The Status of Enterprise Architecture and Information Technology
Investment Management in the Department of Justice
Audit Report 06-02
Office of the Inspector General
To more effectively manage its Information Technology (IT) investments in compliance with legislation and regulations, the Department of Justice (Department) is in the early stages of developing Enterprise Architecture and Information Technology Investment Management (ITIM) processes. An Enterprise Architecture is a strategic information asset base that defines the organization's mission, the information and technologies necessary to perform the mission, and the transitional processes for implementing new technologies in response to changing mission needs. Enterprise Architectures provide explicit structural frames of reference that allow an understanding of: (1) what the enterprise does; (2) when, where, how, and why it does it; and (3) what it uses to do it. An ITIM process enables an organization to manage its IT investments by continuous identification, selection, control, life-cycle management, and evaluation. This structured process provides a systematic method for agencies to minimize risks while maximizing the return on its IT investments.
We performed this audit to determine if the Department is effectively managing its Enterprise Architecture and ITIM efforts. The Department's IT budget for fiscal year (FY) 2005 is $2.2 billion for 320 systems, including 22 major systems that cross-cut more than one organizational component of the Department. The Department continues to face significant challenges in ensuring that its IT systems are developed and deployed in a timely and cost-effective manner. For example, IT systems planning and utilization is one of the Department's top ten management challenges. Further, the management of the Department's IT investments has been a material weakness since FY 2002.
Congress enacted the Information Technology Management Reform Act of 1996 (known as the Clinger-Cohen Act) to address longstanding problems related to federal IT management. The Clinger-Cohen Act requires the head of each federal agency to implement a process that maximizes the value of agency IT investments and assesses and manages acquisition risks. A key goal of the Act is to ensure that agencies implement IT projects at acceptable costs and within reasonable timeframes. Under Clinger-Cohen, IT projects are to contribute to tangible and observable improvements in the mission performance of each agency. The act also requires the Chief Information Officer (CIO) of each agency to develop, maintain, and facilitate the implementation of Enterprise Architectures as a means of integrating business processes with agency goals. The Office of Management and Budget (OMB) has also issued guidance on IT management (Circular A-130), which requires each federal agency to establish and maintain a capital planning and investment control process for IT.
The Department has not yet established an Enterprise Architecture or ITIM processes and therefore is not in compliance with the Clinger-Cohen Act, OMB guidance, and Department regulations. However, the Department is actively developing and implementing new frameworks aimed at establishing an Enterprise Architecture and ITIM processes. Also, some Department components, such as the Federal Bureau of Investigation (FBI) and the Drug Enforcement Administration (DEA), have made progress in developing component-level Enterprise Architectures and ITIM processes.
The Department's Justice Management Division, which manages the Department's cross-cutting systems and 20 of its own operational and administrative systems, began work in 1999 on developing an Enterprise Architecture and ITIM processes, but these efforts were overtaken by higher priority work on the broader Department-level Enterprise Architecture and ITIM processes. Previous attempts by the Department to develop an Enterprise Architecture and ITIM processes using established frameworks were troubled with false starts and a lack of focus and direction. The Department now anticipates that its current efforts to complete an Enterprise Architecture and fully implement ITIM processes will take several years. Without an established, comprehensive Enterprise Architecture and mature ITIM processes in place, the Department risks investing in IT systems that may be duplicative, poorly integrated, and costly to maintain.
The Department's Enterprise Architecture efforts began in 1999. These efforts have suffered from a lack of institutional commitment and a changing perception of the composition and priority of a Department Enterprise Architecture. After several years spent attempting to develop an Enterprise Architecture using generally accepted frameworks, the Department decided to develop its own approach tailored to the Department's needs. Under a two-tiered approach, the Department's Justice Management Division (JMD) is responsible for developing Enterprise Architecture for the major IT systems that span multiple Department components, while component-specific IT systems will be covered by Enterprise Architectures developed by the respective Department components. Together, these two levels of architectures will comprise a comprehensive Department Enterprise Architecture. JMD needs to oversee and coordinate the component-level Enterprise Architecture efforts to ensure they contribute to the formation of the Department's Enterprise Architecture. However, to date the Department has provided little oversight of the components' development of Enterprise Architectures.
JMD is developing a framework, called the Capability Delivery Model, to establish its Enterprise Architecture. The Department expects to complete the framework in late FY 2005 and the resulting Enterprise Architecture by late FY 2009. According to Department officials, the Capability Delivery Model will not be as high-level as the commonly used Federal Enterprise Architecture Framework (FEAF), but rather is intended to be more useful and relevant to day-to-day operations of the Department while containing the basic elements of the FEAF. The Department expects the Enterprise Architecture developed through the framework to cover the Department's major, cross-cutting IT systems and enable the Department to more effectively and efficiently manage its current and future IT infrastructure and applications. The Department estimated spending approximately $1 million on Enterprise Architecture efforts in FY 2004 and predicts spending approximately $1.1 million in FY 2005. However, Department officials were unable to provide us with specific expenditures related to the cost of Enterprise Architecture efforts from FY 1999 to 2004.
In April 2003, the U.S. Government Accountability Office (GAO), in collaboration with the OMB and the CIO Council, published an Enterprise Architecture framework.1 The GAO framework provides measures to aid in assessing the progress of an organization's Enterprise Architecture efforts. The GAO framework describes five stages of Enterprise Architecture maturity and details the elements needed to achieve each stage.
Applying the GAO five-stage framework to assess what the Department has achieved toward developing its Enterprise Architecture, we found that the Department has completed six of the nine elements to reach a Stage 2 maturity level. The Department has adequate resources; a program office responsible for Enterprise Architecture development and maintenance; a Chief Architect; an Enterprise Architecture framework and methodology; plans for current, target, and transitional architectures in terms of business, performance, information, application, and technology; and application of security within each architectural area. The Department does not have a Department-wide committee responsible for directing, overseeing, and approving the Enterprise Architecture; an automated tool; or metrics for measuring Enterprise Architecture progress, quality, compliance, and return on investment.
The Department has made progress toward attaining Stage 3 maturity. The Department has worked on developing a process for the establishment of current, target, and transition architectures. However, the Department lacks a written and approved policy for Enterprise Architecture development, implementation, and maintenance. In addition, the Department must ensure that when completed, all Enterprise Architecture products undergo configuration management.2
To attain Stage 4 maturity, the Department must complete additional work before the Enterprise Architecture can be used as intended - to drive sound IT investments that are consistent with the Department's goals and missions. The Department is working on a current architecture, transition plan, and target architecture, which it plans to complete by FY 2009.
To reach the Stage 5 level of a fully mature Enterprise Architecture, an organization must use its Enterprise Architecture to drive IT investments and ensure systems' interoperability. The Department cannot meet Stage 5 requirements of the Enterprise Architecture Management Framework until it completes its Enterprise Architecture.
The foundation of the Department's Enterprise Architecture lies in its IT infrastructure. A consolidated infrastructure will aid the Capability Architecture effort by providing a common conceptual framework to support technical interoperability, defining a common Department vocabulary, and providing a high-level description of the IT deployed throughout the Department. We found that the Department is developing the elements of a consolidated infrastructure through pilot programs.
Completion of a clear and comprehensive Department Enterprise Architecture will require a collaborative effort between the Department and the major Department components. The two-tiered architecture envisioned by the Department will require components to contribute Enterprise Architectures that encompass component-specific IT systems, which are not included in the Department's cross-cutting Capability Architectures. However, some components have been independently developing Enterprise Architectures for several years at considerable cost - $26.7 million in FY 2004 - without substantive or consistent Department-level guidance or monitoring. While focusing on a Department-wide Enterprise Architecture methodology, the Department has not provided sufficient direction to ensure that components' Enterprise Architecture efforts are consistent with, and meet the needs of, the overall Department Enterprise Architecture. Also, the Department has not tracked the development of components' Enterprise Architectures, validated those Enterprise Architectures that have been developed, or ensured that Enterprise Architectures are kept current.
However, the Department has begun work to improve its oversight and guidance in this area. For example, an Enterprise Architecture Program Management Plan, completed June 2005, discusses the Department's Enterprise Architecture organization, interaction between the components and the Department, the need for a Department-wide Enterprise Architecture tool, and components' use of the FEAF.
Information Technology Investment Management
A key objective of the Clinger-Cohen Act is to ensure that agencies implement processes for maximizing the value of IT investments and for assessing and managing the risks of IT acquisitions. To accomplish this objective, agencies must establish processes to ensure that IT projects are being implemented at acceptable costs and within reasonable timeframes, and that the projects are contributing to tangible, observable improvements in mission performance. Additionally, OMB Circular A-130 requires each federal agency to establish and maintain a capital planning and investment control process for IT. The Department is in the early stages of developing a Department-wide ITIM to share IT information, data, and infrastructure. Some Department components have developed or are developing their own ITIM processes, although the Department does not have overall information regarding the cost or status of these efforts.
Prior to FY 2004, the Department was not making investment decisions consistent with the development of a cohesive Department IT portfolio. Instead, the Department reviewed component IT concept proposals and budget requests to ensure alignment with the Department's 2002 IT Strategic Plan. In 2002, the Department initiated ITIM policies and procedures to comply with Clinger-Cohen but found the components were making slow progress in developing their ITIM processes. In October 2004, the Department issued a framework for developing ITIM processes, called the IT Strategic Management (ITSM) Framework. The Department expects the ITSM Framework to lead to a Department-level ITIM and a high level of IT leadership and centralization of IT functions. The ITSM is intended to encompass all IT investments of the Department by providing direction to the larger components on what investment strategies to take, while also providing ITIM processes for smaller components where creating complete ITIM processes is impractical.
The Department's ITSM Framework consists of three phases: IT Planning, IT Funding and Architecture, and IT Investment Oversight.
With the implementation of the ITSM beginning in 2004, the Department's approach to IT management has begun to change from a decentralized to a more centralized approach. According to a Department official, the Department plans to take a more integrated approach and to focus more on IT management at the Department level. This new vision has resulted in a more proactive role by the Department in matching technology to identified business needs.
The ITSM framework is emphasizing the Department's oversight role to ensure that components' ITIM processes and investments are aligned with those of the Department. The Department's initial oversight of component ITIMs began in March 2001 with DOJ Order 2880.1A, which requires components to have an ITIM process. Initially the Department required components to submit their ITIM methodologies for review, but this oversight of components' ITIM processes was abandoned in 2002. After 2002, the Department changed its focus from the investment process to the investments and IT products themselves, and priorities became product-oriented instead of process-oriented. As a result of the ITSM, the Department is now refocusing on the investment process. However, the Department's current oversight effort centers almost exclusively on the FBI's ITIM, because the FBI's IT budget is the largest of the Department's components. While the Oversight Phase in the ITSM framework will be used to supervise components' IT projects, currently there is no Departmental oversight or approval of ITIM processes other than the FBI's.
We found that although the Department is in the process of developing both an Enterprise Architecture and ITIM processes based on Department-developed frameworks, it is not yet in full compliance with the Clinger-Cohen Act, OMB guidance, or Department regulations. However, at this early stage of development, we believe the methodologies being implemented by the Department - the Capability Delivery Model for an Enterprise Architecture and the ITSM framework for ITIM - will comply with the requirements of Clinger-Cohen and OMB A-130, if brought to completion as planned. The Department has also begun to improve its oversight and guidance of the components' Enterprise Architectures and ITIM processes. However, additional oversight of the components is needed to ensure the success of the Capability Delivery Model and the ITSM framework.
In this report, we make seven recommendations for improving the Department's IT management. The recommendations are: