Sentinel Audit III: Status of the Federal Bureau of Investigation’s
Case Management System (Redacted - Public Version)
Audit Report 07-40
Office of the Inspector General
Below is a listing of relevant reports discussing the FBI’s information technology (IT) systems. These include reports issued by the Department of Justice Office of the Inspector General (OIG), the Government Accountability Office (GAO), and by other external entities as well as FBI internal reports.
Prior OIG Reports on FBI Case Management Efforts
In December 2006, the OIG issued a report entitled, Sentinel Audit II: Status of the Federal Bureau of Investigation’s Case Management System. The report stated that the FBI made progress addressing concerns previously reported. The OIG recommended that the FBI take the following steps:
ensure that the management reserve is based on an assessment of project risk for each phase and for the project overall,
periodically update the estimate of total project costs as actual cost data is available,
complete contingency plans as required by the Sentinel Risk Management Plan,
ensure that the independent verification and validation process is conducted through project completion, and
complete hiring as soon as possible for the vacant Project Management Office (PMO) positions needed during the current project phase.
In March 2006, the OIG issued a report entitled The Federal Bureau of Investigation’s Pre-Acquisition Planning for and Controls Over the Sentinel Case Management System. The report found that the FBI had taken important steps to address its past mistakes in planning for the development of Sentinel. The report identified the following areas of concern:
the incomplete staffing of the PMO,
the FBI’s ability to reprogram funds to complete the second phase of the project without jeopardizing its mission-critical operations,
Sentinel’s ability to share information with external intelligence and law enforcement agencies and provide a common framework for other agencies’ case management systems,
the lack of an established Earned Value Management (EVM) process,
the FBI’s ability to track and control Sentinel’s costs, and
The OIG concluded that these areas of concern required action and continued monitoring by the FBI, the OIG, and other interested parties.
In February 2005, the OIG issued a report entitled, The Federal Bureau of Investigation’s Management of the Trilogy Information Technology Modernization Project, which encompassed Sentinel’s predecessor, the Virtual Case File (VCF). The OIG recommended the FBI take the following steps:
Replace the obsolete ACS system as quickly and as cost effectively as feasible.
Reprogram FBI resources to meet the critical need for a functional case management system.
Freeze the critical design requirements for the case management system before initiating a new contract and ensure that the contractor fully understands the requirements and has the capability to meet them.
Incorporate development efforts for the VCF into the development of the requirements for any successor case management system.
Validate and improve as necessary financial systems for tracking project costs to ensure complete and accurate data.
Develop policies and procedures to ensure that future contracts for IT-related projects include defined requirements, progress milestones, and penalties for deviations from the baselines.
Establish management controls and accountability to ensure that baselines for the remainder of the current user applications contract and any successor Trilogy-related contracts are met.
Apply ITIM processes to all Trilogy-related and any successor projects.
Monitor the Enterprise Architecture being developed to ensure timely completion as scheduled.
The report concluded that the difficulties experienced in completing the Trilogy project were partially attributable to: (1) design modifications the FBI made as a result of refocusing its mission from traditional criminal investigations to preventing terrorism, (2) poor management decisions early in the project, (3) inadequate project oversight, (4) a lack of sound IT investment practices, and (5) not applying lessons learned over the course of the project.
External Reports on FBI Case Management Efforts
In July 2007, the GAO issued a report on the extent to which the FBI had established best practices for acquiring Sentinel and estimating the project’s schedule and costs.[61] The GAO concluded that the FBI was managing Sentinel in accordance with several key best practices for acquiring IT systems, including practices for evaluating offers and awarding contracts. However, the GAO also concluded that the FBI had not established performance and product quality standards for the program management contractors who support the FBI in overseeing Sentinel. In addition, the GAO reported that the FBI’s policies, procedures, and supporting tools that formed the basis of Sentinel’s schedule and cost estimates did not incorporate several key best practices. As a result, the GAO questioned the reliability of the schedule and cost estimates, noting that the estimates did not include all relevant costs and used inadequately documented methodologies.
In April 2007, the GAO issued a report entitled, INFORMATION SECURITY: FBI Needs to Address Weaknesses in Critical Network, identifying ineffective controls in protecting the confidentiality, integrity, and availability of information and information resources. The GAO found that the FBI did not consistently (1) configure network devices and services to prevent unauthorized insider access and ensure system integrity; (2) identify and authenticate users to prevent unauthorized access; (3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; (4) apply strong encryption techniques to protect sensitive data on its networks; (5) log, audit, or monitor security-related events; (6) protect the physical security of its network; and (7) patch key servers and workstations in a timely manner. Taken collectively, these weaknesses place sensitive information transmitted on the FBI’s network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the FBI’s vulnerability to insider threats.
In October 2006, the GAO issued a report entitled, INFORMATION TECHNOLOGY: FBI Has Largely Staffed Key Modernization Program, but Strategic Approach to Managing Program’s Human Capital Is Needed. This report credited the FBI for filling almost all positions in its staffing plan. However, the report also noted a few key vacancies, and that the staffing plan was not derived using a documented data-driven methodology and did not provide for inventorying the knowledge and skills of existing staff, forecasting future knowledge and skill needs, analyzing gaps in capabilities between the existing staff and future workforce needs, and formulating strategies for filling expected gaps.
In February 2006, the GAO issued a report entitled Weak Controls over Trilogy Project Led to Payment of Questionable Contractor Costs and Missing Assets that was critical of the FBI’s controls over costs and assets of its Trilogy project. The GAO found that the FBI’s review and approval process for Trilogy contractor invoices did not provide an adequate basis for verifying that goods and services billed were actually received and that the amounts billed were appropriate, leaving the FBI highly vulnerable to payments of unallowable costs. These costs included first-class travel and other excessive airfare costs, incorrect charges for overtime hours, and charges for which the contractors could not document costs incurred. The GAO found unsupported and questionable costs in the amount of $10 million. The GAO also found that the FBI failed to establish controls to maintain accountability over equipment purchased for the Trilogy project. According to the GAO, poor property management led to 1,205 missing pieces of equipment valued at $7.6 million.
In April 2005, the House Surveys and Investigations staff issued A Report to the Committee on Appropriations, U.S. House of Representatives, which concluded that:
VCF development suffered from a lack of program management expertise, disciplined systems engineering practices, and contract management. The project also was affected by a high turnover of Chief Information Officers (CIO) and program managers.
VCF development was negatively impacted by the FBI’s lack of an empowered and centralized Office of Chief Information Officer and sound business processes by which IT projects are managed.
The FBI’s decision to terminate VCF was related to deficiencies in the VCF product delivered, failure of a pilot project to meet user needs, and the new direction the FBI planned to take for its case management system.
The FBI’s IT program management business structure and processes were, for the most part, in place, although some of these processes needed to mature.
In September 2004, the GAO issued a report entitled, Information Technology: Foundational Steps Being Taken to Make Needed FBI Systems Modernization Management Improvements. This report stated that although improvements were under way and more were planned, the FBI did not have an integrated plan for modernizing its IT systems. Each of the FBI’s divisions and other organizational units that manage IT projects performs integrated planning for its respective IT projects. However, the plans did not provide a common, authoritative, and integrated view of how IT investments will help optimize mission performance, and they did not consistently contain the elements expected to be found in effective systems modernization plans. The GAO recommended that the FBI limit its near-term investments in IT systems until the FBI developed an integrated systems and modernization plan and effective policies and procedures for systems acquisition and investment management. Additionally, the GAO recommended that the FBI’s CIO be provided with the responsibility and authority to effectively manage IT FBI-wide.
The National Research Council issued a report in May 2004 entitled A Review of the FBI’s Trilogy Information Technology Modernization Program. The report found that the program was not on a path to success, and identified the following needs:
valid contingency plans for transitioning from the old case management system to the new one,
completed Enterprise Architecture,
adequate time for testing the new system prior to deployment,
improved contract management processes, and
expanded IT human resources base.
The report concluded that the FBI had made significant progress in some areas of its IT modernization efforts, such as the modernization of the computing hardware and baseline software and the deployment of its networking infrastructure. However, because the FBI’s IT infrastructure was inadequate in the past, there was still an enormous gap between the FBI’s IT capabilities and the capabilities that were urgently needed.
The report was updated in June 2004 as a result of what the Council deemed clear evidence of progress being made by the FBI to move ahead in its IT modernization program. This included the appointment of a permanent CIO and the formation of a staffed program office for improved IT contract management. The progress being made by the FBI appeared to the Council to have been more rapid than expected, although many challenges remained. The Council also emphasized that the FBI’s missions constitute increasingly information-intensive challenges, and the ability to integrate and exploit rapid advances in IT capabilities will only become more critical with time. The update concluded that even with perfect program management and execution, substantial IT expenses on an ongoing basis are inevitable and must be anticipated in the budget process if the FBI is to maximize the operational leverage that IT offers.
FBI Internal Reports on Case Management
The FBI hired the Aerospace Corporation to perform an assessment of commercial-off-the-shelf (COTS) and government-off-the-shelf systems that could be used in developing a case management system and also an Independent Verification and Validation of Trilogy’s VCF. In December 2004, the contractor issued the study, which recommended that the FBI look to systems that have an emphasis on data sharing. The contractor further recommended that an acquisition strategy be developed that includes an incremental deployment of core capabilities and the incremental addition of such components as intelligent search and reporting and specific analytic capabilities.
The contractor released the Independent Verification and Validation of the Trilogy Virtual Case File, Delivery 1: Final Report in January 2005. The report recommended discarding the VCF and starting over with a COTS-based solution. The contractor concluded that a lack of effective engineering discipline had led to inadequate specification, design, and development of VCF. Further, the contractor could find no assurance that the architecture, concept of operations and requirements were correct or complete, and no assurance that they could be made so without substantial rework. In sum, the contractor reported that VCF was a system whose true capability was unknown, and whose capability may remain unknown without substantial time and resources applied to remediation.
Other OIG Reports on the FBI’s IT
OIG reports issued over the past 17 years have highlighted issues concerning the FBI’s utilization of IT, including its investigative systems. For example, in 1990 the OIG issued a report entitled The FBI’s Automatic Data Processing General Controls. This report described 11 internal control weaknesses and found that:
The FBI’s phased implementation of its 10-year Long Range Automation Strategy, scheduled for completion in 1990, was severely behind schedule and may not be accomplished.
The FBI’s Information Resources Management program was fragmented and ineffective, and the FBI’s Information Resources Management official did not have effective organization-wide authority.
The FBI had not developed and implemented a data architecture.
The FBI’s major mainframe investigative systems were labor intensive, complex, untimely, and non-user friendly and few agents used these systems.
The OIG’s July 1999 special report, The Handling of FBI Intelligence Information Related to the Justice Department’s Campaign Finance Investigation, reported that FBI personnel were not well-versed in the ACS system and other databases.
A March 2002 OIG report, entitled An Investigation of the Belated Production of Documents in the Oklahoma City Bombing Case, analyzed the causes for the FBI’s late delivery of many documents in the Oklahoma City bombing case. This report concluded that the ACS system was extraordinarily difficult to use, had significant deficiencies, and was not the vehicle for moving the FBI into the 21st century. The report noted that inefficiencies and complexities in the ACS, combined with the lack of a true information management system, were contributing factors in the FBI’s failure to provide hundreds of investigative documents to the defendants in the Oklahoma City bombing case.
In May 2002, the OIG issued a report on the FBI’s administrative and investigative mainframe systems entitled the Independent Evaluation Pursuant to the Government Information Security Reform Act, Fiscal Year 2002. The report identified continued vulnerabilities with management, operational, and technical controls within the FBI. The report stated that these vulnerabilities occurred because the Department and FBI security management had not enforced compliance with existing security policies, developed a complete set of policies to effectively secure the administrative and investigative mainframes, or held FBI personnel responsible for timely correction of recurring findings. Further, the report stated that FBI management had been slow to correct identified weaknesses and implement corrective action and, as a result, many of these deficiencies repeated year after year in subsequent audits.
In December 2002, the OIG issued a report on The FBI’s Management of Information Technology Investments, which included a case study of the Trilogy project. The report made 30 recommendations, 8 of which addressed the Trilogy project. The report’s focus was on the need to adopt sound investment management practices as recommended by the GAO. The report also stated that the FBI did not fully implement the management processes associated with successful IT investments. Specifically, the FBI had failed to implement the following critical processes:
defining and developing IT investment boards,
following a disciplined process of tracking and overseeing each project’s cost and schedule milestones over time,
identifying existing IT systems and projects,
identifying the business needs for each IT project, and
using defined processes to select new IT project proposals.
The audit found that the lack of critical IT investment management processes for Trilogy contributed to missed milestones and led to uncertainties about cost, schedule, and technical goals.
[61] U.S. Government Accountability Office, Information Technology: FBI Following a Number of Key Acquisition Practices on New Case Management System but Improvements Still Needed, July 2007.