Defense Acquisitions: Observations on the Procurement of the Navy/Marine
Corps Intranet (Statement/Record, 03/08/2000, GAO/T-NSIAD/AIMD-00-116).

Pursuant to a congressional request, GAO discussed the Navy and Marine
Corps Intranet effort, focusing on whether the: (1) Navy acquisition
approach and implementation plan are based on appropriate analyses,
resolution of key issues, and adequate risk management activities; and
(2) Office of the Secretary of Defense is overseeing that effort with
adequate review of relevant Navy analyses and other program activities
to ensure that system interoperability and information assurance
safeguards are implemented.

GAO noted that: (1) the Navy's acquisition approach and implementation
plan for developing a Navy/Marine Corps Intranet have a number of
weaknesses that make the effort unnecessarily risky; (2) the Navy has
been working toward awarding a contract in June of this year--the result
of an aggressive, service-established goal to accomplish an initial
level of operational capability by December 2001; (3) however, the Navy
has developed and issued its request for proposals without: (a)
developing a formal analysis of program alternatives and completing a
business case analysis, to determine an appropriate acquisition strategy
for the proposed Intranet; (b) resolving key programmatic issues such as
how the Intranet arrangement is to be managed within the Navy, how the
Intranet will be funded, and how its information technology and other
personnel may be affected by the Intranet; and (c) taking certain risk
mitigation steps such as testing the proposed approach on a smaller
scale; and (4) with regards to the Office of the Secretary of Defense's
oversight of the Navy Intranet effort, GAO found that this organization
has not fully: (a) defined how it will oversee program requirements for
the Intranet effort; and (b) established that the Intranet approach will
be consistent with the Department of Defense's command, control,
communications, computer, and intelligence systems architecture,
particularly the Department's system interoperability and information
assurance requirements.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  T-NSIAD/AIMD-00-116
     TITLE:  Defense Acquisitions: Observations on the Procurement of
	     the Navy/Marine Corps Intranet
      DATE:  03/08/2000
   SUBJECT:  Naval procurement
	     Information resources management
	     Strategic information systems planning
	     Computer networks
	     Computer security
	     Systems compatibility
	     ADP procurement
IDENTIFIER:  DOD Major Automated Information System
	     JCS Joint Vision 2010
	     DOD Defense Information Assurance Program

Before the Subcommittees on Military Readiness and Military Research and
Development, Committee on Armed Services, House of Representatives

For Release on Delivery

Expected at 3:00 p.m., EST

Wednesday, March 8, 2000

DEFENSE ACQUISITIONS

Observations on the Procurement of the Navy/Marine Corps Intranet

Statement for the Record by Allen Li, Associate Director, Defense
Acquisitions Issues, National Security and International Affairs Division,
and Jack L. Brock, Jr., Director, Governmentwide and Defense Information
Systems, Accounting and Information Management Division

GAO/T-NSIAD/AIMD-00-116

Messrs. Chairmen and Members of the Subcommittees:

Thank you for the opportunity to submit this statement for the record. We
have been reviewing the Navy/Marine Corps Intranet effort (hereafter
referred to as the Intranet) at the request of the Chairman of the Military
Research and Development Subcommittee. This statement provides our
observations on that effort and focuses on determining whether the (1)
Department of the Navy's (hereafter referred to as the Navy) acquisition
approach and implementation plan are based on appropriate analyses,
resolution of key issues, and adequate risk management activities and (2)
Office of the Secretary of Defense is overseeing that effort with adequate
review of relevant Navy analyses and other program activities to ensure that
system interoperability and information assurance safeguards are
implemented.

The scope of the Intranet includes everything necessary for the
transmission, receipt, processing, and display of voice, video, and data--the
capital infrastructure and infrastructure improvements necessary to meet
quality of service requirements, as well as maintenance, training, and
operation of that infrastructure. The Navy's acquisition strategy assumes
that these capabilities can be purchased from commercial vendors as a
service. Under the Navy's acquisition approach, the Intranet contractor will
own and maintain all required desktop and network hardware and software and
provide all required information technology services. The contract service
area is to include the continental United States, Alaska, Hawaii, Guantanamo
Bay (Cuba), Puerto Rico, and Iceland for approximately 360,000 users.

On December 23, 1999, the Navy released a request for proposals for the
Intranet (the Intranet solicitation), with the expectation of awarding a
firm, fixed price contract (with performance incentives) in June 2000. The
Navy states that the Intranet "is intended to develop a long-term
arrangement with the commercial sector which transfers the responsibility
and risk for providing and managing the vast majority of Department of the
Navy (DON) desktop, server, infrastructure and communication assets and
services."

The transfer of responsibility and risk for providing these capabilities to
the contractor is being achieved by the use of a "seat management"
contract--a concept that is relatively new to government contracting. Under a
seat management contract, the government acquires desktop services and
support as a utility and pays for them on a per seat basis. Currently, no
government contract has been awarded that rivals the Navy's expected single
contract for over 360,000 seats for 5 years, with an option for an
additional 3 years and a multibillion dollar cost over its life.

On November 22, 1999, as part of our review, we sent the Assistant Secretary
of Defense for Command, Control, Communications, and Intelligence a letter
asking him to answer several questions concerning the Navy's and his
office's actions focusing on the Intranet. Our analysis of his response,
which we received on February 14, 2000, forms the analytical framework of
our observations. We also had many discussions with his staff and cognizant
Navy officials.

RESULTS IN BRIEF

The Navy's acquisition approach and implementation plan for developing a
Navy/Marine Corps Intranet have a number of weaknesses that make the effort
unnecessarily risky. The Navy has been working toward awarding a contract in
June of this year--the result of an aggressive, service-established goal to
accomplish an initial level of operational capability by December 2001.
However, the Navy has developed and issued its request for proposals without

   * developing a formal analysis of program alternatives and completing a
     business case analysis, to determine an appropriate acquisition
     strategy for the proposed Intranet;

   * resolving key programmatic issues such as how the Intranet arrangement
     is to be managed within the Navy, how the Intranet will be funded, and
     how its information technology and other personnel may be affected by
     the Intranet; and

   * taking certain risk mitigation steps such as testing the proposed
     approach on a smaller scale.

With regards to the Office of the Secretary of Defense's oversight of the
Navy Intranet effort, we found that this organization has not fully

   * defined how it will oversee program requirements for the Intranet
     effort, and
   * established that the Intranet approach will be consistent with the
     Department of Defense's command, control, communications, computer, and
     intelligence systems architecture, particularly the Department's system
     interoperability and information assurance requirements.

ACQUISITION APPROACH AND IMPLEMENTATION SCHEDULE ARE UNNECESSARILY RISKY

The Navy established its acquisition approach for the Intranet in May 1999
and has been working toward a goal of awarding a contract in June 2000, a
date accelerated from an earlier date of March 2001. The Navy accelerated
its acquisition to provide a level of initial operational capability by
December 2001--an aggressive, service-established goal not driven by specific
mission needs. In the process, the Navy did not complete important
programmatic actions prior to issuing its request for proposals, including
(1) development of a formal analysis of alternative program options and a
business case analysis, (2) resolution of key programmatic issues such as
how the Intranet will be funded, and (3) risk mitigation efforts to offset
the significant risks associated with such a large servicewide
undertaking--actions we believe could significantly reduce the risk of the
Intranet effort.

No Formal Analysis of Alternatives or Business Case Analysis

DOD Directive 5000.1 and Regulation 5000.2-R contain mandatory and
discretionary policy and procedures for management of large dollar defense
contracts. DOD Regulation 5000.2-R was designed to establish a simplified
and flexible management framework for translating mission needs into stable,
affordable, and well managed Major Defense Acquisition Programs and Major
Automated Information System acquisition programs. The regulation defines a
Major Automated Information System as an automated information system
acquisition program that is estimated to require total life-cycle costs in
excess of $360 million in fiscal year 1996 constant dollars. Navy officials
told us that they do not believe Regulation 5000.2-R applies to the Intranet
effort because they do not believe it represents the type of activity for
which the regulation was intended. Also, in response to our November 22,
1999, letter, the Assistant Secretary of Defense for Command, Control,
Communications and Intelligence stated, without explanation, that the
Intranet "does not meet the definitional criteria for Acquisition Programs
or Major Automated Information Systems (MAIS) Programs as defined in DOD
Regulation 5000.2-R." Given that the regulation is intended to be flexible
and tailorable to meet the needs of individual programs, we have not
received an adequate explanation as to why it is not being used to manage
the Intranet effort. The regulation states that it serves as a general model
for acquisition programs that do not meet the definition of a major
automated information system. While some of the requirements of Regulation
5000.2-R may not be necessary for this effort, which is based on the
assumption that services required for the Intranet currently are
commercially available, in the absence of an agreed upon oversight process,
we have looked to the 5000 series of documents for guidance on expected,
reasonable, and sound management practices.

Regulation 5000.2-R states that an analysis of alternatives is to be
prepared for covered programs at the beginning of the acquisition process to
aid and document decision-making by highlighting the relative advantages and
disadvantages of the alternatives being considered. Where appropriate, the
analysis is to include discussion of interoperability and commonality of
components/systems that are similar in function to other DOD, service, and
agency programs. Additionally, this analysis is intended to foster joint
ownership and afford a better understanding of subsequent decisions by early
identification and discussion of reasonable alternatives among
decisionmakers and staffs at all levels. For Major Automated Information
System acquisitions, the Assistant Secretary of Defense for Command,
Control, Communications and Intelligence is to designate himself or the
service Chief Information Officer as the Milestone Decision Authority--the
individual who approves transitioning an acquisition program from one
acquisition phase to the next. The Milestone Decision Authority may use
those analyses in determining whether to allow the program to transition
into its next acquisition phase.

In our November 22, 1999, letter, we asked the Assistant Secretary of
Defense for Command, Control, Communications and Intelligence--who also
serves as the DOD Chief Information Officer--whether an Analysis of
Alternatives as called for in DOD Regulation 5000.2-R had been developed for
the Intranet. The Assistant Secretary stated that a formal Analysis of
Alternatives had not been developed. He went on to state, however, that
during the first half of 1999, senior Navy leadership reviewed and
considered numerous strategies for acquiring the Navy's information
technology capabilities, including multiple implementations of information
technology capability by region or organization. He also stated that as a
result of that review, the Navy leadership decided that the requirements for
a Navy-wide information technology capability could be provided most
efficiently and effectively by the private sector under a long-term
commercial-type contract for end-to-end information technology services. In
a January 2000 message, the Chief of Naval Operations stated that the
Secretary of the Navy and he had directed the establishment of the
Navy/Marine Corps Intranet and made its use mandatory for all Navy commands.

While it did not develop a formal Analysis of Alternatives, the Navy is
presently developing a business case analysis to demonstrate the viability
of its chosen approach. That analysis is to compare the current state of
information technology affairs within the Navy to the "to be" state called
for in its Intranet solicitation and program plans. However, the Navy did
not complete its business case analysis prior to releasing its request for
proposals. Had the Navy done so, it might have been able to demonstrate the
viability of its approach and the superiority of that solution over other
alternatives.

Key Programmatic Issues Are Unresolved

The Navy decided on its Intranet acquisition strategy and released its
Intranet solicitation without having resolved key programmatic issues.
Specifically:

   * Contract management issues remain to be worked out. The Navy recognizes
     that it must have management policies, procedures, and tools in place
     to exercise operational direction over critical segments of the
     infrastructure at the Navy and Marine Corps level, and by theater
     commands. This operational direction includes the ability to (1) set
     priorities for contracted services and (2) direct changes in network
     security. The Intranet solicitation states that an organization will be
     identified by the government to act as the central point of contact to
     the contractor for Intranet operations. The Navy established a
     committee to determine how it should govern the Intranet, including a
     concept for controlling Intranet operations, and to analyze Intranet
     effort overlap with the Department's Command, Control, Communications
     and Intelligence issues and policies. This committee is still working
     to develop this organization, the roles and responsibilities of the
     various parties in the organization, and the relationship of
     operational control and contract monitoring and administration.

   * The Intranet funding plan is not fully developed. The Navy recognizes
     that funding availability and overall affordability are significant
     risks facing the Intranet program. Navy officials said that they will
     meet again to discuss the funding plan on March 16, 2000, but have no
     firm date to complete the plan, which is to identify the sources and
     amounts of funding available for the Intranet contract. Navy officials
     state that existing funding for information technology contracts and
     services will be adequate to pay for the Intranet contract. However,
     Navy officials also said this existing funding is dispersed in accounts
     that are not always identified as supporting information technology
     activities. The Navy recognizes that the resolution of Intranet funding
     availability and affordability issues may cause reductions in other
     non-information technology operations, and thus other missions may be
     affected.

The Navy may also be significantly underestimating total program costs. The
business case analysis and the associated funding plan are designed to
identify and pay costs directly attributable to the Intranet contract. Other
necessary program costs that will not be accounted for include costs to
integrate existing systems into the Intranet. In a December 1999 briefing on
its preparation for Year 2000 contingencies, the Navy reported that it has
almost 600 mission critical and an additional 1400 mission support systems.
Navy officials told us that an unknown number of these systems use different
technology than planned for the Intranet. As a result, additional costs will
be incurred if they are to be integrated into the Intranet.

   * A plan to manage the disposition of displaced personnel has not been
     completed. Navy officials told us that no one would lose their job as a
     result of an award of an Intranet contract. As a result, the Navy's
     plan should address the costs of personnel who will be displaced by the
     proposed Intranet contract. According to the Navy, the number of such
     personnel will not be known until proposals are evaluated. Given the
     Navy's position, the costs to pay affected information technology staff
     are costs that will require funding in addition to the Intranet
     contract costs. We believe the future roles of the staff likely to be
     affected and their costs to the Navy should have been weighed in
     determining an appropriate acquisition strategy.

Funding for the Navy's Intranet also raises the question of whether the
funding of a multiyear contract for services should be specifically
authorized by Congress. The Navy is proceeding under the authority of 10
U.S.C. 2306(g), which permits the head of an agency to enter into multiyear
contracts for certain services. While 10 U.S.C. 2306b(i)(3) requires that
multiyear contracts for acquisition of property greater than $500 million be
specifically authorized by Congress, there is no similar requirement for
multiyear services contracts under section 2306(g). Navy officials stated
that the Intranet contract represents an acquisition of services, not
property, and therefore the requirement for a specific authorization does
not apply. As a result, the Navy may enter into a multibillion dollar
contract without specific congressional authorization. In addition, a single
contract could be funded through a large number of programs using different
funding sources without Congress having a clear view of the effort's scope,
cost, and required funding. Navy officials stated that they have not sought
congressional authorization for the Intranet effort.

Risk Mitigation Efforts Are Insufficient

The Navy does not plan to undertake certain risk mitigation efforts that we
believe would be appropriate. For example, its acquisition approach does not
use modular contracting and has not been tested.

Intranet does not use modular approach

The Navy's Intranet acquisition approach does not use modular contracting as
suggested by the Clinger-Cohen Act of 1996. That act calls for the head of
each executive agency to use modular contracting for the acquisition of
major systems of information technology to the maximum extent possible. The
Clinger-Cohen Act states that under modular contracting, an acquisition may
be divided into smaller increments that (1) are easier to manage; (2)
address complex objectives incrementally to enhance the likelihood of
achieving workable solutions; and (3) provide for delivery, implementation,
and testing of workable systems or solutions in discrete increments.

In our November 22, 1999, letter to the Assistant Secretary of Defense for
Command, Control, Communications and Intelligence, we asked whether the
provisions of the Clinger-Cohen Act applied to the Intranet effort and
whether that effort should involve the use of a modular approach. The
Assistant Secretary stated that all the requirements of the act applied to
the Intranet effort, "with the exception of that part requiring the use of
modular contracting." The Assistant Secretary further stated that the Navy
had "determined that it is impracticable to contract for the NMCI [the
Intranet] using modular contracting, because an incremental
contract with a minimal guaranteed revenue stream would not provide
sufficient incentive to attract the investment that the program will require
from industry." We believe that without the benefit of a formal analysis of
alternatives, it is difficult to determine the basis of the Navy's position.
Alternatives to the Navy's current approach were identified. For example, a
Navy Chief Information Officer's May 11, 1999, Intranet briefing to the
Secretary of the Navy left open the question of acquisition approach and
included a program scope recommendation broken into three increments:
increment one comprising base and local area networks; increment two
comprising wide and metropolitan area networks, network distribution
services, management, and security; and increment three consisting of
shipboard local area networks, servers, end user devices, and productivity
tools.

Intranet approach not tested

Despite relying on an untried combination of performance measures and
management mechanisms, the Navy did not test its Intranet approach prior to
the release of the Intranet solicitation, nor does it plan to test that
approach before awarding a contract. The Navy's Intranet approach relies on
a defined set of performance measures that are intended to result in its
obtaining a desired level of end-state service. These performance measures
reflect a combination of measures neither previously used by the Navy nor in
the acquisition of services sized as large as the proposed Intranet.
Additionally, the Navy is still developing a management oversight process
for the Intranet contract--mechanisms that have not been through a pilot
test.

In our letter to the Assistant Secretary of Defense for Command, Control,
Communications, and Intelligence, we asked whether a small test of the
Intranet approach had been considered. The Assistant Secretary stated that a
specific pilot for the Navy Intranet was not done but noted that the Navy
"has extensive experience in 'pilot projects' such as the Oahu Base
Area Network (OBAN) and personal computer leasing." He further stated that
the Navy also had the benefit of lessons learned from other agencies and
industry experiences. The Navy's Oahu Base Area Network and personal
computer leasing experiences are not similar in scope or approach to the
planned Intranet. Based on our conversations with Navy officials and our
on-site observations of the Navy's Oahu Base Area Network project, the
proposed Intranet contract represents a different approach to attaining the
desired end-state, i.e., a services contract versus a government-owned and
operated network, such as the Oahu Base Area Network. Also, based on our
discussions with Navy officials, the Intranet solicitation defines
performance measures that were derived primarily from industry and
literature sources. The Navy was unable to direct us to a comparable Navy
contract that mirrored the intended approach to be used in their Intranet
effort. In our view, without testing, the Navy cannot be assured that it has
a workable contract approach with measures of performance that ensure it
will obtain the needed capabilities.

We also asked the Assistant Secretary whether the Department planned to
direct that the Navy's single contract, seat management approach be used
departmentwide and across all the services if it was shown to represent a
superior approach to its current means of operations. The Assistant
Secretary responded that while the Navy Intranet approach holds great
promise for the Navy specifically and DOD at large in terms of
standardization and efficiency, it would be premature to mandate it as the
Department's preferred approach. In our opinion, a pilot test could help
provide DOD confidence in the maturity of the Navy approach.

OFFICE OF THE SECRETARY OF DEFENSE HAS NOT ESTABLISHED ADEQUATE SAFEGUARDS

The Office of the Secretary of Defense has allowed the Navy to undertake its
Intranet acquisition effort without having fully defined how the Department
will oversee the program. In addition, the Office of the Secretary has not
determined that the Navy's approach fully supports the Department's Command,
Control, Communications, Computers and Intelligence systems
architecture--particularly the Department's system interoperability and
information assurance requirements.

Oversight by the Office of the Secretary of Defense is critical as the
Navy's Intranet effort and the form it takes will have departmentwide
implications. For example, the Intranet may present a change in the model
under which the Department acquires long-haul communications
services--presently acquired through the Defense Information Systems Agency.
DOD policy mandates that the Defense Information Systems Agency is to be the
manager and sole provider of long-haul communications for the Department to
ensure effective, efficient, and economical use of long-haul services.
Alteration of that model by one service could significantly affect the way
the other services and DOD agencies implement their information technology
networks--threatening the investment in and benefits of a unified long-haul
approach.

Oversight Process and Program Requirements Are Undefined

The Office of the Secretary of Defense allowed the Navy to choose an
acquisition approach and release its Intranet solicitation without having
defined a Department of Defense oversight process or set program milestones
and exit criteria consistent with DOD Regulation 5000.2-R. In July 1999, the
Navy briefed the Assistant Secretary of Defense for Command, Control,
Communications and Intelligence on its proposed Navy Intranet acquisition
plan. The Navy subsequently continued its program efforts with the
development and release of a solicitation to acquire the Navy/Marine Corps
Intranet. The Navy did this under the assumption that it was not subject to
the regulatory oversight mechanisms of DOD Regulation 5000.2-R, and without
coming to agreement with the Office of the Secretary of Defense on other
appropriate oversight mechanisms, milestones, and exit criteria. Despite a
prior requirement by the Assistant Secretary of Defense for Command,
Control, Communications and Intelligence that agreement on an oversight
mechanism was to be reached before a solicitation was released, DOD later
agreed with the Navy's release of the Intranet solicitation without having
that oversight process in place.

In response to our November 22, 1999, letter, the Assistant Secretary of
Defense for Command, Control, Communications and Intelligence stated that
the Intranet program does not meet the definition of a Major Automated
Information System acquisition program set forth in Regulation 5000.2-R. The
Assistant Secretary further commented, however, that due to the high
visibility, large dollar value, and significant impact of the Navy effort on
both the Navy and ultimately the Department, the Navy effort "will be"
designated as an initiative of special interest and that a tailored oversight
framework is being jointly developed and will be jointly approved.

In a December 3, 1999, letter to the Navy, the Assistant Secretary set two
requirements on the release of a solicitation for the Navy Intranet.
Specifically, he stated that the Navy and his office needed to (1) ensure
compliance with the requirements of the Clinger-Cohen Act of 1996 and (2)
"clearly define our mutual roles and responsibilities to allow efficient and
effective insight into the N/MCI [the Intranet] program goals and their
achievement." While DOD and the Navy have not yet agreed on an appropriate
oversight process for the Intranet acquisition, DOD agreed to the Navy's
release of its Intranet request for proposals. The Navy has received, and is
evaluating, proposals.

Interoperability and Information Assurance Objectives Remain Uncertain

In July 1996, the Chairman of the Joint Chiefs of Staff issued Joint Vision
2010 establishing a mission need for "information superiority"--the
capability to collect, process, and disseminate an uninterrupted flow of
information while exploiting or denying an adversary's ability to do the
same. In May 1997, the Commander of the Joint Warfighting Center issued a
"Concepts for Future Operations" that concluded that attainment of
information superiority will require the achievement of a fully integrated,
end-to-end connectivity of military information systems that does not
currently exist. For those visions of information superiority to be
achieved, we believe DOD and the services will need to acquire cost
effective, information technology systems and networks that offer
interoperability and are protected, i.e., provide information assurance.
These goals are reflected in the Intranet goals.

In part, the Intranet's goals are to

   * remove access, connectivity, and throughput impediments to productivity
     and speed of command;
   * quickly and securely share knowledge around the globe;
   * eliminate interoperability problems; and
   * reduce the cost of voice, data, and video services.

Given that the Joint Vision 2010 represents a defensewide need for
information superiority, there is a need to ensure that the Navy will
efficiently and effectively attain that goal because of its implications for
the attainment of defensewide information superiority. Defense Information
Systems Agency and Defense-wide Information Assurance Program reviews of the
Navy's Intranet plans and key documents were not completed prior to the
release of the Intranet solicitation.

A Defense Information Systems Agency official told us that, a couple weeks
prior to the solicitation's scheduled release, the Navy asked the Agency to
review a large volume of Intranet program documents to ensure their
interoperability and information assurance coverage. He said that, given the
volume of documents and the short time provided for review, his organization
was unable to carry out the requested review.

Ensuring information assurance is a critical goal of the Office of the
Secretary of Defense. As we reported to the Subcommittee on Military
Research and Development in June 1998, the Department of Defense is
investing billions of dollars in information superiority related systems to
implement the Joint Vision 2010 concept. That concept critically depends on
the Department's information systems and their protection, i.e., providing
information assurance. In 1997, an Assistant Secretary of Defense for
Command, Control, Communications and Intelligence report noted that the
complexity of managing DOD's information assurance efforts had increased due
to the proliferation of networks across DOD and that its decentralized
assurance management could not deal with it adequately. That report stated
that the Department of Defense lacked effective processes to (1) assess the
operational readiness of its information systems and networks, (2) identify
its information assurance requirements, and (3) ensure that those
requirements are programmed and executed in accordance with DOD's
priorities. To deal with these issues, DOD developed its Defense-wide
Information Assurance Program.

We discussed the Navy Intranet effort with the Director of the Defense-wide
Information Assurance Program. We were told that Defense-wide Information
Assurance Program staff had not reviewed the Intranet solicitation or
program due to a severe staffing shortage. The Director of the Defense-wide
Information Assurance Program noted, for example, that key billets in the
architectural and acquisition divisions remained unfilled.

OBSERVATIONS

Due to the number of significant open issues related to the Intranet effort,
the Navy would be prudent to move forward with an award of an Intranet
contract only after such issues are addressed. A well-defined and
implemented oversight approach, such as the traditional, tailorable process
provided by DOD Regulation 5000.2-R, provides a framework that minimizes
risk. We believe that development of (1) a defined acquisition process with
exit criteria, (2) a formal analysis of existing alternatives, (3) specific
performance measures, (4) a small test of the Intranet approach, and (5) a
funding plan for the Intranet would add assurance that requirements are
understood and that anticipated savings are achievable.

- - - -

This concludes our statement. We appreciate the opportunity to have it
placed in the record.

Contact and Acknowledgement

For further contacts regarding this statement, please contact Allen Li at
(202) 512-4841 or Jack L. Brock, Jr. at (202) 512-6240. Individuals making
key contributions to this statement included Robert Hadley, Joseph
McDermott, Charles Rey, Karen Richey, John Van Schaik, Bruce Thomas, Hai
Tran, and William Woods.

(707457)
