The Status of Enterprise Architecture and Information Technology
Investment Management in the Department of Justice

Audit Report 06-02
November 2005
Office of the Inspector General


Background


Introduction

The Department of Justice (Department) relies on 320 Information Technology (IT) systems to conduct the business of the Department through its components, offices, boards, and divisions. Most of these IT systems are unique to the major organizational components of the Department, although 22 major systems cross-cut more than one component. In Fiscal Year (FY) 2005, the Department budgeted nearly $2.25 billion for IT, and almost half the budget applied to cross-cutting systems.

Authorities

Clinger-Cohen Act

Congress enacted the Information Technology Management Reform Act of 1996 (known as the Clinger-Cohen Act) to address longstanding problems related to federal IT management. The Clinger-Cohen Act requires the head of each federal agency to implement a process that maximizes the value of agency IT investments and assesses and manages acquisition risks. A key goal of the Act is to ensure that agencies implement IT projects at acceptable costs and within reasonable timeframes. Under Clinger-Cohen, IT projects are to contribute to tangible and observable improvements in the mission performance of each agency.

Clinger-Cohen also requires the Chief Information Officer (CIO) of each agency to develop, maintain, and facilitate the implementation of IT architectures as a means of integrating business processes with agency goals. An IT architecture, commonly referred to as an organization's Enterprise Architecture, is an integrated framework used to acquire, evolve, or maintain IT that achieves strategic and information resource management goals.

The Clinger-Cohen Act assigns to the head of an executive agency the responsibility to develop a capital planning and investment control process that will:

  • provide for the selection, management, and evaluation of investments;

  • be integrated with the budget, management, and program management processes;

  • include minimum performance criteria for comparing and prioritizing alternative investment projects;

  • identify investments that would result in shared benefits or costs for other agencies;

  • identify quantifiable measurements for net benefits and risks of investments; and

  • provide the means for senior management to obtain timely information regarding the progress of an investment.

OMB Circular A-130

Office of Management and Budget (OMB) Circular A-130 (A-130) requires each federal agency to establish and maintain a capital planning and investment control process for IT, commonly referred to as Information Technology Investment Management (ITIM). The major purpose of establishing an ITIM process is to link agency resources with agency results. The ITIM process is intended to guide strategic and operational information resource management, IT planning, and the Enterprise Architecture. This is accomplished by integrating the agency's budget execution processes with statutorily required strategic and performance, financial management, and acquisition plans.[3]

According to OMB Circular A-130, agencies are to use an ITIM process to link mission needs, information, and IT in an effective and efficient manner. An effective ITIM process has three components: select, control, and evaluate. The following chart describes the three fundamental phases of this IT investment approach.

FUNDAMENTAL PHASES OF THE IT INVESTMENT APPROACH

The chart shows a data flow through three phases: Select, Control, and Evaluate.

  • Select phase: screen, rank, and choose. How do you know you have selected the best projects?

  • Control phase: monitor progress and take corrective actions. How are you ensuring that projects deliver benefits?

  • Evaluate phase: conduct interviews, make adjustments, and apply lessons learned. Are the systems delivering what you expected?

Source: Government Accountability Office

A-130 also requires agencies to document and submit their initial Enterprise Architectures to the OMB, as well as updates when significant changes occur. The Enterprise Architecture is to describe both the current architecture of an agency and its future, or target, architecture, as well as provide a roadmap enabling the agency to both support its current IT state and transition to a targeted environment. Such roadmaps include an agency's capital planning and investment control processes, Enterprise Architecture planning processes, and system life cycle methodologies.

Departmental Guidance

In order to meet the requirements of Clinger-Cohen and A-130, the Department issued guidance to its components in March 2001, which provided a framework for developing ITIM processes, including those covering Enterprise Architectures.

DOJ Information Resources Management Policy

In March 2001, the Department's Assistant Attorney General for Administration approved DOJ Order 2880.1A, Information Resources Management, which established an Information Resources Management (IRM) policy for the Department based on Clinger-Cohen. This IRM policy applies to all major Department components.

The order requires each component to designate a CIO to serve as the primary point of contact for IRM policy and requires the component CIO to: (1) report directly to the respective component head, and (2) recommend a component-level ITIM process that both budgets for and prioritizes IT investment deployment. The component CIO is to submit the component's ITIM process to the DOJ CIO for approval upon completion. Once the process is approved by the DOJ CIO, the component is responsible for managing its respective IT investment portfolios and establishing component ITIM decision-making forums and policies. The order also requires the components to develop and maintain Enterprise Architectures to support their ITIM processes.

DOJ ITIM Guide

In August 2001, the Department issued The Guide to the Department of Justice Information Technology Investment Management Process (Guide) to implement the Clinger-Cohen Act, OMB Circular A-130, and other IT management requirements.[4] The Guide requires all DOJ components to implement an ITIM model and provides structure and support to DOJ components developing an ITIM model tailored to the unique characteristics of each component. The elements of an adequate ITIM process, regardless of component size, mission, or operational requirements, are also included in the Guide. Using the select-control-evaluate methodology, the components are to establish a structured, repeatable, and documented process for IT investments throughout the life cycle of the investment.

The select-control-evaluate method outlined in the Guide is intended to maximize component resources by focusing on strategic investment planning decisions for ongoing and future budget requests. By integrating each component's existing strategic planning, budgeting, and decision-making processes, the component's ITIM is to conform with Departmental policies and guidance and include timely and substantive executive-level review at the component level.

The requirements established in the Guide apply to all IT projects and systems in the Department, and accordingly each Department component must:

  • designate a CIO who reports directly to the head of the component as required by DOJ Order 2880.1A,

  • establish an Executive Review Board to approve the component's IT portfolio and provide management oversight of decisions made about specific IT investments contained within the IT portfolio, and

  • establish a component ITIM process that is both consistent with Departmental guidance and customized to function within the unique environment of the component.

Technical Reference Model

To facilitate the development of the Department's Enterprise Architecture, the Department issued a Technical Reference Model (TRM) in 2001. The TRM is not an architecture, but an aid to developing architectures for the Department. The TRM provides a foundation for developing technical and operational architectures, for defining services, and for identifying standards for all IT systems funded by the Department. It applies to both the development of new systems and the enhancement of existing systems. Use of the Department TRM was intended to promote the development and deployment of information systems that will enhance interoperability among components and their information systems.

Enterprise Architecture Management

In 1999, the Federal Chief Information Officers Council (CIO Council) issued the Federal Enterprise Architecture Framework (FEAF). This framework is illustrated in the following diagram.

FEDERAL ENTERPRISE ARCHITECTURE FRAMEWORK

[Not Available Electronically]

 Source: Federal CIO Council

In support of the framework, the CIO Council issued the Practical Guide to Federal Enterprise Architecture (Practical Guide) in February 2001.[5] The Practical Guide describes Enterprise Architecture as a strategic information asset base that defines the mission, the technologies necessary to perform the mission, and the transitional processes for implementing new technologies in response to changing mission needs. An Enterprise Architecture is to provide a clear and comprehensive layout of an entity, whether the entity is an organization or a functional or mission area. According to the Government Accountability Office (GAO), investing in IT without defining the IT investments in the context of an Enterprise Architecture often results in systems that are duplicative, not well integrated, and costly to maintain.

An Enterprise Architecture is comprised of four elements: Business Architecture, Data Architecture, Applications Architecture, and Technology Architecture. Together, these elements provide a clear picture of how an organization accomplishes its mission, goals, and objectives. It also provides the baseline from which initiatives are planned and later compared.

Each of the four architectures is comprised of a current or "as-is" element that describes the existing environment, a target or "to-be" element that describes the proposed environment, and a sequencing plan detailing the transition from the "as-is" to the "to-be" environment.

In April 2003, the GAO, in collaboration with the OMB and the CIO Council, published an updated Enterprise Architecture management framework.[6] The GAO's new Enterprise Architecture management framework provides measures to aid management in assessing its progress and taking any necessary corrective action. The GAO Enterprise Architecture framework consists of three basic components: (1) five hierarchical stages of management maturity, (2) categories of attributes that are critical to the success of managing any endeavor, and (3) elements of Enterprise Architecture management that form the core of the CIO Council's Practical Guide.

The GAO framework outlines five maturity stages. These stages include steps toward achieving a stable and mature process that develops, maintains, and implements the Enterprise Architecture of an agency. As an organization improves its Enterprise Architecture management capabilities, its Enterprise Architecture management maturity subsequently increases. The five maturity stages are:

  • Stage 1:  Creating Enterprise Architecture Awareness
    A Stage 1 organization does not have plans to develop and use an architecture, or it has plans that do not demonstrate an awareness of the value of having and using an architecture. Efforts are ad hoc and unstructured, lack institutional leadership and direction, and do not provide the management foundation necessary for successful development.

  • Stage 2:  Building the Management Foundation
    A Stage 2 organization recognizes that an Enterprise Architecture is a corporate asset by vesting accountability in an executive body that represents the entire enterprise, assigning management roles and responsibilities, establishing plans for developing the Enterprise Architecture and for measuring program progress and quality, and committing the resources necessary for developing the architecture.

  • Stage 3:  Developing the Enterprise Architecture
    A Stage 3 organization focuses on developing architecture products according to the selected framework, methodology, and established management plans. The scope of the architecture has been defined to encompass the entire enterprise, whether organization-based or function-based. Products are intended to describe the organization in business, performance, data, application, and technology terms. Products are to describe the "as-is" and "to-be" states and the plan for transitioning from the current to the future state (the sequencing plan). The organization is tracking and measuring its progress against plans, identifying and addressing variances, and reporting on its progress.

  • Stage 4:  Completing the Enterprise Architecture
    A Stage 4 organization has completed its products and obtained the approval of a steering committee (or an investment review board) and the CIO. Evolution of the approved products is governed by a written maintenance policy approved by the head of the organization.

  • Stage 5:  Leveraging the Enterprise Architecture to Manage Change
    A Stage 5 organization has obtained senior leadership approval of products and has established a written institutional policy stating that IT investments must comply with the architecture, unless granted an explicit compliance waiver. Decision-makers are using the architecture to identify and resolve ongoing and proposed IT investments that are conflicting, overlapping, not strategically linked, or redundant. The organization tracks and measures benefits or return on investment, and adjustments are continuously made to the Enterprise Architecture management process and products.

With the exception of the first stage, each maturity stage is composed of the following four success attributes that are critical to the successful performance of any management function:

  • Demonstrates Commitment by the head of the enterprise providing support and sponsorship to achieve the success of the Enterprise Architecture effort.

  • Provides the Capability to Meet Commitment by developing, maintaining, and implementing Enterprise Architecture through adequate resources, clear definitions of roles and responsibilities, and implementing organizational structures and process management controls that promote accountability and effective project execution.

  • Demonstrates Satisfaction of Commitment to develop, maintain, and implement Enterprise Architecture by producing Enterprise Architecture plans and products.

  • Verifies Satisfaction of Commitment by measuring and disclosing the extent to which efforts to develop, maintain, and implement the Enterprise Architecture have fulfilled stated goals or commitments. Measuring performance allows for tracking progress toward stated goals, allows appropriate actions to be taken when performance deviates significantly from goals, and creates incentives to influence both institutional and individual behaviors.

Collectively, these attributes form the basis by which an organization can institutionalize the management of any given function or program, such as Enterprise Architecture management. Each attribute contains core elements that contribute to the effective implementation and institutionalization of a critical success attribute. Appendix 4 summarizes the interrelationships of the elements in the Enterprise Architecture management process.

IT Investment Management

In 1997, the GAO issued Assessing Risks and Returns: A Guide For Evaluating Federal Agencies' IT Investment Decision-making, in which the GAO stated that investments in IT can have a dramatic impact on an agency's performance. Well-managed IT investments that are carefully selected and focused on meeting mission needs can propel an agency forward, dramatically improving performance while reducing costs. Likewise, poor investments, those that are inadequately justified or whose costs, risks, and benefits are poorly managed, can hinder and even restrict an agency's performance.

To provide a method for evaluating and assessing how well an agency is selecting and managing its IT resources, in May 2000 the GAO issued Information Technology Investment Management: A Framework For Assessing and Improving Process Maturity, and updated the framework in March 2004. The GAO's ITIM framework outlines a set of essential and complementary management disciplines such as ITIM, strategic planning, and software development. The ITIM framework supports the fundamental requirements of the Clinger-Cohen Act and is intended to be used as a tool for implementing the required processes. Appendix 5 contains a summary of the GAO ITIM Framework.

OMB Circular A-130 requires that agencies establish and maintain a capital planning and investment control process that links mission needs, information, and information technology in an effective and efficient manner. A-130 divides the process into the Select, Control, and Evaluate stages. See Appendix 7 for a summary of OMB Circular A-130's three ITIM stages.

Prior Reports

We identified eight reports issued since May 2000 by the GAO and the Office of the Inspector General (OIG) that are relevant to this audit. See Appendix 8 for details of the eight reports.

In general, the GAO has reported that although almost all federal agencies had created some type of ITIM process, none had yet implemented stable processes addressing all three phases of the select-control-evaluate approach. The GAO also reported that the federal government as a whole had not reached a mature state of Enterprise Architecture management. The OIG reports identified vulnerabilities with management, operational, and technical controls in specific Department IT systems. In addition, the OIG examined the status of the Federal Bureau of Investigation's (FBI) and the Drug Enforcement Administration's (DEA) ITIM processes and Enterprise Architectures.



Footnotes

  3. Each agency prepares these plans pursuant to specific mandates. Agency strategic and performance plans are required by the Government Performance and Results Act of 1993, agency financial management plans are required by the Chief Financial Officer Act of 1990, and agency acquisition plans are required by the Federal Acquisition Streamlining Act of 1994.
  4. The additional requirements include the Government Performance and Results Act, Government Paperwork Reduction Act, Federal Acquisition Streamlining Act, Federal Acquisition Reform Act, Executive Order 13011, OMB Circular A-11, and OMB Memorandum M-00-07.
  5. The CIO Council is the principal interagency forum for improving practices in the design, modernization, use, sharing, and performance of federal government agency information resources. The CIO Council's Practical Guide provides a step-by-step process to assist agencies in defining, maintaining, and implementing Enterprise Architectures.
  6. The framework is entitled Information Technology, A Framework for Assessing and Improving Enterprise Architecture Management, Version 1.1 (GAO-03-584G), dated April 2003.


