Sentinel Audit II: Status of the Federal Bureau of Investigation’s Case Management System (Redacted)
Audit Report 07-03
December 2006
Office of the Inspector General
| Rank | Risk Condition | Risk Consequence | Impact Phase | Mitigation Strategy |
|---|---|---|---|---|
| 1 | New model for data access and control (access rules) may impact Sentinel’s schedule and budget. | Regarding APG, parallel development efforts may result in changes to Sentinel functional content or interface requirements and consume significant resources. | 1 | M1. Actively engage parallel development efforts; develop MOUs for content, interfaces and funding strategy; incorporate into Sentinel plans as appropriate. |
| 2 | User requirements may change significantly as a result of the BPR initiative and impact Sentinel’s schedule and budget. | Funding and schedule will not support project completion. | 2 | M1. Place the SRS under configuration control prior to RFP release. |
| 3 | Absent an authoritative source of identity attributes, Sentinel must internally develop identity attributes for Role Based Access Control, and impact to be consistent with FBI Enterprise Service Directory Service requirements is unknown. | Time spent on creating Role Based Access Control may impact schedule. | 2 | M1 Seek FBI definition of authoritative identity attributes and authoritative sources |
| 4 | Development contractor hiring is lagging resource need to complete design work. | Project plans, schedules and scope will require modification; Sentinel vision prolonged/ not achieved. | 2 | PM1. Identify the Government and support contractor resources, (and associated timeline, skills, et al.) in the Sentinel Project Plan. |
| 5 | Lack of attendance or participation by users in training. | Poor or slow user acceptance of Sentinel. | 1 | M1-- Review the prime contractor's approach to market and provide outreach for each Sentinel phase. |
| 6 | Activities related to data cleansing of data from phased out legacy systems may have been underestimated. | 1. Requires GFE Data Staging partition by 11/1/06 (in FBI facility with C&A complete and Oracle 10g with RAC installed). | 1 | Consequence 1. |
| 7 | The evolving Enterprise Architecture can present new design constraints to Sentinel | To preclude non-compliance with Enterprise Standards, incorporation of changes, deviations, and/or corrective actions will impact cost, schedule and scope. | 1 | √M1. Monitor evolving standards; perform impact assessments; present assessments to TRB; file deviation request or incorporate as appropriate |
| 8 | Data migration from phased-out legacy systems may have been underestimated | Some data may be lost or compromised, or ACS may not be able to be replaced | 2 | PM1. Identify all required data elements |
| 9 | Use of PKI requires the user to change their logon routine from a UID/Password approach to using tokens, readers, and pin numbers. The transition to this mode of logon will inevitably antagonize many users, although, once they get used to it they most likely will not find it problematic. | The risk here is fundamentally one of having users fail to accept Sentinel because of, or in association with, their negative reaction to their initial use of PKI-enabled logon | 2 | M3 - Transfer Bureau roll-out and use of PKI enabled infrastructure to Trilogy prior to the Sentinel use so that the issue is addressed for most users independent of Sentinel. |
| 10 | Proposed Controlled Interface solution does not meet the requirements for information sharing with systems classified higher than Collateral Secret (e.g., with Intelligence Community) and with systems at a lower classification level (e.g., state and local law enforcement). | Imprecise requirements could lead to scope creep. | 2 | M1 Investigate Intelligence Community certified products. |
| 11 | LCMS is an interface to Sentinel, but the legacy program continues to modify the application, thereby adding to Sentinel's risk for uncontrolled scope, schedule, and cost. | Parallel development efforts may result in changes to Sentinel's functional or interface requirements that may cause delays or increase cost. | 1 | M1. Actively engage parallel development efforts; develop MOUs for content, interfaces, and funding strategy; incorporate into SENTINEL plans as appropriate |
| 12 | Privacy Impact Assessment (PIA) requirements impact cost and schedule | Cost and schedule could expand to accommodate new requirements | 2 | M1-- Work with OGC to define the hard system requirements and verify against the SRS, include OGC (PIA centric) personnel in our high level design meetings, so they can understand what and how various data elements are being used. |
| 13 | N-Dex is an interface to SENTINEL, but the program continues to modify the application, thereby adding to Sentinel's risk for uncontrolled scope, schedule, and cost. | Parallel development efforts may result in changes to Sentinel's functional or interface requirements that may cause delays or increase cost. | 2 | M1. Actively engage parallel development efforts; develop MOUs for content, interfaces, and funding strategy; incorporate into Sentinel plans as appropriate |
| 14 | Audit Services (ESOC) is an interface to Sentinel, but the legacy program continues to modify the application, thereby adding to Sentinel's risk for uncontrolled scope, schedule, and cost. ESOC plans to use ArcSight, a COTS application LMSI also plans to use in Sentinel. | Parallel development efforts may result in changes to Sentinel's functional or interface requirements that may cause delays or increase cost. | 2 | M1. Actively engage parallel development efforts; develop MOUs for content, interfaces, and funding strategy; incorporate into Sentinel plans as appropriate |
| 15 | DEEP is to be replaced by Sentinel, but the legacy program continues to modify the application, thereby adding to Sentinel's risk for uncontrolled scope, schedule, and cost. | Parallel development efforts may result in changes to Sentinel's functional or interface requirements that may cause delays or increase cost | 3 | M1. Actively engage parallel development efforts; develop MOUs for content, interfaces, and funding strategy; incorporate into Sentinel plans as appropriate |
| 16 | Requirement definitions necessitate inordinate customization of selected COTS/GOTS products (custom code) | Integrated solution will not facilitate expansion of services throughout the enterprise as envisioned | 3 | M1. Ensure min. functionality requirements can be identified |
| 17 | EDMS is an interface to Sentinel, but the legacy program continues to modify the application, thereby adding to Sentinel's risk for uncontrolled scope, schedule, and cost. | Parallel development efforts may result in changes to Sentinel's functional or interface requirements that may cause delays or increase cost. | 4 | M1. Actively engage parallel development efforts; develop MOUs for content, interfaces, and funding strategy; incorporate into Sentinel plans as appropriate |
| 18 | GUARDIAN is to be replaced by Sentinel, but the legacy program continues to modify the application, thereby adding to Sentinel's risk for uncontrolled scope, schedule, and cost. | Parallel development efforts may result in changes to Sentinel's functional or interface requirements that may cause delays or increase cost | 4 | M1. Actively engage parallel development efforts; develop MOUs for content, interfaces, and funding strategy; incorporate into Sentinel plans as appropriate |
| 19 | Policy does not currently exist to support the sharing of Sentinel information with external agencies. | The lack of policy could delay the implementation of information sharing capabilities. | 1 | M1 There is a requirement to have a data model that is compliant with the latest version of the Global Justice XML standard. This should accommodate the appropriate data elements. The program will track with the appropriate FBI divisions and the Global Justice XML standards groups to ensure that as updates occur; this information can be passed back to the appropriate Sentinel committees for action. |
| 20 | Development environment data is lost or corrupted. | Disaster event causes loss of SEI/ | | M1 Develop a well defined Disaster Recovery Plan with contingencies for all types of anticipated disasters. |