
Information Technology: FBI Needs an Enterprise Architecture to Guide Its Modernization Activities

GAO-03-959 Published: Sep 25, 2003. Publicly Released: Sep 25, 2003.

Highlights

The Federal Bureau of Investigation (FBI) is in the process of modernizing its information technology (IT) systems. Replacing much of its 1980s-based technology with modern system applications and a robust technical infrastructure, this modernization is intended to enable the FBI to take an integrated approach--coordinated agencywide--to performing its critical missions, such as federal crime investigation and terrorism prevention. GAO was requested to conduct a series of reviews of the FBI's modernization management. The objective of this first review was to determine whether the FBI has an enterprise architecture to guide and constrain modernization investments.

Recommendations

Recommendations for Executive Action

Agency Affected: Federal Bureau of Investigation
Recommendation: The FBI Director should immediately designate EA development, maintenance, and implementation as an agency priority and manage it as such. To this end, the Director should ensure that appropriate steps are taken to develop, maintain, and implement an EA in a manner consistent with our architecture management framework. This includes first laying an effective EA management foundation by (1) ensuring that all business partners are represented on the architecture governance board; (2) adopting an architecture development methodology and automated tool; (3) establishing an EA program office that is accountable for developing the EA; (4) tasking the program office with developing a management plan that specifies how and when the EA is to be developed and issued; (5) ensuring that the management plan provides for the bureau's "as-is" and "to-be" environments, as well as a sequencing plan for transitioning from the "as-is" to the "to-be"; (6) ensuring that the management plan also describes the enterprise in terms of business, data, applications, and technology; (7) ensuring that the plan also calls for describing the security related to the business, data, and technology; (8) ensuring that the plan establishes metrics for measuring EA progress, quality, compliance, and return on investment; and (9) allocating the necessary funding and personnel to EA activities.
Status: Closed – Implemented
In September 2003, the FBI Director designated EA development, maintenance, and implementation a bureau priority, and, in early September 2005, the bureau began taking the necessary steps to lay an effective EA management foundation. For example, the bureau established an Enterprise Architecture Board with division representatives (among others) to direct, oversee, and approve the EA. In addition, the bureau adopted a framework and automated tool (Popkin) for its enterprise architecture repository. Further, it established a program office, with responsibility for the development, implementation, and maintenance of the EA. Moreover, this office developed a program management plan in October 2004 that specifies how and when the EA is to be developed and issued; provides for the bureau's "as-is" and "to-be" environments, as well as a sequencing plan for transitioning from the "as-is" to the "to-be"; calls for describing the enterprise in terms of business, data, applications, and technology, including describing security related to each; and establishes metrics for measuring EA progress, quality, compliance, and return on investment. More recently, the bureau has adopted an EA methodology and allocated the necessary resources for the bureau's EA activities.

Agency Affected: Federal Bureau of Investigation
Recommendation: Next, the Director should ensure that steps to develop the architecture products include (1) establishing a written and approved policy for EA development; (2) placing EA products under configuration management; (3) ensuring that EA products describe the enterprise's business, as well as the data, applications, and technology that support it; (4) ensuring that EA products describe the "as-is" environment, the "to-be" environment, and a sequencing plan; (5) ensuring that business, performance, data, application, and technology descriptions address security; and (6) ensuring that progress against EA plans is measured and reported.
Status: Closed – Implemented
In early September 2005, we reported (in Information Technology, FBI Is Taking Steps to Develop an Enterprise Architecture, but Much Remains to be Developed, GAO-05-363) that the FBI had a written and approved policy for EA development, and that EA products, such as the program management plan, have been placed under configuration management. We also reported that the bureau is in the process of developing its "as-is" and "to-be" architectures which describe the enterprise's business, performance, data, applications and technology, including descriptions for security services. Further, we reported that the bureau's EA products are to describe the "as-is" environment, the "to-be" environment, and a sequencing plan. In addition, we reported that the FBI is measuring and reporting progress against EA plans.

Agency Affected: Federal Bureau of Investigation
Recommendation: In addition, the Director should ensure that steps to complete architecture products include (1) establishing a written and approved policy for EA maintenance; (2) ensuring that EA products and management processes undergo independent verification and validation; (3) ensuring that EA products describe the enterprise's business and the data, application, and technology that supports it; (4) ensuring that EA products describe the "as-is" environment, the "to-be" environment, and a sequencing plan; (5) ensuring that business, performance, data, application, and technology descriptions address security; (6) ensuring that the Chief Information Officer approves the EA; (7) ensuring that the steering committee and/or the investment review board has approved the current version of the EA; and (8) measuring and reporting on the quality of EA products.
Status: Closed – Implemented
In early September 2005, we reported that the FBI hired a contractor to begin performing independent verification and validation on EA products and management processes. Since that time, independent verification and validation of EA products and management processes has occurred. In addition, the bureau established a plan that addresses EA maintenance. Further, the FBI's EA Baseline Architecture, the EA Target Architecture, and to a limited extent, the FBI Transition & Sequencing Plan specify a number of critical products, such as descriptions of the bureau's business, data, applications, and technology, as well as the "as-is" and "to-be" environments. A number of EA products have been approved by the CIO and relevant oversight committees within the bureau, such as the Enterprise Architecture Board. In addition, the FBI defined measures and metrics for its EA work and reports that it is instituting regular reporting on progress against those metrics.

Agency Affected: Federal Bureau of Investigation
Recommendation: Further, the Director should ensure that steps taken to use the EA to manage modernization efforts include (1) establishing a written and approved policy for IT investment compliance with EA, (2) establishing processes to formally manage EA changes, (3) ensuring that EA is an integral component of IT investment management processes, (4) ensuring that EA products are periodically updated, (5) ensuring that IT investments comply with the EA, (6) obtaining Director approval of the current EA version, (7) measuring and reporting EA return on investment, and (8) measuring and reporting on EA compliance.
Status: Closed – Implemented
In early September 2005, we reported that the bureau had established a written policy for IT investment compliance with its EA (recommendation element 1), and had developed a configuration management plan, which defines a process to formally manage change. Since that time, the FBI CIO developed an IT Investment Management Process that makes EA part of IT investment management, ensures that EA products are updated, and that explicitly evaluates IT investment based on EA compliance. In addition, the FBI Director approved several of the current EA documents, including the FBI EA Target Architecture. Moreover, the FBI reports that it is instituting regular reporting on the return on its EA investments, although we have yet to receive documentation demonstrating actual measurement and reporting. Further, a number of relevant EA documents have been approved by the FBI Director.

Agency Affected: Federal Bureau of Investigation
Recommendation: Finally, the Director should ensure that the bureau develops and implements an agency strategy for mitigating the risks associated with continued investment in modernized systems before it has an EA and controls for implementing it.
Status: Closed – Implemented
According to FBI's CIO, the bureau has developed and implemented a strategy for mitigating the risks associated with continued investment absent its EA. The strategy calls for the CIO and the enterprise architecture board (EAB) to review all IT proposals and investments to ensure alignment with the bureau's EA vision--a set of foundational principles. In addition, the bureau reports it has begun implementing the strategy on its IT investments. For example, according to the CIO, in June 2004, he and the board reviewed five proposed investments for consistency with the bureau's EA vision. Further, the CIO stated that as EA products evolve and are delivered, the bureau plans to use them to guide and constrain IT investment decision-making, which our review of EAB minutes shows is happening.

Topics

Best practices; Enterprise architecture; Federal intelligence agencies; Information resources management; Information technology; Law enforcement information systems; Strategic information systems planning; Systems conversions; Federal enterprise architecture framework; Systems modernization