Homeland Security: DHS Enterprise Architecture Continues to
Evolve but Improvements Needed (09-MAY-07, GAO-07-564).
GAO designated the transformation of the Department of Homeland
Security (DHS) as high risk in 2003, and it continues to do so
today. One essential tool for facilitating organizational
transformation is an enterprise architecture (EA)--a corporate
blueprint that serves as an authoritative frame of reference for
information technology investment decision making. The Congress
required DHS to submit a report that includes its EA and a
capital investment plan for implementing it. The Congress also
required that GAO review the report. In June 2006, DHS submitted
this report to the Congress. GAO's objective was to assess the
status of the EA, referred to as DHS EA 2006, and the plan for
implementing it. To meet this objective, GAO analyzed
architectural documents relative to its prior recommendations;
evaluated stakeholder comments and the process used to obtain
them; and analyzed the implementation plan against relevant
guidance.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-564
ACCNO: A69368
TITLE: Homeland Security: DHS Enterprise Architecture Continues
to Evolve but Improvements Needed
DATE: 05/09/2007
SUBJECT: Agency evaluation
Enterprise architecture
Federal agency reorganization
Homeland security
Information technology
Investment planning
Usability
Capital investment planning
Program implementation
Stakeholder consultations
GAO High Risk Series
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-07-564
* [1]DHS EA 2006 Has Evolved beyond Prior Versions, but Missing A
* [2]Conclusions
* [3]Recommendations for Executive Action
* [4]Agency Comments and Our Evaluation
* [5]GAO Contact
* [6]Staff Acknowledgments
* [7]GAO's Mission
* [8]Obtaining Copies of GAO Reports and Testimony
* [9]Order by Mail or Phone
* [10]To Report Fraud, Waste, and Abuse in Federal Programs
* [11]Congressional Relations
* [12]Public Affairs
Report to Congressional Committees
United States Government Accountability Office
GAO
May 2007
HOMELAND SECURITY
DHS Enterprise Architecture Continues to Evolve but Improvements Needed
GAO-07-564
Contents
Letter 1
DHS EA 2006 Has Evolved beyond Prior Versions, but Missing Architecture
Content and Limited Stakeholder Input Constrain Its Usability 2
Conclusions 3
Recommendations for Executive Action 4
Agency Comments and Our Evaluation 4
Appendix I Briefing to the Staffs of the Subcommittees on Homeland
Security Senate and House Committees on Appropriations 7
Appendix II Comments from the Department of Homeland Security 75
Appendix III GAO Contact and Staff Acknowledgments 77
Abbreviations
CBP Customs and Border Protection
CIO chief information officer
CURE create, update, reference, and eliminate
DHS Department of Homeland Security
EA enterprise architecture
EAMMF Enterprise Architecture Management Maturity Framework
FEMA Federal Emergency Management Agency
ICE Immigration and Customs Enforcement
IT information technology
OMB Office of Management and Budget
TRM technical reference model
TSA Transportation Security Administration
US-VISIT United States Visitor and Immigrant Status Indicator Technology
USSS United States Secret Service
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office
Washington, DC 20548
May 9, 2007
The Honorable Robert C. Byrd
Chairman
The Honorable Thad Cochran
Ranking Minority Member
Subcommittee on Homeland Security
Committee on Appropriations
United States Senate
The Honorable David E. Price
Chairman
The Honorable Harold Rogers
Ranking Minority Member
Subcommittee on Homeland Security
Committee on Appropriations
House of Representatives
Information technology (IT) is a critical tool in the Department of
Homeland Security's (DHS) quest to transform 22 diverse and distinct
agencies into one cohesive, high-performing department. Because of the
importance of this transformation and the magnitude of the associated
challenges, we designated the department's implementation and
transformation as a high-risk undertaking in 2003.^1 In 2003 and in 2004,
we reported that DHS needed to, among other things, develop and implement
an enterprise architecture (EA)--a corporate blueprint that serves as an
authoritative frame of reference to guide and constrain IT investment
decision making, promoting interoperability, minimizing wasteful
duplication and redundancy, and optimizing departmentwide mission
performance.^2
^1GAO, High-Risk Series: An Update, [13]GAO-03-119 (Washington, D.C.:
January 2003); High-Risk Series: An Update, [14]GAO-05-207 (Washington,
D.C.: January 2005).
^2GAO, Homeland Security: Efforts to Improve Information Sharing Need to
Be Strengthened, [15]GAO-03-760 (Washington, D.C.: Aug. 27, 2003) and
Department of Homeland Security: Formidable Information and Technology
Management Challenge Requires Institutional Approach, [16]GAO-04-702
(Washington, D.C.: Aug. 27, 2004).
Recognizing the importance that an EA plays in effectively leveraging IT
for organizational transformation, DHS issued an initial version of its
architecture in September 2003. Following our review of this EA and
recommendations for its improvement,^3 the department issued a second
version in October 2004. The DHS Appropriations Act of 2006 required the
department's chief information officer (CIO) to submit to Congress a
report that includes, among other things, an EA and a capital investment
plan for implementing the architecture.^4 It also required GAO to review
the report. On June 16, 2006, the CIO submitted its report, which included
the third version of the department's EA and a plan for implementing it,
which DHS referred to as DHS EA 2006 and Capital Investment Plan for
Implementing the DHS Enterprise Architecture.
Our objective was to assess the status of DHS EA 2006, including the
capital investment plan for implementing it. On February 28, 2007, we
briefed your staffs on the results of our review, which included sensitive
information. This report transmits the slides from that briefing, with
sensitive information removed. These slides, along with our scope and
methodology, are included as appendix I.
DHS EA 2006 Has Evolved beyond Prior Versions, but Missing Architecture Content
and Limited Stakeholder Input Constrain Its Usability
DHS EA 2006 partially addresses the content shortcomings in earlier
versions of the department's architecture, which we had reported on and
made recommendations to correct. However, the full depth and breadth of EA
content that our 41 recommendations provided for is not reflected in DHS
EA 2006. For example, we recommended that the architecture include a data
dictionary, which is a repository of standard definitions of key terms. In
response, DHS EA 2006 provides a data dictionary, but it does not include
definitions of all key terms (e.g., first responder). We also recommended
that DHS base its EA transition plan on, among other things, an analysis
of the gaps between the current ("as-is") and future ("to-be") states of
the architecture to define missing and needed capabilities.^5 However, DHS
EA 2006 does not include a transition plan, and it does not include any
evidence of a gap analysis--a comparison of the "as-is" and "to-be"
architectures to identify capability differences.
^3GAO, Homeland Security: Efforts Under Way to Develop Enterprise
Architecture, but Much Work Remains, [17]GAO-04-777 (Washington, D.C.:
Aug. 6, 2004).
^4The act also required DHS's CIO report to include a description of the
IT capital planning and investment control (CPIC) process and an IT human
capital plan.
^5An EA describes how an entity currently operates (the "as-is"
architecture) and how it plans to operate in the future (the "to-be"
architecture); it also includes a plan for making that transition (the
transition plan).
Moreover, this version of the architecture does not address the majority
of the 383 comments made on a draft of it by DHS stakeholders, including
component organizations and the department's EA support contractor. For
example, Immigration and Customs Enforcement commented that the inputs it
provided had not been incorporated, represented, or otherwise accommodated
in any way. Of the comments, 139 were categorized as fully addressed, 27
as partially addressed, 101 as not addressed but to be resolved in a later
EA version. The remaining 116 had no resolutions specified. In general,
comments were raised about the architecture's completeness, internal
consistency, and understandability. In addition, concerns were raised
about the architecture's usability as a departmental frame of reference
for informing IT investment decisions.
In addition, the approach DHS used in soliciting comments did not clearly
define the type of information requested and did not provide sufficient
time for detailed responses. Also, the extent to which comments were
obtained was limited. For example, key stakeholders, such as the Coast
Guard and Transportation Security Administration, chose to not comment on
a draft of DHS EA 2006.
Lastly, DHS's capital investment plan for implementing its architecture is
not based on an EA transition plan and is missing key IT investments. For
example, the plan does not account for all of DHS's planned investments in
IT nor does it include information on certain major IT capital
investments.
Conclusions
DHS's approach to developing its EA through incremental releases or
versions is reasonable, given the size and complexity of the department
and the volumes of information needed to produce a complete,
understandable, and usable architecture. As the department's third version
of its EA, DHS EA 2006 is an improvement over prior versions, as evidenced
by it at least partially addressing our prior recommendations. Moreover,
DHS EA 2006 is partially responsive to stakeholder comments on a draft of
it.
Nevertheless, DHS EA 2006 is still not sufficiently complete and usable,
given those aspects of our recommendations that it did not fully address
the range of stakeholder comments that have not been resolved and the
limitations of the capital investment plan. Given the critical role that
DHS's EA should play in the department's transformation efforts, which we
have identified as a high-risk undertaking, it is important for DHS to
fully address both our existing recommendations and stakeholder comments
on incremental versions of its architecture.
Finally, with regard to stakeholder comments, it is also important for DHS
to ensure that it devotes sufficient time and adopts an effective approach
to obtaining stakeholder comments on future versions. If it does not, the
chances of developing a well-defined EA that is accepted and usable will
be diminished.
Recommendations for Executive Action
To ensure that DHS fully implements our prior EA recommendations and
effectively solicits and addresses stakeholder comments on incremental
versions of its EA, we recommend that the Secretary of Homeland Security
direct the department's CIO to take the following two actions:
o Include in future versions of the department's EA a traceability
matrix that explicitly maps EA content to our recommendations in
sufficient detail to demonstrate their implementation, and
o Ensure that future efforts to solicit stakeholder comments on
the department's EA employ an effective approach that includes
clearly defining the type of information requested and allowing
sufficient time for obtaining and responding to these comments.
We are not making recommendations for addressing limitations in
the department's capital investment plan for implementing its EA
because our existing recommendations for an EA transition plan
address such limitations.
Agency Comments and Our Evaluation
In DHS's written comments on a draft of this report, signed by the
Director, Departmental GAO/OIG Liaison Office, and reprinted in
appendix II, the department stated that the fourth release of its
EA (referred to as HLS EA 2007) addresses many of the issues that
our report identifies. In addition, DHS agreed to include in
future EA releases a traceability matrix that explicitly maps its
EA content to our recommendations, adding that this recommended
tool will allow DHS to better track progress.
However, DHS commented that its current approach to soliciting
architecture stakeholders' input is adequate, noting that this
approach provides stakeholders with unlimited opportunity to
comment and observing that its receipt of nearly 400 comments on
DHS EA 2006 demonstrates this opportunity. Moreover, the
department stated that we had an incorrect perception of how it
treated stakeholder comments, adding that all comments that
require resolution will be addressed in future EA releases.
We do not agree with DHS's comments about the adequacy of its
approach to obtaining and incorporating stakeholder comments for
several reasons, each of which are cited in our report. For
example, the approach did not adequately define the type and
nature of the comments being solicited, and it did not provide
sufficient time for stakeholders to comment, as evidenced by some
stakeholders stating that the time was too limited. Also, most DHS
component organizations, including large ones like the
Transportation Security Agency and the Coast Guard, did not
provide comments. Moreover, about 60 percent of the comments that
were received on DHS EA 2006 were not to be addressed in the next
version (HLS EA 2007), and it was not specified when they would be
addressed. Given that comments were directed at the architecture's
completeness, internal consistency, understandability, and
usability, which are all fundamental characteristics of an EA, we
believe that our recommendation aimed at employing a more
effective approach to soliciting and responding to comments is
warranted.
We are sending copies of this report to the Chairmen and Ranking
Minority Members of other Senate and House committees that have
authorization and oversight responsibilities for homeland
security. We are also sending a copy of this report to the
Secretary of Homeland Security and the Director of OMB. We will
also make copies available to others upon request. In addition,
this report will be available at no charge on the GAO Web site at
http://www.gao.gov .
If you or your staffs have any questions about this report, please
contact me at (202) 512-3439 or [email protected]. Contact points for
our Offices of Congressional Relations and Public Affairs may be
found on the last page of this report. GAO staff members who made
major contributions to this report are listed in appendix III.
Randolph C. Hite
Director, Information Technology Architecture and
Systems Issues
Appendix I: Briefing to the Staffs of the Subcommittees on Homeland
Security Senate and House Committees on Appropriations
Appendix II: Comments from the Department of Homeland Security
Appendix III: GAO Contact and Staff Acknowledgments
GAO Contact
Randolph C. Hite, (202) 512-3439, [email protected]
Staff Acknowledgments
In addition to the person named above, Mark Bird, Assistant
Director; Neil Doherty; Ashfaq Huda; Nancy Glover; Anh Le; Teresa
Smith; Amos Tevelow; William Wadsworth; and Kim Zelonis made key
contributions to this report.
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in
meeting its constitutional responsibilities and to help improve
the performance and accountability of the federal government for
the American people. GAO examines the use of public funds;
evaluates federal programs and policies; and provides analyses,
recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at
no cost is through GAO's Web site ( www.gao.gov ). Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of
newly posted products every afternoon, go to www.gao.gov and
select "Subscribe to Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies
are $2 each. A check or money order should be made out to the
Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are
discounted 25 percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548
To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [email protected] (202)
512-4400 U.S. Government Accountability Office, 441 G Street NW,
Room 7125 Washington, D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [email protected] (202)
512-4800 U.S. Government Accountability Office, 441 G Street NW,
Room 7149 Washington, D.C. 20548
(310641)
www.gao.gov/cgi-bin/getrpt?GAO-07-564 .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Randolph C. Hite at (202) 512-3439 or
[email protected].
Highlights of [27]GAO-07-564 , a report to congressional committees
May 2007
HOMELAND SECURITY
DHS Enterprise Architecture Continues to Evolve but Improvements Needed
GAO designated the transformation of the Department of Homeland Security
(DHS) as high risk in 2003, and it continues to do so today. One essential
tool for facilitating organizational transformation is an enterprise
architecture (EA)--a corporate blueprint that serves as an authoritative
frame of reference for information technology investment decision making.
The Congress required DHS to submit a report that includes its EA and a
capital investment plan for implementing it. The Congress also required
that GAO review the report. In June 2006, DHS submitted this report to the
Congress. GAO's objective was to assess the status of the EA, referred to
as DHS EA 2006, and the plan for implementing it. To meet this objective,
GAO analyzed architectural documents relative to its prior
recommendations; evaluated stakeholder comments and the process used to
obtain them; and analyzed the implementation plan against relevant
guidance.
[28]What GAO Recommends
GAO is making recommendations to DHS for tracing the implementation of
prior GAO recommendations to EA content, and for more effectively
soliciting and addressing EA stakeholder comments. DHS agreed to trace
GAO's recommendations, but stated that it already adequately deals with
stakeholder comments. GAO does not agree for reasons cited in this report,
and thus stands by its recommendation.
DHS EA 2006 has evolved beyond prior versions, but missing architecture
content and limited stakeholder input constrain its usability. While the
architecture partially addresses each of the prior GAO recommendations
concerning the content of DHS's architecture, the full depth and breadth
of EA content that the recommendations solicited is still missing. For
example, GAO recommended that DHS use, among other things, an analysis of
the gaps between the current ("as-is") and future ("to-be") states of the
architecture to define missing and needed capabilities and form the basis
for its transition plan. However, DHS EA 2006 does not include a
transition plan and it does not include any evidence of a gap analysis.
In addition, department stakeholders, including component organizations
and the department's EA support contractor, provided a range of comments
relative to the completeness, internal consistency, and understandability
of a draft of DHS EA 2006, but the majority of the comments were not
addressed (see fig.). Moreover, key stakeholders, such as the Coast Guard
and the Transportation Security Administration, did not comment on the
draft. GAO found that the extent of stakeholder participation was limited
because the approach EA officials used to solicit input did not clearly
define the type of information being requested and did not provide
sufficient time for responding.
Furthermore, DHS's capital investment plan for implementing its
architecture is not based on a transition plan and is missing key
information technology (IT) investments. Thus, the plan does not provide a
comprehensive roadmap for transitioning the department to a target
architectural state. Also, the plan does not account for all of DHS's
planned investments in IT (excluding about $2.5 billion in planned IT
investments).
Without an architecture that is complete, internally consistent, and
understandable, the usability of the DHS's EA is diminished, which in turn
limits the department's ability to guide and constrain IT investments in a
way that promotes interoperability, reduces overlap and duplication, and
optimizes overall mission performance.
Resolution of DHS Stakeholder Comments on a Draft of DHS EA 2006 (383
Total comments)
References
Visible links
13. http://www.gao.gov/cgi-bin/getrpt?GAO-03-119
14. http://www.gao.gov/cgi-bin/getrpt?GAO-05-207
15. http://www.gao.gov/cgi-bin/getrpt?GAO-03-760
16. http://www.gao.gov/cgi-bin/getrpt?GAO-04-702
17. http://www.gao.gov/cgi-bin/getrpt?GAO-04-777
27. http://www.gao.gov/cgi-bin/getrpt?GAO-07-564
*** End of document. ***