Federal Bureau of Investigation's Management of Information Technology Investments
Report No. 03-09
December 2002
Office of the Inspector General
| Category | Element | Rating (values: Compliant, Partially Compliant, Non-Compliant) | Comments |
|---|---|---|---|
| Policy/General | calls for the creation of an enterprise-wide IT investment review board tasked with oversight and decision-making responsibility over all investments in the organization’s investment portfolio | Compliant | |
| | establishes and maintains a comprehensive investment portfolio that includes all IT investments regardless of size, type, status, or source of funding | Compliant | |
| | establishes a clear policy of endorsing IT investments based on their ability to meet the organization’s mission and strategic goals and priorities | Compliant | |
| | follows the select/control/evaluate ITIM model recommended by OMB, GAO, and DOJ | Compliant | |
| | requires that the ITIM process be tied to and executed concurrently with the IT software development life cycle | Compliant | |
| | provides mechanisms for expeditious reporting of current or historical investment information | Compliant | |
| | for organizations that plan to create multiple IT investment boards along business or functional lines, establishes rules and procedures for: properly aligning IT investments with functional-level investment review boards and their portfolios; subjecting all portfolio decisions made by lower-level investment boards to final approval by an enterprise-level investment review board; assigning the enterprise-level investment review board the responsibility of identifying and controlling IT investments having enterprise scope due to their importance, size, cost, risk, or crosscutting nature | N/A | |
| | endorses the acquisition and use of tools to facilitate the ITIM process | Compliant | |
| | defines major, crosscutting, and significant IT investments subject to DOJ CIO review in a manner that is consistent with DOJ policy | Compliant | Not expressly stated in the process plan but acknowledged by submission of recent Exhibit 300/53s |
| Select Phase | establishes a structured, managed, and documented process for rating, ranking, and selecting IT projects for investment | Compliant | |
| | establishes a structured and managed process for developing new IT proposals | Compliant | |
| | establishes requirements and procedures for documenting new investment proposals, including: a concept of design and operation; impact on the organization’s business functions and external entities; measured impact on mission, strategic goals, and priorities; comprehensive and detailed life-cycle costs; a realistic and defensible benefit/cost analysis consistent with OMB and GAO guidelines; a risk management plan; an acquisition plan; documentation that confirms consistency with mandated security and architectural requirements; a detailed consideration of alternatives that emphasizes return on investment | Compliant | |
| | establishes a minimum return on investment “hurdle” that must be met by any new project in order to be eligible for consideration | Partially Compliant | The document is ambiguous on this |
| | requires the consideration of COTS products and the products or services of other government or commercial entities as alternatives to in-house development of a new investment proposal | Compliant | |
| | establishes standardized, quantitative criteria for rating, ranking, and selecting investments in a consistent and uniform manner | Partially Compliant | FBI is currently working on its rating criteria. Est. completion date: 03-31-2002 |
| | includes and gives considerable weight to selection factors that are linked directly to the organization’s mission and strategic goals | Partially Compliant | Acknowledged in principle; FBI is currently working on its selection criteria. Est. completion date: 03-31-2002 |
| | includes as a selection factor overall cost vs. budget availability | Partially Compliant | FBI is currently working on its selection criteria. Est. completion date: 03-31-2002 |
| | includes as a selection factor the technical scope and complexity of the proposal and the organization’s demonstrated ability to develop, implement, and manage projects similar in scope and complexity | Partially Compliant | FBI is currently working on its selection criteria. Est. completion date: 03-31-2002 |
| | includes as a selection factor a project’s adherence to the mandated enterprise architecture requirements | Compliant | Acknowledged in principle in the document |
| | includes as a selection factor a project’s adherence to mandated security requirements | Compliant | Acknowledged in principle in the document |
| | provides for the creation and maintenance of documentary evidence that supports the rating, ranking, and selection of each investment in the portfolio | Compliant | |
| | requires that the cost, benefits, schedule, and risks of each investment are defined in a detailed and consistent manner and are supported by ample documentation | Compliant | |
| | for projects that are selected for investment, establishes procedures and requirements for creating cost, schedule, and performance baselines that will be compared later to actual cost, schedule, performance, and mitigation of risks | Compliant | |
| | for projects that are selected for investment, establishes requirements and procedures for: creating a project management team to manage the investment throughout its life cycle, whose membership includes representatives from all groups in the organization having a stake in the project’s success or failure; preparing a project management plan to be followed by the project management team throughout the life cycle of the project; coordinating project acquisitions with the organization’s acquisition staff; coordinating project funding and reporting with the organization’s budget staff | Compliant | |
| | requires the creation of an independent verification and validation plan for all approved projects | Compliant | QA/testing project teams that are independent of development teams will define and execute these plans |
| Control Phase | establishes procedures for executing the project management plan | Compliant | Part of existing FBI SDLC |
| | establishes requirements and procedures for calculating and documenting accurate and up-to-date project costs at prescribed intervals | Compliant | |
| | establishes requirements and procedures for documenting project progress using key milestones and work breakdown schedules | Compliant | |
| | establishes a requirement and procedures for employing standard earned value management techniques for managing and assessing contracted services | Compliant | Not explicitly stated but part of current SDLC requirements |
| | establishes requirements and procedures for regular project reviews that compare current project costs, benefits, risk management, adherence to schedule, and performance measures to the baselines developed in the select phase, and that communicate the results of the reviews to the project stakeholders, the investment review board, and other entities having investment oversight responsibility | Compliant | |
| | establishes reasonable baseline deviation tolerances that will be used to identify projects that are performing satisfactorily, marginally, or unsatisfactorily | Partially Compliant | Deviation tolerances based on evaluation criteria still under development. Est. completion date: 03-31-2002 |
| | establishes procedures for taking corrective action or terminating projects that deviate from baselines | Compliant | |
| | establishes requirements and procedures for subjecting all projects in the control phase to the rating, ranking, and selection processes of the select phase at prescribed intervals | Compliant | |
| | establishes requirements, procedures, and mechanisms for producing required reports and communicating them to entities having project or portfolio oversight responsibility | Compliant | |
| | establishes a requirement that projects in the portfolio be approved for deployment by the project management group and the investment review board | Compliant | Part of SDLC process |
| | requires that periodic deployment progress reports be prepared and communicated to the project management group, the investment review board, and other entities having oversight responsibility | Compliant | Falls under FBI’s generic definition of PIR |
| Evaluate Phase | establishes a requirement that a post-implementation review be conducted of each investment after it is fully deployed and in use | Compliant | |
| | establishes requirements and procedures for creating and communicating to oversight entities post-implementation review reports that assess actual costs, benefits, and performance and compare them to corresponding baseline measures | Compliant | |
| | establishes a requirement for producing user surveys, when applicable, in order to determine if and to what degree the project is meeting the needs of the users | Compliant | |
| | establishes procedures for taking corrective action or terminating projects that deviate from baselines or that are not meeting the strategic needs of the organization | Compliant | |
| | establishes a means of applying lessons learned in the selection, planning, development, deployment, and evaluation of the project in order to improve the ITIM and SDLC processes | Compliant | |
| | establishes a requirement for conducting periodic operational reviews to assess the effectiveness of the investment in terms of cost, benefits, and performance, its adherence to enterprise architecture models and security requirements, and its ability to meet the organization’s evolving mission goals and priorities | Compliant | Falls under the umbrella of FBI’s generic definition of PIR |
| | establishes a requirement that each project in the Evaluate phase be subjected again to the rating, ranking, and selection processes of the ITIM select phase at prescribed intervals so that a decision can be made on continued funding | Compliant | |
| | establishes requirements, procedures, and mechanisms for producing required reports about the investments in the evaluation phase and communicating this information to entities having project or portfolio oversight responsibility | Compliant | |
| | establishes a requirement that a plan be developed for disposing of or replacing an IT asset when it no longer meets the needs of the organization | Partially Compliant | Decision on disposal mentioned but not a plan. |