The Status of Enterprise Architecture and Information Technology Investment Management in the Department of Justice
Audit Report 06-02
Office of the Inspector General
The Department of Justice (Department) relies on 320 Information Technology (IT) systems to conduct the business of the Department through its components, offices, boards, and divisions. Most of these IT systems are unique to the major organizational components of the Department, although 22 major systems cross-cut more than one component. In Fiscal Year (FY) 2005, the Department budgeted nearly $2.25 billion for IT, and almost half the budget applied to cross-cutting systems.
Congress enacted the Information Technology Management Reform Act of 1996 (known as the Clinger-Cohen Act) to address longstanding problems related to federal IT management. The Clinger-Cohen Act requires the head of each federal agency to implement a process that maximizes the value of agency IT investments and assesses and manages acquisition risks. A key goal of the Act is to ensure that agencies implement IT projects at acceptable costs and within reasonable timeframes. Under Clinger-Cohen, IT projects are to contribute to tangible and observable improvements in the mission performance of each agency.
Clinger-Cohen also requires the Chief Information Officer (CIO) of each agency to develop, maintain, and facilitate the implementation of IT architectures as a means of integrating business processes with agency goals. An IT architecture, commonly referred to as an organization's Enterprise Architecture, is an integrated framework used to acquire, evolve, or maintain IT that achieves strategic and information resource management goals.
The Clinger-Cohen Act assigns to the head of an executive agency the responsibility to develop a capital planning and investment control process that will:
OMB Circular A-130
Office of Management and Budget (OMB) Circular A-130 (A-130) requires each federal agency to establish and maintain a capital planning and investment control process for IT, commonly referred to as Information Technology Investment Management (ITIM). The major purpose of establishing an ITIM process is to link agency resources with agency results. The ITIM process is intended to guide strategic and operational information resource management, IT planning, and the Enterprise Architecture. This is accomplished by integrating the agency's budget execution processes with statutorily required strategic and performance, financial management, and acquisition plans.3
According to OMB Circular A-130, agencies are to use an ITIM process to link mission needs, information, and IT in an effective and efficient manner. An effective ITIM process has three components: select, control, and evaluate. The following chart describes the three fundamental phases of this IT investment approach.
FUNDAMENTAL PHASES OF THE IT INVESTMENT APPROACH
A-130 also requires agencies to document and submit their initial Enterprise Architectures to the OMB, as well as updates when significant changes occur. The Enterprise Architecture is to describe both the current architecture of an agency and its future, or target, architecture, as well as provide a roadmap enabling the agency to both support its current IT state and transition to a targeted environment. Such roadmaps include an agency's capital planning and investment control processes, Enterprise Architecture planning processes, and system life cycle methodologies.
In order to meet the requirements of Clinger-Cohen and A-130, the Department issued guidance to its components in March 2001, which provided a framework for developing ITIM processes, including those covering Enterprise Architectures.
DOJ Information Resources Management Policy
In March 2001, the Department's Assistant Attorney General for Administration approved DOJ Order 2880.1A, Information Resources Management, which established an Information Resources Management (IRM) policy for the Department based on Clinger-Cohen. This IRM policy applies to all major Department components.
The order requires each component to designate a CIO to serve as the primary point of contact for IRM policy and requires the component CIO to: (1) report directly to the respective component head, and (2) recommend a component-level ITIM process that both budgets for and prioritizes IT investment deployment. The component CIO is to submit the component's ITIM process to the DOJ CIO for approval upon completion. Once the process is approved by the DOJ CIO, the component is responsible for managing its respective IT investment portfolios and establishing component ITIM decision-making forums and policies. The order also requires the components to develop and maintain Enterprise Architectures to support their ITIM processes.
DOJ ITIM Guide
In August 2001, the Department issued The Guide to the Department of Justice Information Technology Investment Management Process (Guide) to implement the Clinger-Cohen Act, OMB Circular A-130, and other IT management requirements.4 The Guide requires all DOJ components to implement an ITIM model and provides structure and support to DOJ components developing an ITIM model tailored to the unique characteristics of each component. The elements of an adequate ITIM process, regardless of component size, mission, or operational requirements, are also included in the Guide. Using the select-control-evaluate methodology, the components are to establish a structured, repeatable, and documented process for IT investments throughout the life cycle of the investment.
The select-control-evaluate method outlined in the Guide is intended to maximize component resources by focusing on strategic investment planning decisions for ongoing and future budget requests. By integrating each component's existing strategic planning, budgeting, and decision-making processes, the component's ITIM is to conform with Departmental policies and guidance and include timely and substantive executive-level review at the component level.
The requirements established in the Guide apply to all IT projects and systems in the Department, and accordingly each Department component must:
Technical Reference Model
To facilitate the development of the Department's Enterprise Architecture, the Department issued a Technical Reference Model (TRM) in 2001. The TRM is not an architecture, but an aid to developing architectures for the Department. The TRM provides a foundation for developing technical and operational architectures, for defining services, and for identifying standards for all IT systems funded by the Department. It applies to both the development of new systems and the enhancement of existing systems. Use of the Department TRM was intended to promote the development and deployment of information systems that will enhance interoperability among components and their information systems.
In 1999, the Federal Chief Information Officers Council (CIO Council) issued the Federal Enterprise Architecture Framework (FEAF). This framework is illustrated in the following diagram.
In support of the framework, the CIO Council issued the Practical Guide to Federal Enterprise Architecture (Practical Guide) in February 2001.5 The Practical Guide describes Enterprise Architecture as a strategic information asset base that defines the mission, the technologies necessary to perform the mission, and the transitional processes for implementing new technologies in response to changing mission needs. An Enterprise Architecture is to provide a clear and comprehensive layout of an entity, whether the entity is an organization or a functional or mission area. According to the Government Accountability Office (GAO), investing in IT without defining the IT investments in the context of an Enterprise Architecture often results in systems that are duplicative, not well integrated, and costly to maintain.
An Enterprise Architecture is composed of four elements: Business Architecture, Data Architecture, Applications Architecture, and Technology Architecture. Together, these elements provide a clear picture of how an organization accomplishes its mission, goals, and objectives. The Enterprise Architecture also provides the baseline from which initiatives are planned and later compared.
Each of the four architectures is composed of a current or "as-is" element that describes the existing environment, a target or "to-be" element that describes the proposed environment, and a sequencing plan detailing the transition from the "as-is" to the "to-be" environment.
In April 2003, the GAO, in collaboration with the OMB and the CIO Council, published an updated Enterprise Architecture management framework.6 The GAO's new Enterprise Architecture management framework provides measures to aid management in assessing its progress and taking any necessary corrective action. The GAO Enterprise Architecture framework consists of three basic components: (1) five hierarchical stages of management maturity, (2) categories of attributes that are critical to the success of managing any endeavor, and (3) elements of Enterprise Architecture management that form the core of the CIO Council's Practical Guide.
The GAO framework outlines five maturity stages. These stages include steps toward achieving a stable and mature process that develops, maintains, and implements the Enterprise Architecture of an agency. As an organization improves its Enterprise Architecture management capabilities, its Enterprise Architecture management maturity subsequently increases. The five maturity stages are:
With the exception of the first stage, each maturity stage is composed of the following four success attributes that are critical to the successful performance of any management function:
Collectively, these attributes form the basis by which an organization can institutionalize the management of any given function or program, such as Enterprise Architecture management. Each attribute contains core elements that contribute to the effective implementation and institutionalization of a critical success attribute. Appendix 4 summarizes the interrelationships of the elements in the Enterprise Architecture management process.
In 1997, the GAO issued Assessing Risks and Returns: A Guide For Evaluating Federal Agencies' IT Investment Decision-making, in which the GAO stated that investments in IT can have a dramatic impact on an agency's performance. Well-managed IT investments that are carefully selected and focused on meeting mission needs can propel an agency forward, dramatically improving performance while reducing costs. Likewise, poor investments, those that are inadequately justified or whose costs, risks, and benefits are poorly managed, can hinder and even restrict an agency's performance.
To provide a method for evaluating and assessing how well an agency is selecting and managing its IT resources, in May 2000 the GAO issued Information Technology Investment Management: A Framework For Assessing and Improving Process Maturity, and updated the framework in March 2004. The GAO's ITIM framework outlines a set of essential and complementary management disciplines such as ITIM, strategic planning, and software development. The ITIM framework supports the fundamental requirements of the Clinger-Cohen Act and is intended to be used as a tool for implementing the required processes. Appendix 5 contains a summary of the GAO ITIM Framework.
OMB Circular A-130 requires that agencies establish and maintain a capital planning and investment control process that links mission needs, information, and information technology in an effective and efficient manner. A-130 divides the process into the Select, Control, and Evaluate stages. See Appendix 7 for a summary of OMB Circular A-130's three ITIM stages.
We identified eight reports issued since May 2000 by the GAO and the Office of the Inspector General (OIG) that are relevant to this audit. See Appendix 8 for details of the eight reports.
In general, the GAO has reported that although almost all federal agencies had created some type of ITIM process, none had yet implemented stable processes addressing all three phases of the select-control-evaluate approach. The GAO also reported that the federal government as a whole had not reached a mature state of Enterprise Architecture management. The OIG reports identified vulnerabilities with management, operational, and technical controls in specific Department IT systems. In addition, the OIG examined the status of the Federal Bureau of Investigation's (FBI) and the Drug Enforcement Administration's (DEA) ITIM processes and Enterprise Architectures.