organization

Department of Justice

Date First Initiated

12/19/02

Original Target for Completion

09/30/03

Current Target for Completion

09/30/05

Actual Date of Completion

Issue Type (Organization Rating)

Financial System Material Weakness

Source Title

FY 2002/2003 Integrity Act Review and Financial Statement Audit Report

Date of Source Report

FY 2002/FY 2003

Issue Type (DOJ Rating)

Financial System Material Weakness

Issue Description

In the FY 2003 audit reports, the Federal Bureau of Investigation (FBI); the Offices, Boards and Divisions (OBDs); the Working Capital Fund (WCF); the United States Marshals Service (USMS); and the Asset Forfeiture Fund/Seized Assets Deposit Fund (AFF) were reported by the auditors as having material weaknesses in their compliance with certain federal accounting standards.  Included were findings related to weaknesses in business processes, financial transaction recording, and reporting, including seized asset accounting.  In FY 2004, several material weaknesses were identified for OJP that included inconsistencies in its financial reporting processes (e.g., grant accounting and monitoring).  Weaknesses existed in ATF’s accrual accounting methodology in FY 2004.  A new material weakness regarding improper segregation of duties was added to the USMS for FY 2004.  The FBI has two material weaknesses.

What We Will Do About It

In FY 2004, the OBDs, WCF, and AFF eliminated their material weaknesses.  Also, the USMS reduced its material weakness for implementing effective controls for the preparation of reliable and timely financial reports to a financial system concern.

Milestone 1: During the fourth quarter of FY 2004, the FBI selected one additional applicant through the preliminary process who met the employee background requirements.  In an effort to become fully staffed, the FBI solicited two additional positions to fill the remaining vacancies.  Throughout the fiscal year, the Finance Division’s General Ledger Unit was given the highest priority in terms of its hiring efforts and critical functions.

Milestones

Original Target Date

Current Target Date

Actual Date of Completion

1.  The FBI will hire additional staff for financial statement reporting process.

06/30/03

02/01/05

2.  The FBI will improve its existing process of recording and tracking property in a timely and accurate manner.

09/30/05

09/30/05

3.  The JMD will revise its procedures and provide guidance and training to those processing data for the OBDs and WCF.

09/30/03

06/30/04

06/30/04

4.  The USMS will improve its timeliness in business processes, procedures, and reporting practices.

06/30/04

09/30/04

09/30/04

5.  The AFF will enhance its monitoring and training processes and establish additional procedures to improve control over transaction processing and reporting.

06/30/04

09/30/04

09/30/04

6.  The OJP anticipates eliminating its inconsistencies with the financial reporting process including continuous grant accounting and monitoring and adherence to proper internal controls.

03/31/05

03/31/05

7.  The OJP will improve its financial management systems controls.

06/30/05

06/30/05

8.  The ATF will continue to strengthen its accrual accounting methodology.

06/30/05

06/30/05

9. The USMS will improve its segregation of duties in the financial systems environment.

06/30/05

06/30/05

10. The USMS will strengthen the existing weaknesses in its general and application controls.

06/30/05

06/30/05

How We Will Know It Is Fixed

Management evaluation of these issues will be supported by audit review.