FROM DOC_DB.DOCUMENT D, DOC_DB.REPORTS R, DOC_DB.BACKGROUND B
						 *
ERROR at line 2:
ORA-00942: table or view does not exist 

-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-658	

TITLE:     BUSINESS SYSTEMS MODERNIZATION: DOD Continues to Improve 
Institutional Approach, but Further Steps Needed

DATE:   05/15/2006 
				                                                                         
----------------------------------------------------------------- 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-658

     

     *  
          * Results in Brief
          * Background
               * Enterprise Architecture and Information Technology Investmen
                    * Enterprise Architecture: A Brief Description
                    * IT Investment Management: A Brief Description
               * DOD's Institutional Approach to Business Systems Modernizati
                    * DOD's Business Enterprise Architecture: A Brief
                      Description
               * Fiscal Year 2005 National Defense Authorization Act Requirem
               * Recent Review Indicates DOD Has Begun to Address Long-standi
          * DOD Is Taking Steps to Address Act's Requirements and Improv
               * DOD Continues to Address Limitations in Prior Version of Arc
               * DOD Has Made and Intends to Make More Improvements to Transi
               * DOD Is Addressing Issues Related to Reporting Business Syste
               * DOD Has Efforts Under Way to Control its Business System Inv
                    * DOD Has Not Established All Required Investment Review
                      Board
          * DOD Is Implementing Our Prior Recommendations
          * Conclusions
          * Recommendations for Executive Action
          * Agency Comments and Our Evaluation
     * Appendix I: Objectives, Scope, and Methodology
     * Appendix II: Prior Recommendations on DOD's Business Enterpr
     * Appendix III: Comments from the Department of Defense
     * Appendix IV: Summary of Several Architecture Frameworks
     * Appendix V: GAO Contacts and Staff Acknowledgments
          * GAO Contacts
          * Acknowledgments
               * Order by Mail or Phone

Report to Congressional Committees

United States Government Accountability Office

GAO

May 2006

BUSINESS SYSTEMS MODERNIZATION

DOD Continues to Improve Institutional Approach, but Further Steps Needed

DOD Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization DOD Business Systems Modernization DOD
Business Systems Modernization

GAO-06-658

Contents

Letter 1

Results in Brief 3
Background 6
DOD Is Taking Steps to Address Act's Requirements and Improve Approach to
Modernizing Business Systems 22
DOD Is Implementing Our Prior Recommendations 40
Conclusions 42
Recommendations for Executive Action 43
Agency Comments and Our Evaluation 43
Appendix I Objectives, Scope, and Methodology 47
Appendix II Prior Recommendations on DOD's Business Enterprise
Architecture and Investment Management 50
Appendix III Comments from the Department of Defense 60
Appendix IV Summary of Several Architecture Frameworks 63
Appendix V GAO Contacts and Staff Acknowledgments 67

Tables

Table 1: Roles and Responsibilities of Governance Entities 12
Table 2: Business Transformation Agency Divisions 14
Table 3: Core Business Missions and Associated Principal Staff Assistants
16
Table 4: Business Enterprise Priorities 17

Figures

Figure 1: Business Transformation Agency Organization 14
Figure 2: Interdependent DODAF Views of an Architecture 64

Abbreviations

ASD(NII)/CIO Assistant Secretary of Defense (Networks and Information
Integration)/Chief Information Officer BEA Business Enterprise
Architecture BTA Business Transformation Agency CA Certification Authority
CIO Chief Information Officer DBSMC Defense Business Systems Management
Committee DITPR DOD Information Technology Portfolio Repository DOD
Department of Defense DODAF Department of Defense Architecture Framework
ETP Enterprise Transition Plan FEA Federal Enterprise Architecture FEAF
Federal Enterprise Architecture Framework FCP Forward Compatible Payroll
IRB Investment Review Board IT information technology NCES Net-Centric
Enterprise Services NSS National Security Systems OMB Office of Management
and Budget SFIS Standard Financial Information Structure SNAP-IT Select
and Native Programming Data System- Information Technology

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office

Washington, DC 20548

May 15, 2006 May 15, 2006

Congressional Committees Congressional Committees

For decades, the Department of Defense (DOD) has not been successful in
repeated attempts to modernize its timeworn business systems1 and
operations. In 1995, we first designated DOD's business systems
modernization as "high risk," and we continue to designate it as such
today.2 As our research on successful public and private sector
organizations has shown, attempting a large-scale systems modernization
program in a large organization such as DOD without, among other things, a
well-defined enterprise architecture3123 and the associated investment
management controls for implementing it often results in systems that are
duplicative, stovepiped, non-integrated, and unnecessarily costly to
manage, maintain, and operate. For decades, the Department of Defense
(DOD) has not been successful in repeated attempts to modernize its
timeworn business systems and operations. In 1995, we first designated
DOD's business systems modernization as "high risk," and we continue to
designate it as such today. As our research on successful public and
private sector organizations has shown, attempting a large-scale systems
modernization program in a large organization such as DOD without, among
other things, a well-defined enterprise architecture and the associated
investment management controls for implementing it often results in
systems that are duplicative, stovepiped, non-integrated, and
unnecessarily costly to manage, maintain, and operate.

In May 2001, we made recommendations to the Secretary of Defense that
provided the means for effectively developing and implementing an
enterprise architecture and limiting systems investments until the
department had a well-defined architecture and a corporate approach to
investment control and decision making.44 In July 2001, the department
initiated a business management modernization program to, among other
things, develop a business enterprise architecture and establish the
investment controls needed to effectively implement it. This effort was
begun as part of the Secretary of Defense's broad initiative to "transform
the way the department works and what it works on." In May 2001, we made
recommendations to the Secretary of Defense that provided the means for
effectively developing and implementing an enterprise architecture and
limiting systems investments until the department had a well-defined
architecture and a corporate approach to investment control and decision
making. In July 2001, the department initiated a business management
modernization program to, among other things, develop a business
enterprise architecture and establish the investment controls needed to
effectively implement it. This effort was begun as part of the Secretary
of Defense's broad initiative to "transform the way the department works
and what it works on."

1Business systems are information systems that include financial and
non-financial systems and support DOD's business operations, such as
civilian personnel, finance, health, logistics, military personnel,
procurement, and transportation. See 10 U.S.C. S: 2222 (j) (2).

2GAO, High-Risk Program, GAO-06-497T (Washington, D.C.: Mar. 15, 2006).

3An enterprise architecture, or modernization blueprint, provides a clear
and comprehensive picture of an entity, whether it is an organization
(e.g., federal department or agency) or a functional or mission area that
cuts across more than one organization (e.g., financial management). This
picture consists of snapshots of the enterprise's current "As Is"
operational and technological environment and its target or "To Be"
environment, as well as a capital investment roadmap for transitioning
from the current to the target environment. These snapshots further
consist of "views," which are basically one or more architecture products
that provide conceptual or logical representations of the enterprise.

4GAO, Information Technology: Architecture Needed to Guide Modernization
of DOD's Financial Operations, GAO-01-525 (Washington, D.C.: May 17,
2001).

Between 2001 and 2005, we reported that the department's business
management modernization program was not being effectively managed,
concluding in 2005 that hundreds of millions of dollars had been spent on
an architecture and investment management structures that had limited
use.5

To assist DOD in addressing these modernization management challenges,
Congress included provisions in the Ronald W. Reagan National Defense
Authorization Act for Fiscal Year 2005 (the Act) 6 that were consistent
with our recommendations for developing a business enterprise architecture
and associated enterprise transition plan, and establishing and
implementing effective information technology (IT) business system
investment management structures and processes. More specifically, the Act
required the department to, among other things, (1) develop a business
enterprise architecture, (2) develop a transition plan to implement the
architecture, (3) include systems information in its annual budget
submission, (4) establish a system investment approval and accountability
structure, (5) establish an investment review process, and (6) approve and
certify system modernizations costing in excess of $1 million. The Act
further requires that the Secretary of Defense submit an annual report to
congressional defense committees on its compliance with certain
requirements of the Act not later than March 15 of each year from 2005
through 2009. Additionally, the Act directs us to submit to congressional
defense committees-within 60 days of DOD's report submission-an assessment
of DOD's actions taken to comply with these requirements.

5See, for example, GAO-01-525 ; DOD Business Systems Modernization:
Improvements to Enterprise Architecture Development and Implementation
Efforts Needed, GAO-03-458 (Washington, D.C.: Feb. 28, 2003); Information
Technology: Observations on Department of Defense's Draft Enterprise
Architecture, GAO-03-571R (Washington, D.C.: Mar. 28, 2003); Business
Systems Modernization: Summary of GAO's Assessment of the Department of
Defense's Initial Business Enterprise Architecture, GAO-03-877R
(Washington, D.C.: July 7, 2003); DOD Business Systems Modernization:
Important Progress Made to Develop Business Enterprise Architecture, but
Much Work Remains, GAO-03-1018 (Washington, D.C.: Sept. 19, 2003); DOD
Business Systems Modernization: Limited Progress in Development of
Business Enterprise Architecture and Oversight of Information Technology
Investments, GAO-04-731R (Washington, D.C.: May 17, 2004); DOD Business
Systems Modernization: Billions Being Invested without Adequate Oversight,
GAO-05-381 (Washington, D.C.: April 29, 2005); DOD Business Systems
Modernization: Long-standing Weaknesses in Enterprise Architecture
Development Need to Be Addressed, GAO-05-702 (Washington, D.C.: July 22,
2005).

6Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005,
Pub. L. No. 108-375, S: 332, 118 Stat. 1811, 1851-1856 (Oct. 28, 2004)
(codified in part at 10 U.S.C. S: 2222).

As agreed with your offices, the objectives of our review were to (1)
assess the actions by DOD to comply with the requirements of Section 2222
of Title 10, U.S. Code and (2) determine the extent to which DOD has
addressed our prior recommendations. To accomplish this, we used our
November 2005 report7 as a baseline of comparison, focusing on the steps
the department has taken to address the areas of noncompliance that we
cited in that report.

We performed our work from January through May 2006 in accordance with
generally accepted government auditing standards. Details on our
objectives, scope, and methodology are contained in appendix I.

                                Results in Brief

As part of DOD's incremental strategy for developing and implementing its
architecture, transition plan, and tiered accountability framework for
managing business systems, the department has taken steps over the last 6
months to further comply with the Act and otherwise improve its overall
approach to business systems modernization. On March 15, 2006, DOD
released a minor update to its business enterprise architecture (version
3.1), developed an updated enterprise transition plan, and issued its
annual report to Congress describing steps taken to address the Act's
requirements, among other things. The updated architecture and transition
plan, as well as the report and related documentation, reflect steps taken
to address a number of the areas that we previously reported as falling
short of the Act's requirements and related guidance. However, additional
steps are needed to fully comply with the Act and relevant guidance. The
following illustrate steps taken thus far to improve management of the
department's business systems modernization effort and where further
improvement is needed.

           o  The latest version of the architecture continues to specify
           DOD's Standard Financial Information Structure (SFIS) as an
           enterprisewide data standard for categorizing financial
           information to support financial management and reporting
           functions. In addition, the architecture now adds greater
           definition on standard processes, rules, and data for
           intra-governmental ordering and billing. However, certain SFIS
           data elements, such as those relating to the planning,
           programming, and budgeting business process area, have yet to be
           defined. According to DOD, these data elements will be in the next
           version of the architecture. The latest version of the
           architecture also does not yet include a systems standards profile
           to facilitate data sharing among departmentwide business systems
           and promote interoperability with departmentwide IT infrastructure
           systems. Further, military services and defense agencies
           architectures have yet to be aligned with the departmental
           architecture. Once such missing scope and content is added, the
           architecture will be a more sufficient frame of reference to
           optimally guide and constrain DOD-wide system investment decision
           making.
           o  The enterprise transition plan now includes an initiative aimed
           at identifying capability gaps between the "As Is" and "To Be"
           architectural environments, and DOD continues to validate the
           inventory of ongoing IT investments that formed the basis for the
           prior version of the transition plan. Further, the plan provides
           information on progress on major investments over the last 6
           months-including key accomplishments and milestones attained, and
           more information about the termination of legacy systems. However,
           it still does not identify, for example, all legacy systems that
           will not be part of the target architecture, and it does not
           include system investment information for all of the department's
           agencies and combatant commands. Once missing content is added and
           all planned investments are validated by capability gap analyses,
           the department will be better positioned to sequentially manage
           the migration and disposition of existing business processes and
           systems-and the introduction of new ones.
           o  The fiscal year 2007 IT budget submission was prepared using a
           system that has been reconciled with DOD's single authoritative
           system inventory. This should improve the completeness and
           reliability of the budget submission.
           o  The IT investment management structures and processes that DOD
           previously defined are being refined and implemented across the
           department. For example, DOD reports that 226 business systems,
           which represent about $3.6 billion in modernization funding, were
           approved by the Defense Business Systems Management Committee
           (DBSMC). Further, it reports that over 290 business systems have
           been identified for phase-out/elimination. The extent to which
           these structures and processes will be applied to the department's
           approximately 3,700 business systems is still evolving. Further,
           an investment review board required by the Act and DOD policy for
           IT infrastructure and information assurance investments has yet to
           be established.

           The Act's requirements concerning the architecture, transition
           plan, budgetary disclosure, and investment management structures
           and processes are consistent with our prior recommendations. In
           taking steps to further comply with the Act, DOD has either
           implemented-or is in the process of implementing-these 29 prior
           recommendations. More specifically, the department has fully
           implemented 16 of the recommendations and is in the process of
           implementing the remaining 13. For example, the department has
           implemented our recommendation to issue a policy governing the
           development, implementation, and maintenance of an enterprise
           architecture. However, it has not implemented our recommendation
           to develop a plan governing the development, maintenance, and
           implementation of the enterprise architecture. Such a plan would,
           at a minimum, define what the incremental improvements will be,
           and how and when they will be accomplished. The plan would also
           include what (and when) architecture and transition plan scope and
           content-and architecture compliance criteria-will be added, with
           particular emphasis and clarity around the near-term increments.
           It is important for the department to develop this plan as soon as
           possible because without it, the department is less likely to
           accomplish intended improvements-and Congress will not have the
           means to measure progress and hold the department accountable.
           According to DOD officials, the department is committed to
           addressing our recommendations but has yet to provide any time
           frames.

           To further assist the department in strengthening its business
           systems modernization efforts, to facilitate congressional
           oversight, and promote departmental accountability, we are
           recommending that the department submit its enterprise
           architecture program management plan to defense congressional
           committees.

           In its written comments on a draft of this report, signed by the
           Deputy Under Secretary of Defense (Business Transformation) and
           reprinted in appendix III, the department stated that our findings
           are a fair representation of DOD's efforts to date, and while it
           does not agree with all of our points, it recognizes that even in
           areas of disagreement there is opportunity for dialog and
           learning. In this regard, the department provided additional
           comments in two areas.

           First, DOD recognized the importance of addressing our
           recommendations, and stated that it is important that we make our
           recommendations sufficiently specific to permit reasonable
           implementation and that we provide prompt feedback on whether
           DOD's implementation actions are in line with the recommendations.
           We agree and will continue to work proactively and constructively
           with the department to facilitate their implementation.

           Second, DOD stated that it partially agreed with the
           recommendation in the draft report, characterizing it as
           developing a departmentwide enterprise architecture program
           management plan to gain control of the department's IT
           environment. According to DOD, such a plan would far exceed the
           current scope of business systems modernization, and thus
           addressing it would require more time than our recommendation
           allowed. We agree that the business enterprise architecture should
           be departmentwide in scope and should allow the department to gain
           control of its business IT environment. However, the
           recommendation in our draft report was only aimed at developing an
           incremental plan that would show what missing scope and content
           would be added in each incremental version of the architecture and
           transition plan to eventually have an architecture and transition
           plan that addressed the full scope of the department's business IT
           environment and permitted such control to be gained. It was not
           intended to be interpreted as actually having this scope and
           content added to the transition plan in the time frame specified.
           To further ensure that our recommendation is properly interpreted
           and implemented, and to address DOD's concern about the time frame
           that we cited, we have slightly modified the recommendation.

           DOD is a massive and complex organization. In fiscal year 2005,
           the department reported that its operations involved $1.3 trillion
           in assets and $1.9 trillion in liabilities; more than 2.9 million
           military and civilian personnel; and $635 billion in net cost of
           operations. For fiscal year 2006, the department received
           appropriations of about $403 billion.8 The department comprises a
           wide range of organizations, including the military services and
           their respective major commands and functional activities;
           numerous defense agencies and field activities; and various
           combatant and joint operational commands, which are responsible
           for military operations for specific geographic regions or
           theaters of operations.

           In support of its military operations, the department performs an
           assortment of interrelated and interdependent business functions,
           including logistics management, procurement, health care
           management, and financial management. DOD recently reported that,
           in order to support these business functions, it relies on 3,717
           business systems. For fiscal year 2006, DOD received approximately
           $15.5 billion-and for fiscal year 2007, DOD has requested
           approximately $16 billion-in appropriated funds to operate,
           maintain, and modernize its business systems. As we have
           previously reported,9 DOD's systems environment is overly complex
           and error prone, and is characterized by (1) little
           standardization across the department; (2) multiple systems
           performing the same tasks; (3) the same data stored in multiple
           systems; and (4) the need for manual data entry into multiple
           systems. In addition, our reports10 have continually shown that
           the department's nonintegrated and duplicative systems contribute
           to fraud, waste, and abuse. Of the 25 areas on our governmentwide
           high-risk list, 8 are DOD program areas, and the department shares
           responsibility for 6 other governmentwide high-risk areas.11 DOD's
           business systems modernization is one of the high-risk areas, and
           it is an essential enabler to addressing many of the department's
           other high-risk areas. For example, modernized business systems
           are integral to the department's efforts to address its financial,
           supply chain, and information security management high-risk areas.

           Effective use of an enterprise architecture, or a modernization
           blueprint, is a hallmark of successful public and private
           organizations. For more than a decade, we have promoted the use of
           architectures to guide and constrain systems modernization,
           recognizing them as a crucial means to this challenging goal:
           agency operational structures that are optimally defined in both
           the business and technological environments. Congress, the Office
           of Management and Budget (OMB), and the federal Chief Information
           Officer (CIO) Council have also recognized the importance of an
           architecture-centric approach to modernization. We, OMB, and the
           CIO Council have issued enterprise architecture guidance.12 The
           Clinger-Cohen Act of 199613 mandates that an agency's CIO develop,
           maintain, and facilitate the implementation of an IT architecture.
           Further, the E-Government Act of 200214 requires OMB to oversee
           the development of enterprise architectures within and across
           agencies. In addition, we and OMB have issued guidance that
           emphasizes the need for system investments to be consistent with
           these architectures.15

           A corporate approach to IT investment management is also
           characteristic of successful public and private organizations.
           Recognizing this, Congress developed and enacted the Clinger-Cohen
           Act of 1996,16 which requires OMB to establish processes to
           analyze, track, and evaluate the risks and results of major
           capital investments in information systems made by executive
           agencies.17 In response to the Clinger-Cohen Act and other
           statutes, OMB has developed policy and issued guidance for
           planning, budgeting, acquisition, and management of federal
           capital assets.18 We have also issued guidance in this area,19
           which defines institutional structures such as IRBs and associated
           processes, such as common investment criteria.

           An enterprise architecture provides a clear and comprehensive
           picture of an entity, whether it is an organization (e.g., a
           federal department) or a functional or mission area that cuts
           across more than one organization (e.g., financial management).
           This picture consists of snapshots of both the enterprise's
           current ("As Is") environment and its target ("To Be")
           environment. These snapshots consist of "views," which are one or
           more architecture products (e.g., models, diagrams, matrixes, and
           text) that provide logical or technical representations of the
           enterprise. The architecture also includes a transition or
           sequencing plan, which is based on an analysis of the gaps between
           the "As Is" and "To Be" environments; this plan provides a
           temporal roadmap for moving between the two environments, and
           incorporates such considerations as technology opportunities,
           marketplace trends, fiscal and budgetary constraints,
           institutional system development and acquisition capabilities,
           legacy and new system dependencies and life expectancies, and the
           projected value of competing investments.

           The suite of products produced for a given entity's enterprise
           architecture, including its structure and content, is largely
           governed by the framework used to develop the architecture. Since
           the 1980s, various architecture frameworks have been developed.
           Appendix IV discusses these various frameworks.

           The importance of developing, implementing, and maintaining an
           enterprise architecture is a basic tenet of both organizational
           transformation and systems modernization. Managed properly, an
           enterprise architecture can clarify and help optimize the
           interdependencies and relationships among an organization's
           business operations (and the underlying IT infrastructure and
           applications) that support these operations. To support effective
           architecture management in the federal government, we have issued
           architecture management guidance, as has the federal CIO Council
           and OMB.20 This guidance recognizes that when an enterprise
           architecture is employed in concert with other important
           management controls, such as portfolio-based capital planning and
           investment control practices, architectures can greatly increase
           the chances that an organization's operational and IT environments
           will be configured to optimize mission performance. Our experience
           with federal agencies has shown that investing in IT without
           defining these investments in the context of an architecture often
           results in systems that are duplicative, not well integrated, and
           unnecessarily costly to maintain and interface.21

           IT investment management is a process for linking IT investment
           decisions to an organization's strategic objectives and business
           plans. Generally, it includes structures (including
           decision-making bodies known as IRBs), processes for developing
           information on investments (such as costs and benefits), and
           practices to inform management decisions (such as whether a given
           investment is aligned with an enterprise architecture). The
           federal approach to IT investment management is based on
           establishing systematic processes for selecting, controlling, and
           evaluating investments that provides a systematic way for agencies
           to minimize risks while maximizing the returns of investments.22

           o  During the selection phase, the organization (1) identifies and
           analyzes each project's risks and returns before committing
           significant funds to any project and (2) selects those IT projects
           that will best support its mission needs.
           o  During the control phase, the organization ensures that, as
           projects develop and investment expenditures continue, the project
           continues to meet mission needs at the expected levels of cost and
           risk. If the project is not meeting expectations or if problems
           arise, steps are quickly taken to address the deficiencies.
           o  During the evaluation phase, actual versus expected results are
           compared once a project has been fully implemented. This is done
           to (1) assess the project's impact on mission performance, (2)
           identify any changes or modifications to the project that may be
           needed, and (3) revise the investment management process based on
           lessons learned.

           Consistent with our architecture management framework,23 our
           investment management framework24 recognizes the importance of an
           enterprise architecture as a critical frame of reference for
           organizations making IT investment decisions, stating that only
           investments that move the organization toward its target
           architecture-as defined by its sequencing plan-should be approved,
           unless a waiver is provided or a decision is made to modify the
           architecture. Moreover, this framework states that an
           organization's policies and procedures should describe the
           relationship between its architecture and its investment
           decision-making authority. Our experience has shown that mature
           and effective management of IT investments can vastly improve
           government performance and accountability, help to avoid wasteful
           IT spending, and leverage opportunities to improve delivery of
           services to the public.

           DOD's institutional approach to managing its business systems
           modernization efforts has changed several times since 2001. Most
           recently, in 2005, the department reassigned responsibility for
           providing executive leadership for the direction, oversight, and
           execution of its business transformation and systems modernization
           efforts to several entities. These entities include the DBSMC,
           which serves as the highest ranking governance body for business
           systems modernization activities; the Principal Staff Assistants,
           who serve as the certification authorities for business system
           modernizations in their respective core business missions; the
           IRBs, which form the review and decisionmaking bodies for business
           system investments in their respective areas of responsibility;
           and the Business Transformation Agency (BTA),25 which leads and
           coordinates business transformation efforts across the department.
           Table 1 lists these entities and their roles and responsibilities.

7GAO, DOD Business Systems Modernization: Important Progress Made in
Establishing Foundational Architecture Products and Investment Management
Practices, but Much Work Remains, GAO-06-219 (Washington, D.C.: Nov. 23,
2005).

                                   Background

8This amount does not include an additional $50 billion for military
operations in Iraq and Afghanistan.

9GAO, DOD Business Systems Modernization: Important Progress Made in
Establishing Foundational Architecture Products and Investment Management
Practices, but Much Work Remains, GAO-06-219 (Washington, D.C.: Nov. 23,
2005).

10See, for example, GAO, Defense Inventory: Opportunities Exist to Improve
Spare Parts Support Aboard Deployed Navy Ships, GAO-03-887 (Washington,
D.C.: Aug. 29, 2003); Military Pay: Army National Guard Personnel
Mobilized to Active Duty Experienced Significant Pay Problems, GAO-04-89
(Washington, D.C.: Nov. 13, 2003); and DOD Travel Cards: Control
Weaknesses Resulted in Millions of Dollars of Improper Payments,
GAO-04-576 (Washington, D.C.: June 9, 2004).

11 GAO-06-497T . The eight specific DOD high-risk areas are: (1) approach
to business transformation, (2) business systems modernization, (3)
contract management, (4) financial management, (5) personnel security
clearance, (6) supply chain management, (7) support infrastructure
management, and (8) weapon systems acquisition. The six governmentwide
high-risk areas are (1) disability programs, (2) interagency contracting,
(3) information systems and critical infrastructure, (4) information
sharing for homeland security, (5) human capital, and (6) real property.

Enterprise Architecture and Information Technology Investment Management Are
Critical to Achieving Successful Systems Modernization

12CIO Council, A Practical Guide to Federal Enterprise Architecture,
Version 1.0 (Feb. 2001).

13The Clinger-Cohen Act of 1996, 40 U.S.C. S: 11312 and 11315(b)(2).

14The E-Government Act of 2002, Public Law 107-347 (Dec. 17, 2002).

15OMB Capital Programming Guide, Version 1.0 (July 1997) and GAO,
Information Technology Investment Management: A Framework for Assessing
and Improving Process Maturity, GAO-04-394G (Washington, D.C.: March
2004).

16The Clinger-Cohen Act of 1996, 40 U.S.C. sections 11101-11704. This Act
expanded the responsibilities of OMB and the agencies that had been set
under the Paperwork Reduction Act with regard to IT management. See 44
U.S.C. 3504(a)(1)(B)(vi) (OMB); 44 U.S.C. 3506(h)(5) (agencies).

17We have made recommendations to improve OMB's process for monitoring
high-risk IT investments; see GAO, Information Technology: OMB Can Make
More Effective Use of Its Investment Reviews, GAO-05-276 (Washington,
D.C.: April 15, 2005).

  Enterprise Architecture: A Brief Description

18This policy is set forth and guidance is provided in OMB Circular No.
A-11 (Nov. 2, 2005) (section 300), and in OMB's Capital Programming Guide,
which directs agencies to develop, implement, and use a capital
programming process to build their capital asset portfolios.

19 GAO-04-394G .

  IT Investment Management: A Brief Description

20GAO, Information Technology: A Framework for Assessing and Improving
Enterprise Architecture Management (Version 1.1), GAO-03-584G (Washington,
D.C.: April 2003); and A Practical Guide to Federal Enterprise
Architecture, Version 1.0.

21See, for example, GAO, Homeland Security: Efforts Under Way to Develop
Enterprise Architecture, but Much Work Remains, GAO-04-777 (Washington,
D.C.: Aug. 6, 2004); DOD Business Systems Modernization: Limited Progress
in Development of Business Enterprise Architecture and Oversight of
Information Technology Investments, GAO-04- 731R (Washington, D.C.: May
17, 2004); Information Technology: Architecture Needed to Guide NASA's
Financial Management Modernization, GAO-04-43 (Washington, D.C.: Nov. 21,
2003); DOD Business Systems Modernization: Important Progress Made to
Develop Business Enterprise Architecture, but Much Work Remains,
GAO-03-1018 (Washington, D.C.: Sept. 19, 2003); Business Systems
Modernization: Summary of GAO's Assessment of the Department of Defense's
Initial Business Enterprise Architecture, GAO-03-877R (Washington, D.C.:
July 7, 2003); Information Technology: DLA Should Strengthen Business
Systems Modernization Architecture and Investment Activities, GAO-01-631
(Washington, D.C.: June 29, 2001); and Information Technology: INS Needs
to Better Manage the Development of Its Enterprise Architecture,
GAO/AIMD-00-212 (Washington, D.C.: Aug. 1, 2000).

22GAO, Executive Guide: Improving Mission Performance Through Strategic
Information Management and Technology, GAO/AIMD-94-115 (Washington, D.C.:
May 1994); Office of Management and Budget, Evaluating Information
Technology Investments, A Practical Guide (Washington, D.C.: Nov. 1995);
GAO, Assessing Risks and Returns: A Guide for Evaluating Federal Agencies'
IT Investment Decision-making, GAO/AIMD-10.1.13 (Washington, D.C.: Feb.
1997); and GAO-04-394G .

23 GAO-03-584G .

24 GAO-04-394G .

DOD's Institutional Approach to Business Systems Modernization

Table 1: Roles and Responsibilities of Governance Entities

                      Roles and                                               
Entity             responsibilities          Membership
Defense Business      o  Provides strategic  Chaired by the Deputy         
Systems Management    direction and plans    Secretary of Defense; Vice    
Committee             for the business       Chair is the Under Secretary  
                         mission area in        of Defense for Acquisition,   
                         coordination with the  Technology, and Logistics.    
                         warfighting and        Includes senior leadership in 
                         enterprise information the Office of the Secretary   
                         environment mission    of Defense, the military      
                         areas.                 services' secretaries, and    
                         o  Serves as approving defense agencies' heads, such 
                         authority for business as the Assistant Secretary of 
                         system modernization.  Defense (Networks and         
                         o  Approves business   Information                   
                         mission area           Integration)/Chief            
                         transformation plans   Information Officer           
                         and coordinates        (ASD(NII)/CIO), the Vice      
                         transition planning in Chairman of the Joint Chiefs  
                         a documented program   of Staff, and the Commanders  
                         baseline with critical of the U.S. Transportation    
                         success factors,       Command and Joint Forces      
                         milestones, metrics,   Command.                      
                         deliverables, and      
                         periodic program       
                         reviews.               
                         o  Establishes key     
                         metrics and targets by 
                         which to track         
                         business               
                         transformation         
                         progress.              
                         o  Establishes         
                         policies and approves  
                         the business mission   
                         area strategic plan,   
                         the transition plan    
                         for implementation for 
                         business systems       
                         modernization, the     
                         transformation program 
                         baseline, and the      
                         business enterprise    
                         architecture.          
                         o  Executes a          
                         comprehensive          
                         communications         
                         strategy.              
Principal Staff       o  Support the DBSMC's Officials who report directly 
Assistants            management of          to the Secretary or Deputy    
                         enterprise business IT Secretary of Defense. These   
                         investments.           include the Under Secretaries 
                         o  Serve as the        of Defense; the Assistant     
                         certification          Secretaries of Defense; the   
                         authorities            General Counsel of the        
                         accountable for the    Department of Defense; the    
                         obligation of funds    Assistants to the Secretary   
                         for respective         of Defense; and the Directors 
                         business system        of the Office of the          
                         modernizations within  Secretary of Defense.         
                         designated core        
                         business missions.a    
                         o  Provide the DBSMC   
                         with recommendations   
                         for system investment  
                         approval.              
Investment Review     o  Serve as the        Includes the Deputy Secretary 
Boards                oversight and          of Defense; the Under         
                         investment             Secretary of Defense          
                         decision-making bodies (Comptroller); Under          
                         for those business     Secretary of Defense for      
                         capabilities that      Acquisition, Technology, and  
                         support activities     Logistics; Assistant          
                         under their designated Secretary of Defense          
                         areas of               (Personnel and Readiness);    
                         responsibility.        ASD(NII)/CIO; military        
                         o  Assess investments  services; defense agencies;   
                         relative to their      and combatant commands.       
                         impact on end-to-end   
                         business process       
                         improvements           
                         supporting warfighter  
                         needs.                 
                         o  Certify that all    
                         business systems       
                         investments costing    
                         more than $1 million   
                         are integrated and     
                         compliant with the     
                         business enterprise    
                         architecture.          
Business              o  Serves as the       Operates under the authority, 
Transformation        day-to-day management  direction, and control of the 
Agencyb               entity of the business Under Secretary of Defense    
                         transformation effort  for Acquisition, Technology,  
                         at the DOD enterprise  and Logistics-the vice chair  
                         level.                 of the DBSMC. The day-to-day  
                         o  Provides support to direction, management, and    
                         the executive          oversight is provided         
                         governance bodies.     cooperatively by the Deputy   
                         o  Integrates the work Under Secretary of Defense    
                         of the Principal Staff (Business Transformation) and 
                         Assistants in the      the Deputy Under Secretary of 
                         areas of business      Defense (Financial            
                         process reengineering, Management).                  
                         core business mission  
                         activities, and IRB    
                         matters.               

25The Business Management Modernization Program's mission for advancing
departmentwide business transformation efforts, particularly with regard
to business systems modernization, has been absorbed into the BTA.

Source: DOD.

aThe five core business missions are described in table 3.

bThe organizational structure of the agency is outlined in figure 1 and
the roles and responsibilities of the agency divisions are described in
table 2.

The BTA, established in 2005, is organized into eight divisions, one of
which is the office of the Defense Business Systems Acquisition
Executive-the component acquisition executive for DOD enterprise-level
systems and initiatives. 26 Figure 1 outlines the organizational structure
of the agency and table 2 shows the roles and responsibilities of the
agency divisions.

26An enterprise-level system supports cross-organizational requirements,
rather than a single group or component within an agency or organization.
A DOD-wide system refers to a system for all of DOD. For example, the
Defense Civilian Personnel Data System is the system that standardizes
civilian human resource processes and promotes efficiency of service
delivery for all DOD civilian personnel. An enterprise-level initiative
refers to an initiative of an enterprise, rather than a group or component
within an agency or organization. At DOD, an enterprise-level initiative
can be an enterprise system, program, project, activity, or a family of
enterprise systems.

Figure 1: Business Transformation Agency Organization

aThis role is temporarily filled by the Deputy Under Secretary of Defense
for Business Transformation and the Deputy Under Secretary of Defense for
Financial Management.

Table 2: Business Transformation Agency Divisions

Office                     Description                                     
Defense Business Systems      o  Develops, coordinates, and integrates     
Acquisition Executive         projects, programs, systems, and initiatives 
                                 that provide DOD enterprisewide business     
                                 capabilities to the warfighter.              
                                 o  Exercises acquisition executive oversight 
                                 for DOD enterprise-level business systems    
                                 assigned by the DBSMC.                       
                                 o  Serves as the milestone decision          
                                 authority for specific programs as directed  
                                 by the DBSMC, and as the DOD component       
                                 acquisition executive for business systems.  
                                 o  Manages resources, including fiscal,      
                                 personnel, and contracts for assigned        
                                 systems and programs.                        
Enterprise Integration        o  Supports the integration of               
                                 enterprise-level business capabilities.      
                                 o  Ensures adoption of DOD-wide information  
                                 and process standards, as defined in the     
                                 business enterprise architecture (BEA).      
Transformation Planning       o  Maintains and updates the department's    
and Performance               BEA and corresponding enterprise transition  
                                 plan.                                        
                                 o  Monitors the performance of enterprise    
                                 programs and initiatives by ensuring that    
                                 they meet the milestones documented in the   
                                 enterprise transition plan.                  
                                 o  Includes the Milestone Assurance Team,    
                                 which monitors the performance of            
                                 enterprise-level programs and initiatives.   
Transformation Priorities     o  Serves as the primary link to the         
and Requirements              Principal Staff Assistants within the Office 
                                 of the Secretary of Defense as well as other 
                                 DOD-level organizations including the US     
                                 Transportation Command, the Defense          
                                 Logistics Agency, and the Defense Finance    
                                 and Accounting Service.                      
                                 o  Ensures that the functional priorities    
                                 and requirements of these organizations are  
                                 reflected in both the BEA and the enterprise 
                                 transition plan, as well as in the guidance  
                                 for business systems investment management.  
                                 o  Comprises a mix of senior leaders from    
                                 both government and industry that have       
                                 experience in business processes and systems 
                                 technology.                                  
Investment Management         o  Provides leadership in investment         
                                 management for DOD enterprise-level business 
                                 systems.                                     
                                 o  Supports and coordinates IRB processes    
                                 and actions for certification.               
                                 o  Reports on IRB certification status in    
                                 congressional reports and DBSMC meetings.    
                                 o  Updates and defines IRB data elements in  
                                 the DOD Information Technology Portfolio     
                                 Repository and conducts the systems          
                                 inventory for OMB.                           
Warfighter Support Office     o  Identifies enterprise-level business      
                                 issues that directly impact the warfighter   
                                 and works to resolve these issues via        
                                 systems capability and process improvements. 
                                 o  Engages with joint staff and combatant    
                                 commands to identify and communicate         
                                 requirements to the agency.                  
                                 o  Monitors business process and system      
                                 improvement initiatives sponsored by the     
                                 agency and ensures their progress in         
                                 accordance with performance objectives.      
Information and Federation    o  Manages the information strategy, which   
Strategy                      encompasses integration efforts, strategic   
                                 planning, change management, and long-term   
                                 internal and external communications.        
                                 o  Ensures that integrated best industry     
                                 practices are applied to all areas of        
                                 strategic planning and communications for    
                                 the agency.                                  
Agency Operations             o  Provides centralized support across the   
                                 agency, such as administrative services,     
                                 personnel and staffing, contracting, budget, 
                                 IT, security, and training.                  
                                 o  Supports the monthly DBSMC meetings.      
                                 o  Coordinates with external stakeholders.   
                                 o  Establishes and maintains a central       
                                 repository for records, deliverables, and    
                                 policies for the agency.                     

Source: DOD.

  DOD's Business Enterprise Architecture: A Brief Description

In 2005, DOD adopted a 6-month incremental approach to developing its
enterprise architecture as either a major release or a minor release.27
DOD released version 3.0 of the business enterprise architecture on
September 28, 2005, describing it as the initial baseline. According to
DOD, this version was intended to provide a blueprint to help ensure
near-term delivery of the right capabilities, resources, and materiel to
the warfighter. To do so, this version focused on six business enterprise
priorities-which DOD states are short-term objectives to achieve immediate
results, within DOD's five core business missions-to be addressed through
identification of corporate business needs and analysis of capability gaps
(see table 3). The core business missions transcend DOD's various
functional areas (e.g., planning, budgeting, IT, procurement, and
maintenance) and are intended to be the means through which end-to-end
warfighter support is delivered. Responsibility for the core business
missions is assigned to specific Principal Staff Assistants.

27According to DOD, major releases are to have substantially new
architecture content that incorporates emerging enterprise priorities and
capabilities in support of DOD enterprise systems and initiatives and the
IRBs. Minor releases are not to contain new enterprise priorities or
business capabilities, but instead are to provide extension and "clean up"
of the preceding releases.

Table 3: Core Business Missions and Associated Principal Staff Assistants

DOD core business                                       Principal Staff    
mission              Description                        Assistants         
Human Resources      This mission includes all human    Under Secretary of 
Management           resources-related processes        Defense (Personnel 
                        necessary to recruit, train, and   and Readiness)     
                        prepare personnel for warfighter   
                        organizations. It also includes    
                        providing trained, healthy, and    
                        ready personnel to combatant and   
                        combat support organizations, and  
                        ensures timely and accurate access 
                        to compensation and benefits for   
                        all DOD personnel.                 
Weapon System        This mission includes full         Under Secretary of 
Lifecycle Management life-cycle management of defense   Defense for        
                        acquisition of weapons systems and Acquisition,       
                        automated information systems,     Technology, and    
                        including requirements,            Logistics          
                        technology, development,           
                        production, and sustainment.       
Materiel Supply and  This mission includes the          Under Secretary of 
Service Management   management of supply chains of     Defense for        
                        materiel supply and services to    Acquisition,       
                        maintain the readiness of          Technology, and    
                        non-deployed and deployed          Logistics          
                        warfighters to support operations. 
                        It also includes all aspects       
                        associated with acquiring,         
                        storing, and transporting all      
                        classes of supplies.               
Real Property and    This mission includes the          Under Secretary of 
Installations        provision of installations and     Defense for        
Lifecycle Management facilities to house military       Acquisition,       
                        forces, to store and maintain      Technology, and    
                        military equipment, and to serve   Logistics          
                        as training and deployment         
                        platforms for dispatching          
                        warfighter units.                  
Financial Management This mission includes the          Under Secretary of 
                        provision of accurate and reliable Defense            
                        financial information in support   (Comptroller)      
                        of the planning, programming,      
                        budgeting, and execution process   
                        to ensure adequate financial       
                        resources for warfighting mission  
                        requirements. It also includes     
                        providing information to reliably  
                        cost the conduct, output, and      
                        performance of DOD operations and  
                        missions, and the programs to      
                        support them.                      

Source: DOD.

Table 4 provides descriptions of the business enterprise priorities.
According to the department, these business enterprise priorities will
evolve and expand in future versions of the architecture.

Table 4: Business Enterprise Priorities

Business Enterprise Priority Description                                   
Personnel Visibility         Providing access to reliable, timely, and     
                                accurate personnel information for warfighter 
                                mission planning.                             
Acquisition Visibility       Providing transparency and access to          
                                acquisition information that is critical to   
                                supporting life-cycle management of the       
                                department's processes for delivering weapons 
                                systems and automated information systems.    
Common Supplier Engagement   Aligning and integrating policies, processes, 
                                data, technology, and people to simplify and  
                                standardize the methods that DOD uses to      
                                interact with commercial and government       
                                suppliers.                                    
Materiel Visibility          Improving supply chain performance.           
Real Property Accountability Acquiring access to real-time information on  
                                DOD real property assets.                     
Financial Visibility         Providing immediate access to accurate and    
                                reliable financial information that will      
                                enhance efficient and effective decision      
                                making.                                       

Source: DOD.

In addition to focusing the scope of version 3.0 of the architecture on
these priorities within the five core business missions, the extent to
which each priority was to be addressed, according to DOD, was limited to
answering four key groups of questions:

           o  Who are our people, what are their skills, and where are they
           located?
           o  Who are our industry partners, and what is the state of our
           relationship with them?
           o  What assets are we providing to support the warfighter, and
           where are these assets deployed?
           o  How are we investing our funds to best enable the warfighting
           mission?

           To produce a version of the architecture within this scope, DOD
           created 12 of the 26 recommended products included in the DOD
           Architecture Framework-the structural guide that the department
           has established for developing an architecture28-including 7
           products that the framework designates as "essential." For
           example, one essential product is the Operational Node
           Connectivity Description-a graphic showing "operational nodes"
           (organizations), including a depiction of each node's information
           exchange needs.

           On March 15, 2006, DOD released version 3.1 of the business
           enterprise architecture. According to program officials and our
           review of program documentation, version 3.1 is a minor release
           and-similar to version 3.0-addresses enterprise-level business and
           strategic plans, goals, objectives, and strategies. Program
           officials also noted that version 3.1 continues to be an
           outcome-based architecture that is focused on six business
           enterprise priorities within DOD's five core business missions,
           and that this version was developed following the same methodology
           and architectural framework as version 3.0. Program officials
           stated that the next release (version 4.0) will be similar to
           version 3.1, because it will also be a minor release.

           Congress included six provisions in the Act 29 that are aimed at
           ensuring DOD's development of a well-defined business enterprise
           architecture and associated enterprise transition plan, as well as
           the establishment and implementation of effective investment
           management structures and processes. The requirements are as
           follows:

           (1) Develop a business enterprise architecture that:

           o  includes an information infrastructure that, at a minimum,
           would enable DOD to:

                        o  comply with all federal accounting, financial
                        management, and reporting requirements;
                        o  routinely produce timely, accurate, and reliable
                        financial information for management purposes;
                        o  integrate budget, accounting, and program
                        information and systems; and
                        o  provide for the systematic measurement of
                        performance, including the ability to produce timely,
                        relevant, and reliable cost information;

           o  includes policies, procedures, data standards, and system
           interface requirements that are to be applied uniformly throughout
           the department; and
           o  is consistent with OMB policies and procedures.

           (2) Develop a transition plan for implementing the architecture
           that includes:

           o  an acquisition strategy for new systems needed to complete the
           enterprise architecture;
           o  a list and schedule of legacy business systems to be
           terminated;
           o  a list and strategy of modifications to legacy business
           systems; and
           o  time-phased milestones, performance metrics, and a statement of
           financial and non-financial resource needs.

           (3) Identify each business system proposed for funding in DOD's
           fiscal year budget submissions and include:

           o  information on each business system proposed for funding in
           that budget;
           o  funds for current services and for business systems
           modernization; and
           o  the designated approval authority for each business system.

           (4) Delegate the responsibility for business systems to designated
           approval authorities within the Office of the Secretary of
           Defense.

           (5) Require each approval authority to establish investment review
           structures and processes, including a hierarchy of IRBs-each with
           appropriate representation from across the department. The review
           process must cover:

           o  review and approval of each business system by an IRB before
           funds are obligated;
           o  at least an annual review of every business system investment;
           o  use of threshold criteria to ensure an appropriate level of
           review and accountability;
           o  use of procedures for making architecture compliance
           certifications;
           o  use of procedures consistent with DOD guidance; and
           o  incorporation of common decision criteria.

           (6) Effective October 1, 2005, DOD may not obligate appropriated
           funds for a defense business system modernization with a total
           cost of more than $1 million unless the approval authority
           certifies that the business system modernization:

           o  complies with the business enterprise architecture;
           o  is necessary to achieve a critical national security capability
           or address a critical requirement in an area such as safety or
           security; or
           o  is necessary to prevent a significant adverse effect on an
           essential project in consideration of alternative solutions, and
           the certification is approved by the DBSMC.

           Between May 2001 and July 2005, we have reported on DOD's efforts
           to develop an architecture and to establish and implement
           effective investment management structures and processes.30 These
           reports identified serious problems and concerns about the
           department's architecture program, the quality of the architecture
           and the transition plan, and the lack of an investment management
           structure and controls to implement the architecture. To address
           these concerns, we made 34 recommendations to ensure that the
           architecture was well-defined, managed, and implemented.

           In response to our recommendations and requirements in the Act and
           as described in the previous section, in 2005 DOD fundamentally
           changed its institutional approach to architecture development,
           management, and implementation. Consistent with our
           recommendations, DOD has also adopted an incremental approach to
           developing a purpose-driven and standards-based enterprise
           architecture, and it has established a tiered accountability
           structure through a hierarchy of investment oversight and
           decision-making entities for reviewing and approving business
           system investments.

           In November 2005,31 we reviewed DOD's efforts to satisfy the six
           requirements cited in the Act. In our report and in testimony,32
           we stated that DOD had partially satisfied the four legislative
           requirements relating to architecture development, transition plan
           development, budgetary disclosure, and investment review; it had
           satisfied the provision concerning designated approval
           authorities; and it was in the process of satisfying the provision
           for certification and approval of modernizations costing in excess
           of $1 million. We concluded that the department had made important
           progress in establishing the kind of fundamental management
           structures and processes that are needed to correct the
           long-standing and pervasive IT management weaknesses that have led
           to our designation of DOD business systems modernization as a
           high-risk program, and that this progress provided a foundation on
           which to build. However, we also concluded that much more remained
           to be accomplished to fully satisfy the Act's requirements and
           address the department's IT management weaknesses, particularly
           with regard to sufficiently developing the enterprise architecture
           and transition plan and ensuring that investment review and
           approval processes are institutionally implemented.

           DOD continues to take incremental steps to comply with the
           remaining five requirements of the Act  and improve its business
           systems modernization approach. On March 15, 2006, DOD released a
           minor update to its business enterprise architecture (version
           3.1), developed an updated enterprise transition plan, and issued
           its annual report to Congress describing steps taken and planned
           relative to the Act's requirements, among other things. These
           steps address several of the missing elements we previously
           identified relative to the legislative provisions concerning the
           architecture, transition plan, budgetary disclosure, investment
           review, and the reviews of systems costing in excess of $1
           million. DOD officials told us that additional steps are intended
           to fully implement the Act's requirements and address our prior
           concerns. According to program officials, this continued progress
           is a reflection of DOD leadership's commitment to effective
           business systems modernization. While this progress better
           positions the department to address the business systems
           modernization high-risk area, sustained leadership is essential to
           further improve its modernization approach, fully address the
           Act's requirements, and ultimately acquire and implement
           modernized business systems.

           Version 3.1 of the business enterprise architecture, according to
           DOD's most recent annual report to Congress, resolves several of
           the architecture gaps identified in the prior version and
           introduces several other minor improvements, but it does not
           include major content changes. This version reflects steps taken
           by DOD to address some of the missing elements, inconsistencies,
           and usability issues that we identified in our prior report33
           related to the Act's requirements and related architecture
           guidance. According to DOD officials, they are committed to
           incrementally evolving the architecture's scope, content, internal
           alignment, and usability. Until they do, however, the
           architecture's utility will be limited.

           With regard to complying with federal accounting, financial
           management, and reporting requirements, the architecture has much
           of the information needed to achieve compliance with the
           Department of the Treasury's United States Standard General
           Ledger, 34 such as the data elements or attributes that are needed
           to facilitate information sharing and reconciliation with the
           Treasury. In addition, the SFIS,35 which includes a standard
           accounting classification structure, can allow DOD to standardize
           financial data elements necessary to support budgeting,
           accounting, cost management, and external reporting; it also
           incorporates many of the Standard General Ledger's attributes.

           Further, version 3.1 provides new business rules for
           intra-governmental transactions36 that can be automated to enforce
           compliance with federal accounting, financial management, and
           reporting requirements. For example, version 3.1 includes the
           intra-governmental transactions business rule
           "ENT_Available_Reimbursable_Authority" 37 to enforce compliance
           with a Generally Accepted Accounting Principle standard that funds
           to be paid can be received. Business rules are important because
           they explicitly translate important business policies and
           procedures into specific, unambiguous rules that govern what can
           and cannot be done.

           However, version 3.1 does not yet address the locations where
           specified activities are to occur and where the systems are to be
           located. Program officials agreed; however, they stated that the
           architecture is not intended to include this level of detail
           because it is capabilities-based rather than solutions-based, and
           they said that this information will be contained either within
           the department's Global Information Grid38 or in individual
           systems' program documentation. As previously reported,39 we do
           not agree that information pertaining to locations is only germane
           to the solutions-based architectures, and the explicit linkage
           between the business enterprise architecture and Global
           Information Grid is not apparent. The identification of
           operationally significant and strategic business locations, as
           well as the need for a business logistics model, is a generally
           accepted best practice for defining the business operations of an
           architecture.40 This is because the cost and performance of
           implemented business operations and technology solutions are
           affected by the location and therefore need to be examined,
           assessed, and decided on in an enterprise context rather than in a
           piecemeal, systems-specific fashion.

           In addition, the architecture does not provide for compliance with
           all federal accounting, financial, and reporting requirements. For
           example, it does not apply the concept of tiered accountability to
           identify which laws, policies, and regulations are relevant at the
           enterprise level. Until it does, the department cannot effectively
           identify overlaps in IT spending by the components41 and programs
           for common functions or enterprise requirements. In addition, some
           business rules are at inconsistent levels of detail within the
           architecture. For example, some business rules are defined in
           high-level conceptual terms (e.g., "ENT_Cost_Reporting") while
           others are defined more specifically at an operational level
           (e.g., "ENT_DOD_Obligations_Against"). Until standard
           enterprise-level operational rules are defined and developed, DOD
           components will continue to implement operational procedures that
           are inconsistent because they are based on their own unique
           interpretations of the laws, policies, and regulations.

           With regard to timely, accurate, and reliable financial
           information for management purposes, we reported in November 2005
           42 that SFIS had not been completed or implemented and that the
           architecture had yet to include standard definitions of key terms
           in the architecture-such as all enterprise-level terms. Since
           then, the department has completed phase I of the SFIS initiative,
           which is focused on standardizing general ledger and external
           financial reporting requirements, and has incorporated associated
           definitions in the architecture. In addition, the department
           continues to evolve the integrated dictionary and include
           definitions and descriptions of many terms used in the
           architecture. For example, the integrated dictionary in version
           3.1 includes a business enterprise priority dictionary from which
           it is easy to find descriptions of business priorities such as
           "acquisition visibility," "common supplier engagement," and
           "financial visibility." Further, version 3.1 provides additional
           compliance based on modifications to intra-governmental
           transaction concepts (e.g., a standard capability for creating and
           routing requisitions, purchase orders, billings, payments, and
           collections) to provide enhanced visibility to buying and selling
           transactions between entities of the federal government. This
           enhanced visibility facilitates easy access to information about
           intra-governmental transactions, thereby supporting the
           requirement to routinely produce timely information.

           However, additional SFIS definition efforts remain under way, and
           the department plans to further define key data elements and
           attributes that are not yet in the architecture. For example,
           according to program officials, data elements-such as those
           relating to the planning, programming, and budgeting business
           process area-have yet to be defined. According to DOD, these data
           elements will be in the next version of the architecture. Further,
           although the integrated dictionary contains definitions of many
           terms (e.g., business capabilities, data objects, and system
           functions), it has yet to contain definitions of key accounting
           and budget terms such as "balance forwarded" and "receipt
           balances" that are used in the description of the data object
           termed "Receipt Account Trial Balance and Ledgers." According to
           DOD's architecture framework, the integrated dictionary should
           enable the set of architecture products to stand alone, allowing
           them to be read and understood with minimum reference to outside
           resources. Program officials agreed and stated that both the SFIS
           and the integrated dictionary will evolve and be incorporated into
           future releases.

           Moreover, version 3.1 does not identify and explicitly define all
           business rules that would enable the financial information to be
           verified and validated on the basis of timeliness, accuracy, and
           reliability. For example, although a United States Standard
           General Ledger transaction library43 was developed, its use as a
           business rule in a business process model-or an enabler to an
           operational activity to verify and validate the accuracy of
           transaction postings (or the relationships among transactions)-is
           not explicitly defined and identified in version 3.1. In addition,
           architectural elements that are identified and intended to address
           this requirement are not always well defined. For example, "review
           and certify financial statement" is identified as a process in the
           integrated dictionary, but depicted as an operational event in the
           process labeled "perform financial reporting" in the operational
           event-trace description product, which indicates when activities
           are to occur within operational processes. In addition, "perform
           financial reporting" is identified as both an event and a process
           in the integrated dictionary. Beyond these definitional
           ambiguities, identified business rules are not always allocated to
           specific systems in the architecture. For example, business rules
           are not allocated to the Business Enterprise Information Services-
           an enterprise-level automated reporting system intended to provide
           timely, accurate, and reliable business information across the
           department to support auditable financial statements and provide
           detailed financial information visibility for management in
           support of the warfighter; and to integrate budget, accounting,
           and program information that is widely dispersed among systems and
           organizations across the department. Such limitations constrain
           the utility and effectiveness of the architecture in guiding and
           constraining system development.

           With regard to the integration of budgeting, accounting, and
           programming information and systems, we reported in November
           200544 that the architecture did not include certain elements-such
           as a fully defined and implemented SFIS-and all systems needed to
           achieve integration. According to DOD, version 3.1 incorporates 59
           SFIS phase 1 data elements and 109 business rules. In addition,
           this version provides content relevant to the integration of
           intra-governmental transaction functionality for reimbursable
           orders, which is important in addressing the financial visibility
           and common supplier engagement business enterprise priorities.
           This functional integration can lead to the simplification of
           system and data integration. Nevertheless, version 3.1 does not
           specify all systems needed to achieve integration, as evidenced by
           instances in which the architecture provides "placeholders" or
           generic references for yet-to-be-defined systems (e.g., Financial
           Management System Entity). Program officials agreed and stated
           that these systems would be added as solutions are defined to
           address identified capability gaps.

           In addition, although version 3.1 includes separate entity
           relationship diagrams for the accounting, budget, and cost
           functional areas, it does not describe the relationships of
           entities across the planning, programming, budgeting, and
           execution process. According to the architecture's overview and
           summary information, this overall business process has yet to be
           fully developed, including definition around the interdependencies
           that currently exist in the "As Is" planning, programming,
           budgeting, and execution process. As a result, the architecture
           does not yet support effective development of planning,
           programming, budgeting, and execution systems.

           With respect to the systematic measurement of
           performance-including the ability to produce timely, relevant, and
           reliable cost information-version 3.1 adds features linking the
           architecture business capabilities to systems and initiatives in
           the transition plan. For example, the architecture indicates that
           the business capability termed "financial reporting" will be
           enabled by the Business Enterprise Information Services system.
           These linkages provide an alignment of system investments with the
           architecture and thus can be used to establish business
           performance measures for system investments. In addition, the
           department has developed an initial baseline of capability metrics
           in the updated transition plan, which according to program
           officials will be used to measure progress towards achieving
           capability outcomes.

           However, version 3.1 still does not provide for the systematic
           measurement of performance (i.e., the means by which the
           department can measure the intended mission value to be delivered
           by the portfolio of programs in the architecture). The
           architecture also does not include standard methods to collect and
           evaluate performance data and SFIS data elements that support
           systematic measurement of performance have yet to be developed.
           Program officials acknowledged this missing content and stated
           that they plan to include measurements and targets in future
           releases.

           In addition, version 3.1 does not describe business performance
           shortfalls to be addressed based on a capability gap analysis
           between the "As Is" and the "To Be" environments. Program
           officials stated that such performance shortfalls, such as the
           inability to properly eliminate intra-governmental transactions,
           are being identified through a variety of sources (e.g., Inspector
           General and DOD Performance and Accountability reports along with
           our own reports). However, they agreed that there is a need to
           synthesize and prioritize these inputs so that a better
           understanding can be obtained on the performance shortfalls that
           have to be addressed through the "To Be" solutions.

           With respect to policies, procedures, data standards, and system
           interface requirements, version 3.1 requires that SFIS be
           established as an enterprisewide data standard for categorizing
           financial information along several dimensions (e.g.,
           appropriation account, budget program, organizational,
           transactional, trading partner, and cost accounting) to support
           financial management and reporting functions. Further, version 3.1
           adds greater definition on standard processes, rules, and data for
           intra-governmental ordering and billing.

           However, as stated earlier, SFIS data elements have not been
           completely defined and continue to evolve. In addition, the
           architecture has yet to include a systems standards profile to
           facilitate data sharing among departmentwide business systems and
           interoperability with departmentwide IT infrastructure systems.
           Program officials acknowledged that the architecture does not
           include a systems standards profile and stated that they are
           working with the Assistant Secretary of Defense (Networks and
           Information Integration)/Chief Information Officer (ASD(NII)/CIO)
           to address this in future versions.

           With regard to OMB policies and procedures, similar to version
           3.0, the latest version does not include a depiction of the "As
           Is" architecture, which is essential to performing a gap analysis
           to identify capability and system performance shortfalls that the
           transition plan is to address. Also, it does not include either an
           "As Is" or "To Be" depiction of all business processes, such as
           key aspects of the planning, programming, budgeting, and execution
           processes; the technology infrastructure; and security
           architecture. In response, program officials stated that "As Is"
           environment analyses and definitions have occurred and are planned
           on in an "as needed" and "just enough" basis. For example, they
           described "As Is" analysis and definition that has occurred at the
           system level for several of the enterprise-level systems (e.g.,
           DOD Real Property Information Systems), and work under way to
           further understand the interdependencies that exist in the current
           planning, programming, budgeting, and execution business process
           as an essential part of developing the "To Be" description of this
           process. While the "As Is" description is not included in versions
           3.0 and 3.1, according to a program official, the "As Is" work is
           in fact now being used to perform a business capability gap
           analysis and guide transformation based on the current set of
           priorities. In our view, the issue is not whether each
           architecture release includes all of the elements of an "As Is"
           environment, but that the releases disclose at a minimum the "As
           Is" analyses that have and that have not been performed. It is
           also in our view that DOD should describe in the architecture
           releases the importance or irrelevance of "As Is" analyses to the
           systems and initiatives in the enterprise transition plan and the
           operational activities and business processes in the target
           architecture.

           In addition to these areas, version 3.1 has also yet to address
           other limitations we previously reported. Specifically:

           o  Version 3.1 products are not yet fully integrated. For example,
           the operational event-trace description product-which indicates
           when activities are to occur within operational processes-is
           decomposed to a greater level of detail than the corresponding
           operational activity model, which shows the operational activities
           (or tasks) that are to occur and the input and output process
           flows among these activities. Program officials acknowledged this
           and stated that they are working to improve the operational
           activity models for several business enterprise priorities (e.g.,
           Personnel Visibility and Financial Visibility). In particular, the
           updated transition plan identifies business capability outcome
           metrics for additional operational activities, such as "Manage
           Vacancy Recruiting."
           o  Version 3.1 is not yet adequately linked to the component
           architectures and transition plans, which is particularly
           important given the department's federated approach to developing
           and implementing the architecture. As we previously reported, a
           federated architecture is composed of a set of coherent but
           distinct entity architectures. The members of the federation
           collaborate to develop an integrated enterprise architecture that
           conforms to the enterprise view and to the overarching rules of
           the federation. In its March 15, 2006, report to Congress, the
           department stated that integration will be an ongoing goal. To
           accomplish this goal, program officials told us that a federation
           strategy is being developed and will be implemented in future
           versions of the architecture and transition plan. However, they
           did not have an enterprise architecture development management
           plan containing this strategy.

           As we previously reported, the department has taken a 6-month
           incremental approach to developing the business enterprise
           architecture and meeting the Act's requirements. DOD officials
           told us that, as a minor release, version 3.1 was not intended to
           include new priorities or capabilities; but instead was intended
           to provide extension and "clean up" of the preceding release. They
           further stated that this approach of developing minor releases
           provides the department the means by which to balance architecture
           maintenance and implementation.

           We support DOD taking an incremental approach to developing the
           business enterprise architecture, recognizing that adopting such
           an approach is a best practice that we have advocated. In
           addition, we believe that version 3.1 provides an improved
           foundation on which to continue to build a more complete
           architecture.

           However, although the department agreed to develop a near-term
           plan it has not yet developed or established milestones for
           developing a near- or a long-term plan that will provide details
           on what will be included in these incremental architecture
           developments and what will not be included, with particular
           emphasis and clarity around the near-term increments. Without such
           a plan, the department is less likely to accomplish intended
           improvements. In addition, once the missing scope, content, and
           related shortcomings described is added, the architecture will be
           a more sufficient frame of reference to optimally guide and
           constrain DOD-wide system investment decision making.

           According to the department's most recent annual report to
           Congress, the March 15, 2006, version of its enterprise transition
           plan provides information on progress on major investments over
           the last 6 months-including key accomplishments and milestones
           attained, as well as new information on near-term activities
           (i.e., within the next 6 months) at both the enterprise and
           component levels. DOD also reports that this latest version of the
           transition plan indicates which of the limitations and gaps that
           we identified in the earlier plan have been addressed. DOD has
           taken a number of steps to improve its enterprise transition plan
           and address some of the missing elements that we previously
           identified45 relative to the Act's requirements and related
           transition planning guidance.

           With respect to the development of an acquisition strategy, the
           March 2006 transition plan refines and updates the September 2005
           transition plan. As we previously reported, the September 2005
           transition plan was largely based on a bottom-up planning process
           in which ongoing programs were examined and categorized in the
           plan around business enterprise priorities and capabilities,
           including a determination as to which programs would be designated
           and managed as DOD-wide programs versus component programs. To
           improve on this plan, the department defines an initiative that is
           based on shortfalls of current business capabilities. For example,
           version 3.1 of the architecture includes an initiative-referred to
           as the intra-governmental transactions initiative-that was based
           on a current "As Is" business capability shortfall relative to
           DOD's ability to properly eliminate intra-governmental
           transactions. This shortfall was highlighted as a material
           weakness in DOD's Fiscal Year 2005 Performance and Accountability
           Report.

           DOD continues to validate the inventory of ongoing IT investments
           that formed the basis for the prior version of the transition
           plan. Specifically, DOD intends future updates to the plan to
           continue to introduce the results of ongoing and planned analyses
           of gaps between its "As Is" and "To Be" architectural
           environments, in which capability and performance shortfalls are
           described and investments (such as transformation initiatives and
           systems) that are to address these shortfalls are clearly
           identified. In fact, DOD officials stated that they anticipate the
           scope and funding of some on-going programs in the plan-such as
           the Defense Integrated Military Human Resources System and the
           intra-governmental transactions initiative-to be revised to align
           them to achieve a desired business capability. Program officials
           stated that this evolution of the plan will be driven by (1)
           identifying gaps between the architecture requirements and
           currently planned program activities and (2) planning new systems
           and initiatives to address gaps identified in priorities,
           capabilities, and existing program activities. In particular, DOD
           plans to identify gaps (i.e., shortfalls) in the performance of
           its business capabilities in the next version of the architecture
           and, as transformation efforts mature, DOD will introduce a more
           top-down, capability-based approach.

           With respect to the identification of legacy systems that will and
           will not be part of the "To Be" architectural environment,
           including modifications to these systems, the prior plan
           identified some, but not all, of these systems. To address this
           limitation, the current plan identifies a number of additional
           legacy systems that will be terminated and thus will not be part
           of the target environment. For example, the plan now includes a
           number of recently determined termination dates for systems such
           as the Cash Reconciliation System, Financial Reporting System, and
           Navy Prompt Payment Interest. Furthermore, in its annual report to
           Congress, DOD noted that the military services collectively have
           identified over 290 legacy systems for elimination. DOD also
           indicated that this number is expected to change over time as more
           systems come in for certification and enterprise solutions are
           identified and refined. Moreover, the plan now reflects legacy
           systems identified to date for enterprise and component priorities
           and, according to officials, the list will continue to evolve as
           investment decisions are made via the tiered accountability
           investment review structure. For example, the Air Force has
           reassessed the systems migrating to the target Expeditionary
           Combat Support System, and this is reported in the March 2006
           plan. Program officials noted that this number will fluctuate as
           the scope of the Expeditionary Combat Support System changes.

           The March 2006 transition plan, however, does not yet include a
           number of the elements we have previously identified.

           o  It does not include a complete listing of the legacy systems
           that will not be part of the target architecture. In particular,
           the termination dates for many legacy systems remain unknown,
           making it unclear whether or not they will be part of the target
           environment. For example, the plan does not provide specific dates
           for terminating legacy systems such as the Personnel Records
           Management System, Defense Departmental Reporting System, and Base
           Accounts Receivable System.

           o  The plan does not include system and budget information for 13
           of its 15 defense agencies46 and for 8 of its 9 combatant
           commands.47 Program officials told us that information for these
           defense agencies and combatant commands is not included because,
           similar to the September plan, it was focused on the largest
           business-focused organizations in DOD, which they defined as those
           meeting tier 1 and tier 2 IRB certification criteria.48 According
           to the officials, the majority of these organizations do not have
           investments that meet the threshold criteria. Nevertheless, they
           appended that additional components will be added as appropriate
           when they have large business system investments planned. They
           also stated that the Defense Information Systems Agency's IT
           infrastructure investments will not be reflected in the enterprise
           transition plan because the capabilities that these investments
           are intended to deliver are reflected in the Global Information
           Grid rather than in the business enterprise architecture. As we
           previously reported,49 exclusion of Defense Information Systems
           Agency investments is particularly limiting, given that this
           agency and its investments provide the infrastructure services
           that business systems depend on to operate. Without including
           information on the timing and content of these investments, the
           critical relationship between infrastructure and systems becomes
           blurred in many ways. For example, it becomes unclear whether a
           new business system will be able to reuse existing infrastructure
           components or services-thereby leveraging established
           capabilities-or whether it will have to introduce duplicative
           capabilities as part of the business system investment.
           o  The plan does not include a complete listing of the legacy
           systems that will be part of the target architecture, nor does it
           include explicit strategies for modifying those legacy systems
           identified in the plan's system migration diagrams. In particular,
           the plan identifies those legacy systems for which some of its
           functionality will be migrated; however, it does not indicate
           whether or not these systems will still be operational in the "To
           Be" environment or will eventually be terminated. For example,
           although the plan identifies the Cargo Movement Operations System
           as one where the functionality will only be partially migrated,
           neither the plan nor version 3.1 of the architecture indicate
           whether this system will continue to be a part of the target
           environment.

           With respect to milestones, performance metrics, and resource
           needs, the plan identifies incremental milestones and resource
           needs for major investments and performance metrics for certain
           investments. The plan also identifies progress against program
           milestones that were depicted in the September 2005 plan. For
           example, in an effort to improve visibility into personnel
           activities, DOD reported that, for the Defense Civilian Personnel
           Data System, it met the milestone to deploy a data warehouse
           capability to facilitate data sharing. It also reported that, for
           this system, it has set a September 2008 milestone for developing
           an implementation strategy for integrating modules supporting
           functionality that is currently provided by stand-alone
           applications. However, it does not include other important
           information needed to understand the sequencing of these business
           investments. In particular, it does not include such information
           as organizational, process, and technology improvements required
           to achieve identified milestones. In addition, if an investment is
           dependent on Net-Centric Enterprise Services (NCES)50 for its core
           services, it should include the above information in establishing
           its deployment milestone and detail any issue associated with the
           incremental deployment of the NCES program.

           Beyond these areas, the March 2006 plan has yet to completely
           define specific business capabilities that are needed to support
           the business enterprise priorities. For example, according to DOD,
           the Materiel Visibility business enterprise priority requires
           additional capabilities related to the supply chain planning
           process, but neither these capabilities nor associated investments
           were in the plan. Program officials agreed and stated that future
           versions of the architecture and the transition plan will address
           the supply chain planning process, as well as other
           yet-to-be-identified process requirements (i.e., capability gaps).

           As we previously reported, the department is taking an incremental
           approach to developing its enterprise transition plan. In doing
           so, the department's latest plan improves on the prior plan, and
           program officials stated that many of the missing elements that we
           identified will be included in future iterations of the plan. This
           incremental approach is both a best practice and is consistent
           with our previous recommendation. However, the latest plan is
           still missing important content and the department has yet to
           develop or establish milestones for developing a near- or a
           long-term plan that will provide details on what will be included
           in each incremental iteration of the enterprise transition plan,
           with particular emphasis and clarity focused on the near-term
           increments. Without such a plan, the department is less likely to
           accomplish intended improvements. A transition plan is to be an
           acquisition strategy that recognizes timing and technological
           dependencies among planned systems investments, as well as other
           considerations, such as market trends and return on investment.
           The plan should enable the department to affirm that the set of
           programs in the plan are the appropriate ones to fill the gap
           between where it is now architecturally and where it wants to be.
           In addition, the plan should not only define schedule milestones
           but also include commitments for system capabilities and
           associated outcomes. Once missing content is added and all planned
           investments are validated by capability gap analyses, the
           department will be better positioned to sequentially manage the
           migration and disposition of existing business processes and
           systems-and the introduction of new ones.

           DOD has taken steps to meet the Act's requirements51 relative to
           the identification of all business systems in its IT budget
           request. In particular, program officials told us that the DOD
           Information Technology Portfolio Repository (DITPR) has been
           established as the authoritative repository for certain
           information about DOD's systems, such as system names and the
           responsible DOD components. Further, this repository is being
           expanded to contain information required for the certification,
           approval, and annual reviews of these business system investments.
           To ensure consistency of DOD's fiscal year 2007 IT budget
           submission with this authoritative inventory, DOD has reconciled
           (and intends to continue reconciling) DITPR with the database that
           it uses to prepare its IT budget submissions, referred to as
           Select and Native Programming Data System-Information Technology
           (SNAP-IT). According to program and military service officials,
           DOD is taking steps to ensure that each system investment is
           entered in DITPR and SNAP-IT, as appropriate, and it is
           continually reconciling the information between the two to ensure
           consistency.

           To further improve the completeness and reliability of the fiscal
           year 2007 IT budget request, program officials told us that
           business system investments greater than $1 million were broken
           out individually, but that more needs to be done before smaller
           systems-those with modernization funding less than $1 million over
           the future years' defense program (fiscal years 2006-2011)-are
           individually visible in the budget. DOD's steps should help ensure
           the completeness and reliability of its IT budget submissions, and
           increase compliance with the Act's requirements relative to DOD's
           IT budgetary disclosure.

           The Act specifies two basic requirements, effective October 1,
           2005, for obligation of funds for business system modernizations
           costing more than $1 million. First, it requires that these
           modernizations be certified by a designated "approval authority"52
           as meeting specific criteria.53 Second, it requires that the DBSMC
           approve each certification. The Act also states that failure to do
           so before the obligation of funds for any such modernization
           constitutes a violation of the Anti-deficiency Act.54 In this
           regard, the department reported in September 2005 that the DBSMC
           had approved 166 business system modernizations, and in March 2006
           that an additional 60 business systems were approved by the DBSMC.
           According to DOD, these 226 business systems represent about $3.6
           billion in modernization investment funding.

           A key element of the department's approach to reviewing and
           approving business systems investments is the use of what it
           refers to as "tiered accountability." DOD's tiered accountability
           approach involves an investment control process that begins at the
           component level and works its way through a hierarchy of review
           and approval authorities, depending on the size and significance
           of the investment. In our discussions with Army, Navy, and Air
           Force officials, they emphasized that the success of the process
           depends on them to perform a thorough analysis of each business
           system before it is submitted for higher-level review and
           approval.

           According to the department's March 2006 report, the investment
           review and approval process has identified over 290 systems for
           phase-out/elimination. Furthermore, in January 2006, the
           department eliminated further development of the Forward
           Compatible Payroll System (FCP). According to the department's
           fiscal year 2007 budget request selected capital investment
           report, FCP was intended to address the military pay problems that
           are generated by the existing obsolete military pay system.
           However, in reviewing the program status, it was determined that
           FCP would duplicate the functionality contained in the Defense
           Integrated Military Human Resources System. Therefore, it was
           unnecessary to continue investing in two military payroll systems.
           According to the department's fiscal year 2007 IT budget request,
           approximately $33 million was sought for fiscal year 2007 and
           about $31 million was estimated for fiscal year 2008 for FCP.
           Eliminating this duplicative system will enable DOD to use this
           funding for other priorities. The funding of multiple systems that
           perform the same function is one reason the department has
           thousands of business systems. Identifying and eliminating
           duplicative systems helps optimize mission performance and
           accountability and supports the department's transformation goals.

           The department's March 2006 report to congressional defense
           committees also notes that the investment review process has
           identified approximately 40 business systems for which the
           requested funding was reduced and the funding availability periods
           were shortened to less than the number of years requested. Based
           on information provided by the BTA program officials, there was a
           reduction of funding and the number of years that funding will be
           available for 14 Army business systems, 8 Air Force business
           systems, and 8 Navy business systems. More specifically, the
           Army's Future Combat Systems Advanced Collaborative Environment
           program requested funding of $100 million for fiscal years 2006 to
           2011, but the amount approved was reduced to approximately $51
           million for fiscal years 2006 to 2008. Similarly, Navy's Military
           Sealift Command Human Resources Management System requested
           funding of about $19 million for fiscal years 2006 to 2011, but
           the amount approved was approximately $2 million for the first 6
           months of fiscal year 2006. According to Navy officials, this
           system initiative will be reviewed to ascertain whether it has
           some of the same functionality as the Defense Civilian Personnel
           Data System. Funding system initiatives for shorter time periods
           can help reduce the financial risk by providing additional
           opportunities for monitoring a project's progress against
           established milestones and help ensure that the investment is
           properly aligned with the architecture and the department's
           overall goals and objectives.

           Besides limiting funding as part of the investment review and
           approval process, this process is also resulting in conditions
           being place on system investments. These conditions identify
           specific actions that must be taken and the specific time frames
           attached to when the actions must be completed. For example, in
           the case of the Army's Logistics Modernization Program, a system
           initiative that we have previously reported on, one of the noted
           conditions was that the Army had to address the issues discussed
           in our report.55 In our May 2004 report, we recommended that the
           department establish a mechanism that provides for tracking all
           business systems modernization conditional approvals to provide
           reasonable assurance that all specific actions are completed on
           time.56 The department's action is consistent with the intent of
           our recommendation. Further, the military service officials
           indicated that the tracking systems will be one of the "tools"
           they will use as part of the required statutory annual system
           reviews. In the case of the Army, officials noted that they had
           requested an update on the status of each condition by April 7,
           2006.

           Notwithstanding the above described efforts to control the
           department's business system investments, formidable challenges
           remain. In particular, military service officials told us that the
           review of those business systems that have modernization funding
           of less than $1 million represents the majority of the
           department's reported 3,717 business systems, and that reviews of
           these systems are only now being started on an annual basis. In
           April 2006, the department issued guidance entitled "Investment
           Certification and Annual Review Process User Guidance," which
           complements the department's May 2005 guidance on its IRB process.
           According to Air Force officials, the additional guidance is
           intended to help ease the administrative burden associated with
           performing the system reviews and further instill consistency
           among the DOD components. However, the extent to which the
           structures and processes will be applied to the department's 3,717
           business systems is still evolving. Given the large number of
           systems involved, it is important that the system review and
           approval process be effectively implemented for all systems. For
           example, we reported in April 2005,57 that the Army, the Navy, and
           the Air Force have 193; 1,512; and 166 logistics systems,
           respectively. Such large numbers of systems indicate a real
           possibility for eliminating unnecessary duplication and avoiding
           unnecessary spending.

           The Act directs that DOD establish five IRBs, each responsible and
           accountable for controlling certain business system investments to
           ensure compliance and consistency with the business enterprise
           architecture. Four of the five designated IRBs have been
           established, the exception being an IRB chaired by the
           ASD(NII)/CIO. According to the Act and the Deputy Secretary of
           Defense's March 19, 2005, memorandum, the ASD(NII)/CIO-chaired IRB
           is responsible and accountable for any business system that
           primarily supports IT infrastructure or information assurance
           activities. According to ASD(NII)/CIO officials, this IRB has not
           been established because the CIO does not have direct control and
           accountability over any business systems, thus making this IRB
           unnecessary. These officials further noted that if there is
           specific infrastructure that would be necessary for a given
           business system, a representative of the ASD(NII)/CIO office is a
           participant in each of the other four IRBs.

           The Act's requirement that modernizations costing more than $1
           million must be certified by a designated "approval authority" and
           subsequently approved by the DBSMC prior to funds being obligated
           not only applies to any business systems that constitute
           functional area applications but also to any infrastructure that
           constitutes a business system. Our analysis of the department's
           detailed fiscal year 2007 budget request documents disclosed
           approximately $47 million of infrastructure modernizations costing
           more than $1 million that are designated by DOD in those documents
           as in support of the business mission area. Investment in
           infrastructure is an integral part of both an enterprise
           architecture and transition plan, and should, therefore, be
           subject to the same investment management structures and processes
           as the application systems that they support.

           The Act's requirements concerning the architecture, transition
           plan, budgetary disclosure, and investment management structures
           and processes-as discussed earlier-are consistent with our prior
           recommendations. Over the last 5 years, we have made 34
           recommendations to assist the department in developing a
           well-defined and useful business enterprise architecture and using
           it to gain control over its ongoing business system investments.
           (See app. II for details on the status of our recommendations.)
           DOD agreed with our recommendations and stated its commitment to
           implement them. Of the 34 recommendations, DOD had taken steps to
           fully implement 4 and 29 of our recommendations were still open as
           of November 2005, meaning that DOD had yet to fully implement
           them.58

           In its March 15, 2006, annual report to Congress, DOD restated its
           commitment to address each of the remaining 29 open
           recommendations. It also reported that it had fully implemented 23
           of the open recommendations and was in the process of implementing
           6.

           In taking steps to further comply with the Act, DOD has also taken
           (and continues to take) actions to implement our open
           recommendations. Of the 29 remaining recommendations, DOD has
           taken steps to fully implement 16 and is in the process of
           implementing the remaining 13. For example, DOD has fully acted on
           our recommendations to

           o  issue a policy that directs the development, implementation,
           and maintenance of an architecture and
           o  establish a hierarchy of IRBs to gain control over ongoing IT
           investments.

           DOD is also taking steps related to, for example, our
           recommendations to develop an architecture program management plan
           and adopt a strategic approach to meeting the program's human
           capital needs. However, additional steps are needed to fully
           implement these recommendations.

           o  The department included a high-level, notional description of
           steps it plans to take over the next year related to architecture
           development, maintenance, and implementation. Program officials
           also described in broad terms these plans orally to us. In
           particular, the department intends to define and implement a
           metrics framework to measure results in terms of operational
           performance improvement, add scope and content to the architecture
           in 6-month increments, and define and use criteria to gauge
           investment compliance with the architecture. However, the
           department has yet to develop an enterprise architecture program
           management plan to describe, among other things, what the
           architecture and transition plan increments individually or
           collectively will include and not include, and how the quality and
           utility of these increments will be determined.
           o  Program officials told us that they have begun analyzing the
           architecture program's workforce needs and capabilities using a
           three-phase approach. Phase I-which according to DOD is
           complete-resulted in the development of a knowledge and skills
           model for the program's architecture and transition plan staff.
           The second phase is in progress-according to DOD-and involves
           identifying and assessing the knowledge and skills of the existing
           architecture and transition plan staff. According to program
           officials, this phase will set overall program needs and provide
           the basis for identifying gaps and recommendations for filling the
           gaps. Phase III will implement the recommendations. According to
           DOD, it has not yet established milestones for Phase III.

           Program officials, including the Special Assistant to the Deputy
           Under Secretary of Defense (Business Transformation) and the
           Director of Transformation Planning and Performance, stated that
           the department is committed to addressing all of our open
           recommendations. However the department has yet to establish
           milestones for addressing all our recommendations. It is important
           that the department move swiftly in doing so because these
           recommendations are aimed at strengthening architecture management
           activities, adding missing content to architecture products, and
           controlling ongoing and planned business system investments. Until
           it does, the department will not be able to effectively guide and
           constrain its business modernization efforts and move away from
           non-integrated business systems development efforts.

           Since our last report, DOD has continued to make important
           progress in defining and implementing institutional management
           controls (i.e., processes, structures, and tools), but much
           remains to be accomplished relative to the National Defense
           Authorization Act for Fiscal Year 2005  requirements and relevant
           guidance. In particular, the business enterprise architecture and
           the enterprise transition plan are still missing important content
           and the business system investment process is not yet fully
           established and institutionalized at all organizational levels.
           DOD recognizes this and has stated its commitment to incrementally
           improve its business systems modernization controls relative to
           most of these areas. It is critically important that DOD swiftly
           implement our open recommendations, including developing a
           well-defined enterprise architecture program management plan, as
           we have previously noted and recommended, and the department has
           agreed to do so. However, the department has yet to develop this
           plan or establish milestones for developing it. Until it does, the
           likelihood of sustained incremental improvement to its
           modernization management controls will be diminished and the means
           of holding the department accountable for such improvement will be
           missing. Even with this plan and the associated management control
           improvements, however, the more formidable challenge facing the
           department is how well it can implement these controls over the
           years ahead on each and every business system investment. While
           not a guarantee, institutionalization of well-defined
           modernization management controls can go a long way in addressing
           this longer-term challenge.

           To further assist the department in institutionalizing
           well-defined business systems modernization management controls,
           to facilitate congressional oversight, and promote departmental
           accountability, we recommend that the Secretary of Defense direct
           the Deputy Secretary of Defense, as the chair of the DBSMC, to
           submit an enterprise architecture program management plan to
           defense congressional committees. At a minimum, the plan should
           define what the department's incremental improvements to the
           architecture and transition plan will be, and how and when they
           will be accomplished, including what (and when) architecture and
           transition plan scope and content and architecture compliance
           criteria will be added into which versions. In addition, the plan
           should include an explicit purpose and scope for each version of
           the architecture, along with milestones, resource needs, and
           performance measures for each planned version, with particular
           focus and clarity on the near-term versions.

           In its written comments on a draft of this report, signed by the
           Deputy Under Secretary of Defense (Business Transformation) and
           reprinted in appendix III, the department stated that it
           appreciated our analysis of its plans and activities and our
           associated recommendations, adding that we continue to be a
           constructive player in the department's efforts to transform its
           business operations and that it welcomes our insights and looks
           forward to our future participation in its transformation efforts.
           The department also stated that our assessment and findings are a
           fair representation of DOD's efforts to date, and while it does
           not agree with all of our points, it recognizes that even in areas
           of disagreement there is opportunity for dialog and learning. In
           this regard, the department provided additional comments in two
           areas.

           First, DOD recognized the importance of addressing our
           recommendations, and stated that it has moved aggressively over
           the past year to do so. It also stated that it is important that
           we make recommendations that are sufficiently specific to permit
           reasonable implementation and that we provide prompt feedback on
           whether DOD's implementation actions are in line with the
           recommendations. We agree and will continue to work proactively
           and constructively with the department to facilitate the
           implementation of the recommendations in the future.

           Second, DOD stated that it partially agreed with the
           recommendation in the draft report, characterizing it as
           developing a departmentwide enterprise architecture program
           management plan to gain control of the department's IT
           environment. According to DOD, such a plan would far exceed the
           current scope of business systems modernization, and thus
           addressing it would require it to first explore the feasibility of
           such a departmentwide approach and more time than our recommended
           July 31, 2006 date for providing the plan to defense congressional
           committees. Accordingly, DOD stated that it would issue a formal
           position on our recommendation by September 30, 2006.

           We agree that the business enterprise architecture should be
           departmentwide in scope and that its content should address, and
           thus allow it to gain control of, the department's business IT
           environment, which would include both business systems and
           supporting IT infrastructure and shared services (e.g.,
           information security). However, the recommendation in our draft
           report was not aimed at adding this scope and content to the
           architecture and transition plan by July 31, 2006. Rather, it was
           aimed at developing an incremental plan that would show what
           missing scope and content would be added in each incremental
           version of the architecture and transition plan to eventually have
           an enterprise architecture that addressed the full scope of the
           department's business IT environment. The exploration activities
           that DOD identifies in its comments would thus be one aspect of
           what would be done under this incremental program management plan.
           Further, as we recommended, this plan would be much clearer and
           more precise with respect to the purpose, scope, and content of
           the next version of the architecture and transition plan, as well
           as the time frames and resources for producing it, and
           understandably more notional with respect to the later versions
           that perhaps require exploration activities and further thought.

           Because the plan that we recommended is fundamental to the
           continued improvement of the architecture and transition plan and
           congressional oversight, we believe that it needs to be developed
           and provided to defense congressional committees expeditiously.
           However, to further ensure that the intent of our recommendation
           is properly interpreted, and to address DOD's concern about the
           time needed to address it, we have slightly modified the
           recommendation to add clarifying language and to exclude a date
           for the plan's submission to defense congressional committees.

           We are sending copies of this report to interested congressional
           committees; the Director, Office of Management and Budget; the
           Secretary of Defense; the Deputy Secretary of Defense; the Under
           Secretary of Defense for Acquisition, Technology, and Logistics;
           the Under Secretary of Defense (Comptroller); the Assistant
           Secretary of Defense (Networks and Information Integration)/Chief
           Information Officer; the Under Secretary of Defense (Personnel and
           Readiness); and the Director, Defense Finance and Accounting
           Service. This report will also be available at no charge on our
           Web site at http://www.gao.gov .

           If you or your staff have any questions on matters discussed in
           this report, please contact me at (202) 512-3439 or [email protected],
           or McCoy Williams at (202) 512-9095 or [email protected]. Contact
           points for our Offices of Congressional Relations and Public
           Affairs may be found on the last page of this report. GAO staff
           who made major contributions to this report are listed in appendix
           V.

           Randolph C. Hite Director Information Technology Architecture and
           Systems Issues

           McCoy Williams

           Director

           Financial Management Assurance

           List of Committees

           The Honorable John Warner Chairman The Honorable Carl Levin
           Ranking Minority Member Committee on Armed Services United States
           Senate

           The Honorable Ted Stevens Chairman The Honorable Daniel K. Inouye
           Ranking Minority Member Subcommittee on Defense Committee on
           Appropriations United States Senate

           The Honorable Duncan L. Hunter Chairman The Honorable Ike Skelton
           Ranking Minority Member Committee on Armed Services House of
           Representatives

           The Honorable C.W. Bill Young Chairman The Honorable John P.
           Murtha Ranking Minority Member Subcommittee on Defense Committee
           on Appropriations House of Representatives

           Our objectives were to (1) assess the actions by the Department of
           Defense (DOD) to comply with the requirements of Section 2222 of
           Title 10, U.S. Code1 and (2) determine the extent to which DOD has
           addressed our prior recommendations.

           Consistent with the Act and as agreed with the staffs of
           congressional defense committees, we used our November 2005 report
           ( GAO-06-219 ) as a baseline and evaluated DOD's efforts relative
           to the remaining five requirements in the Act: (1) development of
           an enterprise architecture that includes an information
           infrastructure enabling DOD to support specific capabilities, such
           as data standards and system interface requirements; (2)
           development of a transition plan for implementing the enterprise
           architecture that includes specific elements, such as the
           acquisition strategy for new systems; (3) inclusion of business
           systems information in DOD's budget submission; (4) establishment
           of business systems investment review processes and structures;
           and (5) approval of defense business systems investments in excess
           of $1 million.

           To determine whether the architecture addressed the requirements
           specified in the Act, we reviewed version 3.1 of the business
           enterprise architecture, which was released on March 15, 2006.
           This review included analyzing the scope and content of version
           3.1 architecture products to determine whether they addressed the
           missing elements we identified in our November 2005 report. In
           addition, we requested a traceability matrix demonstrating where
           in the architecture each of the elements was addressed and
           interviewed program officials to validate the information in this
           matrix. In reviewing the products, we focused on the changes from
           version 3.0 and the traceability matrix prepared by DOD. In
           addition, we interviewed key program officials, including the
           Director of Transformation Planning and Performance; Special
           Assistant to the Deputy Under Secretary of Defense (Business
           Transformation); Chief Architect; and the Enterprise Transition
           Plan Team lead, to obtain an understanding of the steps taken and
           planned to address the missing elements we previously reported and
           to ascertain the relationship between the architecture and the
           plan.

           To determine whether the enterprise transition plan addressed the
           requirements specified in the Act, we reviewed the updated
           enterprise transition plan released on March 15, 2006, and
           included in DOD's March 15, 2006, annual report to Congress. This
           review included determining whether the transition plan addressed
           the missing elements identified in our November 2005 report, such
           as an acquisition strategy for new systems and a statement of
           financial and non-financial resource needs. Specifically, we
           requested a traceability matrix demonstrating where in the
           transition plan each of the elements was addressed and interviewed
           program officials to validate the information in this matrix. In
           reviewing the plan, we focused on the changes from the September
           30, 2005, version and the traceability matrix prepared by DOD. We
           interviewed program officials, including the Director of
           Transformation Planning and Performance; Special Assistant to the
           Deputy Under Secretary of Defense (Business Transformation); Chief
           Architect; and the Enterprise Transition Plan Team lead to obtain
           an understanding of the steps taken and planned to address the
           missing elements we previously reported, and to ascertain the
           relationship between the plan and the architecture.

           To determine whether DOD's fiscal year 2007 information technology
           (IT) budget submission was prepared in accordance with the
           criteria set forth in the Act, we reviewed and analyzed DOD's
           fiscal year 2007 IT budget request. As part of our analysis, we
           determined the portion of the budget request that related to the
           department's business systems and related infrastructure. We
           reviewed the accompanying budget exhibits and selected capital
           investment reports to obtain additional information on specific
           business systems.

           To determine whether DOD has established investment review
           structures and processes and issued a standard set of investment
           review and decision-making criteria, we reviewed applicable
           policies and procedures issued by the department. In this regard,
           we interviewed program officials to determine whether the one
           investment review board (IRB) that we reported as not being
           established in our November 2005 report had since been
           established, and if not, the reasons why. We also examined process
           documents to see whether they provide for key requirements in the
           Act, such as annual reviews of every investment and use of
           business enterprise architecture compliance criteria.

           To determine whether the department was reviewing and approving
           business system investments exceeding $1 million, we obtained from
           DOD the list of business system investments certified by the IRBs
           and approved by the Defense Business Systems Management Committee.
           Because of time constraints, we selectively verified the
           information provided by the department with the certification and
           approval information in the budget request to identify any
           anomalies. We also analyzed the fiscal year 2006 column of the
           fiscal year 2007 budget request to ascertain the specific number
           of business systems earmarked for modernization funding in excess
           of $1 million. We selected systems from our analysis of the IT
           budget with DOD's list of systems to ascertain if the business
           systems were certified and approved as stipulated by the Act. For
           these selected systems, we obtained and reviewed documentation
           related to the certification and approval process as specified in
           the Act and outlined in the department's tiered accountability
           concept. Furthermore, we met with representatives from the Army,
           the Navy, and the Air Force to ascertain the specific actions that
           were taken (or planned to be taken) in order to perform the annual
           systems reviews as required by the Act.

           To determine the extent to which DOD has addressed our open
           recommendations, we met with program officials, including the
           Director of Transformation Planning and Performance, Chief
           Architect, and the Enterprise Transition Plan Team lead, to obtain
           an understanding of the steps taken and planned to address our
           recommendations. We obtained and analyzed documentation that
           described the specific corrective actions taken. We reviewed
           program documentation, such as the March 15, 2006, annual report,
           updated transition plan, and version 3.1 of the architecture to
           determine whether DOD addressed our recommendations related to
           architecture scope and content. We used our Enterprise
           Architecture Management Maturity Framework, which describes the
           stages of management maturity, to update the status of key
           elements of architecture management best practices that DOD had
           not adopted. To make this determination, we reviewed program
           documentation, such as program policies and procedures,
           configuration and communications plans, and charters for the
           governance bodies; and we compared them to the elements in the
           framework. We also reviewed documentation regarding DOD
           verification and validation activities in the architecture
           development process. In addition, we reviewed the guidance
           establishing the IRBs and describing the investment management
           process.

           We did not independently validate the reliability of the cost and
           budget figures provided by DOD, because the specific amounts were
           not relevant to our findings.

           We conducted our work at DOD headquarters offices in Arlington,
           Virginia, from January through May 2006 in accordance with
           generally accepted government auditing standards.

           Various enterprise architecture frameworks are available for
           organizations to follow. Although these frameworks differ in their
           nomenclatures and modeling approaches, they consistently help
           define an enterprise's operations in both (1) logical terms, such
           as interrelated business processes and business rules, information
           needs and flows, and work locations and users; and (2) technical
           terms, such as hardware, software, data, communications, and
           security attributes and performance standards. The frameworks help
           define these perspectives for both the enterprise's current, or
           "As Is," environment and its target, or "To Be," environment-as
           well as a transition plan for moving from the "As Is" to the "To
           Be" environment.

           For example, John A. Zachman developed a structure or framework
           for defining and capturing an architecture.1 This framework
           describes six windows or "perspectives" from which to view the
           enterprise: those of (1) the strategic planner, (2) system user,
           (3) system designer, (4) system developer, (5) subcontractor, and
           (6) system itself. Zachman also proposed six models that are
           associated with each of these perspectives; these models describe
           (1) how the entity operates, (2) what the entity uses to operate,
           (3) where the entity operates, (4) who operates the entity, (5)
           when entity operations occur, and (6) why the entity operates.
           Zachman's framework provides a conceptual schema that can be used
           to identify and describe an entity's existing and planned
           components and their relationships to one another before beginning
           the costly and time-consuming efforts associated with developing
           or transforming the entity.

           Since Zachman introduced his framework, a number of other
           frameworks have been proposed. In August 2003, the department
           released version 1.0 of the DOD Architecture Framework (DODAF).2
           The DODAF defines the type and content of the architectural
           products, as well as the relationships among the products that are
           needed to produce a useful architecture. Briefly, it decomposes an
           architecture into three primary views: operational, systems, and
           technical standards3 (see fig. 2). According to DOD, the three
           interdependent views are needed to ensure that IT systems support
           operational needs and that they are developed and implemented in
           an interoperable and cost-effective manner.

           Figure 2: Interdependent DODAF Views of an Architecture

           In September 1999, the federal CIO's Council published the Federal
           Enterprise Architecture Framework (FEAF), which is intended to
           provide federal agencies with a common construct on which to base
           their respective architectures and to facilitate the coordination
           of common business processes, technology insertion, information
           flows, and system investments among federal agencies. FEAF
           describes an approach, including models and definitions, for
           developing and documenting architecture descriptions for
           multiorganizational functional segments of the federal government.
           Similar to most frameworks, FEAF's proposed models describe an
           entity's business, the data necessary to conduct the business,
           applications to manage the data, and technology to support the
           applications.

           In addition, the OMB established the Federal Enterprise
           Architecture (FEA) Program Management Office to develop a
           federated enterprise architecture in the context of five
           "reference models, and a security and privacy profile that
           overlays the five models."

           o  The Business Reference Model is intended to describe the
           federal government's businesses, independent of the agencies that
           perform them. This model consists of four business areas: (1)
           services for citizens, (2) mode of delivery, (3) support delivery
           of services, and (4) management of government resources. It serves
           as the foundation for the Federal Enterprise Architecture. The OMB
           expects agencies to use this model as part of their capital
           planning and investment control processes to help identify
           opportunities to consolidate information technology investments
           across the federal government. Version 2.0 of this model was
           released in June 2003.
           o  The Performance Reference Model is intended to describe a set
           of performance measures for major information technology
           initiatives and their contribution to program performance.
           According to OMB, this model will help agencies produce enhanced
           performance information; improve the alignment and better
           articulate the contribution of inputs, such as technology, to
           outputs and outcomes; and identify improvement opportunities that
           span traditional organizational boundaries. Version 1.0 of this
           model was released in September 2003.
           o  The Service Component Reference Model is intended to identify
           and classify information technology service (i.e., application)
           components that support federal agencies and promote the reuse of
           components across agencies. This model is intended to provide the
           foundation for the reuse of applications, application
           capabilities, components (defined as "a self-contained business
           process or service with predetermined functionality that may be
           exposed through a business or technology interface"), and business
           services. According to OMB, this model is a business-driven,
           functional framework that classifies service components with
           respect to how they support business or performance objectives.
           Version 1.0 of this model was released in June 2003.
           o  The Data Reference Model is intended to describe, at an
           aggregate level, the types of data and information that support
           program and business line operations and the relationships among
           these types. This model is intended to help describe the types of
           interactions and information exchanges that occur across the
           federal government. Version 2.0 of this model was released in
           November 2005.
           o  The Technical Reference Model is intended to describe the
           standards, specifications, and technologies that collectively
           support the secure delivery, exchange, and construction of service
           components. Version 1.1 of this model was released in August 2003.
           o  The Security and Privacy Profile is intended to provide
           guidance on designing and deploying measures that ensure the
           protection of information resources. OMB has released version 1.0
           of the profile.

           Randolph C. Hite, (202) 512-3439 or [email protected]

           McCoy Williams, (202) 512-9095 or [email protected]

           In addition to the contacts named above, key contributors to this
           report were Darby Smith, Assistant Director; Neelaxi Lakhmani,
           Acting Assistant Director; and Susan Czachor, Francis Dymond, Eric
           Essig, Nancy Glover, Anh Le, John Martin, Mai Nguyen, Debra
           Rucker, and Andrea Smith.

           The Government Accountability Office, the audit, evaluation and
           investigative arm of Congress, exists to support Congress in
           meeting its constitutional responsibilities and to help improve
           the performance and accountability of the federal government for
           the American people. GAO examines the use of public funds;
           evaluates federal programs and policies; and provides analyses,
           recommendations, and other assistance to help Congress make
           informed oversight, policy, and funding decisions. GAO's
           commitment to good government is reflected in its core values of
           accountability, integrity, and reliability.

           The fastest and easiest way to obtain copies of GAO documents at
           no cost is through GAO's Web site ( www.gao.gov ). Each weekday,
           GAO posts newly released reports, testimony, and correspondence on
           its Web site. To have GAO e-mail you a list of newly posted
           products every afternoon, go to www.gao.gov and select "Subscribe
           to Updates."

           The first copy of each printed report is free. Additional copies
           are $2 each. A check or money order should be made out to the
           Superintendent of Documents. GAO also accepts VISA and Mastercard.
           Orders for 100 or more copies mailed to a single address are
           discounted 25 percent. Orders should be sent to:

           U.S. Government Accountability Office 441 G Street NW, Room LM
           Washington, D.C. 20548

           To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax:
           (202) 512-6061

           Contact:

           Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
           [email protected] Automated answering system: (800) 424-5454 or
           (202) 512-7470

           Gloria Jarmon, Managing Director, [email protected] (202) 512-4400
           U.S. Government Accountability Office, 441 G Street NW, Room 7125
           Washington, D.C. 20548

           Paul Anderson, Managing Director, [email protected] (202)
           512-4800 U.S. Government Accountability Office, 441 G Street NW,
           Room 7149 Washington, D.C. 20548

28DOD, Department of Defense Architecture Framework, Version 1.0, Volume 1
(Aug. 2003) and Volume 2 (Feb. 2004).

Fiscal Year 2005 National Defense Authorization Act Requirements

29Ronald W. Reagan National Defense Authorization Act for Fiscal Year
2005, Pub. L. No. 108-375, S: 332, 118 Stat. 1811, 1851-1856 (Oct. 28,
2004) (codified in part at 10 U.S.C. S: 2222).

Recent Review Indicates DOD Has Begun to Address Long-standing Weaknesses in
Institutional Approach to Business Systems Modernization

30GAO, Information Technology: Architecture Needed to Guide Modernization
of DOD's Financial Operations, GAO-01-525 (Washington, D.C.: May 17,
2001); DOD Business Systems Modernization: Improvements to Enterprise
Architecture Development and Implementation Efforts Needed, GAO-03-458
(Washington, D.C.: Feb. 28, 2003); Information Technology: Observations on
Department of Defense's Draft Enterprise Architecture, GAO-03-571R
(Washington, D.C.: Mar. 28, 2003); Business Systems Modernization: Summary
of GAO's Assessment of the Department of Defense's Initial Business
Enterprise Architecture, GAO-03-877R (Washington, D.C.: July 7, 2003); DOD
Business Systems Modernization: Important Progress Made to Develop
Business Enterprise Architecture, but Much Work Remains, GAO-03-1018
(Washington, D.C.: Sept. 19, 2003); DOD Business Systems Modernization:
Limited Progress in Development of Business Enterprise Architecture and
Oversight of Information Technology Investments, GAO-04-731R (Washington,
D.C.: May 17, 2004); DOD Business Systems Modernization: Billions Being
Invested without Adequate Oversight, GAO-05-381 (Washington, D.C.: April
29, 2005); DOD Business Systems Modernization: Long-standing Weaknesses in
Enterprise Architecture Development Need to Be Addressed, GAO-05-702
(Washington, D.C.: July 22, 2005).

31 GAO-06-219 .

32 GAO-06-219 ; and Defense Management: Foundational Steps Being Taken to
Manage DOD Business Systems Modernization, but Much Remains to be
Accomplished to Effect True Business Transformation, GAO-06-234T
(Washington, D.C.: Nov. 9, 2005).

DOD Is Taking Steps to Address Act's Requirements and Improve Approach to
                          Modernizing Business Systems

DOD Continues to Address Limitations in Prior Version of Architecture

33 GAO-06-219 .

34The United States Standard General Ledger provides a uniform chart of
accounts and technical guidance used in standardizing federal agency
accounting.

35 SFIS is the department's common financial business language.

36Intra-governmental transactions involve sales, services, or transfers
between two entities of the federal government.

37The ENT designation represents all business enterprise priorities.

38DOD defines the Global Information Grid as the globally interconnected,
end-to-end set of information, capabilities, associated processes, and
personnel for collecting, processing, storing, disseminating, and managing
information on demand to warfighters, policy makers, and support
personnel.

39 GAO-06-219 .

40See, for example, J. A. Zachman, "A Framework for Information Systems
Architecture," IBM Systems Journal 26, no. 3 (1987); Paula Hagan,
"Relating Elements of the Zachman Framework, Spewak's Enterprise
Architecture Planning, and DOD Products" (June 18, 2002); and B. Craig
Meyers and Patricia Oberndorf, "Managing Software Acquisition Open Systems
and COTS Products" (Addison-Wesley, 2001).

41DOD "components" include the military services, combatant commands,
defense agencies, and DOD field activities.

42 GAO-06-219 .

43This is a library of DOD standard accounting transactions that result
from specific business events (e.g., ordering depot-level repair parts).
It can be used as a baseline to institutionalize the United States
Standard General Ledger across components; and along with SFIS, it
provides a standard for DOD to update existing (and deploy new) business
systems.

44 GAO-06-219 .

DOD Has Made and Intends to Make More Improvements to Transition Plan

45 GAO-06-219 .

46DOD included system and budget information for the Defense Financial and
Accounting Service and Defense Logistics Agency in the transition plan.
DOD did not include this information for the following defense agencies:
(1) Ballistic Missile Defense Organization, (2) Defense Advanced Research
Projects Agency, (3) Defense Commissary Agency, (4) Defense Contract Audit
Agency, (5) Defense Contract Management Agency, (6) Defense Information
Systems Agency, (7) Defense Intelligence Agency, (8) Defense Legal
Services Agency, (9) Defense Security Cooperation Agency, (10) Defense
Security Service, (11) Defense Threat Reduction Agency, (12) National
Imagery and Mapping Agency, and (13) National Security Agency.

47DOD included system and budget information for the Transportation
Command in the transition plan. DOD did not include this information for
the (1) Central Command, (2) Joint Forces Command, (3) Pacific Command,
(4) Southern Command, (5) Space Command, (6) Special Operations Command,
(7) European Command, and (8) Strategic Command.

48As defined in the department's Investment Review Process Overview and
Concept of Operations for Investment Review Boards, tier 1 systems include
all systems that are classified as a "major automated information system"
or a "major defense acquisition program." A major automated information
system is a program or initiative that is so designated by the
ASD(NII)/CIO or that is estimated to require program costs in any single
year in excess of $32 million (fiscal year 2000 constant dollars), total
program costs in excess of $126 million (fiscal year 2000 constant
dollars), or total life-cycle costs in excess of $378 million (fiscal year
2000 constant dollars). A major defense acquisition program is so
designated by the Secretary of Defense, or it is a program estimated by
the Secretary of Defense to require an eventual total expenditure for
research, development, test, and evaluation of more than $300 million
(fiscal year 1990 constant dollars) or an eventual total expenditure for
procurement of more than $1.8 billion (fiscal year 1990 constant dollars).
Tier 2 systems include those with modernization efforts of $10 million or
greater but that are not designated as a major automated information
system or a major defense acquisition program, or programs that have been
designated as IRB interest programs because of their impact on DOD
transformation objectives. The tier system includes another tier in
addition to these two: tier 3 systems are modernization efforts that have
anticipated costs greater than $1 million but less than $10 million.

49 GAO-06-219 .

50NCES is intended to provide capabilities that are key to enabling
ubiquitous access to reliable decision-quality information. NCES
capabilities can be packaged into four product lines: service-oriented
architecture foundation (e.g., security and information assurance),
collaboration (e.g., application sharing), content discovery and delivery
(e.g., delivering information across the enterprise), and portal (e.g.,
user-defined Web-based presentation).

DOD Is Addressing Issues Related to Reporting Business Systems

51The Ronald W. Reagan National Defense Authorization Act for Fiscal Year
2005 specifies information that the department is to incorporate in its
budget request for fiscal year 2006 and each fiscal year thereafter.
Specifically, the Act states that each budget request must include
information on (1) each defense business system for which funding is being
requested; (2) all funds, by appropriation, for each such business system,
including funds by appropriation specifically for current services
(operation and maintenance) and systems modernization; and (3) the
designated approval authority for each business system.

DOD Has Efforts Under Way to Control its Business System Investments

52Approval authorities, including the Under Secretary of Defense for
Acquisition, Technology, and Logistics; the Under Secretary of Defense
(Comptroller); the Under Secretary of Defense for Personnel and Readiness;
the Assistant Secretary of Defense for Networks and Information
Integration/Chief Information Officer of the Department of Defense; and
the Deputy Secretary of Defense or an Under Secretary of Defense, as
designated by the Secretary of Defense, are responsible for the review,
approval, and oversight of business systems and must establish investment
review processes for systems under their cognizance.

53A key condition identified in the Act includes certification by
designated approval authorities that the defense business system
modernization is (1) in compliance with the enterprise architecture; (2)
necessary to achieve critical national security capability or address a
critical requirement in an area such as safety or security; or (3)
necessary to prevent a significant adverse effect on a project that is
needed to achieve an essential capability, taking into consideration the
alternative solutions for preventing such an adverse effect.

5431 U.S.C. S: 1341(a) (1) (A); see 10 U.S.C. S: 2222(b).

55 GAO-04-615 and Army Depot Maintenance: Ineffective Oversight of Depot
Maintenance Operations and System Implementation Efforts, GAO-05-441
(Washington, D.C.: June 30, 2005).

56 GAO-04-615 .

57 GAO-05-381 .

  DOD Has Not Established All Required Investment Review Boards

                 DOD Is Implementing Our Prior Recommendations

58One of our recommendations was absorbed into another recommendation,
which resulted in a total of 29 remaining open recommendations.

                                  Conclusions

                      Recommendations for Executive Action

                       Agency Comments and Our Evaluation

Appendix I: Objectives, Scope, and Methodology Appendix I: Objectives,
Scope, and Methodology

1Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005,
Public Law 108-375, S: 332, 118 Stat. 1811, 1851-1856 (Oct. 28, 2004)
(codified in part at 10 U.S.C. S: 2222).

Appendix II: Prior Recommendations on DOD's Business Enterprise
Architecture and Investment Management Appendix II: Prior Recommendations
on DOD's Business Enterprise Architecture and Investment Management

                           Implemented?            
GAO report information       In      GAO        
and recommendation      Yes  Process assessment 
GAO-01-525: Information                          
Technology:                                      
Architecture Needed to                           
Guide Modernization of                           
DOD's Financial                                  
Operations, May 17,                              
2001.                                            
(1) The Secretary of     X                       Previously implemented    
Defense immediately                              
designate DOD financial                          
management                                       
modernization a                                  
departmental priority                            
and accordingly direct                           
the Deputy Secretary of                          
Defense to lead an                               
integrated program                               
across the department                            
for modernizing and                              
optimizing financial                             
management operations                            
and systems.                                     
(2) The Secretary        X                       The Deputy Secretary of   
immediately issue a DOD                          Defense issued a          
policy that directs the                          memorandum on February 7, 
development,                                     2005, establishing the    
implementation, and                              Defense Business Systems  
maintenance of an                                Management Committee      
enterprise architecture                          (DBSMC), whose            
(EA).                                            responsibilities, among   
                                                    other things, include the 
                                                    approval of the business  
                                                    enterprise architecture   
                                                    (BEA) and the enterprise  
                                                    transition plan (ETP). On 
                                                    October 7, 2005, the      
                                                    Deputy Secretary of       
                                                    Defense also issued a     
                                                    memorandum establishing   
                                                    the Business              
                                                    Transformation Agency     
                                                    (BTA), which is           
                                                    responsible for           
                                                    maintaining and updating  
                                                    the BEA and the ETP.      
(3) The Secretary        X                       In February 2005, the     
immediately modify the                           Deputy Secretary of       
Senior Financial                                 Defense established the   
Management Oversight                             DBSMC, as the highest     
Council's charter to                             ranking governance body   
                                                    responsible for           
      o  designate the                              overseeing DOD business   
      Deputy Secretary of                           systems modernization     
      Defense as the                                efforts and               
      Council Chair and                                                       
      the Under Secretary                              o  designated the      
      of Defense                                       Deputy Secretary of    
      (Comptroller) as the                             Defense as the Chair   
      Council Vice-Chair;                              and the Under          
      o  empower the                                   Secretary of Defense   
      Council to serve as                              for Acquisition,       
      DOD's EA steering                                Technology, and        
      committee, giving it                             Logistics as Vice-     
      the responsibility                               Chair;                 
      and authority to                                 o  assigned the        
      ensure that a DOD EA                             committee the          
      is developed and                                 responsibility of      
      maintained in                                    reviewing and          
      accordance with the                              approving all major    
      DOD Architecture                                 releases of the BEA    
      Framework;                                       and ETP and assigned   
      o  empower the                                   the BTA the            
      Council to serve as                              responsibility for     
      DOD's financial                                  maintaining and        
      management                                       updating the BEA in    
      investment review                                accordance with DOD    
      board, giving it the                             Architecture           
      responsibility and                               Framework;             
      authority to (1)                                 o  delegated, on March 
      select and control                               19, 2005, the          
      all DOD financial                                authority for the      
      management                                       review, approval, and  
      investments and (2)                              oversight of the       
      ensure that its                                  planning, design,      
      investment decisions                             acquisition,           
      treat compliance                                 deployment, operation, 
      with the EA as an                                maintenance, and       
      explicit condition                               modernization of       
      for investment                                   defense business       
      approval that can be                             systems to the         
      waived only if                                   designated approval    
      justified by a                                   authority for each     
      compelling written                               business area; a and   
      analysis; and                                    o  issued criteria for 
      o  expand the role                               reviewing all business 
      of the Council's                                 systems annually and   
      System Compliance                                for certifying         
      Working Group to                                 business system        
      include supporting                               modernizations over $1 
      the Council in                                   million. The           
      determining the                                  department's guidance  
      compliance of each                               recognizes that one of 
      system investment                                the key elements in    
      with the enterprise                              evaluating its         
      architecture at key                              business system        
      decision points in                               investments is the     
      the system's                                     importance of being    
      development or                                   consistent with the    
      acquisition life                                 BEA.                   
      cycle.                                        
(4) The Secretary        X                       The BTA, whose management 
immediately make the                             and oversight is provided 
Assistant Secretary of                           cooperatively by the      
Defense (Command,                                Deputy Under Secretary of 
Control,                                         Defense (Business         
Communications, &                                Transformation) and the   
Intelligence), in                                Deputy Under Secretary of 
collaboration with the                           Defense (Financial        
Under Secretary of                               Management) briefs the    
Defense (Comptroller),                           DBSMC monthly on, among   
accountable to the                               other things, the status  
Senior Financial                                 of the BEA. The Assistant 
Management Oversight                             Secretary of Defense      
Council for developing                           (Networks and Information 
and maintaining a DOD                            Integration)/DOD Chief    
enterprise                                       Information Officer       
architecture.                                    (ASD(NII)/CIO) is a       
                                                    member of the DBSMC.      
In fulfilling this                                                         
responsibility, the                              In fulfilling this        
Assistant Secretary                              responsibility, the       
appoint a chief                                  department has appointed  
architect for DOD                                a Chief Architect under   
business management                              the BTA, and developed a  
modernization and                                position description that 
establish and                                    outlines the roles and    
adequately staff and                             responsibilities of the   
fund an enterprise                               chief architect. In       
architecture program                             addition, in July 2001,   
office that is                                   it established a program  
responsible for                                  office and according to   
developing and                                   program officials, the    
maintaining a DOD-wide                           department has adequate   
EA in a manner that is                           staff and funding for     
consistent with the                              developing and            
framework defined in                             maintaining the           
the Chief Information                            architecture. Moreover,   
Officer (CIO) Council's                          the department has taken  
published guide for                              steps to                  
managing enterprise                                                        
architectures. In                                   o  obtain executive    
particular, the                                     buy-in and support, as 
Assistant Secretary                                 evidence by the        
should take appropriate                             establishment of the   
steps to ensure that                                DBSMC;                 
the Chief Architect                                 o  establish the       
                                                       architecture           
      o  obtains executive                             management structure   
      buy-in and support;                              and controls-such as   
      o  establishes                                   establishing one       
      architecture                                     division under the BTA 
      management structure                             to oversee             
      and controls;                                    architecture           
      o  defines the                                   development and        
      architecture process                             maintenance, and       
      and approach;                                    another to oversee the 
      o  develops the                                  long-term internal and 
      baseline                                         external communication 
      architecture, the                                activities;            
      target architecture,                             o  define the process  
      and the sequencing                               and approach for       
      plan;                                            developing the current 
      o  facilitates the                               version of the         
      use of the                                       architecture;          
      architecture to                                  o  develop the target  
      guide business                                   or "To Be"             
      management                                       architecture and the   
      modernization                                    transition plan, and   
      projects and                                     intend to incorporate  
      investments; and                                 an "As Is" strategy in 
      o  maintains the                                 the next version of    
      architecture.                                    the architecture;      
                                                       o  use the             
                                                       architecture to guide  
                                                       its business           
                                                       modernization projects 
                                                       and investments; and   
                                                       o  assign the BTA the  
                                                       responsibility for     
                                                       maintaining the        
                                                       architecture.          
(5) The ASD(NII)/CIO     X                       In February 2005, the     
report at least                                  Deputy Secretary of       
quarterly to the Senior                          Defense established the   
Financial Management                             DBSMC. As mentioned       
Oversight Council on                             earlier, the DBSMC is     
the Chief Architect's                            comprised of senior       
progress in developing                           executives from across    
an EA, including the                             DOD, including the        
Chief Architect's                                ASD(NII)/CIO and is       
adherence to enterprise                          chaired by the Deputy     
architecture policy and                          Secretary of Defense.     
guidance from the                                                          
Office of Management                             As stated earlier, the    
and Budget (OMB), the                            BTA, whose management and 
CIO Council, and DOD.                            oversight is provided     
                                                    cooperatively by the      
                                                    Deputy Under Secretary of 
                                                    Defense (Business         
                                                    Transformation) and the   
                                                    Deputy Under Secretary of 
                                                    Defense (Financial        
                                                    Management), briefs the   
                                                    DBSMC monthly on-among    
                                                    other things-the status   
                                                    of DOD's efforts to       
                                                    develop, implement, and   
                                                    maintain the architecture 
                                                    and the transition plan,  
                                                    including adherence to    
                                                    relevant policies and     
                                                    guidance.                 
(6) The Senior           X                       In February 2005, the     
Financial Management                             Deputy Secretary of       
Oversight Council                                Defense established the   
report to the Secretary                          DBSMC. As mentioned       
of Defense every 6                               earlier, the DBSMC is     
months on progress in                            chaired by the Deputy     
developing and                                   Secretary of Defense, who 
implementing an EA.                              is briefed monthly on the 
                                                    progress of the           
                                                    architecture's            
                                                    development and           
                                                    implementation. According 
                                                    to the DBSMC charter, the 
                                                    chair will report to the  
                                                    Secretary of Defense, as  
                                                    appropriate.              
(7) The Secretary        X                       Previously implemented    
reports every 6 months                           
to the congressional                             
defense authorizing and                          
appropriating                                    
committees on progress                           
in developing and                                
implementing an EA.                              
(8) Until an enterprise               X          On June 2, 2005, the      
architecture is                                  Under Secretary of        
developed and the                                Defense for Acquisition,  
Council is positioned                            Technology, and Logistics 
to serve as DOD's                                set forth guidance that   
financial management                             identified the processes  
investment review board                          to establish and operate  
as recommended, the                              IRBs for the purpose of   
Secretary of Defense                             reviewing all business    
limit DOD components'                            system investments at     
financial management                             least annually and for    
investments to the                               certifying business       
deployment of systems                            system modernizations     
that have already been                           over $1 million as        
fully tested and                                 required by the Fiscal    
involve no additional                            Year 2005 National        
development or                                   Defense Authorization     
acquisition costs;                               Act. Furthermore, in      
stay-in-business                                 April 2006, the Deputy    
maintenance needed to                            Under Secretary of        
keep existing systems                            Defense (Business         
operational; management                          Transformation) and the   
controls needed to                               Deputy Under Secretary of 
effectively invest in                            Defense (Financial        
modernized systems; and                          Management) issued BEA    
new systems or existing                          compliance guidance.      
system changes that are                          Since the April 2006      
congressionally                                  guidance was issued after 
directed or are                                  completion of our field   
relatively small, cost                           work, we have not had the 
effective, and low risk                          opportunity to assess the 
and can be delivered in                          guidance to ascertain if  
a relatively short time                          it addresses the          
frame.                                           recommendation.           
GAO-03-458: DOD                                  
Business Systems                                 
Modernization:                                   
Improvements to                                  
Enterprise Architecture                          
Development and                                  
Implementation Efforts                           
Needed, February 28,                             
2003.                                            
(1) The Secretary of     X                       Previously implemented    
Defense ensure that the                          
enterprise architecture                          
executive committee                              
members are singularly                           
and collectively made                            
explicitly accountable                           
to the Secretary for                             
the delivery of the                              
enterprise                                       
architecture, including                          
approval of each                                 
version of the                                   
architecture.                                    
(2) The Secretary of                  X          Under the BTA, the        
Defense ensure that the                          department has            
enterprise architecture                          established an            
program is supported by                          Information and           
a proactive marketing                            Federation Strategy       
and communication                                office whose              
program.                                         responsibilities include  
                                                    internal and external     
                                                    communications. In        
                                                    February 2006, this       
                                                    office developed a        
                                                    communication strategy    
                                                    and communications plan.  
                                                                              
                                                    Based on the best         
                                                    practices defined by the  
                                                    CIO Council's A Practical 
                                                    Guide to Federal          
                                                    Enterprise Architecture,  
                                                    we found that the         
                                                    communications plan       
                                                    adhered to some of the    
                                                    guidelines-such as        
                                                    identifying key           
                                                    audiences, purpose, scope 
                                                    and function and          
                                                    identifying communication 
                                                    tools and a number of     
                                                    outreach programs to be   
                                                    used when conveying the   
                                                    message to the targeted   
                                                    audiences.                
                                                                              
                                                    However, the department's 
                                                    plan and strategy does    
                                                    not fully adhere to the   
                                                    criteria set forth by     
                                                    best practices. In        
                                                    particular, the plan      
                                                    lacked an explanation of  
                                                    roles and                 
                                                    responsibilities and does 
                                                    not include details       
                                                    regarding evaluation,     
                                                    metrics, and feedback.    
(3) The Secretary of     X                       The department has        
Defense ensure that the                          established a quality     
quality assurance                                assurance function, which 
function includes the                            is an embedded process    
review of adherence to                           within the overall        
process standards and                            architecture development. 
reliability of reported                          This function includes    
program performance, is                          the review of adherence   
made independent of the                          to process standards, as  
program management                               appropriate, and it       
function, and is not                             reports to a BTA division 
performed by subject                             that is independent of    
matter experts involved                          the division responsible  
in the development of                            for developing and        
key architecture                                 maintaining the           
products.                                        architecture. It is also  
                                                    authorized to elevate     
                                                    issues to the Under       
                                                    Secretary of Defense for  
                                                    Acquisition, Technology,  
                                                    and Logistics.            
(4) The Secretary gain   X                       On March 19, 2005, the    
control over ongoing IT                          Deputy Secretary of       
investments by                                   Defense delegated the     
establishing a                                   authority for the review, 
hierarchy of investment                          approval, and oversight   
review boards, each                              of the planning, design,  
responsible and                                  acquisition, deployment,  
accountable for                                  operation, maintenance,   
selecting and                                    and modernization of      
controlling investments                          defense business systems  
that meet defined                                to the designated         
threshold criteria, and                          approval authority for    
each composed of the                             each business area.       
appropriate level of                             Additionally, on June 2,  
executive                                        2005, the Under Secretary 
representatives,                                 of Defense for            
depending on the                                 Acquisition, Technology,  
threshold criteria,                              and Logistics set forth   
from across the                                  guidance that identified  
department.                                      the processes to          
                                                    establish and operate     
                                                    IRBs for the purpose of   
                                                    reviewing all business    
                                                    system investments.       
(5) The Secretary gain   X                       As noted above, the Under 
control over ongoing IT                          Secretary of Defense for  
investments by                                   Acquisition, Technology,  
establishing a standard                          and Logistics has issued  
set of criteria to                               criteria for reviewing    
include (a) alignment                            all business system       
and consistency with                             investments. The guidance 
the DOD enterprise                               points out that one of    
architecture and (b)                             the key elements in       
our open                                         evaluating the            
recommendations                                  department's business     
governing limitations                            system investments is the 
in business systems                              importance of being       
investments pending                              consistent with the BEA.  
development of the                               Furthermore, in April     
architecture.                                    2006, the Deputy Under    
                                                    Secretary of Defense      
                                                    (Business Transformation) 
                                                    and the Deputy Under      
                                                    Secretary of Defense      
                                                    (Financial Management)    
                                                    issued BEA compliance     
                                                    guidance.                 
(6) The Secretary gain   X                       As noted above, the Under 
control over ongoing IT                          Secretary of Defense for  
investments by                                   Acquisition, Technology,  
directing these boards                           and Logistics has issued  
to immediately apply                             criteria for reviewing    
these criteria in                                all business system       
completing reviews of                            investments. The guidance 
all ongoing IT                                   points out that one of    
investments and to not                           the key elements in       
fund investments that                            evaluating the            
do not meet these                                department's business     
criteria unless they                             system investments is the 
are otherwise justified                          importance of being       
by explicit criteria                             consistent with the BEA.  
waivers.                                         Furthermore, in April     
                                                    2006, the Deputy Under    
                                                    Secretary of Defense      
                                                    (Business Transformation) 
                                                    and the Deputy Under      
                                                    Secretary of Defense      
                                                    (Financial Management)    
                                                    issued BEA compliance     
                                                    guidance, which the IRBs  
                                                    have been directed to     
                                                    use.                      
GAO-03-1018: DOD                                 
Business Systems                                 
Modernization:                                   
Important Progress Made                          
to Develop Business                              
Enterprise                                       
Architecture, but Much                           
Work Remains, September                          
19, 2003.                                        
(1) The Secretary of     X                       On June 2, 2005, the      
Defense or his                                   Under Secretary of        
appropriate designee                             Defense for Acquisition,  
define and implement an                          Technology, and Logistics 
effective investment                             set forth guidance that   
management process to                            is to be used in          
proactively identify,                            reviewing all business    
control, and obtain DOD                          system investments at     
Comptroller review and                           least annually and for    
approval of                                      certifying business       
expenditures for new                             system modernizations     
and ongoing business                             over $1 million as        
systems investments                              required by the Fiscal    
exceeding $1 million                             Year 2005 National        
while the architecture                           Defense Authorization     
is being developed and                           Act. In its March 15,     
after it is completed,                           2006, report to           
and which includes                               congressional defense     
clearly defined domain                           committees, the           
owners' roles and                                department reported that  
responsibilities for                             the DBSMC had certified a 
selecting and                                    total of 226 systems,     
controlling ongoing and                          which represents about    
planned system                                   $3.6 billion in           
investments.                                     modernization funding.    
(2) The Secretary of                  X          DOD has taken some        
Defense or his                                   actions to address the 31 
appropriate designee                             elements identified in    
implement the core                               GAO's Enterprise          
elements in our                                  Architecture Framework    
Enterprise Architecture                          for assessing and         
Framework for Assessing                          improving enterprise      
and Improving                                    architecture management.  
Enterprise Architecture                          DOD has addressed 17 of   
Management that we                               the 31 elements. For      
identify in this report                          example, the BEA is an    
as not satisfied,                                integral component of the 
including ensuring that                          IT investment management  
minutes of the meetings                          process and the quality   
of the executive body                            of the BEA products is    
charged with directing,                          measured and reported.    
overseeing, and                                  DOD has begun to address  
approving the                                    7 additional elements.    
architecture are                                 For example, although the 
prepared and                                     BEA plans call for        
maintained.                                      developing metrics for    
                                                    measuring progress,       
                                                    quality, and compliance,  
                                                    it does not call for      
                                                    developing metrics for    
                                                    return on investment. DOD 
                                                    has yet to begin          
                                                    addressing the remaining  
                                                    7 elements. For example,  
                                                    architecture descriptions 
                                                    have yet to address       
                                                    security and return on    
                                                    architecture investment   
                                                    is not measured and       
                                                    reported.                 
(3) The Secretary of     X                       Previously implemented    
Defense or his                                   
appropriate designee                             
update version 1.0 of                            
the architecture to                              
include the 340 Joint                            
Financial Management                             
Improvement Program                              
requirements that our                            
report identified as                             
omitted or not fully                             
addressed.                                       
(4) The Secretary of                  X          Program officials stated  
Defense or his                                   that "As Is" environment  
appropriate designee                             analyses and definitions  
update version 1.0 of                            have occurred-and are     
the architecture to                              planned on in an "as      
include the 29 key                               needed" and "just enough" 
elements governing the                           basis. For example, they  
"As Is" architectural                            described "As Is"         
content that our report                          analysis and definition   
identified as not being                          that has occurred at the  
fully satisfied.                                 system level for several  
                                                    of the enterprise-level   
                                                    systems (e.g., DOD Real   
                                                    Property Information      
                                                    Systems), and work under  
                                                    way to further understand 
                                                    the interdependencies     
                                                    that exist in the current 
                                                    planning, programming,    
                                                    budgeting, and execution  
                                                    business process as an    
                                                    essential part of         
                                                    developing the "To Be"    
                                                    description of this       
                                                    process. While not        
                                                    included in versions 3.0  
                                                    and 3.1, according to an  
                                                    official, the "As Is"     
                                                    work is in fact now being 
                                                    used to perform a         
                                                    business capability gap   
                                                    analysis and guide        
                                                    transformation based on   
                                                    the current set of        
                                                    priorities.               
                                                                              
                                                    However, DOD has yet to   
                                                    disclose, at a minimum,   
                                                    the "As Is" analyses that 
                                                    have and that have not    
                                                    been performed in the     
                                                    architecture releases. In 
                                                    addition, DOD has yet to  
                                                    describe in the           
                                                    architecture releases the 
                                                    importance and/or         
                                                    irrelevance of "As Is"    
                                                    analyses to the systems   
                                                    and initiatives in the    
                                                    enterprise transition     
                                                    plan, and the operational 
                                                    activities and business   
                                                    processes in the target   
                                                    architecture.             
(5) The Secretary of                  X          DOD issued BEA version    
Defense or his                                   3.1 on March 15, 2006,    
appropriate designee                             which addressed some      
update version 1.0 of                            limitations in the prior  
the architecture to                              version that we reported. 
include the 30 key                               However, version 3.1 is   
elements governing the                           still missing certain     
"To Be" architectural                            scope and content. For    
content that our report                          example, this version     
identified as not being                          continues to specify      
fully satisfied.                                 DOD's Standard Financial  
                                                    Information Structure     
                                                    (SFIS) as an              
                                                    enterprisewide data       
                                                    standard for categorizing 
                                                    financial information to  
                                                    support financial         
                                                    management and reporting  
                                                    functions. In addition,   
                                                    it adds greater           
                                                    definition on standard    
                                                    processes, rules, and     
                                                    data for                  
                                                    intra-governmental        
                                                    ordering and billing.     
                                                    However, certain SFIS     
                                                    data elements, such as    
                                                    those relating to the     
                                                    planning, programming,    
                                                    and budgeting business    
                                                    process area have yet to  
                                                    be defined. In addition,  
                                                    the architecture has yet  
                                                    to include a systems      
                                                    standards profile to      
                                                    facilitate data sharing   
                                                    among departmentwide      
                                                    business systems and      
                                                    promote interoperability  
                                                    with departmentwide IT    
                                                    infrastructure systems.   
                                                    Further, military         
                                                    services and defense      
                                                    agencies architectures    
                                                    have yet to be aligned    
                                                    with this departmental    
                                                    architecture.             
(6) The Secretary of     X                       Version 3.1 of the        
Defense or his                                   architecture provides     
appropriate designee                             significant improvements  
update version 1.0 to                            with regard to navigation 
ensure that "To Be"                              and use and addresses the 
architecture artifacts                           internal consistency of   
are internally                                   the architecture          
consistent, to include                           artifacts that we         
addressing the                                   previously described.     
inconsistencies                                  
described in this                                
report as well as                                
including user                                   
instructions or                                  
guidance for easier                              
architecture navigation                          
and use.                                         
(7) The Secretary of                  X          DOD issued an updated     
Defense or his                                   enterprise transition     
appropriate designee                             plan on March 15, 2006.   
update version 1.0 of                            This plan provides        
the architecture to                              information on progress   
include (a) the 3 key                            on major investments over 
elements governing the                           the last 6 months,        
transition plan content                          including key             
that our report                                  accomplishments and       
identified as not being                          milestones attained.      
fully satisfied and (b)                          Further, the plan builds  
those system                                     on the prior plan by      
investments that will                            defining an initiative    
not become part of the                           aimed at identifying      
"To Be" architecture,                            capability gaps between   
including time frames                            the "As Is" and "To Be"   
for phasing out those                            architectural             
systems.                                         environments, and DOD     
                                                    continues to validate the 
                                                    inventory of ongoing IT   
                                                    investments that formed   
                                                    the basis for the prior   
                                                    version of the transition 
                                                    plan. However, while the  
                                                    plan includes more        
                                                    information about the     
                                                    termination of legacy     
                                                    systems, it still does    
                                                    not identify, for         
                                                    example, all legacy       
                                                    systems that will not be  
                                                    part of the target        
                                                    architecture-and it does  
                                                    not include system        
                                                    investment information    
                                                    for all of the            
                                                    department's agencies and 
                                                    combatant commands.       
(8) The Secretary of                  X          According to the          
Defense or his                                   verification and          
appropriate designee                             validation contractor, of 
update version 1.0 of                            the 157 comments from     
the architecture to                              version 3.0, 123 were     
address comments made                            deemed potentially in     
by the verification and                          scope for version 3.1. Of 
validation contractor.                           these 123 comments, they  
                                                    stated that 85 were       
                                                    deferred to the next      
                                                    architecture release and  
                                                    38 were to be addressed   
                                                    in version 3.1. The       
                                                    verification and          
                                                    validation contractor is  
                                                    currently reviewing       
                                                    version 3.1 and has yet   
                                                    to report on whether the  
                                                    38 comments were          
                                                    addressed in version 3.1. 
(9) The Secretary of                  X          The department included a 
Defense or his                                   high-level, notional      
appropriate designee                             description of steps it   
develop a well-defined,                          plans to take over the    
near-term plan for                               next year related to      
extending and evolving                           architecture development, 
the architecture and                             maintenance, and          
ensure that this plan                            implementation in its     
includes addressing our                          most recent annual report 
recommendations,                                 to Congress. In           
defining roles and                               particular, the           
responsibilities of all                          department intends to     
stakeholders involved                            define and implement a    
in extending and                                 metrics framework to      
evolving the                                     measure results in terms  
architecture,                                    of operational            
explaining dependencies                          performance improvement,  
among planned                                    add scope and content to  
activities, and                                  the architecture in       
defining measures of                             6-month increments, and   
activity progress.                               define and use criteria   
                                                    to gauge investment       
                                                    compliance with the       
                                                    architecture. However,    
                                                    the department has yet to 
                                                    develop a plan to         
                                                    describe, among other     
                                                    things, what the          
                                                    architecture and          
                                                    transition plan           
                                                    increments individually   
                                                    or collectively will      
                                                    include and not include,  
                                                    with particular emphasis  
                                                    and clarity on near-term  
                                                    increments, the resources 
                                                    needed to produce the     
                                                    increments, who will be   
                                                    responsible for producing 
                                                    them, and how the quality 
                                                    and utility of these      
                                                    increments will be        
                                                    determined.               
(10) The Secretary of                 X          According to program      
Defense or his                                   officials, the Office of  
appropriate designee                             the Under Secretary of    
limit the pilot                                  Defense for Business      
projects to small,                               Transformation has        
low-cost, low-risk                               prepared a draft policy   
prototype investments                            on initiatives that will  
that are intended to                             serve to define a pilot   
provide knowledge                                project in terms of size  
needed to extend and                             and scope, and detail the 
evolve the                                       process for obtaining     
architecture, and are                            approval and funding.     
not to acquire and                               
implement production                             
version system                                   
solutions or to deploy                           
an operational system                            
capability.                                      
GAO-04-615: DOD                                  
Business Systems                                 
Modernization: Billions                          
Continue to Be Invested                          
with Inadequate                                  
Management Oversight                             
and Accountability, May                          
27, 2004.                                        
(1) The Secretary of     X                       This recommendation was   
Defense direct the                               absorbed into GAO-05-381  
Under Secretary of                               recommendation #2.        
Defense (Comptroller)                            
and the Assistant                                
Secretary of Defense                             
for Networks and                                 
Information Integration                          
to develop a standard                            
definition for DOD                               
components to use to                             
identify business                                
systems.                                         
(2) The Secretary of     X                       On July 13, 2004, the     
Defense direct the                               ASD(NII)/CIO directed     
Assistant Secretary of                           establishment of the DOD  
Defense for Networks                             Information Technology    
and Information                                  Portfolio Repository      
Integration to expand                            (DITPR). According to BTA 
the existing IT                                  officials, all identified 
Registry to include all                          business systems have     
business systems.                                been entered into the     
                                                    DITPR. As of April 2006,  
                                                    the department reported   
                                                    that it had 3,717         
                                                    business systems.         
(3) The Secretary of     X                       The DITPR is being used   
Defense direct the                               to track and monitor      
Under Secretary of                               investment decisions. For 
Defense (Comptroller)                            example, if the DBSMC     
to establish a                                   notes that a business     
mechanism that provides                          system must show how it   
for tracking all                                 is compliant with the     
business systems                                 SFIS, that action is      
modernization                                    maintained in the DITPR   
conditional approvals                            and, on completion, the   
to provide reasonable                            completion date is        
assurance that all                               entered into DITPR.       
specific actions are                             
completed on time.                               
GAO-05-381: DOD                                  
Business Systems                                 
Modernization: Billions                          
Being Invested without                           
Adequate Oversight,                              
April 29, 2005.                                  
(1) The Secretary of     X                       The department has        
Defense direct that the                          appropriately classified  
DOD CIO, in                                      the 56 systems in its     
consultation with the                            fiscal year 2007 IT       
domains, review the 56                           budget request.           
systems reclassified                             
from business systems                            
to national security                             
systems to determine                             
how these should be                              
properly reported in                             
the fiscal year 2007 IT                          
budget request.                                  
(2) The Secretary of     X                       The department's business 
Defense direct that the                          systems are reported in   
Defense Business                                 its fiscal year 2007      
Systems Management                               budget request in         
Committee work with the                          accordance with the       
investment review                                criteria specified in the 
boards to review the                             Act.                      
reported business                                
systems inventory so                             
systems are defined in                           
accordance with the                              
definition specified in                          
the Fiscal Year 2005                             
Defense Authorization                            
Act.                                             
(3) The Secretary of                  X          DOD has documented a      
Defense direct that the                          series of actions that    
DBSMC develop a                                  address our               
comprehensive plan that                          recommendations. In its   
addresses                                        March 15, 2006, report to 
implementation of our                            Congress, DOD stated that 
previous                                         it had fully implemented  
recommendations related                          our 23 open               
to the BEA and the                               recommendations and was   
control and                                      in the process of         
accountability over                              implementing 6. We agree  
business systems                                 that DOD has taken        
investments (at a                                actions to implement our  
minimum, the plan                                open recommendations,     
should assign                                    with 16 being implemented 
responsibility and                               and 13 in the process of  
estimated time frames                            being implemented.        
for completion).                                 However, while DOD        
                                                    included a high-level     
                                                    summary in its March 15,  
                                                    2006 annual report to     
                                                    Congress, it did not      
                                                    include information such  
                                                    as responsibilities, time 
                                                    frames, and actions       
                                                    planned to address all of 
                                                    the recommendations that  
                                                    have yet to be fully      
                                                    implemented.              
(4) The Secretary of                  X          In its March 15, 2006,    
Defense direct that the                          annual report to          
comprehensive plan we                            Congress, the department  
recommend be                                     included a high-level     
incorporated into the                            summary that outlines the 
department's second                              status of our             
annual report due March                          recommendations. However, 
15, 2006, to defense                             as noted above, it did    
congressional                                    not fully satisfy our     
committees, as required                          recommendation.           
by the Fiscal Year 2005                          
Defense Authorization                            
Act to help facilitate                           
congressional                                    
oversight.                                       
GAO-05-702: DOD                                  
Business Systems                                 
Modernization:                                   
Long-standing                                    
Weaknesses in                                    
Enterprise Architecture                          
Development Need to Be                           
Addressed, July 22,                              
2005.                                            
(1) The Secretary of     X                       In its March 15, 2006,    
Defense should direct                            annual report to          
the Deputy Secretary of                          Congress, DOD disclosed   
Defense, as the chair                            the current state of the  
of DBSMC and in                                  BEA program by including  
collaboration with                               key milestones for fiscal 
DBSMC members, to                                years 2006 and 2007,      
immediately fully                                accomplishments since     
disclose the state of                            September 2005, and       
its BEA program to                               limitations of and gaps   
DOD's congressional                              in the architecture and   
authorization and                                transition plan. For      
appropriations                                   example, in an effort to  
committees, including                            improve visibility into   
its limited progress                             personnel activities, in  
and results to date, as                          fiscal year 2006, DOD     
well as specific plans                           reported that it has      
and commitments for                              deployed a civilian       
strengthening program                            personnel data warehouse  
management and                                   to facilitate data        
producing measurable                             sharing. In addition, the 
results that reflect                             department reported that  
the department's                                 termination and migration 
capability to do so.                             dates had yet to be       
                                                    determined for a number   
                                                    of systems.               
(2) The Secretary of                  X          In its March 15, 2006,    
Defense should direct                            annual report to          
the Deputy Secretary of                          Congress, the department  
Defense, as the chair                            included a high-level     
of the DBSMC and in                              summary that outlines the 
collaboration with                               status of our             
DBSMC members, to                                recommendations. However, 
ensure that each of our                          it did not include        
recommendations related                          information such as       
to the BEA management                            responsibilities, time    
and content are                                  frames, and actions       
reflected in the plans                           planned to address all of 
and commitments.                                 the recommendations that  
                                                    have yet to be fully      
                                                    implemented.              

Appendix III: Comments from the Department of Defense Appendix III:
Comments from the Department of Defense

Appendix IV: Summary of Several Architecture Frameworks Appendix IV:
Summary of Several Architecture Frameworks

1J.A. Zachman, "A Framework for Information Systems Architecture," IBM
Systems Journal 26, no. 3 (1987).

2DOD, Department of Defense Architecture Framework, Version 1.0, Volume 1
(Aug. 2003) and Volume 2 (Feb. 2004).

3There are some overarching aspects of architecture that relate to all
three of the views. These overarching aspects-such as goals, mission
statements, and concepts of operations-are captured in the All-view
products.

AA Appendix V: GAO Contacts and Staff Acknowledgments

                                  GAO Contacts

                                Acknowledgments

(310616)

GAO's Mission

Obtaining Copies of GAO Reports and Testimony

Order by Mail or Phone

To Report Fraud, Waste, and Abuse in Federal Programs

Congressional Relations

Public Affairs

www.gao.gov/cgi-bin/getrpt? GAO-06-658 .

To view the full product, including the scope

and methodology, click on the link above.

For more information, contact Randolph C. Hite at (202) 512-3439 or
[email protected].

Highlights of GAO-06-658 , a report to congressional committees

May 2006

BUSINESS SYSTEMS MODERNIZATION

DOD Continues to Improve Institutional Approach, but Further Steps Needed

For decades, the Department of Defense (DOD) has not been successful in
repeated attempts to modernize its business systems and operations. To
assist DOD, Congress included provisions in the Fiscal Year 2005 Ronald W.
Reagan National Defense Authorization Act that were consistent with GAO's
recommendations for developing a business enterprise architecture and
associated enterprise transition plan and establishing and implementing
effective information technology (IT) business system investment
management structures and processes. The Act further requires that the
Secretary of Defense submit an annual report to congressional defense
committees on its compliance with certain requirements of the Act not
later than March 15 of each year from 2005 through 2009. In response to
the Act's mandate, GAO assessed the actions by DOD to comply with the
requirements of the Act and determined the extent to which DOD has
addressed GAO's prior recommendations.

What GAO Recommends

GAO is recommending that the department submit its enterprise architecture
program management plan to defense congressional committees. DOD commented
that GAO's findings are fair, and it expressed general agreement with
GAO's recommendations.

As part of DOD's incremental strategy for developing and implementing its
architecture, transition plan, and accountability framework for managing
business systems, the department has taken steps over the last 6 months to
address a number of the areas that GAO previously reported as falling
short of the Act's requirements. However, additional steps are needed to
fully comply with the Act and relevant guidance. For example,

           o  The architecture identifies an enterprisewide data standard to
           support financial management and reporting functions. However, the
           data elements-such as those associated with the planning,
           programming, and budgeting business process-are not yet part of
           the architecture.
           o  The enterprise transition plan now includes an initiative aimed
           at identifying capability gaps between the "As Is" and "To Be"
           architectural environments, and DOD continues to validate the
           inventory of ongoing IT investments that formed the basis for the
           prior version of the transition plan. However, the plan does not
           include, among other things, a complete listing of the legacy
           systems that will not be part of the target architecture, and it
           does not include system investment information for all of the
           department's agencies and combatant commands. 
           o  The department's fiscal year 2007 IT budget submission was
           prepared using a system that was reconciled with DOD's single
           authoritative system inventory. This should improve the
           reliability of the budget submission.
           o  The IT investment management structures and processes that DOD
           previously defined are being refined and implemented across the
           department. However, the investment review board that is to focus
           on IT infrastructure and information assurance investments has
           still not been established.

DOD has also taken steps to address 29 prior GAO recommendations to
strengthen the management of its business systems modernization through
the adoption of enterprise architecture and investment management best
practices. As a result of DOD's actions, 16 of the recommendations have
now been implemented and 13 are in the process of being implemented.

Notwithstanding DOD's incremental strategy for improving its institutional
approach to business systems modernization and complying with the Act, the
department has yet to create or establish milestones for developing an
enterprise architecture program management plan that defines, among other
things, what the increments of improvement are, and how and when they will
be accomplished, with particular emphasis and clarity around the near-term
increments. It is important for the department to develop this plan as
soon as possible because without it, the department is less likely to
accomplish intended improvements and the Congress does not have the means
to measure progress and hold the department accountable for doing so.

DOD Business Systems Modernization

           Source: GAO.

           aApproval authorities include the Under Secretary of Defense for
           Acquisition, Technology, and Logistics; the Under Secretary of
           Defense (Comptroller); the Under Secretary of Defense for
           Personnel and Readiness; and the Assistant Secretary of Defense
           for Networks and Information Integration/Chief Information Officer
           of the Department of Defense. These approval authorities are
           responsible for the review, approval, and oversight of business
           systems and must establish investment review processes for systems
           under their cognizance.

           bDOD defines the Global Information Grid as the globally
           interconnected, end-to-end set of information, capabilities,
           associated processes, and personnel for collecting, processing,
           storing, disseminating, and managing information on demand to
           warfighters, policy makers, and support personnel.

           cDepartment of Defense Fiscal Year 2007 IT/NSS President's Budget,
           Report on Defense Business Systems Modernization FY2005 National
           Defense Authorization Act, Section 332 February 2006.

(3) The Secretary of Defense should  X  Program officials told us that     
direct the Deputy Secretary of          they have begun analyzing the      
Defense, as the chair of the DBSMC      architecture program's workforce   
and in collaboration with DBSMC         needs and capabilities using a     
members, to ensure that plans and       three-phase approach. Phase I,     
commitments provide for effective       which according to DOD is          
BEA workforce planning, including       complete, resulted in the          
assessing workforce knowledge and       development of a knowledge and     
skills needs, determining existing      skills model for the program's     
workforce capabilities, identifying     architecture and transition plan   
gaps, and filling these gaps.           staff. The second phase, which     
                                           according to DOD is in progress,   
                                           involves identifying and assessing 
                                           the knowledge and skills of the    
                                           existing architecture and          
                                           transition plan staff. According   
                                           to program officials, this phase   
                                           will set overall program needs and 
                                           provide the basis for identifying  
                                           gaps and recommendations for       
                                           filling the gaps. Phase III will   
                                           implement the recommendations.     
                                           According to DOD, it has not yet   
                                           established milestones for Phase   
                                           III.                               
*** End of document. ***