Business Systems Modernization: Air Force Needs to Fully Define  
Policies and Procedures for Institutionally Managing Investments 
(31-OCT-07, GAO-08-52). 					 
                                                                 
In 1995, GAO first designated the Department of Defense's (DOD)  
business systems modernization program as "high-risk" and	 
continues to do so today. In 2004, Congress passed legislation	 
reflecting prior GAO recommendations that DOD adopt a corporate  
approach to information technology (IT) business systems	 
investment management including tiered accountability for	 
business systems at the department and component levels. To	 
support GAO's legislative mandate to review DOD's efforts, GAO	 
assessed whether the investment management approach of one of	 
DOD's components--the Department of the Air Force (Air Force)--is
consistent with leading investment management best practices. In 
doing so, GAO applied its IT Investment Management (ITIM)	 
framework and associated methodology, focusing on the stages	 
related to the investment management provisions of the		 
Clinger-Cohen Act of 1996.					 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-52						        
    ACCNO:   A77868						        
  TITLE:     Business Systems Modernization: Air Force Needs to Fully 
Define Policies and Procedures for Institutionally Managing	 
Investments							 
     DATE:   10/31/2007 
  SUBJECT:   Documentation					 
	     Information technology				 
	     Internal controls					 
	     Policy evaluation					 
	     Program management 				 
	     Reporting requirements				 
	     Risk assessment					 
	     Risk management					 
	     Strategic information systems planning		 
	     Strategic planning 				 
	     Systems conversions				 
	     Business operations				 
	     Business planning					 
	     Business transformation				 
	     Policies and procedures				 
	     Program implementation				 
	     GAO High Risk Series				 
	     GAO Information Technology Investment		 
	     Management Framework				 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-52

   

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Committees: 

United States Government Accountability Office: 

GAO: 

October 2007: 

Business Systems Modernization: 

Air Force Needs to Fully Define Policies and Procedures for 
Institutionally Managing Investments: 

Business Systems Modernization: 

GAO-08-52: 

GAO Highlights: 

Highlights of GAO-08-52, a report to congressional committees. 

Why GAO Did This Study: 

In 1995, GAO first designated the Department of Defenseï¿½s (DOD) 
business systems modernization program as ï¿½high-riskï¿½ and continues to 
do so today. In 2004, Congress passed legislation reflecting prior GAO 
recommendations that DOD adopt a corporate approach to information 
technology (IT) business systems investment management including tiered 
accountability for business systems at the department and component 
levels. To support GAOï¿½s legislative mandate to review DODï¿½s efforts, 
GAO assessed whether the investment management approach of one of DODï¿½s 
componentsï¿½the Department of the Air Force (Air Force)ï¿½is consistent 
with leading investment management best practices. In doing so, GAO 
applied its IT Investment Management (ITIM) framework and associated 
methodology, focusing on the stages related to the investment 
management provisions of the Clinger-Cohen Act of 1996. 

What GAO Found: 

The Air Force has established the basic management structures needed to 
effectively manage its IT projects as investments, but has not fully 
implemented many of the related policies and procedures outlined in 
GAOï¿½s ITIM framework (see table). Air Force has fully implemented three 
of the nine key practices that call for project-level management 
structures, policies, and procedures, and has not implemented any of 
the five practices that call for portfolio-level policies and 
procedures. Regarding project-level practices, it has established an IT 
investment board that is responsible for defining and implementing the 
departmentï¿½s business systems investment governance process, has 
developed procedures for identifying and collecting information about 
its business systems to support investment selection and control, and 
has assigned responsibility for ensuring that the information collected 
during project identification meets the needs of the investment 
management process. However, Air Force has not fully documented 
business systems investment policies and procedures for directing 
investment board operations, selecting new investments, reselecting 
ongoing investments, or integrating the investment funding and 
investment selection processes. In addition, it has not implemented any 
of the policies and procedures for developing and maintaining a 
complete business system investment portfolio. 

Air Force officials stated that they are aware of the absence of 
documented policies and procedures in certain areas of project-level 
and portfolio-level management and that they are currently working on 
guidance to address these areas. For example, officials stated that 
they had begun drafting portfolio-level policies and procedures. 
According to Air Force officials, the policies and procedures are 
expected to be completed and approved by December 2007. Until Air Force 
fully defines policies and procedures for both individual projects and 
portfolios of projects, it risks not being able to select and control 
these business system investments in a way that is consistent and 
complete, which in turn increases the chances that these investments 
will not meet mission needs in the most effective manner. 

Table: Status of Air Force's Project-and Portfolio-Level Management 
Capabilities: 

Stage 2: Building the investment foundation: Instituting the investment 
board; 
Key practices executed: 1/2; 
Stage 3: Developing a complete investment portfolio: Defining the 
portfolio criteria; 
Key practices executed: 0/2. 

Stage 2: Building the investment foundation: Meeting business needs; 
Key practices executed: 0/1; 
Stage 3: Developing a complete investment portfolio: Creating the 
portfolio; 
Key practices executed: 0/1. 

Stage 2: Building the investment foundation: Selecting an investment; 
Key practices executed: 0/3; 
Stage 3: Developing a complete investment portfolio: Evaluating the 
portfolio; 
Key practices executed: 0/1. 

Stage 2: Building the investment foundation: Providing investment 
oversight; 
Key practices executed: 0/1; 
Stage 3: Developing a complete investment portfolio: Conducting post 
implementation reviews; 
Key practices executed: 0/1. 

Stage 2: Building the investment foundation: Capturing investment 
information; 
Key practices executed: 2/2; 
Stage 3: Developing a complete investment portfolio: [Empty]; 
Key practices executed: [Empty]. 

Overall; 
Key practices executed: 3/9; 
Stage 3: Developing a complete investment portfolio: [Empty]; 
Key practices executed: 0/5. 

Source: GAO. 

[End of table] 

What GAO Recommends: 

GAO recommends that the Department of the Air Force fully define the 
project and portfolio management policies and procedures discussed in 
GAOï¿½s ITIM framework. In comments on a draft of this report, DOD stated 
that the Air Force has begun to establish a project-level management 
process that will be instituted in formal policies and is applying 
DODï¿½s portfolio management process in its decision making. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.GAO-08-52]. For more information, contact 
Valerie Melvin at (202) 512-6304 or [email protected]. 

[End of section] 

Contents: 

Letter1: 

Results in Brief: 

Background: 

Air Force Has Established the Structures Needed to Effectively Manage 
Business System Investments but Has Not Fully Defined Many of the 
Related Policies and Procedures: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objective, Scope, and Methodology: 

Appendix II: Comments from the Department of Defense: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: DOD and Air Force Business System Investment Tiers: 

Table 2: Air Force Investment Management Governance Entities and 
Responsibilities: 

Table 3: Stage 2 Critical Processes--Building the Investment 
Foundation: 

Table 4: Summary of Policies and Procedures for Stage 2 Critical 
Processes--Building the Investment Foundation: 

Table 5: Stage 3 Critical Processes--Developing a Complete Investment 
Portfolio: 

Table 6: Summary of Policies and Procedures for Stage 3 Critical 
Processes--Developing a Complete Investment Portfolio: 

Figures: 

Figure 1: Simplified DOD Organizational Structure: 

Figure 2: Air Force Chief Information Officer Organizational Structure: 

Figure 3: The Five ITIM Stages of Maturity with Critical Processes: 

Figure 4: Working Relationships among DOD Business Investment 
Management System Governance Entities: 

Figure 5: Air Force Precertification Review and Approval Process: 

Abbreviations: 

CPM: certification process manager: 

CIO: chief information officer: 

DAS: Defense Acquisition System: 

DOD: Department of Defense: 

IT: information technology: 

ITIM: Information Technology Investment Management: 

JCIDS: Joint Capabilities Integration and Development System: 

MAJCOM: Major Command: 

OMB: Office of Management and Budget: 

PPBE: Planning, Programming, Budgeting, and Execution: 

United States Government Accountability Office: 

Washington, DC 20548: 

October 31, 2007: 

Congressional Committees: 

For decades, the Department of Defense (DOD) has been challenged in 
modernizing its timeworn business systems.[Footnote 1] In 1995, we 
designated DOD's business systems modernization program as high risk, 
and we continue to designate it as such today.[Footnote 2] Our research 
on public and private sector organizations shows that an essential 
ingredient to a successful systems modernization program is having an 
effective institutional approach to managing information technology 
(IT) investments. 

In May 2001, we recommended that the department establish a corporate 
approach to investment control and decision making.[Footnote 3] Between 
2001 and 2005, we reported that the department's business systems 
modernization program was still not being effectively managed,[Footnote 
4] and we made additional investment-related recommendations. Congress 
subsequently included provisions in the Ronald W. Reagan National 
Defense Authorization Act for Fiscal Year 2005[Footnote 5] that 
reflected our recommendations, including those for establishing and 
implementing effective business system investment management structures 
and processes. 

Between 2005 and 2007,[Footnote 6] we reported that DOD had made 
important progress in establishing and implementing these structures 
and processes; however, much remained to be accomplished. Most 
recently,[Footnote 7] we reported that, according to DOD officials, 
investment management practices are performed at the component level, 
and that departmental policies and procedures established for 
overseeing components' execution of these practices are sufficient. 
However, DOD had not fully defined many of the related policies and 
procedures outlined in GAO's IT Investment Management framework. 

The Fiscal Year 2005 National Defense Authorization Act directs DOD to, 
among other things, establish and implement effective IT business 
system investment management structures and processes. As agreed with 
your offices and to support the legislative mandate that GAO assess 
DOD's actions to comply with this requirement, the objective of our 
review was to determine whether the investment management approach of 
the Department of the Air Force (Air Force) is consistent with leading 
investment management best practices. To accomplish our objective, we 
analyzed documents and interviewed department officials to determine 
whether Air Force has developed the structures, policies, and 
procedures associated with executing those key practices in our IT 
Investment Management (ITIM) framework[Footnote 8] that assist 
departments and agencies in complying with the investment management 
provisions of the Clinger-Cohen Act of 1996.[Footnote 9] 

We performed our work at Air Force offices in Arlington, Virginia, from 
February 2007 through September 2007 in accordance with generally 
accepted government auditing standards. Details on our objective, 
scope, and methodology are contained in appendix I. 

Results in Brief: 

Air Force has established the basic management structures needed to 
effectively manage its IT projects as investments, but it has not fully 
implemented many of the related policies and procedures that our ITIM 
framework outlines. Air Force has fully implemented three of the nine 
key practices that call for project-level management structures and 
project-level policies and procedures. Specifically, it has (1) 
established an investment review board that is responsible for business 
system investment governance, (2) developed procedures for identifying 
and collecting information about its business systems to support 
investment selection and control, and (3) assigned responsibility for 
ensuring that the information collected during project identification 
meets the needs of the investment management process. However, Air 
Force has not fully developed business system investment policies and 
procedures related to the remaining six key project-level management 
practices. For example, policies and procedures do not (1) address how 
investments for systems in operations and maintenance are to be 
governed; (2) define how systems in operations and maintenance will 
support ongoing and future business needs; (3) specify how the full 
range of cost, schedule, and performance data accessible to Air Force 
is to be used in making selection (i.e., precertification) decisions; 
(4) specify how reselection decisions (i.e., annual reviews) consider 
investments that are in operations and maintenance; (5) describe how 
funding decisions are integrated with the process of selecting an 
investment; and (6) provide sufficient oversight and visibility into 
investment management activities, including specifying how corrective 
actions should be taken. 

Further, Air Force has not implemented any of the five practices that 
call for policies and procedures to develop and maintain a complete 
business system portfolio. Specifically, it does not have documented 
policies and procedures for (1) defining the portfolio criteria, (2) 
creating the portfolio, (3) evaluating the portfolio, and (4) 
conducting post-implementation reviews of business systems. In 
addition, the Air Force has not assigned responsibility for managing 
the portfolio criteria. According to ITIM, adequately documenting both 
the policies and associated procedures that govern how an organization 
manages its IT investment portfolios is important because doing so 
provides the basis for having rigor, discipline, and repeatability in 
how investments are selected and controlled across the entire 
organization. 

Air Force officials stated that they are aware of the absence of 
documented policies and procedures in certain areas of project-level 
and portfolio-level management; officials also stated that they are 
currently working on new policies and procedures to address these areas 
that they expect to issue by December 2007. Until Air Force defines 
policies and procedures for both individual projects and portfolios of 
projects--and assigns responsibility for managing its business system 
portfolios--it risks selecting and controlling these business system 
investments in a way that is not consistent and complete, which in turn 
reduces the chances that these investments will meet mission needs in 
the most effective manner. 

To strengthen Air Force's business system management capability, we are 
recommending that the agency fully define the policies and procedures 
associated with project-level and portfolio-level investment management 
and assign responsibility for managing its business system portfolios, 
as discussed in our guidance for IT investment management.[Footnote 10] 

In written comments on a draft of this report, signed by the Deputy 
Under Secretary of Defense (Business Transformation) and reprinted in 
appendix II, DOD partially concurred with the report's recommendations. 
Relative to our recommendations concerning project-level management 
policies and procedures, DOD stated that Air Force has begun to 
establish a project-level management process that, while not codified 
into formal policy, is documented in its investment review guide. 
Further, it stated that Air Force is committed to formalizing its 
policies as the processes expand and mature. Our report recognizes that 
Air Force has drafted a business system investment management process. 
However, we found that it lacks critical elements needed to effectively 
carry out essential investment management activities. Until it fully 
addresses all critical elements needed for investment management, Air 
Force will be at risk of not being able to carry out investment 
management activities in a consistent and disciplined manner. Relative 
to our recommendations concerning portfolio-level management policies 
and procedures, DOD stated that Air Force is applying DOD's IT 
portfolio management process in its decision making. However, as our 
report notes, Air Force has not implemented a process for managing its 
business system portfolios. Until it implements such a process, Air 
Force increases the risk of not selecting the mix of investments that 
best supports its mission needs. 

Background: 

DOD is a massive and complex organization. To illustrate, the 
department reported that its fiscal year 2006 operations involved 
approximately $1.4 trillion in assets and $2.0 trillion in liabilities, 
more than 2.9 million military and civilian personnel, and $581 billion 
in net cost of operations. Organizationally, the department includes 
the Office of the Secretary of Defense, the Chairman of the Joint 
Chiefs of Staff, the military departments, numerous defense agencies 
and field activities, and various unified combatant commands that are 
responsible for either specific geographic regions or specific 
functions. Figure 1 provides a simplified depiction of DOD's 
organizational structure. 

Figure 1: Simplified DOD Organizational Structure: 

This figure is a chart showing the simplified DOD organizational 
structure. 

[See PDF for image] 

Source: GAO, based on DOD documentation. 

[A] The Chairman of the Joint Chiefs of Staff serves as the spokesman 
for the commanders of the combatant commands, particularly for the 
administrative requirements of their commands. 

[End of figure] 

In support of its military operations, DOD performs an assortment of 
interrelated and interdependent business functions, including logistics 
management, procurement, health care management, and financial 
management. As we have previously reported,[Footnote 11] the systems 
environment that supports these business functions is overly complex 
and error prone, and is characterized by (1) little standardization 
across the department, (2) multiple systems performing the same tasks, 
(3) the same data stored in multiple systems, and (4) the need for data 
to be entered manually into multiple systems. 

Air Force's Mission, Organizational Structure, and Use of IT: 

Air Force is a major component of DOD. Its mission is to deliver 
options for the defense of the United States and its global interests 
in air, space, and cyberspace. Air Force relies extensively on IT to 
fulfill these competencies effectively and to meet its organizational 
mission. It has 909 business systems; of these systems, 832 (91 
percent) are in operations and maintenance. In fiscal year 2006, Air 
Force was allocated approximately $651 million[Footnote 12] for its 
business systems, of which about $406 million (62 percent) was 
allocated to systems in operations and maintenance and $245 million (38 
percent) was allocated to systems in development and/or modernization. 

Air Force has created the Office of Warfighting Integration and Chief 
Information Office to provide the IT and supporting infrastructure to 
fulfill its mission. Among the goals of this organization are to: 

* deliver the ability to direct forces while anticipating situations, 
capabilities, and limitations; 

* develop adaptive, trained airmen; 

* shape enterprise investments; 

* provide policy, standards, oversight, and training to enable airmen 
to share and exploit accurate information any place and, anytime; and: 

* transform the communications and information career field to lead Air 
Force in leveraging information for its competitive advantage. 

The Office of Warfighting Integration and Chief Information Office 
consists of several organizations, as depicted in figure 2. 

Figure 2: Air Force Chief Information Officer Organizational Structure: 

This figure is a chart showing the organizational structure of an Air 
Force Chief Information Officer. 

[See PDF for image] 

Source: Air Force. 

[End of figure] 

IT Investment Management Is Critical to Achieving Successful Systems 
Modernization: 

Successful public and private organizations use a corporate approach to 
IT investment management. Recognizing this, Congress enacted the 
Clinger-Cohen Act of 1996,[Footnote 13] which requires the Office of 
Management and Budget (OMB) to establish processes to analyze, track, 
and evaluate the risks and results of major capital investments in IT 
systems made by executive agencies.[Footnote 14] In response to the 
Clinger-Cohen Act and other statutes, OMB has developed policy and 
issued guidance for the planning, budgeting, acquisition, and 
management of federal capital assets.[Footnote 15] We have also issued 
guidance in this area[Footnote 16] that defines institutional 
structures, such as investment review boards; processes for developing 
information on investments (such as costs and benefits); and practices 
to inform management decisions (such as whether a given investment is 
aligned with an enterprise architecture). 

IT Investment Management: A Brief Description: 

IT investment management is a process for linking IT investment 
decisions to an organization's strategic objectives and business plans. 
Consistent with this, the federal approach to IT investment management 
focuses on selecting, controlling, and evaluating investments in a 
manner that minimize risks while maximizing the return on 
investment.[Footnote 17] 

* During the selection phase, the organization (1) identifies and 
analyzes each project's risks and returns before committing significant 
funds to any project and (2) selects those IT projects that will best 
support its mission needs. 

* During the control phase, the organization ensures that projects, as 
they develop and investment expenditures continue, meet mission needs 
at the expected levels of cost and risk. If the project is not meeting 
expectations or if problems arise, steps are quickly taken to address 
the deficiencies. 

* During the evaluation phase, expected results are compared with 
actual results after a project has been fully implemented. This 
comparison is done to (1) assess the project's impact on mission 
performance, (2) identify any changes or modifications to the project 
that may be needed, and (3) revise the investment management process 
based on lessons learned. 

Overview of GAO's ITIM Maturity Framework: 

Our ITIM framework consists of five progressive stages of maturity for 
any given agency relative to selecting, controlling, and evaluating its 
investment management capabilities.[Footnote 18] (See fig. 3 for the 
five ITIM stages of maturity.) This framework is grounded in our 
research of IT investment management practices of leading private and 
public sector organizations. The framework can be used to assess the 
maturity of an agency's investment management processes and as a tool 
for organizational improvement. The overriding purpose of the framework 
is to encourage investment selection and control and to evaluate 
processes that promote business value and mission performance, reduce 
risk, and increase accountability and transparency. We have used the 
framework in several of our evaluations,[Footnote 19] and a number of 
agencies have adopted it. 

ITIM's five maturity stages represent the steps toward achieving stable 
and mature processes for managing IT investments. Each stage builds on 
the lower stages; the successful attainment of each stage leads to 
improvement in the organization's ability to manage its investments. 
With the exception of the first stage, each maturity stage is composed 
of "critical processes" that must be implemented and institutionalized 
in order for the organization to achieve that stage. These critical 
processes are further broken down into key practices that describe the 
types of activities that an organization should be performing to 
successfully implement each critical process. It is not unusual for an 
organization to be performing key practices from more than one maturity 
stage at the same time. However, our research has shown that agency 
efforts to improve investment management capabilities should focus on 
implementing all lower stage practices before addressing the higher 
stage practices. 

Figure 3: The Five ITIM Stages of Maturity with Critical Processes: 

This figure is a chart showing the five ITIM stages of maturity with 
critical processes. 

[See PDF for image] 

Source: GAO. 

[End of figure] 

In the ITIM framework, Stage 2 critical processes lay the foundation 
for sound IT investment management by helping the agency to attain 
successful, predictable, and repeatable investment management processes 
at the project level. Specifically, Stage 2 encompasses building a 
sound investment management foundation by establishing basic 
capabilities for selecting new IT projects. This stage also involves 
developing the capability to control projects so that they finish 
predictably within established cost and schedule expectations and 
developing the capability to identify potential exposures to risk and 
put in place strategies to mitigate that risk. Further, it involves 
evaluating completed projects to ensure they meet business needs and 
collecting lessons learned to improve the IT investment management 
process. The basic management processes established in Stage 2 lay the 
foundation for more mature management capabilities in Stage 3, which 
represents a major step forward in maturity, in which the agency moves 
from project-centric processes to a portfolio approach, evaluating 
potential investments by how well they support the agency's missions, 
strategies, and goals. 

Stage 3 requires that an organization continually assess both proposed 
and ongoing projects as parts of a complete investment portfolio--an 
integrated and competing set of investment options. It focuses on 
establishing a consistent, well-defined perspective on the IT 
investment portfolio and maintaining mature, integrated selection (and 
reselection), control, and post-implementation evaluation processes. 
This portfolio perspective allows decision makers to consider the 
interaction among investments and the contributions to organizational 
mission goals and strategies that could be made by alternative 
portfolio selections, rather than focusing exclusively on the balance 
between the costs and benefits of individual investments. Organizations 
that have implemented Stages 2 and 3 practices have capabilities in 
place that assist in establishing selection; control; and evaluation 
structures, policies, procedures, and practices that are required by 
the investment management provisions of the Clinger-Cohen Act.[Footnote 
20] 

Stages 4 and 5 require the use of evaluation techniques to continuously 
improve both the investment portfolio and the investment processes in 
order to better achieve strategic outcomes. At Stage 4, an organization 
has the capacity to conduct IT succession activities and, therefore, 
can plan and implement the deselection of obsolete, high-risk, or low- 
value IT investments. An organization with Stage 5 maturity conducts 
proactive monitoring for breakthrough information technologies that 
will enable it to change and improve its business performance. 

DOD and Air Force Approach for Identifying, Funding, and Acquiring 
System Investments: 

DOD's major system investments (i.e., weapons and business systems) are 
governed by three management systems that focus on defining needs, 
budgeting for, and acquiring investments to support the mission--the 
Joint Capabilities Integration and Development System (JCIDS); the 
Planning, Programming, Budgeting, and Execution (PPBE) system; and the 
Defense Acquisition System (DAS). In addition, DOD's business systems 
are subject to a fourth management system, which, for purposes of this 
report, we refer to as the Business Investment Management System. For 
each of these systems, DOD relies on its component agencies to execute 
the underlying policies and procedures. According to DOD, the four 
management systems, collectively, are the means by which the 
department--and its components--selects, controls, and evaluates its 
business systems investments. 

Joint Capabilities Integration and Development System: 

JCIDS is a needs-driven, capabilities-based approach to identify 
mission needs and meet future joint forces challenges. It is intended 
to identify future capabilities for DOD; address capability gaps and 
mission needs recognized by the Joint Chiefs of Staff or derived from 
strategic guidance, such as the National Security Strategy 
Report[Footnote 21] or Quadrennial Defense Review;[Footnote 22] and 
identify alternative solutions by considering a range of doctrine, 
organization, training, materiel, leadership and education, personnel, 
and facilities solutions. According to DOD, the Joint Chiefs of Staff-
-through the Joint Requirements Oversight Council--has primary 
responsibility for defining and implementing JCIDS. All JCIDS documents 
are submitted to the Joint Chiefs of Staff, which determines whether 
the proposed system has joint implications or is component-unique. If 
it is designated as joint interest, then the Joint Requirements 
Oversight Council is responsible for approving and validating the 
documents. If it is not designated as having joint interests, the 
sponsoring component is responsible for validation and approval. 

Planning, Programming, Budgeting, and Execution: 

PPBE is a calendar-driven approach that is composed of four phases that 
occur over a moving 2-year cycle. The four phases--planning, 
programming, budgeting, and executing--define how budgets for each DOD 
component and the department as a whole are created, vetted, and 
executed. As recently reported,[Footnote 23] the components start 
programming and budgeting for addressing a JCIDS-identified capability 
gap or mission need several years before actual product development 
begins and before the Office of the Secretary of Defense formally 
reviews the components' programming and budgeting proposals (i.e., 
Program Objective Memorandums). Once reviewed and approved, the 
financial details in the Program Objective Memorandums become part of 
the President's budget request to Congress. During budget execution, 
components may submit program change proposals or budget change 
proposals, or both (e.g., program cost increases or schedule delays). 
According to DOD, the Under Secretary of Defense (Policy), the Director 
for Program Analysis and Evaluation, and the Under Secretary of Defense 
(Comptroller) have primary responsibility for defining and implementing 
the PPBE system. 

Defense Acquisition System: 

DAS[Footnote 24] is a framework-based approach that is intended to 
translate mission needs and requirements into stable, affordable, and 
well-managed acquisition programs. It consists of five key program life-
cycle phases. These five phases are as follows: 

Concept Refinement: Intended to refine the initial JCIDS-validated 
system solution (concept) and create a strategy for acquiring the 
investment solution. A decision is made at the end of this phase 
(Milestone A decision) regarding whether to move to the next phase 
(Technology Development). 

Technology Development: Intended to determine the appropriate set of 
technologies to be integrated into the investment solution by 
iteratively assessing the viability of various technologies while 
simultaneously refining user requirements. Once the technology has been 
demonstrated in a relevant environment, a decision is made (Milestone B 
decision) regarding whether to move to the next phase (System 
Development and Demonstration). 

System Development and Demonstration: Intended to develop a system or a 
system increment and demonstrate through developer testing that the 
system or system increment can function in its target environment. A 
decision is made at the end of this phase (Milestone C decision) 
regarding whether to move to the next phase (Production and 
Deployment). 

Production and Deployment: Intended to achieve an operational 
capability that satisfies the mission needs, as verified through 
independent operational test and evaluation, and ensures that the 
system is implemented at all applicable locations. 

Operations and Support: Intended to operationally sustain the system in 
the most effective manner over its life cycle. 

A key principle of DAS is that investments are assigned a category, 
where programs of increasing dollar value and management interest are 
subject to more stringent oversight. For example, Major Defense 
Acquisition Programs[Footnote 25] and Major Automated Information 
Systems[Footnote 26] are large, expensive programs subject to the most 
extensive statutory and regulatory reporting requirements and unless 
delegated, are reviewed by acquisition boards at the DOD corporate 
level. Smaller and less risky acquisitions are generally reviewed at 
the component executive or lower levels. Another key principle is that 
DAS requires acquisition management under the direction of a milestone 
decision authority.[Footnote 27] The milestone decision authority-- 
with support from the program manager and advisory boards, such as the 
Defense Acquisition Board[Footnote 28] and the IT Acquisition 
Board[Footnote 29]--determines the project's baseline cost, schedule, 
and performance commitments. The Under Secretary of Defense for 
Acquisition, Technology, and Logistics has primary responsibility for 
defining and implementing DAS. 

DOD relies on its components to execute these investment management 
policies and procedures. To implement DOD's JCIDS process, the Air 
Force has designated the Joint Staff Functional Capabilities Board to 
review and approve operational capabilities. The Joint Staff Functional 
Capabilities Board seeks to establish a common understanding of how a 
capability will be used, who will use it, when it is needed, and why it 
is needed to achieve a desired effect. Each capability is assessed 
based on the effects it seeks to generate and the associated 
operational risk of not having it. In addition, the Capabilities Review 
and Risk Assessment process is being used to analyze concepts of 
operation and assess their associated capabilities. This process uses a 
phased approach to produce a prioritized list of capabilities, 
capability gaps or shortfalls, and possible capability solutions. To 
implement the PPBE process, Air Force officials stated that they use 
their Annual Planning and Programming Guidance manual. Finally, to 
implement DAS, Air Force has developed guidance that outlines a 
systematic acquisition framework that mirrors the framework defined by 
DOD and includes the same three event-based milestones and associated 
five program life-cycle phases. 

Business Investment Management System: 

The Business Investment Management System is a calendar-driven approach 
that is described in terms of governance entities, tiered 
accountability, and certification reviews and approvals. This system 
was initiated in 2005, when DOD reassigned responsibility for providing 
executive leadership for the direction, oversight, and execution of its 
business systems modernization efforts to several entities. These 
entities and their responsibilities include the following: 

* The Defense Business Systems Management Committee serves as the 
highest-ranking governance body for business systems modernization 
activities. 

* The Principal Staff Assistants serve as the certification authorities 
for business system modernizations in their respective core business 
missions. 

* The Investment Review Boards are chartered by the principal staff 
assistants and are the review and decision-making bodies for business 
system investments in their respective areas of 
responsibility.[Footnote 30] The boards are also responsible for 
recommending certification for all business system investments costing 
more than $1 million. 

* The component precertification authority is accountable for the 
component's business system investments and acts as the component's 
principal point of contact for communication with the Investment Review 
Boards. The Air Force has designated its CIO to be the precertification 
authority. 

* The Business Transformation Agency is responsible for leading and 
coordinating business transformation efforts across the department. The 
agency is organized into seven directorates, one of which is the 
Defense Business Systems Acquisition Executive--the component 
acquisition executive for DOD enterprise-level (DOD-wide) business 
systems and initiatives. This directorate is responsible for 
developing, coordinating, and integrating enterprise-level projects, 
programs, systems, and initiatives--including managing resources such 
as fiscal, personnel, and contracts for assigned systems and programs. 

Figure 4 provides a simplified illustration of the relationships among 
these entities. 

Figure 4: Working Relationships among DOD Business Investment 
Management System Governance Entities: 

This figure is a chart showing working relationships among DOD business 
investment management system governance entities. 

[See PDF for image] 

Source: GAO, based on DOD documentation. 

[End of figure] 

According to DOD, in 2005 it also adopted a tiered accountability 
approach to business transformation. Under this approach, 
responsibility and accountability for business system investment 
management is allocated among DOD (i.e., Office of the Secretary of 
Defense) and the component agencies, based on the amount of 
development/modernization funding involved and the investment's "tier." 
DOD is responsible for ensuring that all business systems with a 
development/modernization investment in excess of $1 million are 
reviewed by the Investment Review Boards for compliance with the 
business enterprise architecture, certified by the principal staff 
assistants, and approved by the Defense Business Systems Management 
Committee. Components are responsible for certifying development/ 
modernization investments with total costs of $1 million or less. All 
DOD development and modernization efforts are assigned a tier on the 
basis of the acquisition category or the size of the financial 
investment, or both. According to DOD, a system is given a tier 
designation when it passes through the certification process. Table 1 
describes the five investment tiers and identifies the associated 
reviewing and approving entities for DOD and the Air Force. 

Table 1: DOD and Air Force Business System Investment Tiers: 

Tier: Tier 1; 
Description: Major Automated Information Systems and Major Defense 
Acquisition Programs; 
Reviewing/Approving entities: Certified by Investment Review Boards and 
Defense Business Systems Management Committee; precertified by Air 
Force CIO. 

Tier: Tier 2; 
Description: Systems exceeding $10 million in total 
development/modernization costs, but not designated Major Automated 
Information Systems or Major Defense Acquisition Programs; 
Reviewing/ Approving entities: Certified by Investment Review Boards 
and Defense Business Systems Management Committee; precertified by Air 
Force CIO. 

Tier: Tier 3; 
Description: Systems exceeding $1 million and up to $10 million in 
total development/modernization costs; 
Reviewing/Approving entities: Certified by Investment Review Boards and 
Defense Business Systems Management Committee; 
precertified by Air Force CIO. 

Tier: Tier 4; 
Description: All other business systems (i.e., those systems with 
development/modernization costs of $1 million or less); 
Reviewing/Approving entities: Certified by Air Force CIO. 

Tier: Tier 5; 
Description: Systems in operations and maintenance or sustainment; 
Reviewing/Approving entities: Approved by Air Force CIO. 

Sources: DOD and Air Force. 

[End of table] 

DOD's business investment management system includes two types of 
reviews for business systems: certification and annual reviews. 
Certification reviews apply to new modernization projects with total 
costs over $1 million. These reviews focus on program alignment with 
the business enterprise architecture and must be completed before 
components obligate funds for programs. The annual reviews apply to all 
business programs and are undertaken to determine whether the system 
development effort is meeting its milestones and addressing its 
Investment Review Board certification conditions. 

* Certification reviews and approvals: Tier 1 through 3 business system 
investments in development and modernization are certified at two 
levels--component-level precertification and DOD-level certification 
and approval. At the component level, program managers prepare, enter, 
maintain, and update information about their investments in the Air 
Force data repository. The component precertification authority 
validates that the system information is complete and accessible on the 
Air Force data repository, reviews system compliance with the business 
enterprise architecture and enterprise transition plan, and verifies 
the economic viability analysis. This information is then transferred 
to DOD's IT Portfolio Repository.[Footnote 31] The precertification 
authority asserts the status and validity of the investment information 
by submitting a component precertification letter to the appropriate 
Investment Review Board for its review. 

* Annual reviews: Tier 1 through 4 business system investments are 
reviewed annually at the component and DOD-levels. At the component 
level, program managers annually review and update information on all 
tiers of system investments that are identified in their data 
repository. For Tier 1 through 3 systems that are in development or 
being modernized, information is updated on cost, milestone, and risk 
variances and actions or issues related to certification conditions. 
The precertification authority then verifies and submits the 
information for these business system investments for DOD's Investment 
Review Board review in an annual review assertion letter. The letter 
addresses system compliance with the DOD business enterprise 
architecture and the enterprise transition plan and includes investment 
cost, schedule, and performance information.[Footnote 32] 

At the DOD level, the Investment Review Boards annually review 
investments for certified Tier 1 through 3 business systems that are in 
development or are being modernized. These reviews focus on program 
compliance with the business enterprise architecture, program cost and 
performance milestones, and progress in meeting certification 
conditions. The Investment Review Boards can revoke an investment's 
certification when the system has significantly failed to achieve 
performance commitments (i.e., capabilities and costs). When this 
occurs, the component must address the Investment Review Board's 
concerns and resubmit the investment for certification. 

Air Force's Precertification Process: 

As stated earlier, DOD relies on its components to execute investment 
management policies and procedures. Air Force has developed a 
precertification process, which is intended to ensure that new or 
existing systems undergo proper scrutiny prior to being precertified by 
the Air Force CIO. First, the certification package is to be prepared 
by the Program Manager and reviewed by the Major Command (MAJCOM) and 
functional portfolio managers. 

The package is then to be provided to the Air Force Certification 
Process Manager, who is to review the package for completeness based on 
certification requirements and transmit the package to the 
Certification Review Team--which is composed of subject matter experts-
-to assess compliance with their relevant areas of expertise, such as 
the business enterprise architecture and information assurance. Once 
the certification review is complete, the package is to be sent to the 
Senior Working Group. This group is responsible for reviewing the 
package and approving or disapproving the package. Finally, the 
Precertification Authority is to precertify the system for submission 
to the relevant Investment Review Board. 

Table 2 lists decision-making personnel involved in Air Force's 
investment management process and provides a description of their key 
responsibilities. 

Table 2: Air Force Investment Management Governance Entities and 
Responsibilities: 

Entity: Precertification Authority; 
Roles and responsibilities: 
* Air Force Precertification Authority has the responsibility and 
authority to precertify any modernization investment in excess of $1 
million and certify any modernization investment less than or equal to 
$1million (Tier 4); 
Composition: The Secretary of the Air Force has the CIO as the Air 
Force Business Investment Approval Authority and Precertification 
Authority. 

Entity: Senior Working Group; 
Roles and responsibilities: 
* The Senior Working Group functions as the Investment Review Board at 
the component level. It provides cross-functional review and 
recommendations to the Air Force Precertification Authority regarding 
certification and annual review of business system investments; 
* The Senior Working Group provides guidance for Air Force 
modernization efforts. It also supports the CIO in ensuring compliance 
with public law and federal, DOD, and Air Force directives regulating 
the management and operation of IT investments; 
Composition: The Senior Working Group members are composed of general 
officers and senior executive service members from headquarter 
functional organizations. It is chaired by a representative from the 
Office of the CIO and has representation from various Air Force 
departments such as financial management and acquisition. 

Entity: Certification Review Team; 
Roles and responsibilities: 
* The Certification Review Team is comprised of subject matter experts 
tasked with reviewing each certification package for compliance with 
enterprise architecture, funding, information assurance, joint 
requirements, and the enterprise transition plan; 
Composition: The review team consists of Subject Matter Experts on 
Enterprise Architecture, Funding, Information Assurance, Joint 
Requirements, and the Enterprise Transition Plan. 

Entity: Certification Process Manager; 
Roles and responsibilities: 
* The Air Force Certification Process Manager is responsible for 
executing the certification and annual review processes. In support of 
this effort, the Certification Process Manager tracks certification 
conditions, and communicates and documents certification decisions; 
Composition: The Air Force Certification Process Manager has a unit 
within the Office of the CIO tasked with supporting investment 
activities. 

Entity: Functional Portfolio Manager; 
Roles and responsibilities: 
* Functional portfolio managers (functional CIOs) are responsible for 
managing the Air Force functional portfolios; 
* Managers are responsible for establishing a cross-functional 
investment review board to conduct portfolio management activities; 
Composition: These managers consist of Air Force's various functional 
portfolios, which include Acquisition, Financial Management, Human 
Resource Management, and Logistics. 

Entity: Major Command Portfolio Manager; 
Roles and responsibilities: 
* MAJCOM Portfolio Managers are responsible for managing a MAJCOM 
portfolio that includes the subject business system; 
* Managers are responsible for reviewing investment management 
documentation (e.g., Balanced Scorecard, Functions Gap/Redundancy 
Assessment, Architecture Alignment) on submitted initiatives, reviewing 
certification packages, and approving or disapproving the certification 
package; 
* Managers are responsible for establishing a cross-mission investment 
review board, which conducts portfolio management activities across the 
mission areas; 
Composition: These managers consist of Air Force's various major 
commands. These include Air Combat Command, Air Education and Training 
Command, Air Force Materiel Command, Air Force Reserve Command, Air 
Force Space Command, Air Force Special Operations Command, Air Mobility 
Command, Pacific Air Forces, and U.S. Air Forces in Europe. 

Entity: System Program Manager; 
Roles and responsibilities: 
* The Program Manager is responsible for managing a business system. 
Program managers are responsible for complete, current, and accurate 
information contained in the Air Force data repository relevant to 
their systems. They are also responsible for completing initial 
certification packages and modifying certification packages to address 
issues from all levels of review; 
Composition: These managers are responsible for the development, 
implementation, and maintenance of their individual systems. 

Source: GAO analysis of Air Force data. 

[End of table] 

Figure 5 shows the relationship among the key players in Air Force's 
precertification review and approval process. 

Figure 5: Air Force Precertification Review and Approval Process: 

This figure is a chart showing the Air Force precertification review 
and approval process. 

[See PDF for image] 

Source: GAO, based on Air Force documentation. 

[End of figure] 

Air Force Has Established the Structures Needed to Effectively Manage 
Business System Investments but Has Not Fully Defined Many of the 
Related Policies and Procedures: 

DOD relies on its components to execute investment management policies 
and procedures.[Footnote 33] However, while Air Force has established 
the basic management structures needed to effectively manage its IT 
projects as investments, it has not fully implemented many of the 
related policies and procedures outlined in our ITIM framework. 
Relative to its business system investments, Air Force has implemented 
three of nine practices that call for project-level structures, 
policies, and procedures, and has not defined any of the five practices 
that call for portfolio-level policies and procedures. Air Force 
officials stated that they are aware of the absence of documented 
policies and procedures, and they are currently working on guidance to 
address these areas. For example, these officials stated that they have 
drafted policies and procedures to establish portfolio-level practices 
and are currently obtaining the necessary approvals. Air Force plans to 
complete and approve these policies and procedures by December 2007. 
According to our framework, adequately documenting both the policies 
and the associated procedures that govern how an organization manages 
its IT investment portfolio is important because doing so provides the 
basis for having rigor, discipline, and repeatability in how 
investments are selected and controlled across the entire organization. 

Until Air Force has fully defined policies and procedures for both 
individual projects and the portfolio of projects, it risks selecting 
and controlling these business system investments in an inconsistent, 
incomplete, and ad hoc manner, which in turn could reduce the chances 
that these investments will meet mission needs in the most effective 
manner. 

Air Force Has Begun to Build a Foundation for Project-Level Investment 
Management but Has Not Yet Fully Defined Key Policies and Procedures: 

At ITIM Stage 2, an organization has attained repeatable and successful 
IT project-level investment control processes and basic selection 
processes. Through these processes, the organization can identify 
project expectation gaps early and take the appropriate steps to 
address them. ITIM Stage 2 critical processes include (1) defining 
investment board operations, (2) identifying the business needs for 
each investment, (3) developing a basic process for selecting new 
proposals and reselecting ongoing investments, (4) developing project- 
level investment control processes, and (5) collecting information 
about existing investments to inform investment management decisions. 
Table 3 describes the purpose of each of these Stage 2 critical 
processes. 

Table 3: Stage 2 Critical Processes--Building the Investment 
Foundation: 

Critical process: Instituting the investment board; 
Purpose: To define and establish an appropriate investment management 
structure and the processes for selecting, controlling, and evaluating 
investments. 

Critical process: Meeting business needs; 
Purpose: To ensure that investments support the organization's business 
needs and meet users' needs. 

Critical process: Selecting an investment; 
Purpose: To ensure that a well-defined and disciplined process is used 
to select new proposals and reselect ongoing investments. 

Critical process: Providing investment oversight; 
Purpose: To review the progress of investments, using predefined 
criteria and checkpoints, in meeting cost, schedule, risk, and benefit 
expectations and to take corrective action when these expectations are 
not being met. 

Critical process: Capturing investment information; 
Purpose: To make information available to decision makers to evaluate 
the impacts and opportunities created by proposed (or continuing) 
investments. 

Source: GAO. 

[End of table] 

Within these five critical processes are nine key practices required 
for effective project-level management. Air Force has fully defined the 
policies and procedures for three of these nine practices. 
Specifically, Air Force has established a management structure by 
instituting a business system Investment Review Board, called the 
Senior Working Group. This group is composed of senior executives from 
the functional business units, including the Office of the Air Force 
Chief Information Officer, and the members are responsible for 
establishing and implementing investment policies. In addition, Air 
Force has established policies and procedures for capturing information 
about its IT projects and systems and submitting, updating, and 
maintaining this information in its data repository. Finally, it has 
assigned the Certification Process Manager the responsibility of 
ensuring that specific investment information contained in the Air 
Force data repository is accurate and complete. 

However, the Air Force's policies and procedures associated with the 
remaining six project-level management practices are missing critical 
elements needed to effectively carry out essential investment 
management activities. For example: 

* Policies and procedures for directing the Investment Review Board's 
operations do not define how investments that are in operations and 
maintenance are to be governed by the Investment Review Board. In 
addition, procedures do not specify how the business investment 
management process is coordinated with other DOD management systems. 
Without clearly defined guidance and visibility into all investments 
with an understanding of decisions reached through other management 
systems, Air Force cannot be assured that consistent investment 
management decisions are being made. 

* Policies and procedures do not define how systems in operations and 
maintenance will support ongoing and future business needs. This 
increases the risk that Air Force will continue to maintain legacy 
investments that no longer support current organizational objectives. 

* Policies and procedures for selecting new systems do not specify how 
the full range of cost, schedule, and performance data are being 
considered in making selection (i.e., precertification) decisions. 
Without documenting how factors such as cost, schedule, and performance 
are considered when making precertification decisions, Air Force cannot 
ensure that it consistently and objectively selects system investments 
that best meet the department's needs and priorities. 

* Policies and procedures do not include a structured method that 
defines how the criteria will be evaluated when the precertification 
authority makes reselection decisions. In addition, policies and 
procedures do not define an approach to annually reviewing systems in 
operations and maintenance. Given that Air Force spends millions of 
dollars annually in operating and maintaining business systems, this is 
significant. Without an understanding of how the precertification 
authority is to consider these investments when making reselection 
decisions, Air Force's ability to make informed and consistent 
reselection and termination decisions is limited. 

* Policies and procedures do not specify how funding decisions are 
integrated with the process of selecting an investment. Without 
considering budget constraints and opportunities, Air Force risks 
making investment decisions that do not effectively consider the 
relative merits of various projects and systems when funding 
limitations exist. 

* Policies and procedures do not provide for sufficient oversight and 
visibility into investment management activities. Air Force has 
predefined criteria for adherence to cost, schedule, and performance 
milestones, but does not have policies and procedures that guide the 
implementation of corrective actions when program expectations are not 
met. Without such policies and procedures, the agency risks investing 
in systems that are duplicative, stovepiped, nonintegrated, and 
unnecessarily costly to manage, maintain, and operate. 

Table 4 summarizes our findings relative to Air Force's execution of 
the nine key practices that call for the policies and procedures needed 
to manage IT investments at the project level. 

Table 4: Summary of Policies and Procedures for Stage 2 Critical 
Processes--Building the Investment Foundation: 

Critical process: Instituting the investment board; 
Key practice: 1. An enterprisewide IT investment board composed of 
senior executives from IT and business units is responsible for 
defining and implementing the organization's IT investment governance 
process; 
Rating: Executed; 
Summary of evidence: Air Force has established an investment board--the 
Senior Working Group--composed of senior executives from the functional 
business units, including the office of the Air Force Chief Information 
Officer. The board is responsible for establishing and implementing 
policies governing the organization's investment process. 

Critical process: [Empty]; 
Key practice: 2. The organization has a documented IT investment 
process directing each investment board's operations; 
Rating: Not executed; 
Summary of evidence: Air Force has an IT investment process for 
directing its investment board, which explains the roles and 
responsibilities of the board and the individuals involved. Air Force 
assigns the Investment Review Board accountability for systems 
throughout the investment life cycle, including investments that are in 
the operations and maintenance phase. However, Air Force's policies and 
procedures do not define the process by which these systems will be 
reviewed by the Investment Review Board. In addition, according to our 
ITIM guidance, the department's investment guidance should specify the 
manner in which investment-related processes will be coordinated with 
other organizational plans, processes, and documents. However, Air 
Force's Investment Review Guide does not specify how the business 
investment management system is coordinated with other DOD management 
systems, such as JCIDS, PPBE, and DAS. 

Critical process: Meeting business needs; 
Key practice: 1. The organization has documented policies and 
procedures for identifying IT projects or systems that support the 
organization's ongoing and future business needs; 
Rating: Not executed; 
Summary of evidence: Although Air Force has begun to review systems in 
operations and maintenance, it does not have policies and procedures 
for ensuring that these systems support ongoing and future business 
needs. Air Force guidance dictates that investments undergoing the 
certification process must demonstrate that they support ongoing and 
future business needs by complying with the Enterprise Transition Plan 
and Business Enterprise Architecture. However, Air Force certification 
guidance does not apply to system investments in operations and 
maintenance, which account for about 60 percent of Air Force's overall 
IT budget. 

Critical process: Selecting an investment; 
Key practice: 1. The organization has documented policies and 
procedures for selecting a new investment; 
Rating: Not executed; 
Summary of evidence: While the Investment Review Guide defines Air 
Force's roles and responsibilities for certifying and approving 
investments and includes predefined criteria, such as meeting cost, 
schedule, and performance milestones, for selecting investments, it 
does not contain a structured approach for how precertification 
decisions are reached. For example, the guidance does not specify how 
factors, such as cost, schedule, and performance data, are to be used 
in making precertification decisions. 

Critical process: [Empty]; 
Key practice: 2. The organization has documented policies and 
procedures for reselecting ongoing investments; 
Rating: Not executed; 
Summary of evidence: Air Force's Investment Review Guide defines Air 
Force's approach for annually reviewing investments. However, this 
guidance does not include a structured method that defines how the 
criteria, such as meeting cost, schedule and performance milestones, 
will be evaluated when the precertification authority makes reselection 
decisions. In addition, the Investment Review Guide only addresses 
systems in development/ modernization (Tier 1 through 4) and does not 
define an approach for annually reviewing systems in operations and 
maintenance. 

Critical process: [Empty]; 
Key practice: 3. The organization has documented policies and 
procedures for integrating funding with the process of selecting an 
investment; 
Rating: Not executed; 
Summary of evidence: Air Force policies and procedures do not specify 
how investment funding and selection are to be integrated nor how the 
precertification authority is to use funding information to make 
certification or approval decisions. 

Critical process: Providing investment oversight; 
Key practice: 1. The organization has documented policies and 
procedures for management oversight of IT projects and systems; 
Rating: Not executed; 
Summary of evidence: Air Force does not have documented policies and 
procedures for overseeing the management of IT projects and systems. 
For example, while Air Force has predefined criteria and checkpoints 
for meeting cost, schedule, and performance milestones, and requires 
the development of corrective actions when a project deviates from 
milestones, it does not have policies and procedures that guide 
implementation of corrective actions. Further, Air Force may certify a 
system and impose conditions that must be met in order to obligate 
system funding. However, there are no policies and procedures that 
define the process for tracking conditions until they are resolved. 

Critical process: Capturing investment information; 
Key practice: 1. The organization has documented policies and 
procedures for identifying and collecting information about IT projects 
and systems to support the investment management process; 
Rating: Executed; 
Summary of evidence: The Air Force Investment Review Guidance describes 
the procedures for submitting, updating, and maintaining information in 
its data repository. 

Critical process: [Empty]; 
Key practice: 2. An official is assigned responsibility for ensuring 
that the information collected during project and systems 
identification meets the needs of the investment management process; 
Rating: Executed; 
Summary of evidence: The Air Force Investment Review Guidance assigns 
the Program Manager responsibility to ensure investment information 
contained in its data repository is accurate and complete. The guidance 
also assigns the Certification Process Manager with responsibility for 
verifying these data. 

Source: GAO. 

[End of table] 

Air Force officials stated that they are aware of the absence of 
documented procedures in certain areas of project-level management, and 
plan to issue new policies and procedures addressing these areas by 
December 2007. However, until Air Force fully documents IT investment 
management policies and procedures for Stage 2 activities and specifies 
the linkages between the various related processes, and describes how 
system investments in operations and maintenance are to be governed, it 
risks not being able to carry out investment management activities in a 
consistent and disciplined manner. Moreover, the Air Force risks 
selecting investments that will not effectively meet its mission needs. 

Air Force Has Assigned Responsibility but Has Not Defined the Policies 
and Procedures Associated with Effective Portfolio-Level Management: 

At Stage 3, an organization has defined critical processes for managing 
its investments as a portfolio or a set of portfolios.[Footnote 34] 
Portfolio management is a conscious, continuous, and proactive approach 
to allocating limited resources among competing initiatives in light of 
the investments' relative benefits. Taking a departmentwide perspective 
enables an organization to consider its investments comprehensively, so 
that collectively the investments optimally address the organization's 
missions, strategic goals, and objectives. Managing IT investments as 
portfolios also allows an organization to determine its priorities and 
make decisions about which projects to fund on the basis of analyses of 
the relative organizational value and risks of all projects, including 
projects that are proposed, under development, and in operation. 
Although investments may initially be organized into subordinate 
portfolios--on the basis of, for example, business lines or life-cycle 
stages--and managed by subordinate investment boards, they should 
ultimately be aggregated into enterprise-level portfolios. 

According to ITIM, Stage 3 involves four critical processes (1) 
defining the portfolio criteria; (2) creating the portfolio; (3) 
evaluating (i.e., overseeing) the portfolio; and (4) conducting post-
implementation reviews. Within these critical processes are five key 
practices that call for policies and procedures to ensure effective 
portfolio management. Table 5 summarizes the purpose of each of the 
critical processes. 

Table 5: Stage 3 Critical Processes--Developing a Complete Investment 
Portfolio: 

Critical process: Defining the portfolio criteria; 
Purpose: To ensure that the organization develops and maintains 
portfolio selection criteria that support its mission, organizational 
strategies, and business priorities. 

Critical process: Creating the portfolio; 
Purpose: To ensure that investments are analyzed according to the 
organization's portfolio selection criteria and to ensure that an 
optimal investment portfolio with manageable risks and returns is 
selected and funded. 

Critical process: Evaluating the portfolio; 
Purpose: To review the performance of the organization's investment 
portfolio(s) at agreed- upon intervals and to adjust the allocation of 
resources among investments as necessary. 

Critical process: Conducting post-implementation reviews; 
Purpose: To compare the results of recently implemented investments 
with the expectations that were set for them and to develop a set of 
lessons learned from these reviews. 

Source: GAO. 

[End of table] 

Air Force has begun to establish a governance structure for portfolio- 
level management, but it has not executed any of the five practices 
within the Stage 3 critical processes that call for policies and 
procedures associated with effective portfolio-level management. 
Specifically, Air Force has assigned the Senior Working Group the 
responsibility of establishing a governance forum to oversee business 
system portfolio activities. However, the Senior Working Group has not 
developed and approved charters outlining the roles and 
responsibilities to be assigned to subordinate Investment Review Boards 
that are intended to establish and manage the portfolios. 

In addition, Air Force has not fully defined policies and procedures 
needed to effectively execute portfolio management practices. 
Specifically, Air Force does not have policies and procedures for 
defining the portfolio criteria or creating and evaluating the 
portfolio. In addition, while DOD has policies and procedures for 
conducting post-implementation reviews for Tier 1 systems as part of 
the Defense Acquisition System, Air Force has not established policies 
or procedures for conducting post-implementation reviews for systems in 
the remaining tiers. Finally, Air Force has not established procedures 
detailing how lessons learned from these reviews are to be used during 
investment reviews as the basis for management and process 
improvements. Table 6 summarizes the rating for each critical process 
required to manage investments as a portfolio and summarizes the 
evidence that supports these ratings. 

Table 6: Summary of Policies and Procedures for Stage 3 Critical 
Processes--Developing a Complete Investment Portfolio: 

Critical process-: Defining the portfolio criteria; 
Key practice-: 1. The organization has documented policies and 
procedures for creating and modifying IT portfolio selection criteria; 
Rating-: Not executed; 
Summary of evidence: While Air Force has assigned the Major Command and 
Functional Investment Review Boards responsibility for creating and 
modifying portfolio criteria (e.g., prioritization and investment trade-
offs) for business system investments, it has not yet finalized draft 
policies, procedures, or criteria for conducting IT portfolio 
selection. According to Air Force officials, the policies and 
procedures are expected to be finalized and approved by December 2007. 

Key practice-: Critical process-Creating the portfolio: 2. 
Responsibility is assigned to an individual or group for managing the 
development and modification of the IT portfolio selection criteria; 
Rating-: Critical process-Creating the portfolio: Not executed; 
Summary of evidence: Critical process-Creating the portfolio: Air Force 
has assigned responsibility for overseeing portfolio management to the 
Senior Working Group. However, although Air Force officials stated that 
subordinate Major Command and Functional Investment Review Boards are 
to be responsible for managing specific portfolios, it has yet to 
officially assign responsibility to these groups. 

Critical process-: Creating the portfolio; 
Key practice-: 1. The organization has documented policies and 
procedures for analyzing, selecting, and maintaining the investment 
portfolios; 
Rating-: Not executed; 
Summary of evidence: Air Force is currently revising its instruction on 
the IT portfolio management process, to include policies and procedures 
for analyzing, selecting, and maintaining the investment portfolios. 
However, Air Force officials could not identify a date for when the 
instruction would be finalized and approved. 

Critical process-: Evaluating the portfolio; 
Key practice-: 1. The organization has documented policies and 
procedures for reviewing, evaluating, and improving the performance of 
its portfolio(s); 
Rating- : Not executed; 
Summary of evidence: While the Major Command and Functional Investment 
Review Board draft charters state that they are responsible for 
reviewing factors associated with portfolio management, such as 
architecture alignment, capability delivery, and risk, there are no 
policies and procedures indicating how they should use these factors 
and project indicators--such as cost, schedule, and risk--to review, 
evaluate, and improve their portfolios. 

Critical process-: Conducting post-implementation reviews; 
Key practice-: 1. The organization has documented policies and 
procedures for conducting post-implementation reviews; 
Rating-: Not executed; 
Summary of evidence: While DOD requires post-implementation reviews for 
Tier 1 systems as part of DAS, Air Force has not developed policies or 
procedures for conducting such reviews for systems in the remaining 
tiers. Moreover, there are no policies and procedures directing the Air 
Force Senior Working Group, which is accountable for Air Force business 
system investments, to consider information gathered and to develop 
lessons learned from these post-implementation reviews. 

Source: GAO. 

[End of table] 

Air Force officials are aware that they need to develop the appropriate 
portfolio management processes, and in this regard, have drafted some 
portfolio management guidance, such as the Air Force Operational 
Support Portfolio Investment Review Process. According to Air Force 
officials, this guidance is expected to be completed and approved by 
December 2007. Until policies and procedures for managing business 
systems investment portfolios are defined and implemented, Air Force is 
at risk of not consistently selecting the mix of investments that best 
supports the department mission needs and ensuring that investment- 
related lessons learned are shared and applied departmentwide. 

Conclusions: 

Given the importance of business systems modernization to Air Force's 
mission, performance, and outcomes, it is vital for the department to 
adopt and employ an effective institutional approach to managing 
business system investments. However, while the department acknowledges 
these shortcomings and the importance of addressing them and has 
established aspects of such an approach, it is lacking important 
elements, such as policies and procedures needed for project-level and 
portfolio-level investment management. This means that Air Force lacks 
an institutional capability to ensure that it is investing in business 
systems that best support its strategic needs and that ongoing projects 
meet cost, schedule, and performance expectations. Until Air Force 
develops this capability, the department will be impaired in its 
ability to optimize business mission area performance and 
accountability. 

Recommendations for Executive Action: 

To strengthen Air Force's business system investment management 
capability and address the weaknesses discussed in this report, we 
recommend that the Secretary of Defense direct the Secretary of the Air 
Force to ensure that well-defined and disciplined business system 
investment management policies and procedures are developed and issued. 
At a minimum, this should include project-level management policies and 
procedures that address the six key practices areas: 

* Specifying how systems that are in operations and maintenance will be 
reviewed and specifying how Air Force's business investment management 
system is coordinated with JCIDS, PPBE, and DAS. 

* Ensuring that systems in operations and maintenance are aligned with 
ongoing and future business needs. 

* Selecting investments, including specifying how factors, such as 
cost, schedule, and performance data are to be used in making 
certification decisions. 

* Reselecting ongoing investments, including specifying how factors, 
such as cost, schedule, and performance data are to be used in making 
reselection decisions during the annual review process and providing 
for the reselection of investments that are in operations and 
maintenance. 

* Integrating funding with the process of selecting an investment, 
including specifying how the precertification authority is using 
funding information in carrying out decisions on system certification 
and approvals. 

* Overseeing IT projects and systems, including specifying policies and 
procedures that guide the implementation of corrective actions when 
program expectations are not met. 

These well-defined and disciplined business system investment 
management policies and procedures should also include portfolio-level 
management policies and procedures that address the following five 
areas: 

* Creating and modifying IT portfolio selection criteria for business 
system investments. 

* Defining the roles and responsibilities for the development and 
modification of the IT portfolio selection criteria. 

* Analyzing, selecting, and maintaining business system investment 
portfolios. 

* Reviewing, evaluating, and improving the performance of the 
portfolio(s) by using project indicators, such as cost, schedule, and 
risk. 

* Conducting post-implementation reviews for all investment tiers and 
directing the investment boards to consider the information gathered to 
develop lessons learned from these reviews. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, signed by the Deputy 
Under Secretary of Defense (Business Transformation) and reprinted in 
appendix II, DOD partially concurred with the report's recommendations. 
The department further stated that our recommendations and feedback 
were helpful in guiding its business transformation and related 
improvement efforts. 

Regarding our recommendation that DOD direct Air Force to ensure that 
well-defined and disciplined business system investment management 
policies and procedures are developed and issued, DOD stated that Air 
Force has a well-defined business system investment management process 
that, while not codified into formal policy, has been documented in 
investment review guides. Further, it stated that Air Force is 
committed to formalizing its policies as the processes expand and 
mature. Our report recognizes that Air Force has drafted a business 
system investment management process. However, as our report states, 
the draft review guide lacks critical elements needed to effectively 
carry out essential investment management activities. Until Air Force 
completes and issues IT investment management policies and procedures 
that fully address these elements, it risks not being able to carry out 
investment management activities in a consistent and disciplined 
manner. 

Regarding our recommendation that DOD direct Air Force to ensure that 
the well-defined and disciplined business system investment management 
policies and procedures also include portfolio-level management 
policies and procedures, the department stated that DOD Instruction 
8115.02 defines the DOD IT portfolio management process, which Air 
Force is applying in its decisionmaking. However, as our report notes, 
Air Force has not implemented a process for managing its business 
system portfolios. Until Air Force defines and implements such a 
process, it is at risk of not consistently selecting the mix of 
investments that best supports the Air Force's mission needs and 
ensuring that investment-related lessons learned are shared and applied 
departmentwide. 

We are sending copies of this report to interested congressional 
committees; the Director, Office of Management and Budget; the 
Secretary of Defense; the Deputy Secretary of Defense; the Secretary of 
Air Force; the Air Force Chief Information Officer, and the Under 
Secretary of Defense for Acquisition, Technology, and Logistics. Copies 
of this report will be made available to other interested parties on 
request. This report will also be available at no charge on our Web 
site at [hyperlink, http://www.gao.gov]. 

Should you or your staffs have any questions on matters discussed in 
this report, please contact me at (202) 512-6304 or [email protected]. 
Contact points for our Offices of Congressional Relations and Public 
Affairs may be found on the last page of this report. GAO staff who 
made major contributions to this report are listed in appendix III. 

Signed by: 

Valerie C. Melvin: 

Director, Human Capital and Management: 

Information Systems Issues: 

List of Committees: 

The Honorable Carl Levin: 
Chairman: 
The Honorable John McCain: 
Ranking Member: 
Committee on Armed Services: 
United States Senate: 

The Honorable Daniel Inouye: 
Chairman: 
The Honorable Ted Stevens: 
Ranking Member: 
Subcommittee on Defense: 
Committee on Appropriations: 
United States Senate: 

The Honorable Ike Skelton: 
Chairman: 
The Honorable Duncan Hunter: 
Ranking Member: 
Committee on Armed Services: 
House of Representatives: 

The Honorable John P. Murtha: 
Chairman: 
The Honorable C.W. Bill Young: 
Ranking Member: 
Subcommittee on Defense: 
Committee on Appropriations: 
House of Representatives: 

[End of section] 

Appendix I: Objective, Scope, and Methodology: 

Our objective was to determine whether the investment management 
approach of the Department of the Air Force (a major Department of 
Defense (DOD) component) is consistent with leading investment 
management best practices. Our analysis was based on the best practices 
contained in GAO's Information Technology Investment Management (ITIM) 
framework and the framework's associated evaluation methodology, and 
focused on Air Force's establishment of policies and procedures for 
business system investments needed to assist organizations in complying 
with the investment management provisions of the Clinger-Cohen Act of 
1996 (Stages 2 and 3). 

To address our objective, we asked Air Force to complete a self- 
assessment of its investment management process and provide the 
supporting documentation. We then reviewed the results of the 
department's self-assessment of Stages 2 and 3 organizational 
commitment practices--meaning those practices related to structures, 
policies, and procedures--and compared them with our ITIM framework. We 
focused on Stages 2 and 3 because these stages represent the processes 
needed to meet the standards of the Clinger-Cohen Act, and they 
establish the foundation for effective acquisition management. We also 
validated and updated the results of the self-assessment through 
document reviews and interviews with officials, such as the Air Force 
Chief Information Officer and Certification Process Manager. In doing 
so, we reviewed written policies, procedures, and guidance and other 
documentation providing evidence of executed practices, including the 
Air Force Information Technology Investment Review Guide, Air Force 
Operations of Capabilities Based Acquisition System Instruction, Air 
Force IT Investment Architecture Compliance Guide, Senior Working Group 
charter and meeting minutes, the Investment Review Board Concept of 
Operations and Guidance, and the Business Transformation Guidance. 

We compared the evidence collected from our document reviews and 
interviews with the key practices in ITIM. We rated the key practices 
as "executed" on the basis of whether the department demonstrated (by 
providing evidence of performance) that it had met all of the criteria 
of the key practice. A key practice was rated as "not executed" when we 
found insufficient evidence of all elements of a practice being fully 
performed or when we determined that there were significant weaknesses 
in Air Force's execution of the key practice. In addition, we provided 
Air Force with the opportunity to produce evidence for the key 
practices rated as "not executed." 

We conducted our work at the Air Force offices in Arlington, Virginia, 
from February 2007 through September 2007 in accordance with generally 
accepted government auditing standards. 

[End of section] 

Appendix II: Comments from the Department of Defense: 

Office Of The Under Secretary Of Defense: 
3000 Defense Pentagon: 
Washington, DC 20301-3000: 

ACQUISITION, TECHNOLOGY AND LOGISTICS: 

October 18, 2007: 

Ms. Valerie C. Melvin:
Director, Human Capital and Management Information Systems Issues: 
U.S. Government Accountability Office: 
441 G Street, N.W.: 
Washington, DC 20548: 

Dear Ms. Melvin:

This is the Department of Defense (DoD) response to the GAO draft 
report GAO-08-52, "Business Systems Modernization: Air Force Needs to 
Fully Define Policies and Procedures for Institutionally Managing 
Investments," dated September 17, 2007 (GAO Code 310635). 

The Department partially concurs with GAO's first recommendation. The 
Air Force has established a well-defined business system investment 
management process that, while not codified into formal policy, has 
been documented in its investment review guides. Furthermore, the Air 
Force is committed to formalizing its policies as the processes expand 
and mature. 

The Department also partially concurs with the second recommendation. 
DoD Instruction 8115.02 defines the DoD Information Technology (IT) 
portfolio management process and the Air Force is applying this process 
in its decision- making. This process is also maturing. 

GAO continues to be a valuable and constructive partner in the 
Department's business transformation efforts. The recommendations and 
feedback provided will help to further guide DoD's process of continual 
improvement. We look forward to your participation in our future 
efforts. 

Signed by: 

Paul A. Brinkley: 

Deputy Under Secretary of Defense: 
(Business Transformation): 

GAO Draft Report Dated September 17, 2007 GAO-08-52 (GAO CODE 310635):  

"Business Systems Modernization: Air Force Needs To Fully Define 
Policies And Procedures For Institutionally Managing Investments": 

Department Of Defense Comments To The Gao Recommendation: 

Recommendation 1: The GAO recommended that the Secretary of Defense 
direct the Secretary of the Air Force to ensure that well-defined and 
disciplined business system investment management policies and 
procedures are developed and issued. At a minimum, these should include 
project-level management policies and procedures that address: 

* How systems that are in operations and maintenance will be reviewed 
and specifying how Air Force's business investment management system is 
coordinated with Joint Capabilities Integration and Development System 
(JCIDS), Planning, Programming, Budgeting and Execution (PPBE), and 
Defense Acquisition System (DAS). 

* Ensuring that systems in operations and maintenance are aligned with 
ongoing and future business needs. 

* Selecting investments, including specifying how factors, such as 
cost, schedule, and performance data are to be used in making 
certification decisions. 

* Reselecting ongoing investments, including specifying how factors, 
such as cost, schedule, and performance data are to be used in making 
reselection decisions during the annual review process and providing 
for the reselection of investments that are in operations and 
maintenance. 

* Integrating funding with the process of selecting an investment, 
including specifying how the pre-certification authority is using 
funding information in carrying out decisions on system certification 
and approvals. 

* Overseeing Information Technology (IT) projects and systems, 
including specifying policies and procedures that guide the 
implementation of corrective actions when program expectations are not 
met. 

(p. 38/GAO Draft Report): 

DOD Response: Partially concur: 

The Department partially concurs. The Air Force does have a well-
defined and disciplined business system investment management system 
process documented in investment review guides. The process is maturing 
but has not been codified in formal policies. The documented investment 
review and architecture guides are in use and distributed throughout 
the Air Force. The business system investment review process is 
expanding to capture investments in the warfighting and enterprise 
infrastructure environment mission areas. These processes will be 
instituted in formal policies. 

Recommendation 2: The GAO recommended that the Secretary of Defense 
direct the Secretary of the Air Force to ensure that the above well-
defined and disciplined business system investment management policies 
and procedures also include portfolio- level management policies and 
procedures that address: 

* Creating and modifying IT portfolio selection criteria for business 
system investments.

* Defining roles and responsibilities for the development and 
modification of the IT portfolio selection criteria. 

* Analyzing, selecting, and maintaining business system investment 
portfolios. 

* Reviewing, evaluating, and improving the performance of the 
portfolio(s) by using project indicators, such as cost, schedule, and 
risk. 

* Conduct post-implementation reviews for all investment tiers and 
directing the investment boards to consider the information gathered to 
develop lessons learned from these reviews. 

(p. 38/GAO Draft Report): 

DOD Response: Partially concur: 

DoD instruction 8115.02 defines the DoD IT portfolio management 
process. This process is maturing and the Air Force is applying 
portfolio management discipline in their information technology 
decision making. 

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Valerie C. Melvin, (202) 512-6304 or [email protected]: 

Staff Acknowledgments: 

In addition to the contact person named above, key contributors to this 
report were Tonia Johnson, Assistant Director; Idris Adjerid; Sharhonda 
Deloach; Nancy Glover; and Freda Paintsil. 

[End of section] 

Footnotes: 

[1] Business systems are information systems that include financial and 
nonfinancial systems and support DOD's business operations, such as 
civilian personnel, finance, health, logistics, military personnel, 
procurement, and transportation. 

[2] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: 
January 2007). 

[3] GAO, Information Technology: Architecture Needed to Guide 
Modernization of DOD's Financial Operations, GAO-01-525 (Washington, 
D.C.: May 17, 2001). 

[4] See, for example, GAO, DOD Business Systems Modernization: Long- 
standing Weaknesses in Enterprise Architecture Development Need to Be 
Addressed, GAO-05-702 (Washington, D.C.: July 22, 2005); DOD Business 
Systems Modernization: Billions Being Invested without Adequate 
Oversight, GAO-05-381 (Washington, D.C.: Apr. 29, 2005); DOD Business 
Systems Modernization: Limited Progress in Development of Business 
Enterprise Architecture and Oversight of Information Technology 
Investments, GAO-04-731R (Washington, D.C.: May 17, 2004); DOD Business 
Systems Modernization: Important Progress Made to Develop Business 
Enterprise Architecture, but Much Work Remains, GAO-03-1018 
(Washington, D.C.: Sept. 19, 2003); and GAO-01-525. 

[5] Ronald W. Reagan National Defense Authorization Act for Fiscal Year 
2005, Pub. L. No. 108-375, ï¿½ 332, 118 Stat. 1811, 1851-1856 (Oct. 28, 
2004) (codified in part at 10 U.S.C. ï¿½2222). 

[6] GAO, Business Systems Modernization: DOD Needs to Fully Define 
Policies and Procedures for Institutionally Managing Investments, GAO-
07-538 (Washington, D.C.: May 11, 2007); Defense Business 
Transformation: A Comprehensive Plan, Integrated Efforts, and Sustained 
Leadership Are Needed to Assure Success, GAO-07-229T (Washington, D.C.: 
Nov. 16, 2006); Business Systems Modernization: DOD Continues to 
Improve Institutional Approach, but Further Steps Needed, GAO-06-658 
(Washington, D.C.: May 15, 2006); and DOD Business Systems 
Modernization: Important Progress Made in Establishing Foundational 
Architecture Products and Investment Management Practices, but Much 
Work Remains, GAO-06-219 (Washington, D.C.: Nov. 23, 2005). 

[7] GAO-07-538. 

[8] We rated the key practices as "executed" on the basis of whether 
the agency demonstrated (by providing evidence of performance) that it 
had met all of the criteria of the key practice. A key practice was 
rated as "not executed" when we found insufficient evidence of any 
elements of a practice being fully performed or when we determined that 
there were significant weaknesses in Air Force's execution of the key 
practice. 

[9] GAO, Information Technology Investment Management: A Framework for 
Assessing and Improving Process Maturity, GAO-04-394G (Washington, 
D.C.: March 2004). 

[10] GAO-04-394G. 

[11] GAO-06-658. 

[12] According to Air Force program officials, the total amount spent 
on its business systems includes the amount spent on the Operational 
Support IT Business Mission Area, Warfighting Mission Area, and 
Enterprise Information Environment. Approximately $651 million reflects 
the budget for the Operational Support IT mission area business systems 
and does not include the amount budgeted for the Warfighting Mission 
Area and Enterprise Information Environment business systems. 

[13] The Clinger-Cohen Act of 1996, 40 U.S.C. 11101-11704. This act 
expanded the responsibilities of OMB and the agencies that had been set 
under the Paperwork Reduction Act with regard to IT management. See 44 
U.S.C. 3504(a)(1)(B)(vi) (OMB); and 44 U.S.C. 3506(h)(5) (agencies). 

[14] We have made recommendations to improve OMB's process for 
monitoring high-risk IT investments; see GAO, Information Technology: 
OMB Can Make More Effective Use of Its Investment Reviews, GAO-05-276 
(Washington, D.C.: Apr. 15, 2005). 

[15] This policy is set forth and guidance is provided in OMB Circular 
A-11 (Nov. 2, 2005) (section 300) and in OMB's Capital Programming 
Guide, which directs agencies to develop, implement, and use a capital 
programming process to build their capital asset portfolios. 

[16] See, for example, GAO-04-394G; GAO, Information Technology: A 
Framework for Assessing and Improving Enterprise Architecture 
Management (Version 1.1), GAO-03-584G (Washington, D.C.: April 2003); 
and Assessing Risks and Returns: A Guide for Evaluating Federal 
Agencies' IT Investment Decision-making, GAO/AIMD-10.1.13 (Washington, 
D.C.: February 1997). 

[17] GAO-04-394G; GAO/AIMD-10.1.13; GAO, Executive Guide: Improving 
Mission Performance Through Strategic Information Management and 
Technology, GAO/AIMD-94-115 (Washington, D.C.: May 1994); and Office of 
Management and Budget, Evaluating Information Technology Investments, A 
Practical Guide (Washington, D.C.: November 1995). 

[18] GAO-04-394G. 

[19] GAO, Information Technology: Centers for Medicare and Medicaid 
Services Needs to Establish Critical Investment Management 
Capabilities, GAO-06-12 (Washington, D.C.: Oct. 28, 2005); Information 
Technology: HHS Has Several Investment Management Capabilities in 
Place, but Needs to Address Key Weaknesses, GAO-06-11 (Washington, 
D.C.: Oct. 28, 2005); Information Technology: FAA Has Many Investment 
Management Capabilities in Place, but More Oversight of Operational 
Systems Is Needed, GAO-04-822 (Washington, D.C.: Aug. 20, 2004); Bureau 
of Land Management: Plan Needed to Sustain Progress in Establishing IT 
Investment Management Capabilities, GAO-03-1025 (Washington, D.C.: 
Sept. 12, 2003); Information Technology: Departmental Leadership 
Crucial to Success of Investment Reforms at Interior, GAO-03-1028 
(Washington, D.C.: Sept. 12, 2003); United States Postal Service: 
Opportunities to Strengthen IT Investment Management Capabilities, GAO- 
03-3 (Washington, D.C.: Oct. 15, 2002); and Information Technology: DLA 
Needs to Strengthen Its Investment Management Capability, GAO-02-314 
(Washington, D.C.: Mar. 15, 2002). 

[20] The Clinger-Cohen Act of 1996, 40 U.S.C. ï¿½ï¿½ 11311-11313. 

[21] The National Security Strategy Report required by 50 U.S.C. 404a 
is a comprehensive report on the national security strategy of the 
United States submitted by the President to Congress. 

[22] See 10 U.S.C. 118. The Quadrennial Defense Review is a 
comprehensive examination of the national defense strategy, force 
structure, force modernization plans, infrastructure, budget plan, and 
other elements of the defense program and policies of the United States 
with a view toward determining and expressing the defense strategy of 
the United States and establishing a defense program for the next 20 
years. 

[23] GAO, Best Practices: An Integrated Portfolio Management Approach 
to Weapon System Investments Could Improve DOD's Acquisition Outcomes, 
GAO-07-388 (Washington, D.C.: Mar. 30, 2007). 

[24] As described in DOD Directive 5000.1, May 12, 2003 and DOD 
Instruction 5000.2, May 12, 2003. 

[25] A Major Defense Acquisition Program is an acquisition program that 
is estimated by the Under Secretary of Defense for Acquisition, 
Technology, and Logistics to require an eventual total expenditure for 
research, development, and test and evaluation of more than $365 
million (fiscal year 2000 constant dollars) or, for procurement, of 
more than $2 billion (fiscal year 2000 constant dollars). 

[26] A Major Automated Information System is a program or initiative 
that is so designated by the Assistant Secretary of Defense (Networks 
and Information Integration)/Chief Information Officer or that is 
estimated to require program costs in any single year in excess of $32 
million (fiscal year 2000 constant dollars), total program costs in 
excess of $126 million (fiscal year 2000 constant dollars), or total 
life-cycle costs in excess of $378 million (fiscal year 2000 constant 
dollars). 

[27] According to DOD, the milestone decision authority is the 
designated individual who has overall responsibility for an investment. 
This person has the authority to approve an investment's progression in 
the acquisition process and is responsible for reporting cost, 
schedule, and performance results. For example, the milestone decision 
authority for a Major Defense Acquisition Program, when not delegated 
to the component level, is the Under Secretary of Defense for 
Acquisition, Technology, and Logistics, and the milestone decision 
authority for a Major Automated Information System is the Assistant 
Secretary of Defense (Networks and Information Integration)/Chief 
Information Officer or a designee. 

[28] The Defense Acquisition Board--chaired by the Under Secretary of 
Defense for Acquisition, Technology, and Logistics--conducts reviews 
for Major Defense Acquisition Programs at major program milestones and 
documents the decisions resulting from the review in an Acquisition 
Decision Memorandum. 

[29] The IT Acquisition Board--chaired by the Assistant Secretary of 
Defense (Networks and Information Integration)/Chief Information 
Officer--conducts reviews for Major Automated Information System at 
major program milestones and documents the decision(s) resulting from 
the review in an Acquisition Decision Memorandum. 

[30] The four Investment Review Boards are (1) financial management, 
established by the Deputy Under Secretary of Defense for Financial 
Management; (2) weapon systems life-cycle management and materiel 
supply and services management; (3) real property and installations 
life-cycle management, both established by the Under Secretary of 
Defense (Acquisition, Technology, and Logistics); and (4) human 
resources management, established by the Under Secretary of Defense for 
Personnel and Readiness. 

[31] DOD's IT Portfolio Repository is DOD's authoritative repository 
for certain information about DOD's business systems, such as system 
names and the responsible DOD components that are required for the 
certification, approval, and annual reviews of these business system 
investments. 

[32] In addition, each component precertification authority submits a 
list of system names to the Investment Review Boards on a semiannual 
basis, to include Tier 4 systems and systems in operations and 
maintenance that have been reviewed at the component level. 

[33] These investment management policies and procedures include 
precertifying Tier 1 through 3 business system investments by the 
component. These systems are then reviewed and certified by DOD. Tier 4 
systems are certified by the components. 

[34] Investment portfolios are integrated agencywide collections of 
investments that are assessed and managed collectively on the basis of 
common criteria. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation, and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, DC 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, DC 20548: 

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, DC 20548: 

*** End of document. ***