The Federal Bureau of Investigation's Implementation of the
Laboratory Information Management System

Audit Report 06-33
June 2006
Office of the Inspector General

Below is a listing of relevant reports concerning the FBI’s information technology (IT) systems. These include reports issued by the Department of Justice Office of the Inspector General (OIG) and the Government Accountability Office (GAO). OIG Reports on the FBI’s IT OIG reports issued over the past 15 years have highlighted issues concerning the FBI’s utilization of IT, including its investigative systems. In 1990, the OIG issued The FBI’s Automatic Data Processing General Controls, which found that: The FBI’s phased implementation of its 10-year Long Range Automation Strategy, scheduled for completion in 1990, was severely behind schedule and may not be accomplished; The FBI’s Information Resources Management program was fragmented and ineffective, and the FBI’s Information Resources Management official did not have effective organization-wide authority; The FBI had not developed and implemented a data architecture; and The FBI’s major mainframe investigative systems were labor intensive, complex, untimely, and non-user friendly, and few agents used them. In December 2002, the OIG issued The FBI’s Management of Information Technology Investment. The report made 30 recommendations and focused on the need to adopt sound investment management practices as recommended by the GAO. The report also stated that the FBI did not fully implement the management processes associated with successful IT investments. Specifically, the FBI had failed to implement the following critical processes: defining and developing IT investment boards, following a disciplined process of tracking and overseeing each project’s cost and schedule milestones over time, identifying existing IT systems and projects, identifying the business needs for each IT project, and using defined processes to select new IT project proposals. In September 2003, the OIG issued The Federal Bureau of Investigation’s Implementation of Information Technology Recommendation, which outlined the FBI’s continued need to address the recommendations made by oversight organizations concerning its IT strategies. The report stated that although OIG audits found repeated deficiencies in the FBI’s IT control environment and lack of compliance with information security requirements, the FBI leadership appeared to be committed to enhancing controls to ensure that recommendations were implemented in a consistent and timely manner. Additionally, the report noted that the FBI established a system to facilitate the tracking and implementation of OIG recommendations. In May 2004, the OIG issued The FBI DNA Laboratory: A Review of Protocol and Practice Vulnerabilities. In this report the OIG findings focused on two general types of vulnerabilities that became apparent during the review: (1) protocol vulnerabilities and practice, and (2) operational vulnerabilities. As a result of the vulnerabilities, one of the 35 OIG recommendations was that the FBI Laboratory Division implement an information management system. The OIG noted that laboratory management had begun to lay the groundwork for the implementation of a system in 2002. Given the benefits that such a system would bring to evidence tracking and chain-of-custody documentation, the OIG recommended the successful implementation of an information management system as one of the laboratory’s top administrative priorities. In February 2006, the OIG issued The FBI’s Pre-Acquisition Planning for and Controls over the Sentinel Case Management System. Sentinel is part of the FBI’s IT modernization project to replace the FBI’s antiquated case management system. The report noted the FBI has taken steps to address its past mistakes in IT investments and to adequately plan for the development of Sentinel. External Reports on the FBI’s IT The GAO has issued several reports and related testimony that highlight deficiencies with the FBI’s IT environment. In a review of the Department’s Campaign Finance Task Force, the GAO reported in May 2000 that the FBI lacked an adequate information system that could manage and interrelate the evidence that had been gathered in relation to the Task Force’s investigations. Also, as part of a government-wide assessment of federal agencies, the GAO reported in February 2002 that the FBI needed to fully establish the management foundation that was necessary to successfully develop, implement, and maintain an Enterprise Architecture. In September 2003, the GAO issued Information Technology: FBI Needs an Enterprise Architecture to Guide Its Modernization Activities. This report reiterated the GAO’s finding made in the May 2002 report on the Department’s Campaign Finance Task Force that the FBI did not have an Enterprise Architecture, although it had begun efforts to develop one. Additionally, the GAO found that the FBI still did not have the processes in place to effectively develop, maintain, and implement an Enterprise Architecture. In September 2004, the GAO issued Information Technology: Foundational Steps Being Taken to Make Needed FBI Systems Modernization Management Improvements. This report stated that although improvements were underway and more were planned, the FBI did not have an integrated plan for modernizing its IT systems. Each of the FBI’s divisions and other organizational units that manage IT projects performed integrated planning for its respective IT projects. However, the plans did not provide a common, authoritative, and integrated view of how IT investments could help optimize mission performance, and they did not consistently contain the elements expected to be found in effective systems modernization plans. The GAO recommended that the FBI limit its near-term investments in IT systems until it developed an integrated systems and modernization plan and effective policies and procedures for systems acquisition and investment management. Additionally, the GAO recommended that the FBI’s Chief Information Officer (CIO) be provided with the responsibility and authority to effectively manage information technology FBI-wide. In September 2005, the GAO issued Information Technology: FBI Is Taking Steps to Develop an Enterprise Architecture, but Much Remains to be Accomplished. This report stated that the FBI managed its Enterprise Architecture program in accordance with many best practices, but other such practices had yet to be adopted. These best practices, which are described in GAO’s Enterprise Architecture management maturity framework, are those necessary for an organization to have an effective architecture program. In addition, the FBI relied heavily on contractor support to develop its Enterprise Architecture. However, it did not employ effective contract management controls in doing so. In September 2005, the GAO issued testimony entitled, Information Technology: FBI is Building Management Capabilities Essential to Successful System Deployments, but Challenges Remain. This testimony stated that the FBI had made important progress in establishing IT management controls and capabilities that GAO’s research and experience show are key to exploiting technology to enable transformation. These included centralizing IT responsibility and authority under the CIO and establishing and beginning to implement management capabilities in the areas of enterprise architecture, IT investment management, systems development and acquisition life cycle management, and IT human capital. In addition: The FBI had developed an initial version of its enterprise architecture and is managing its architecture activities in accordance with many key practices, but it had yet to adopt others (such as ensuring that the program office has staff with appropriate architecture expertise). The FBI was in the process of defining and implementing investment management policies and procedures. For example, it was performing assessments of existing systems to determine if any could be better used, replaced, outsourced, or retired, but these assessments had yet to be completed. The FBI had issued an agency-wide standard life cycle management directive, but it had yet to fully implement this directive on all projects. Also, certain key practices, such as acquisition management, required further development. The FBI had taken various steps to bolster its IT workforce, but it had yet to create an integrated plan based on a comprehensive analysis of existing and needed knowledge, skills, and abilities. According to the CIO, the FBI intended to hire a contractor develop an implementation plan. The CIO also intended to establish a management structure to carry out the plan. The challenge for the FBI is to build on these foundational capabilities and implement them effectively on the program and project investments it has underway and planned.