The Federal Bureau of Investigation's
Management of the Trilogy Information Technology Modernization Project

Audit Report No. 05-07
February 2005
Office of the Inspector General

Appendix 7

The FBI's Response to the Draft Report


U.S. Department of Justice
Federal Bureau of Investigation
Washington, D.C. 20535-0001

January 26, 2005

The Honorable Glenn A. Fine
Inspector General
Office of the Inspector General
U.S. Department of Justice
Room 4322
950 Pennsylvania Avenue, N.W.
Washington, D.C. 20530


Dear Mr. Fine:

The Federal Bureau of Investigation (FBI) appreciates your efforts, and those of your staff, in assessing the progress of our Trilogy technology modernization project. As always, the FBI welcomes your observations and final recommendations. We will give them thorough review and consideration.

We have completed our review of your draft report entitled, "The Federal Bureau of Investigation's Management of the Trilogy Information Technology Modernization Project" and appreciate this opportunity to respond to your preliminary findings and recommendations. Based upon our review, your findings and recommendations are consistent with the FBI's internal reviews and with those of other oversight entities. I am pleased to inform you that the FBI has made significant progress in addressing not only all the recommendations, but all the key issues raised in your draft report.

Before responding to the individual recommendations, however, there are several issues that call for clarification. These relate to the national security impact of the delay of the Virtual Case File (VCF), the future of the VCF, and changes in the FBI's management of information technology (IT). A more detailed "fact check” that pointed out specific inaccuracies was submitted under separate cover on January 19, 2005.

Issue 1: National security remains uncompromised by the delay of VCF

We agree that we have not met our goals for an automated case management system. However, we disagree with your finding that "the continuing lack of an effective case management system hinders the FBI's capability to perform its critical national security mission." The draft report states that delays in the VCF program raise national security implications because the FBI is continuing to rely on the Automated Case Support (ACS) system and paper files, which hamper FBI Agents and Analysts from adequately searching and sharing information from investigative files. These statements overlook the substantial IT improvements that directly support our counterterrorism mission.

While VCF would improve efficiency, workflow, and records management, it is important to stress that VCF is a software application, not a counterterrorism database or hardware set. All FBI Special Agents and Intelligence Analysts have access to the necessary FBI databases. The legacy case management system, ACS, has limitations, but it is a widely used tool that heavily supports case, lead, and collected-item management, reporting, and indexing services. ACS is searchable and data entered into it can be updated. More importantly, ACS is far from the only means by which the FBI searches, analyzes, and shares data.

Substantial IT improvements have been made, such as upgrading our secure network to a high-speed reliable network. Hardware and robust search tools have greatly enhanced our ability to access, analyze, and share information. As pointed out in the draft report, the new Trilogy network and hardware provides a uniform suite of software that has given FBI personnel the ability to share information, including images, audio, video, and multimedia files, quickly, reliably, and securely. The Trilogy upgrades have also provided a foundation for a number of new capabilities that support the FBI's counterterrorism mission.

The FBI's Investigative Data Warehouse (IDW) now provides Special Agents, Intelligence Analysts, and members of Joint Terrorism Task Forces (JTTFs), with a single access point to more than 47 sources of counterterrorism data, including information from FBI files, other government agency data, and open source news feeds, that were previously available only through separate, stove-piped systems.

New analytical tools are used across multiple data sources providing a more complete view of the information possessed by the Bureau. Users can search up to 100 million pages of international terrorism-related documents and billions of structured records such as addresses and phone numbers in seconds. They can also search rapidly for pictures of known terrorists and match or compare the pictures with other individuals in minutes rather than days. Coupled with sophisticated state-of-the-art search tools, the IDW enhances the FBI's ability to identify relationships across cases quickly and easily.

Other critical IT improvements have given the FBI unprecedented connectivity with our partners in the Intelligence and Law Enforcement Communities. The Top Secret/Sensitive Compartmented Information Operational Network (SCION) gives FBI personnel the ability to electronically receive, disseminate, and share compartmented sources of intelligence information among the FBI's counterterrorism and counterintelligence operations and with the Intelligence Community. SCION also provides for video teleconferencing at the TOP SECRET level.

The FBI has further enhanced its SECRET level connectivity to the Intelligence and Homeland Security Communities via the Department of Defense's (DOD) SECRET Internet Protocol Router Network (SIPRNET). At the start of 2004, the FBI had a SIPRNET presence of 50 stand-alone workstations. In December 2004, the FBI implemented a new strategy which currently provides FBI users with access to SIPRNET from their Trilogy desktop.

The FBI uses SIPRNET to disseminate both raw and finished intelligence and to support more than 100 JTTFs, the Foreign Terrorist Tracking Task Force (FTTTF), the National Virtual Translation Center (NVTC), the Terrorism Screening Center (TSC), and the Terrorist Explosive Devices Analytical Center (TEDAC).

The Secure Video Teleconferencing Network (SVTCN) provides SECRET level, state-of-the-art video teleconferencing capability between FBI Headquarters, remote field offices, JTTFs, and other secure locations. The SVTCN operates over the FBI's new Trilogy network and can relay live video and information from a crisis center to senior FBI management located at any FBI site. The SVTCN also supports distance learning activities.

We have also enhanced connectivity through the FBI's Automated Messaging System (FAMS). FAMS began 24/7 operations on December 15, 2004, and now provides users with the capability to send and receive critical organizational message traffic to any of the 40,000+ addresses on the Defense Messaging System (DMS). FAMS will replace the legacy SAMNET system and support all FBI users by April 30, 2005. The Top Secret version of FAMS is currently under test and will provide the same capability to everyone on SCION by May 30, 2005. The FBI is the first civilian agency to operate on the classified DMS.

Another innovation is the FBI Intelligence Information Reports Dissemination System (FIDS), deployed throughout the FBI on November 15, 2004. FIDS is a web-based software application that allows all FBI personnel with access to the FBI's Intranet to create and disseminate standardized Intelligence Information Reports (IIRs) quickly and efficiently. FIDS is significant because it is the first Extensible Markup Language (XML) - based IIR system in the federal government with a message format output standardized to Intelligence Community standards. It facilitates interoperability with other Intelligence Community databases and dissemination systems using XML. It also automates the IIR re-engineered process with a re-engineered electronic workflow allowing for improved information management.

The FBI is also beginning to implement programs for data marts as part of the Intelligence Community System for Information Sharing (ICSIS). The first FBI Secret/Top Secret Intelligence Community data mart is currently being developed and will be online by January 30, 2005.

To facilitate information sharing with state, municipal, and tribal law enforcement and first responders, the FBI continues to expand its use of Law Enforcement Online (LEO). LEO is used to support the sharing of vital information between the National JTTF, the Department of Justice (DOJ), the TSC, and local JTTFs across the country. The National JTTF and each of the JTTFs have established Special Interest Groups on LEO, accessible to all law enforcement personnel, to facilitate the exchange of terrorism information nationally and locally.

We have interfaced LEO with two other law enforcement networks: (1) the National Law Enforcement Telecommunications System (NLETS), an information sharing network that connects state, municipal, and federal law enforcement and justice agencies; and (2) the Regional Information Sharing Systems Network (RISS), that provides law enforcement users in six regional centers with database pointer systems, investigative leads bulletin boards, and encrypted e-mail. These networks are specifically designed to facilitate sharing of intelligence to coordinate efforts against criminal networks that operate in many locations across jurisdictional lines. Interconnectivity among the combined users of LEO, NLETS, and RISS gives us the means to share information about groups posing the greatest threats to the United States with more law enforcement partners, quickly, and with greater ease.

LEO also supports the National Alert System (NAS), which uses push-technology to notify up to 21,000 users/agencies of critical alert information within minutes. Messages pop up on computers - like instant messaging, but in a secure environment - and alert notifications are sent to police chiefs’ cell phones and pagers. The system can deliver the message selectively to specific groups (as dictated by geography or function, such as border states or airport security) or broadcast to all possible recipients. Messages can include text, photos, and maps.

The Criminal Justice Information Services (CJIS) Information Sharing project will use LEO'S sensitive but unclassified (SBU) infrastructure to share information between CJIS Division systems, including the National Crime Information Center (NCIC) and Integrated Automated Fingerprint Identification System (IAFIS), and federal, state, municipal and tribal law enforcement.

In addition, we are well on our way toward implementing the Law Enforcement National Data Exchange (N-DEx). The N-DEx will provide federal, state, municipal and tribal law enforcement with a system to collect, process, and disseminate criminal and investigative data. This national information sharing program will provide the Law Enforcement Community with:

  • Information about methods of criminal operation identified by national contributors;

  • arrestee/indictor information;

  • victim information;

  • suspect information; and

  • other ongoing criminal and investigative information.

N-DEx will provide a national law enforcement "pointer" to more detailed indices, case, and intelligence information. It will provide for automated direct electronic input from local, tribal, state, and federal agencies, as well as interactive responses.

On June 15, 2004, the FBI's Security Division granted interim approval to operate the N-DEx system. A number of law enforcement agencies have signed MOUs with the FBI regarding prototyping, including: (1) Marietta, Georgia, Police Department; (2) Alexandria, Virginia, Police Department; (3) the Uniform Crime Reporting (UCR) State Repository, West Virginia State Police, Huntington, West Virginia; and (4) Cabell County, West Virginia, Sheriff's Office. Upon final FBI Office of the General Counsel approval of the Privacy Impact Statement and the signing of the new piloting memorandum of understanding, the prototyping phase will transition to the piloting phase.

N-DEx is fully integrated with the Global Justice XML initiative for improving interoperability of all criminal justice information systems under one standard. N-DEx is also fully integrated with the DOJ Law Enforcement Information Sharing Program (LEISP) plan.

In short, the FBI's capacity to access, analyze, and share data internally and externally has improved considerably since the OIG began this audit, strengthening our ability to predict and prevent acts of terrorism and otherwise supporting our national security mission. Additional improvements currently underway will further strengthen these capabilities over the next few months.

Issue 2: The FBI has a plan to leverage what has been developed on the VCF project and move forward with a long-term solution

The draft report states that "the FBI is moving away from VCF as the solution of its case management requirements. Instead, the FBI is relying on the future (and uncertain) development of an interagency FICMS for its case management needs." This statement requires clarification.

First, it implies that the VCF project is being abandoned and replaced by the Federal Investigative Case Management System (FICMS). In fact, VCF and FICMS are two separate, but related projects that will move forward simultaneously. The VCF project remains the highest IT priority for the FBI, and we are developing an implementation plan that will result in deployment of a fully functional investigative case and records management system.

We have tasked Aerospace Corporation, a non-for-profit federally funded contractor, to evaluate the SAIC-delivered VCF application. Under a separate option, we tasked Aerospace with evaluating commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) products that may meet the defined FBI's requirements. Aerospace has delivered two reports to the FBI, a Commercial Off the Shelf/Government Off the Shelf (COTS/GOTS) Technology Trade Study and an Independent Verification and Validation of the Trilogy Virtual Case File Report. These reports will serve as vital sources of information for the FBI's future VCF.

Second, the finding represents a fundamental misunderstanding of the FICMS project. To clarify, FICMS does not replace VCF. FICMS serves as the framework that will govern development of DOJ and Department of Homeland Security (DHS) investigative case management systems to ensure the high level of inter-agency compatibility needed to facilitate information sharing. Each agency has unique needs and will implement its own services to manage investigative workflow, manage records, and analyze data. However, these individual systems will follow the broad FICMS blueprint so that data can flow easily and securely between agencies.

The two projects are on parallel tracks that will eventually converge. The FBI is moving forward in the development and deployment of a case management system. The success from the FBI project will be used to develop the FICMS, a broad blueprint for federal investigative case management systems.

The FBI has learned critical lessons in various areas, including: contract management, project management, adequate policies and procedures, modular development and deployment, discretionary access controls for security of data, record management requirements, and the value of prototyping. These lessons learned will be applied to future case management systems and to all future IT projects.

Issue 3: The FBI's Management of IT

The draft report states that contracting weaknesses were a primary cause of schedule and cost problems associated with Trilogy. We agree with the finding that the FBI's oversight of the Trilogy contracts should have been stronger. However, it is important to note that at the start of the Trilogy project, the FBI recognized its limitations and appropriately outsourced elements of the project in accordance with the general framework for handling these contracts that was dictated by DOJ. As the draft report states, DOJ initially required that the FBI perform the project integration function and that Trilogy be divided among two contractors.

The General Services Administration's Federal Technologies Services' Federal Systems Integration and Management (FEDSIM) Center acted as the contracting office on behalf of the FBI for the key Trilogy contracts. Accordingly, FEDSIM was responsible for overseeing competing contracts, awarding and maintaining contracts, tracking contract health, and day-to-day management. Mitretek Systems was the Program Management and Systems Engineering and Technical Advisory Services (SETA) contractor that supported the Trilogy Program. Computer Sciences Corporation (formerly DynCorp) was the contractor responsible for the network and hardware components of the Trilogy Program. SAIC was responsible for delivering the user applications component, including the VCF. SAIC also later assumed the role of Integrator for the Trilogy Program.

With regard to the overall management of IT, we are pleased to report that we have made fundamental changes in the method by which IT is managed in the FBI - changes that will ensure that we move forward in a manner that supports our mission, priorities, and Strategic Plan, and that is consistent with industry best practices and established principles of IT management.

As part of a top-to-bottom reorganization of the FBI's IT resources, the FBI established the Office of the Chief Information Officer (OCIO) to centrally manage all IT responsibilities, activities, policies, and employees across the Bureau. With the FBI's new IT organization, all IT projects now fall under the OCIO. The OCIO is responsible for the FBI's overall IT efforts, including developing the FBI's IT strategic plan and operating budget, developing and maintaining the FBI's technology assets, and providing technical direction for the re-engineering of FBI business processes.

The OCIO is divided into four components: policy and planning, project management, technology development, and operation and maintenance. This structure provides for end-to-end management of IT projects within the FBI and incorporates best practices for governing a large IT organization.

Under the centralized leadership of the OCIO, the FBI is taking a coordinated, strategic approach to IT. OCIO has established an IT governance framework for managing IT projects at each stage of their "lifecycle" from planning and investment, through development and deployment, operation and maintenance, and disposal. The OCIO has also implemented a comprehensive set of safeguards to ensure that future IT programs do not run into problems like those encountered on the VCF project.

In December 2004, the OCIO completed our first release of the Strategic IT Plan (SITP), which maps out how IT will support the FBI's Strategic Plan and mission goals over the next five years. All IT projects are now required to be consistent with the FBI's Strategic Plan.

We established our baseline Enterprise Architecture (EA) in 2004 and are in the process of developing our target EA in September 2005. We have already identified all of the IT systems, applications, networks and databases in the Bureau in an IT Master Systems List. All IT projects in the future will be required to be consistent with the FBI's EA.

We have implemented a Life Cycle Management Directive (LCMD) that fundamentally changes how IT projects are managed in the Bureau. Our LCMD governs how IT projects are managed from "cradle to grave" and is consistent with industry and other government agency best practices. The LCMD guides FBI personnel on the technical management and engineering practices used to plan, acquire, operate, maintain, and replace IT systems and services. All IT projects and programs will be required to undergo rigorous project and executive level "control gate" reviews for each stage, from inception through disposal. There are seven gates, nine phases, and 14 key supporting processes in the LCMD. These reviews are the mechanism for management control and direction, decision-making, coordination, and confirmation of successful performance. The LCMD will help prevent the delays and problems that occurred during the Trilogy project.

We have established five Enterprise IT Governance Review Boards: (1) the Investment Management/Project Review Board; (2) the Technical Review Board; (3) the Change Management Board; (4) the IT Policy Review Board; and (5) the Enterprise Architecture Board. These Boards decide whether to proceed with, revise, or terminate a program or project. An Executive Assistant Director-Level IT Advisory Board now meets quarterly to discuss IT matters with key stakeholders. We have established charters and procedures, and all Boards are operational.

The Investment Management/Project Review Board now reviews and approves new IT investments at specified stages of each IT project's life cycle. We are also in the process of evaluating the FBI's 130+ existing IT projects for overall health and placement within the system development life cycle. This will enable FBI executives to uncover and address cost, schedule, and performance risks.

The FBI has implemented a comprehensive and effective IT Portfolio Management Program. The program focuses on performance assessments of IT investments in the operations and maintenance (O&M) phase of their life cycle. Since the majority of our IT investments currently reside in the O&M phase, these assessments help senior management make more informed decisions about IT investments (personnel and dollars). Portfolio Management recommendations are focused on those investments that should be leveraged, replaced, outsourced, or retired. A pilot portfolio assessment of one Division has been completed to date, and the enterprise portfolio assessment will be completed in the fall of this year, in time to support the FY 2008 budget/investment cycle.

The FBI has established an IT Portfolio Management Automation project that will develop the FBI's Enterprise IT Tool. This is a software package that will identify and track sanctioned IT projects with baselined plans, schedules, scope, and costs. It will also track all FBI IT hardware and software infrastructure procurements at an integrated, enterprise level. The Enterprise IT Tool will electronically track all IT projects throughout the lifecycle and help us to ensure that new IT investments are aligned with mission goals.

We are also taking steps to ensure a high level of performance for our IT projects. The OCIO is in the process of establishing an IT Metrics program that identifies and measures IT performance according to industry standards, government regulations, and earned value management system (EVMS) principles. Currently, we publish a CIO Monthly IT metrics report using the Balanced Scorecard Methodology. Our plan is to establish EVMS for "major" IT projects, which are being reviewed by the Investment Management/Project Review Board at the rate of approximately five projects per month, beginning in January 2005. When a program or project metric varies by more than 10 percent of the acceptable thresholds for cost, schedule and performance, it will trigger closer scrutiny and remedial action by the Investment Management/Project Review Board.

We have launched a joint initiative between the CIO and the Chief Financial Officer of the FBI that will standardize and automate all procurement actions involving all IT acquisitions, as well as focus on increased competition and small business involvement.

To build a stronger IT workforce, including managers, the OCIO has begun to train our Program and Project Managers, as well as executive management personnel, to be certified as Program Management Professionals (PMP). The OCIO currently has two certified government and five contractor PMPs. Approximately 25 managers have taken the PMP review course and plan to take the test. Another 20 are currently enrolled in the training program. This and other leadership training provides best practices and techniques to provide better management of the IT projects and the enterprise IT portfolio.

To coordinate IT policies, the OCIO is in the process of establishing a Master IT Policy List. Once established, any new IT policies or modifications will have to be reviewed and approved by the IT Policy Review Board. The Master IT Policy List will enable the OCIO to monitor all IT projects during the LCMD control gate review processes and enforce all applicable IT policies.

We are also taking steps to standardize technology assessments. The FBI CTO is working closely with the EA team to standardize enterprise technology standards, technical reference models, technical architectures, and technical design reviews under the LCMD and system testing/integration. A unified test and integration facility will allow for centralized technology assessment that provides responsive IT solutions to meet mission needs. These measures mitigate project risks through common, interoperable, supportable, and affordable solutions.

In the area of security, the FBI has implemented an Information Assurance Program, which also contributes to the LCMD. It is implementing key IT capabilities, such as Public Key Infrastructure (PKI) and the Enterprise Security Operations Center (ESOC), which will strengthen IT services in the Bureau and mitigate internal and external threats. Additionally, Security and Information Assurance is being fully integrated into the new LCMD and the EA, throughout the process, instead of being "bolted-on" afterwards. Certification and Accreditation is being required for all IT Projects and Systems.

The VCF Initial Operating Capability (IOC) was fully executed using the FBI's new approach to IT management. Project objectives, requirements, and constraints were clearly identified before proceeding forward to each control gate. A cost-sharing arrangement was established as part of the renegotiated UAC contract. A well developed plan was established and agreed to as part of the contract negotiations. Control gates (i.e., go/no go criteria) were used at major milestones to control the release of funding and to keep the project focused. Adherence to defined management processes was mandated. As a result, the VCF IOC was developed on schedule and within budget and its deployment is currently on schedule.

Development of the FIDS is another example of how the FBI's new approach to IT management is supporting our national security mission. The FIDS was designed to meet exigent intelligence mission needs and was successfully developed using a proven business process and information management framework. It was created by a five-member development team and conformed to the FBI CIO's new Life Cycle Management Process. Its successful six-month development cycle is an example of focused systems development in record time at reasonable cost.

As demonstrated by VCF IOC, PKI, and FIDS, proper planning and contractor oversight will ensure success on future IT projects.

Response to Recommendations

Recommendation 1: Replace the obsolete ACS system as quickly and as cost-effectively as feasible.

The FBI agrees with the recommendation to replace the ACS system as quickly and as cost-effectively as feasible, and doing so remains our top IT priority.

We are continuing to move forward with the VCF project in accordance with a two-track plan initiated in June 2004. Track One, also known as IOC, will pilot the operational use of VCF’s automated workflow process. Several hundred employees in the New Orleans Field Office, Baton Rouge RA, and the Drug Unit within the America's Criminal Enterprise Section at FBIHQ will use the system as their document routing system from mid-January through the end of March 2005. Objectives of the pilot are to: (1) test drive the workflow concept; (2) validate the human machine interface; (3) create an electronic interface to ACS; (4) assess network performance; and (5) develop and deliver an enterprise-geared training curriculum. The IOC is on track to accomplish all these objectives.

As part of Track Two, the FBI contracted with multiple independent vendors to perform the following tasks:

  1. Examine the latest working version of the VCF application to determine if the software, as designed, will meet the FBI's operational, security, and performance requirements. The contractor is also tasked to determine if the VCF application is scalable and can be maintained and enhanced easily.

  2. Examine the current technologies and vendors, as well as available off-the-shelf software applications and those designed for other agencies, to determine the best combination to meet the FBI's needs. In many ways, the pace of technological innovation has overtaken our original vision for VCF, and there are now products to suit our purposes that did not exist when Trilogy began.

  3. We have also asked a different contractor to review and revalidate our users' requirements because the mission of the FBI has evolved and there are new requirements for information and intelligence sharing among different entities.

As mentioned above, we are currently reviewing the Aerospace report, and the other reports are expected by the end of January 2005. These independent reviews will provide the FBI with valuable information to help managers make future decisions related to FBI applications.

Recommendation 2: Reprogram FBI resources to meet the critical need for a functional case management system.

The FBI agrees with this recommendation. As mentioned above, deployment of a new case management system is the FBI's top IT priority. Accordingly, we will devote all necessary resources to support the project, even if this requires reprogramming. In 2004, resources were reprogrammed to support reorganization of the OCIO and related human capital development initiatives. As discussed above, these efforts will help ensure that all IT projects, including the VCF, are well managed in accordance with established best practices for IT management.

Recommendation 3: Freeze the critical design requirements for the case management system before initiating a new contract and ensure that the contractor fully understands the requirements and has the capability to meet them.

The FBI agrees with this recommendation and has already taken steps to address it. This recommendation is consistent with the FBI's new approach to IT management and accordingly, all future IT contracts will follow this approach. At the heart of our new IT management initiatives, including the IT Strategic Plan and the LCMD, is the understanding that we must have a clear picture of what we intend to achieve before making substantial investments. This principle is being applied to VCF Track Two to include the revalidation of our users' requirements.

The implementation of the LCMD and Review Boards will mitigate the project scope and requirements creep. The LCMD requires the requirements to be clearly defined before system development starts. The Review Boards will ensure that the LCMD is enforced.

Similarly, FICMS will move forward with clear System Requirement Specifications and will use a proven contract vehicle to help ensure that they are met.

Recommendation 4: Incorporate development efforts for the VCF into the development of the requirements for any successor case management system.

The FBI agrees with this recommendation and has already taken steps to address it. Lessons learned over the course of the VCF project can and will be incorporated into development of any future case management system.

For example, the VCF project suffered in part from runaway scope. After evaluating the lessons learned from the VCF development, we have adopted a process that will avoid a recurrence. The FBI has created a complete set of requirements for developing future case management applications. To ensure that future IT systems do not expand beyond their functional level, the IT system will be designed, developed, and deployed incrementally against specified and planned parameters.

Recommendation 5: Validate and improve, as necessary, financial systems for tracking project costs to ensure complete and accurate data.

The FBI agrees with this recommendation and has already taken remedial steps. Following the FBI's submission of the LCMD, this recommendation was closed by the OIG on December 17, 2004 in the report entitled "FBI's Management of IT Investments, Audit Report Number 03-09."

Recommendation 6: Develop policies and procedures to ensure that future contracts for IT-related projects include defined requirements, progress milestones, and penalties for deviations from the baselines.

The FBI agrees with this recommendation and has taken appropriate action. Following the FBI's submission of the LCMD, this recommendation was closed by the OIG on December 17, 2004 in the report entitled "FBI's Management of IT Investments, Audit Report Number 03-09."

Recommendation 7: Establish management controls and accountability to ensure that baselines for the remainder of the current user applications contract and any successor Trilogy-related contracts are met.

The FBI agrees with this recommendation and has taken appropriate action. As previously outlined, the FBI has implemented a comprehensive approach to management of IT under which all IT projects are evaluated for overall health, cost, contribution to the FBI mission, and performance at each stage of their lifecycle.

Recommendation 8: Apply ITIM processes to all Trilogy and any successor projects.

The FBI agrees and will apply ITIM processes to future IT projects, including any additional Trilogy-related projects. This recommendation was resolved by the OIG in the report entitled, "FBI's Management of IT Investments, Audit Report Number 03-09." In that report, the OIG concurred with the FBI's Plan of Action and Milestones, and the FBI continues to provide status updates on a quarterly basis in accordance with that report.

In the March 24, 2004, OIG report entitled "FBI's Implementation of IT Recommendations, Audit Report Number 03-36," the OIG agreed that efficiencies can be achieved by both the OIG and the FBI by tracking a duplicate recommendation only under a single audit -- the audit in which the recommendation originated. Accordingly, we recommend that the FBI continue to report on progress in this area under Audit Report Number 03-09.

Recommendation 9: Monitor the Enterprise Architecture being developed to ensure timely completion as scheduled.

The FBI agrees with this recommendation and has already taken steps to address it. As discussed above, the FBI has made considerable progress toward development of an EA.

This recommendation was closed by the OIG on September 12, 2003, in the report entitled, "FBI's Management of IT Investments, Audit Report Number 03-09." It was also resolved in the Government Accountability Office (GAO) report entitled, "Information Technology - FBI Needs an Enterprise Architecture to Guide Its Modernization Activities, GAO-03-959." Also, in September 2004, the GAO initiated a follow-up review of the FBI's Enterprise Architecture Efforts (Job Code 310291) and a report is pending. Accordingly, we recommend that this recommendation be closed to avoid unnecessary duplication of GAO's efforts.


Although deployment of a new case management system for the FBI has been delayed, the overall pace of IT modernization in the FBI continues to accelerate. We have made substantial IT improvements to enhance our ability to access, analyze, and share information. We did so in a manner that has not hampered critical ongoing operations and that ensures the security of our information and the privacy rights of individuals. Today, armed with a solid IT foundation, a new organization and framework for IT management, and with the lessons learned over the course of the Trilogy project, the FBI is moving forward with further IT enhancements to help us perform our mission.

We appreciate the OIG’s guidance throughout this process. We look forward to working with your office in implementing recommendations that remain unaddressed.


Zalmai Azmi
Chief Information Officer
Federal Bureau of Investigation