Information Technology
FBI Is Implementing Key Acquisition Methods on Its New Case Management System, but Related Agencywide Guidance Needs to Be Improved
GAO-08-1014, Sep 23, 2008
Additional Materials:
Share This:
Contact:
(202) 512-3000
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
The Federal Bureau of Investigation (FBI) is 3 years into its 6-year, $451 million program known as Sentinel, which is to replace its antiquated, paper-based, legacy systems for supporting mission-critical intelligence analysis and investigative case management activities. Because of the importance of Sentinel to the bureau's mission operations, GAO was asked to conduct a series of reviews on the FBI's management of the program. This review focuses on whether the FBI is employing effective methods in acquiring commercial solutions for Sentinel. To do so, GAO researched relevant best practices; reviewed FBI policies and procedures, program plans, and other program documents; and interviewed appropriate program officials.
The FBI's Sentinel program is implementing five key methods for acquiring commercial information technology solutions. In particular, it is managing Sentinel requirements by making sure that changes to established baselines are justified and approved on the basis of costs, benefits, and risks, and it is ensuring that different levels of requirements and related design specification and test cases are properly aligned with one another. In addition, the bureau is analyzing commercially available product alternatives in relation to requirements, costs, and other factors to ensure that the most cost-effective mix of products is being used to minimize requirement gaps. In doing so, it is taking steps to understand the dependencies among the commercial products, thus ensuring that they can interoperate effectively. Also, the bureau is not modifying the commercial products that it is selecting and using to develop Sentinel, which should allow it to minimize future maintenance costs by taking advantage of future product releases and other vendor product support. Last, it is taking steps to ensure that Sentinel integration with FBI legacy systems will occur when needed, for example, by establishing agreements with legacy system owners. Collectively, implementation of these acquisition methods should increase the chances of cost effectively delivering required Sentinel capabilities on time. However, the implementation of most of these acquisition methods is generally not governed by bureauwide policies and guidance that address all relevant practices. To the credit of program officials, this void in corporate policies and guidance has not affected Sentinel, as they are implementing all of the key practices either through reliance on their prime contractor's approaches or through Sentinel-specific plans. If policies and guidance relative to each of these methods for acquiring commercial component-based systems were incorporated into FBI-wide policies and guidance, the bureau could increase its chances of employing them on a repeatable basis across all applicable system investments.
Status Legend:
- Review Pending
- Open
- Closed - implemented
- Closed - not implemented
Recommendations for Executive Action
Recommendation: To leverage key commercial component-based acquisition methods being implemented on Sentinel, and increase the chances of these practices being implemented on all FBI IT programs, the FBI Director should instruct the Chief Information Officer to incorporate into FBI policy or guidance each of the practices that we identified in this report as not being addressed relative to commercial product modification.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Not Implemented
Comments: To date, the Federal Bureau of Investigation has not implemented this recommendation. In September 2011, the Bureau updated its recommended Analysis/Trade Study Report template (DT-005) to consider commercial product customization, when appropriate. However, this guidance does not specifically address effective controls for modifications to commercial components, which include (1) having a defined policy or guidance governing modification of commercial products, (2) ensuring that any modification is justified on the basis of the life-cycle impact on system costs and benefits, and (3) working proactively with the product's vendor to incorporate planned modifications into the next release of the product. By not addressing these leading practices for modifying commercial information technology components in its guidance, the Bureau may not be able to fully realize the advantages of such commercial components and may introduce problems in operating and maintaining its systems as a result of their modification.
Recommendation: To leverage key commercial component-based acquisition methods being implemented on Sentinel, and increase the chances of these practices being implemented on all FBI IT programs, the FBI Director should instruct the Chief Information Officer to incorporate into FBI policy or guidance each of the practices that we identified in this report as not being addressed relative to commercial product dependency analysis.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In November 2008, the Federal Bureau of Investigation (FBI) implemented this recommendation by developing guidance for commercial product dependency analysis as part of the tailoring process outlined in FBI's IT Life Cycle Management framework. For instance, FBI project teams now allocate requirements among the various commercial components that constitute a given system design in a Requirements Traceability Matrix (DT-031). Consistent with our recommendation, the matrix requires, for example, that system and interface requirements be allocated to sub-systems, hardware and software components, as well as test procedures and results. In addition, FBI project teams complete an Interface Control Document, which specifies system requirements associated with the equipment, software, operations, or services affecting the involved systems or segments. Moreover, bureau officials stated that certain of its information technology (IT) projects have utilized iterative prototyping, a leading practice for ensuring that system components will successfully interact. By taking these actions, FBI has helped ensure that its IT investments will deliver required capabilities in a timely and cost-effective fashion.
Recommendation: To leverage key commercial component-based acquisition methods being implemented on Sentinel, and increase the chances of these practices being implemented on all FBI IT programs, the FBI Director should instruct the Chief Information Officer to incorporate into FBI policy or guidance each of the practices that we identified in this report as not being addressed relative to requirements/commercial product trade-off analysis.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In September 2011, the Federal Bureau of Investigation (FBI) implemented this recommendation by updating its recommended Analysis/Trade Study Report template (DT-005) to have project teams analyze trade-offs between implemented systems and competing design alternatives to determine the best fit based on commercial component capabilities and high-level project requirements as part of the tailoring process outlined in FBI's IT Life Cycle Management framework. The template states that this analysis should be revisited early and continuously throughout the system acquisition life cycle, beginning at the system concept exploration phase and continuing through project-level and bureau governance milestone reviews. Additionally, the template states that the analysis should address the relative quality and cost trade-offs between the commercial alternatives and should involve relevant stakeholders in trade-off analyses and decision making processes. By requiring periodic reassessment of system design with respect to commercial alternatives, the Bureau has increased the likelihood that its investments in information systems will deliver required capabilities in a timely and cost-effective way.
Recommendation: To leverage key commercial component-based acquisition methods being implemented on Sentinel, and increase the chances of these practices being implemented on all FBI IT programs, the FBI Director should instruct the Chief Information Officer to incorporate into FBI policy or guidance each of the practices that we identified in this report as not being addressed relative to legacy system integration management.
Agency Affected: Department of Justice: Federal Bureau of Investigation
Status: Closed - Implemented
Comments: In November 2008, the Federal Bureau of Investigation (FBI) implemented this recommendation by incorporating the Interface Control Document as part of the tailoring process defined in its IT Life Cycle Management framework. This document is used as a requirements agreement between two or more participants within a system, or between systems. It specifies the requirements and/or design definitions of system interfaces affecting multiple systems, segments, or contractors within a project. It establishes the specifications and system requirements associated with the equipment, software, operations, or services affecting the involved systems or segments. This document also defines a set of qualification methods (such as testing, analysis, and inspection) to be used to verify that the requirements for the interfaces have been met. FBI officials confirmed that although legacy systems are not specifically mentioned with regard to interface control documents, all legacy and existing systems are documented and tested to ensure proper integration. By adopting this approach, FBI has increased the likelihood that its IT investments will perform as required and will be fielded in a timely and cost-effective fashion.