DOD Business Systems Modernization: Important Management Controls
Being Implemented on Major Navy Program, but Improvements Needed 
in Key Areas (08-SEP-08, GAO-08-896).				 
                                                                 
The Department of Defense (DOD) has long been challenged in	 
implementing key information technology (IT) management controls 
on its thousands of business system investments. For this and	 
other reasons, GAO has designated DOD's business systems	 
modernization efforts as high-risk. One of the larger business	 
system investments is the Department of the Navy's Enterprise	 
Resource Planning (Navy ERP) program. Initiated in 2003, the	 
program is to standardize the Navy's business processes, such as 
acquisition and financial management. It is being delivered in	 
increments, the first of which is to cost about $2.4 billion over
its useful life and be fully deployed in fiscal year 2013. GAO	 
was asked to determine whether key IT management controls are	 
being implemented on the program. To do this, GAO analyzed, for  
example, requirements management, economic justification, earned 
value management, and risk management.				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-896 					        
    ACCNO:   A84036						        
  TITLE:     DOD Business Systems Modernization: Important Management 
Controls Being Implemented on Major Navy Program, but		 
Improvements Needed in Key Areas				 
     DATE:   09/08/2008 
  SUBJECT:   Cost analysis					 
	     Cost overruns					 
	     Defense capabilities				 
	     Defense cost control				 
	     Earned value management systems			 
	     Enterprise architecture				 
	     Financial management systems			 
	     Information systems investments			 
	     Information technology				 
	     Internal controls					 
	     IT investment management				 
	     Naval procurement					 
	     Performance measures				 
	     Procurement planning				 
	     Program management 				 
	     Risk management					 
	     Schedule slippages 				 
	     Standards						 
	     Systems conversions				 
	     Business planning					 
	     Business transformation				 
	     Cost estimates					 
	     Program implementation				 
	     GAO High Risk Series				 
	     Navy Enterprise Resource Planning System		 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-896

   

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected]. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Subcommittee on Readiness and Management Support, 
Committee on Armed Services, U.S. Senate: 

United States Government Accountability Office: 
GAO: 

September 2008: 

DOD Business Systems Modernization: 

Important Management Controls Being Implemented on Major Navy Program, 
but Improvements Needed in Key Areas: 

GAO-08-896: 

GAO Highlights: 

Highlights of GAO-08-896, a report to the Subcommittee on Readiness and 
Management Support, Committee on Armed Services, U.S. Senate. 

Why GAO Did This Study: 

The Department of Defense (DOD) has long been challenged in 
implementing key information technology (IT) management controls on its 
thousands of business system investments. For this and other reasons, 
GAO has designated DODï¿½s business systems modernization efforts as high-
risk. One of the larger business system investments is the Department 
of the Navyï¿½s Enterprise Resource Planning (Navy ERP) program. 
Initiated in 2003, the program is to standardize the Navyï¿½s business 
processes, such as acquisition and financial management. It is being 
delivered in increments, the first of which is to cost about $2.4 
billion over its useful life and be fully deployed in fiscal year 2013. 
GAO was asked to determine whether key IT management controls are being 
implemented on the program. To do this, GAO analyzed, for example, 
requirements management, economic justification, earned value 
management, and risk management. 

What GAO Found: 

DOD has implemented key IT management controls on its Navy ERP program 
to varying degrees of effectiveness. To its credit, the control 
associated with managing system requirements is being effectively 
implemented. In addition, important aspects of other controls have at 
least been partially implemented, including those associated with 
economically justifying investment in the program and proactively 
managing program risks. Nevertheless, other aspects of these controls, 
as well as the bulk of what is needed to effectively implement earned 
value management, which is a recognized means for measuring program 
progress, have not been effectively implemented. Among other things, 
these control weaknesses have contributed to the more than 2-year 
schedule delay and the almost $600 million cost overruns already 
experienced on the program since it began, and they will likely 
contribute to future delays and overruns if they are not corrected. 
Examples of the weaknesses are provided below. 

* Investment in the program has been economically justified on the 
basis of expected benefits that far exceed estimated costs ($8.6 
billion versus $2.4 billion over a 20-year life cycle). However, 
important estimating practices, such as using historical cost data from 
comparable programs and basing the cost estimate on a reliable schedule 
baseline were not employed. While these weaknesses are important 
because they limit the reliability of the estimates, GAOï¿½s analysis 
shows that they would not have altered the estimates to the point of 
not producing a positive return on investment. 

* Earned value management has not been effectively implemented. To its 
credit, the program office has elected to implement program-level 
earned value management. In doing so, however, basic prerequisites for 
effectively managing earned value have not been executed. In 
particular, the integrated master schedule was not derived in 
accordance with key estimating practices, and an integrated baseline 
review has not been performed on any of the first incrementï¿½s releases. 

* A defined process for proactively avoiding problems, referred to as 
risk management, has been established, but risk mitigation strategies 
have not been effectively implemented for all significant risks, such 
as those associated with data conversion and organizational change 
management, as well the risks associated with the above-cited 
weaknesses. 

The reasons that program management and oversight officials cited for 
these practices not being executed range from the complexity and 
challenges of managing and implementing a program of this size to 
limitations in the program officeï¿½s scope and authority. 
Notwithstanding the effectiveness with which important aspects of 
several controls have been implemented, the above-cited weaknesses put 
DOD at risk of investing in a system solution that does not optimally 
support corporate mission needs and mission performance, and meet 
schedule and cost commitments. 

What GAO Recommends: 

GAO is making recommendations to the Secretary of Defense aimed at 
improving cost and schedule estimating, earned value management, and 
risk management weaknesses. DOD largely agreed with GAOï¿½s 
recommendations and described actions planned or under way to address 
them. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-896]. For more 
information, contact Randolph C. Hite at (202) 512-3439 or 
[email protected]. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Implementation of Key DOD and Related IT Acquisition Management 
Controls on Navy ERP Varies: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objective, Scope, And Methodology: 

Appendix II: Comments From The Department Of Defense: 

Appendix III: GAO Contact And Staff Acknowledgments: 

Tables: 

Table 1: Description and Status of the Navy ERP Pilots: 

Table 2: Navy ERP Template 1 Releases: 

Table 3: Organizations Responsible for Navy ERP Oversight and 
Management: 

Table 4: Description of Business System IT Acquisition Management 
Controls: 

Table 5: Summary of Cost Estimating Characteristics That the Cost 
Estimate Satisfies: 

Table 6: Satisfaction of Schedule Estimating Key Practices: 

Figures: 

Figure 1: Navy ERP Time Line: 

Figure 2: Navy ERP Milestones for Beginning Deployment: 

Figure 3: Navy ERP Life Cycle Cost Estimates in Fiscal Years 2003, 
2004, and 2007: 

Figure 4: Cumulative Cost Variance for Navy ERP over a 17-Month Period: 

Figure 5: Cumulative Schedule Variance of the Navy ERP Program over a 
17-Month Period: 

Abbreviations: 

BEA: business enterprise architecture: 

BTA: Business Transformation Agency: 

CIO: Chief Information Officer: 

DBSMC: Defense Business Systems Management Committee: 

DOD: Department of Defense: 

DON: Department of the Navy: 

EVM: earned value management: 

FOC: full operational capability: 

GCSS-MC: Global Combat Support System-Marine Corps: 

IOC: initial operational capability: 

IRB: investment review board: 

IT: information technology: 

MDA: milestone decision authority: 

NAVAIR: Naval Air Systems Command: 

NAVSEA: Naval Sea Systems Command: 

NAVSUP: Naval Supply Systems Command: 

Navy ERP: Navy Enterprise Resource Planning: 

NTCSS: Naval Tactical Command Support System: 

OMB: Office of Management and Budget: 

PMB: performance measurement baseline: 

SAP: Systems Applications and Products: 

SPAWAR: Space and Naval Warfare Systems Command: 

TC-AIMS II: Transportation Coordinators' Automated Information for 
Movements System: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

September 8, 2008: 

The Honorable Daniel K. Akaka: 
Chairman: 
The Honorable John Thune: 
Ranking Member: 
Subcommittee on Readiness and Management Support: 
Committee on Armed Services: 
United States Senate: 

The Honorable John Ensign: 
United States Senate: 

For decades, the Department of Defense (DOD) has been challenged in 
modernizing its timeworn business systems.[Footnote 1] In 1995, we 
designated DOD's business systems modernization program as high risk, 
and continue to do so today.[Footnote 2] Our reasons include the 
modernization's large size, complexity, and its critical role in 
addressing other long-standing transformation and financial management 
challenges. Other reasons are that DOD has yet to institutionalize key 
system modernization management controls, and it has not demonstrated 
the ability to consistently deliver promised system capabilities and 
benefits on time and within budget. 

Nevertheless, DOD continues to invest billions of dollars in thousands 
of business systems, including about a hundred that the department has 
labeled as business transformational programs, 12 of which account for 
about 50 percent of these programs' costs. The Navy Enterprise Resource 
Planning (Navy ERP) program is one such program. Initiated in 2003, 
Navy ERP is to standardize the Navy's acquisition, financial, program 
management, maintenance, plant and wholesale supply, and workforce 
management business processes across its dispersed organizational 
environment. As envisioned, the program consists of a series of major 
increments, the first of which includes three releases and is expected 
to cost approximately $2.4 billion over its 20-year life cycle and to 
be fully operational in fiscal year 2013. 

As agreed, our objective was to determine whether the Department of the 
Navy (DON)[Footnote 3] is effectively implementing information 
technology (IT) management controls on Navy ERP. To accomplish this, we 
focused on the program's first increment by analyzing a range of 
program documentation and interviewing cognizant officials relative to 
the following management areas: architectural alignment, economic 
justification, earned value management (EVM), requirements management, 
and risk management. We conducted this performance audit from June 2007 
to September 2008, in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objective. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objective. 
Additional details on our objective, scope, and methodology are in 
appendix I. 

Results In Brief: 

DOD has implemented key IT management controls on its Navy ERP program 
to varying degrees of effectiveness. To its credit, one of the controls 
has been fully implemented; important aspects of other controls have 
not. Collectively, these management controls are to ensure that a given 
system investment represents the right solution to filling a mission 
need, meaning that the system is defined to (1) minimize overlap and 
duplication and maximize interoperability with related systems and (2) 
produce mission benefits commensurate with costs over its useful life. 
The controls are also to ensure that the system is acquired and 
deployed the right way, meaning that it is done in a way to maximize 
the chances of delivering defined system capabilities and benefits on 
time and within budget. Given that deployment of Navy ERP is more than 
2 years behind schedule and is to cost about $570 million[Footnote 4] 
more than was originally envisioned, these goals have already not been 
fully met, in part because DOD program management and oversight 
entities have not fully implemented several key IT management controls. 
As a result, the department has yet to adequately demonstrate that the 
program's first increment, as it has been defined, is the right 
solution, and it is likely that the department will continue to add to 
the program's cost overruns and schedule delays that the program has 
already experienced to date. The strengths and weaknesses associated 
with each of the IT management controls that we evaluated are described 
here: 

* Navy ERP compliance with DOD's federated business enterprise 
architecture (BEA) has not been sufficiently demonstrated. To its 
credit, the program office followed DOD's architecture compliance 
assessment guidance and used the related assessment tool. However, this 
guidance and tool do not adequately provide for addressing all relevant 
aspects of architectural compliance. Specifically, the program's 
compliance assessment (1) did not include all relevant architecture 
products, such as those that describe technical and system elements; 
(2) was not used to identify potential areas of duplication across 
programs; and (3) did not address compliance with the DON enterprise 
architecture. These important steps were not performed because of 
policy, guidance, and tool limitations, and because aspects of the 
corporate BEA and the DON enterprise architecture, which are both major 
components of DOD's federated BEA, have yet to be sufficiently defined 
to permit thorough compliance determinations in these areas. In 
addition, program oversight and approval authorities did not validate 
the program office's compliance assessments. As a result, the 
department does not have a sufficient basis for knowing if Navy ERP has 
been defined to minimize overlap with, and duplication of other 
programs' functions, and is being defined and designed to maximize 
interoperability among related programs. 

* Investment in Navy ERP has been economically justified on the basis 
of expected life cycle benefits that far exceed estimated life cycle 
costs ($8.6 billion versus $2.4 billion over a 20-year life cycle). 
However, these benefit estimates have not been subject to analysis of 
how uncertainty in assumptions and data could impact them, as 
prescribed in relevant guidance. According to program officials, such 
uncertainty analysis is not warranted because they have taken and 
continue to take steps to validate the assumptions and the data, such 
as using the latest budget data associated with retiring legacy 
systems, and monitoring changes to the systems' retirement dates. While 
these steps are positive, they do not eliminate the need for 
uncertainty analysis. Accordingly, we assessed key uncertainty 
variables and found that while the inherent uncertainty in the 
estimates would reduce expected savings, the reduction would be small 
relative to a total benefit estimate of $8.6 billion. 

With respect to the cost estimate, our analysis showed that it was not 
derived using all key estimating practices contained in relevant 
guidance. For example, the estimate was not grounded in a historical 
record of comparable data from similar programs and was not based on a 
reliable schedule baseline, which are both necessary to having a cost 
estimate that can be considered credible and accurate. These practices 
were not employed for various reasons, including DOD's lack of 
historical data from similar programs and the lack of an integrated 
master schedule for the program's first increment that includes all 
three releases. Notwithstanding the fact that these limitations could 
materially increase the $2.4 billion cost estimate, it is nevertheless 
unlikely that they would increase the cost estimate to a level close to 
the uncertainty-adjusted benefit expectations. Therefore, we have no 
reason to believe that Navy ERP will not produce a positive return on 
investment. 

* EVM, which is a means for determining and disclosing actual program 
performance in comparison with estimates, is not being effectively 
implemented in Navy ERP. To its credit, the program office has elected 
to implement program-level EVM.[Footnote 5] In doing so, however, basic 
EVM activities have not been executed, which has produced, and will 
likely continue to produce, actual program costs and schedules that do 
not track close to estimates. For example, an integrated baseline 
review, which is to verify that the program's costs and schedule are 
reasonable given the program's scope of work and associated risks, has 
not been performed on any of the first increment's releases. According 
to program officials, this is because of the time it took to establish 
program-level EVM capabilities and because of their focus on deploying 
and stabilizing the first release. However, they recently stated that 
one has been tentatively scheduled for August 2008. By not having an 
integrated master schedule that has been subject to a baseline review, 
as well as not employing other industry standards as discussed in this 
report, Navy ERP will be challenged in implementing EVM effectively, 
and cost overruns and lengthy schedule delays beyond those already 
experienced by the program will likely occur. Our analysis of the 
latest estimate for completing just the budgeted development work for 
all three releases, which is about $844 million, shows that this 
estimate will most likely have an overrun of about $152 million. 

* An important requirements management activity has been effectively 
implemented in Navy ERP. Specifically, the program office has ensured 
that system requirements for the first release are traceable, as 
evidenced by our analysis of 60 randomly selected system-level 
requirements in which we confirmed that 58 are traceable backward to 
operational requirements and forward to design specifications and test 
results. Such traceability is important because it increases the 
chances of delivering a system that performs as intended. Our analysis 
of requirements in this sample also confirmed that system requirements 
that had been reallocated from the first release to the other releases 
were traceable, thus demonstrating traceability among product releases. 

* The program office has defined a process for proactively managing 
risks that reflects key practices governing how this IT management 
control should be performed. However, it has not effectively 
implemented this process for all identified risks. In particular, steps 
taken to mitigate the risks associated with converting data from 
existing systems to the new system and positioning user organizations 
for the operational changes associated with the new system were not 
effective. According to program officials, these mitigation strategies 
could not be effectively implemented because the program office does 
not have the authority to compel the user organizations to execute 
their part of the mitigation strategy. As a result, the first user 
organization to receive the Navy ERP experienced significant problems 
during recent operational testing, and these problems will take 
additional time and resources to correct. In addition, not all known 
risks have been captured in the risk inventory. For example, the risks 
associated with the two above discussed control weaknesses (not having 
adequately demonstrated the program's architectural alignment and not 
having implemented program-level EVM according to industry practices) 
are not included in the risk inventory and are thus not being disclosed 
and addressed. This is important because not having effectively 
addressed such risks has contributed to schedule delays and will likely 
contribute to more cost and schedule shortfalls. 

Notwithstanding the effectiveness with which several program management 
controls have been implemented on Navy ERP, the above-cited weaknesses 
in implementing other management controls put DOD at risk of investing 
in a system solution that does not optimally support corporate mission 
needs and mission performance and continuing to fall short of program 
schedule and cost commitments. Accordingly, we are making 
recommendations to the Secretary of Defense aimed at addressing the 
cost and schedule estimating, EVM, and risk management weaknesses, 
thereby better ensuring that the program is managed to deliver the 
right solution, the right way. We are not making recommendations in 
this report for addressing the architecture compliance weaknesses 
because we recently completed other work that is more broadly focused 
on this management control across multiple programs. 

In written comments on a draft of this report, signed by the Deputy 
Under Secretary of Defense (Business Transformation) and reprinted in 
appendix II, the department stated that it concurred with two, and 
partially concurred with two, of our four recommendations. Further, it 
stated that it has taken steps to address some of our recommendations, 
adding that it is committed to implementing recommendations that 
contribute to the program's success. 

In partially concurring with two of the recommendations, DOD concurred 
with most aspects of both. Nevertheless, for our recommendation aimed 
at improving the program's cost estimates, it stated that it did not 
concur with one aspect--ensuring that future cost estimates reflect the 
risk of not having cost data for comparable programs. In doing so, DOD 
stated that while the program had limited comparable data on which to 
base the program's cost estimate, it had accounted for this limitation 
in the cost estimate's uncertainty analysis. We do not agree that this 
risk was reflected in the uncertainty analysis. We examined this 
analysis as part of our review and found that it did not recognize this 
risk. Moreover, DOD's comments did not include any evidence to the 
contrary. 

In addition, for our recommendation aimed at improving the program's 
integrated master schedule, the department partially concurred with one 
of the five components of the recommendation--defining a critical path 
that incorporates all three releases of the system. In doing so, DOD 
stated what our report already recognized, namely that the schedule 
reflects a separate critical path for each release and that this is due 
to the size and complexity of the releases. However, DOD offers no new 
information in its comments. Further, our report also recognizes that 
to be successful, large and complex programs that involve thousands of 
activities need to ensure that their schedules integrate these 
activities. In this regard, we support the department's commitment to 
explore the feasibility of implementing this part of our 
recommendation. 

While concurring with all components of our other two recommendations, 
the department nevertheless provided comments relative to the program's 
use of EVM to explain why Release 1.0 of the system was not subject to 
an integrated baseline review. For several reasons discussed in the 
agency comments section of this report, we do not agree with these 
additional comments. In addition, the department's comments described 
actions planned or under way to address our recommendations. If fully 
and properly implemented, DOD's described actions should go a long way 
in addressing the weaknesses that we identify in the report. 

Background: 

DON's primary mission is to organize, train, maintain, and equip combat-
ready naval forces capable of winning the global war on terrorism and 
any other armed conflict, deterring aggression by would-be foes, 
preserving freedom of the seas, and promoting peace and security. To 
support this mission, DON performs a variety of interrelated and 
interdependent business functions (e.g., acquisition and financial 
management), relying heavily on IT systems. In fiscal year 2008, DON's 
budget for business systems and associated infrastructure was about 
$2.7 billion, of which $2.2 billion was allocated to operations and 
maintenance of existing systems and the remaining $500 million to 
systems in development and modernization. Of the approximately 3,000 
business systems that DOD reports in its current inventory, DON 
accounts for 904, or about 30 percent, of the total. Navy ERP is one 
such system investment. 

Navy ERP: A Brief Description: 

In July 2003, the Assistant Secretary of the Navy for Research, 
Development, and Acquisition established Navy ERP to "converge" four 
separate pilot programs that were under way at four separate Navy 
commands.[Footnote 6] This program is to leverage a commercial, off- 
the-shelf software known as an enterprise resource planning product. 
Such products consist of multiple, integrated functional modules that 
perform a variety of business-related tasks, such as acquisition and 
financial management. Table 1 provides a brief description and status 
of each of the pilots. 

Table 1: Description and Status of the Navy ERP Pilots: 

Pilot: SIGMA; 
Description and status: Deployed at Naval Air Systems Command 
(NAVAIR)[A] to support and link such business functions as program 
management, contracting, financial, and human resources management. It 
was retired in the first quarter of fiscal year 2008. 

Pilot: CABRILLO; 
Description and status: Deployed at Space and Naval Warfare Systems 
Command (SPAWAR)[B] to support Navy Working Capital Fund financial 
management. It is to be retired in fiscal year 2010. 

Pilot: NEMAIS; 
Description and status: Deployed at Naval Sea Systems Command 
(NAVSEA)[C] to support regional maintenance, including intermediate-
level maintenance[D] management and human resources. It is to be 
retired in fiscal year 2011. 

Pilot: SMART; 
Description and status: Deployed at Naval Supply Systems Command 
(NAVSUP)[E] and NAVAIR to support national and local supply management, 
intermediate-level maintenance management and to interface with 
aviation depots. It was retired in fiscal year 2005. 

Source: GAO analysis of DON data. 

[A] NAVAIR is responsible for developing, delivering, and supporting 
aircraft and weapons used by sailors and marines. 

[B] SPAWAR is responsible for developing, delivering, and supporting 
specialized command and control technologies, business information 
technology, and space capabilities. 

[C] NAVSEA is responsible for acquiring and maintaining the Navy's 
ships and submarines. 

[D] Intermediate-level maintenance is for repair or maintenance of 
items that do not have to go to the depot level for major work but 
cannot be maintained or repaired at the organizational level. 

[E] NAVSUP is responsible for supply, fuel, and transportation, as well 
as other logistics programs. 

[End of table] 

According to DOD, Navy ERP is to address the Navy's long-standing 
problems related to financial transparency and asset visibility. 
Specifically, the program is intended to standardize the Navy's 
acquisition, financial, program management, maintenance, plant and 
wholesale supply, and workforce management business processes across 
its dispersed organizational components. When the program is fully 
implemented, it is to support over 86,000 users. 

Navy ERP is being developed in a series of increments using the Systems 
Applications and Products (SAP) commercial software package, augmented 
as needed by customized software. SAP consists of multiple, integrated 
functional modules that perform a variety of business related tasks, 
such as finance and acquisition. The first increment, called Template 
1, is currently the only funded portion of the program and consists of 
three releases: 1.0 Financial and Acquisition, 1.1 Wholesale and Retail 
Supply, and 1.2 Intermediate-Level Maintenance. Release 1.0 is the 
largest of the three releases in terms of the functional requirements 
being addressed. Specifically, it is to provide about 56 percent of 
Template 1 requirements. See table 2 for a description of these 
releases. 

Table 2: Navy ERP Template 1 Releases: 

Release: 1.0 Financial and Acquisition; 
Functionality: General Fund and Navy Working Capital Fund finance 
applications, such as billing, budgeting, and cost planning; 
Acquisition applications, such as activity based costing, contract 
awards, and budget exhibits; Workforce management applications, such as 
personnel administration, and training and events management. 

Release: 1.1 Wholesale and Retail Supply; 
Functionality: Wholesale applications, such as supply and demand 
planning, order fulfillment, and supply forecasting; Retail supply 
applications, such as inventory management, supply and demand 
processing, and warehouse management. 

Release: 1.2 Intermediate-Level Maintenance; 
Functionality: Maintenance applications, such as maintenance 
management, quality management, and calibration management. 

Source: GAO analysis of DON data. 

[End of table] 

DON estimates the life cycle cost for the program's first increment to 
be about $2.4 billion, including about $1 billion for acquisition, and 
$1.4 billion for operations and maintenance. The life cycle cost of the 
entire program has not yet been determined because future increments 
have not been defined. The program office reported that approximately 
$400 million was spent from fiscal year 2004 through fiscal year 2007 
on the first increment. For fiscal year 2008, about $200 million is 
planned to be spent. 

Program Oversight and Management Roles and Responsibilities: 

To manage the acquisition and deployment of Navy ERP, DON established a 
program management office within the Program Executive Office for 
Executive Information Systems. The program office manages the program's 
scope and funding and is responsible for ensuring that the program 
meets its objectives. To accomplish this, the program office is 
responsible for key program management areas, such as architectural 
alignment, economic justification, earned value management, 
requirements management, and risk management. In addition, various DOD 
and DON organizations share program oversight and review activities. A 
listing of key entities and their roles and responsibilities is in 
table 3. 

Table 3: Organizations Responsible for Navy ERP Oversight and 
Management: 

Entity: Under Secretary of Defense for Acquisition, Technology, and 
Logistics; 
Roles and responsibilities: Serves as the milestone decision authority 
(MDA), which according to DOD, has overall responsibility for the 
program, to include approving the program to proceed through its 
acquisition cycle on the basis of, for example, the acquisition plan, 
an independently evaluated economic analysis, and the Acquisition 
Program Baseline. 

Entity: Assistant Secretary of the Navy, Research, Development, and 
Acquisition; 
Roles and responsibilities: Serves as DON's oversight organization for 
the program, to include enforcement of Under Secretary of Defense for 
Acquisition, Technology, and Logistics policies and procedures. 

Entity: Department of the Navy, Program Executive Office for Executive 
Information Systems; 
Roles and responsibilities: Oversees a portfolio of large-scale 
projects and programs designed to enable common business processes and 
provide standard capabilities, to include reviewing the acquisition 
plan, economic analysis, and the Acquisition Program Baseline prior to 
approval by the MDA. 

Entity: Department of the Navy Chief Information Officer (CIO); 
Roles and responsibilities: Supports the department's planning, 
programming, budgeting, and execution processes by ensuring that the 
program has achievable and executable goals and conforms to financial 
management regulations, and DON, DOD, and federal IT policies in 
several areas (e.g., security, architecture, and investment 
management); works closely with the program office during milestone 
review assessments. 

Entity: Office of the Secretary of Defense, Office of the Director for 
Program Analysis and Evaluation; 
Roles and responsibilities: Verifies and validates the reliability of 
cost and benefit estimates found in economic analyses and provides its 
results to the MDA. 

Entity: Naval Center for Cost Analyses; 
Roles and responsibilities: Performs independent costs estimates. 

Entity: Defense Business Systems Management Committee (DBSMC); 
Roles and responsibilities: Serves as the highest ranking governance 
body for business systems modernization activities and approves 
investments costing more than $1 million, as, for example, being 
compliant with the BEA. 

Entity: Investment Review Board (IRB); 
Roles and responsibilities: Reviews business system investments and has 
responsibility for recommending certification for all business system 
investments costing more than $1 million that are asserted as compliant 
with the BEA. 

Entity: Business Transformation Agency (BTA); 
Roles and responsibilities: Coordinates business transformation efforts 
across DOD and supports the IRBs and DBSMC. 

Entity: Navy ERP Program Management Office; 
Roles and responsibilities: Performs day-to-day program management and, 
as such, is the single point of accountability for managing the 
program's objectives through development, deployment, and sustainment. 

Source: DOD. 

[End of table] 

Overview of Navy ERP's Status: 

The first increment of Navy ERP is currently in the production and 
deployment phase of the defense acquisition system.[Footnote 7] The 
system consists of five key program life cycle phases and three related 
milestone decision points. These five phases and related milestones, 
along with a summary of key program activities completed during or 
planned for each phase, are as follows: 

1. Concept Refinement: The purpose of this phase is to refine the 
initial system solution (concept) and create a strategy for acquiring 
the solution. This phase began in July 2003, at which time DON began to 
converge the four pilot programs into Navy ERP and developed its first 
cost estimate in September 2003. This phase of the program was combined 
with the next phase, thus creating a combined Milestone A/B decision 
point. 

2. Technology Development: The purpose of this phase is to determine 
the appropriate set of technologies to be integrated into the 
investment solution by iteratively assessing the viability of the 
various technologies while simultaneously refining user requirements. 
During the combined Concept Refinement and Technology Development 
phase, the program office prepared a concept of operations and 
operational requirements document; performed an analysis of 
alternatives, business case analysis, and economic analysis; and 
established its first Acquisition Program Baseline. It also selected 
SAP as the commercial off-the-shelf ERP software. The combined phase 
was completed in August 2004, when the MDA approved Milestone A/B to 
allow the program to move to the next phase. 

3. System Development and Demonstration: The purpose of this phase is 
to develop a system and demonstrate through developer testing that the 
system can function in its target environment. This phase was completed 
in September 2007, when Release 1.0 passed development testing and its 
deployment to NAVAIR began. This was 17 months later than the program's 
original schedule set in August 2004 but on time according to the 
revised schedule set in December 2006. 

In September 2004, the program office awarded a $176 million system 
integration contract to BearingPoint for full system design, 
development, and delivery using SAP's off-the-shelf product and related 
customized software. In January 2006, the program office (1) reduced 
the contractor's scope of work from development and integration of the 
first increment to only development of the first release and (2) 
assumed responsibility and accountability for overall system 
integration. According to the program office, reasons for this change 
included the need to change the development plan to reflect 
improvements in the latest SAP product released and the lack of 
authority by the contractor to adjudicate and reconcile differences 
among the various Navy user organizations (i.e., Navy commands). 

In December 2006, the program office revised its Acquisition Program 
Baseline to reflect an increase of about $461 million in the life cycle 
cost estimate due, in part, to restructuring the program (e.g., 
changing the order of the releases, changing the role of system 
integrator from contractor to the program office) and resolving 
problems related to, among other things, converting data from legacy 
systems to run on Navy ERP and establishing interfaces between legacy 
systems and Navy ERP. In addition, the program office awarded a $151 
million contract for Release 1.1 and 1.2 configuration and development 
to IBM in June 2007. In September 2007, prior to entering the next 
phase, the program revised its Acquisition Program Baseline again to 
reflect a $9 million decrease in the life cycle cost estimate and a 5- 
month increase in its program schedule. Soon after, the MDA approved 
Milestone C to move to the next phase. 

4. Production and Deployment: The purpose of this phase is to achieve 
an operational capability that satisfies the mission needs, as verified 
through independent operational test and evaluation, and to implement 
the system at all applicable locations. This phase began in September 
2007, focusing first on achieving initial operational capability (IOC) 
of Release 1.0 at NAVAIR by May 2008. This date is 22 months later than 
the baseline established for Milestone A/B in August 2004, and 4 months 
later than the new baseline established in September 2007. According to 
program documentation, these delays were due, in part, to challenges 
experienced at NAVAIR in converting data from legacy systems to run on 
the new system and implementing new business procedures associated with 
the system. 

In light of the delays at NAVAIR in achieving IOC, the deployment 
schedules for the other commands were also revised. Specifically, 
Release 1.0 is still to be deployed at NAVSUP on October 2008, but 
Release 1.0 deployment at SPAWAR is now scheduled 18 months later than 
planned (October 2009), and deployment at NAVSEA general fund and Navy 
Working Capital Fund is now scheduled to be 12 months later than 
planned (October 2010 and 2011, respectively). Because of the Release 
1.0 delays, Release 1.1 is now planned for deployment at NAVSUP 7 
months later than planned (February 2010). Release 1.2 is still 
scheduled to be released at Regional Maintenance Centers in October 
2010. 

The program office is currently in the process of again re-baselining 
the program, and DON plans to address any cost overruns through 
reprogramming of fiscal year 2008 DON funds.[Footnote 8] It estimates 
that this phase will be completed with full operational capability 
(FOC)[Footnote 9] by August 2013 (26 months later than the baseline 
established in 2004, and 5 months later than the re-baseline 
established in September 2007). 

5. Operations and Support: The purpose of this phase is to 
operationally sustain the system in the most cost-effective manner over 
its life cycle. In this phase, the program plans to provide centralized 
support to its users across all system commands. Each deployment site 
is expected to perform complementary support functions, such as data 
maintenance. 

Overall, Increment 1 was originally planned to reach FOC in fiscal year 
2011, and its estimated life cycle cost was about $1.87 billion. 
[Footnote 10] The estimate was later baselined[Footnote 11] in August 
2004 at about $2.0 billion.[Footnote 12] In December 2006 and again in 
September 2007, the program was re-baselined. FOC is now planned for 
fiscal year 2013, and the estimated life cycle cost is about $2.4 
billion (31 percent increase over the original estimate).[Footnote 13] 
Key activities for each phase are depicted in figure 1, changes in the 
deployment schedule are depicted in figure 2, and cost estimates are 
depicted in figure 3. 

Figure 1: Navy ERP Time Line: 

[See PDF for image] 

This figure is an illustration of the Navy ERP time line, as follows: 

Phase: Concept refinement and technology development; 
Program established: Prior to the 2004 plan. 

Phase: System development and demonstration; 
2004 plan: mid-2004 through mid-2006; 
* Template 1 contract rescoped to Release 1.0 in early 2006. 
2007 plan: mid-2004 through end 2007; 
* Template 1 contract awarded late 2004; 
* Rebaselined early 2007; 
* Releases 1.1 and 1,2 contract awarded, mid-2007; 
* Rebaselined, end 2007. 

Phase: production and deployment; 
2004 plan: mid-2006 through mid-2011; 
* IOC, late 2006; 
* FOC, late 2011; 
2007 plan: late 2007 through late 2013; 
* IOC, early 2008; 
* FOC, late 2013. 

Source: GAO analysis of DON data. 

[End of figure] 

Figure 2: Navy ERP Milestones for Beginning Deployment: 

[See PDF for image] 

This figure is an illustration of the Navy ERP milestones for beginning 
deployment, as follows: 

Release: 1.0, Financial and Acquisition: 
Milestone: NAVAIR: late 2007 (2007 plan); 
Milestone: NAVSUP: late 2008 (2007 plan and 2008 plan); 
Milestone: SPAWAR: mid-2008 (2007 plan); early 2010 (2008 plan); 
Milestone: NAVSEA dor General Fund: early 2010 (2007 plan); early 2011 
(2008 plan); 
Milestone: NAVSEA for Working Capital Fund: early 2011 (2007 plan); 
early 2012 (2008 plan). 

Release: 1.1, Wholesale and Retail Supply; 
Milestone: NAVSUP: late 2009 (2007 plan); mid-2010 (2008 plan). 

Release 1.2, Intermediate-level Maintenance; 
Milestone: Regional Maintenance Centers: early 2011 (2007 plan and 2008 
plan). 

Source: GAO analysis of DON data. 

[End of figure] 

Figure 3: Navy ERP Life Cycle Cost Estimates in Fiscal Years 2003, 
2004, and 2007: 

[See PDF for image] 

This figure is a vertical bar graph depicting the following data: 

Navy ERP Life Cycle Cost Estimates in Fiscal Years 2003, 2004, and 
2007: 
Fiscal year: 2003: $1.87 billion; 
Fiscal year: 2004: $1.99 billion; 
Fiscal year: 2007: $2.44 billion. 

Source: GAO analysis of DON data. 

[End of figure] 

Use of IT Acquisition Management Controls Maximizes Chances for 
Success: 

IT acquisition management controls are tried and proven methods, 
processes, techniques, and activities that organizations define and use 
to minimize program risks and maximize the chances of a program's 
success. Using these controls can result in better outcomes, including 
cost savings, improved service and product quality, and a better return 
on investment. For example, two software engineering analyses of nearly 
200 systems acquisition projects indicate that teams using systems 
acquisition controls that reflected best practices produced cost 
savings of at least 11 percent over similar projects conducted by teams 
that did not employ the kind of rigor and discipline embedded in these 
practices.[Footnote 14] In addition, our research shows that these 
controls are a significant factor in successful acquisition outcomes, 
including increasing the likelihood that programs and projects will be 
executed within cost and schedule estimates.[Footnote 15] 

We and others have identified and promoted the use of a number of IT 
acquisition management controls associated with acquiring IT 
systems.[Footnote 16] See table 4 for a description of several of these 
activities. 

Table 4: Description of Business System IT Acquisition Management 
Controls: 

Business system acquisition practice: Architectural alignment; To 
ensure that the acquisition is consistent with the organization's 
enterprise architecture; 
Description: Architectural alignment is the process for analyzing and 
verifying that the proposed architecture of the system being acquired 
is consistent with the enterprise architecture for the organization 
acquiring the system. Such alignment is needed to ensure that acquired 
systems can interoperate and are not unnecessarily duplicative of one 
another. 

Business system acquisition practice: Economic justification; To ensure 
that system investments are economically justified; 
Description: Economic justification is the process for ensuring that 
acquisition decisions are based on reliable analyses of the proposed 
investment's likely costs versus benefits over its useful life, as well 
as an analysis of the risks associated with actually realizing the 
acquisition's forecasted benefits for its estimated costs. Economic 
justification is not a one-time event but rather is performed 
throughout an acquisition's life cycle in order to permit informed 
investment decision making. 

Business system acquisition practice: Earned value management; To 
ensure that actual progress against cost and schedule expectations is 
being measured; 
Description: EVM is a tool that integrates the technical, cost, and 
schedule parameters of a contract and measures progress against them. 
During the planning phase, an integrated program baseline is developed 
by time phasing budget resources for defined work. As work is performed 
and measured against the baseline, the corresponding budget value is 
"earned." Using this earned value metric, cost and schedule variances, 
as well as cost and time to complete estimates, can be determined and 
analyzed. 

Business system acquisition practice: Requirements management; To 
ensure that requirements are traceable, verifiable, and controlled; 
Description: Requirements management is the process for ensuring that 
the requirements are traceable, verifiable, and controlled. 
Traceability refers to the ability to follow a requirement from origin 
to implementation and is critical to understanding the interconnections 
and dependencies among the individual requirements and the impact when 
a requirement is changed. Requirements management begins when the 
solicitation's requirements are documented and ends when system 
responsibility is transferred to the support organization. 

Business system acquisition practice: Risk management; To ensure that 
risks are identified and systematically mitigated; 
Description: Risk management is the process for identifying potential 
acquisition problems and taking appropriate steps to avoid their 
becoming actual problems. Risk management occurs early and continuously 
in the acquisition life cycle. 

Source: GAO. 

[End of table] 

Prior GAO Reviews Have Identified IT Acquisition Management Control 
Weaknesses on DOD Business System Investments: 

We have previously reported[Footnote 17] that DOD has not effectively 
managed a number of business system investments. Among other things, 
our reviews of individual system investments have identified weaknesses 
in such things as architectural alignment and informed investment 
decision making, which are also the focus areas of the Fiscal Year 2005 
Defense Authorization Act business system provisions.[Footnote 18] Our 
reviews have also identified weaknesses in other system acquisition and 
investment management areas--such as EVM, economic justification, 
requirements management, and risk management. 

In July 2007, we reported that the Army's approach for investing about 
$5 billion over the next several years in its General Fund Enterprise 
Business System, Global Combat Support System-Army Field/Tactical, 
[Footnote 19] and Logistics Modernization Program did not include 
alignment with the Army enterprise architecture or use of a portfolio-
based business system investment review process.[Footnote 20] Moreover, 
we reported that the Army did not have reliable analyses, such as 
economic analyses, to support its management of these programs. We 
concluded that, until the Army adopts a business system investment 
management approach that provides for reviewing groups of systems and 
making enterprise decisions on how these groups will collectively 
interoperate to provide a desired capability, it runs the risk of 
investing significant resources in business systems that do not provide 
the desired functionality and efficiency. Accordingly, we made 
recommendations aimed at improving the department's efforts to achieve 
total asset visibility and enhancing its efforts to improve its control 
and accountability over business system investments. The department 
agreed with our recommendations. 

We also reported that DON had not, among other things, economically 
justified its ongoing and planned investment in the Naval Tactical 
Command Support System (NTCSS)[Footnote 21] and had not invested in 
NTCSS within the context of a well-defined DOD or DON enterprise 
architecture. In addition, we reported that DON had not effectively 
performed key measurement, reporting, budgeting, and oversight 
activities and had not adequately conducted requirements management and 
testing activities. We concluded that, without this information, DON 
could not determine whether NTCSS, as defined, and as being developed, 
is the right solution to meet its strategic business and technological 
needs. Accordingly, we recommended that the department develop the 
analytical basis to determine if continued investment in NTCSS 
represents prudent use of limited resources and to strengthen 
management of the program, conditional upon a decision to proceed with 
further investment in the program. The department largely agreed with 
our recommendations. 

In addition, we reported that the Army had not defined and developed 
its Transportation Coordinators' Automated Information for Movements 
System II (TC-AIMS II)--a joint services system with the goal of 
helping to manage the movement of forces and equipment within the 
United States and abroad--in the context of a DOD enterprise 
architecture.[Footnote 22] In addition, we reported that the Army had 
not economically justified the program on the basis of reliable 
estimates of life cycle costs and benefits and had not effectively 
implemented risk management. As a result, we concluded that the Army 
did not know if its investment in TC-AIMS II, as planned, was warranted 
or represented a prudent use of limited DOD resources. Accordingly, we 
recommended that the department, among other things, develop the 
analytical basis needed to determine if continued investment in TC-AIMS 
II represents prudent use of limited defense resources. In response, 
the department agreed with our recommendations and has since reduced 
the program's scope by canceling future investments. 

Furthermore, in 2005, we reported that DON had invested approximately 
$1 billion in the four previously cited ERP pilots without marked 
improvement in its day-to-day operations.[Footnote 23] More 
specifically, we reported that the program office had not implemented 
an EVM system. We also identified significant challenges and risks as 
the project moved forward, such as developing and implementing system 
interfaces, converting data from legacy systems into the ERP system, 
meeting its estimated completion date of 2011 at an estimated cost of 
$800 million, and achieving alignment with DOD's BEA. To address these 
areas, we made recommendations that DOD improve oversight of Navy ERP, 
including developing quantitative metrics to evaluate the program. DOD 
generally agreed with our recommendations. 

Implementation Of Key DOD And Related IT Acquisition Management 
Controls On Navy ERP Varies: 

DOD IT-related acquisition policies and guidance, along with other 
relevant guidance, provide an acquisition management control framework 
within which to manage business system programs like Navy ERP. 
Effective implementation of this framework can minimize program risks 
and better ensure that system investments are defined in a way to 
optimally support mission operations and performance, as well as 
deliver promised system capabilities and benefits on time and within 
budget. To varying degrees of effectiveness, Navy ERP has been managed 
in accordance with aspects of this framework. However, implementation 
of key management controls has not been effective. Specifically, 

* compliance with DOD's federated BEA has not been sufficiently 
demonstrated; 

* investment in the program has been economically justified on the 
basis of expected life cycle benefits that will likely exceed estimated 
life cycle costs, although some estimating limitations nevertheless 
exist; 

* earned value management has not been effectively implemented; 

* an important requirements management activity has been effectively 
implemented; and: 

* a risk management process has been defined, but not effectively 
implemented for all risks. 

The reasons that program management and oversight officials cited for 
why these key practices have not been sufficiently executed range from 
limitations in the applicable DOD guidance and tools to the complexity 
and challenges of managing and implementing a program of this size. 
Each of these reasons is described in the applicable sections of this 
report. By not effectively implementing all the above key IT 
acquisition management functions, the program is at increased risk of 
(1) not being defined in a way that best meets corporate mission needs 
and enhances performance and (2) adding to the more than 2 years in 
program schedule delays and about $570 million in program cost 
increases experienced to date. 

Navy ERP Compliance with DOD's Federated BEA Has Not Been Sufficiently 
Demonstrated: 

DOD and other guidance,[Footnote 24] recognize the importance of 
investing in business systems within the context of an enterprise 
architecture.[Footnote 25] Moreover, the Fiscal Year 2005 Defense 
Authorization Act requires that defense business systems be compliant 
with DOD's federated BEA.[Footnote 26] Our research and experience in 
reviewing federal agencies show that not making investments within the 
context of a well-defined enterprise architecture often results in 
systems that are duplicative, are not well integrated, are 
unnecessarily costly to interface and maintain, and do not optimally 
support mission outcomes.[Footnote 27] 

To its credit, the program office has followed DOD's BEA compliance 
guidance.[Footnote 28] However, this guidance does not adequately 
provide for addressing all relevant aspects of BEA compliance. 
Moreover, DON's enterprise architecture, which is a major component of 
DOD's federated BEA, as well as key aspects of DOD's corporate BEA, 
have yet to be sufficiently defined to permit thorough compliance 
determinations. In addition, current policies and guidance do not 
require DON investments to comply with its enterprise architecture. 
This means that the department does not have a sufficient basis for 
knowing if Navy ERP has been defined to minimize overlap with and 
duplication of other programs' functionality and maximize 
interoperability among related programs. Each of these architecture 
alignment limitations is discussed here: 

* The program's compliance assessments did not include all relevant 
architecture products. In particular, the program did not assess 
compliance with the BEA's technical standards profile, which outlines, 
for example, the standards governing how systems physically communicate 
with other systems and how they secure data from unauthorized access. 
This is particularly important because systems like Navy ERP need to 
share information with other systems and, for these systems to 
accomplish this effectively and efficiently, they need to employ common 
standards. A case in point is the relationship between Navy ERP and the 
Global Combat Support System--Marine Corps (GCSS-MC) program.[Footnote 
29] Specifically, Navy ERP has identified 25 technical standards that 
are not in the BEA technical standards profile, and GCSS-MC has 
identified 13 technical standards that are not in the profile. Among 
these non-BEA standards are program-unique information sharing 
protocols, which could limit information sharing between Navy ERP and 
GCSS-MC, and with other systems. 

In addition, the program office did not assess compliance with the BEA 
products that describe system-level characteristics. This is important 
because doing so would create a body of information about programs that 
could be used to identify common system components and services that 
could potentially be shared by the programs, thus avoiding wasteful 
duplication. For example, our analysis of Navy ERP program 
documentation shows that it contains system functions related to 
receiving goods, taking physical inventories, and returning goods, 
which are also system functions cited by the GCSS-MC program. However, 
because compliance with the BEA system products was not assessed, the 
extent to which these functions are potentially duplicative was not 
considered. 

Furthermore, the program office did not assess compliance with BEA 
system products that describe data exchanges among systems. As we 
previously reported, establishing and using standard system interfaces 
is a critical enabler to sharing data.[Footnote 30] For example, Navy 
ERP program documentation indicates that it is to exchange inventory 
order and status data with other systems. System interfaces are 
important for understanding how information is to be exchanged between 
systems. However, since the program was not assessed for compliance 
with these products, it does not have the basis for understanding how 
its approach to exchanging information differs from that of other 
systems that it is to interface with. Compliance against each of these 
BEA products was not assessed because DOD's compliance guidance does 
not provide for doing so and, according to BTA officials, because some 
BEA system products are not sufficiently defined. According to these 
officials, BTA plans to continue to define these products as the BEA 
evolves. 

* The compliance assessment was not used to identify potential areas of 
duplication across programs, which DOD has stated is an explicit goal 
of its federated BEA and associated investment review and decision- 
making processes. More specifically, even though the compliance 
guidance provides for assessing programs' compliance with the BEA 
product that defines DOD operational activities, and Navy ERP was 
assessed for compliance with this product, the results were not used to 
identify programs that support the same operational activities and 
related business processes. Given that the federated BEA is intended to 
identify and avoid not only duplications within DOD components, but 
also between components, it is important that such commonality be 
addressed. For example, BEA compliance assessments for Navy ERP and 
GCSS-MC, as well as two Air Force programs (Defense Enterprise 
Accounting and Management System--Air Force and the Air Force 
Expeditionary Combat Support System) show that each program supports at 
least six of the same BEA operational activities (e.g., conducting 
physical inventory, delivering property and services) and three of 
these four programs support at least 18 additional operational 
activities (e.g., performing budgeting, managing receipt and 
acceptance). However, since the potential overlap among these and other 
programs was not assessed, these programs may be investing in 
duplicative functionality. Reasons for this were that the compliance 
guidance does not provide for such analyses to be conducted and 
programs have not been granted access rights to use this functionality 
in the compliance tool. 

* The program's compliance assessment did not address compliance 
against DON's enterprise architecture, which is one of the biggest 
members of the federated BEA. This is particularly important given that 
DOD's approach to fully satisfying the architecture requirements of the 
Fiscal Year 2005 Defense Authorization Act is to develop and use a 
federated architecture in which component architectures are to provide 
the additional details needed to supplement the thin layer of corporate 
policies, rules, and standards included in the corporate BEA.[Footnote 
31] As we recently reported,[Footnote 32] DON's enterprise architecture 
is not mature because, among other things, it is missing a sufficient 
description of its current and future environments in terms of business 
and information/data. However, certain aspects of an architecture 
nevertheless exist and, according to DON CIO officials, these aspects 
will be leveraged in its efforts to develop a complete enterprise 
architecture. For example, the FORCEnet architecture is intended to 
document Navy's technical infrastructure. Therefore, opportunities 
exist for DON to assess its programs in relation to these architecture 
products, and to understand where its programs are exposed to risks 
because products do not exist, are not mature, or at odds with other 
Navy programs. According to DOD officials, compliance with the DON 
architecture was not assessed because DOD compliance policy is limited 
to compliance with the corporate BEA, and a number of aspects of the 
DON enterprise architecture have yet to be sufficiently developed. 

* The program's compliance assessment was not validated by DON or DOD 
investment oversight and decision-making authorities. More 
specifically, neither the DOD IRBs nor the DBSMC, nor the BTA in 
supporting both of these investment oversight and decision-making 
authorities, reviewed the program's assessments. According to BTA 
officials, under DOD's tiered approach to investment accountability, 
these entities are not responsible for validating programs' compliance 
assessments. Rather, this is a component responsibility, and thus they 
rely on the military departments and defense agencies to validate the 
assessments. 

However, DON Office of the CIO, which is responsible for precertifying 
investments as compliant before they are reviewed by the IRB, did not 
validate any of the program's compliance assessments. According to 
Office of the CIO officials, they rely on Functional Area Managers to 
validate a program's compliance assessments. However, no DON policy or 
guidance exists that describes how the Functional Area Managers should 
conduct such validations. CIO officials stated that this is because 
these authorities do not have the resources that they need to validate 
the assessments, and because a number of aspects of the DON 
architecture are not yet sufficiently developed. 

Validation of program assessments is further complicated by the absence 
of information captured in the assessment tool about what program 
documentation or other source materials were used by the program office 
in making its compliance determinations. Specifically, the tool is only 
configured, and thus was only used, to capture the results of a 
program's comparison of program architecture products to BEA products. 
Thus, it was not used to capture the system products used in making 
these determinations. 

The limitations in existing BEA compliance-related policy and guidance, 
the supporting compliance assessment tool, and the federated BEA, put 
programs like Navy ERP at increased risk of being defined and 
implemented in a way that does not sufficiently ensure interoperability 
and avoid duplication and overlap. We recently completed a review 
examining multiple programs' compliance with the federated BEA, 
including Navy ERP, for the Senate Armed Services Committee, 
Subcommittee on Readiness and Management Support. We addressed the 
architectural compliance guidance, tool, and validation limitations as 
part of this review.[Footnote 33] 

Investment in Navy ERP Has Been Economically Justified, but Important 
Estimating Practices Were Not Implemented: 

The investment in Navy ERP has been economically justified on the basis 
of expected life cycle benefits that far exceed estimated life cycle 
costs. According to the program's benefit/cost analysis, Navy ERP will 
produce about $8.6 billion in estimated benefits for an estimated cost 
of about $2.4 billion over its 20-year life cycle. While these benefit 
estimates were not subject to any analysis of how uncertainty in 
assumptions and data could impact the estimates, as called for by 
relevant guidance, our examination of key uncertainty variables, such 
as the timing of legacy systems' retirement, showed that the savings 
impact would be relatively minor. However, the reliability of the cost 
estimate is limited because it was derived using several, but not all, 
key estimating practices. For example, the estimate was not grounded in 
a historical record of comparable data from similar programs and was 
not based on a reliable schedule baseline, which are both necessary to 
having a cost estimate that can be considered credible and accurate. 
These practices were not employed for various reasons, including DOD's 
lack of historical data from similar programs and the lack of an 
integrated master schedule for the program that includes all releases. 

Notwithstanding the fact that these limitations could materially 
increase the $2.4 billion cost estimate, it is nevertheless unlikely 
that these factors would increase the estimate to a level approaching 
the program's benefit expectations. Therefore, we have no reason to 
believe that Navy ERP will not produce a positive return on investment. 

Benefit Estimates Are Sufficiently Reliable Despite Absence of 
Uncertainty Analysis: 

Forecasting expected benefits over the life of a program is a key 
aspect of economically justifying an investment. The Office of 
Management and Budget (OMB) guidance[Footnote 34] advocates 
economically justifying investments on the basis of expected benefits, 
costs, and risks. Since estimates of benefits can be uncertain because 
of the imprecision in both the underlying data and modeling assumptions 
used, the guidance also provides for analyzing and reporting the 
effects of this uncertainty. By doing this, informed investment 
decision making can occur through the life of the program, and a 
baseline can be established against which to compare the accrual of 
actual benefits from deployed system capabilities. 

The most recent economic analysis, dated August 2007, includes 
monetized benefit estimates for fiscal years 2004-2023, in three key 
areas--about $2.7 billion in legacy system cost savings, $3.3 billion 
in cost savings from inventory reductions, and $2.7 billion in cost 
savings from labor productivity improvements. Collectively, these 
benefits total about $8.6 billion.[Footnote 35] 

The program office calculated expected benefits in terms of cost 
savings, which is consistent with established practices and guidance. 
For example, the program is to result in the retirement of 138 legacy 
systems (including the 4 pilot systems) between fiscal years 2005 and 
2015, and the yearly maintenance costs for a single system are expected 
to be as high as about $39 million.[Footnote 36] According to relevant 
guidance, cost saving estimates should also be analyzed in terms of how 
uncertainty in assumptions and data could impact them. However, the 
program office did not perform such uncertainty analysis. According to 
program officials, uncertainty analysis is not warranted because they 
have taken and continue to take steps to validate the assumptions and 
the data, such as using the latest budget data associated with the 
legacy systems, and monitoring changes to the systems' retirement 
dates. While these steps are positive, they do not eliminate the need 
for uncertainty analysis. Accordingly, we assessed key uncertainty 
variables, such as the timing of the legacy systems' retirement, and 
found that the retirement dates of some of these systems have changed 
since the estimate was prepared, due to, among other things, schedule 
delays in the program. While the inherent uncertainty in these dates 
would reduce expected savings (e.g., only $11 million based on the 134 
legacy systems that we examined),[Footnote 37] the reduction would be 
small relative to a total benefit estimate of $8.6 billion. 

The Cost Estimate Was Not Reliably Derived: 

A reliable cost estimate is a key variable in calculating return on 
investment, and it provides the basis for informed investment decision 
making, realistic budget formulation and program resourcing, meaningful 
progress measurement, proactive course correction, and accountability 
for results. According to OMB,[Footnote 38] programs must maintain 
current and well-documented cost estimates, and these estimates must 
encompass the full life cycle of the program. OMB states that 
generating reliable cost estimates is a critical function necessary to 
support OMB's capital programming process. Without reliable estimates, 
programs are at increased risk of experiencing cost overruns, missed 
deadlines, and performance shortfalls. 

Our research has identified a number of practices that are the basis of 
effective program cost estimating. We have issued guidance that 
associates these practices with four characteristics of a reliable cost 
estimate.[Footnote 39] Specifically, these four characteristics are as 
follows: 

* Comprehensive: The cost estimates should include both government and 
contractor costs over the program's full life cycle, from the inception 
of the program through design, development, deployment, and operation 
and maintenance to retirement. They should also provide an appropriate 
level of detail to ensure that cost elements are neither omitted nor 
double counted and include documentation of all cost-influencing ground 
rules and assumptions. 

* Well-documented: The cost estimates should have clearly defined 
purposes and be supported by documented descriptions of key program or 
system characteristics (e.g., relationships with other systems, 
performance parameters). Additionally, they should capture in writing 
such things as the source data used and their significance, the 
calculations performed and their results, and the rationale for 
choosing a particular estimating method or reference. Moreover, this 
information should be captured in such a way that the data used to 
derive the estimate can be traced back to, and verified against, their 
sources. The final cost estimate should be reviewed and accepted by 
management on the basis of confidence in the estimating process and the 
estimate produced by the process. 

* Accurate: The cost estimates should provide for results that are 
unbiased and should not be overly conservative or optimistic (i.e., 
they should represent most likely costs). In addition, the estimates 
should be updated regularly to reflect material changes in the program, 
and steps should be taken to minimize mathematical mistakes and their 
significance. Among other things, the estimate should be grounded in a 
historical record of cost estimating and actual experiences on 
comparable programs. 

* Credible: The cost estimates should discuss any limitations in the 
analysis performed due to uncertainty or biases surrounding data or 
assumptions. Further, the estimates' derivation should provide for 
varying any major assumptions and recalculating outcomes based on 
sensitivity analyses, and their associated risks and inherent 
uncertainty should be disclosed. Also, the estimates should be verified 
based on cross-checks using other estimating methods and by comparing 
the results with independent cost estimates. 

The $2.4 billion life cycle cost estimate for Navy ERP reflects many of 
the practices associated with a reliable cost estimate, including all 
practices associated with being comprehensive and well-documented, and 
several related to being accurate and credible (see table 5). However, 
several important practices related to accuracy and credibility were 
not performed. To be reliable, a cost estimate should be comprehensive, 
well-documented, accurate, and credible. 

Table 5: Summary of Cost Estimating Characteristics That the Cost 
Estimate Satisfies: 

Characteristic of reliable estimates: Comprehensive; 
Satisfied?[A]: Yes. 

Characteristic of reliable estimates: Well-documented; 
Satisfied?[A]: Yes. 

Characteristic of reliable estimates: Accurate; 
Satisfied?[A]: Partially. 

Characteristic of reliable estimates: Credible; 
Satisfied?[A]: Partially. 

Source: GAO analysis of DON data. 

[A] "Yes" means that the program office provided documentation 
demonstrating satisfaction of the criterion. "Partially" means that the 
program office provided documentation demonstrating satisfaction of 
part of the criterion. "No" means that the program office has yet to 
provide documentation demonstrating satisfaction of the criterion. 

[End of table] 

The cost estimate is comprehensive because it includes both the 
government and contractor costs specific to development, acquisition 
(nondevelopment), implementation, and operations and support over the 
program's 20-year life cycle. Moreover, the estimate clearly describes 
how the various subelements are aggregated to produce amounts for each 
cost category, thereby ensuring that all pertinent costs are included, 
and no costs are double counted. Finally, cost-influencing ground rules 
and assumptions, such as the program's schedule, labor rates, and 
inflation rates are documented. 

The cost estimate is also well-documented in that the purpose of the 
cost estimate is clearly defined, and the technical baseline includes, 
among other things, the hardware components and planned performance 
parameters. Furthermore, the calculations and results used to derive 
the estimate are documented, including descriptions of the 
methodologies used and evidence of traceability back to source data 
(e.g., vendor quotes, salary tables). Also, the cost estimate was 
reviewed by the Naval Center for Cost Analysis and the Office of the 
Secretary of Defense, Director for Program Analysis and Evaluation, 
which adds a level of confidence in the estimating process and the 
estimate produced. 

However, the estimate lacks accuracy because not all important 
practices related to this characteristic were performed. Specifically, 
while the estimate is grounded in documented assumptions (e.g., 
hardware refreshment every 5 years) and periodically updated to reflect 
changes to the program, it is not adequately grounded in historical 
experience with comparable programs. While the program office did 
leverage historical cost data from the Navy ERP pilot programs, program 
officials told us that the level of cost accounting on these programs 
did not provide sufficient data. As stated in our guide, estimates 
should be based on historical records of cost and schedule estimates 
from comparable programs, and such historical data should be maintained 
and used for evaluation purposes and future estimates on comparable 
programs. The importance of doing so is evident by the fact that Navy 
ERP's cost estimate has increased by about $570 million since fiscal 
year 2003, which program officials attributed to, among other things, 
site implementation costs (e.g., training and converting legacy system 
data) not included in the original cost estimate, schedule delays, and 
the lack of historical data from similar ERP programs. 

This lack of cost data for large-scale ERP programs is, in part, due to 
DOD not having a standardized cost element structure for these programs 
that can be used for capturing actual cost data, which is a 
prerequisite to capturing and maintaining the kind of historical data 
that can inform cost estimates on similar programs. This means that 
programs like Navy ERP will not be able to ground their cost estimates 
in actual costs from comparable programs. According to officials with 
the Defense Cost and Resource Center,[Footnote 40] such cost element 
structures are needed, along with a requirement for programs to report 
on their costs, but approval and resources have yet to be gained for 
either these structures or the reporting of their costs. We recently 
completed work that addressed standardization of DOD's ERP cost element 
structure and maintenance of a database for historical ERP cost data 
for use on ERP programs.[Footnote 41] 

Compounding the estimate's limited accuracy are limitations in its 
credibility. Specifically, while the estimate satisfies some of the key 
practices for a credible cost estimate (e.g., confirming key cost 
drivers, performing sensitivity analyses,[Footnote 42] and having an 
independent cost estimate prepared by the Naval Center for Cost 
Analysis that was within 11 percent of the program's estimate), the 
program lacks a reliable schedule baseline, which is a key component of 
a reliable cost estimate because it serves as the basis for future work 
to be performed. Other factors that limit confidence in the cost 
estimate's accuracy are (1) past increases in the program's cost 
estimate (as discussed earlier) and (2) trends in EVM data (as 
discussed later). Taken together, the program's cost estimate is not 
sufficiently credible and accurate and thus not reliable. 

While important cost estimating practices were not implemented, it is 
nevertheless unlikely that these limitations would materially increase 
the $2.4 billion cost estimate to a level approaching the program's 
$8.6 billion benefit expectations. 

Earned Value Management Has Not Been Effectively Implemented: 

Measuring and reporting progress against cost and schedule commitments 
(i.e., baselines) is a vital element of effective program management. 
EVM provides a proven means for measuring such progress and thereby 
identifying potential cost overruns and schedule delays early, when 
their impact can be minimized. 

To its credit, the program has elected to implement program-level EVM, 
which is a best practice that has rarely been implemented in the 
federal government. In doing so, however, basic EVM activities have not 
been executed. In particular, an integrated baseline review, which is 
to verify that the program's cost and schedule are reasonable given the 
program's scope of work and associated risks, has not been performed. 
Moreover, other accepted industry standards have not been sufficiently 
implemented, and surveillance of EVM implementation by an entity 
independent of the program office has not occurred. Not performing 
these important practices has contributed to the cost overruns and 
lengthy schedule delays already experienced on Release 1.0, and they 
will likely result in more. In fact, our analysis of the latest 
estimate to complete just the budgeted development work for all three 
releases, which is about $844 million, shows that this estimate will 
most likely be exceeded by about $152 million. 

The Program Has Elected to Implement Program-Level EVM: 

As we previously reported,[Footnote 43] EVM offers many benefits when 
done properly. In particular, it allows performance to be measured, and 
it serves as an early warning system for deviations from plans. It, 
therefore, enables a program office to mitigate the risks of cost and 
schedule overruns. OMB policy recognizes the use of EVM as an important 
part of program management and decision making.[Footnote 44] 

Implementing EVM at the program level rather than just the contract 
level is considered a best practice, and OMB recently began requiring 
it to measure how well a program's approved cost, schedule, and 
performance goals are being met. According to OMB, integrating 
government and contractor cost, schedule, and performance status should 
result in better program execution through more effective management. 
In addition, integrated EVM data can be used to better justify budget 
requests. 

To minimize the risk associated with its decision to transition 
responsibility for Navy ERP system integration from the contractor to 
the government and to improve cost and schedule performance, the 
program office elected in October 2006 to perform EVM at the program 
level. We support the use of program-level EVM. However, if not 
implemented effectively, this program-level approach will be of little 
value. 

An Integrated Baseline Review Has Not Been Performed: 

A fundamental aspect of effective EVM is the development of a 
performance measurement baseline (PMB), which represents the cumulative 
value of planned work and serves as the baseline against which 
variances are calculated. According to relevant best practice guidance, 
a PMB consists of: 

* a complete work breakdown structure; 

* a complete integrated master schedule, and: 

* accurate budgets for all planned work.[Footnote 45] 

To validate the PMB, an integrated baseline review is performed to 
obtain stakeholder agreement on the baseline. According to DOD guidance 
and best practices, such a review should be held within 6 months of a 
contract award and conducted on an as needed basis throughout the life 
of a program to ensure that the baseline reflects (1) all tasks in the 
statement of work, (2) adequate resources (staff and materials) to 
complete the tasks, and (3) integration of the tasks into a well-
defined schedule. Further, the contract performance reports that are to 
be used to monitor performance against the PMB should be validated 
during the integrated baseline review.[Footnote 46] 

The program office has satisfied some of the prerequisites for having a 
reliable PMB, such as developing a work breakdown structure and 
specifying the contract performance reports that are to be used to 
monitor performance. However, it has not conducted an integrated 
baseline review. Specifically, a review was not conducted for Release 
1.0, even though the contract was finalized about 30 months ago 
(January 2006). Also, while the review for Release 1.1 was recently 
scheduled for August 2008, this is 8 months later than when such a 
review should be held, according to DOD guidance and best practices. 
This means that the reasonableness of the program's scope and schedule 
relative to the program risks has not been assured, and has likely 
been, and will likely continue to be a primary contributor to future 
cost increases and schedule delays. 

According to program officials, a review was not performed on the first 
release because development of this release was largely complete by the 
time the program office established the underlying capabilities needed 
to perform program-level EVM. In addition, program officials stated 
that an integrated baseline review has yet to be performed on the other 
two releases because their priority has been on deploying and 
stabilizing the first release. In our view, not assuring the validity 
of the PMB precludes effective implementation of EVM. Until a review is 
conducted, DOD will not have reasonable assurance that the program's 
scope and schedule are achievable, and thus, additional cost and 
schedule overruns are likely. 

Industry EVM Standards Have Not Been Fully Implemented And 
Independently Surveilled: 

In 1996, DOD adopted industry EVM guidance[Footnote 47] that identifies 
32 essential practices organized into five categories: (1) 
organization; (2) planning, scheduling and budgeting; (3) accounting; 
(4) analysis and management reports; and (5) revisions and data 
maintenance. DOD requires that all programs' implementation of EVM 
undergo a compliance audit against the 32 industry practices. In 
addition, DOD policy and guidance[Footnote 48] state that independent 
surveillance of EVM should occur over the life of the program to 
guarantee the validity of the performance data and ensure that EVM is 
being used effectively to manage cost, schedule, and technical 
performance. 

On Navy ERP, compliance with the 32 accepted industry practices has not 
been verified, and surveillance of EVM by an independent entity has not 
occurred. Therefore, the program does not have the required basis for 
ensuring that EVM is being effectively implemented on Navy ERP. 
According to program officials, surveillance was performed by NAVAIR 
for Release 1.0. However, NAVAIR officials said that they did not 
perform such surveillance because they did not receive the Release 1.0 
cost performance data needed to do so. Program officials also stated 
that DON's Center for Earned Value Management[Footnote 49] has 
conducted an initial assessment of their EVM management system, and 
that they intend to have the Center perform surveillance. However, they 
did not have a plan for accomplishing this. Until compliance with the 
standards is verified and continuous surveillance occurs, and 
deviations are addressed, the program will likely continue to 
experience cost overruns and schedule delays. 

Estimated Schedule Baseline Was Not Derived In Accordance With All Key 
Schedule Estimating Practices: 

The success of any program depends in part on having a reliable 
schedule of when the program's work activities will occur, how long 
they will take, and how they are related to one another. As such, the 
schedule not only provides a road map for the systematic execution of a 
program but also provides the means by which to estimate costs, gauge 
progress, identify and address potential problems, and promote 
accountability. Our research has identified nine practices associated 
with effective schedule estimating.[Footnote 50] These practices are 
(1) capturing key activities, (2) sequencing key activities, (3) 
establishing the duration of key activities, (4) assigning resources to 
key activities, (5) integrating key activities horizontally and 
vertically, (6) establishing the critical path for key activities, (7) 
identifying "float time"[Footnote 51] between key activities, (8) 
distributing reserves to high-risk activities, and (9) performing a 
schedule risk analysis. 

The program's estimated schedule was developed using some of these 
practices, but several key practices were not fully employed that are 
fundamental to having a schedule that provides a sufficiently reliable 
basis for estimating costs, measuring progress and forecasting 
slippages. On the positive side, the schedule for the first two 
releases captures key activities and their durations and is integrated 
horizontally and vertically, meaning that multiple teams executing 
different aspects of the program can effectively work to the same 
master schedule. Moreover, for these two releases, the program has 
established float time between key activities and distributed schedule 
reserve to high-risk activities. However, the program has not 
adequately sequenced and assigned resources to key program activities. 
Moreover, the estimated schedule for the first increment is not 
grounded in an integrated master schedule of all the releases, and thus 
the schedule for this increment does not reflect the program's critical 
path of work that must be performed to achieve the target completion 
date. Also, it does not reflect the results of a schedule-risk analysis 
across all three releases with schedule reserve allocated to high-risk 
activities because such risks were not examined. See table 6 for the 
results of our analyses relative to each of the nine practices. 

Table 6: Satisfaction of Schedule Estimating Key Practices: 

Practice: Capturing key activities; 
Explanation: The schedule should reflect all key activities (e.g., 
steps, events, outcomes) as defined in the program's work breakdown 
structure, to include activities to be performed by both the government 
and its contractors; 
Satisfied?[A]: Yes; 
GAO analysis: The program's estimated schedules for the first two 
releases reflect both government and contractor activities, such as 
development and testing of the software components, as well as key 
milestones for measuring progress. 

Practice: Sequencing key activities; 
Explanation: The schedule should be planned so that it can meet 
critical program dates. To meet this objective, key activities need to 
be logically sequenced in the order that they are to be carried out. In 
particular, activities that must be finished prior to the start of 
other activities (i.e., predecessor activities), as well as activities 
that cannot begin until other activities are completed (i.e., successor 
activities) should be identified. By doing so, interdependencies among 
activities that collectively lead to the accomplishment of events or 
milestones can be established and used as a basis for guiding work and 
measuring progress; 
Satisfied?[A]: Partially; 
GAO analysis: The schedules for the first two releases include the 
logical sequencing of most, but not all, activities. For example, 234 
of 2,445 activities in the Release 1.1 schedule were not sequenced 
properly. By not identifying the correct interdependencies and properly 
sequencing key activities, the schedule may not facilitate the 
meaningful tracking of progress. 

Practice: Establishing the duration of key activities; 
Explanation: The schedule should realistically reflect how long each 
activity will take to execute. In determining the duration of each 
activity, the same rationale, historical data, and assumptions used for 
cost estimating should be used for schedule estimating. Further, these 
durations should be as short as possible, and they should have specific 
start and end dates. Excessively long periods needed to execute an 
activity should prompt further decomposition of the activity so that 
shorter execution durations will result; 
Satisfied?[A]: Yes; 
GAO analysis: The schedules for the first two releases establish 
realistic durations of key activities. For example, the schedule for 
Release 1.1 is based on historical data from Release 1.0, which 
provides a level of confidence that the durations are reasonable. 

Practice: Assigning resources to key activities; 
Explanation: The schedule should reflect what resources (i.e., labor, 
material, and overhead) are needed to do the work, whether all required 
resources will be available when they are needed, and whether any 
funding or time constraints exist; 
Satisfied?[A]: Partially; 
GAO analysis: The schedules for the first two releases include the 
allocation of resources, such as personnel, to activities, but it does 
not reflect whether all resources will be available when they are 
needed because the identified resources are shared across the three 
releases. Restated, personnel are assigned to activities across 
multiple releases, each of which is managed according to a separate 
schedule. Therefore, if one of the schedules were to be delayed, the 
other schedules that required the same resources would likely also be 
delayed. 

Practice: Integrating key activities horizontally and vertically; 
Explanation: The schedule should be horizontally integrated, meaning 
that it should link the products and outcomes associated with already 
sequenced activities. These links are commonly referred to as 
"handoffs" and serve to verify that activities are arranged in the 
right order to achieve aggregated products or outcomes. The schedule 
should also be vertically integrated, meaning that traceability exists 
among varying levels of activities and supporting tasks and subtasks. 
Such mapping or alignment among levels enables different groups to work 
to the same master schedule; 
Satisfied?[A]: Yes; 
GAO analysis: The schedules for the first two releases are both 
horizontally and vertically integrated, meaning that the activities 
across the multiple teams are arranged in the right order to achieve 
aggregated products or outcomes. In addition, traceability exists among 
varying levels of activities, which allows multiple teams (i.e., 
development, testing) to work to the same master schedule. 

Practice: Establishing the critical path for key activities; 
Explanation: Using scheduling software, the critical path--the longest 
duration path through the sequenced list of key activities--should be 
identified. The establishment of a program's critical path is necessary 
for examining the effects of any activity slipping along this path. 
Potential problems that might occur along or near the critical path 
should also be identified and reflected in the scheduling of the time 
for high-risk activities (see next practice); 
Satisfied?[A]: Partially; 
GAO analysis: While the program has established the critical path for 
the first two releases separately, it has not done so for the entire 
first increment. This is because the program maintains separate 
schedules for each release, and in doing so, cannot identify the 
longest duration of tasks through the entire first increment. Without 
doing so, the effects of any slippage along the critical path on future 
releases cannot be determined. 

Practice: Identifying "float time" between key activities; 
Explanation: The schedule should identify float time--the time that a 
predecessor activity can slip before the delay affects successor 
activities--so that schedule flexibility can be determined. As a 
general rule, activities along the critical path typically have the 
least amount of float time; 
Satisfied?[A]: Yes; 
GAO analysis: The schedules for the first two releases identify float 
time between key activities. 

Practice: Distributing reserves to high-risk activities; 
Explanation: The baseline schedule should include a buffer or a reserve 
of extra time. Schedule reserve for contingencies should be calculated 
by performing a schedule risk analysis (see next practice). As a 
general rule, the reserve should be applied to high-risk activities, 
which are typically found along the critical path; 
Satisfied?[A]: Partially; 
GAO analysis: The schedule allocates reserve for high-risk activities 
on the critical path for Release 1.0. However, because the program has 
not established a critical path for the first increment, it cannot 
allocate reserve for the high-risk activities on the entire program's 
critical path. 

Practice: Schedule risk analysis should be performed; 
Explanation: A schedule risk analysis should be performed using 
statistical techniques to predict the level of confidence in meeting a 
program's completion date. This analysis focuses not only on critical 
path activities but also on activities near the critical path, since 
they can potentially affect program status; 
Satisfied?[A]: Partially; 
GAO analysis: A schedule risk analysis on the entire program was not 
performed. A schedule risk analysis has been done on Release 1.0, and 
the program office plans to do one for Release 1.1. However, without 
analyzing the risks associated with the program's entire schedule, the 
program cannot determine the level of confidence in meeting the 
program's completion date. 

Source: GAO analysis of DON data. 

[A] "Yes" means that the program provided documentation demonstrating 
satisfaction of the practice. "Partially" means that the program 
provided documentation demonstrating satisfaction of part of the 
practice. "No" means that the program has yet to provide documentation 
demonstrating satisfaction of the practice. 

[End of table] 

According to program documentation, they have plans to address the 
logical sequencing of activities (to ensure that it reflects how work 
is to be performed), but program officials stated that they do not plan 
to combine all three releases into a single integrated master schedule 
for the entire first increment of the program because doing so would 
produce an overly complex and nonexecutable schedule involving as many 
as 15,000 activities. However, our research of and experience in 
evaluating major programs' use of EVM and integrated master schedules 
show that while large, complex programs necessitate schedules involving 
thousands of activities, successful programs ensure that their 
schedules integrate these activities. In our view, not adequately 
performing these practices does not allow the program to effectively 
assign resources, identify the critical path, and perform a schedule 
risk analysis that would allow it to understand, disclose, and 
compensate for its schedule risks. This means that the program is not 
well-positioned to understand progress and forecast its impact. To 
illustrate, the program recently experienced delays in deploying its 
first release at NAVAIR, which according to a recent operational test 
and evaluation report[Footnote 52] has significantly affected the 
schedule's critical path. These schedule impacts are because resources 
supporting the deployment at NAVAIR began to shift to the next 
scheduled deployment site and thus are no longer available to resolve 
critical issues at NAVAIR. Since the schedule baseline is not 
integrated across all releases, the impact of this delay on other 
releases, and thus the program as a whole, cannot be readily 
determined. 

Trends in EVM Data Show Pattern of Cost Overruns and Schedule 
Slippages: 

Program data show a pattern of actual cost overruns and schedule delays 
between January 2007 and May 2008. Moreover, our analysis of the data 
supports a most likely program cost growth of about $152 million to 
complete all three releases. 

Differences from the PMB are measured in both cost and schedule 
variances.[Footnote 53] Positive variances indicate that activities are 
costing less or are completed ahead of schedule. Negative variances 
indicate that activities are costing more or are falling behind 
schedule. These cost and schedule variances can then be used in 
forecasting the cost and time needed to complete the program. 

Based on program-provided data for the first increment over a 17-month 
period ending May 2008, the program has experienced negative cost 
variances. Specifically, while these cost variances have fluctuated 
during this period, they have consistently been negative. (See fig. 4.) 
Moreover, our analysis of the cost to complete just the budgeted 
development work (also known as the PMB) for all three releases, which 
is about $844 million,[Footnote 54] will be exceeded by between about 
$102 million and $316 million, with a most likely overrun of about $152 
million.[Footnote 55] In contrast, the program office reports that the 
overrun at completion will be $55 million but has yet to provide us 
with documentation supporting this calculation. Moreover, our 
calculation does not reflect the recent problems discovered during the 
operational test and evaluation at NAVAIR and thus the overrun is 
likely to be higher. 

Figure 4: Cumulative Cost Variance for Navy ERP over a 17-Month Period: 

[See PDF for image] 

This figure is a line graph depicting the following data: 

Date: January, 2007: 
Cost variance: $2.567 million. 

Date: February, 2007: 
Cost variance: $0.387 million. 

Date: March, 2007: 
Cost variance: -$1.628 million. 

Date: April, 2007: 
Cost variance: $0.905 million. 

Date: May, 2007: 
Cost variance: -$4.047 million. 

Date: June, 2007: 
Cost variance: -$15.995 million. 

Date: July, 2007: 
Cost variance: -$16.36 million. 

Date: August, 2007: 
Cost variance: -$15.2 million. 

Date: September, 2007: 
Cost variance: -$10.544 million. 

Date: October, 2007: 
Cost variance: -$12.828 million. 

Date: November, 2007: 
Cost variance: -$24.932 million. 

Date: December, 2007: 
Cost variance: -$24.747 million. 

Date: January, 2008: 
Cost variance: -$19.044 million. 

Date: February, 2008: 
Cost variance: -$19.073 million. 

Date: March, 2008: 
Cost variance: -$15.685 million. 

Date: April, 2008: 
Cost variance: -$15.171 million. 

Date: May, 2008: 
Cost variance: -$17.289 million. 

Source: GAO analysis based on Navy ERP data. 

[End of figure] 

During this same 17-month period, the program has experienced negative 
schedule variances and, since January 2008, they have almost doubled 
each month. Further, as of May 2008, the program had not completed 
about $24 million in scheduled work. (See fig. 5.) An inability to meet 
schedule performance is a frequent indication of future cost increases, 
as more spending is often necessary to resolve schedule delays. 

Figure 5: Cumulative Schedule Variance of the Navy ERP Program over a 
17-Month Period: 

[See PDF for image] 

This figure is a line graph depicting the following data: 

Date: January, 2007: 
Cost variance: -$1.258 million. 

Date: February, 2007: 
Cost variance: -$1.655 million. 

Date: March, 2007: 
Cost variance: -$1.885 million. 

Date: April, 2007: 
Cost variance: -$1.84 million. 

Date: May, 2007: 
Cost variance: -$2.384 million. 

Date: June, 2007: 
Cost variance: -$4.98 million. 

Date: July, 2007: 
Cost variance: -$6.938 million. 

Date: August, 2007: 
Cost variance: -$7.646 million. 

Date: September, 2007: 
Cost variance: -$4.542 million. 

Date: October, 2007: 
Cost variance: -$4.715 million. 

Date: November, 2007: 
Cost variance: -$1.863 million. 

Date: December, 2007: 
Cost variance: -$2.548 million. 

Date: January, 2008: 
Cost variance: -$4.504 million. 

Date: February, 2008: 
Cost variance: -$8.069 million. 

Date: March, 2008: 
Cost variance: -$10.93 million. 

Date: April, 2008: 
Cost variance: -$17.703 million. 

Date: May, 2008: 
Cost variance: -$25.62 million. 

Source: GAO analysis based on Navy ERP data. 

[End of figure] 

Because the program office has not performed important reliability 
checks, such as EVM validation and integrated baseline reviews, as 
discussed above, we cannot be certain that the PMB is reliable (i.e., 
reflects all the work to be done and has identified all the risks). As 
a result, the overrun that we are forecasting could be higher. 

[See PDF for image] 

[End of figure] 

By not executing basic EVM practices, the program has and will likely 
continue to experience cost and schedule shortfalls. Until the program 
office implements these important EVM practices, it will likely not be 
able to track actual program costs and schedules close to estimates. 

Important Requirements Management Activity Has Been Effectively 
Implemented: 

Well-defined and managed requirements are recognized by DOD guidance as 
essential, and they can be viewed as a cornerstone of effective system 
acquisition. One aspect of effective requirements management is 
requirements traceability.[Footnote 56] By tracing requirements both 
backward from system requirements to higher level business or 
operational requirements and forward to system design specifications 
and test plans, the chances of the deployed product satisfying 
requirements is increased, and the ability to understand the impact of 
any requirement changes and thus make informed decisions about such 
changes, is enhanced. 

The program office is effectively implementing requirements 
traceability for its 1,733 Release 1.0 system requirements. To verify 
this traceability, we randomly selected and analyzed 60 of the 1,733 
system requirements and confirmed that 58 of the 60 were traceable both 
backward to higher level requirements and forward to design 
specifications and test results. The remaining 2 had been allocated to 
the other releases, and thus we also confirmed the program's ability to 
maintain traceability between product releases. In doing so, the 
program utilized a tool called DOORS, which if implemented properly, 
allows each requirement to be linked from its most conceptual 
definition to its most detailed definition, as well as to design 
specifications and test cases. In effect, the tool maintains the 
linkages among requirement documents, design documents, and test cases 
even if requirements change. 

If DON continues to effectively implement requirements traceability, it 
will increase the chances that system requirements will be met by the 
deployed system. 

A Risk Management Process Has Been Defined, but All Risks Have Not Been 
Effectively Mitigated: 

Proactively managing program risks is a key acquisition management 
control and, if defined and implemented properly, it can increase the 
chances of programs delivering promised capabilities and benefits on 
time and within budget. To the program office's credit, it has defined 
a risk management process that meets relevant guidance. However, it has 
not effectively implemented the process for all identified risks. As a 
result, these risks have not been proactively mitigated and either have 
contributed to cost and schedule shortfalls, or could potentially 
contribute to such shortfalls. 

DOD acquisition management guidance, as well as other relevant guidance 
advocates identifying facts and circumstances that can increase the 
probability of an acquisition's failing to meet cost, schedule, and 
performance commitments and then taking steps to reduce the probability 
of their occurrence and impact.[Footnote 57] In brief, effective risk 
management consists of: (1) establishing a written plan for managing 
risks; (2) designating responsibility for risk management activities; 
(3) encouraging program-wide participation in the identification and 
mitigation of risks; (4) defining and implementing a process that 
provides for the identification, analysis, and mitigation of risks; and 
(5) examining the status of identified risks in program milestone 
reviews. 

The program office has developed a written plan for managing risks and 
established a process that together provide for the above-cited risk 
management practices. Moreover, it has largely followed its plan and 
process as per the following examples: 

* The program manager has been assigned overall responsibility for 
managing risks and serves as the chair of the risk management board. 
[Footnote 58] Also, a functional team lead (i.e., subject matter 
expert) is assigned responsibility for analyzing and mitigating each 
identified risk. 

* Program-wide participation in the identification, analysis, and 
mitigation of risks is encouraged. Specifically, a manager for each 
release is responsible for providing risk management guidance to the 
staff, which includes staff identification and analysis of risks. Also, 
according to the program office's risk management plan, all program 
personnel can submit a risk for approval. In addition, stakeholders 
participate in risk management activities during acquisition milestone 
reviews. 

* The program office has identified and categorized individual risks. 
As of June 2008, the risk database contained 15 active risks--3 high, 8 
medium, and 4 low.[Footnote 59] 

* Program risks are considered during program milestone reviews. For 
example, during the program's critical design review, which is a key 
event of the system development and demonstration phase, key risks 
regarding implementing new business processes and legacy system changes 
were discussed. Furthermore, the program manager receives a monthly 
risk report that describes the status of program risks. 

However, the program office has not consistently followed other aspects 
of its process. In particular, it has not effectively implemented steps 
for mitigating the risks associated with (1) converting data from 
NAVAIR's legacy systems to run on Navy ERP and (2) positioning NAVAIR 
for adopting the new business processes embedded in Navy ERP. As we 
have previously reported, it is important for organizations that are to 
operate and use commercial off-the-shelf software products, such as 
Navy ERP, to proactively manage and position themselves for the 
organizational impact of introducing functionality embedded in the 
commercial products. If they do not, the organization's performance 
will suffer.[Footnote 60] 

To the program office's credit, it identified numerous risks associated 
with data conversion and organizational change management and developed 
and implemented strategies that were intended to mitigate these risks. 
However, it closed these risks even though they were never effectively 
mitigated, as evidenced by the results of recently completed DON 
operational test and evaluation. According to the June 2008 operational 
test and evaluation report for NAVAIR, significant problems relating to 
both legacy system data conversion and adoption of new business 
processes were experienced. The report states that these problems have 
contributed to increases in the costs to operate the system, including 
unexpected manual effort. It further states that these problems have 
rendered the deployed version not operationally effective and that 
deployment of the system to other sites should not occur until the 
change management process has been analyzed and improved. It also 
attributed the realization of the problems to the program office and 
NAVAIR not having adequately engaged and communicated early with each 
other to coordinate and resolve differences in organizational 
perspectives and priorities and provide intensive pre-deployment 
preparation and training. Program officials acknowledged these 
shortcomings and attributed them to their limited authority over the 
commands. In this regard, they have previously surfaced these risks 
with department oversight and approval authorities, but actions were 
not taken by these authorities that ensured that the risks were being 
effectively mitigated. 

Beyond not effectively mitigating these risks, the program office has 
not ensured that all risks are captured in the risk inventory. For 
example, the inventory does not include the risks described in this 
report that are associated with not having adequately demonstrated the 
program's alignment to the federated BEA and not having implemented 
program-level EVM in a manner that reflects industry practices. This 
means that these risks are not being disclosed or mitigated. 

By not effectively addressing all risks associated with the program, 
these risks can and have become problems that contribute to cost and 
schedule shortfalls. Until all significant risks are proactively 
addressed, to include ensuring that all associated mitigation steps are 
implemented and that they accomplished their intended purpose, the 
program will likely experience further problems at subsequent 
deployment sites. 

Conclusions: 

DOD's success in delivering large-scale business systems, such as Navy 
ERP, is in large part determined by the extent to which it employs the 
kind of rigorous and disciplined IT management controls that are 
reflected in department policies and related guidance. While 
implementing these controls does not guarantee a successful program, it 
does minimize a program's exposure to risk and thus the likelihood that 
it will fall short of expectations. In the case of Navy ERP, living up 
to expectations is important because the program is large, complex, and 
critical to addressing the department's long-standing problems related 
to financial transparency and asset visibility. 

The effectiveness to which key IT management controls have been 
implemented in Navy ERP varies, with one control and several aspects of 
others being effectively implemented, and others less so. Moreover, 
those controls that have not been effectively implemented have, in 
part, contributed to the sizable cost and schedule shortfalls 
experienced to date on the program. Unless this changes, more 
shortfalls can be expected. 

While the program office is primarily responsible for ensuring that 
effective IT management controls are implemented, other oversight and 
stakeholder organizations share responsibility. For example, even 
though the program has not demonstrated its alignment with the 
federated BEA, it nevertheless followed established DOD architecture 
compliance guidance and used the related compliance assessment tool in 
assessing and asserting its compliance. The root cause for not 
demonstrating compliance thus is not traceable to the program office 
but rather is due to, among other things, the limitations of the 
compliance guidance and tool, and the program's oversight entities not 
validating the compliance assessment and assertion. Also, the reason 
that the program's cost estimate was not informed by the cost 
experiences of other programs of the same size and scope is because DOD 
does not have a standard ERP cost element structure and has not 
maintained a historical database of costs for like programs to use. In 
contrast, effective implementation of other management controls, such 
as implementing EVM, requirements traceability, and risk management is 
the responsibility of the program office. 

All told, addressing the management control weaknesses requires the 
combined efforts of the various organizations that share responsibility 
for managing and overseeing the program. By doing so, the department 
can better assure itself that Navy ERP will optimally support its 
performance goals and will deliver promised capabilities and benefits 
on time and within budget. 

Because we recently completed work that more broadly addresses the 
above cited architectural alignment and comparable program cost data 
limitations, we are not making recommendations in this report for 
addressing them. 

Recommendations for Executive Action: 

To strengthen Navy ERP management control and better provide for the 
program's success, we are making the following recommendations: 

* To improve the reliability of Navy ERP benefit estimates and cost 
estimates, we recommend that the Secretary of Defense direct the 
Secretary of the Navy, through the appropriate chain of command, to 
ensure that future Navy ERP estimates include uncertainty analyses of 
estimated benefits, reflect the risks associated with not having cost 
data for comparable ERP programs, and are otherwise derived in full 
accordance with the other key estimating practices, and economic 
analysis practices discussed in this report. 

* To enhance Navy ERP's use of EVM, we recommend that the Secretary of 
Defense direct the Secretary of the Navy, through the appropriate chain 
of command, to ensure that (1) an integrated baseline review on the 
last two releases of the first increment is conducted, (2) compliance 
against the 32 accepted industry EVM practices is verified, and (3) a 
plan to have an independent organization perform surveillance of the 
program's EVM system is developed and implemented. 

* To increase the quality of the program's integrated master schedule, 
we recommend that the Secretary of Defense direct the Secretary of the 
Navy, through the appropriate chain of command, to ensure that the 
schedule (1) includes the logical sequencing of all activities, (2) 
reflects whether all required resources will be available when needed, 
(3) defines a critical path that integrates all three releases, (4) 
allocates reserve for the high-risk activities on the entire program's 
critical path, and (5) incorporates the results of a schedule risk 
analysis for all three releases and recalculates program cost and 
schedule variances to more accurately determine a most likely cost and 
schedule overrun. 

* To improve Navy ERP's management of program risks, we recommend that 
the Secretary of Defense direct the Secretary of the Navy, through the 
appropriate chain of command, to ensure that (1) the plans for 
mitigating the risks associated with converting data from legacy 
systems to Navy ERP and positioning the commands for adopting the new 
business processes embedded in the Navy ERP are re-evaluated in light 
of the recent experience with NAVAIR and adjusted accordingly, (2) the 
status and results of these and other mitigation plans' implementation 
are periodically reported to program oversight and approval 
authorities, (3) these authorities ensure that those entities 
responsible for implementing these strategies are held accountable for 
doing so, and (4) each of the risks discussed in this report are 
included in the program's inventory of active risks and managed 
accordingly. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, signed by the Deputy 
Under Secretary of Defense (Business Transformation) and reprinted in 
appendix II, DOD stated that it concurred with two of our four 
recommendations and partially concurred with the remaining two. 
Further, it stated that it has taken steps to address some of our 
recommendations, adding that it is committed to implementing 
recommendations that contribute to the program's success. The 
department's comments relative to both of the recommendations that it 
partially concurred with, as well as additional comments, are discussed 
below. 

For our recommendation associated with improving the program's benefit 
and cost estimates, DOD concurred with two of the recommendation's 
three parts, but it did not concur with one part--ensuring that future 
cost estimates reflect the risk of not having cost data for comparable 
programs. While acknowledging that the program had limited cost data 
from comparable programs on which to base its cost estimate, DOD stated 
that an uncertainty analysis had been applied to the estimate to 
account for the risk associated with not having such data. The 
department further stated that actual experience on the program will 
continue to be used to refine the program's cost estimating 
methodology. While we support DOD's stated commitment to using actual 
program cost experience in deriving future estimates, we do not agree 
that the latest estimate accounted for the risk of not having cost data 
from comparable programs. We examined the uncertainty analysis as part 
of our review, and found that it did not recognize this risk. Moreover, 
DOD's comments offered no new evidence to the contrary. 

For our recommendation associated with improving the program's schedule 
estimating, DOD concurred with four of the recommendation's five parts, 
and partially concurred with one part--ensuring that the schedule 
defines a critical path that integrates all releases. In taking this 
position, the department stated that a critical path has been 
established for each release rather than across all three releases, and 
it attributes this to the size and complexity of the program. We do not 
take issue with either of these statements, as they are already 
recognized in our report. However, DOD offers no new information in its 
comments. Further, our report also recognizes that to be successful, 
large and complex programs that involve thousands of activities need to 
ensure that their schedules integrate these activities. In this regard, 
we support the department's commitment to explore the feasibility of 
implementing this part of our recommendation. 

In addition, while stating that it concurred with all parts of our 
recommendation associated with improving the program's use of EVM, DOD 
nevertheless provided additional comments as justification for having 
not conducted an integrated baseline review on Release 1.0. 
Specifically, it stated that when it rebaselined this release in 
December 2006, the release's development activities were essentially 
complete and the release was in the latter stages of testing. Further, 
it stated that the risks associated with the Release 1.0 schedule were 
assessed 3 months after this rebaselining, and these risks were 
successfully mitigated. To support this statement, it said that Release 
1.0 achieved its "Go-Live" as scheduled at NAVAIR. We do not agree with 
these comments for several reasons. First, at the time of the 
rebaselining, about 9 months of scheduled Release 1.0 development 
remained, and thus the release was far from complete. Moreover, the 
significance of the amount of work that remained, and still remains 
today on Release 1.0 is acknowledged in DOD's own comment that the 
scheduled integrated baseline review for Release 1.1 will also include 
remaining Release 1.0 work. Second, the Release 1.0 contract was 
awarded in January 2006, and DOD's own guidance requires that an 
integrated baseline review be conducted within 6 months of a contract's 
award. Third, although DOD states that the program achieved "Go-Live" 
as scheduled on October 1, 2007, the program achieved initial 
operational capability 7 months later than established in the December 
2006 baseline. 


In addition to these comments, the department also described actions 
under way or planned to address our recommendations. We support the 
actions described, as they are consistent with the intent of our 
recommendations. If fully and properly implemented, these actions will 
go a long way in addressing the management control weaknesses that our 
recommendations are aimed at correcting. 

We are sending copies of this report to interested congressional 
committees; the Director, Office of Management and Budget; the 
Congressional Budget Office; the Secretary of Defense; and the 
Department of Defense Office of the Inspector General. We also will 
make copies available to others upon request. In addition, the report 
will be available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-3439 or [email protected]. Contact points for our 
Offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. GAO staff who made major contributions to 
this report are listed in appendix III. 

Signed by: 

Randolph C. Hite: 
Director, Information Technology Architecture and Systems Issues: 

[End of section] 

Appendix I: Objective, Scope, and Methodology: 

[End of section] 

Our objective was to determine whether the Department of the Navy is 
effectively implementing information technology management controls on 
the Navy Enterprise Resource Planning (Navy ERP) program. To accomplish 
this, we focused on the first increment of Navy ERP and the following 
management areas (1) architectural alignment, (2) economic 
justification, (3) earned value management (EVM), (4) requirements 
management, and (5) risk management. 

* To determine whether Navy ERP was aligned with the Department of 
Defense's (DOD) federated business enterprise architecture (BEA), we 
reviewed the program's BEA compliance assessments and system 
architecture products, as well as Versions 4.0, 4.1, and 5.0 of the 
BEA, and compared them with the BEA compliance requirements described 
in the Fiscal Year 2005 Defense Authorization Act[Footnote 61] and 
DOD's BEA compliance guidance, and we evaluated the extent to which the 
compliance assessments addressed all relevant BEA products. We also 
determined the extent to which the program-level architecture 
documentation supported the BEA compliance assessments. We obtained 
documentation, such as the BEA compliance assessments from the Navy ERP 
and Global Combat Support System--Marine Corps programs, as well as the 
Air Force's Defense Enterprise Accounting and Management System and Air 
Force Expeditionary Combat Support System programs. We then compared 
these assessments to identify potential redundancies or opportunities 
for reuse and determined if the compliance assessments examined 
duplication across programs, and if the tool that supports these 
assessments is being used to identify such duplication. In doing so, we 
interviewed program officials and officials from the Department of the 
Navy, Office of the Chief Information Officer and reviewed recent GAO 
reports to determine the extent to which the programs were assessed for 
compliance against the Department of the Navy enterprise architecture. 
We also interviewed program officials and officials from the Business 
Transformation Agency and the Department of the Navy, including the 
logistics Functional Area Manager, and obtained guidance documentation 
from these officials to determine the extent to which the compliance 
assessments were subject to oversight or validation. 

* To determine whether the program had economically justified its 
investment in Navy ERP, we reviewed the latest economic analysis to 
determine the basis for the cost and benefit estimates. This included 
evaluating the analysis against Office of Management and Budget 
guidance and GAO's Cost Assessment Guide.[Footnote 62] In doing so, we 
interviewed cognizant program officials, including the program manager 
and cost analysis team, regarding their respective roles, 
responsibilities, and actual efforts in developing and/or reviewing the 
economic analysis. We also interviewed officials at the Office of 
Program Analysis and Evaluation and Naval Center for Cost Analysis as 
to their respective roles, responsibilities, and actual efforts in 
developing and/or reviewing the economic analysis. We did not verify 
the validity of the source data used to calculate estimated benefits, 
such as those data used to determine the yearly costs associated with 
legacy systems planned for retirement. 

* To determine the extent to which the program had effectively 
implemented EVM, we reviewed relevant documentation, such as contract 
performance reports, acquisition program baselines, performance 
measurement baseline, and schedule estimates and compared them with DOD 
policies and guidance.[Footnote 63] To identify trends that could 
affect the program baseline in the future, we assessed cost and 
schedule performance and, in doing so, we applied earned value analysis 
techniques[Footnote 64] to data from contract performance reports. We 
compared the cost of work completed with the budgeted costs for 
scheduled work over a 17-month period, from January 2007 to May 2008, 
to show trends in cost and schedule performance. We also used data from 
the reports to estimate the likely costs at completion of the program 
through established earned value formulas. This resulted in three 
different values, with the middle value being the most likely. We 
checked EVM data to see if there were any mathematical errors or 
inconsistencies that would lead to the data being unreliable. We 
interviewed cognizant officials from the Naval Air Systems Command and 
program officials to determine whether the program had conducted an 
integrated baseline review, whether the EVM system had been validated 
against industry guidelines,[Footnote 65] and to better understand the 
anomalies in the EVM data and determine what outside surveillance was 
being done to ensure that the industry standards are being met. We also 
reviewed the program's schedule estimates and compared them with 
relevant best practices[Footnote 66] to determine the extent to which 
they reflect key estimating practices that are fundamental to having a 
reliable schedule. In doing so, we interviewed cognizant program 
officials to discuss their use of best practices in creating the 
program's current schedule. 

* To determine the extent to which the program has effectively 
implemented requirements management, we reviewed relevant program 
documentation, such as the program management plan and baseline list of 
requirements. To determine the extent to which the program has 
maintained traceability backward to high-level business operation 
requirements and system requirements, and forward to system design 
specifications, and test plans, we randomly selected 60 program 
requirements and traced them both backward and forward. This sample was 
designed with a 5 percent tolerable error rate at the 95 percent level 
of confidence so that, if we found 0 problems in our sample, we could 
conclude statistically that the error rate was less than 5 percent. In 
addition, we interviewed program officials involved in the requirements 
management process to discuss their roles and responsibilities for 
managing requirements. 

* To determine the extent to which the program implemented risk 
management, we reviewed relevant risk management documentation, such as 
the program's risk management plan and risk database reports 
demonstrating the status of the program's major risks and compared the 
program office's activities with DOD acquisition management guidance 
and related industry practices.[Footnote 67] We also reviewed the 
program's mitigation process with respect to key risks to determine the 
extent to which these risks were effectively managed. In doing so, we 
interviewed cognizant program officials, such as the program manager 
and risk manager, to discuss their roles and responsibilities and 
obtain clarification on the program's approach to managing risks 
associated with acquiring and implementing Navy ERP. 

We conducted this performance audit at DOD offices in the Washington, 
D.C., metropolitan area and Annapolis, Md., from June 2007 to September 
2008, in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objective. We 
believe that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objective. 

[End of section] 

Appendix II: Comments from the Department of Defense: 

Office Of The Under Secretary Of Defense: 
Acquisition Technology And Logistics: 
3000 Defense Pentagon: 
Washington, DC 20301-3000: 

August 19, 2008: 

Mr. Randolph C. Hite: 
Director, Information Technology Architecture and Systems Issues: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, DC 20548: 

Dear Mr. Hite: 

This is the Department of Defense (Dot)) response to the GAO draft 
report GAO-08-896, "Defense Business Systems Modernization: Important 
Management Controls Being Implemented on Major Navy Program, But 
Improvements Needed in Key Areas," dated July 18, 2008 (GAO Code 
310659). Detailed comments on the report recommendations are enclosed. 

The Department concurred with two recommendations and partially 
concurred with the remaining two. The Department has already taken 
steps to address some of GAO's recommendations and the Navy Enterprise 
Resource Planning (ERP) program office is committed to implementing 
recommendations that will contribute to the program's success. 

We appreciate the GAO's input on the Department's progress with its 
business transformation efforts and continue to value our partnership. 

Sincerely, 

Signed by: 

Paul A. Brinkley: 
Deputy Under Secretary of Defense (Business Transformation): 

Enclosure: As stated: 

GAO Draft Report Dated July 18, 2008: 
GAO-08-896 (GAO Code 310659): 

"DOD Business Systems Modernization: Important Management Controls 
Being Implemented On Major Navy Program, But Improvements Needed In Key 
Areas" 

Department Of Defense Comments To The GAO Recommendations: 

Recommendation 1: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, to ensure that future Navy Enterprise Resource Planning (ERP) 
estimates include uncertainty analyses of estimated benefits, reflect 
the risk associated with not having cost data for comparable ERP 
programs, and are otherwise derived in full accordance with the other 
key estimating practices, and economic analysis practices discussed in 
this report. (Page 52/GAO Draft Report) 

DOD Response: Partially Concur. Future Navy ERP estimates will include 
uncertainty analyses of estimated benefits and be derived in full 
accordance with key estimating and economic analysis practices. In 
future estimates, uncertainty surrounding the assumptions driving the 
benefit estimate will have probability distributions applied. The point 
estimate reported will be generated using the expected values of the 
probability distributions. 

The Department does not concur with the second element of 
Recommendation 1, that future Navy ERP estimates reflect the risk 
associated with not having cost data for comparable ERP programs. At 
Milestone .A/B, the program estimate was based on commercial best 
practices and standards used to implement System Application Program 
(SAP) functionality as well as engineering inputs and expertise 
developed during the Navy's pilot ERP programs. This approach was 
considered the best approach given the limited comparable enterprise 
program system implementation data currently available in DoD. 
Furthermore, the industry standards and the functional scope definition 
had uncertainty analysis applied to account for the risk associated 
with not having comparable DoD programmatic data. As the program began 
execution, the methodology was and continues to be refined as actual 
experience is gained by the Navy ERP program. 

Recommendation 2: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, to ensure that: (1) an integrated baseline review on the last 
two releases of the first increment is conducted: (2) compliance 
against the 32 accepted industry earned value management (EVM) 
practices is verified: and (3) a plan to have an independent 
organization perform surveillance of the program's EVM system is 
developed and implemented. (Page 52/GAO Draft Report) 

DOD Response: Concur. The Department appreciates the importance of 
Earned Value Management (EVM) as an effective management tool that 
promotes efficient management of programs such as Navy ERP. Navy ERP 
has been implementing "Program-Level" EVM since 2006. During that time, 
the Navy ERP Program Office has received detailed guidance and advice 
from various government and industry groups since Program-Level EVM is 
rare and requires tailoring to achieve compliance with best practices.
A key part of this implementation is the Integrated Baseline Review 
(IBR), which has been scheduled for Navy ERP Release 1.1 in August 
2008. Although this IBR will focus on Release 1.1, it will also include 
the remaining Release 1.0 deployments. The IBR will focus on the health 
of the baseline, assessing schedule and associated resourcing. Navy ERP 
will also conduct IBR on future releases. 

An IBR was not conducted on Release 1.0 because once the rebaselining 
was approved in December 2006, development was essentially complete and 
the release was in the latter stages of testing. However, a Schedule 
Risk Assessment (SRA) of Release 1.0 was conducted in March 2007. The 
main finding was that the Integrated Master Schedule (IMS) was high 
risk for achieving Go-Live due to the lack of integration of the Navy 
ERP schedule with the schedule of Naval Air System Command (NAVAIR), 
the customer. Navy ERP took corrective measures to mitigate this risk 
by developing a cut-over schedule that integrated with NAVAIR's 
schedule. Navy ERP has made it a requirement to incorporate customer 
schedules in all future releases. The corrective measures successfully 
mitigated the risk associated with 1.0 as indicated by the Program 
achieving Go-Live as scheduled. 

Navy ERP follows the direction of the Assistant Secretary of the Navy 
for Research. Development and Acquisition (ASN(RDA)) to work with the 
Navy Center for Earned Value Management (CEVM) to validate that 
management processes meet the intent of the 32 guidelines described in 
the American National Standards Institute/Electronic Industries 
Alliance (ANSI/EIA) standard ANSI/EIA-748. CEVM will also perform 
ongoing surveillance of Navy ERP processes and EVM data, addressing the 
last element of GAO's recommendation. Additionally, as of August 2008, 
Navy ERP is complying with the Under Secretary of Defense for 
Acquisition, Technology, and Logistics (AT&L) memo issued July 11, 2007 
on the implementation of the Central Repository System. This memo 
requires that all Acquisition Category I programs submit monthly cost 
and schedule performance reports via the Defense Cost and Resource 
Center (DCARC) Earned Value Repository. 

Recommendation 3: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, to ensure that the schedule: (1) includes the logical 
sequencing of all activities; (2) reflects whether all required 
resources will be available when needed; (3) defines a critical path 
that integrates all three releases; (4) allocates reserve for the high-
risk activities on the entire program's critical path; and (5) 
incorporates the results of a schedule risk analysis for all three 
releases, and recalculates program cost and schedule variances to more 
accurately determine a most likely cost and schedule overrun. (Page 
52/GAO Draft Report) 

DOD Response: Partially Concur. The Department's EVM policy recognizes 
that the preparation of an Integrated Master Schedule (IMS) is a best 
practice. The Department concurs with the following elements of the 
recommendation and the Navy ERP Program Office will ensure that the 
schedule: 

* Includes the logical sequencing of all activities: Navy ERP has 
implemented a logically sequenced schedule for Release 1.1 of all 
activities based on experience gained from Navy ERP Release 1.0. 
Improvements have been made and the schedule is continuously monitored 
through weekly schedule metrics. 

* Reflects whether all required resources will be available when 
needed: The Navy ERP IMS has a resource-loaded, time-phased schedule 
for each release that identifies resource allocation and is aligned 
with the Program's approved staffing plan. 

* Allocates reserve for the high-risk activities on the entire 
program's critical path: Navy ERP has actively begun refining the risk 
identification process to incorporate risk and potential impact to the 
program schedule utilizing schedule inputs. As this process matures, 
the result will be used to assist in identify adequate resources 
required in managing integrated program activities across all three 
releases. 

* Incorporates the results of a schedule risk analysis (SRA) for all 
releases: The Results of the SRA for Release 1.1 will be compared to 
the results of the SRA for Release 1.0 and incorporated into the 
variance analysis for cost and schedule to avoid any potential 
overruns. Navy ERP is implementing an estimate at completion (EAC) 
process for quarterly updates beginning in Fiscal Year 2009.
The Department partially concurs with the third element of the 
recommendation, that the schedule defines a critical path that 
integrates all three releases. Navy ERP utilizes a critical path for 
each release. This approach recognizes the size and complexity of the 
Navy's implementation releases and still allows the Navy to remain 
focused on the true dependencies the individual releases have with one 
another. The Program Office will review this recommendation with Navy 
leadership to determine feasibility for Navy [RP. 

Recommendation 4: The GAO recommends that the Secretary of Defense 
direct the Secretary of the Navy, through the appropriate chain of 
command, to ensure that: (1) the plans for mitigating the risks 
associated with converting data from legacy systems to Navy ERP and 
positioning the commands for adopting the new business processes 
embedded in the Navy ERP are re-evaluated in light of the recent 
experience with Naval Air Systems Command (NAVAIR) and adjust 
accordingly; (2) the status and results of these and other mitigation 
plans' implementation are periodically reported to program oversight 
and approval authorities; (3) these authorities ensure that those 
entities responsible for implementing these strategies are held 
accountable for doing so; and (4) each of the risks discussed in this 
report are included in the program's inventory of active risks, and 
managed accordingly. (Page 53/GAO Draft Report) 

DOD Response: Concur. Navy ERP incorporated lessons learned from NAVAIR 
into the Navy ERP Program Command Implementation Guidance. The 
guidance, a copy of which is attached for reference, incorporates key 
lessons learned from prior deployments and provides a detailed overview 
of the implementation process and key information required in 
structuring a Command's implementation team and activities needed for 
success. The Navy ERP Program Command Implementation Guidance also 
identifies critical success factors based on extensive commercial and 
Navy ERP implementation experience and provides a time-phased checklist 
to help focus a Command's resources on the right actions, at the right 
time. It has been reviewed by the Navy System Command Commanders and is 
being used by the Navy Supply System Command (NAVSUP) in preparation 
for the next deployment of Navy ERP Release 1.0. 

The Readiness Assessment checklist in the Navy ERP Program Command 
Implementation Guidance helps to identify risks, and through the Navy 
ERP Risk Program process, elevate the risk appropriately to the right 
level of management to facilitate mitigation planning. In addition to 
those risks identified by the program, Navy ERP will add the risks 
identified by GAO to its risk inventory. Risks and mitigation plans are 
formally captured by the Navy ERP Risk Management Board in its Risk 
Radar tracking tool. 

Furthermore, in light of the experience learned with deployment to 
NAVAIR, Navy ERP has completed a full review and reevaluation of all 
active risks and corresponding mitigation plans. This review included 
two areas noted by GAO in the report: (I) conversion of data from 
legacy systems to Navy ERP and (2) transformation change management to 
position Commands to adopt Navy ERP. 

Since Navy's ERP's deployment of Release 1.0 to NAVAIR, the enterprise 
governance structure that reviews program risks has evolved. Governance 
now includes the Navy Component Acquisition Executive's review process, 
the Navy ERP Senior Integration Board, and Enterprise Risk Assessment 
Methodology (ERAM) assessments. The Navy will work through these 
governance bodies and with other appropriate oversight and approval 
authorities to determine additional reporting mechanisms for risks with 
associated mitigation plans, to ensure commitment and accountability 
across the Navy Enterprise. Direction received from these authorities 
with respect to risk and risk management will be incorporated into the 
Navy ERP Risk Management Program. Through the Navy and Office of the 
Secretary of Defense (OSD) governance bodies. including the Milestone 
Decision Authority (MDA), Deputy Under Secretary of Defense (Business 
Transformation), as well as Navy Enterprise Senior Integration Board 
(NESIB), the Navy ERP Program Manager is held accountable for overall 
program performance, including implementing risk mitigation strategies. 
This aligns to Department of Defense Directive 5000.1, paragraph 3.5, 
which states that the Program Manager is accountable for credible cost, 
schedule, and performance reporting to the MDA. 

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Randolph C. Hite, (202) 512-3439, or [email protected]: 

Staff Acknowledgments: 

In addition to the individual named above, key contributors to this 
report were Neelaxi Lakhmani, Assistant Director; Monica Anatalio; 
Harold Brumm; Neil Doherty; Cheryl Dottermusch; Nancy Glover; Mustafa 
Hassan; Michael Holland; Ethan Iczkovitz; Anh Le; Josh Leiling; Emily 
Longcore; Lee McCracken; Madhav Panwar; Karen Richey; Melissa 
Schermerhorn; Karl Seifert; Sushmita Srikanth; Jonathan Ticehurst; and 
Adam Vodraska. 

[End of section] 

Footnotes: 

[1] Business systems are information systems, including financial and 
nonfinancial systems, that support DOD business operations, such as 
civilian personnel, finance, health, logistics, military personnel, 
procurement, and transportation. 

[2] GAO, High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-07-310] (Washington, D.C.: 
January 2007). 

[3] The Department of the Navy is a major component of DOD, consisting 
of two uniformed services: the Navy and the Marine Corps. 

[4] This amount is the difference between the September 2007 estimated 
life cycle cost of $2,445.0 million and the September 2003 estimated 
life cycle cost of $1,873.1 million. 

[5] Program-level means that EVM covers all aspects of the program, 
regardless of whether they are performed by the government or the 
contractor. In contrast, EVM has historically been implemented on a 
contract-by-contract basis, and has not included government performed 
work. 

[6] These commands are Naval Air, Naval Sea, Space and Naval Warfare, 
and Naval Supply Systems. 

[7] The defense acquisition system is a framework-based approach that 
is intended to translate mission needs and requirements into stable, 
affordable, and well-managed acquisition programs. 

[8] Congressional defense committees have established reprogramming 
guidelines, including setting dollar thresholds that direct DOD to seek 
the prior approval of the committees before executing the reprogramming 
of appropriated funds. In accordance with these guidelines, DOD's 
financial management regulation provides that DOD does not need 
congressional committee approval when the amount to be reprogrammed 
falls below certain thresholds (referred to as a "below-threshold 
reprogramming"). As relevant here, as of fiscal year 2005, the 
threshold is $10 million or 20 percent of the program's appropriation, 
whichever is less. To fund shortfalls in Navy ERP, DON plans to 
reprogram amounts below this threshold from other programs. 

[9] FOC means that the system has been successfully deployed in all 
intended locations. 

[10] This 2003 estimate, which was prepared to assist in budget 
development and support the Milestone A/B approval, was for 
development, deployment, and sustainment costs in fiscal years 2003 
through 2021. 

[11] According to DOD's acquisition guidebook, an Acquisition Program 
Baseline is a program manager's estimated cost, schedule, and 
performance goals. Goals consist of objective values, which represent 
what the user desires and expects, and threshold values, which 
represent acceptable limits. When the program manager determines a 
current cost, schedule or performance threshold value will not be 
achieved, the MDA must be notified, and a new baseline developed, 
reviewed by decision makers, and, if the program is to continue, 
approved by the MDA. 

[12] According to the August 2004 Acquisition Program Baseline, this 
estimate is for acquisition, operations, and support for fiscal years 
2004 through 2021. 

[13] According to the September 2007 Acquisition Program Baseline, this 
estimate is for acquisition, operations, and support for fiscal years 
2004 through 2023. 

[14] Donald E. Harter, Mayuram S. Krishnan, and Sandra A. Slaughter, 
"Effects of Process Maturity on Quality, Cycle Time, and Effort in 
Software Product Development," Management Science, 46, no. 4 (2000); 
and Bradford K. Clark, "Quantifying the Effects of Process Improvement 
on Effort," IEEE Software (November/December 2000). 

[15] GAO, Information Technology: DOD's Acquisition Policies and 
Guidance Need to Incorporate Additional Best Practices and Controls, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-722] (Washington, 
D.C.: July 30, 2004). 

[16] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-722]. 

[17] See, for example, GAO, DOD Business Transformation: Lack of an 
Integrated Strategy Puts the Army's Asset Visibility System Investments 
at Risk, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-860] 
(Washington, D.C.: July 27, 2007); GAO, Information Technology: DOD 
Needs to Ensure That Navy Marine Corps Intranet Program Is Meeting 
Goals and Satisfying Customers, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-07-51] (Washington, D.C.: Dec. 8, 2006); GAO, Defense 
Travel System: Reported Savings Questionable and Implementation 
Challenges Remain, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-
980] (Washington, D.C.: Sept. 26, 2006); GAO, DOD Systems 
Modernization: Uncertain Joint Use and Marginal Expected Value of 
Military Asset Deployment System Warrant Reassessment of Planned 
Investment, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-171] 
(Washington, D.C.: Dec. 15, 2005); and GAO, DOD Systems Modernization: 
Planned Investment in the Navy Tactical Command Support System Needs to 
Be Reassessed, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-
215] (Washington, D.C.: Dec. 5, 2005). 

[18] Ronald W. Reagan National Defense Authorization Act for Fiscal 
Year 2005, Pub. L. No. 108-375, ï¿½ 332 (2004) (codified at 10 U.S.C. ï¿½ï¿½ 
186 and 2222). 

[19] Field/tactical refers to Army units that are deployable to 
locations around the world, such as Iraq or Afghanistan. 

[20] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-860]. 

[21] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-215]. 

[22] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-171]. 

[23] GAO, DOD Business Systems Modernization: Navy ERP Adherence to 
Best Business Practices Critical to Avoid Past Failures, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-05-858] (Washington, D.C.: Sept. 
29, 2005). 

[24] Department of Defense Architecture Framework, Version 1.0, Volume 
1 (February 2004); GAO, Information Technology: A Framework for 
Assessing and Improving Enterprise Architecture Management (Version 
1.1), [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-584G] 
(Washington, D.C.: Apr. 1, 2003); Chief Information Officer Council, A 
Practical Guide to Federal Enterprise Architecture, Version 1.0 
(February 2001); and Institute of Electrical and Electronics Engineers 
(IEEE), Standard for Recommended Practice for Architectural Description 
of Software-Intensive Systems 1471-2000 (Sept. 21, 2000). 

[25] A well-defined enterprise architecture provides a clear and 
comprehensive picture of an entity, whether it is an organization 
(e.g., a federal department) or a functional or mission area that cuts 
across more than one organization (e.g., personnel management). This 
picture consists of snapshots of both the enterprise's current or "as 
is" environment and its target or "to be" environment, as well as a 
capital investment road map for transitioning from the current to the 
target environment. These snapshots consist of integrated "views," 
which are one or more architecture products that describe, for example, 
the enterprise's business processes and rules; information needs and 
flows among functions, supporting systems, services, and applications; 
and data and technical standards and structures. 

[26] DOD has adopted a federated approach for developing its business 
mission area enterprise architecture, which includes the corporate BEA 
representing the thin layer of DOD-wide corporate architectural 
policies, capabilities, rules, and standards; component architectures 
(e.g., Navy enterprise architecture); and program architectures (e.g., 
Navy ERP architecture). 

[27] See, for example, GAO, Information Technology: FBI Is Taking Steps 
to Develop an Enterprise Architecture, but much Remains to Be 
Accomplished, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-363] 
(Washington, D.C.: Sept. 9, 2005); GAO, Homeland Security: Efforts 
Under Way to Develop Enterprise Architecture, but Much Work Remains, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-777] (Washington, 
D.C.: Aug. 6, 2004); GAO, Information Technology: Architecture Needed 
to Guide NASA's Financial Management Modernization, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-04-43] (Washington, D.C.: Nov. 
21, 2003); GAO, DOD Business Systems Modernization: Important Progress 
Made to Develop Business Enterprise Architecture, but Much Work 
Remains, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1018] 
(Washington, D.C.: Sept. 19, 2003); GAO, Information Technology: DLA 
Should Strengthen Business Systems Modernization Architecture and 
Investment Activities, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-01-631] (Washington, D.C.: June 29, 2001); and GAO, 
Information Technology: INS Needs to Better Manage the Development of 
Its Enterprise Architecture, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO/AIMD-00-212] (Washington, D.C.: Aug. 1, 2000). 

[28] DOD, Business Enterprise Architecture Compliance Guidance (Apr. 
10, 2006). 

[29] Initiated in 2003, GCSS-MC is to modernize the Marine Corps 
logistics systems and thereby provide the decision makers with timely 
and complete logistics information to support the warfighter. Moreover, 
according to program officials, both GCSS-MC and Navy ERP are under the 
leadership of Navy's Program Executive Office for Enterprise 
Information Systems, which is responsible for developing, acquiring, 
and deploying seamless enterprise-wide information technology systems. 

[30] GAO, DOD Business Systems Modernization: Progress in Establishing 
Corporate Management Controls Needs to be Replicated Within Military 
Departments, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-705] 
(Washington, D.C.: May 15, 2008). 

[31] As we recently reported, while the corporate BEA includes 
corporate policies, capabilities, rules, and standards, it is still 
evolving and will continue to add additional details. See [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-08-705]. 

[32] GAO, DOD Business Systems Modernization: Military Departments Need 
to Strengthen Management of Enterprise Architecture Programs, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-519] (Washington, 
D.C.: May 12, 2008). 

[33] GAO, DOD Business Systems Modernization: Key Navy Programs' 
Compliance with DOD's Federated Business Enterprise Architecture Needs 
to Be Adequately Demonstrated, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-08-972] (Washington, D.C.: Aug. 7, 2008). 

[34] Office of Management and Budget, Circular No. A-94: Guidelines and 
Discount Rates for Benefit-Cost Analysis of Federal Programs (Oct. 29, 
1992). 

[35] The benefits estimates for the areas are rounded; therefore, they 
add to more than $8.6 billion. 

[36] For example, the Uniform Accounting Data Process System-Inventory 
Control Points has yearly maintenance costs of $39.3 million. 

[37] These reductions in expected savings represent the costs of 
maintaining the legacy systems during the period in which the systems' 
retirement dates have been delayed. 

[38] OMB, Circular No. A-11, Preparation, Submission, and Execution of 
the Budget (Washington, D.C.: Executive Office of the President, June 
2006); Circular No. A-130 Revised, Management of Federal Information 
Resources (Washington, D.C.: Executive Office of the President, Nov. 
28, 2000); and Capital Programming Guide: Supplement to Circular A-11, 
Part 7, Preparation, Submission, and Execution of the Budget 
(Washington, D.C.: Executive Office of the President, June 2006). 

[39] GAO, Cost Assessment Guide: Best Practices for Estimating and 
Managing Program Costs, Exposure Draft, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-07-1134SP] (Washington, D.C.: 
July 2, 2007). 

[40] The Defense Cost and Resource Center is responsible for collecting 
current and historical major defense acquisition program cost and 
software resource data in a joint service environment and making those 
data available for use by authorized government analysts when 
estimating the cost of ongoing and future government programs. 

[41] GAO, DOD Business Systems Modernization: Key Marine Corps System 
Acquisition Needs to Be Better Justified, Defined, and Managed, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-822] (Washington, 
D.C.: July 28, 2008). 

[42] Sensitivity analysis reveals how the cost estimate is affected by 
a change in a single assumption or cost driver while holding all other 
variables constant. 

[43] GAO, Missile Defense: Additional Knowledge Needed in Developing 
System for Intercepting Long-Range Missiles, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-03-600] (Washington, D.C.: Aug. 
21, 2003). 

[44] OMB, Preparation, Submission, and Execution of the Budget, 
Circular A-11 (Washington, D.C.: Executive Office of the President, 
June 2006), part 7, Planning, Budgeting, Acquisition, and Management of 
Capital Assets, sec. 300. [hyperlink, 
http://www.whitehouse.gov/omb/circulars/index.html]. 

[45] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1134SP]. 

[46] Defense Contract Management Agency, Department of Defense Earned 
Value Management Implementation Guide (Washington, D.C.: October 2006); 
and [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1134SP]. 

[47] American National Standards Institute (ANSI)/Electronic Industries 
Alliance (EIA) Standard, EVM Systems Standard, ANSI/EIA-748-A-1998 
(R2002), approved May 19, 1998; revised January 2002. 

[48] Defense Contract Management Agency, Department of Defense Earned 
Value Management Implementation Guide (Washington, D.C.: October 2006). 
See also DOD Memorandum: Revision to DOD Earned Value Management Policy 
(Washington, D.C.: Mar. 7, 2005). 

[49] DON established the Center for Earned Value Management in April 
2007 to, among other things, work with program offices to improve the 
accuracy of EVM data and to provide independent assistance to program 
managers when requested. 

[50] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1134SP]. 

[51] Float time is the amount of time an activity can slip before 
affecting the critical path. 

[52] Department of the Navy, Commander, Operational Test and Evaluation 
Force, Navy Enterprise Resource Planning System Initial Operational 
Test and Evaluation, OT-C1 Final Report to the Chief of Naval 
Operations (Norfolk, VA: June 13, 2008). 

[53] Cost variances compare the earned value of the completed work with 
the actual cost of the work performed. For example, if a contractor 
completed $5 million worth of work, and the work actually cost $6.7 
million, there would be a negative $1.7 million cost variance. Schedule 
variances are also measured in dollars, but they compare the earned 
value of the work actually completed as of a point in time to the value 
of work that was expected to be completed. For example, if a contractor 
completed $5 million worth of work at the end of the month but was 
budgeted to complete $10 million worth of work, there would be a 
negative $5 million schedule variance. 

[54] This figure is the total estimated budget for the program. It 
represents the cumulative value of the budgeted cost of work scheduled 
over the life of the program. 

[55] To make these assessments, we applied earned value analysis 
techniques to data from the program's contract performance reports. 
These techniques compare budget versus actual costs versus project 
status in dollar amounts. For our analysis, we used standard earned 
value formulas to calculate cost and schedule variance and forecast the 
range of cost overrun at completion. 

[56] DOD, Defense Acquisition Guidebook, Version 1.0 (Oct. 17, 2004). 
Software Engineering Institute, Software Acquisition Capability 
Maturity Modelï¿½ version 1.03, CMU/SEI-2002-TR-010 (Pittsburgh, PA: 
March 2002). 

[57] Department of Defense, Risk Management Guide for DOD Acquisition, 
6th Edition, Version 1.0., [hyperlink, 
http://www.acq.osd.mil/sse/ed/docs/2006-RM-Guide-4Aug06-final-
version.pdf] (accessed March 13, 2008) and Software Engineering 
Institute, CMMI for Acquisition, Version 1.2, CMU/SEI-2007- TR-017 
(Pittsburgh, PA: November 2007). 

[58] The risk management board oversees risk management activities by 
assigning risk owners, approving and directing resources to facilitate 
risk handling strategies, and reviewing risk handling status. 

[59] Risk levels of high, medium or low are assigned using quantitative 
measurements of the probability of the risk occurring and the potential 
impact to the program's cost, schedule, and performance. Based on that 
assessment, a risk level is assigned to represent the risk's 
significance. 

[60] See, for example, GAO, Office of Personnel Management: Retirement 
Systems Modernization Program Faces Numerous Challenges, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-05-237] (Washington, D.C.: Feb. 
28, 2005); and GAO, Information Technology: Customs Automated 
Commercial Environment Program Progressing, but Need for Management 
Improvements Continues, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-05-267] (Washington, D.C.: Mar. 14, 2005). 

[61] Ronald W. Reagan National Defense Authorization Act for Fiscal 
Year 2005, Pub. L. No. 108-375, ï¿½ 332 (2004) (codified at 10 U.S.C. ï¿½ï¿½ 
186 and 2222). 

[62] Office of Management and Budget, Circular No. A-94: Guidelines and 
Discount Rates for Benefit-Cost Analysis of Federal Program (Oct. 29, 
1992), [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1134SP]. 

[63] Defense Contract Management Agency, Department of Defense Earned 
Value Management Implementation Guide (Washington, D.C.: Apr. 7, 2005). 
See also DOD Memorandum: Revision to DOD Earned Value Management Policy 
(Washington, D.C.: Mar. 7, 2005). 

[64] The earned value concept is applied as a means of placing a dollar 
value on project status. The techniques we used compared the program's 
budget to actual costs and project status in dollar amounts. We used 
standard earned value formulas to calculate cost and schedule variance 
and forecast the range of cost overrun at program completion. 

[65] American National Standards Institute (ANSI) /Electronic 
Industries Alliance (EIA) EVM Systems Standard, ANSI/EIA-748-A-1998 
(R2002), approved May 19, 1998; revised January 2002. 

[66] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1134SP]. 

[67] Department of Defense, Risk Management Guide for DOD Acquisition, 
6th Edition, Version 1.0., [hyperlink, 
http://www.acq.osd.mil/sse/ed/docs/2006-RM-Guide-4Aug06-final-
version.pdf] (accessed March 13, 2008) and Software Engineering 
Institute, CMMI for Acquisition, Version 1.2, CMU/SEI-2007-TR-017 
(Pittsburgh, PA: November 2007). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: 

*** End of document. ***