Sentinel Audit II: Status of the Federal Bureau of Investigation's Case Management System (Redacted)

Audit Report 07-03
December 2006
Office of the Inspector General


Appendix 5
Risk Register

The register lists, for each risk: Rank, Risk Condition, Risk Consequence, Impact Phase, and Mitigation Strategy. A check mark (√) on a mitigation item is carried over from the source as shown.

Rank: 1
Risk Condition: New model for data access and control (access rules) may impact Sentinel's schedule and budget.
Risk Consequence: Regarding APG, parallel development efforts may result in changes to Sentinel functional content or interface requirements and consume significant resources.
Impact Phase: 1
Mitigation Strategy:
M1. Actively engage parallel development efforts; develop MOUs for content, interfaces and funding strategy; incorporate into Sentinel plans as appropriate.
M2. Identify critical interfaces and the phase in which they may impact Sentinel.
M3. Establish a working group (ICWG) to help establish ICDs with other projects.
M4. Establish MOUs with other projects as applicable.
M5. Identify source of additional funding if required.
M6. Document external systems and interface requirements for inclusion in the solicitation.
M7. Establish a working partnership and collaborate with the legacy systems' owning organization (ITOD).

Rank: 2
Risk Condition: User requirements may change significantly as a result of the BPR initiative and impact Sentinel's schedule and budget.
Risk Consequence: Funding and schedule will not support project completion.
Impact Phase: 2
Mitigation Strategy:
M1. Place the SRS under configuration control prior to RFP release.
M2. Maintain strict requirements and configuration controls throughout the project.
M3. Ensure the user advocacy group is the focal point for all user changes/needs.
M4. Ensure contractors are aware of and adhere to the change process, including communication with the user community.
M5. Ensure core FBI capabilities are addressed early in system development.
M6. Ensure continuous feedback with the user community.
M7. Concurrence on SRS contents to be achieved by each division.

Rank: 3
Risk Condition: Absent an authoritative source of identity attributes, Sentinel must internally develop identity attributes for Role Based Access Control, and the impact of remaining consistent with FBI Enterprise Service Directory Service requirements is unknown.
Risk Consequence: Time spent on creating Role Based Access Control may impact schedule.
Impact Phase: 2
Mitigation Strategy:
M1. Seek FBI definition of authoritative identity attributes and authoritative sources.
M2. Establish identity attribute standards for Sentinel and FBI use.
M3. Seek FBI clarification of the target directory architecture to support centralized management of authoritative identity attributes.

Rank: 4
Risk Condition: Development contractor hiring is lagging behind the resource need to complete design work.
Risk Consequence: Project plans, schedules and scope will require modification; Sentinel vision prolonged/not achieved.
Impact Phase: 2
Mitigation Strategy:
PM1. Identify the Government and support contractor resources (and associated timeline, skills, etc.) in the Sentinel Project Plan.
PM2. Assess the realism of contractor staffing during Source Selection.
PM3. Define security clearance requirements consistent with the access required by development contractor personnel, likely reducing the number of TS security clearances required.
M4. Require staffing plan submission, with clearance status, in project review reporting.
M5. Ensure active government involvement in VAR resolution.
M6. LM has opened up hiring to all corporate divisions and Sentinel subcontractors, and Corporate HR is assisting with surge support.

Rank: 5
Risk Condition: Lack of attendance or participation by users in training.
Risk Consequence: Poor or slow user acceptance of Sentinel.
Impact Phase: 1
Mitigation Strategy:
M1. Review the prime contractor's approach to market and provide outreach for each Sentinel phase.
M2. Validate training approach with a pilot user group, to be followed by Bureau executive endorsement.
M3. Identify a method to achieve or require a sufficient level of training participation.

Rank: 6
Risk Condition: Activities related to data cleansing of data from phased-out legacy systems may have been underestimated.
Risk Consequence:
1. Requires GFE Data Staging partition by 11/1/06 (in FBI facility with C&A complete and Oracle 10g with RAC installed).
2a. Cleansed data will not be placed back into ACS, which can result in a long-term data synchronization problem.
2b. Placing cleansed data back into the legacy database may impact those continuing to use legacy applications.
3. Need to maintain security control of data in the staging area (data will not be protected by ACS or Sentinel access controls).
4. Data cleansing is a Phase 2 risk mitigation activity and should not delay Phase 1 critical path activities.
Impact Phase: 1
Mitigation Strategy:
Consequence 1.
M1. Use new staging or SIT hardware to perform data cleansing. Delay data cleansing until receipt of hardware.
Consequence 2a.
M1. Data Migration alternative trade studies (IMS UID 2070 & 3955).
Consequence 2b.
M1. Data Migration alternative trade studies (IMS UID 2070 & 3955).
Consequence 3.
M1. Cleansing to be done only in an FBI facility.
M2. Access limited to a select group read into the "process". FBI only?
Consequence 4.
M1. Remove IMS dependencies between Data Cleansing and DCR/PDR/CDR.

Rank: 7
Risk Condition: The evolving Enterprise Architecture can present new design constraints to Sentinel.
Risk Consequence: To preclude non-compliance with Enterprise Standards, incorporation of changes, deviations, and/or corrective actions will impact cost, schedule and scope.
Impact Phase: 1
Mitigation Strategy:
√M1. Monitor evolving standards; perform impact assessments; present assessments to TRB; file deviation request or incorporate as appropriate.
√M2. Participate in TRB and EAB and evaluation of technical inputs. EC submitted.
√M3. Develop method to influence EA, standards list, and monitor enterprise mandates (system architect Mike Reed).
√M4. Establish ICWG.
√M5. Ensure EA changes are forwarded to Sentinel for review and impact, with RFC developed if appropriate.
√M6. System Architect hired and has direct liaison with the Enterprise Architect chief.

Rank: 8
Risk Condition: Data migration from phased-out legacy systems may have been underestimated.
Risk Consequence: Some data may be lost or compromised, or ACS may not be able to be replaced.
Impact Phase: 2
Mitigation Strategy:
PM1. Identify all required data elements.
PM2. Develop mapping of ACS elements to Sentinel data requirements.
M3. Develop migration plan to support data conversion to the new environment.
M4. Develop test plan to validate migration strategy.
√M5. Ensure management funds are adequate to provide analysis if required.
M6. Work with ITOD to determine scope of effort.
M7. Review results of previous data cleansing efforts for issues; provide lessons learned to LM.
M8. Ensure system design provides for migration.
M9. Integration of data, design and migration IPTs.

Rank: 9
Risk Condition: Use of PKI requires users to change their logon routine from a UID/password approach to using tokens, readers, and PINs. The transition to this mode of logon will inevitably antagonize many users, although once they get used to it they most likely will not find it problematic.
Risk Consequence: The risk here is fundamentally one of having users fail to accept Sentinel because of, or in association with, their negative reaction to their initial use of PKI-enabled logon.
Impact Phase: 2
Mitigation Strategy:
M3. Transfer Bureau roll-out and use of the PKI-enabled infrastructure to Trilogy prior to Sentinel use, so that the issue is addressed for most users independent of Sentinel.
M4. A decision will have to be made as to whether to use non-PKI-enabled authentication for Phase 1. (Contractor must implement some form of authentication for "non-general" users.)
M5. Add PKI to the communications strategy (get the word out in training and all communications, etc.).

Rank: 10
Risk Condition: Proposed Controlled Interface solution does not meet the requirements for information sharing with systems classified higher than Collateral Secret (e.g., with the Intelligence Community) and with systems at a lower classification level (e.g., state and local law enforcement).
Risk Consequence: Imprecise requirements could lead to scope creep.
Impact Phase: 2
Mitigation Strategy:
M1. Investigate Intelligence Community certified products.
M2. Evaluate cross domain design and present a design at Program Design Review (PDR) that most effectively meets required functionality and cross domain security requirements.
M3. Evaluate product and design recommendations and adjudicate via the Engineering Review Board (ERB) and the Sentinel Configuration and Change Management Board (SCCMB).

Rank: 11
Risk Condition: LCMS is an interface to Sentinel, but the legacy program continues to modify the application, thereby adding to Sentinel's risk for uncontrolled scope, schedule, and cost.
Risk Consequence: Parallel development efforts may result in changes to Sentinel's functional or interface requirements that may cause delays or increase cost.
Impact Phase: 1
Mitigation Strategy:
M1. Actively engage parallel development efforts; develop MOUs for content, interfaces, and funding strategy; incorporate into Sentinel plans as appropriate.
√M2. Identify critical interfaces and the phase in which they may impact Sentinel.
√M3. Establish a working group (ICWG) to help establish ICDs with other projects.
M4. Establish MOUs with other projects as applicable.
M5. Identify source of additional funding if required.
PM6. Document external systems and interface requirements for inclusion in the solicitation.
PM7. Establish a working partnership and collaborate with the legacy systems' owning organization (ITOD).

Rank: 12
Risk Condition: Privacy Impact Assessment (PIA) requirements impact cost and schedule.
Risk Consequence: Cost and schedule could expand to accommodate new requirements.
Impact Phase: 2
Mitigation Strategy:
M1. Work with OGC to define the hard system requirements and verify them against the SRS; include OGC (PIA-centric) personnel in high-level design meetings so they can understand what data elements are being used and how.
M2. Work with OGC and DNI to accommodate "interim, best guess" requirements; comply with the RFC process as requirements firm up.
M3. Document DNI/OGC guidance through use of ECs.

Rank: 13
Risk Condition: N-DEx is an interface to Sentinel, but the program continues to modify the application, thereby adding to Sentinel's risk for uncontrolled scope, schedule, and cost.
Risk Consequence: Parallel development efforts may result in changes to Sentinel's functional or interface requirements that may cause delays or increase cost.
Impact Phase: 2
Mitigation Strategy:
M1. Actively engage parallel development efforts; develop MOUs for content, interfaces, and funding strategy; incorporate into Sentinel plans as appropriate.
√M2. Identify critical interfaces and the phase in which they may impact Sentinel.
√M3. Establish a working group (ICWG) to help establish ICDs with other projects.
M4. Establish MOUs with other projects as applicable.
M5. Identify source of additional funding if required.
PM6. Document external systems and interface requirements for inclusion in the solicitation.
PM7. Establish a working partnership and collaborate with the legacy systems' owning organization (ITOD).
M8. RFP to extend the program has been published.

Rank: 14
Risk Condition: Audit Services (ESOC) is an interface to Sentinel, but the legacy program continues to modify the application, thereby adding to Sentinel's risk for uncontrolled scope, schedule, and cost. ESOC plans to use ArcSight, a COTS application LMSI also plans to use in Sentinel.
Risk Consequence: Parallel development efforts may result in changes to Sentinel's functional or interface requirements that may cause delays or increase cost. The ArcSight client may impact Sentinel network connectivity, bandwidth and loads from passing data.
Impact Phase: 2
Mitigation Strategy:
M1. Actively engage parallel development efforts; develop MOUs for content, interfaces, and funding strategy; incorporate into Sentinel plans as appropriate.
√M2. Identify critical interfaces and the phase in which they may impact Sentinel.
√M3. Establish a working group (ICWG) to help establish ICDs with other projects.
M4. Establish MOUs with other projects as applicable.
M5. Identify source of additional funding if required.
PM6. Document external systems and interface requirements for inclusion in the solicitation.
PM7. Establish a working partnership (an IPT) and collaborate with the legacy systems' owning organization (ITOD).

Rank: 15
Risk Condition: DEEP is to be replaced by Sentinel, but the legacy program continues to modify the application, thereby adding to Sentinel's risk for uncontrolled scope, schedule, and cost.
Risk Consequence: Parallel development efforts may result in changes to Sentinel's functional or interface requirements that may cause delays or increase cost.
Impact Phase: 3
Mitigation Strategy:
M1. Actively engage parallel development efforts; develop MOUs for content, interfaces, and funding strategy; incorporate into Sentinel plans as appropriate.
√M2. Identify critical interfaces and the phase in which they may impact Sentinel.
√M3. Establish a working group (ICWG) to help establish ICDs with other projects.
M4. Establish MOUs with other projects as applicable.
M5. Identify source of additional funding if required.
PM6. Document external systems and interface requirements for inclusion in the solicitation.
PM7. Establish a working partnership and collaborate with the legacy systems' owning organization (ITOD).

Rank: 16
Risk Condition: Requirement definitions necessitate inordinate customization of selected COTS/GOTS products (custom code).
Risk Consequence: Integrated solution will not facilitate expansion of services throughout the enterprise as envisioned.
Impact Phase: 3
Mitigation Strategy:
M1. Ensure minimum functionality requirements can be identified.
M2. Conduct analysis of minimum requirements vs. proposed technical solution.
M3. Ensure at each phase and design review that the solution is extensible to the enterprise.
M4. Tag milestones by phase to the program schedule for monitoring.

Rank: 17
Risk Condition: EDMS is an interface to Sentinel, but the legacy program continues to modify the application, thereby adding to Sentinel's risk for uncontrolled scope, schedule, and cost.
Risk Consequence: Parallel development efforts may result in changes to Sentinel's functional or interface requirements that may cause delays or increase cost.
Impact Phase: 4
Mitigation Strategy:
M1. Actively engage parallel development efforts; develop MOUs for content, interfaces, and funding strategy; incorporate into Sentinel plans as appropriate.
√M2. Identify critical interfaces and the phase in which they may impact Sentinel.
√M3. Establish a working group (ICWG) to help establish ICDs with other projects.
M4. Establish MOUs with other projects as applicable.
M5. Identify source of additional funding if required.
PM6. Document external systems and interface requirements for inclusion in the solicitation.
PM7. Establish a working partnership and collaborate with the legacy systems' owning organization (ITOD).

Rank: 18
Risk Condition: GUARDIAN is to be replaced by Sentinel, but the legacy program continues to modify the application, thereby adding to Sentinel's risk for uncontrolled scope, schedule, and cost.
Risk Consequence: Parallel development efforts may result in changes to Sentinel's functional or interface requirements that may cause delays or increase cost.
Impact Phase: 4
Mitigation Strategy:
M1. Actively engage parallel development efforts; develop MOUs for content, interfaces, and funding strategy; incorporate into Sentinel plans as appropriate.
√M2. Identify critical interfaces and the phase in which they may impact Sentinel.
√M3. Establish a working group (ICWG) to help establish ICDs with other projects.
M4. Establish MOUs with other projects as applicable.
M5. Identify source of additional funding if required.
PM6. Document external systems and interface requirements for inclusion in the solicitation.
PM7. Establish a working partnership and collaborate with the legacy systems' owning organization (ITOD).

Rank: 19
Risk Condition: Policy does not currently exist to support the sharing of Sentinel information with external agencies.
Risk Consequence: The lack of policy could delay the implementation of information sharing capabilities.
Impact Phase: 1
Mitigation Strategy:
M1. There is a requirement to have a data model that is compliant with the latest version of the Global Justice XML standard. This should accommodate the appropriate data elements. The program will track with the appropriate FBI divisions and the Global Justice XML standards groups so that, as updates occur, this information can be passed back to the appropriate Sentinel committees for action.

Rank: 20
Risk Condition: Development environment data is lost or corrupted.
Risk Consequence: Disaster event causes loss of SEI/development data, resulting in key milestone/schedule slippages.
Impact Phase:
Mitigation Strategy:
M1. Develop a well-defined Disaster Recovery Plan with contingencies for all types of anticipated disasters.
