
Federal Bureau of Investigation's Management of Information Technology Investments

Report No. 03-09
December 2002
Office of the Inspector General


APPENDIX IV

JMD’S ASSESSMENT OF THE FBI’S ITIM PROCESS

Columns: Category; Element; Rating (values: Compliant, Partially Compliant, Non-Compliant)
Policy/General calls for the creation of an enterprise-wide IT investment review board tasked with oversight and decision-making responsibility over all investments in the organization’s investment portfolio Compliant
  establishes and maintains a comprehensive investment portfolio that includes all IT investments regardless of size, type, status, or source of funding Compliant
  establishes a clear policy of endorsing IT investments based on their ability to meet the organization’s mission and strategic goals and priorities Compliant
  Follows the select/control/evaluate ITIM model recommended by OMB, GAO, and DOJ Compliant
  requires that the ITIM process be tied to and executed concurrently with the IT software development life cycle Compliant
  provides mechanisms for expeditious reporting of current or historical investment information Compliant
  for organizations that plan to create multiple IT investment boards along business or functional lines, establishes rules and procedures for:
- properly aligning IT investments with functional level investment review boards and their portfolios
- subjecting all portfolio decisions made by lower-level investment boards to final approval by an enterprise level investment review board
- assigning the enterprise level investment review board with the responsibility of identifying and controlling IT investments having enterprise scope due to their importance, size, cost, risk, or crosscutting nature
N/A
  endorses the acquisition and use of tools to facilitate the ITIM process Compliant
  defines major, crosscutting, and significant IT investments subject to DOJ CIO review that is consistent with DOJ policy Compliant

Not expressly stated in the process plan but acknowledged by submission of recent Exhibit 300/53s
     
Select Phase establishes a structured, managed, and documented process for rating, ranking, and selecting IT projects for investment Compliant
  establishes a structured and managed process for developing new IT proposals Compliant
  establishes requirements and procedures for documenting new investment proposals including:
- a concept of design and operation
- impact on the organization’s business functions and external entities
- measured impact on mission, strategic goals, and priorities
- comprehensive and detailed life-cycle costs
- a realistic and defensible benefit/cost analysis consistent with OMB and GAO guidelines
- a risk management plan
- an acquisition plan
- documentation that confirms consistency with mandated security and architectural requirements
- a detailed consideration of alternatives that emphasizes return on investment
Compliant
  establishes a minimum return on investment “hurdle” that must be met by any new project in order to be eligible for consideration Partially Compliant

The document is ambiguous on this
  requires the consideration of COTS products and the products or services of other government or commercial entities as alternatives to in-house development of a new investment proposal Compliant
  establishes standardized, quantitative criteria for rating, ranking, and selecting investments in a consistent and uniform manner Partially Compliant

FBI is currently working on its rating criteria.
Est. Completion date: 03-31-2002
  includes and gives considerable weight to selection factors that are linked directly to the organization’s mission and strategic goals Partially Compliant

Acknowledged in principle; FBI is currently working on its selection criteria.
Est. Completion date: 03-31-2002
  includes as a selection factor overall cost vs. budget availability Partially Compliant

FBI is currently working on its selection criteria
Est. Completion date: 03-31-2002
  includes as a selection factor the technical scope and complexity of the proposal and the organization’s demonstrated ability to develop, implement, and manage projects similar in scope and complexity Partially Compliant

FBI is currently working on its selection criteria.
Est. Completion date: 03-31-2002
  includes as a selection factor a project’s adherence to the mandated enterprise architecture requirements Compliant

Acknowledged in principle in the document
  includes as a selection factor a project’s adherence to mandated security requirements Compliant
Acknowledged in principle in the document
  provides for the creation and maintenance of documentary evidence that supports the rating, ranking, and selection of each investment in the portfolio Compliant
  requires that the cost, benefits, schedule, and risks of each investment are defined in a detailed and consistent manner and are supported by ample documentation Compliant
  for projects that are selected for investment, establishes procedures and requirements for creating cost, schedule, and performance baselines that will be compared later to actual cost, schedule, performance, and mitigation of risks Compliant
  for projects that are selected for investment, establishes requirements and procedures for:
- creating a project management team to manage the investment throughout its life cycle whose membership includes representatives from all groups in the organization having a stake in the project’s success or failure
- preparing a project management plan to be followed by the project management team throughout the life cycle of the project
- coordinating project acquisitions with the organization’s acquisition staff
- coordinating project funding and reporting with the organization’s budget staff
Compliant
  requires the creation of an independent verification and validation plan for all approved projects Compliant

QA/testing project teams that are independent of development teams will define and execute these plans
     
Control Phase establishes procedures for executing the project management plan Compliant

Part of existing FBI SDLC
  establishes requirements and procedures for calculating and documenting accurate and up-to-date project costs at prescribed intervals Compliant
  Establishes requirements and procedures for documenting project progress using key milestones and work breakdown schedules Compliant
  Establishes a requirement and procedures for employing standard earned value management techniques for managing and assessing contracted services Compliant

Not explicitly stated but part of current SDLC requirements
  establishes requirements and procedures for regular project reviews that compare current project costs, benefits, risk management, adherence to schedule, and performance measures to the baselines developed in the select phase, and that communicate the results of the reviews to the project stakeholders, the investment review board, and other entities having investment oversight responsibility Compliant
  establishes reasonable baseline deviation tolerances that will be used to identify projects that are performing satisfactorily, marginally, or unsatisfactorily Partially Compliant

Deviation tolerances based on evaluation criteria still under development.

Est. Completion date: 03-31-2002
  establishes procedures for taking corrective action or terminating projects that deviate from baselines Compliant
  establishes requirements and procedures for subjecting all projects in the control phase to the rating, ranking, and selection processes of the select phase at prescribed intervals Compliant
  establishes requirements, procedures, and mechanisms for producing required reports and communicating them to entities having project or portfolio oversight responsibility Compliant
  establishes a requirement that projects in the portfolio be approved for deployment by the project management group and the investment review board Compliant

Part of SDLC process
  requires periodic deployment progress reports be prepared and communicated to the project management group, the investment review board, and other entities having oversight responsibility Compliant

Falls under FBI’s generic definition of PIR
     
Evaluate Phase establishes a requirement that a post implementation review be conducted of each investment after it is fully deployed and in use Compliant
  establishes requirements and procedures for creating and communicating to oversight entities post implementation review reports that assess actual costs, benefits, and performance and compare them to corresponding baseline measures Compliant
  establishes a requirement for producing user surveys when applicable in order to determine if and to what degree the project is meeting the needs of the users Compliant
  establishes procedures for taking corrective action or terminating projects that deviate from baselines or that are not meeting the strategic needs of the organization Compliant
  establishes a means of applying lessons learned in the selection, planning, development, deployment, and evaluation of the project in order to improve the ITIM and SDLC processes Compliant
  establishes a requirement for conducting periodic operational reviews to assess the effectiveness of the investment in terms of cost, benefits, and performance, its adherence to enterprise architecture models and security requirements, and its ability to meet the organization’s evolving mission goals and priorities Compliant

Falls under the umbrella of FBI’s generic definition of PIR
  establishes a requirement that each project in the Evaluate phase be subjected again to the rating, ranking, and selection processes of the ITIM select phase at prescribed intervals so that a decision can be made on continued funding Compliant
  establishes requirements, procedures, and mechanisms for producing required reports about the investments in the evaluation phase and communicating this information to entities having project or portfolio oversight responsibility Compliant
  establishes a requirement that a plan be developed for disposing or replacing an IT asset when it no longer meets the needs of the organization Partially Compliant

Decision on disposal mentioned but not a plan.