Background

This report is the final in a series of three reports prepared by the Department of Justice (Department) Office of the Inspector General (OIG) in response to a congressional request included in the Department’s appropriation for fiscal year (FY) 2006. Specifically, Congress instructed the OIG to present to the Committees on Appropriations: (1) an inventory of all major Department information technology (IT) systems and planned initiatives, and (2) a report that details all research, plans, studies, and evaluations that the Department has produced, or is in the process of producing, concerning IT systems, needs, plans, and initiatives. Congress requested that the OIG include an analysis identifying the depth and scope of problems the Department has experienced in the formulation of its IT plans.

The OIG’s first report, issued in March 2006, presented an unverified inventory of the Department’s major IT investments based on information reported to the Office of Management and Budget (OMB) for budget purposes.⁷ The inventory contained 46 major investments, each with projected costs at or exceeding $15 million for FYs 2005 through 2007.

The second report, issued in June 2007, presented the refined inventory of major systems according to criteria developed by the OIG, reducing the number of major systems to 38.⁸ The second report also examined issues related to verifying cost information about the 38 systems.

This third and final report addresses the request for the OIG to prepare a report that details the research, plans, studies, and evaluations related to the Department’s information technology initiatives. We used the refined inventory of major systems presented in the second report to focus our work for this current report. This report also includes an analysis of problems related to IT planning that have been identified in previous OIG reports.

Major Systems

We generally focused our audit on the 38 major systems and initiatives that were identified in the refined OIG inventory, which are shown in Figure 1, listed by the component within the Department that is responsible for each system.⁹ The components are the:

• Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF)

• Bureau of Prisons (BOP)

• Drug Enforcement Administration (DEA)

• Executive Office for Immigration Review (EOIR)

• Federal Bureau of Investigation (FBI)

• Justice Management Division (JMD)

• Office of the Deputy Attorney General (ODAG)

• Office of Justice Programs (OJP)

Major Systems and Projects

These systems represent a wide range of types of systems and initiatives, including efforts to acquire infrastructure, implement communications networks, and build application programs to support business transactions. For example, the DEA’s Firebird project is providing infrastructure network equipment which allows DEA staff to use various automated programs. Its Concorde project is intended to update and transition older applications that currently run on older hardware and database platforms to newer platforms. OJP’s Litigation Case Management System project is a major new development effort designed to build an enterprise case management system that will serve as an infrastructure for the sharing of case-related information within and between the Department’s components and United States Attorneys Offices.

The systems we reviewed are also in various stages of development and operation. Some of the systems have been in steady-state operational status for many years. Others are new development or in a mixed life-cycle phase, meaning the system is operational with significant modifications or enhancements being implemented. These variations affect which studies, plans, and evaluations have been or should have been prepared.

The OMB budget process grants agencies significant flexibility in defining what needs to be reported as an “IT investment” for budget purposes. Most of the system titles in Figure 1 represent single information systems, but others, such as the DEA’s EIS and the FBI’s FTTTF represent programs that include multiple information systems. JMD’s Public Key Infrastructure (PKI) project is an initiative that will affect access to many other systems in the Department by specifying access controls. A brief summary on each system or project is found in Appendix VI, along with a list of the studies, plans, and evaluations we obtained associated with the project.

Information Technology Organizations

Our work involved the Department’s Office of the Chief Information Officer and the eight Department components or offices listed on page 2.

Office of the Chief Information Officer (OCIO)

The Deputy Assistant Attorney General for Information Resources Management (DAAG/ IRM), who reports to the Assistant Attorney General for Administration, serves as the Department’s Chief Information Officer (CIO). The CIO’s responsibilities include establishing and implementing Department-wide IT policies and standards, developing the Department’s IT Strategic Plan, and reviewing and evaluating the performance of Department IT programs and projects. In his role as the DAAG/ IRM, the CIO leads the Information Resources Management (IRM) function of the Justice Management Division (JMD).

Justice Management Division

JMD provides administrative services to the Department, including those related to human resources, controller activities, and IT systems and support. In the area of IT, JMD serves a central role for the Department for policy, planning, monitoring, and services. DOJ Order 2880.1B, Information Resources Management Program, September 27, 2005, requires the CIO, in his role as the DAAG/ IRM, to deliver IT services to the Department through the JMD.¹¹

JMD developed and operates many systems that serve more than one component in the Department, and it owns six of the major systems in our inventory. JMD is responsible for overseeing the development and implementation of the Unified Financial Management System, which is intended to consolidate financial reporting for all of the Department’s components and replace six different financial management systems. The Litigation Case Management System will serve seven litigating divisions of the Department and will implement a common case management architecture for future projects. The Integrated Wireless Network project is intended to provide a consolidated, nationwide federal wireless communications service that will replace standalone systems in various components. The Justice Consolidated Office Network seeks to provide a reliable common office automation platform upon which 16 of the Department’s litigating, management, and law enforcement components operate mission-critical applications. Under the Classified Information Technology Program, the Department will develop a classified Enterprise Architecture, an initial operational infrastructure, and an operations and maintenance model for processing classified information.¹² The Department has also established a Public Key Infrastructure project to enhance access security for existing applications and services. The enhanced security will support communications between Department staff and federal, state, and local government agencies.

Within the OCIO, the CIO-DAAG/ IRM leads five staffs: (1) Policy and Planning, (2) Electronic Government Services, (3) Information Technology Security, (4) Operations Services, and (5) Enterprise Solutions. Of the six systems and projects in the refined inventory for which JMD is responsible, five are the responsibility of the OCIO. The following four projects are assigned to the Enterprise Solutions Staff:

• Classified Information Technology Program,

• Justice Consolidated Network,

• Litigation Case Management System, and

• Public Key Infrastructure Project.

The Integrated Wireless Network project is assigned to the Electronic Government Services Staff. The Office of the Controller, which is not a part of the IRM office, is responsible for the sixth JMD project, the Unified Financial Management System.

Component IT Organizations

Components in the Department are responsible for:

• providing information on their investments as requested by the Department’s CIO;

• demonstrating that resources are being well-spent and managed;

• demonstrating that risks are being properly addressed;

• developing an acquisition strategy for all major IT projects;

• implementing security policies and guidelines, and

• using the methodology in the Department’s Systems Development Life Cycle Guidance Document for all information systems and applications, tailored to individual projects.

Each of the components responsible for one of the major IT systems in the OIG’s refined inventory has its own CIO and IT organization, with the exception of the ODAG. Many of the initiatives in the refined inventory were managed out of the CIO’s offices identified in Figure 2, although some were managed by other offices within the component.

Chief Information Officers and Organizations

Standards for IT Studies, Plans, and Evaluations

Numerous federal, Department, and component-level guidelines establish criteria for IT research, studies, plans, and evaluations. The guidelines come from both IT and budget authorities, and may apply to the Department as a whole or to individual components such as the DEA or FBI. While the various standards should complement one another, the compliance environment is complex and involves strategic planning, IT development methodologies, IT investment management, enterprise architecture, procurement, and budgeting. Additionally, many standards exist as guidelines rather than requirements, thereby allowing needed flexibility depending on the specific characteristics (type, size, scope, status) of each project.

Federal IT Standards

The Information Technology Management Reform Act (ITMRA) of 1996, also known as the Clinger-Cohen Act, P.L. 104-106, February 1996, requires federal agencies to improve the acquisition, use, and disposal of information technology by implementing a capital planning and investment control (CPIC) process that links to budget formulation and execution.¹³ The process is intended to maximize the value, and assess and manage the risks, of IT acquisitions. This Act also requires agencies to focus information resource planning to support their strategic missions and to rethink and restructure the way they do their work before investing in information systems.

OMB Circular A-130, Management of Federal Information Resources, revised November 2000, establishes policy for the management of federal information resources, based on several laws, including the Clinger Cohen Act. The Circular assigns responsibilities to various agencies and establishes standards for the CPIC process. The CPIC process is intended to include all stages of capital programming, including planning, budgeting, procurement, management, and assessment. It requires information resource management Strategic Plans, which are strategic in nature, and IT Capital Plans, which are operational in nature. The IT Capital Plans are submitted to OMB with agency budget submissions annually, and are required to include the IT Capital Asset Plans for major information systems or projects.

The OMB also publishes guidelines governing budget submissions each year that influence IT planning and documentation. OMB Circular A-11, Preparation, Submission, and Execution of the Budget, June 2006, establishes detailed standards for the IT Capital Plans to be submitted for each budget year. Two main exhibits are submitted with the Department’s budget each year representing the Department’s IT Capital Plan. Under the Circular’s Part 2, Preparation and Submission of Budget Estimates, Section 53, Information Technology and e-Government, federal agencies are required to submit an Agency IT Investment Portfolio, called the OMB exhibit 53, which is a table of basic information about each major IT investment. Section 53 also requires the submission of Privacy Impact Assessments (PIA), one of the studies we have included in our audit.

Circular A-11’s Part 7, Section 300, Planning, Budgeting, Acquisition, and Management of Capital Assets, requires agencies to provide an IT Capital Asset Plan and Business Case (exhibit 300) for each major IT investment that is included in the portfolio. This part also generally establishes policy for planning, budgeting, acquiring, and managing federal capital assets, and provides instructions on budget justification and reporting requirements for major information technology investments. Each exhibit 300 is required to contain information demonstrating compliance with OMB’s CPIC policies and with OMB Circular A-130 and E-Gov related policy memoranda. Agencies justify new or continued funding for major acquisitions by demonstrating on exhibits 300:

• a direct connection to the agency’s strategic plan,

• a positive return on investment for the selected alternative,

• sound acquisition (program and procurement) planning,

• comprehensive risk mitigation and management planning,

• realistic cost and schedule goals, and

• measurable performance benefits.

In addition, agencies are expected to document detailed information substantiating the portfolio of major investments in accordance with the agency’s capital programming process.

The OMB’s Capital Programming Guide, Supplement to OMB Circular A-11, Part 7, Planning, Budgeting, and Acquisition of Capital Assets, June 2006, contains more detailed guidance to federal agencies about practices and lessons learned for more efficient project and acquisition management of capital assets. It integrates various statutory and management initiatives into a single, integrated capital programming process to ensure that capital assets successfully contribute to the achievement of agency strategic goals and objectives. Its purpose is to assist federal agencies in planning, procuring, and using capital assets to achieve the maximum return on investment.

Additionally, numerous laws and standards exist regarding specific financial systems, system security, enterprise architectures, electronic access, and data quality. Because these standards focus on specific system requirements rather than on IT planning and evaluation processes, we did not use these as the basis for determining IT planning and evaluation requirements, and they are not included in this report.

Department Standards

The Department has implemented a number of standards that define IT processes and result in studies, plans, and evaluations. DOJ Order 2880.1B, Information Resources Management Program, September 2005, establishes the CIO’s authority for issuing Department-wide IT policies, standards, and guidelines, and for reviewing and evaluating the performance of IT programs and projects.

The Department’s Guide to the DOJ Information Technology Investment Management (ITIM) Process (ITIM Guide), August 2001, implemented the capital planning and investment control process that was required by the Clinger-Cohen Act.¹⁴ The ITIM Guide integrates the interrelated disciplines of strategic planning, performance planning, systems life-cycle development, capital planning, security, architecture, and acquisition planning, and program management. Intended to complement the Systems Development Life Cycle process already in place, it defines criteria for “major” information systems in the Department and specifies a number of documents that should be produced as part of each phase of IT management.

The Department’s Systems Development Life Cycle (SDLC) Guidance Document, revised January 2003, establishes life-cycle management procedures, practices, and guidelines governing IT work within the Department. The guidance is intended to be used for all of the Department’s information systems and applications, but is also intended to allow flexibility to suit the characteristics of particular development efforts. Tailoring standards may be based on individual project cost, complexity, and criticality to the agency’s mission. When a full sequential life-cycle pattern is not appropriate, the SDLC offers alternate work patterns for smaller or more limited efforts, such as implementing commercial-off-the-shelf (COTS) products.

Component-Specific Standards

Each of the Department’s components may establish its own life-cycle guidelines as long as they are consistent with the Department’s standards. For this audit, we found that the BOP, EOIR, and JMD use the Department’s SDLC. The DEA and FBI developed their own life-cycle development methodologies defining IT project management procedures and documentation requirements – the DEA System Development Life Cycle (DEA SDLC), March 2000, and the FBI Life Cycle Management Directive (FBI LCMD), August 2005, which was first implemented in November 2004.¹⁵

The DEA SDLC closely follows the Department’s life-cycle guidance in terms of the phases of development and documents described. The FBI LCMD is a more recent methodology and more closely resembles elements of the CPIC process. Some of the documents required by the FBI LCMD are virtually identical to aspects of the Capital Asset Plan and Business Case (exhibit 300) that is to be submitted to the OMB for each major IT investment. Details about the requirements under each methodology for the studies, plans, and evaluations included in this audit are found in the detailed discussion of each document type in Finding 1. All of the Department’s components included in this audit allow some variation within their own IT development standards.

IT System Life-Cycle Concepts

Projects can be expected to go through a process of identifying a business need and alternative solutions for meeting the need, selecting the best alternative, planning to acquire or build the solution, defining specific requirements, and designing, building, testing, implementing, and evaluating the implemented solution. The Department’s SDLC Guidance Document describes 10 phases of IT work: initiation, concept development, planning, requirements analysis, design, development, integration and test, implementation, operations and maintenance, and disposition of information systems within the Department. The SDLC specifies tasks and deliverables, including planning documents, to be created for each of the phases.

For different types of acquisitions and smaller-scope projects, the life-cycle work pattern can be tailored to reduce the workload from a full sequential work pattern. Tailoring the work pattern may include dropping requirements for specific tasks, studies, plans, and evaluations. The major tasks and deliverables for each SDLC phase are summarized in Figure 3.

Systems Life Cycle Phases & Documents

The Department’s ITIM process describes three phases: Select, Control, and Evaluate. The DOJ ITIM Guide also defines major tasks and deliverables associated with each of the three phases. The tasks and deliverables focus on the investment management process in the Department, rather than on the details of each system or project. There is some overlap between the SDLC and ITIM tasks and deliverables, but they do not precisely coincide because the focus of each is different. The ITIM phases and deliverables are summarized in Figure 4.

DOJ ITIM Process

Both the SDLC and ITIM tasks and deliverables generally follow the progression of IT projects chronologically. Under both, studies and research, such as alternatives analyses, feasibility studies, risk analyses, and market research for possible solutions are performed early in the life of a system as the basis for selecting the best alternative and preparing the business case for the project. Major plans of all types, such as project management plans and quality assurance plans, are developed after the selected approach has been authorized. Post-implementation reviews, in-process review reports, and user satisfaction reviews are types of evaluations that occur after an IT system has been implemented or a project has been terminated. We used this chronological approach to identify and organize the studies, research, plans, and evaluations that are addressed in this audit.

This chronological approach is qualified by the evolutionary nature of the entire life-cycle process. As projects evolve to become more defined over time, plans should also become more defined. The life cycle of identifying business needs, selecting best alternatives, determining which IT investments should be added to and continued in the Department’s portfolio, acquiring and building solutions, and evaluating the results is intended to be iterative and ongoing. Both the SDLC and ITIM require multiple iterations of various documents, with updates as projects become more defined and change over time. Both the SDLC and ITIM also require various types of ongoing evaluations to occur regularly as decision points are reached during the course of IT projects.

Audit Approach

Our audit objectives were to: (1) identify all research, plans, studies, and evaluations that the Department has produced, or is in the process of producing, concerning IT systems, needs, plans, and initiatives; and (2) analyze the depth and scope of the problems the Department has experienced in the formulation of its IT plans.

We identified relevant federal, Department, and component-specific requirements and standards for IT research, studies, plans, and evaluations, and merged the various standards into a generic set of requirements and standards. We requested and obtained documents from the components related to 38 major Department IT projects listed in our inventory, and assessed compliance with the document standards for the major systems in the inventory.

For this audit report, we focused specifically on studies and research that justified the selection of investments in the revised inventory of major IT systems and projects, plans that were developed after the investments were authorized, and evaluations that were performed after systems were implemented. We did not request every document specified by the DOJ SDLC or ITIM Guide, such as early plans that were developed before projects received authorization (system boundary documents) and specification and design documents.¹⁶

To evaluate problems the Department has experienced in planning, we reviewed relevant audit and inspection reports, extending the scope of our audit work to several systems and projects that were not included in the inventory of major systems. We analyzed these evaluations for information about problems the Department has experienced in formulating IT plans.

7. Department of Justice, Office of the Inspector General, Inventory of Major Department of Justice Information System Investments as of Fiscal Year 2006, Audit Report No. 06-25, March 2006.

8. Department of Justice, Office of the Inspector General, Identification and Review of the Department’s Major Information Technology Systems Inventory, Audit Report No. 07-37, June 2007.

9. For our analysis of problems the Department has experienced with planning for IT systems, we included a few additional systems and projects for which we had information about project termination or other problems. These are introduced in Finding 2.

10. In the previously issued OIG report on Identification and Review of the Department’s Major Information Technology Systems Inventory, which provides information on the cost of the Department’s major IT systems, we included the OFC as part of the DEA because the DEA’s unobligated funds developed the OFC. However, in this report we include the OFC as part of the ODAG because the system actually resides in that office.

11. A DOJ Order is a type of directive used to issue Departmental policy and direction for administrative matters.

12. Enterprise Architecture (EA) is a blueprint that explains and guides how an organization’s IT and information management elements work together to accomplish the mission of the organization. An EA addresses business activities and processes, data sets and information flows, applications and software, and technology.

13. The Clinger-Cohen Act is Division E of the National Defense Authorization Act for Fiscal Year 1996.

14. ITIM processes help identify needed IT projects, select new projects, and track and oversee project costs and schedules.

15. The U.S. Marshals Service (USMS) also developed its own SDLC, but there were no USMS systems in the revised inventory used as the basis for this audit.

16. Although a case can be made that all these documents are planning documents, it was not feasible in the course of one audit to assess entire documentation libraries for multiple projects.