The Drug Enforcement Administration's Management of Enterprise Architecture and Information Technology Investments

Report Number 04-36
September 2004
Office of the Inspector General


Appendix 11

OIG, Audit Division Analysis and Summary of Actions Necessary to Close Report

We provided a draft audit report to the DEA for review and comment. The response from the DEA is incorporated as Appendix 10 of this final report. The DEA concurred with the recommendations resulting from the audit. Our analysis of the DEA's response to specific recommendations is provided below.

Recommendation Number:

  1. Resolved. This recommendation is resolved based on the DEA's plan to determine its current Enterprise Architecture (EA) maturity level and establish an EA Review Board that will apply the Government Accountability Office's Maturity Model criteria and the metrics within the model. This recommendation can be closed when we receive and review documentation that the DEA is applying metrics to measure EA progress, quality, compliance, and return on investment.

  2. Resolved. This recommendation is resolved based on the DEA's plan to develop a charter, policy, plan, and maintenance process to keep the DEA's EA aligned with the federal and the Department of Justice EA framework and guidance. This recommendation can be closed when we receive and review a copy of the policy for EA development and maintenance that meets the requirements of the EA Management Framework.

  3. Resolved. This recommendation is resolved based on the DEA's intent to actively ensure that configuration controls are provided and obeyed. This recommendation can be closed when we receive and review a copy of the maintenance process that will ensure the completed EA undergoes configuration management.

  4. Resolved. This recommendation is resolved based on the DEA's plan to integrate security with EA so that all of the artifacts of the DEA's EA will be aligned with security attributes and comply with the Federal Information Security Management Act. This recommendation can be closed when we receive and review documentation that the target architecture addresses security as outlined in the EA Program Plan.

  5. Resolved. This recommendation is resolved based on the DEA's plan to integrate the target EA with the Information Technology Investment Management (ITIM) process to ensure that the DEA's information technology investments are not duplicative, are well integrated, are cost effective, and support the DEA mission. This recommendation can be closed when we receive and review documentation that the remaining EA stages are completed and implemented.

  6. Resolved. This recommendation is resolved based on the DEA's plan to schedule an ITIM investment board meeting to focus on investment management training, including process, evaluating, scoring, and EA. This recommendation can be closed when we receive and review documentation that the board members have received the planned training.

  7. Resolved. This recommendation is resolved based on the DEA's intention to review and update the ITIM transition plan based on current activities, strategies, and plans. This recommendation can be closed when we receive and review the DEA's schedule for completing Stages 3 through 5 of the ITIM process to control and evaluate the DEA's information technology investments.