Federal Bureau of Investigation's Comments on Recent GAO Report  
on its Enterprise Architecture Efforts (14-NOV-03, GAO-04-190R). 
                                                                 
On September 25, 2003, we issued our report on efforts by the	 
Federal Bureau of Investigation (FBI) to develop a corporate	 
blueprint--commonly called an enterprise architecture--to guide  
and constrain its information technology (IT) systems		 
modernization. (This report is available on GAO's Web site at	 
www.gao.gov/cgi-bin/getrpt?GAO-03-959.) We provided the FBI with 
a draft of this report on August 22, 2003, requesting that	 
comments be provided by September 18. On September 23, the FBI	 
provided us with written comments. However, the comments were not
received in time to be analyzed, incorporated, and responded to  
in the report and still meet our September 25, 2003, reporting	 
commitment to Congress. As discussed with Congress at that time, 
we did not extend the reporting date in order to include the	 
FBI's comments and instead are transmitting and responding to	 
them in this follow-up correspondence.				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-04-190R					        
    ACCNO:   A08863						        
  TITLE:     Federal Bureau of Investigation's Comments on Recent GAO 
Report on its Enterprise Architecture Efforts			 
     DATE:   11/14/2003 
  SUBJECT:   Information resources management			 
	     Information systems				 
	     Information technology				 
	     Strategic planning 				 
	     Enterprise architecture				 

GAO-04-190R

United States General Accounting Office Washington, DC 20548

November 14, 2003

The Honorable Porter J. Goss
Chairman, Permanent Select Committee on Intelligence
House of Representatives

The Honorable Nancy Pelosi
House of Representatives

The Honorable Bob Graham
United States Senate

The Honorable Richard C. Shelby
United States Senate

Subject: Federal Bureau of Investigation's Comments on Recent GAO Report
on its Enterprise Architecture Efforts

On September 25, 2003, we issued our report on efforts by the Federal
Bureau of Investigation (FBI) to develop a corporate blueprint--commonly
called an enterprise architecture--to guide and constrain its information
technology (IT) systems modernization.[1] (This report is available on GAO's
Web site at www.gao.gov/cgi-bin/getrpt?GAO-03-959.) We provided the FBI
with a draft of this report on August 22, 2003, requesting that comments
be provided by September 18. On September 23, the FBI provided us with
written comments. However, the comments were not received in time to be
analyzed, incorporated, and responded to in the report and still meet our
September 25, 2003, reporting commitment to you. As discussed with your
offices at that time, we did not extend the reporting date in order to
include the FBI's comments and instead are transmitting and responding to
them in this follow-up correspondence.

In its written comments signed by the Assistant Director, Inspection
Division (which are reprinted in their entirety in the enclosure), the FBI
made two primary points. First, it expressed its commitment to developing
and using an enterprise architecture (EA), including (1) agreeing with our
conclusion that it needs an architecture to effectively manage its IT
systems modernization; (2) consistent with our recommendations, stating
that it recognized the need for immediate attention to its architecture
efforts; and (3) noting that it was managing its architecture effort as an
IT modernization enabler and priority.

[1] U.S. General Accounting Office, Information Technology: FBI Needs an
Enterprise Architecture to Guide Its Modernization Activities, GAO-03-959
(Washington, D.C.: Sept. 25, 2003).


Related to this first point, the FBI also stated that it has efforts
currently under way to improve its EA posture, and that substantial and
real progress has already been made in doing so. For example, it stated
that an executive team had been established to (1) assess the bureau's EA
status and resource needs using our EA maturity management framework[2] and
(2) formulate recommendations for improvement. Although the FBI's comments
did not specify when it would complete the assessment, it did state that
the necessary resources would be applied to architecture development,
maintenance, and implementation following the results of the assessment.
To illustrate its progress, the FBI stated that it had

o  	completed and approved what it referred to as an EA foundation
document which, according to its comments, contains an architecture
approach based on 55 principles spanning 10 categories of bureau
activities and operations and acknowledges its largest modernization
project (Trilogy) as one enabler for moving from its current architectural
state to its target state;

o  	established key IT modernization management structures and processes,
such as an investment management process that requires all proposed
investments to address EA, a governance board to review investment
proposals and architectural decisions, an application integration board to
ensure that new applications are consistent with the bureau's IT
environment, and change management and control entities to examine and
approve changes to its IT infrastructure;

o  	assigned EA resources, including appointing a chief architect,
assigning staff, and obtaining private-industry expert assistance, to
support its ongoing architecture assessment and development of
architecture products;

o  	established a list of existing systems that had completed security
certification and accreditation;

o  	begun acquiring an automated tool to serve as an architecture
repository, as well as a risk management tool for determining existing
system vulnerabilities and cost-effective risk mitigation steps; and

o  	begun conducting outreach with external parties, such as the Justice
Department, the federal CIO Council, and its intelligence community
partners to, among other things, learn from these entities' EA
experiences.

We support the FBI's stated commitment to architecture development and
use, including its adoption of our maturity framework. Moreover, we
believe that the examples of EA-related activities cited in the bureau's
comments, some of which were subsequent to completion of our audit work,
are steps in the right direction. However, the examples that the FBI cites
do not alter our report's findings and conclusions about the maturity of
the FBI's EA program because they are either already recognized in our
report or they do not fully address the EA management maturity core
elements that our report cites as not being satisfied. Moreover, the
FBI does not currently have a version of an EA to guide and constrain its
ongoing and planned IT investments. Our evaluation and response to each of
the FBI's examples of progress are provided below.

[2] U.S. General Accounting Office, Information Technology: A Framework for
Assessing and Improving Enterprise Architecture Management (Version 1.1),
GAO-03-584G (Washington, D.C.: April 2003).

o  	At the time we completed our audit work, the EA foundation document
was in draft form, and our review of this draft showed that while it
contained information that would be useful in developing a plan for
architecture development, maintenance, and implementation, as well as
information that would be useful in developing architecture artifacts or
products, it did not satisfy the basic content requirements for either an
EA or a plan for developing, implementing, and maintaining one. For
example, neither the draft nor the recently approved version specifies the
tasks, time frames, or responsible parties for actually developing and
completing such architecture products as the business, information/data,
services/applications, technology, and performance reference models, as
well as the security views that should be part of these models.

o  	At the time we completed our audit work, the bureau's EA governance
board did not include all relevant internal stakeholders, such as
representatives from its counterterrorism and counterintelligence
organizational components. As our framework recognizes, enterprisewide
representation and accountability on the architecture governance body is a
critical success factor and a recognized best practice. Since we issued
our report, FBI officials told us that they now have all relevant
stakeholders represented on the board.

o  	Our report recognizes that the bureau had appointed a chief architect
and assigned staff as part of its EA efforts. However, the report also
points out that it began these efforts over 32 months ago, and the level
of commitment and resources devoted to them had neither advanced the FBI
beyond stage 1 of our maturity framework nor produced an EA that could
effectively support the investment and modernization management processes
and structures that the FBI cited as having been established. Moreover, as
we state in the report, the then-chief architect characterized the
bureau's annual commitment of $1 million in resources to these efforts as
"limited," and this amount now appears to be an overstatement.
Specifically, the FBI stated in its comments that it is actually investing
less than this amount in its EA efforts ($285,000 and $500,000 in fiscal
years 2003 and 2004, respectively), but that its fiscal year 2005 budget
request includes a substantial, but unspecified, increase.

o  	Despite the bureau's progress in establishing a listing of existing
systems under security certification and accreditation, which we believe
would be a useful source of information in developing an EA, the
then-chief architect told us that this listing was incomplete and required
management approval before it could serve as a basis for developing the
"as-is" architecture description.

o  	The bureau's comments acknowledge that it is in the process of
acquiring automated EA tools, and thus does not yet satisfy core elements
of our framework related to establishing an EA management foundation.
Further, to augment these tools, the bureau has yet to establish a
methodology that it will follow to create its architecture artifacts,
which is another management foundation core element.

o  	We support the efforts that the FBI cited for outreach to relevant
external stakeholders. Understanding these relationships, and ultimately
defining them in architecture artifacts, should be part of an effectively
managed EA program.

The FBI's second primary comment was that our report was too narrowly
focused and not comprehensive because it was limited to EA and did not
include an assessment of the FBI's other IT management controls and
capabilities. Because our report focused on EA, the bureau said that the
report was premature.

While we agree that the report focuses on the FBI's EA activities, we do
not agree that this is either inappropriate or makes the report premature.
As agreed with your offices, we are in the process of reviewing a wide
range of FBI IT management areas, such as system acquisition capabilities,
IT human capital management, IT investment management practices, and
architecture development and use. As further agreed, we are to report on
these areas incrementally, as appropriate. Our report represents an
appropriate and timely first increment for two principal reasons.

o  	Our experience over the last 10 years in evaluating federal agency IT
management has shown that providing our congressional clients and the
subject agency's leadership team with the results of major segments of our
work as they are available permits more timely corrective action, and thus
better outcomes.

o  	Reporting first on EA in particular, which can be viewed as an
essential link between strategic planning and system
investment/implementation, provides the FBI sooner rather than later with
a comprehensive set of recommendations for effectively making its
architecture efforts more mature in time to influence its ongoing and
planned IT investment/implementation efforts. Any delay on our part in
reporting on this area of strategic importance would only increase the
agency's exposure to modernization risk and postpone your awareness and
understanding of this critical issue. This does not, however, mean that
the FBI should not be pursuing near-term IT upgrades before it completes
and is positioned to use an architecture, nor is it intended to suggest
that the bureau's planned and ongoing modernization investments to date
are completely unjustified and unreasonable. Rather, it means that these
investments and upgrades are being pursued without a blueprint that
provides an authoritative, commonly understood frame of reference that
translates strategy into implemental actions, which, in turn, increases
modernization risk.

                                     -----

We are sending copies of this correspondence to the Chairman and Vice
Chairman of the Senate Select Committee on Intelligence and the Ranking
Minority Member of the House Permanent Select Committee on Intelligence.
We are also sending copies to the Attorney General; the Director, FBI; the
Director, Office of Management and Budget; and other interested parties.
In addition, this correspondence will be available without charge on GAO's
Web site at www.gao.gov.

Should you or your offices have any questions on matters discussed in this
correspondence, please contact me at (202) 512-3439 or by e-mail at
[email protected]. Key contributors to this response included Katherine I.
Chu-Hickman, Barbara Collier, Gregory Donnellon, Michael P. Fruitman,
Paula A. Moore, Gary N. Mountjoy, and Megan M. Secrest.

Randolph C. Hite
Director, Information Technology Architecture and Systems Issues

Enclosure

Enclosure: Comments from the Federal Bureau of Investigation

                                    (310268)

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
