The Status of Enterprise Architecture and Information Technology
Investment Management in the Department of Justice
Audit Report 06-02
Office of the Inspector General
We identified eight IT-related reports issued since May 2000 by the GAO and the OIG that are relevant to this audit. In May 2000, the GAO reported that although almost all federal agencies had created some type of ITIM process, none had yet implemented stable processes addressing all three phases of the select-control-evaluate approach.16 According to the GAO, one barrier to implementing reliable ITIM has been the lack of specific guidance on the required processes.
In February 2002, the GAO reported that the federal government as a whole had not reached a mature state of Enterprise Architecture management.17 In particular, about 52 percent of federal agencies reported having at least the management foundation that is needed to begin successfully developing, implementing, and maintaining an Enterprise Architecture, but about 48 percent of agencies had not yet advanced to this basic stage of maturity. In November 2003, the GAO updated its 2002 report and concluded that little progress had occurred in agencies' Enterprise Architecture management.18
In April 2002, pursuant to the FY 2001 Government Information Security Reform Act, the OIG issued a report on JMD's Rockville and Dallas Data Centers IT system. The report identified vulnerabilities with management, operational, and technical controls. The report noted significant vulnerabilities in the following areas:
The report stated that these vulnerabilities occurred because JMD lacked sufficient guidance, adequate security policies, and effective enforcement of policies.
In December 2002, the OIG issued a report on the FBI's Management of IT Investments. The OIG reported that the FBI did not have a fully developed enterprise architecture. Also, the FBI was not effectively selecting, controlling, and evaluating its IT investments because it had not fully implemented any of the critical processes necessary for successful ITIM.
In May 2003, also pursuant to the FY 2001 Government Information Security Reform Act, the OIG issued a report on JMD's Justice Communications Network IT system. The report identified vulnerabilities with the IT system, including management, operational, and technical controls. The report noted significant vulnerabilities in the following areas:
The report stated that these vulnerabilities occurred because JMD had not implemented Department policies or updated security information and procedures.
In June 2004, pursuant to the Federal Information Security Management Act, the OIG issued an oversight and information systems consolidated report. The report identified JMD vulnerabilities in the following areas:
In September 2004, the OIG issued a report on the Drug Enforcement Administration's Management of Enterprise Architecture and IT Investments. The OIG found that the Drug Enforcement Administration had completed nearly 90 percent of the Enterprise Architecture Management Framework criteria for meeting the second of five levels of maturity. Also, the Drug Enforcement Administration had attained Stage 2 of the five maturity stages outlined in the GAO ITIM Framework.