Summary

For decades, the Department of Defense (DOD) has been challenged in modernizing its thousands of business systems. Since 1995, GAO has designated the department's business systems modernization efforts as high risk. One key to effectively modernizing DOD's systems environment and satisfying relevant legislative requirements is ensuring that business system investments comply with an enterprisewide strategic blueprint, commonly called an enterprise architecture. For DOD's business systems modernization, it is developing and using a federated Business Enterprise Architecture (BEA), which is a coherent family of parent and subsidiary architectures. GAO was requested to determine whether key Department of the Navy business systems modernization programs comply with DOD's federated BEA. To determine this, GAO examined the BEA compliance assessments, certifications, and approvals for selected Navy programs against relevant guidance.

Key DOD business systems modernization programs do not adequately demonstrate compliance with the department's federated BEA, even though each program largely followed DOD's existing compliance guidance, used its compliance assessment tool, and was certified and approved as being compliant by department investment oversight and decision-making entities. In particular, the programs' BEA compliance assessments did not include all relevant architecture products, such as products that specify the technical standards needed to promote interoperability among related systems; examine overlaps with other business systems, even though a stated goal of the BEA is to identify duplication and thereby promote the use of shared services; and address compliance with the Department of the Navy's enterprise architecture, which is a major BEA federation member. These important steps were not performed for a variety of reasons, including the fact that the department's guidance does not provide for performing them and its assessment tool is not configured to do so. In addition, even though the department's investment oversight and decision-making authorities certified and approved these business system programs as compliant with the BEA, these certification and approval entities did not validate each program's compliance assessment and assertions. According to DOD officials, department policy and guidance do not require these authorities to do so. Instead, they said that this responsibility is assigned to DOD's component organizations, such as the Department of the Navy. However, Department of the Navy oversight and decision-making authorities also did not validate the programs' assessments and assertions. According to department officials from the Office of the Chief Information Officer, this is because these authorities do not have the resources needed to do so and because important aspects of the Department of the Navy enterprise architecture are not yet sufficiently developed to permit a compliance determination. In addition, guidance does not exist that specifies how an assessment should be validated. Because of these limitations, these and other DOD programs are at increased risk of being defined and implemented in a way that does not sufficiently ensure interoperability and avoid duplication and overlap, which are both goals of the BEA and the department's related investment management approach. Unless this changes, DOD and its components will not have a sufficient basis for knowing if its business system programs have been defined to effectively and efficiently support corporate business operations, and DOD's business systems modernization efforts will likely remain on GAO's high-risk list.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow up work.

Recommendations for Executive Action