Homeland Security: DHS Enterprise Architecture Continues to	 
Evolve but Improvements Needed (09-MAY-07, GAO-07-564). 	 
                                                                 
GAO designated the transformation of the Department of Homeland  
Security (DHS) as high risk in 2003, and it continues to do so	 
today. One essential tool for facilitating organizational	 
transformation is an enterprise architecture (EA)--a corporate	 
blueprint that serves as an authoritative frame of reference for 
information technology investment decision making. The Congress  
required DHS to submit a report that includes its EA and a	 
capital investment plan for implementing it. The Congress also	 
required that GAO review the report. In June 2006, DHS submitted 
this report to the Congress. GAO's objective was to assess the	 
status of the EA, referred to as DHS EA 2006, and the plan for	 
implementing it. To meet this objective, GAO analyzed		 
architectural documents relative to its prior recommendations;	 
evaluated stakeholder comments and the process used to obtain	 
them; and analyzed the implementation plan against relevant	 
guidance.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-564 					        
    ACCNO:   A69368						        
  TITLE:     Homeland Security: DHS Enterprise Architecture Continues 
to Evolve but Improvements Needed				 
     DATE:   05/09/2007 
  SUBJECT:   Agency evaluation					 
	     Enterprise architecture				 
	     Federal agency reorganization			 
	     Homeland security					 
	     Information technology				 
	     Investment planning				 
	     Usability						 
	     Capital investment planning			 
	     Program implementation				 
	     Stakeholder consultations				 
	     GAO High Risk Series				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-564

   

     * [1]DHS EA 2006 Has Evolved beyond Prior Versions, but Missing A
     * [2]Conclusions
     * [3]Recommendations for Executive Action
     * [4]Agency Comments and Our Evaluation
     * [5]GAO Contact
     * [6]Staff Acknowledgments
     * [7]GAO's Mission
     * [8]Obtaining Copies of GAO Reports and Testimony

          * [9]Order by Mail or Phone

     * [10]To Report Fraud, Waste, and Abuse in Federal Programs
     * [11]Congressional Relations
     * [12]Public Affairs

Report to Congressional Committees

United States Government Accountability Office

GAO

May 2007

HOMELAND SECURITY

DHS Enterprise Architecture Continues to Evolve but Improvements Needed

GAO-07-564

Contents

Letter 1

DHS EA 2006 Has Evolved beyond Prior Versions, but Missing Architecture
Content and Limited Stakeholder Input Constrain Its Usability 2
Conclusions 3
Recommendations for Executive Action 4
Agency Comments and Our Evaluation 4
Appendix I Briefing to the Staffs of the Subcommittees on Homeland
Security Senate and House Committees on Appropriations 7
Appendix II Comments from the Department of Homeland Security 75
Appendix III GAO Contact and Staff Acknowledgments 77

Abbreviations

CBP Customs and Border Protection
CIO chief information officer
CURE create, update, reference, and eliminate
DHS Department of Homeland Security
EA enterprise architecture
EAMMF Enterprise Architecture Management Maturity Framework
FEMA Federal Emergency Management Agency
ICE Immigration and Customs Enforcement
IT information technology
OMB Office of Management and Budget
TRM technical reference model
TSA Transportation Security Administration
US-VISIT United States Visitor and Immigrant Status Indicator Technology
USSS United States Secret Service

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office
Washington, DC 20548

May 9, 2007

The Honorable Robert C. Byrd
Chairman
The Honorable Thad Cochran
Ranking Minority Member
Subcommittee on Homeland Security
Committee on Appropriations
United States Senate

The Honorable David E. Price
Chairman
The Honorable Harold Rogers
Ranking Minority Member
Subcommittee on Homeland Security
Committee on Appropriations
House of Representatives

Information technology (IT) is a critical tool in the Department of
Homeland Security's (DHS) quest to transform 22 diverse and distinct
agencies into one cohesive, high-performing department. Because of the
importance of this transformation and the magnitude of the associated
challenges, we designated the department's implementation and
transformation as a high-risk undertaking in 2003.^1 In 2003 and in 2004,
we reported that DHS needed to, among other things, develop and implement
an enterprise architecture (EA)--a corporate blueprint that serves as an
authoritative frame of reference to guide and constrain IT investment
decision making, promoting interoperability, minimizing wasteful
duplication and redundancy, and optimizing departmentwide mission
performance.^2

^1GAO, High-Risk Series: An Update, [13]GAO-03-119 (Washington, D.C.:
January 2003); High-Risk Series: An Update, [14]GAO-05-207 (Washington,
D.C.: January 2005).

^2GAO, Homeland Security: Efforts to Improve Information Sharing Need to
Be Strengthened, [15]GAO-03-760 (Washington, D.C.: Aug. 27, 2003) and
Department of Homeland Security: Formidable Information and Technology
Management Challenge Requires Institutional Approach, [16]GAO-04-702
(Washington, D.C.: Aug. 27, 2004).

Recognizing the importance that an EA plays in effectively leveraging IT
for organizational transformation, DHS issued an initial version of its
architecture in September 2003. Following our review of this EA and
recommendations for its improvement,^3 the department issued a second
version in October 2004. The DHS Appropriations Act of 2006 required the
department's chief information officer (CIO) to submit to Congress a
report that includes, among other things, an EA and a capital investment
plan for implementing the architecture.^4 It also required GAO to review
the report. On June 16, 2006, the CIO submitted its report, which included
the third version of the department's EA and a plan for implementing it,
which DHS referred to as DHS EA 2006 and Capital Investment Plan for
Implementing the DHS Enterprise Architecture.

Our objective was to assess the status of DHS EA 2006, including the
capital investment plan for implementing it. On February 28, 2007, we
briefed your staffs on the results of our review, which included sensitive
information. This report transmits the slides from that briefing, with
sensitive information removed. These slides, along with our scope and
methodology, are included as appendix I.

DHS EA 2006 Has Evolved beyond Prior Versions, but Missing Architecture Content
and Limited Stakeholder Input Constrain Its Usability

DHS EA 2006 partially addresses the content shortcomings in earlier
versions of the department's architecture, which we had reported on and
made recommendations to correct. However, the full depth and breadth of EA
content that our 41 recommendations provided for is not reflected in DHS
EA 2006. For example, we recommended that the architecture include a data
dictionary, which is a repository of standard definitions of key terms. In
response, DHS EA 2006 provides a data dictionary, but it does not include
definitions of all key terms (e.g., first responder). We also recommended
that DHS base its EA transition plan on, among other things, an analysis
of the gaps between the current ("as-is") and future ("to-be") states of
the architecture to define missing and needed capabilities.^5 However, DHS
EA 2006 does not include a transition plan, and it does not include any
evidence of a gap analysis--a comparison of the "as-is" and "to-be"
architectures to identify capability differences.

^3GAO, Homeland Security: Efforts Under Way to Develop Enterprise
Architecture, but Much Work Remains, [17]GAO-04-777 (Washington, D.C.:
Aug. 6, 2004).

^4The act also required DHS's CIO report to include a description of the
IT capital planning and investment control (CPIC) process and an IT human
capital plan.

^5An EA describes how an entity currently operates (the "as-is"
architecture) and how it plans to operate in the future (the "to-be"
architecture); it also includes a plan for making that transition (the
transition plan).

Moreover, this version of the architecture does not address the majority
of the 383 comments made on a draft of it by DHS stakeholders, including
component organizations and the department's EA support contractor. For
example, Immigration and Customs Enforcement commented that the inputs it
provided had not been incorporated, represented, or otherwise accommodated
in any way. Of the comments, 139 were categorized as fully addressed, 27
as partially addressed, 101 as not addressed but to be resolved in a later
EA version. The remaining 116 had no resolutions specified. In general,
comments were raised about the architecture's completeness, internal
consistency, and understandability. In addition, concerns were raised
about the architecture's usability as a departmental frame of reference
for informing IT investment decisions.

In addition, the approach DHS used in soliciting comments did not clearly
define the type of information requested and did not provide sufficient
time for detailed responses. Also, the extent to which comments were
obtained was limited. For example, key stakeholders, such as the Coast
Guard and Transportation Security Administration, chose to not comment on
a draft of DHS EA 2006.

Lastly, DHS's capital investment plan for implementing its architecture is
not based on an EA transition plan and is missing key IT investments. For
example, the plan does not account for all of DHS's planned investments in
IT nor does it include information on certain major IT capital
investments.

Conclusions

DHS's approach to developing its EA through incremental releases or
versions is reasonable, given the size and complexity of the department
and the volumes of information needed to produce a complete,
understandable, and usable architecture. As the department's third version
of its EA, DHS EA 2006 is an improvement over prior versions, as evidenced
by it at least partially addressing our prior recommendations. Moreover,
DHS EA 2006 is partially responsive to stakeholder comments on a draft of
it.

Nevertheless, DHS EA 2006 is still not sufficiently complete and usable,
given those aspects of our recommendations that it did not fully address
the range of stakeholder comments that have not been resolved and the
limitations of the capital investment plan. Given the critical role that
DHS's EA should play in the department's transformation efforts, which we
have identified as a high-risk undertaking, it is important for DHS to
fully address both our existing recommendations and stakeholder comments
on incremental versions of its architecture.

Finally, with regard to stakeholder comments, it is also important for DHS
to ensure that it devotes sufficient time and adopts an effective approach
to obtaining stakeholder comments on future versions. If it does not, the
chances of developing a well-defined EA that is accepted and usable will
be diminished.

Recommendations for Executive Action

To ensure that DHS fully implements our prior EA recommendations and
effectively solicits and addresses stakeholder comments on incremental
versions of its EA, we recommend that the Secretary of Homeland Security
direct the department's CIO to take the following two actions:

           o Include in future versions of the department's EA a traceability
           matrix that explicitly maps EA content to our recommendations in
           sufficient detail to demonstrate their implementation, and
           o Ensure that future efforts to solicit stakeholder comments on
           the department's EA employ an effective approach that includes
           clearly defining the type of information requested and allowing
           sufficient time for obtaining and responding to these comments.

           We are not making recommendations for addressing limitations in
           the department's capital investment plan for implementing its EA
           because our existing recommendations for an EA transition plan
           address such limitations.

 		   Agency Comments and Our Evaluation

           In DHS's written comments on a draft of this report, signed by the
           Director, Departmental GAO/OIG Liaison Office, and reprinted in
           appendix II, the department stated that the fourth release of its
           EA (referred to as HLS EA 2007) addresses many of the issues that
           our report identifies. In addition, DHS agreed to include in
           future EA releases a traceability matrix that explicitly maps its
           EA content to our recommendations, adding that this recommended
           tool will allow DHS to better track progress.

           However, DHS commented that its current approach to soliciting
           architecture stakeholders' input is adequate, noting that this
           approach provides stakeholders with unlimited opportunity to
           comment and observing that its receipt of nearly 400 comments on
           DHS EA 2006 demonstrates this opportunity. Moreover, the
           department stated that we had an incorrect perception of how it
           treated stakeholder comments, adding that all comments that
           require resolution will be addressed in future EA releases.

           We do not agree with DHS's comments about the adequacy of its
           approach to obtaining and incorporating stakeholder comments for
           several reasons, each of which are cited in our report. For
           example, the approach did not adequately define the type and
           nature of the comments being solicited, and it did not provide
           sufficient time for stakeholders to comment, as evidenced by some
           stakeholders stating that the time was too limited. Also, most DHS
           component organizations, including large ones like the
           Transportation Security Agency and the Coast Guard, did not
           provide comments. Moreover, about 60 percent of the comments that
           were received on DHS EA 2006 were not to be addressed in the next
           version (HLS EA 2007), and it was not specified when they would be
           addressed. Given that comments were directed at the architecture's
           completeness, internal consistency, understandability, and
           usability, which are all fundamental characteristics of an EA, we
           believe that our recommendation aimed at employing a more
           effective approach to soliciting and responding to comments is
           warranted.

           We are sending copies of this report to the Chairmen and Ranking
           Minority Members of other Senate and House committees that have
           authorization and oversight responsibilities for homeland
           security. We are also sending a copy of this report to the
           Secretary of Homeland Security and the Director of OMB. We will
           also make copies available to others upon request. In addition,
           this report will be available at no charge on the GAO Web site at
           http://www.gao.gov .

           If you or your staffs have any questions about this report, please
           contact me at (202) 512-3439 or [email protected]. Contact points for
           our Offices of Congressional Relations and Public Affairs may be
           found on the last page of this report. GAO staff members who made
           major contributions to this report are listed in appendix III.

           Randolph C. Hite
		   Director, Information Technology Architecture and
             Systems Issues
			 
           Appendix I: Briefing to the Staffs of the Subcommittees on Homeland
           Security Senate and House Committees on Appropriations

           Appendix II: Comments from the Department of Homeland Security

           Appendix III: GAO Contact and Staff Acknowledgments

           GAO Contact

           Randolph C. Hite, (202) 512-3439, [email protected]
		   
		   Staff Acknowledgments

           In addition to the person named above, Mark Bird, Assistant
           Director; Neil Doherty; Ashfaq Huda; Nancy Glover; Anh Le; Teresa
           Smith; Amos Tevelow; William Wadsworth; and Kim Zelonis made key
           contributions to this report.
		   
		   GAO's Mission

           The Government Accountability Office, the audit, evaluation and
           investigative arm of Congress, exists to support Congress in
           meeting its constitutional responsibilities and to help improve
           the performance and accountability of the federal government for
           the American people. GAO examines the use of public funds;
           evaluates federal programs and policies; and provides analyses,
           recommendations, and other assistance to help Congress make
           informed oversight, policy, and funding decisions. GAO's
           commitment to good government is reflected in its core values of
           accountability, integrity, and reliability.
		   
		   Obtaining Copies of GAO Reports and Testimony

           The fastest and easiest way to obtain copies of GAO documents at
           no cost is through GAO's Web site ( www.gao.gov ). Each
           weekday, GAO posts newly released reports, testimony, and
           correspondence on its Web site. To have GAO e-mail you a list of
           newly posted products every afternoon, go to www.gao.gov and
           select "Subscribe to Updates."
		   
		   Order by Mail or Phone

           The first copy of each printed report is free. Additional copies
           are $2 each. A check or money order should be made out to the
           Superintendent of Documents. GAO also accepts VISA and Mastercard.
           Orders for 100 or more copies mailed to a single address are
           discounted 25 percent. Orders should be sent to:

           U.S. Government Accountability Office 441 G Street NW, Room LM
           Washington, D.C. 20548

           To order by Phone: Voice: (202) 512-6000
		   TDD: (202) 512-2537
		   Fax: (202) 512-6061
		   
		   To Report Fraud, Waste, and Abuse in Federal Programs

           Contact:

           Web site: www.gao.gov/fraudnet/fraudnet.htm
		   E-mail: [email protected]
		   Automated answering system: (800) 424-5454 or (202) 512-7470
		   
		   Congressional Relations

           Gloria Jarmon, Managing Director, [email protected] (202)
           512-4400 U.S. Government Accountability Office, 441 G Street NW,
           Room 7125 Washington, D.C. 20548
		   
		   Public Affairs

           Paul Anderson, Managing Director, [email protected] (202)
           512-4800 U.S. Government Accountability Office, 441 G Street NW,
           Room 7149 Washington, D.C. 20548

(310641)

www.gao.gov/cgi-bin/getrpt?GAO-07-564 .

To view the full product, including the scope
and methodology, click on the link above.

For more information, contact Randolph C. Hite at (202) 512-3439 or
[email protected].

Highlights of [27]GAO-07-564 , a report to congressional committees

May 2007

HOMELAND SECURITY

DHS Enterprise Architecture Continues to Evolve but Improvements Needed

GAO designated the transformation of the Department of Homeland Security
(DHS) as high risk in 2003, and it continues to do so today. One essential
tool for facilitating organizational transformation is an enterprise
architecture (EA)--a corporate blueprint that serves as an authoritative
frame of reference for information technology investment decision making.
The Congress required DHS to submit a report that includes its EA and a
capital investment plan for implementing it. The Congress also required
that GAO review the report. In June 2006, DHS submitted this report to the
Congress. GAO's objective was to assess the status of the EA, referred to
as DHS EA 2006, and the plan for implementing it. To meet this objective,
GAO analyzed architectural documents relative to its prior
recommendations; evaluated stakeholder comments and the process used to
obtain them; and analyzed the implementation plan against relevant
guidance.

[28]What GAO Recommends

GAO is making recommendations to DHS for tracing the implementation of
prior GAO recommendations to EA content, and for more effectively
soliciting and addressing EA stakeholder comments. DHS agreed to trace
GAO's recommendations, but stated that it already adequately deals with
stakeholder comments. GAO does not agree for reasons cited in this report,
and thus stands by its recommendation.

DHS EA 2006 has evolved beyond prior versions, but missing architecture
content and limited stakeholder input constrain its usability. While the
architecture partially addresses each of the prior GAO recommendations
concerning the content of DHS's architecture, the full depth and breadth
of EA content that the recommendations solicited is still missing.  For
example, GAO recommended that DHS use, among other things, an analysis of
the gaps between the current ("as-is") and future ("to-be") states of the
architecture to define missing and needed capabilities and form the basis
for its transition plan. However, DHS EA 2006 does not include a
transition plan and it does not include any evidence of a gap analysis.

In addition, department stakeholders, including component organizations
and the department's EA support contractor, provided a range of comments
relative to the completeness, internal consistency, and understandability
of a draft of DHS EA 2006, but the majority of the comments were not
addressed (see fig.). Moreover, key stakeholders, such as the Coast Guard
and the Transportation Security Administration, did not comment on the
draft. GAO found that the extent of stakeholder participation was limited
because the approach EA officials used to solicit input did not clearly
define the type of information being requested and did not provide
sufficient time for responding.

Furthermore, DHS's capital investment plan for implementing its
architecture is not based on a transition plan and is missing key
information technology (IT) investments. Thus, the plan does not provide a
comprehensive roadmap for transitioning the department to a target
architectural state. Also, the plan does not account for all of DHS's
planned investments in IT (excluding about $2.5 billion in planned IT
investments).

Without an architecture that is complete, internally consistent, and
understandable, the usability of the DHS's EA is diminished, which in turn
limits the department's ability to guide and constrain IT investments in a
way that promotes interoperability, reduces overlap and duplication, and
optimizes overall mission performance.

Resolution of DHS Stakeholder Comments on a Draft of DHS EA 2006 (383
Total comments)

References

Visible links
  13. http://www.gao.gov/cgi-bin/getrpt?GAO-03-119
  14. http://www.gao.gov/cgi-bin/getrpt?GAO-05-207
  15. http://www.gao.gov/cgi-bin/getrpt?GAO-03-760
  16. http://www.gao.gov/cgi-bin/getrpt?GAO-04-702
  17. http://www.gao.gov/cgi-bin/getrpt?GAO-04-777
  27. http://www.gao.gov/cgi-bin/getrpt?GAO-07-564
*** End of document. ***