This is the accessible text file for GAO report number GAO-06-831 entitled 'Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation' which was released on September 12, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman, Committee on Government Reform, House of Representatives: August 2006: Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation: GAO-06-831: GAO Highlights: Highlights of GAO-06-831, a report to the Chairman, Committee on Government Reform, House of Representatives Why GAO Did This Study: A well-defined enterprise architecture is an essential tool for leveraging information technology (IT) to transform business and mission operations. GAO’s experience has shown that attempting to modernize and evolve IT environments without an architecture to guide and constrain investments results in operations and systems that are duplicative, not well integrated, costly to maintain, and ineffective in supporting mission goals. In light of the importance of enterprise architectures, GAO developed a five stage architecture management maturity framework that defines what needs to be done to effectively manage an architecture program. Under GAO’s framework, a fully mature architecture program is one that satisfies all elements of all stages of the framework. As agreed, GAO’s objective was to determine the status of major federal department and agency enterprise architecture efforts. What GAO Found: The state of the enterprise architecture programs at the 27 major federal departments and agencies is mixed, with several having very immature programs, several having more mature programs, and most being somewhere in between. Collectively, the majority of these architecture efforts can be viewed as a work-in-progress with much remaining to be accomplished before the federal government as a whole fully realizes their transformational value. More specifically, seven architecture programs have advanced beyond the initial stage of the GAO framework, meaning that they have fully satisfied all core elements associated with the framework’s second stage (establishing the management foundation for developing, using, and maintaining the architecture). Of these seven, three have also fully satisfied all the core elements associated with the third stage (developing the architecture). None have fully satisfied all of the core elements associated with the fourth (completing the architecture) and fifth (leveraging the architecture for organizational change) stages. Nevertheless, most have fully satisfied a number of the core elements across the stages higher than the stage in which they have met all core elements, with all 27 collectively satisfying about 80, 78, 61, and 52 percent of the stage two through five core elements, respectively (see figure). Further, most have partially satisfied additional elements across all the stages, and seven need to fully satisfy five or fewer elements to achieve the fifth stage. The key to these departments and agencies building upon their current status, and ultimately realizing the benefits that they cited architectures providing, is sustained executive leadership, as virtually all the challenges that they reported can be addressed by such leadership. Examples of the challenges are organizational parochialism and cultural resistance, adequate resources (human capital and funding), and top management understanding; examples of benefits cited are better information sharing, consolidation, improved productivity, and reduced costs. Figure: Percentage of Framework Elements Collectively Satisfied by All Departments and Agencies in Each Stage: [See PDF for Image] Source: GAO analysis of department/agency data. Note: There are no framework elements in stage 1. [End of Figure] What GAO Recommends: To increase the maturity of federal enterprise architecture efforts, GAO is making a recommendation to each department and agency aimed at improving their respective architecture programs. In commenting on a draft of this report, all but one department fully agreed with its recommendation and all but six departments and agencies fully agreed with our findings about its program. Two departments did not comment. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-831]. To view the full product, including the scope and methodology, click on the link above. For more information, contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. [End of Section] Contents: Letter: Results in Brief: Background: Overall State of Enterprise Architecture Management Is a Work-in- Progress, Although a Few Agencies Have Largely Satisfied Our Framework: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendixes: Appendix I: Reported Enterprise Architecture Costs Vary, with Contractors and Personnel Accounting for Most Costs: Appendix II: Departments and Agencies Reported Experiences with Their Architecture Tools and Frameworks: Appendix III: Objective, Scope, and Methodology: Appendix IV: Detailed Assessments of Individual Departments and Agencies against Our EA Management Maturity Framework: Appendix V: Comments from the Department of Commerce: Appendix VI: Comments from the Department of Defense: GAO Comments: Appendix VII: Comments from the Department of Education: Appendix VIII: Comments from the Department of Energy: Appendix IX: Comments from the Department of Homeland Security: GAO Comments: Appendix X: Comments from the Department of Housing and Urban Development: Appendix XI: Comments from the Department of the Interior: Appendix XII: Comments from the Department of Justice: GAO Comments: Appendix XIII: Comments from the Department of State: GAO Comments: Appendix XIV: Comments from the Department of the Treasury: Appendix XV: Comments from the Department Veterans Affairs: Appendix XVI: Comments from the Environmental Protection Agency: GAO Comments: Appendix XVII: Comments from the General Services Administration: Appendix XVIII: Comments from the National Aeronautics and Space Administration Appendix XIX: Comments from the Social Security Administration: GAO Comments: Appendix XX: Comments from the U.S. Agency for International Development: Appendix XXI: GAO Contact and Staff Acknowledgements: Tables: Table 1: Federal Enterprise Architecture Reference Models: Table 2: OMB Enterprise Architecture Assessment Framework Capability Areas: Table 3: Summary of EAMMF Version 1.1: Core Elements Categorized by Group: Table 4: Maturity Stage of Major Department and Agency Enterprise Architecture Programs: Table 5: Percent of Framework Elements Satisfied by Department and Agency Architecture Programs within Each Maturity Stage: Table 6: Departments and Agencies That Need to Satisfy 5 or Fewer Core Elements to Achieve Stage 5: Table 7: Degree to Which Departments and Agencies Are Experiencing Enterprise Architecture Challenges: Table 8: Enterprise Architecture Benefits Reported As Being or To Be Achieved to a Significant Extent: Table 9: Department and Agency Reported Satisfaction with Tools: Table 10: Department and Agency Framework Satisfaction Levels: Table 11: List of Architecture Programs Included in this Report: Table 12: Stage 2 Evaluation Criteria: Table 13: Stage 3 Evaluation Criteria: Table 14: Stage 4 Evaluation Criteria: Table 15: Stage 5 Evaluation Criteria: Table 16: Department of Agriculture Satisfaction of EAMMF: Table 17: Department of the Air Force Satisfaction of EAMMF: Table 18: Department of the Army Satisfaction of EAMMF: Table 19: Department of Commerce Satisfaction of EAMMF: Table 20: DOD Business Enterprise Architecture Satisfaction of EAMMF: Table 21: DOD Global Information Grid Satisfaction of EAMMF: Table 22: Department of Education Satisfaction of EAMMF: Table 23: Department of Energy Satisfaction of EAMMF: Table 24: Department of Health and Human Services Satisfaction of EAMMF: Table 25: Department of Homeland Security Satisfaction of EAMMF: Table 26: Department of Housing and Urban Development Satisfaction of EAMMF: Table 27: Department of the Interior Satisfaction of EAMMF: Table 28: Department of Justice Satisfaction of EAMMF: Table 29: Department of Labor Satisfaction of EAMMF: Table 30: Department of the Navy Satisfaction of EAMMF: Table 31: Joint Enterprise Architecture Satisfaction of EAMMF: Table 32: Department of Transportation Satisfaction of EAMMF: Table 33: Department of the Treasury Satisfaction of EAMMF: Table 34: Department of Veterans Affairs Satisfaction of EAMMF: Table 35: Environmental Protection Agency Satisfaction of EAMMF: Table 36: General Services Administration Satisfaction of EAMMF: Table 37: National Aeronautics and Space Administration Satisfaction of EAMMF: Table 38: National Science Foundation Satisfaction of EAMMF: Table 39: Nuclear Regulatory Commission Satisfaction of EAMMF: Table 40: Office of Personnel Management Satisfaction of EAMMF: Table 41: Small Business Administration Satisfaction of EAMMF: Table 42: Social Security Administration Satisfaction of EAMMF: Table 43: U. S. Agency for International Development Satisfaction of EAMMF: Figures: Figure 1: Summary of EAMMF Version 1.1: Maturity Stages, Critical Success Attributes, and Core Elements: Figure 2: Overall Satisfaction of Core Elements Associated with Architecture Governance Figure 3: Overall Satisfaction of Core Elements Associated with Architecture Content: Figure 4: Overall Satisfaction of Core Elements Associated with Architecture Use: Figure 5: Overall Satisfaction of Core Elements Associated with Architecture Measurement: Figure 6: Department/Agency Maturity Stage Based on Fully Versus Partially Satisfied Criterion: Figure 7: Reported Development Costs to Date for Departments and Agencies: Figure 8: Reported Estimated Completion Costs for Departments and Agencies: Figure 9: Reported Estimated Annual Maintenance Costs for Departments and Agencies: Figure 10: Breakdown of Enterprise Architecture Development Costs for all Departments and Agencies: Figure 11: Reported Enterprise Architecture Contractor Costs by Category: Figure 12: Enterprise Architecture Tools Used by Departments and Agencies: Figure 13: Frameworks Used by Departments and Agencies: Abbreviations: BEA: Business Enterprise Architecture: CIO: Chief Information Officer: DHS: Department of Homeland Security: DOD: Department of Defense: DODAF: Department of Defense Architecture Framework: DOJ: Department of Justice: EA: Enterprise Architecture: EAMMF: Enterprise Architecture Management Maturity Framework: EAMS: Enterprise Architecture Management System: EPA: Environmental Protection Agency: FAA: Federal Aviation Administration: FBI: Federal Bureau of Investigation: FEAF: Federal Enterprise Architecture Framework: FEAPMO: Federal Enterprise Architecture Program Management Office: GIG: Global Information Grid: GSA: General Services Administration: HHS: Department of Health and Human Services: HUD: Department of Housing and Urban Development: IT: Information Technology: IV&V: Independent Verification and Validation: NASA: National Aeronautics and Space Administration: NIST: National Institute of Standards and Technology: NRC: Nuclear Regulatory Commission: NSF: National Science Foundation: OMB: Office of Management and Budget: OPM: Office of Personnel Management: SBA: Small Business Administration: SSA: Social Security Administration: TOGAF: The Open Group Architecture Framework: USAID: United States Agency for International Development: USDA: United States Department of Agriculture: VA: Department of Veterans Affairs: August 14, 2006: The Honorable Tom Davis: Chairman: Committee on Government Reform: House of Representatives: A well-defined enterprise architecture[Footnote 1] is an essential tool for leveraging information technology (IT) in the transformation of business and mission operations. Our experience with federal departments and agencies has shown that attempting to modernize and evolve IT environments without an enterprise architecture to guide and constrain investments often results in operations and systems that are duplicative, not well integrated, unnecessarily costly to maintain and interface, and ineffective in supporting mission goals. Moreover, the development, implementation, and maintenance of architectures are widely recognized as hallmarks of successful public and private organizations, and their use is required by the Clinger-Cohen Act and the Office of Management and Budget (OMB). In light of the importance of these architectures, you requested that we determine the current status of major federal department and agency enterprise architecture efforts. To accomplish our objective, we surveyed 27 major federal departments and agencies using a questionnaire that was based on our maturity framework for assessing and improving enterprise architecture management,[Footnote 2] and we collected and reviewed documentation to verify agency responses. We then analyzed the results to determine the extent to which each of the 27 satisfied our maturity framework,[Footnote 3] and the challenges and benefits that each department and agency sees. We also collected information about, for example, department and agency architecture costs and architecture framework and tool use and satisfaction, which is summarized in appendixes I and II. Because our framework defines what needs to be done to effectively manage an enterprise architecture program, and not the details surrounding how it needs to be done, the scope of our review did not include assessing the quality of enterprise architecture products and activities and associated management structures and processes that make up our framework. As such, scoring high on our maturity scale should be viewed as an indicator of, and not a guarantee that, a department or agency necessarily has a well-defined architecture and that it is being effectively implemented. We conducted our work in accordance with generally accepted government auditing standards. Details of our objective, scope, and methodology are in appendix III. Results in Brief: The state of the enterprise architecture programs at the 27 major federal departments and agencies is varied, with several having very immature programs, several having more mature programs, and most being somewhere in between. Collectively, this means that the bulk of the federal government's enterprise architecture efforts can be viewed as a work in process with much to be accomplished before their transformation value is fully realized. To effectively establish and leverage enterprise architectures as instruments of organizational transformation, research by us and others show that architecture programs should be founded upon both an institutional commitment to the architecture and a measured and verified organizational capability to properly develop and use it to affect operational and technological change. Our five stage architecture framework for managing and evaluating the status of architecture efforts consists of 31 core elements related to architecture governance, content, use, and measurement that reflect these basic attributes.[Footnote 4] Of the 27 departments and agencies, 7 have advanced beyond the initial stage of our framework, meaning that they have fully satisfied all the core elements associated with the framework's second stage (establishing the management foundation for developing, using, and maintaining the architecture). Of these seven, four have also fully satisfied all the core elements associated with the third stage (developing the architecture). None have fully satisfied all of the core elements associated with the fourth (completing the architecture) and fifth (leveraging the architecture for organizational change) stages. Nevertheless, most of the departments and agencies have fully satisfied a number of the core elements across stages higher than that at which they have met all core elements. When this is considered, the profile shows that about 77 percent of the programs reviewed have fully satisfied the architecture governance core elements, 68 percent have fully satisfied the architecture content core elements, 52 percent have fully satisfied the architecture use core elements, and 47 have fully satisfied the architecture measurement core elements. Moreover, most of the departments and agencies have also partially satisfied additional core elements across all the stages. Seventeen of the departments and agencies have at least partially satisfied the core elements associated with achieving the framework's third stage, with four having partially satisfied the elements associated with achieving higher stages. As we have previously reported, the key to these departments and agencies building upon their current status, and ultimately realizing the many benefits that they cited architectures providing, will be sustained executive leadership, as virtually all the barriers that the agencies reported can be addressed through such leadership. Examples of these barriers or challenges are overcoming organizational parochialism and cultural resistance, having adequate resources (human capital and funding), and fostering top management understanding. Examples of the benefits include better information sharing, consolidation, improved productivity, and reduced costs. To assist the departments and agencies in addressing their architectural barriers, managing their architecture programs, and realizing their architecture benefits, we are making recommendations to heads of major departments and agencies for developing and implementing plans aimed at satisfying all of the conditions in our architecture management maturity framework. We received written or oral comments on a draft of this report from 25 of the departments and agencies in our review.[Footnote 5] Of the 25, 24 fully agreed with our recommendation and one department partially agreed. Nineteen departments and agencies agreed with our findings and six partially agreed. Of the six that disagreed with certain aspects of our findings, the disagreements largely centered around (1) the adequacy of the documentation that they provided to demonstrate satisfaction of a specific core element and (2) recognition of steps that they reported taking after we concluded our review. For the most part, these isolated areas of disagreement did not result in any changes to our findings for two primary reasons. First, our findings across the departments and agencies were based on consistently applied evaluation criteria governing the adequacy of documentation, and were not adjusted to accommodate any one particular department or agency. Second, our findings represent the state of each architecture program as of March 2006, and thus to be consistent do not reflect activities that may have occurred after this time. Beyond these comments, several departments and agencies offered suggestions for improving our framework, which we will consider in issuing the next version of the framework, and several provided technical comments, which we have incorporated, as appropriate, in this report. Background: An enterprise architecture is a blueprint that describes the current and desired state of an organization or functional area in both logical and technical terms, as well as a plan for transitioning between the two states. Enterprise architectures are a recognized tenet of organizational transformation and IT management in public and private organizations. Without an enterprise architecture, it is unlikely that an organization will be able to transform business processes and modernize supporting systems to minimize overlap and maximize interoperability. The concept of enterprise architectures originated in the mid-1980s; various frameworks for defining the content of these architectures have been published by government agencies and OMB. Moreover, legislation and federal guidance requires agencies to develop and use architectures. For more than a decade, we have conducted work to improve agency architecture efforts. To this end, we developed an enterprise architecture management maturity framework that provides federal agencies with a common benchmarking tool for assessing the management of their enterprise architecture efforts and developing improvement plans. Enterprise Architecture Description and Importance: An enterprise can be viewed as either a single organization or a functional area that transcends more than one organization (e.g., financial management, homeland security). An architecture can be viewed as the structure (or structural description) of any activity. Thus, enterprise architectures are basically systematically derived and captured descriptions--in useful models, diagrams, and narrative. More specifically, an architecture describes the enterprise in logical terms (such as interrelated business processes and business rules, information needs and flows, and work locations and users) as well as in technical terms (such as hardware, software, data, communications, and security attributes and performance standards). It provides these perspectives both for the enterprise's current or "as-is" environment and for its target or "to-be" environment, as well as a transition plan for moving from the "as-is" to the "to-be" environment. The importance of enterprise architectures is a basic tenet of both organizational transformation and IT management, and their effective use is a recognized hallmark of successful public and private organizations. For over a decade, we have promoted the use of architectures, recognizing them as a crucial means to a challenging end: optimized agency operations and performance. The alternative, as our work has shown, is the perpetuation of the kinds of operational environments that burden most agencies today, where a lack of integration among business operations and the IT resources supporting them leads to systems that are duplicative, poorly integrated, and unnecessarily costly to maintain and interface.[Footnote 6] Employed in concert with other important IT management controls (such as portfolio- based capital planning and investment control practices), architectures can greatly increase the chances that the organizations' operational and IT environments will be configured so as to optimize mission performance. Brief History of Architecture Frameworks and Management Guidance: During the mid-1980s, John Zachman, widely recognized as a leader in the field of enterprise architecture, identified the need to use a logical construction blueprint (i.e., an architecture) for defining and controlling the integration of systems and their components.[Footnote 7] Accordingly, Zachman developed a structure or framework for defining and capturing an architecture, which provides for six perspectives or "windows" from which to view the enterprise.[Footnote 8] Zachman also proposed six abstractions or models associated with each of these perspectives.[Footnote 9] Zachman's framework provides a way to identify and describe an entity's existing and planned component parts and the parts' relationships before the entity begins the costly and time-consuming efforts associated with developing or transforming itself. Since Zachman introduced his framework, a number of frameworks have emerged within the federal government, beginning with the publication of the National Institute of Standards and Technology (NIST) framework in 1989. Since that time, other federal entities have issued frameworks, including the Department of Defense (DOD) and the Department of the Treasury. In September 1999, the federal Chief Information Officers (CIO) Council published the Federal Enterprise Architecture Framework (FEAF), which was intended to provide federal agencies with a common construct for their architectures, thereby facilitating the coordination of common business processes, technology insertion, information flows, and system investments among federal agencies. The FEAF described an approach, including models and definitions, for developing and documenting architecture descriptions for multi-organizational functional segments of the federal government.[Footnote 10] More recently, OMB established the Federal Enterprise Architecture Program Management Office (FEAPMO) to develop a federal enterprise architecture according to a collection of five reference models (see table 1). These models are intended to facilitate governmentwide improvement through cross-agency analysis and the identification of duplicative investments, gaps, and opportunities for collaboration, interoperability, and integration within and across government agencies. Table 1: Federal Enterprise Architecture Reference Models: Reference model: Performance Reference Model; Description: Provides a common set of general performance outputs and measures for agencies to use to achieve business goals and objectives. Reference model: Business Reference Model; Description: Describes the business operations of the federal government independent of the agencies that perform them, including defining the services provided to state and local governments. Reference model: Service Component Reference Model; Description: Identifies and classifies IT service (i.e., application) components that support federal agencies and promotes the reuse of components across agencies. Reference model: Data and Information Reference Model; Description: Describes, at an aggregate level, the types of data and information that support program and business line operations, and the relationships among these types. Reference model: Technical Reference Model; Description: Describes how technology is supporting the delivery of service components, including relevant standards for implementing the technology. Source: GAO. [End of table] OMB has identified multiple purposes for the Federal Enterprise Architecture, such as the following: * informing agency enterprise architectures and facilitating their development by providing a common classification structure and vocabulary; * providing a governmentwide framework that can increase agency awareness of IT capabilities that other agencies have or plan to acquire, so that they can explore opportunities for reuse; * helping OMB decision makers identify opportunities for collaboration among agencies through the implementation of common, reusable, and interoperable solutions; and: * providing the Congress with information that it can use as it considers the authorization and appropriation of funding for federal programs. Although these post-Zachman frameworks differ in their nomenclatures and modeling approaches, each consistently provides for defining an enterprise's operations in both logical and technical terms, provides for defining these perspectives for the enterprise's current and target environments, and calls for a transition plan between the two. Several laws and regulations address enterprise architecture. For example, the Clinger-Cohen Act of 1996 directs the CIOs of major departments and agencies to develop, maintain, and facilitate the implementation of information technology architectures as a means of integrating agency goals and business processes with information technology.[Footnote 11] Also, OMB Circular A-130, which implements the Clinger-Cohen Act, requires that agencies document and submit their initial enterprise architectures to OMB and that agencies submit updates when significant changes to their enterprise architectures occur.The circular also directs OMB to use various reviews to evaluate the adequacy and efficiency of each agency's compliance with the circular. A Decade of GAO Work Has Focused on Improving Agency Enterprise Architecture Efforts: We began reviewing federal agencies' use of enterprise architectures in 1994, initially focusing on those agencies that were pursuing major systems modernization programs that were high risk. These included the National Weather Service systems modernization,[Footnote 12] the Federal Aviation Administration (FAA) air traffic control modernization,[Footnote 13] and the Internal Revenue Service tax systems modernization.[Footnote 14] Generally, we reported that these agencies' enterprise architectures were incomplete, and we made recommendations that they develop and implement complete enterprise architectures to guide their modernization efforts. Since then, we have reviewed enterprise architecture management at other federal agencies, including the Department of Education (Education),[Footnote 15] the Customs Service,[Footnote 16] the Immigration and Naturalization Service,[Footnote 17] the Centers for Medicare and Medicaid Services,[Footnote 18] FAA,[Footnote 19] and the Federal Bureau of Investigation (FBI).[Footnote 20] We have also reviewed the use of enterprise architectures for critical agency functional areas, such as the integration and sharing of terrorist watch lists across key federal departments[Footnote 21] and DOD financial management,[Footnote 22] logistics management,[Footnote 23] combat identification,[Footnote 24] and business systems modernization.[Footnote 25] These reviews continued to identify the absence of complete and enforced enterprise architectures, which in turn has led to agency business operations, systems, and data that are duplicative, incompatible, and not integrated; these conditions have either prevented agencies from sharing data or forced them to depend on expensive, custom-developed system interfaces to do so. Accordingly, we made recommendations to improve the respective architecture efforts. In some cases progress has been made, such as at DOD and FBI. As a practical matter, however, considerable time is needed to completely address the kind of substantive issues that we have raised and to make progress in establishing more mature architecture programs. In 2002 and 2003, we also published reports on the status of enterprise architectures governmentwide. The first report (February 2002)[Footnote 26] showed that about 52 percent of federal agencies self-reported having at least the management foundation that is needed to successfully develop, implement, and maintain an enterprise architecture, and that about 48 percent of agencies had not yet advanced to that basic stage of maturity. We attributed this state of architecture management to four management challenges: (1) overcoming limited executive understanding, (2) inadequate funding, (3) insufficient number of skilled staff, and (4) organizational parochialism. Additionally, we recognized OMB's efforts to promote and oversee agencies' enterprise architecture efforts. Nevertheless, we determined that OMB's leadership and oversight could be improved by, for example, using a more structured means of measuring agencies' progress and by addressing the above management challenges. The second report (November 2003)[Footnote 27] showed the percentage of agencies that had established at least a foundation for enterprise architecture management was virtually unchanged. We attributed this to long-standing enterprise architecture challenges that had yet to be addressed. In particular, more agencies reported lack of agency executive understanding of enterprise architecture and the scarcity of skilled architecture staff as significant challenges. OMB generally agreed with our findings and the need for additional agency assessments. Further, it stated that fully implementing our recommendations would require sustained management attention, and that it had begun by working with the CIO Council to establish the Chief Architect Forum and to increase the information OMB reports on enterprise architecture to Congress. Since then, OMB has developed and implemented an enterprise architecture assessment tool. According to OMB, the tool helps better understand the current state of an agency's architecture and assists agencies in integrating architectures into their decision-making processes. The latest version of the assessment tool (2.0) was released in December 2005 and includes three capability areas: (1) completion, (2) use, and (3) results. Table 2 describes each of these areas. Table 2: OMB Enterprise Architecture Assessment Framework Capability Areas: Capability area: Completion; Description: Addresses ensuring that architecture products describe the agency in terms of processes, services, data, technology, and performance and that the agency has developed a transition strategy. Capability area: Use; Description: Addresses the establishment of important management practices, processes, and policies, such as configuration management, communications, and integration of the architecture with capital planning processes. Capability area: Results; Description: Addresses the effectiveness and value of the architecture by encouraging performance measurements and using it to ensure agency policies align to OMB IT policy. Source: OMB. [End of table] The tool also includes criteria for scoring an agency's architecture program on a scale of 0 to 5.[Footnote 28] In early 2006, the major departments and agencies were required by OMB to self assess their architecture programs using the tool. OMB then used the self assessment to develop its own assessment. These assessment results are to be used in determining the agency's e-Government score within the President's Management Agenda. GAO's Enterprise Architecture Management Maturity Framework (EAMMF): In 2002, we developed version 1.0 of our Enterprise Architecture Management Maturity Framework (EAMMF) to provide federal agencies with a common benchmarking tool for planning and measuring their efforts to improve enterprise architecture management, as well as to provide OMB with a means for doing the same governmentwide. We issued an update of the framework (version 1.1) in 2003.[Footnote 29] This framework is an extension of A Practical Guide to Federal Enterprise Architecture, Version 1.0, published by the CIO Council.[Footnote 30] Version 1.1 of the framework arranges 31 core elements (practices or conditions that are needed for effective enterprise architecture management) into a matrix of five hierarchical maturity stages and four critical success attributes that apply to each stage. Within a given stage, each critical success attribute includes between one and four core elements. Based on the implicit dependencies among the core elements, the EAMMF associates each element with one of five maturity stages (see fig. 1). The core elements can be further categorized by four groups: architecture governance, content, use, and measurement. EAMMF Stages: Stage 1: Creating EA awareness. At stage 1, either an organization does not have plans to develop and use an architecture, or it has plans that do not demonstrate an awareness of the value of having and using an architecture. While stage 1 agencies may have initiated some enterprise architecture activity, these agencies' efforts are ad hoc and unstructured, lack institutional leadership and direction, and do not provide the management foundation necessary for successful enterprise architecture development as defined in stage 2. Stage 2: Building the EA management foundation. An organization at stage 2 recognizes that the enterprise architecture is a corporate asset by vesting accountability for it in an executive body that represents the entire enterprise. At this stage, an organization assigns enterprise architecture management roles and responsibilities and establishes plans for developing enterprise architecture products and for measuring program progress and product quality; it also commits the resources necessary for developing an architecture--people, processes, and tools. Specifically, a stage 2 organization has designated a chief architect and established and staffed a program office responsible for enterprise architecture development and maintenance. Further, it has established a committee or group that has responsibility for enterprise architecture governance (i.e., directing, overseeing, and approving architecture development and maintenance). This committee or group membership has enterprisewide representation. At stage 2, the organization either has plans for developing or has started developing at least some enterprise architecture products, and it has developed an enterprisewide awareness of the value of enterprise architecture and its intended use in managing its IT investments. The organization has also selected a framework and a methodology that will be the basis for developing the enterprise architecture products and has selected a tool for automating these activities. Stage 3: Developing the EA. An organization at stage 3 focuses on developing architecture products according to the selected framework, methodology, tool, and established management plans. Roles and responsibilities assigned in the previous stage are in place, and resources are being applied to develop actual enterprise architecture products. At this stage, the scope of the architecture has been defined to encompass the entire enterprise, whether organization-based or function-based. Although the products may not be complete, they are intended to describe the organization in terms of business, performance, information/data, service/application, and technology (including security explicitly in each) as provided for in the framework, methodology, tool, and management plans.[Footnote 31] Further, the products are to describe the current (as-is) and future (to-be) states and the plan for transitioning from the current to the future state (the sequencing plan). As the products are developed and evolve, they are subject to configuration management. Further, through the established enterprise architecture management foundation, the organization is tracking and measuring its progress against plans, identifying and addressing variances, as appropriate, and then reporting on its progress. Stage 4: Completing the EA. An organization at stage 4 has completed its enterprise architecture products, meaning that the products have been approved by the enterprise architecture steering committee (established in stage 2) or an investment review board, and by the CIO. The completed products collectively describe the enterprise in terms of business, performance, information/data, service/application, and technology for both its current and future operating states, and the products include a plan for transitioning from the current to the future state. Further, an independent agent has assessed the quality (i.e., completeness and accuracy) of the enterprise architecture products. Additionally, evolution of the approved products is governed by a written enterprise architecture maintenance policy approved by the head of the organization. Stage 5: Leveraging the EA to manage change. An organization at stage 5 has secured senior leadership approval of the enterprise architecture products and a written institutional policy stating that IT investments must comply with the architecture, unless granted an explicit compliance waiver. Further, decision makers are using the architecture to identify and address ongoing and proposed IT investments that are conflicting, overlapping, not strategically linked, or redundant. As a result, stage 5 entities avoid unwarranted overlap across investments and ensure maximum systems interoperability, which in turn ensures the selection and funding of IT investments with manageable risks and returns. Also, at stage 5, the organization tracks and measures enterprise architecture benefits or return on investment, and adjustments are continuously made to both the enterprise architecture management process and the enterprise architecture products. EAMMF Attributes: Attribute 1: Demonstrates commitment. Because the enterprise architecture is a corporate asset for systematically managing institutional change, the support and sponsorship of the head of the enterprise are essential to the success of the architecture effort. An approved enterprise policy statement provides such support and sponsorship, promoting institutional buy-in and encouraging resource commitment from participating components. Equally important in demonstrating commitment is vesting ownership of the architecture with an executive body that collectively owns the enterprise. Attribute 2: Provides capability to meet commitment. The success of the enterprise architecture effort depends largely on the organization's capacity to develop, maintain, and implement the enterprise architecture. Consistent with any large IT project, these capabilities include providing adequate resources (i.e., people, processes, and technology), defining clear roles and responsibilities, and defining and implementing organizational structures and process management controls that promote accountability and effective project execution. Attribute 3: Demonstrates satisfaction of commitment. Satisfaction of the organization's commitment to develop, maintain, and implement an enterprise architecture is demonstrated by the production of artifacts (e.g., the plans and products). Such artifacts demonstrate follow through--that is, actual enterprise architecture production. Satisfaction of commitment is further demonstrated by senior leadership approval of enterprise architecture documents and artifacts; such approval communicates institutional endorsement and ownership of the architecture and the change that it is intended to drive. Attribute 4: Verifies satisfaction of commitment. This attribute focuses on measuring and disclosing the extent to which efforts to develop, maintain, and implement the enterprise architecture have fulfilled stated goals or commitments of the enterprise architecture. Measuring such performance allows for tracking progress that has been made toward stated goals, allows appropriate actions to be taken when performance deviates significantly from goals, and creates incentives to influence both institutional and individual behaviors. Figure 1: Summary of EAMMF Version 1.1: Maturity Stages, Critical Success Attributes, and Core Elements: [See PDF for image] Source: GAO. Note: Each stage includes all elements of previous stages. [End of figure] EAMMF Groups: The framework's 31 core elements can also be placed in one of four groups of architecture related activities, processes, products, events, and structures. The groups are architecture governance, content, use, and measurement. These groups are generally consistent with the capability area descriptions in the previously discussed OMB enterprise architecture assessment tool. For example, OMB's completion capability area addresses ensuring that architecture products describe the agency in terms of processes, services, data, technology, and performance and that the agency has developed a transition strategy. Similarly, our content group includes developing and completing these same enterprise architecture products. In addition, OMB's results capability area addresses performance measurement as does our measurement group, and OMB's use capability area addresses many of the same elements in our governance and use groups. Table 3 lists the core elements according to EAMMF group. Table 3: Summary of EAMMF Version 1.1: Core Elements Categorized by Group: Group: Governance; Core element: Adequate resources exist (stage 2); Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA (stage 2); Program office responsible for EA development and maintenance exists (stage 2); Chief architect exists (stage 2); EA being developed using a framework, methodology, and automated tool (stage 2); EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan (stage 2); EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology (stage 2); EA plans call for business, performance, information/data, application/service, and technology to address security (stage 2); Written and approved policy exists for EA development (stage 3); Written and approved policy exists for EA maintenance (stage 4); Organization CIO has approved EA (stage 4); Committee or group representing the enterprise or the investment review board has approved current version of EA (stage 4); Written and approved organization policy exists for IT investment compliance with EA (stage 5); Organization head has approved current version of EA (stage 5). Group: Content; Core element: EA products are under configuration management (stage 3); EA products describe or will describe "as-is" environment, "to-be" environment and sequencing plan (stage 3); Both "as-is" and "to-be" environments are described or will be described in terms given in stage 2 (stage 3); These descriptions address or will address security (stage 3); EA products and management processes undergo independent verification and validation (stage 4); EA products describe "as-is" environment, "to-be" environment, and sequencing plan (stage 4); Both "as-is" and "to-be" environments are described in terms given in stage 2 (stage 4); These descriptions address security (stage 4); Process exists to formally manage EA change (stage 5); EA products are periodically updated (stage 5). Group: Use; Core element: EA is integral component of IT investment management process (stage 5); Measurement: IT investments comply with EA (stage 5). Group: Measurement; Core element: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment (stage 2); Progress against EA plans is measured and reported (stage 3); Quality of EA products is measured and reported (stage 4); Return on EA investment is measured and reported (stage 5); Compliance with EA is measured and reported (stage 5). Source: GAO. [End of table] Overall State of Enterprise Architecture Management Is a Work-in- Progress, Although a Few Agencies Have Largely Satisfied Our Framework: Most of the 27 major departments and agencies have not fully satisfied all the core elements associated with stage 2 of our maturity framework. At the same time, however, most have satisfied a number of core elements at stages 3, 4, and 5. Specifically, although only seven have fully satisfied all the stage 2 elements, the 27 have on average fully satisfied 80, 78, 61, and 52 percent of the stage 2, 3, 4, and 5 elements, respectively. Of the core elements that have been fully satisfied, 77 percent of those related to architecture governance have been fully satisfied, while 68, 52, and 47 percent of those related to architecture content, use, and measurement, respectively, have been fully satisfied. Most of the 27 have also at least partially satisfied a number of additional core elements across all the stages. For example, all but 7 have at least partially satisfied all the elements required to achieve stage 3 or higher. Collectively, this means efforts are underway to mature the management of most agency enterprise architecture programs, but overall these efforts are uneven and still a work-in-progress and they face numerous challenges that departments and agencies identified. It also means that some architecture programs provide examples from which less mature programs could learn and improve. Without mature enterprise architecture programs, some departments and agencies will not realize the many benefits that they attributed to architectures, and they are at risk of investing in IT assets that are duplicative, not well-integrated, and do not optimally support mission operations. The Degree to which Major Departments and Agencies Have Fully Satisfied Our Framework's Core Elements Is Uneven and Their Collective Efforts Can Be Viewed as a Work-in-Progress: To qualify for a given stage of maturity under our architecture management framework, a department or agency had to fully satisfy all of the core elements at that stage. Using this criterion, three departments and agencies are at stage 2, meaning that they demonstrated to us through verifiable documentation that they have established the foundational commitments and capabilities needed to manage the development of an architecture. In addition, four are at stage 3, meaning that they similarly demonstrated that their architecture development efforts reflect employment of the basic control measures in our framework. Table 4 summarizes the maturity stage of each architecture program that we assessed. Appendix IV provides the detailed results of our assessment of each department and agency architecture program against our maturity framework. Table 4: Maturity Stage of Major Department and Agency Enterprise Architecture Programs: Department/Agency: Department of Housing and Urban Development (HUD); Stage when program required to fully satisfy all elements in one stage to advance to the next: 3. Department/Agency: Department of the Interior (Interior); Stage when program required to fully satisfy all elements in one stage to advance to the next: 3. Department/Agency: Department of Justice (DOJ); Stage when program required to fully satisfy all elements in one stage to advance to the next: 3. Department/Agency: Department of Labor (Labor); Stage when program required to fully satisfy all elements in one stage to advance to the next: 3. Department/Agency: Department of Agriculture (USDA); Stage when program required to fully satisfy all elements in one stage to advance to the next: 2. Department/Agency: Department of Homeland Security (DHS); Stage when program required to fully satisfy all elements in one stage to advance to the next: 2. Department/Agency: Office of Personnel Management (OPM); Stage when program required to fully satisfy all elements in one stage to advance to the next: 2. Department/Agency: Department of the Air Force (Air Force); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Department of the Army (Army); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Department of Commerce (Commerce); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Department of Defense - Business Enterprise Architecture (BEA); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Department of Defense - Global Information Grid (GIG); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Department of Education (Education); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Department of Energy (Energy); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Department of Health and Human Services (HHS); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Department of the Navy (Navy); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Department of State (State); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Department of the Treasury (Treasury); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Department of Transportation (Transportation); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Department of Veterans Affairs (VA); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Environmental Protection Agency (EPA); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: General Services Administration (GSA); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: National Aeronautics and Space Administration (NASA); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: National Science Foundation (NSF); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Nuclear Regulatory Commission (NRC); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Small Business Administration (SBA); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: Social Security Administration (SSA); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Department/Agency: U.S. Agency for International Development (USAID); Stage when program required to fully satisfy all elements in one stage to advance to the next: 1. Source: GAO analysis of department and agency data. [End of table] While using this criterion provides an important perspective on the state of department and agency architecture programs, it can mask the fact that the programs have met a number of core elements across higher stages of maturity. When the percentage of core elements that have been fully satisfied at each stage is considered, the state of the architecture efforts generally shows both a larger number of more robust architecture programs as well as more variability across the departments and agencies. Specifically, 16 departments and agencies have fully satisfied more than 70 percent of the core elements. Examples include Commerce, which has satisfied 87 percent of the core elements, including 75 percent of the stage 5 elements, even though it is at stage 1 because its enterprise architecture approval board does not have enterprisewide representation (a stage 2 core element). Similarly, SSA, which is also a stage 1 because the agency's enterprise architecture methodology does not describe the steps for developing, maintaining, and validating the agency's enterprise architecture (a stage 2 core element), has at the same time satisfied 87 percent of all the elements, including 63 percent of the stage 5 elements. In contrast, the Army, which is also in stage 1, has satisfied but 3 percent of all framework elements. Overall, 10 agency architecture programs fully satisfied more than 75 percent of the core elements, 14 between 50 and 75 percent, and 4 fewer than 50 percent. These four included the three military departments. Table 5 summarizes for each department and agency the percentage of core elements fully satisfied in total and by maturity stage. Table 5: Percent of Framework Elements Satisfied by Department and Agency Architecture Programs within Each Maturity Stage: Stage 3; Departments/Agencies and Maturity Stages: Department of the Interior; Percent of framework elements satisfied: 97; Percent of stage 2 elements satisfied: 100; Percent of stage 3 elements satisfied: 100; Percent of stage 4 elements satisfied: 88; Percent of stage 5 elements satisfied: 100. Stage 3; Departments/Agencies and Maturity Stages: Department of Housing and Urban Development; Percent of framework elements satisfied: 94; Percent of stage 2 elements satisfied: 100; Percent of stage 3 elements satisfied: 100; Percent of stage 4 elements satisfied: 75; Percent of stage 5 elements satisfied: 100. Stage 3; Departments/Agencies and Maturity Stages: Department of Labor; Percent of framework elements satisfied: 87; Percent of stage 2 elements satisfied: 100; Percent of stage 3 elements satisfied: 100; Percent of stage 4 elements satisfied: 88; Percent of stage 5 elements satisfied: 63. Stage 3; Departments/Agencies and Maturity Stages: Department of Justice; Percent of framework elements satisfied: 77; Percent of stage 2 elements satisfied: 100; Percent of stage 3 elements satisfied: 100; Percent of stage 4 elements satisfied: 63; Percent of stage 5 elements satisfied: 50. Stage 2; Departments/Agencies and Maturity Stages: Office of Personnel Management; Percent of framework elements satisfied: 94; Percent of stage 2 elements satisfied: 100; Percent of stage 3 elements satisfied: 83; Percent of stage 4 elements satisfied: 88; Percent of stage 5 elements satisfied: 100. Stage 2; Departments/Agencies and Maturity Stages: Department of Homeland Security; Percent of framework elements satisfied: 77; Percent of stage 2 elements satisfied: 100; Percent of stage 3 elements satisfied: 83; Percent of stage 4 elements satisfied: 75; Percent of stage 5 elements satisfied: 50. Stage 2; Departments/Agencies and Maturity Stages: Department of Agriculture; Percent of framework elements satisfied: 61; Percent of stage 2 elements satisfied: 100; Percent of stage 3 elements satisfied: 67; Percent of stage 4 elements satisfied: 50; Percent of stage 5 elements satisfied: 25. Stage 1; Departments/Agencies and Maturity Stages: Department of Commerce; Percent of framework elements satisfied: 87; Percent of stage 2 elements satisfied: 89; Percent of stage 3 elements satisfied: 100; Percent of stage 4 elements satisfied: 88; Percent of stage 5 elements satisfied: 75. Stage 1; Departments/Agencies and Maturity Stages: Social Security Administration; Percent of framework elements satisfied: 87; Percent of stage 2 elements satisfied: 89; Percent of stage 3 elements satisfied: 100; Percent of stage 4 elements satisfied: 100; Percent of stage 5 elements satisfied: 63. Stage 1; Departments/Agencies and Maturity Stages: Department of Education; Percent of framework elements satisfied: 84; Percent of stage 2 elements satisfied: 89; Percent of stage 3 elements satisfied: 100; Percent of stage 4 elements satisfied: 75; Percent of stage 5 elements satisfied: 75. Stage 1; Departments/Agencies and Maturity Stages: Department of Energy; Percent of framework elements satisfied: 77; Percent of stage 2 elements satisfied: 89; Percent of stage 3 elements satisfied: 83; Percent of stage 4 elements satisfied: 88; Percent of stage 5 elements satisfied: 50. Stage 1; Departments/Agencies and Maturity Stages: National Aeronautics and Space Administration; Percent of framework elements satisfied: 71; Percent of stage 2 elements satisfied: 67; Percent of stage 3 elements satisfied: 100; Percent of stage 4 elements satisfied: 63; Percent of stage 5 elements satisfied: 63. Stage 1; Departments/Agencies and Maturity Stages: Small Business Administration; Percent of framework elements satisfied: 71; Percent of stage 2 elements satisfied: 78; Percent of stage 3 elements satisfied: 67; Percent of stage 4 elements satisfied: 75; Percent of stage 5 elements satisfied: 63. Stage 1; Departments/Agencies and Maturity Stages: Department of the Treasury; Percent of framework elements satisfied: 71; Percent of stage 2 elements satisfied: 78; Percent of stage 3 elements satisfied: 83; Percent of stage 4 elements satisfied: 63; Percent of stage 5 elements satisfied: 63. Stage 1; Departments/Agencies and Maturity Stages: Department of Health and Human Services; Percent of framework elements satisfied: 71; Percent of stage 2 elements satisfied: 89; Percent of stage 3 elements satisfied: 100; Percent of stage 4 elements satisfied: 38; Percent of stage 5 elements satisfied: 63. Stage 1; Departments/Agencies and Maturity Stages: Environmental Protection Agency; Percent of framework elements satisfied: 74; Percent of stage 2 elements satisfied: 89; Percent of stage 3 elements satisfied: 83; Percent of stage 4 elements satisfied: 88; Percent of stage 5 elements satisfied: 38. Stage 1; Departments/Agencies and Maturity Stages: Department of Defense - Global Information Grid; Percent of framework elements satisfied: 71; Percent of stage 2 elements satisfied: 89; Percent of stage 3 elements satisfied: 67; Percent of stage 4 elements satisfied: 75; Percent of stage 5 elements satisfied: 50. Stage 1; Departments/Agencies and Maturity Stages: Department of Defense - Business Enterprise Architecture; Percent of framework elements satisfied: 68; Percent of stage 2 elements satisfied: 78; Percent of stage 3 elements satisfied: 67; Percent of stage 4 elements satisfied: 63; Percent of stage 5 elements satisfied: 63. Stage 1; Departments/Agencies and Maturity Stages: Department of Veterans Affairs; Percent of framework elements satisfied: 65; Percent of stage 2 elements satisfied: 78; Percent of stage 3 elements satisfied: 83; Percent of stage 4 elements satisfied: 50; Percent of stage 5 elements satisfied: 50. Stage 1; Departments/Agencies and Maturity Stages: Department of Transportation; Percent of framework elements satisfied: 65; Percent of stage 2 elements satisfied: 78; Percent of stage 3 elements satisfied: 83; Percent of stage 4 elements satisfied: 50; Percent of stage 5 elements satisfied: 50. Stage 1; Departments/Agencies and Maturity Stages: Department of State; Percent of framework elements satisfied: 58; Percent of stage 2 elements satisfied: 67; Percent of stage 3 elements satisfied: 67; Percent of stage 4 elements satisfied: 63; Percent of stage 5 elements satisfied: 38. Stage 1; Departments/Agencies and Maturity Stages: General Services Administration; Percent of framework elements satisfied: 55; Percent of stage 2 elements satisfied: 67; Percent of stage 3 elements satisfied: 50; Percent of stage 4 elements satisfied: 50; Percent of stage 5 elements satisfied: 50. Stage 1; Departments/Agencies and Maturity Stages: Nuclear Regulatory Commission; Percent of framework elements satisfied: 55; Percent of stage 2 elements satisfied: 67; Percent of stage 3 elements satisfied: 83; Percent of stage 4 elements satisfied: 50; Percent of stage 5 elements satisfied: 25. Stage 1; Departments/Agencies and Maturity Stages: National Science Foundation; Percent of framework elements satisfied: 52; Percent of stage 2 elements satisfied: 78; Percent of stage 3 elements satisfied: 67; Percent of stage 4 elements satisfied: 25; Percent of stage 5 elements satisfied: 38. Stage 1; Departments/Agencies and Maturity Stages: Department of the Air Force; Percent of framework elements satisfied: 45; Percent of stage 2 elements satisfied: 56; Percent of stage 3 elements satisfied: 67; Percent of stage 4 elements satisfied: 38; Percent of stage 5 elements satisfied: 25. Stage 1; Departments/Agencies and Maturity Stages: Agency for International Development; Percent of framework elements satisfied: 39; Percent of stage 2 elements satisfied: 67; Percent of stage 3 elements satisfied: 50; Percent of stage 4 elements satisfied: 13; Percent of stage 5 elements satisfied: 25. Stage 1; Departments/Agencies and Maturity Stages: Department of the Navy; Percent of framework elements satisfied: 32; Percent of stage 2 elements satisfied: 44; Percent of stage 3 elements satisfied: 50; Percent of stage 4 elements satisfied: 25; Percent of stage 5 elements satisfied: 13. Stage 1; Departments/Agencies and Maturity Stages: Department of the Army; Percent of framework elements satisfied: 3; Percent of stage 2 elements satisfied: 11; Percent of stage 3 elements satisfied: 0; Percent of stage 4 elements satisfied: 0; Percent of stage 5 elements satisfied: 0. Source: GAO analysis of department and agency data. [End of table] Notwithstanding the additional perspective that the percentage of core elements fully satisfied across all stages provides, it is important to note that the staged core elements in our framework represent a hierarchical or systematic progression to establishing a well-managed architecture program, meaning that core elements associated with lower framework stages generally support the effective execution of higher maturity stage core elements. For instance, if a program has developed its full suite of "as-is" and "to-be" architecture products, including a sequencing plan (stage 4 core elements), but the products are not under configuration management (stage 3 core element), then the integrity and consistency of the products will be not be assured. Our analysis showed that this was the case for a number of architecture programs. For example, State has developed certain "as-is" and "to-be" products for the Joint Enterprise Architecture, which is being developed in collaboration with USAID, but an enterprise architecture configuration management plan has not yet been finalized. Further, not satisfying even a single core element can have a significant impact on the effectiveness of an architecture program. For example, not having adequate human capital with the requisite knowledge and skills (stage 2 core element), not using a defined framework or methodology (stage 2 core element), or not using an independent verification and validation agent (stage 4 core element), could significantly limit the quality and utility of an architecture. The DOD's experience between 2001 and 2005 in developing its BEA is a case in point. During this time, we identified the need for the department to have an enterprise architecture for its business operations, and we made a series of recommendations grounded in, among other things, our architecture management framework to ensure that it was successful in doing so.[Footnote 32] In 2005,[Footnote 33] we reported that the department had not implemented most of our recommendations. We further reported that despite developing multiple versions of a wide range of architecture products, and having invested hundreds of millions of dollars and 4 years in doing so, the department did not have a well- defined architecture and that what it had developed had limited utility. Among other things, we attributed the poor state of its architecture products to ineffective program governance, communications, program planning, human capital, and configuration management, most of which are stage 2 and 3 foundational core elements. To the department's credit, we recently reported that it has since taken a number of actions to address these fundamental weaknesses and our related recommendations and that it is now producing architecture products that provide a basis upon which to build. The significance of not satisfying a single core element is also readily apparent for elements associated with the framework's content group. In particular, the framework emphasizes the importance of planning for, developing, and completing an architecture that includes the "as-is" and the "to-be" environments as well as a plan for transitioning between the two. It also recognizes that the "as-is" and "to-be" should address the business, performance, information/data, application/service, technology, and security aspects of the enterprise. To the extent these aspects are not addressed in this way, the quality of the architecture and thus its utility will suffer. In this regard, we found examples of departments and agencies that were addressing some but not all of these aspects. For example, HUD has yet to adequately incorporate security into its architecture. This is significant because security is relevant to all the other aspects of its architecture, such as information/data and applications/services. As another example, NASA's architecture does not include a plan for transitioning from the "as-is" to the "to-be" environments. According to the administration's Chief Enterprise Architect, a transition plan has not yet been developed because of insufficient time and staff. Looking across all the departments and agencies at core elements that are fully satisfied, not by stage of maturity, but by related groupings of core elements, provides an additional perspective on the state of the federal government's architecture efforts. As noted earlier, these groupings of core elements are architecture governance, content, use, and measurement. Overall, departments and agencies on average have fully satisfied 77 percent of the governance-related elements. In particular, 93 and 96 percent of the agencies have established an architecture program office and appointed a chief architect, respectively. In addition, 93 percent have plans that call for their respective architectures to describe the "as-is" and the "to-be" environments, and for having a plan for transitioning between the two (see fig. 2). In contrast, however, the core element associated with having a committee or group with representation from across the enterprise directing, overseeing, and approving the architecture was fully satisfied by only 57 percent of the agencies. This core element is important because the architecture is a corporate asset that needs to be enterprisewide in scope and accepted by senior leadership if it is to be leveraged for organizational change. Figure 2: Overall Satisfaction of Core Elements Associated with Architecture Governance: [See PDF for image] Source: GAO analysis of department/agency data. Note: Numbers might not add to 100 percent due to rounding. [End of figure] In contrast to governance, the extent of full satisfaction of those core elements that are associated with what an architecture should contain varies widely (see fig. 3). For example, the three content elements that address prospectively what the architecture will contain, either in relation to plans or some provision for including needed content, were fully satisfied about 90 percent of the time. However, the core elements addressing whether the products now contain such content were fully satisfied much less frequently (between 54 and 68 percent of the time, depending on the core element), and the core elements associated with ensuring the quality of included content, such as employing configuration management and undergoing independent verification and validation, were also fully satisfied much less frequently (54 and 21 percent of the time, respectively). The state of these core elements raises important questions about the quality and utility of the department and agency architectures. Figure 3: Overall Satisfaction of Core Elements Associated with Architecture Content: [See PDF for image] Source: GAO analysis of department/agency data. Note: Numbers might not add to 100 percent due to rounding. [End of figure] The degree of full satisfaction of those core elements associated with the remaining two groups--use and measurement--is even lower (see figs. 4 and 5, respectively). For example, the architecture use-related core elements were fully satisfied between 39 and 64 percent of the time, while the measurement-related elements were satisfied between 14 and 71 percent. Of particular note is that only 39 percent of the departments and agencies could demonstrate that IT investments comply with their enterprise architectures, only 43 percent of the departments and agencies could demonstrate that compliance with the enterprise architecture is measured and reported, and only 14 percent were measuring and reporting on their respective architecture program's return on investment. As our work and related best practices show, the value in having an architecture is using it to affect change and produce results. Such results, as reported by the departments and agencies include improved information sharing, increased consolidation, enhanced productivity, and lower costs, all of which contribute to improved agency performance. To realize these benefits, however, IT investments need to comply with the architecture and measurement of architecture activities, including accrual of expected benefits, needs to occur. Figure 4: Overall Satisfaction of Core Elements Associated with Architecture Use: [See PDF for image] Source: GAO analysis of department/agency data. Note: Numbers might not add to 100 percent due to rounding. [End of figure] Figure 5: Overall Satisfaction of Core Elements Associated with Architecture Measurement: [See PDF for image] Source: GAO analysis of department/agency data. Note: Numbers might not add to 100 percent due to rounding. [End of figure] Most Agencies Have at Least Partially Satisfied Most Framework Elements: In those instances where departments and agencies have not fully satisfied certain core elements in our framework, most have at least partially satisfied[Footnote 34] these elements. To illustrate, 4 agencies would improve to at least stage 4 if the criterion for being a given stage was relaxed to only partially satisfying a core element. Moreover, 11 of the remaining agencies would advance by two stages under such a less demanding criterion, and only 6 would not improve their stage of maturity under these circumstances. A case in point is Commerce, which could move from stage 1 to stage 5 under these circumstances because it has fully satisfied all but four core elements and these remaining four (one each at stages 2 and 4 and two at stage 5) are partially satisfied. Another case in point is the SSA, which has fully satisfied all but four core elements (one at stage 2 and three at stage 5) and has partially satisfied three of these remaining four. If the criterion used allowed advancement to the next stage by only partially satisfying core elements, the administration would be stage 4. (See fig. 6 for a comparison of department and agency program maturity stages under the two criteria.) Figure 6: Department/Agency Maturity Stage Based on Fully Versus Partially Satisfied Criterion: [See PDF for image] Source: GAO analysis of department/agency data. [End of figure] As mentioned earlier, departments and agencies can require considerable time to completely address issues related to their respective enterprise architecture programs. It is thus important to note that even though certain core elements are partially satisfied, fully satisfying some of them may not be accomplished quickly and easily. It is also important to note the importance of fully, rather than partially, satisfying certain elements, such as those that fall within the architecture content group. In this regard, 18, 18, and 21 percent of the departments and agencies partially satisfied the following stage 4 content-related core elements, respectively: "EA products describe 'as-is' environment, 'to-be' environment and sequencing plan"; "Both 'as-is' and 'to-be' environments are described in terms of business, performance, information/data, application/service, and technology"; and "These descriptions fully address security." Not fully satisfying these elements can have important implications for the quality of an architecture, and thus its usability and results. Seven Departments or Agencies Need to Satisfy Five or Fewer Core Elements to Be at Stage 5: Seven departments or agencies would meet our criterion for stage 5 if each was to fully satisfy one to five additional core elements (see table 6). For example, Interior could achieve stage 5 by satisfying one additional element: "EA products and management processes undergo independent verification and validation." In this regard, Interior officials have drafted a statement of work intended to ensure that independent verification and validation of enterprise architecture products and management processes is performed. The other six departments and agencies are HUD and OPM, which could achieve stage 5 by satisfying two additional elements; Commerce, Labor, and SSA, which could achieve the same by satisfying four additional elements; and Education which could be at stage 5 by satisfying five additional elements. Of these seven, five have not fully satisfied the independent verification and validation core element. Notwithstanding the fact that five or fewer core elements need to be satisfied by these agencies to be at stage 5, it is important to note that in some cases the core elements not being satisfied are not only very important, but also neither quickly nor easily satisfied. For example, one of the two elements that HUD needs to satisfy is having its architecture products address security. This is extremely important as security is an integral aspect of the architecture's performance, business, information/data, application/service, and technical models, and needs to be reflected thoroughly and consistently across each of them. Table 6: Departments and Agencies That Need to Satisfy 5 or Fewer Core Elements to Achieve Stage 5: Department/agency: Department of the Interior; Number of unsatisfied elements: 1; Unsatisfied element(s): * EA products and management processes undergo independent verification and validation. Department/agency: Department of Housing and Urban Development; Number of unsatisfied elements: 2; Unsatisfied element(s): * EA products and management processes undergo independent verification and validation; * Business, performance, information/data, application/ service, and technology descriptions address security. Department/agency: Office of Personnel Management; Number of unsatisfied elements: 2; Unsatisfied element(s): * Progress against EA plans is measured and reported; * EA products and management processes undergo independent verification and validation. Department/agency: Department of Commerce; Number of unsatisfied elements: 4; Unsatisfied element(s): * Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; * Committee or group representing the enterprise or the investment review board has approved current version of EA; * Written and approved organization policy exists for IT investment compliance with EA; * IT investments comply with EA. Department/agency: Department of Labor; Number of unsatisfied elements: 4; Unsatisfied element(s): * EA products and management processes undergo independent verification and validation; * IT investments comply with EA; * Return on EA investment is measured and reported; * Compliance with EA is measured and reported. Department/agency: Social Security Administration; Number of unsatisfied elements: 4; Unsatisfied element(s): * EA is being developed using a framework, methodology, and automated tool; * Organization head has approved current version of EA; * Return on EA investment is measured and reported; * Compliance with EA is measured and reported. Department/agency: Department of Education; Number of unsatisfied elements: 5; Unsatisfied element(s): * Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; * EA products and management processes undergo independent verification and validation; * Committee or group representing the enterprise or the investment review board has approved current version of EA; * Organization head has approved current version of EA; * Return on EA investment is measured and reported. Source: GAO. [End of table] Departments and Agencies Report Numerous Challenges Facing Them in Developing and Using Enterprise Architectures: The challenges facing departments and agencies in developing and using enterprise architectures are formidable. The challenge that most departments and agencies cited as being experienced to the greatest extent is the one that having and using an architecture is intended to overcome--organizational parochialism and cultural resistance to adopting an enterprisewide mode of operation in which organizational parts are sub-optimized in order to optimize the performance and results of the enterprise as a whole. Specifically, 93 percent of the departments and agencies reported that they encountered this challenge to a significant (very great or great) or moderate extent. Other challenges reported to this same extent were ensuring that the architecture program had adequate funding (89 percent), obtaining staff skilled in the architecture discipline (86 percent), and having the department or agency senior leaders understand the importance and role of the enterprise architecture (82 percent). As we have previously reported, sustained top management leadership is the key to overcoming each of these challenges. In this regard, our enterprise architecture management maturity framework provides for such leadership and addressing these and other challenges through a number of core elements. These elements contain mechanisms aimed at, for example, establishing responsibility and accountability for the architecture with senior leaders and ensuring that the necessary institutional commitments are made to the architecture program, such as through issuance of architecture policy and provision of adequate resources (both funding and people). See table 7 for a listing of the reported challenges and the extent to which they are being experienced. Table 7: Degree to Which Departments and Agencies Are Experiencing Enterprise Architecture Challenges: Challenge: Overcoming parochialism/cultural resistance; Percentage of departments and agencies experiencing the challenge to a great or very great extent: 76. Challenge: Ensuring adequate funding; Percentage of departments and agencies experiencing the challenge to a great or very great extent: 52. Challenge: Fostering top management understanding; Percentage of departments and agencies experiencing the challenge to a great or very great extent: 48. Challenge: Obtaining skilled staff; Percentage of departments and agencies experiencing the challenge to a great or very great extent: 48. Source: GAO analysis based on department/agency data. [End of table] Many Departments and Agencies Reported That They Have Already Realized Significant Architecture Benefits, While Most Expect to Do So in the Future: A large percentage of the departments and agencies reported that they have already accrued numerous benefits from their respective architecture programs (see table 8). For example, 70 percent said that have already improved the alignment between their business operations and the IT that supports these operations to a significant extent. Such alignment is extremely important. According to our IT investment management maturity framework,[Footnote 35] alignment between business needs and IT investments is a critical process in building the foundation for an effective approach to IT investment management. In addition, 64 percent responded that they have also improved information/knowledge sharing to a significant or moderate extent. Such sharing is also very important. In 2005, for example, we added homeland security information sharing to our list of high-risk areas because despite the importance of information to fighting terrorism and maintaining the security of our nation, many aspects of homeland security information sharing remain ineffective and fragmented.[Footnote 36] Other examples of mission- effectiveness related benefits reported as already being achieved to a significant or moderate extent by roughly one-half of the departments and agencies included improved agency management and change management and improved system and application interoperability. Beyond these benefits, departments and agencies also reported already accruing, to a significant or moderate extent, a number of efficiency and productivity benefits. For example, 56 percent reported that they have increased the use of enterprise software licenses, which can permit cost savings through economies of scale purchases; 56 percent report that they have been able to consolidate their IT infrastructure environments, which can reduce the costs of operating and maintaining duplicative capabilities; 41 percent reported that they have been able to reduce the number of applications, which is a key to reducing expensive maintenance costs; and 37 percent report productivity improvements, which can free resources to focus on other high priority matters. Notwithstanding the number and extent of benefits that department and agency responses show have already been realized, these same responses also show even more benefits that they have yet to realize (see table 8). For example, 30 percent reported that they have thus far achieved, to little or no extent, better business and IT alignment. They similarly reported that they have largely untapped many other effectiveness and efficiency benefits, with between 36 and 70 percent saying these benefits have been achieved to little or no extent, depending on benefit. Moreover, for all the cited benefits, a far greater percentage of the departments and agencies (74 to 93 percent) reported that they expect to realize each of the benefits to a significant or moderate extent sometime in the future. What this suggests is that the real value in the federal government from developing and using enterprise architecture remains largely unrealized potential. Our architecture maturity framework recognizes that a key to realizing this potential is effectively managing department and agency enterprise architecture programs. However, knowing whether benefits and results are in fact being achieved requires having associated measures and metrics. In this regard, very few (21 percent) of the departments and agencies fully satisfied our stage 5 core element, "Return on EA investment is measured and reported." Without satisfying this element, it is unlikely that the degree to which expected benefits are accrued will be known. Table 8: Enterprise Architecture Benefits Reported As Being or To Be Achieved to a Significant Extent: Benefit: Improved business and information technology alignment; Percent reporting that the benefit is being achieved: 70; Percent reporting that the benefit will be achieved: 93. Benefit: Improved information/knowledge sharing; Percent reporting that the benefit is being achieved: 64; Percent reporting that the benefit will be achieved: 93. Benefit: Improved agency and change management; Percent reporting that the benefit is being achieved: 54; Percent reporting that the benefit will be achieved: 89. Benefit: Increased infrastructure consolidation; Percent reporting that the benefit is being achieved: 56; Percent reporting that the benefit will be achieved: 81. Benefit: Increased use of enterprise licenses; Percent reporting that the benefit is being achieved: 56; Percent reporting that the benefit will be achieved: 89. Benefit: Improved systems interoperability; Percent reporting that the benefit is being achieved: 48; Percent reporting that the benefit will be achieved: 93. Benefit: Improved application interoperability; Percent reporting that the benefit is being achieved: 46; Percent reporting that the benefit will be achieved: 81. Benefit: Fewer applications; Percent reporting that the benefit is being achieved: 41; Percent reporting that the benefit will be achieved: 89. Benefit: Optimized business processes; Percent reporting that the benefit is being achieved: 41; Percent reporting that the benefit will be achieved: 89. Benefit: Improved data integration; Percent reporting that the benefit is being achieved: 39; Percent reporting that the benefit will be achieved: 89. Benefit: Enhanced productivity; Percent reporting that the benefit is being achieved: 37; Percent reporting that the benefit will be achieved: 81. Benefit: Improved data reuse; Percent reporting that the benefit is being achieved: 33; Percent reporting that the benefit will be achieved: 93. Benefit: Lower system-related costs; Percent reporting that the benefit is being achieved: 30; Percent reporting that the benefit will be achieved: 85. Benefit: Reduced system complexity; Percent reporting that the benefit is being achieved: 30; Percent reporting that the benefit will be achieved: 74. Source: GAO based on department and agency data. Note: Significant extent means a very great, great, or moderate extent. [End of table] Conclusions: If managed effectively, enterprise architectures can be a useful change management and organizational transformation tool. The conditions for effectively managing enterprise architecture programs are contained in our architecture management maturity framework. While a few of the federal government's 27 major departments and agencies have fully satisfied all the conditions needed to be at stage 2 or above in our framework, many have fully satisfied a large percentage of the core elements across most of the stages, particularly those elements related to architecture governance. Nevertheless, most departments and agencies are not yet where they need to be relative to architecture content, use, and measurement and thus the federal government is not as well positioned as it should be to realize the significant benefits that a well-managed architecture program can provide. Moving beyond this status will require most departments and agencies to overcome some significant obstacles and challenges. The key to doing so continues to be sustained organizational leadership. Without such organizational leadership, the benefits of enterprise architecture will not be fully realized. Recommendations for Executive Action: To assist the 27 major departments and agencies in addressing enterprise architecture challenges, managing their architecture programs, and realizing architecture benefits, we recommend that the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Attorney General; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; the Directors of the National Science Foundation and the Office of Personnel Management; and the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs ensure that their respective enterprise architecture programs develop and implement plans for fully satisfying each of the conditions in our enterprise architecture management maturity framework. Agency Comments and Our Evaluation: We received written or oral comments on a draft of this report from 25 of the departments and agencies in our review.[Footnote 37] Of the 25 departments and agencies, all but one department fully agreed with our recommendation. Nineteen departments and agencies agreed and six partially agreed with our findings. Areas of disagreement for these six centered on (1) the adequacy of the documentation that they provided to demonstrate satisfaction of certain core elements and (2) recognition of steps that they reported taking to satisfy certain core elements after we concluded our review. For the most part, these isolated areas of disagreement did not result in any changes to our findings for two primary reasons. First, our findings across the departments and agencies were based on consistently applied evaluation criteria governing the adequacy of documentation, and were not adjusted to accommodate any one particular department or agency. Second, our findings represent the state of each architecture program as of March 2006, and thus to be consistent do not reflect activities that may have occurred after this time. Beyond these comments, several agencies offered suggestions for improving our framework, which we will consider prior to issuing the next version of the framework. The departments' and agencies' respective comments and our responses, as warranted, are as follows: * Agriculture's Associate CIO provided e-mail comments stating that the department will incorporate our recommendation into its enterprise architecture program plan. * Commerce's CIO stated in written comments that the department concurred with our findings and will consider actions to address our recommendation. Commerce's written comments are reproduced in appendix V. * DOD's Director, Architecture and Interoperability, stated in written comments that the department generally concurred with our recommendation to the five DOD architecture programs included in our review. However, the department stated that it did not concur with the one aspect of the recommendation directed at the GIG architecture concerning independent verification and validation (IV&V) because it believes that its current internal verification and validation activities are sufficient. We do not agree for two reasons. First, these internal processes are not independently performed. As we have previously reported, IV&V is a recognized hallmark of well managed programs, including architecture programs, and to be effective, it must be performed by an entity that is independent of the processes and products that are being reviewed. Second, the scope of the internal verification and validation activities only extends to a subset of the architecture products and management processes. The department also stated that it did not concur with one aspect of our finding directed at BEA addressing security. According to DOD, because GIG addresses security and the GIG states that it extends to all defense mission areas, including the business mission area, the BEA in effect addresses security. We do not fully agree. While we acknowledge that GIG addresses security and states that it is to extend to all DOD mission areas, including the business mission area, it does not describe how this will be accomplished for BEA. Moreover, nowhere in the BEA is security addressed, either through statement or reference, relative to the architecture's performance, business, information/data, application/service, and technology products. DOD's written comments, along with our responses, are reproduced in appendix VI. * Education's Assistant Secretary for Management and Acting CIO stated in written comments that the department plans to address our findings. Education's written comments are reproduced in appendix VII. * Energy's Acting Associate CIO for Information Technology Reform stated in written comments that the department concurs with our report. Energy's written comments are reproduced in appendix VIII. * DHS's Director, Departmental GAO/OIG Liaison Office, stated in written comments that the department has taken, and plans to take, steps to address our recommendation. DHS's written comments, along with our responses to its suggestions for improving our framework, are reproduced in appendix IX. DHS also provided technical comments via e- mail, which we have incorporated, as appropriate, in the report. * HUD's CIO stated in written comments that the department generally concurs with our findings and is developing a plan to address our recommendation. The CIO also provided updated information about activities that the department is taking to address security in its architecture. HUD's written comments are reproduced in appendix X. * Interior's Assistant Secretary, Policy, Management and Budget, stated in written comments that the department agrees with our findings and recommendation and that it has recently taken action to address them. Interior's written comments are reproduced in appendix XI. * DOJ's CIO stated in written comments that our findings accurately reflect the state of the department's enterprise architecture program and the areas that it needs to address. The CIO added that our report will help guide the department's architecture program and provided suggestions for improving our framework and its application. DOJ's written comments, along with our responses to its suggestions, are reproduced in appendix XII. * Labor's Deputy CIO provided e-mail comments stating that the department concurs with our findings. The Deputy CIO also provided technical comments that we have incorporated, as appropriate, in the report. * State's Assistant Secretary for Resource Management and Chief Financial Officer provided written comments that summarize actions that the department will take to fully satisfy certain core elements and that suggest some degree of disagreement with our findings relative to three other core elements. First, the department stated that its architecture configuration management plan has been approved by both the State and USAID CIOs. However, it provided no evidence to demonstrate that this was the case as of March 2006 when we concluded our review, and thus we did not change our finding relative to architecture products being under configuration management. Second, the department stated that its enterprise architecture has been approved by State and USAID executive offices. However, it did not provide any documentation showing such approval. Moreover, it did not identify which executive offices it was referring to so as to allow a determination of whether they were collectively representative of the enterprise. As a result, we did not change our finding relative to whether a committee or group representing the enterprise or an investment review board has approved the current version of the architecture. Third, the department stated that it provided us with IT investment score sheets during our review that demonstrate that investment compliance with the architecture is measured and reported. However, no such score sheets were provided to us. Therefore, we did not change our finding. The department's written comments, along with more detailed responses, are reproduced in appendix XIII. * Treasury's Associate CIO for E-Government stated in written comments that the department concurs with our findings and discussed steps being taken to mature its enterprise architecture program. The Associate CIO also stated that our findings confirm the department's need to provide executive leadership in developing its architecture program and to codify the program into department policy. Treasury's written comments are reproduced in appendix XIV. * VA's Deputy Secretary stated in written comments that the department concurred with our recommendation and that it will provide a detailed plan to implement our recommendation. VA's written comments are reproduced in appendix XV. * EPA's Acting Assistant Administrator and CIO stated in written comments that the agency generally agreed with our findings and that our assessment is a valuable benchmarking exercise that will help improve agency performance. The agency also provided comments on our findings relative to five core elements. For one of these core elements, the comments directed us to information previously provided about the agency's architecture committee that corrected our understanding and resulted in us changing our finding about this core element. With respect to the other four core elements concerning use of an architecture methodology, measurement of progress against program plans, integration of the architecture into investment decision making, and management of architecture change, the comments also directed us to information previously provided but this did not result in any changes to our findings because evidence demonstrating full satisfaction of each core element was not apparent. EPA's written comments, along with more detailed responses to each, are reproduced in appendix XVI. * GSA's Administrator stated in written comments that the agency concurs with our recommendation. The Administrator added that our findings will be critical as the agency works towards further implementing our framework's core elements. GSA's written comments are reproduced in appendix XVII. * NASA's Deputy Administrator stated in written comments that the agency concurs with our recommendation. NASA's written comments are reproduced in appendix XVIII. NASA's GAO Liaison also provided technical comments via e-mail, which we have incorporated, as appropriate, in the report. * NSF's CIO provided e-mail comments stating that the agency will use the information in our report, where applicable, for future planning and investment in its architecture program. The CIO also provided technical comments that we have incorporated, as appropriate, in the report. * NRC's GAO liaison provided e-mail comments stating that the agency substantially agrees with our findings and describing activities it has recently taken to address them. * OPM's CIO provided e-mail comments stating that the agency agrees with our findings and describing actions it is taking to address them. * SBA's GAO liaison provided e-mail comments in which the agency disagreed with our findings on two core elements. First, and notwithstanding agency officials' statements that its architecture program did not have adequate resources, the liaison did not agree with our "partially satisfied" assessment for this core element because, according to the liaison, the agency has limited discretionary funds and competing, but unfunded, federal mandates to comply with that limit discretionary funding for an agency of its size. While we acknowledge SBA's challenges, we would note that they are not unlike the resource constraints and competing priority decisions that face most agencies, and that while the reasons why an architecture program may not be adequately resourced may be justified, the fact remains that any assessment of the architecture program's maturity, and thus its likelihood of success, needs to recognize whether adequate resources exist. Therefore, we did not change our finding on this core element. Second, the liaison did not agree with our finding that the agency did not have plans for developing metrics for measuring architecture progress, quality, compliance, and return on investment. However, our review of documentation provided by SBA and cited by the liaison showed that while such plans address metric development for architecture progress, quality, and compliance, they do not address architecture return on investment. Therefore, we did not change our finding that this core element was partially satisfied. * SSA's Commissioner stated in written comments that the report is both informative and useful, and that the agency agrees with our recommendation and generally agrees with our findings. Nevertheless, the agency disagreed with our findings on two core elements. First, the agency stated that documentation provided to us showed that it has a methodology for developing, maintaining, and validating its architecture. We do not agree. In particular, our review of SSA provided documentation showed that it did not adequately describe the steps to be followed relative to development, maintenance, or validation. Second, the agency stated that having the head of the agency approve the current version of the architecture is satisfied in SSA's case because the Clinger-Cohen Act of 1996 vests its CIO with enterprise architecture approval authority and the CIO has approved the architecture. We do not agree. The core element in our framework concerning enterprise architecture approval by the agency head is derived from federal guidance and best practices upon which our framework is based. This guidance and related practices, and thus our framework, recognize that an enterprise architecture is a corporate asset that is to be owned and implemented by senior management across the enterprise, and that a key characteristic of a mature architecture program is having the architecture approved by the department or agency head. Because the Clinger-Cohen Act does not address approval of an enterprise architecture, our framework's core element for agency head approval of an enterprise architecture is not inconsistent with, and is not superseded by, that act. SSA's written comments, along with more detailed responses, are reproduced in appendix XIX. * USAID's Acting Chief Financial Officer stated in written comments stated that the agency will work with State to implement our recommendation. USAID's written comments are reproduced in appendix XX. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies of this report to the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, Small Business Administration, and U.S. Agency for International Development; the Attorney General; the Commissioners of the Nuclear Regulatory Commission and Social Security Administration; the Directors of the National Science Foundation and the Office of Personnel Management; and the Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, Interior, Labor, State, Transportation, Treasury, and Veterans Affairs. We will also make copies available to others upon request. In addition, the report will be available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov]. If you have any questions concerning this information, please contact me at (202) 512-3439 or by e-mail at hiter@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix XXI. Sincerely yours, Signed by: Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: [End of section] Appendix I: Reported Enterprise Architecture Costs Vary, with Contractors and Personnel Accounting for Most Costs: Department-and agency-reported data show wide variability in their costs to develop and maintain their enterprise architectures. Generally, the costs could be allocated to several categories with the majority of costs attributable to contractor support and agency personnel. Architecture Development and Maintenance Costs Vary: As we have previously reported, the depth and detail of the architecture to be developed and maintained is dictated by the scope and nature of the enterprise and the extent of enterprise transformation and modernization envisioned. Therefore, the architecture should be tailored to the individual enterprise and that enterprise's intended use of the architecture. Accordingly, the level of resources that a given department or agency invests in its architecture is likely to vary. Departments and agencies reported that they have collectively invested a total of $836 million to date on enterprise architecture development. Across the 27 departments and agencies, these development costs ranged from a low of $2 million by the Department of the Navy to a high of $433 million by the Department of Defense (DOD) on its Business Enterprise Architecture (BEA). Department and agency estimates of the costs to complete their planned architecture development efforts collectively total about $328 million. The department and agencies combined estimates of annual architecture maintenance costs is about $146 million. These development and maintenance estimates, however, do not include the Departments of the Army and Justice because neither provided these cost estimates. Figures 7 through 9 depict the variability of cost data reported by the departments and agencies. Figure 7: Reported Development Costs to Date for Departments and Agencies: [See PDF for image] Source: Cited departments and agencies. Note: The Departments of the Army and Justice did not provide development costs. [End of figure] Figure 8: Reported Estimated Completion Costs for Departments and Agencies: [See PDF for image] Source: Cited departments and agencies. Note: The Departments of the Air Force, Army, Energy, Justice, and Navy, the DOD's BEA and Global Information Grid (GIG), and OPM did not provide completion costs. NSF reported completion costs ($15,000), which are not identified on this figure. [End of figure] Figure 9: Reported Estimated Annual Maintenance Costs for Departments and Agencies: [See PDF for image] Source: Cited departments and agencies. Note: The Departments of the Army, Justice, and Navy did not provide maintenance costs. [End of figure] Contractor Support Accounts for the Majority of Architecture Development Costs: All of the departments and agencies reported developing their architecture in-house using contractor support. All but two of the departments and agencies allocated their respective architecture development costs to the following cost categories:[Footnote 38] contractor support, agency personnel, tools, methodologies, training, and other.[Footnote 39] These 26 agencies accounted for about $741 million of the $836 million total development costs cited above. The vast majority (84 percent) of the $741 million were allocated to contractor services ($621 million), followed next by agency personnel (13 percent or $94 million). The remaining $26 million were allocated as follows: $12 million (2 percent) to architecture tools; $9 million (1 percent) to "other" costs; $4 million (1 percent) to architecture methodologies; and $2 million (less than 1 percent) to training. (See fig. 10.) Figure 10: Breakdown of Enterprise Architecture Development Costs for all Departments and Agencies: [See PDF for image] Source: GAO analysis of department and agency data. Note: Numbers do not add to 100 percent due to rounding. [End of figure] Architecture Development Activities Were Reported as Largest Component of Contractor-Related Costs: The departments and agencies allocated the reported $621 million in contractor-related costs to the following five contractor cost categories: architecture development, independent verification and validation, methodology, support services, and other.[Footnote 40] Of these categories, architecture development activities accounted for the majority of costs--about $594 million (87 percent). The remaining $85 million was allocated as follows: $51 million (7 percent) to support services, $13 million (2 percent) to "other" costs, $11 million (2 percent) to independent verification and validation, and $10 million (1 percent) to methodologies. (See fig. 11.) Figure 11: Reported Enterprise Architecture Contractor Costs by Category: [See PDF for image] Source: GAO analysis of department and agency data. Note: Numbers do not add to 100 percent due to rounding. [End of figure] [End of section] Appendix II: Departments and Agencies Reported Experiences with Their Architecture Tools and Frameworks: Departments and agencies reported additional information related to the implementation of their enterprise architectures. This information includes architecture tools and frameworks. Departments and Agencies Reported Using a Variety of Enterprise Architecture Tools with Varying Degrees of Satisfaction: As stated in our enterprise architecture management maturity framework, an automated architecture tool serves as the repository of architecture artifacts, which are the work products that are produced and used to capture and convey architectural information. An agency's choice of tool should be based on a number of considerations, including agency needs and the size and complexity of the architecture.[Footnote 41] The departments and agencies reported that they use various automated tools to develop and maintain their enterprise architectures, with 12 reporting that they use more than one tool. In descending order of frequency, the architecture tools identified were System Architect (18 instances), Microsoft Visio (17), Metis (12), Rational Rose (8), and Enterprise Architecture Management System (EAMS) (4). In addition, 21 departments and agencies reported using one or more other architecture tools.[Footnote 42] Figure 12 shows the number of departments and agencies using each architecture tool, including the other tools.[Footnote 43] Figure 12: Enterprise Architecture Tools Used by Departments and Agencies: [See PDF for image] Source: GAO analysis of department and agency data. [End of figure] The departments and agencies also reported various levels of satisfaction with the different enterprise architecture tools. Specifically, about 75 percent of those using Microsoft Visio were either very or somewhat satisfied with the tool, as compared to about 67 percent of those using Metis, about 63 percent of those using Rational Rose, about 59 percent of those using System Architect, and 25 percent of those using EAMS. This means that the percentage of departments and agencies that were dissatisfied, either somewhat or very, with their respective tools ranged from a high of 75 percent of those using EAMS, to a low of about 6 percent of those using System Architect. No departments or agencies that used Metis, Rational Rose, or Microsoft Visio reported any dissatisfaction. See table 9 for a summary of department and agency reported satisfaction with their respective tools. Table 9: Department and Agency Reported Satisfaction with Tools: Tool name (Vendor): EAMS; Using tool: 4; Very satisfied or somewhat satisfied: 1; Number of departments and agencies: Neither satisfied nor dissatisfied: 0; Somewhat or very dissatisfied: 3; Undecided (too early to say): 0. Tool name (Vendor): Metis (Troux Technologies); Using tool: 12; Very satisfied or somewhat satisfied: 8; Number of departments and agencies: Neither satisfied nor dissatisfied: 1; Somewhat or very dissatisfied: 0; Undecided (too early to say): 3. Tool name (Vendor): Rational Rose (IBM Corporation); Using tool: 8; Very satisfied or somewhat satisfied: 5; Number of departments and agencies: Neither satisfied nor dissatisfied: 2; Somewhat or very dissatisfied: 0; Undecided (too early to say): 1. Tool name (Vendor): System Architect (Popkin Software/Telelogic AB); Using tool: 18; Very satisfied or somewhat satisfied: 10; Number of departments and agencies: Neither satisfied nor dissatisfied: 4; Somewhat or very dissatisfied: 1; Undecided (too early to say): 2. Tool name (Vendor): Visio (Microsoft Corporation); Using tool: 17; Very satisfied or somewhat satisfied: 12; Number of departments and agencies: Neither satisfied nor dissatisfied: 3; Somewhat or very dissatisfied: 0; Undecided (too early to say): 1. Tool name (Vendor): Other; Using tool: 21; Very satisfied or somewhat satisfied: 17; Number of departments and agencies: Neither satisfied nor dissatisfied: 0; Somewhat or very dissatisfied: 0; Undecided (too early to say): 1. Source: GAO based on department and agency data. Note: One agency did not indicate its satisfaction or dissatisfaction with System Architect and Visio. [End of table] Departments and Agencies Reported Using a Variety of Enterprise Architecture Frameworks with Varying Levels of Satisfaction: As we have previously stated, an enterprise architecture framework provides a formal structure for representing the architecture's content and serves as the basis for the specific architecture products and artifacts that the department or agency develops and maintains. As such, a framework helps ensure the consistent representation of information from across the organization and supports orderly capture and maintenance of architecture content. The departments and agencies reported using various frameworks to develop and maintain their enterprise architectures. The most frequently cited frameworks were the Federal Enterprise Architecture Program Management Office (FEAPMO) Reference Models (25 departments and agencies), the Federal Enterprise Architecture Framework (FEAF)[Footnote 44] (19 departments and agencies), and the Zachman Framework (17 departments and agencies), with 24 reporting using more than one framework. Other, less frequently reported frameworks were the Department of Defense Architecture Framework (DODAF), the National Institute of Standards and Technology (NIST) framework, and The Open Group Architecture Framework (TOGAF). See figure 13 for a summary of the number of departments and agencies that reported using each framework. Figure 13: Frameworks Used by Departments and Agencies: [See PDF for image] Source: GAO analysis of department and agency data. [End of figure] Departments and agencies also reported varying levels of satisfaction with their respective architecture. Specifically, about 72 percent of those using the FEAF indicated that they were either very or somewhat satisfied, and about 67 and 61 percent of those using the Zachman framework and the FEAPMO reference models, respectively, reported that they were similarly satisfied.[Footnote 45] As table 10 shows, few of the agencies that responded to our survey reported being dissatisfied with any of the frameworks.[Footnote 46] Table 10: Department and Agency Framework Satisfaction Levels: Framework (source): DODAF (Department of Defense); Using framework: 7; Very satisfied or somewhat satisfied: 4; Number of Departments and Agencies: Neither satisfied nor dissatisfied: 2; Somewhat or very dissatisfied: 0; Undecided (too early to say): 0. Framework (source): FEAF (CIO Council); Using framework: 19; Very satisfied or somewhat satisfied: 13; Number of Departments and Agencies: Neither satisfied nor dissatisfied: 3; Somewhat or very dissatisfied: 1; Undecided (too early to say): 1. Framework (source): FEAPMO Reference Models (OMB); Using framework: 25; Very satisfied or somewhat satisfied: 14; Number of Departments and Agencies: Neither satisfied nor dissatisfied: 4; Somewhat or very dissatisfied: 3; Undecided (too early to say): 2. Framework (source): NIST Framework (NIST); Using framework: 2; Very satisfied or somewhat satisfied: 1; Number of Departments and Agencies: Neither satisfied nor dissatisfied: 0; Somewhat or very dissatisfied: 1; Undecided (too early to say): 0. Framework (source): TOGAF (The Open Group); Using framework: 1; Very satisfied or somewhat satisfied: 1; Number of Departments and Agencies: Neither satisfied nor dissatisfied: 0; Somewhat or very dissatisfied: 0; Undecided (too early to say): 0. Framework (source): Zachman Framework (The Zachman Institute for Framework Advancement); Using framework: 17; Very satisfied or somewhat satisfied: 10; Number of Departments and Agencies: Neither satisfied nor dissatisfied: 4; Somewhat or very dissatisfied: 1; Undecided (too early to say): 0. Framework (source): Other; Using framework: 3; Very satisfied or somewhat satisfied: 3; Number of Departments and Agencies: Neither satisfied nor dissatisfied: 0; Somewhat or very dissatisfied: 0; Undecided (too early to say): 0. Source: GAO based on department and agency data. [End of table] [End of section] Appendix III: Objective, Scope, and Methodology: Our objective was to determine the current status of federal department and agency enterprise architecture efforts. To accomplish this objective, we focused on 28 enterprise architecture programs relating to 27 major departments and agencies. These 27 included the 24 departments and agencies included in the Chief Financial Officers Act.[Footnote 47] In addition, we included the three military services (the Departments of the Army, Air Force, and Navy) at the request of Department of Defense (DOD) officials. For the DOD, we also included both of its departmentwide enterprise architecture programs--the Global Information Grid and the Business Enterprise Architecture. The U.S. Agency for International Development (USAID), which is developing a USAID enterprise architecture and working with the Department of State (State) to develop a Joint Enterprise Architecture, asked that we evaluate its efforts to develop the USAID enterprise architecture. State officials asked that we evaluate their agency's enterprise architecture effort based the Joint Enterprise Architecture being developed with USAID. We honored both of these requests. Table 11 lists the 28 department and agency enterprise architecture programs that formed the scope of our review. Table 11: List of Architecture Programs Included in this Report: Agency: Department of Agriculture. Agency: Department of the Air Force. Agency: Department of the Army. Agency: Department of Commerce. Agency: Department of Defense - Business Enterprise Architecture. Agency: Department of Defense - Global Information Grid. Agency: Department of Education. Agency: Department of Energy. Agency: Department of Health and Human Services. Agency: Department of Homeland Security. Agency: Department of Housing and Urban Development. Agency: Department of the Interior. Agency: Department of Justice. Agency: Department of Labor. Agency: Department of the Navy. Agency: Department of State. Agency: Department of Transportation. Agency: Department of the Treasury. Agency: Department of Veterans Affairs. Agency: Environmental Protection Agency. Agency: General Services Administration. Agency: National Aeronautics and Space Administration. Agency: National Science Foundation. Agency: Nuclear Regulatory Commission. Agency: Office of Personnel Management. Agency: Small Business Administration. Agency: Social Security Administration. Agency: U.S. Agency for International Development. Source: GAO. [End of table] To determine the status of each of these architecture programs, we developed a data collection instrument based on our Enterprise Architecture Management Maturity Framework (EAMMF),[Footnote 48] and related guidance, such as OMB Circular A-130[Footnote 49] and guidance published by the federal Chief Information Officers (CIO) Council,[Footnote 50] and our past reports and guidance on the management and content of enterprise architectures.[Footnote 51] We pretested this instrument at one department and one agency. Based on the results of the pretest, we modified our instrument as appropriate to ensure that our areas of inquiry were complete and clear. Next, we identified the Chief Architect or comparable official at each of the 27 departments and agencies, and met with them to discuss our scope and methodology, share our data collection instrument, and discuss the type and nature of supporting documentation needed to verify responses to our instrument questions.[Footnote 52] On the basis of department and agency provided documentation to support their respective responses to our data collection instrument, we analyzed the extent to which each satisfied the 31 core elements in our architecture maturity framework. To guide our analysis, we defined detailed evaluation criteria for determining whether a given core element was fully satisfied, partially satisfied, or not satisfied. The criteria for the stage 2, 3, 4, and 5 core elements are contained in tables 12, 13, 14, and 15 respectively. To fully satisfy a core element, sufficient documentation had to be provided to permit us to verify that all aspects of the core element were met. To partially satisfy a core element, sufficient documentation had to be provided to permit us to verify that at least some aspects of the core element were met. Core elements that were neither fully nor partially satisfied were judged to be not satisfied. Table 12: Stage 2 Evaluation Criteria: Core element: Adequate resources exist; Evaluation criteria: Agency responded that "very adequate," "somewhat adequate," or "neither adequate nor inadequate" resources exist for funding, personnel, and tools. Core element: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Evaluation criteria: Agency (1) responded that a committee or group representing the enterprise is responsible for direction, oversight, and approval of the enterprise architecture; (2) provided a charter or other documentation supporting the group's responsibilities; and (3) provided sample meeting minutes or other documentation confirming that meetings have been held. Core element: Program office responsible for EA development and maintenance exists; Evaluation criteria: Agency (1) responded that a program office is responsible for EA development and maintenance and (2) provided documentation supporting their assertion. Core element: Chief architect exists; Evaluation criteria: Agency (1) responded that chief architect exists and (2) provided documentation or assertion that the chief architect is responsible and accountable for EA and serves as the EA program manager. Core element: EA being developed using a framework, methodology, and automated tool; Evaluation criteria: Agency (1) responded that the enterprise architecture is being developed using a framework, methodology, and automated tool; (2) provided documentation supporting the use of a framework and automated tool; and (3) provided a documented methodology that includes steps for developing, maintaining, and validating the enterprise architecture. Core element: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Evaluation criteria: Agency (1) responded that EA plans call for describing the "as-is" and "to-be" environments and a sequencing plan and (2) provided plans that document this assertion; or agency (1) responded that the EA describes the "as- is" and "to-be" environments and a sequencing plan and (2) provided documentation to support this assertion. Core element: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Evaluation criteria: Agency (1) responded that EA plans call for describing the enterprise in terms of business, performance, information/data, application/service, and technology and (2) provided plans that document this assertion; or agency (1) responded that the EA describes the enterprise in terms of business, performance, information/data, application/service, and technology and (2) provided documentation to support this assertion. Core element: EA plans call for business, performance, information/ data, application/service, and technology to address security; Evaluation criteria: Agency (1) responded that EA plans call for business, performance, information/data, application/service, and technology descriptions to address security and (2) provided plans that document this assertion; or agency (1) responded that the business, performance, information/data, application/service, and technology descriptions address security and (2) provided documentation to support this assertion. Core element: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Evaluation criteria: Agency (1) responded that EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment and (2) provided plans to support this assertion; or responded (1) that EA progress, quality, compliance, and/or return on investment is measured and reported and (2) provided support for this assertion. Source: GAO. [End of table] Table 13: Stage 3 Evaluation Criteria: Core element: Written and approved policy exists for EA development; Evaluation criteria: Agency (1) responded that a written and approved organization policy exists for EA development and (2) provided a policy that supported this assertion. Core element: EA products are under configuration management; Evaluation criteria: Agency (1) responded that EA products are under configuration management and (2) provided their formally documented configuration management approach. Core element: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Evaluation criteria: Agency (1) responded that EA plans call for describing the "as-is" and "to-be" environments and a sequencing plan, (2) provided plans that document this assertion, and (3) responded that it is "in the process of developing the EA" or that it "has developed an EA"; or agency (1) responded that the EA describes the "as-is" and "to-be" environments and a sequencing plan and (2) provided documentation to support this assertion. Core element: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Evaluation criteria: Agency (1) responded that EA plans call for describing the enterprise in terms of business, performance, information/data, application/service, and technology; (2) provided plans that document this assertion; and (3) responded that it is "in the process of developing the EA" or that it "has developed an EA"; or agency (1) responded that the EA describes the enterprise in terms of business, performance, information/data, application/service, and technology and (2) provided documentation to support this assertion. Core element: These descriptions address or will address security; Evaluation criteria: Agency (1) responded that EA plans call for business, performance, information/data, plans that document this assertion; and (3) responded that it is "in the process of developing the EA" or that it "has developed an EA"; or agency (1) responded that the business, performance, information/data, application/service, and technology descriptions address security and (2) provided documentation to support this assertion. Core element: Progress against EA plans is measured and reported; Evaluation criteria: Agency (1) responded that it measures and reports progress against plans; (2) provided a description of how progress against plans is measured and reported; and (3) provided sample reports that include sample measures. Source: GAO. [End of table] Table 14: Stage 4 Evaluation Criteria: Core element: Written and approved policy exists for EA maintenance; Evaluation criteria: Agency (1) responded that a written and approved organization policy exists for EA maintenance and (2) provided a policy that supported this assertion. Core element: EA products and management processes undergo independent verification and validation; Evaluation criteria: Agency (1) responded that EA products and management processes undergo independent verification and validation; (2) provided proof that independent verification and validation activities were conducted by an independent third party and reported outside the span of control of the chief architect; and (3) provided sample independent verification and validation reports to the audit team. Independence was a critical element for satisfaction of this item. Core element: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Evaluation criteria: Agency (1) responded that the EA describes the "as- is" and "to-be" environments and a sequencing plan; (2) provided documentation to support this assertion; and (3) responded that it has developed an EA. In addition, an agency could not receive full credit for satisfying this element unless it fully satisfied the element, "Both 'as-is' and 'to-be' environments are described in terms of business, performance, information/data, application/service, and technology.". Core element: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Evaluation criteria: Agency (1) responded that the EA describes the enterprise in terms of business, performance, information/data, application/service, and technology; (2) provided documentation to support this assertion; and (3) responded that it has developed an EA. Agencies that completed four or five required descriptions in both the "as-is" and "to-be" environments received a yes for this item. Agencies that addressed less that two of the five required descriptions in both the "as-is" and "to- be" environments received a no for this element. Core element: These descriptions address security; Evaluation criteria: Agency (1) responded that the business, performance, information/data, application/service, and technology descriptions address security; (2) provided documentation to support this assertion; and (3) responded that it has developed an EA. Core element: Organization CIO has approved EA; Evaluation criteria: Agency (1) responded that that CIO has approved the current version of the EA and (2) provided a signature page or other proof that the CIO has approved current version of EA. Core element: Committee or group representing the enterprise or the investment review board has approved current version of EA; Evaluation criteria: Agency (1) responded that a committee or group representing the enterprise or the investment review board has approved current version of EA and (2) provided meeting minutes or other proof that a committee or group representing the enterprise or the investment review board has approved current version of EA. Core element: Quality of EA products is measured and reported; Evaluation criteria: Agency (1) responded that it measures and reports product quality, (2) provided a description of how quality is measured and reported, and (3) provided sample reports that include sample measures. Source: GAO. [End of table] Table 15: Stage 5 Evaluation Criteria: Core element: Written and approved organization policy exists for IT investment compliance with EA; Evaluation criteria: Agency (1) responded that a written and approved organization policy exists for IT investment compliance with EA and (2) provided a written policy to support this assertion. Core element: Process exists to formally manage EA change; Evaluation criteria: Agency (1) responded that a process exists to formally manage EA change and (2) provided evidence to support this assertion. Core element: EA is integral component of IT investment management process; Evaluation criteria: Agency (1) responded that EA is an integral component of IT investment management process; (2) provided documentation describing how the EA is used when making IT investment decisions; (3) provided evidence that a sequencing plan exists to guide IT investments; and (4) partially or fully satisfied at least one of the following stage 3 elements: (a) EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan, (b) both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology, or (c) these descriptions address or will address security. Core element: EA products are periodically updated; Evaluation criteria: Agency (1) responded that EA products are periodically updated and (2) provided a description of the process used for updating EA products. Core element: IT investments comply with EA; Evaluation criteria: Agency (1) responded that IT investments comply with EA; (2) provided evidence that IT is not selected and approved under the organization's capital planning and investment control process unless it is compliant with the EA; and (3) partially or fully satisfied at least one of the following stage 3 elements: (a) EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan, (b) both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology, or (c) these descriptions address or will address security. Core element: Organization head has approved current version of EA; Evaluation criteria: Agency (1) responded that the organization head has approved the current version of the EA; (2) provided a signature page or other proof that organization head or a deputy organization head has approved current version of EA or provided proof of formal delegation of this activity and subsequent approval; and (3) partially or fully satisfied at least one of the following stage 3 elements: (a) EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan, (b) both "as-is" and "to-be" environments are described or will be described in terms given in Stage 2, or (c) these descriptions address or will address security. Core element: Return on EA investment is measured and reported; Evaluation criteria: Agency (1) responded that it measures and reports return on investment; (2) provided a description of how return on investment is measured and reported; and (3) provided sample reports that included sample measures. Core element: Compliance with EA is measured and reported; Evaluation criteria: Agency (1) responded that it measures and reports compliance, (2) provided a description of how compliance is measured and reported, and (3) provided sample reports that included sample measures. Source: GAO. [End of table] Our evaluation included first analyzing the extent to which each department and agency satisfied the core elements in our framework, and then meeting with department and agency representatives to discuss core elements that were not fully satisfied and why. As part of this interaction, we sought, and in some cases were provided, additional supporting documentation. We then considered this documentation in arriving at our final determinations about the degree to which each department and agency satisfied each core element in our framework. In applying our evaluation criteria, we analyzed the results of our analysis across different core elements to determine patterns and issues. Our analysis made use of computer programs that were developed by an experienced staff; these programs were independently verified. Through our data collection instrument, we also solicited from each department and agency information on enterprise architecture challenges and benefits, including the extent to which they had been or were expected to be experienced. In addition, we solicited information on architecture costs, including costs to date and estimated costs to complete and maintain each architecture. We also solicited other information, such as use of and satisfaction with architecture tools and frameworks. We analyzed these additional data to determine relevant patterns. We did not independently verify these data. The results presented in this report reflect the state of department and agency architecture programs as of March 8, 2006.[Footnote 53] We conducted our work in the Washington, D.C., metropolitan area, from May 2005 to June 2006, in accordance with generally accepted government auditing standards. [End of section] Appendix IV: Detailed Assessments of Individual Departments and Agencies against Our EA Management Maturity Framework: Department of Agriculture: Table 16 shows USDA's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 16: Department of Agriculture Satisfaction of EAMMF: Stages and core elements: Stage 1: Creating EA awareness: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stages and core elements: Stage 2: Building the EA management foundation: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements:Stage 2: Building the EA management foundation: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for developing metrics to measure and report EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: EA products are under configuration management; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: USDA plans to develop specific steps for configuration management. However, specific configuration management steps have not been developed. Stages and core elements: Stage 3: Developing EA products: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Progress against EA plans is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: USDA has limited reporting of EA progress. However, progress is not measured and reported relative to an EA program plan. Stages and core elements: Stage 4: Completing EA products: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to USDA's EA division, USDA component agencies conduct reviews of the EA products of other component agencies. However, the documentation provided did not address verification and validation of EA management processes and did not provide sufficient assurance that the EA product reviews were independent. Stages and core elements: Stage 4: Completing EA products: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to USDA's EA division, EA products describe the "as-is" environment. However, a description of the "to-be" environment and a sequencing plan have not been developed. Stages and core elements: Stage 4: Completing EA products: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to USDA's EA division, the "as-is" environment is described in terms of business and service/application. However, the "as-is" environment is not described in terms of performance, information/data, and technology and the "to-be" descriptions have not been developed. Stages and core elements: Stage 4: Completing EA products: These descriptions address security; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to USDA's EA division, it has begun developing a security architecture. However, the security architecture is still under development and does not address all the requisite descriptions. Stages and core elements: Stage 4: Completing EA products: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: USDA has a policy that encourages IT investment compliance with the EA. However, the policy does not explicitly require IT investment compliance with the EA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Process exists to formally manage EA change; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: USDA has assigned responsibility for formally managing EA change to a board and has begun to develop a process to formally manage EA change. However, evidence of this process was not provided. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA is integral component of IT investment management process; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: USDA provided documentation indicating that EA is an integral component of the IT investment management process. However, the EA does not include a sequencing plan to guide such investments. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to USDA EA officials, IT investments comply with the EA. However, documentation provided to GAO did not clearly indicate that all IT investments comply with the EA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Organization head has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to USDA EA officials, they are beginning to measure and report return on EA investment. However, documentation indicated that these reports address the integration of applications as a result of specific initiatives that are independent of the EA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Compliance with EA is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Compliance with USDA component agency architectures, which are segments of the departmentwide EA, is measured and reported. However, USDA did not provide documentation that compliance with the department EA as a whole is measured and reported. Source: GAO analysis of agency provided data. [End of table] Department of the Air Force: Table 17 shows the Air Force's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 17: Department of the Air Force Satisfaction of EAMMF: Stages and core elements: Stage 1: Creating EA awareness: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stages and core elements: Stage 2: Building the EA management foundation: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The Air Force has three committees representing the enterprise, each of which is responsible for directing, overseeing, and approving one of three segments of the EA. However, the charter for one of these committees is not approved and no evidence was provided to support that this committee has conducted any meetings. Stages and core elements: Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: A program office responsible for EA development and maintenance exists. However, the directive establishing this office has not been approved. Stages and core elements: Stage 2: Building the EA management foundation: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA being developed using a framework, methodology, and automated tool; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The Air Force uses a framework and automated tool to develop their EA. However, our analysis of the Department of Defense Architecture Framework (DODAF), which was cited as the Air Force's EA methodology, determined that it is not an EA methodology. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The Air Force plans to develop metrics to measure EA progress, compliance, and return on investment. However, plans to develop metrics to measure EA quality were not provided. Stages and core elements: Stage 3: Developing EA products: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: EA products are under configuration management; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to Air Force Architecture Policy and Guidance Office officials, EA products are not under configuration management. Stages and core elements: Stage 3: Developing EA products: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Progress against EA plans is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The Air Force has limited reporting of EA progress. However, progress is not measured and reported relative to an EA program plan. Stages and core elements: Stage 4: Completing EA products: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the Air Force Architecture Policy and Guidance Office, EA products and management processes have not undergone independent verification and validation. Stages and core elements: Stage 4: Completing EA products: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the Air Force Architecture Policy and Guidance Office, EA products describe the "as-is" environment and "to-be" environment but do not describe a sequencing plan. Stages and core elements: Stage 4: Completing EA products: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: These descriptions address security; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the Air Force Architecture Policy and Guidance Office, the "as-is" and "to-be" descriptions do not address security. Stages and core elements: Stage 4: Completing EA products: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the Air Force Architecture Policy and Guidance Office, a committee or group representing the enterprise has not approved the current version of the EA. Stages and core elements: Stage 4: Completing EA products: Quality of EA products is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the Air Force Architecture Policy and Guidance Office, quality of EA products is not measured and reported. Stages and core elements: Stage 5: Leveraging the EA for managing change: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Process exists to formally manage EA change; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the Air Force Architecture Policy and Guidance Office, a process exists to formally manage EA change. However, the process by which changes are made to the EA is not documented. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA is integral component of IT investment management process; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the Air Force Architecture Policy and Guidance Office, EA is not currently an integral component of the IT investment management process. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the Air Force Architecture Policy and Guidance Office, IT investments comply with the EA. However, no documentation of IT investment compliance with the Air Force EA was provided. Stages and core elements: Stage 5: Leveraging the EA for managing change: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the Air Force Architecture Policy and Guidance Office, the organization head has not approved the current version of the EA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the Air Force Architecture Policy and Guidance Office, return on EA investment is not measured and reported. Stages and core elements: Stage 5: Leveraging the EA for managing change: Compliance with EA is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the Air Force Architecture Policy and Guidance Office, compliance with the EA is measured and reported. However, compliance measurement and reporting is with respect to only one segment of the EA. Source: GAO analysis of agency provided data. [End of table] Department of the Army: Table 18 shows Army's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 18: Department of the Army Satisfaction of EAMMF: Stages and core elements: Stage 1: Creating EA awareness: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stages and core elements: Stage 2: Building the EA management foundation: Adequate resources exist; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to Army officials, adequate tools exist. However, according to these same officials, personnel resources are somewhat inadequate and funding resources are very inadequate. Stages and core elements: Stage 2: Building the EA management foundation: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to Army officials, committees or groups address architecture issues. However, no committee or group has specific responsibility for EA. Further, documentation did not include a charter or other description of a committee or group representing the enterprise that is responsible for directing, overseeing, and approving the EA. Stages and core elements: Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to Army officials, a program office responsible for EA development and maintenance exists. However, the program office charter is not approved. Stages and core elements: Stage 2: Building the EA management foundation: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA being developed using a framework, methodology, and automated tool; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA is being developed using a framework and automated tool. However, according to Army officials, the EA is not developed using a methodology. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to Army officials, EA plans call for describing the "as-is" environment, "to-be" environment, and sequencing plan. However, these EA plans are not approved. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to Army officials, EA plans call for describing the enterprise in terms of business, performance, information/data, application/service, and technology. However, these EA plans are not approved. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for business, performance, information/ data, application/service, and technology to address security; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to Army officials, EA plans call for business, performance, information/data, application/service, and technology to address security. However, documentation of these plans were not provided. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to Army officials, EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment. However, documentation of plans for developing metrics to measure compliance and return on investment were not provided. Stages and core elements: Stage 3: Developing EA products: Written and approved organization policy exists for EA development; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The Army policy for EA development is not approved. Stages and core elements: Stage 3: Developing EA products: EA products are under configuration management; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Some but not all EA products are under configuration management. Stages and core elements: Stage 3: Developing EA products: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to Army officials, EA products will describe the "as-is" environment, "to-be" environment, and sequencing plan. However, plans to develop these EA descriptions are not approved. Stages and core elements: Stage 3: Developing EA products: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to Army officials, EA plans call for describing the enterprise in terms of business, performance, information/data, application/service, and technology. However, these EA plans are not approved. Stages and core elements: Stage 3: Developing EA products: These descriptions address or will address security; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to Army officials, EA plans call for business, performance, information/data, application/service, and technology to address security. However, documentation of these plans was not provided. Stages and core elements: Stage 3: Developing EA products: Progress against EA plans is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Progress against plans is measured and reported for one portion of Army EA. However, progress against EA plans is not measured and reported for other EA segments that are under development. Stages and core elements: Stage 4: Completing EA products: Written and approved organization policy exists for EA maintenance; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The Army policy for EA maintenance is not approved. Stages and core elements: Stage 4: Completing EA products: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to Army officials, EA products undergo review by engineering boards and others. However, they did not provide evidence that these reviews are independent, constitute verification and validation, and include EA management processes. Stages and core elements: Stage 4: Completing EA products: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to Army officials, the EA currently consists of a partial description of the "as-is" environment. These officials stated that a complete description of the "as-is" environment as well as descriptions of the "to-be" environment and sequencing plan will be developed in the future. Stages and core elements: Stage 4: Completing EA products: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to Army officials, the "as-is" environment is described in terms of technology. These officials stated that descriptions of the "as-is" environment in terms of business, performance, and information/data as well as descriptions of the "to-be" architecture will be developed in the future. Stages and core elements: Stage 4: Completing EA products: These descriptions address security; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to Army officials, business, performance, information/data, application/service, and technology descriptions address security. However, documentation of these descriptions was not provided. Stages and core elements: Stage 4: Completing EA products: Organization CIO has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to Army officials, the organization chief information officer has not approved the EA. Stages and core elements: Stage 4: Completing EA products: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to Army officials, a committee or group representing the enterprise or the investment review board has not approved the current version of the EA. Stages and core elements: Stage 4: Completing EA products: Quality of EA products is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to Army officials, the quality of EA products is measured and reported. Further, documentation indicated that a quality evaluation was performed. However, documentation of the evaluation results was not provided. Stages and core elements: Stage 5: Leveraging the EA for managing change: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: Army officials did not provide a written and approved organization policy that explicitly requires IT investment compliance with the EA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Process exists to formally manage EA change; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: Army officials did not provide evidence of a process to formally manage EA change. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA is integral component of IT investment management process; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: Army officials did not provide documentation indicating that EA is an integral component of the IT investment management process. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA products are periodically updated; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to Army officials, EA products are not periodically updated. Stages and core elements: Stage 5: Leveraging the EA for managing change: IT investments comply with EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: Army officials did not provide documentation indicating that IT investments comply with the EA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to Army officials, the organization head has not approved the current version of the EA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: Army officials did not provide documentation indicating that return on EA investment is measured and reported. Stages and core elements: Stage 5: Leveraging the EA for managing change: Compliance with EA is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: Army officials did not provide documentation indicating that compliance with EA is measured and reported. Source: GAO analysis of agency provided data. [End of table] Department of Commerce: Table 19 shows Commerce's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 19: Department of Commerce Satisfaction of EAMMF: Stages and core elements: Stage 1: Creating EA awareness: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stages and core elements: Stage 2: Building the EA management foundation: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Commerce provided evidence that the Enterprise Architecture Advisory Group and the Enterprise Architecture Review Board are responsible for directing, overseeing, and approving EA. However, the documentation did not indicate that either group represents the enterprise. Stages and core elements: Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: EA products and management processes undergo independent verification and validation; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Commerce provided evidence that the EA Review Board has approved the current version of the EA. However, the documentation did not indicate that the board represents the enterprise. Stages and core elements: Stage 4: Completing EA products: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Commerce provided evidence that includes general references to IT investment compliance EA. However, the documentation, including a draft policy, did not require IT investment compliance with the EA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Commerce provided evidence that some but not all IT investments comply with the EA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Organization head has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Return on EA investment is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Compliance with EA is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Source: GAO analysis of agency provided data. [End of table] Department of Defense - Business Enterprise Architecture: Table 20 shows the BEA's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 20: DOD Business Enterprise Architecture Satisfaction of EAMMF: Stages and core elements: Stage 1: Creating EA awareness: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stages and core elements: Stage 2: Building the EA management foundation: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to BEA officials, the BEA will address security as evidenced by the fact that the GIG extends to all DOD missions areas, including the business mission area. However, documented plans for how and when this will be accomplished for the business mission were not provided. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA plans call for developing metrics to measure EA progress, quality, and compliance. However, according to the chief architect, EA plans do not call for developing metrics to measure return on investment. Stages and core elements: Stage 3: Developing architecture products: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing architecture products: EA products are under configuration management; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to BEA officials, EA products are under configuration management, consistent with the configuration management plan they provided. However, no documentation was provided to show that BEA is complying with this plan. Stages and core elements: Stage 3: Developing architecture products: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing architecture products: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing architecture products: These descriptions address or will address security; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to BEA officials, the BEA will address security as evidenced by the fact that the GIG extends to all DOD missions areas, including the business mission area. However, documented plans for how and when this will be accomplished for the business mission were not provided. Stages and core elements: Stage 3: Developing architecture products: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing architecture products: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing architecture products: EA products and management processes undergo independent verification and validation; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing architecture products: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: EA products describe the "to-be" environment and sequencing plan. However, EA products do not yet describe the "as-is" environment. Stages and core elements: Stage 4: Completing architecture products: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: The "to-be" environment is described in the requisite terms. However, the "as-is" environment is not yet described. Stages and core elements: Stage 4: Completing architecture products: These descriptions address security; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, these descriptions do not address security. Stages and core elements: Stage 4: Completing architecture products: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing architecture products: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing architecture products: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Process exists to formally manage EA change; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to BEA officials, a process exists to formally manage EA change. However, BEA officials provided a configuration management plan, which begins to address EA change management, but did not provide evidence that EA change management processes are fully documented. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, IT investments comply with the EA to some or little extent. However, BEA officials provided evidence that some investments have been assessed for their compliance with the BEA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Organization head has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, return on EA investment is not measured and reported. Stages and core elements: Stage 5: Leveraging the EA for managing change: Compliance with EA is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Source: GAO analysis of agency provided data. [End of table] Department of Defense - Global Information Grid: Table 21 shows the GIG's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 21: DOD Global Information Grid Satisfaction of EAMMF: Stages and core elements: Stage 1: Creating EA awareness: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stages and core elements: Stage 2: Building the EA management foundation: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for developing metrics to measure and report EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: A GIG official provided plans that call for developing metrics to measure and report EA progress, quality, and compliance. However, plans that call for developing metrics to measure and report return on EA investment were not provided. Stages and core elements: Stage 3: Developing EA products: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: EA products are under configuration management; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to a GIG official, EA products are under configuration management and they provided documentation of configuration management procedures. However, the documentation did not describe detailed steps to ensure the integrity and consistency of EA products. Stages and core elements: Stage 3: Developing EA products: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Progress against EA plans is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to a GIG official, progress against EA plans is measured and reported. However, the evidence provided consisted of (1) EA plans but no reports of progress relative to those plans and (2) contractor progress reports that did not relate to the EA plans. Stages and core elements: Stage 4: Completing EA products: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: EA products and management processes undergo independent verification and validation; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to a GIG official, EA products and management processes undergo independent verification and validation. However, the evidence provided consisted of reports on a subset of EA products and processes. Stages and core elements: Stage 4: Completing EA products: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to a GIG official, EA products describe the "as-is" environment and "to-be" environment. However, only one of six planned sequencing plans has been completed. Stages and core elements: Stage 4: Completing EA products: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA is integral component of IT investment management process; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to a GIG official, EA is an integral component of the IT investment management process. However, five of six sequencing plans to guide IT investments have not been completed. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to a GIG official, IT investments comply with the EA. However, documentation indicated that IT investments comply with the Information Assurance portion of the GIG. Stages and core elements: Stage 5: Leveraging the EA for managing change: Organization head has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to a GIG official, return on EA investment is not measured and reported. Stages and core elements: Stage 5: Leveraging the EA for managing change: Compliance with EA is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to a GIG official, compliance with the EA is measured and reported. However, documentation indicated that compliance is measured and reported relative to a portion of the EA. Source: GAO analysis of agency provided data. [End of table] Department of Education: Table 22 shows Education's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 22: Department of Education Satisfaction of EAMMF: Stages and core elements: Stage 1: Creating EA awareness: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stages and core elements: Stage 2: Building the EA management foundation: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the EA executive steering committee is responsible for directing and overseeing the EA and the investment review board is responsible for approving the EA. However, the investment review board charter does not discuss approving the EA and no documentation of investment review board approval was provided. Stages and core elements: Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Both "as- is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: EA products and management processes undergo independent verification and validation; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Some EA products have undergone independent verification and validation. However, according to the chief architect, EA management processes have not undergone independent verification and validation. Stages and core elements: Stage 4: Completing EA products: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the investment review board has approved the current version of the EA. However, no documentation of investment review board approval was provided. Stages and core elements: Stage 4: Completing EA products: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: IT investments comply with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the organization head has not explicitly approved the current version of the EA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Return on EA investment is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Return on EA investment is measured and reported. However, this activity is limited to one EA segment. Stages and core elements: Stage 5: Leveraging the EA for managing change: Compliance with EA is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Source: GAO analysis of agency provided data. [End of table] Department of Energy: Table 23 shows Energy's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 23: Department of Energy Satisfaction of EAMMF: Stages and core elements: Stage 1: Creating EA awareness: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stages and core elements: Stage 2: Building the EA management foundation: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for developing metrics to measure and report EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA plans call for developing metrics to measure and report EA progress, quality, and compliance. However, they do not call for developing metrics to measure and report EA return on investment. Stages and core elements: Stage 3: Developing EA products: Written and approved organization policy exists for EA development; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a written and approved organization policy for EA development does not exist. Stages and core elements: Stage 3: Developing EA products: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Written and approved organization policy exists for EA maintenance; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a written and approved organization policy for EA maintenance does not exist. Stages and core elements: Stage 4: Completing EA products: EA products and management processes undergo independent verification and validation; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Process exists to formally manage EA change; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a process exists to formally manage EA change. However, the process does not include specific steps to be followed. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, IT investments comply with the EA to a "great extent." However, evidence provided to GAO shows that some IT investments do not meet Energy's EA compliance criteria. Stages and core elements: Stage 5: Leveraging the EA for managing change: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the organization head has not approved the current version of the EA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, return on EA investment is not measured and reported. Stages and core elements: Stage 5: Leveraging the EA for managing change: Compliance with EA is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Source: GAO analysis of agency provided data. [End of table] Department of Health and Human Services: Table 24 shows HHS's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 24: Department of Health and Human Services Satisfaction of EAMMF: Stages and core elements: Stage 1: Creating EA awareness: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stages and core elements: Stage 2: Building the EA management foundation: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The HHS CIO council is responsible for directing, overseeing, and approving EA. However, a charter for the council is under development. Stages and core elements: Stage 2: Building the EA management foundation: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 2: Building the EA management foundation: EA plans call for developing metrics to measure and report EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 3: Developing EA products: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: EA products and management processes have not undergone independent verification and validation. Stages and core elements: Stage 4: Completing EA products: EA products describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA products describe the "as-is" environment and "to-be" environment. However, a sequencing plan has been developed for some EA segments but has not been completed. Stages and core elements: Stage 4: Completing EA products: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Both "as-is" and "to-be" environments are described. However, the chief architect indicated that HHS plans to develop the descriptions in more detail. Stages and core elements: Stage 4: Completing EA products: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 4: Completing EA products: Organization CIO has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the EA has not been approved by the chief information officer. Stages and core elements: Stage 4: Completing EA products: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the current EA has not been approved by a committee or group representing the enterprise. Stages and core elements: Stage 4: Completing EA products: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA is integral component of IT investment management process; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: HHS provided evidence that EA is an integral component of the IT investment management process. However, a sequencing plan to guide IT investments has not been completed. Stages and core elements: Stage 5: Leveraging the EA for managing change: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: IT investments comply with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Stage 5: Leveraging the EA for managing change: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the organization head has not approved the current version of the EA. Stages and core elements: Stage 5: Leveraging the EA for managing change: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, HHS plans to measure and report return on EA investment. However, return on EA investment is not currently measured and reported. Stages and core elements: Stage 5: Leveraging the EA for managing change: Compliance with EA is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Source: GAO analysis of agency provided data. [End of table] Department of Homeland Security: Table 25 shows DHS's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 25: Department of Homeland Security Satisfaction of EAMMF: Stage 1: Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 3: Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products are under configuration management. However, the configuration management guidance documents are in draft and not approved. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 4: Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products and management processes undergo independent verification and validation. However, the contractor that reviewed EA products and processes was not independent and the reviews did not include verification and validation. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products describe the "as-is" environment, "to-be" environment, and sequencing plan. However, the sequencing plan is in draft and not approved. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, DHS has a process to formally manage EA change. However, the policy that describes EA change management is being revised and is not approved. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: DHS has an IT investment management process that requires investment compliance with the EA. However, the IT investment management process does not include a methodology with detailed compliance criteria. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the agency head has not approved the current version of the EA. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, return on EA investment is not measured and reported. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Source: GAO analysis of agency provided data. [End of table] Department of Housing and Urban Development: Table 26 shows HUD's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 26: Department of Housing and Urban Development Satisfaction of EAMMF: Stage 1: Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 3: Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 4: Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products and management processes undergo verification and validation. However, the verification and validation were not independent. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: HUD provided evidence that it is addressing security in the requisite descriptions. However, according to HUD officials they recognize the need to further develop these security descriptions. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization head has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Source: GAO analysis of agency provided data. [End of table] The Department of the Interior: Table 27 shows DOI's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 27: Department of the Interior Satisfaction of EAMMF: Stage 1: Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure and report EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 3: Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 4: Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products and management processes undergo independent verification and validation. However, the evidence provided did not show that EA product and process quality were assessed. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization head has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Source: GAO analysis of agency provided data. [End of table] Department of Justice: Table 28 shows DOJ's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 28: Department of Justice Satisfaction of EAMMF: Stage 1: Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in Stage 1. Stage 2: Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 3: Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 4: Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products and management processes have not undergone independent verification and validation. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a committee or group representing the enterprise has approved the current version of the EA. However, no documentation of committee approval was provided. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, DOJ uses the OMB EA assessment tool to measure and report product quality. However, no report documenting a quality assessment or results was provided. Stage 5: Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: DOJ has an IT investment management process that requires investment compliance with the EA. However, the IT investment management process does not include a methodology to determine compliance. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the organization head has not approved the current version of the EA. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: DOJ did not provide documentation describing how return on EA investment is measured and reported and no sample reports were provided. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: DOJ has begun to measure and report IT investment compliance with the EA. However, no compliance reports were provided. [End of table] Source: GAO analysis of agency provided data. Department of Labor: Table 29 shows Labor's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 29: Department of Labor Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation; Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/ data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure and report EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 3: Developing EA products; Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 4: Completing EA products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the EA program manager, EA products and management processes undergo independent verification and validation. However, the verification and validation were performed by a contractor that had also performed other EA program activities and therefore were not independent. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the EA program manager, IT investments comply with the EA. However, the evidence provided did not verify that IT investments are not approved unless they comply with the EA. Stages and core elements: Organization head has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the EA program manager, return on EA investment is not measured and reported. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the EA program manager, compliance with the EA is measured and reported. However, evidence of EA compliance reporting was not provided. Source: GAO analysis of agency provided data. [End of table] Department of the Navy: Table 30 shows Navy's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 30: Department of the Navy Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation. Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the Navy CIO office, Navy has a committee that is responsible for directing, overseeing, and approving EA. However, the Navy did not provide meeting minutes or other documentation to verify that committee meetings have occurred. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The Navy uses a framework and automated tool to develop their EA. However, our analysis of the Department of Defense Architecture Framework (DODAF), which was cited as the Navy's EA methodology, determined that the DODAF is not an EA methodology. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA plans call for describing the "as-is" and "to-be" environments. However, EA plans do not include describing a sequencing plan. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA plans do not include a "to-be" environment description in terms of technology. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA plans call for developing metrics to measure EA progress, quality, and compliance. However, no evidence was provided indicating plans to measure EA return on investment. Stage 3: Developing EA products; Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Navy provided evidence of their EA repository tools which Navy officials said they use to track EA product configuration management. However, the evidence did not describe detailed steps that would ensure the integrity and consistency of EA products. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA plans call for describing the "as-is" and "to-be" environments. However, EA plans do not include describing a sequencing plan. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA plans do not include a "to-be" environment description in terms of technology. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 4: Completing EA products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: Navy indicated EA products and management processes are subject to quality, integration, and verification reviews. However, these reviews are not performed by independent entities. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: EA products describe the "as-is" environment. However, according to the Department of the Navy CIO office, their EA products will include descriptions of the "to-be" environment and sequencing plan in the future. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: The "as-is" environment is described in business, information/data, application/ service, and technology, but not performance terms. However, according to the Navy CIO office, their "to-be" environment will be described in the future. Stages and core elements: These descriptions address security; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the Navy CIO office, EA descriptions will explicitly address security in the future. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the Navy CIO office, EA approvals are rendered by either the Assistant Secretary for Research and Development or a duly appointed representative, in addition to the Navy CIO. However, a committee or group representing the enterprise does not approve the EA. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the Navy CIO office, quality of EA products is measured and reported. However, Navy officials provided evidence that quality of EA products is measured and reported for the Marine Corps portion of the architecture, but did not provide documentation that quality of Navy architecture products are measured and reported. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: Navy policy does not explicitly require IT investment compliance with the EA. Stages and core elements: Process exists to formally manage EA change; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: Navy officials did not provide evidence of a process to formally manage EA change. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the Navy CIO office, the department has begun to integrate EA into its IT investment management process. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the Navy CIO office, IT investments comply with the EA. However, documentation of IT investment compliance with the EA was not provided. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the Navy CIO office, the organization head has not approved the EA. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the Navy CIO office, the department does not currently measure and report return on EA investment. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Navy provided documentation indicating that compliance with the EA is measured. However, sample measurement reports were not provided. Source: GAO analysis of agency provided data. Note: This analysis primarily focuses on the FORCEnet architecture because FORCEnet was identified by the Department of the Navy as the overall Department of Navy enterprise architecture. Additional information from the Marine Corps Integrated Architecture Picture (MCIAP) was incorporated where appropriate. [End of table] Department of State: Table 31 shows State's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 31: Joint Enterprise Architecture Satisfaction of EAMMF: Stage 1: Creating EA awareness. Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation. Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, State and USAID are developing a governance plan that will describe management processes for directing, overseeing, and approving their EA. However, this plan is not approved. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the EA is being developed using a framework, methodology, and automated tool. However, the methodology does not describe specific steps for maintenance. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: State and USAID have plans to measure and report EA progress, quality, and compliance. However, no plans for developing metrics to measure EA return on investment were provided. Stage 3: Developing EA products; Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: A draft configuration management plan for EA products has been developed. However, this plan has not been approved. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: State has limited reporting of EA progress. However, progress is not measured and reported relative to an EA program plan. Stage 4: Completing EA products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products and management processes have not undergone independent verification and validation. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: EA products describe the "as-is" and "to-be" environments as well as high- level transition activities. However, a sequencing plan for transitioning between the "as-is" and "to-be" environments is currently under development. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a committee or group representing the enterprise has not approved the current version of the EA. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a process to formally manage EA change does not currently exist. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA is an integral component of the IT investment management process. However, the sequencing plan to guide IT investments is currently under development. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the organization head has not approved the current version of the EA. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, return on EA investment is not measured and reported. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, compliance with the EA is measured and reported and officials provided a description of how compliance is to be measured. However, no documentation demonstrating compliance reporting was provided. Source: GAO analysis of agency provided data. Note: Department of State officials asked that we evaluate their agency's enterprise architecture based on efforts to develop the Joint Enterprise Architecture, which is being developed by State and the U.S. Agency for International Development. [End of table] Department of Transportation: Table 32 shows Transportation's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 32: Department of Transportation Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation; Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Program officials stated that the EA is being developed using a framework, methodology, and automated tool. However, the methodology and other documentation did not include steps for EA maintenance. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA plans call for developing metrics to measure EA progress and quality. However, EA plans do not call for developing metrics to measure compliance and return on investment. Stage 3: Developing EA products; Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: A configuration management plan for EA products is being defined. However, this plan has not been approved. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 4: Completing EA products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products and management processes do not undergo independent verification and validation. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: The business, performance, information/data, application/service, and technology descriptions do not address security. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the organization CIO has not approved the EA. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a committee or group representing the enterprise or the investment review board has not approved the current version of the EA. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Leveraging the EA for managing change. Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a process exists to formally manage EA change. However, the department provided evidence that a structure is in place to manage EA change, but a description of this process for formally managing EA change was not provided. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the organization head has not approved the current version of the EA. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, return on EA investment is not measured and reported. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, compliance with the EA is measured and reported. However, department officials did not provide evidence that compliance with the EA is measured and reported. Source: GAO analysis of agency provided data. [End of table] Department of the Treasury: Table 33 shows the Treasury's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 33: Department of the Treasury Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation; Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Two committees are responsible for directing and overseeing the EA. However, the committee charters do not indicate that either committee is responsible for approving the EA or represent the enterprise (i.e., include executive-level representation from each line of business). Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure and report EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the EA program manager, EA plans call for developing metrics to measure and report EA progress, quality, and compliance. However, evidence provided did not include plans for EA compliance or return on investment metrics. Stage 3: Developing EA products; Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the EA program manager, progress is measured and reported against plans, including an EA program management plan. However, the EA program management plan is in draft. Stage 4: Completing EA products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the EA program manager, EA products and management processes have not undergone independent verification and validation. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: A committee or group representing the enterprise has not approved the current version of the EA. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the EA program manager, the quality of EA products is measured and reported. Further, evidence showed that a quality evaluation was performed. However, evidence of the evaluation results was not provided. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the EA program manager, IT investments comply with the EA. However, the documents provided did not demonstrate that the IT investment management process requires IT investments to comply with the EA. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the EA program manager, the organization head has delegated approval of the EA to the CIO, who has approved the current version. However, the evidence provided did not explicitly show such a delegation. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the EA program manager, return on EA investment is not measured and reported. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Source: GAO analysis of agency provided data. [End of table] Department of Veterans Affairs: Table 34 shows VA's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 34: Department of Veterans Affairs Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation; Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: A committee representing the enterprise is responsible for directing and overseeing the EA. However, the committee charter does not indicate that the committee is responsible for approving the EA. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure and report EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Metrics to measure and report EA progress and quality have been developed. However, plans do not include developing metrics to measure and report EA compliance and return on investment. Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products are under configuration management, which is accomplished through the version control features of the EA repository. However, configuration management procedures did not define specific steps that would ensure the integrity and consistency of EA products. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 4: Completing EA products; Stages and core elements: Written and approved policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA version 4.0 has undergone independent verification and validation. However, no documentation to support this statement was provided. Further, plans for independent verification and validation of EA management processes have not been implemented. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to VA officials, their security architecture addresses all the requisite descriptions. However, evidence provided to support this statement shows that the security architecture does not address all of the requisite descriptions. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the CIO delegated EA approval authority to the chief architect. However, no evidence to support this delegation was provided. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: No evidence that a committee or group representing the enterprise has approved the current version of the EA was provided. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the EA repository is used to manage EA change. VA provided documentation describing the repository and its contents. However, evidence provided did not demonstrate that the repository is used to manage EA change or include detailed steps for managing EA change. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the organization head delegated EA approval to the CIO, who delegated this authority to the chief architect. However, no evidence to support these delegations was provided. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, return on EA investment is measured and reported. However, no evidence that the return on EA investment is measured and reported was provided. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, compliance with the EA is measured and reported. However, no evidence that compliance with the EA is measured and reported was provided. Source: GAO analysis of agency provided data. [End of table] Environmental Protection Agency: Table 35 shows EPA's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 35: Environmental Protection Agency Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation; Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA is being developed using a framework, methodology, and automated tool. However, the methodology does not include steps for maintaining the architecture and has not been approved. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 3: Developing EA products. Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EPA has limited reporting of EA progress. However, progress is not measured and reported relative to an EA program plan. Stage 4: Completing EA products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products and management processes have not undergone independent verification and validation. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a process exists to formally manage EA change. However, evidence that the process has been implemented was not provided and the process is not approved. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: An IT investment management process exists and the process considers investment compliance with the EA. However, evidence that the process has been implemented was not provided. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the organization head has not approved the current version of the EA. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, return on EA investment is not measured and reported. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, compliance with EA is measured and reported and documentation describes how compliance is to be measured. However, reports documenting measurement were not provided. Source: GAO analysis of agency provided data. [End of table] General Services Administration: Table 36 shows GSA's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 36: General Services Administration Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation; Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief technology officer (CTO), the EA is being developed using a framework, methodology, and automated tool. However, the methodology does not include specific steps to maintain the architecture. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Draft EA plans call for business, performance, information/data, application/service, and technology descriptions to address security. However, these plans are not approved. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the CTO, EA plans call for developing metrics. However, these plans do not specifically address EA progress, quality, compliance, and return on investment. Stage 3: Developing EA products; Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the CTO, EA products are under configuration management. However, the configuration management plan is being defined and has not been approved. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Draft EA plans call for business, performance, information/data, application/service, and technology descriptions to address security. However, these plans are not approved. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the CTO, progress against EA plans is not measured and reported. Stage 4: Completing EA products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the CTO, EA products and management processes have not undergone independent verification and validation. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA products describe both the "as-is" environment and the "to-be" environment. However, the sequencing plan has not been approved. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Both the "as- is" and "to-be" environments are described in terms of business, application/service, and technology. However, according to the CTO, descriptions of performance and information/data have not been completed. Stages and core elements: These descriptions address security; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the CTO, business, performance, information/data, application/service, and technology descriptions do not address security. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the CTO, no process to formally manage EA change exists. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the CTO, EA is an integral component of the IT investment management process. However, a sequencing plan to guide IT investments has not been approved. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization head has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the CTO, return on EA investment is not measured and reported. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the CTO, compliance with the EA is not measured and reported. Source: GAO analysis of agency provided data. [End of table] National Aeronautics and Space Administration: Table 37 shows NASA's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 37: National Aeronautics and Space Administration Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation; Stages and core elements: Adequate resources exist; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief technology officer, NASA has adequate funding and tools. However, the chief technology officer also stated that the EA program has somewhat inadequate EA personnel resources. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief technology officer, the operations management council, CIO council, and strategic management council are responsible for directing, overseeing, and approving the EA. However, the charters for these groups are awaiting executive approval and the draft charters provided did not specifically mention EA. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The EA is being developed using a framework and automated tool. However, documentation did not indicate the EA is being developed using a methodology that includes specific steps required to develop, maintain, and validate the EA. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 3: Developing EA products; Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 4: Completing EA products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: EA products describe the "as-is" environment. However, EA products do not fully describe the "to-be" environment and do not include a sequencing plan. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to NASA's chief technology officer, the "as-is" environment is described in terms of business, application/service, and technology. However, the "as-is" environment is not described in terms of performance and information/data and EA products do not describe the "to-be" environment. Stages and core elements: These descriptions address security; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The "as-is" description addresses security. However, the "to-be" description does not address security. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: NASA's IT investment management process guidance recognizes EA as an integral component. However, a sequencing plan to guide IT investments does not exist. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: NASA evidence showed that some investments were certified as compliant with the EA. However, evidence of the certification criteria used to assess IT investment compliance was not provided. Stages and core elements: Organization head has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief technology officer, return on EA investment is not measured and reported. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Source: GAO analysis of agency provided data. [End of table] National Science Foundation: Table 38 shows NSF's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 38: National Science Foundation Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation; Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: A committee or group representing the enterprise is responsible for directing and overseeing the EA. However, no committee or group has responsibility for approving the EA. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the EA is being developed using a framework, methodology, and automated tool. However, the methodology does not document steps for EA development. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/ data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 3: Developing architecture products; Stages and core elements: Written and approved policy exists for EA development; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a policy exists for EA development. However, the policy is not approved. Stages and core elements: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, progress against EA plans is measured and reported. However, the plan against which progress is measured is not approved and no documentation of progress reporting was provided. Stage 4: Completing architecture products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a policy exists for EA maintenance. However, the policy is not approved. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products and management processes have not undergone independent verification and validation. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products describe the "as-is" environment, "to-be" environment, and sequencing plan. However, the "as- is" environment is not fully described in terms of performance and the "to- be" environment is not fully described in terms of performance and information/data. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the "as-is" is not fully described in terms of performance and the "to-be" environment is not fully described in terms of performance and information/data. Stages and core elements: These descriptions address security; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The business, information/data, application/service, and technology descriptions address security. However, the performance description does not address security. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, no committee or group representing the enterprise has approved the current version of the EA. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The chief architect provided an organization policy for IT investment compliance with the EA. However, the policy is not approved and does not explicitly require IT investment compliance with the EA. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, IT investments comply with the EA and NSF provided evidence of procedures intended to determine compliance. However, evidence supporting that IT investments are required to be compliant with the EA before they are approved was not provided. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: NSF did not provide evidence that the organization head has approved the current version of the EA. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, return on EA investment is measured and reported. However, evidence to support this statement was not provided. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, compliance with the EA is measured and reported, and NSF provided evidence describing how compliance is measured and reported. However, evidence of compliance was not provided. Source: GAO analysis of agency provided data. [End of table] Nuclear Regulatory Commission: Table 39 shows NRC's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 39: Nuclear Regulatory Commission Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation; Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a committee or group representing the enterprise is responsible for directing, overseeing, and approving the EA. However, the charter for this committee does not clearly state that it is responsible for directing, overseeing, and approving the EA and the charter is not approved. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: A chief architect has been designated. However, the chief architect's roles and responsibilities do not include functioning as the EA program manager. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA plans call for developing metrics to measure EA progress, quality, and compliance. However, EA plans do not call for developing metrics to measure return on investment. Stage 3: Developing EA products; Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: A draft policy exists for EA development. However, this policy has not been approved. Stages and core elements: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 4: Completing EA products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: A draft policy exists for EA maintenance. However, this policy has not been approved. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: EA products and management processes have not undergone independent verification and validation. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a committee or group representing the enterprise or the investment review board has not approved the current version of the EA. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: NRC provided information on how quality of EA products is to be measured and reported. However, documentation demonstrating that quality is actually being measured and reported was not provided. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: A draft policy exists for IT investment compliance with EA. However, this policy has not been approved. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, a process exists to formally manage EA change. However, evidence that the process has been implemented was provided for some EA products but not others. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, IT investments comply with the EA and evidence demonstrates that EA is considered during the IT investment management process. However, documentation provided did not demonstrate IT investment compliance. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the organization head has not approved the current version of the EA. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to NRC officials, return on EA investment is not measured and reported. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, compliance with EA is measured and reported. However, documentation demonstrating that compliance is actually being measured and reported was not provided. Source: GAO analysis based on agency provided data. [End of table] Office of Personnel Management: Table 40 shows OPM's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 40: Office of Personnel Management Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation; Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/ data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 3: Developing EA products; Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: OPM has limited reporting of EA progress. However, progress is not measured and reported relative to an EA program plan. Stage 4: Completing EA products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products and management processes have not undergone independent verification and validation. The chief architect stated that the cost of independent verification and validation is not justified. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization head has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Source: GAO analysis of agency provided data. [End of table] Small Business Administration: Table 41 shows SBA's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 41: Small Business Administration Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partial or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation; Stages and core elements: Adequate resources exist; Satisfied?: Partial; GAO basis for partial or not satisfied determination: According to SBA officials, the agency has EA program activities that do not have adequate resources. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure and report EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partial or not satisfied determination: EA plans call for developing metrics to measure and report EA progress, quality, and compliance. However, documentation did not include plans for developing metrics to measure and report EA return on investment. Stage 3: Developing EA products; Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: No; GAO basis for partial or not satisfied determination: Configuration management procedures provided to GAO do not describe steps to ensure the integrity and consistency of EA products. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: No; GAO basis for partial or not satisfied determination: SBA officials did not provide evidence that the agency is measuring and reporting progress against EA plans. Stage 4: Completing EA products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: No; GAO basis for partial or not satisfied determination: According to SBA officials, a committee or group representing the enterprise approved the current version of the EA. However, documentation indicated approval of the 2003 EA program policies and procedures, not the current version of the EA. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: No; GAO basis for partial or not satisfied determination: According to SBA officials, the quality of EA products is measured and reported. However, SBA did not provide documentation that supports this statement. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Yes; GAO basis for partial or not satisfied determination: [Empty]. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partial or not satisfied determination: According to SBA officials, the organization head has approved the current version of the EA. However, documentation indicated approval of the 2003 EA program policies and procedures, not the current version of the EA. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partial or not satisfied determination: According to SBA officials, return on EA investment is not measured and reported. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: No; GAO basis for partial or not satisfied determination: According to SBA officials, compliance with EA is measured and reported. However, these officials did not provide documentation that supports this statement. Source: GAO analysis of agency provided data. [End of table] Social Security Administration: Table 42 shows SSA's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 42: Social Security Administration Satisfaction of EAMMF: Stage 1: Creating EA awareness. Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation; Stages and core elements: Adequate resources exist; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the EA is being developed using a framework, methodology, and automated tool. However, the methodology does not include steps for developing, maintaining, and validating the agency's EA. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 3: Developing EA products; Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are under configuration management; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 4: Completing EA products. Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stage 5: Leveraging the EA for managing change. Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: SSA officials stated that CIO approval of the current version of the EA constitutes approval by the organization head. However, they did not provide documentation delegating EA approval authority from the organization head to the CIO. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, return on EA investment is measured and reported and a description of how return on investment is measured and reported was provided. However, sample measures and reports were not provided. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, compliance with the EA is measured and reported and a description of how compliance is measured and reported was provided. However, sample measures and reports were not provided. Source: GAO analysis of agency provided data. [End of table] U.S. Agency for International Development: Table 43 shows USAID's satisfaction of framework elements in version 1.1 of GAO's EAMMF. Table 43: U. S. Agency for International Development Satisfaction of EAMMF: Stage 1: Creating EA awareness; Stages and core elements: Agency is aware of EA; Satisfied?: n/a; GAO basis for partially satisfied or not satisfied determination: No core element exists in stage 1. Stage 2: Building the EA management foundation. Stages and core elements: Adequate resources exist; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, USAID has "somewhat inadequate" EA resources. Stages and core elements: Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Program office responsible for EA development and maintenance exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Chief architect exists; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA being developed using a framework, methodology, and automated tool; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, USAID is developing their architecture using a framework, methodology, and automated tool. However, the methodology does not describe steps required to maintain and validate the architecture. Stages and core elements: EA plans call for describing "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for describing enterprise in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for business, performance, information/data, application/service, and technology to address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: EA plans call for developing metrics to measure EA progress, quality, compliance, and return on investment; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, USAID has plans for developing metrics to measure EA progress, quality, compliance, and return on investment. USAID provided documentation of its plans to measure and report EA compliance. However, documentation of plans to develop the other metrics was not provided. Stage 3: Developing EA products; Stages and core elements: Written and approved organization policy exists for EA development; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, USAID does not have a written and approved policy for EA development. Stages and core elements: EA products are under configuration management; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: USAID provided evidence that discusses the need for EA products to be under configuration management. However, the evidence did not describe detailed steps that would ensure the integrity and consistency of EA products. Stages and core elements: EA products describe or will describe "as-is" environment, "to-be" environment, and sequencing plan; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Both "as-is" and "to-be" environments are described or will be described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: These descriptions address or will address security; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Progress against EA plans is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, progress against EA plans is not measured and reported. Stage 4: Completing EA products; Stages and core elements: Written and approved organization policy exists for EA maintenance; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, USAID does not have a written and approved policy for EA maintenance. Stages and core elements: EA products and management processes undergo independent verification and validation; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: EA products and management processes have undergone independent verification and validation. However, the current EA version has not undergone independent verification and validation. Stages and core elements: EA products describe "as-is" environment, "to- be" environment, and sequencing plan; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, EA products do not fully describe the "as-is" environment, "to-be" environment, and sequencing plan. Stages and core elements: Both "as-is" and "to-be" environments are described in terms of business, performance, information/data, application/service, and technology; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: Both "as-is" and "to-be" environment descriptions are being developed. However, the descriptions currently address only one segment of the architecture. Stages and core elements: These descriptions address security; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: The "as-is" and "to-be" environment descriptions partially address security. However, the descriptions currently address only one segment of the architecture and do not address security in each of the required terms. Stages and core elements: Organization CIO has approved current version of EA; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: Committee or group representing the enterprise or the investment review board has approved current version of EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, committees representing the enterprise have approved the current version of the EA. However, documentation of these approvals was not provided. Stages and core elements: Quality of EA products is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, USAID has not implemented plans to measure and report quality of EA products. Stage 5: Leveraging the EA for managing change; Stages and core elements: Written and approved organization policy exists for IT investment compliance with EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: USAID has a program plan that encourages IT investment compliance with the EA. However, the plan does not explicitly require IT investment compliance with the EA. Stages and core elements: Process exists to formally manage EA change; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, USAID has chartered a configuration control board to manage EA change. However, USAID did not provide any documentation that this board is functioning as chartered. Stages and core elements: EA is integral component of IT investment management process; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: USAID provided documentation indicating that EA is an integral component of its IT investment management process. However, USAID does not have an enterprisewide sequencing plan to guide IT investments. Stages and core elements: EA products are periodically updated; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Stages and core elements: IT investments comply with EA; Satisfied?: Partial; GAO basis for partially satisfied or not satisfied determination: USAID provided documentation indicating IT investments comply with the EA. However, investment compliance is limited to the one segment of the EA that has been developed. Stages and core elements: Organization head has approved current version of EA; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, the organization head has not approved the current version of the EA. Stages and core elements: Return on EA investment is measured and reported; Satisfied?: No; GAO basis for partially satisfied or not satisfied determination: According to the chief architect, USAID is developing metrics for measuring and reporting return on EA investment, but these metrics have not been completed. Stages and core elements: Compliance with EA is measured and reported; Satisfied?: Yes; GAO basis for partially satisfied or not satisfied determination: [Empty]. Source: GAO analysis of agency provided data. Note: The U.S. Agency for International Development is working with the Department of State to develop the Joint Enterprise Architecture. However, USAID asked that we evaluate its agency's enterprise architecture based on efforts to develop the USAID enterprise architecture. [End of table] [End of section] Appendix V: Comments from the Department of Commerce: United States Department Of Commerce: Chief Information Officer: Washington, D.C. 20230: June 15 2006: Mr. Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: United States Government Accountability Office: Washington, DC 20548: Mr. Hite: Thank you for the Government Accountability Office's draft report entitled "Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation (GAO-06-831)." We appreciate the thoroughness of your review, concur with your findings regarding the Department of Commerce, and will consider actions to address your concerns. Sincerely, Signed by: Barry C. West: [End of section] Appendix VI: Comments from the Department of Defense: Assistant Secretary Of Defense: 6000 Defense Pentagon: Washington, DC 20301-6000: June 30, 2006: Networks And Information Integration: Mr. Randolph C. Hite: Director, Information Technology and Systems Issues, U.S. Government Accountability Office, 441 G Street, NW Washington, D.C. 20548. Dear Mr. Hite, "This is the Department of Defense (DoD) response to the GAO draft report, 'Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation,' dated May 31, 2006, (GAO Code 310604/GAO-06-831). " DoD has reviewed the Draft Report and plans to use the GAO Enterprise Architecture maturity framework as one of the benchmark best practices as DoD components continuously work to improve enterprise architecture management maturity. In general, DoD concurs with the GAO recommendation but with one exception, and that is the criteria for independent validation and verification as it pertains to the Global Information Grid architecture. Also we take exception to one of the technical findings published in Appendix IV of the GAO report as it pertains to the Business Transformation Agency. Specific comments regarding these statements are enclosed. My action officer for this effort is Mr. Roy Mabry, (703) 380-0964, roy.mabry@osd.mil: Signed by: George Wauer: Director, Architecture and Interoperability: (Office of the Deputy CIO): Enclosures: As stated: cc: Head, Business Transformation Agency: Department of the Army, Chief Information Officer: Department of the Navy, Chief Information Officer: Department of the Air Force, Chief Information Officer: GAO Draft Report - Dated May 31, 2006 GAO CODE 310604/GAO-06-831: "Enterprise Architecture: Leadership Remains Key To Establishing And Leveraging Architectures For Organizational Transformation" Department Of Defense Comments On The Recommendation: Recommendation: The GAO recommended that the Secretary of Defense ensure that respective enterprise architecture programs develop and implement plans for fully satisfying each of the conditions in GAO's Enterprise Architecture Management Maturity Framework. GAO CODE 310604/ GAO-06-83 (p. 41/GAO Draft Report): DOD Response: The GAO framework will be used as one of the benchmark best practices as DoD components continuously work to improve enterprise architecture management maturity. In general DoD concurs with the GAO recommendation with one exception, and that is the criteria for independent validation and verification as it pertains to the Global Information Grid architecture. DoD believes that the internal DoD process for reviewing and validating is sufficient and meets the intent of this GAO criteria and therefore will remain the DoD practice until otherwise changed. However, DoD will revisit this position as implementation plans for fully satisfying each of the conditions in the GAO Enterprise Architecture Management Maturity framework are developed. Regarding the GAO findings, which are shown in Appendix IV of the GAO report, it is clear that DoD components do not fully meet the criteria of the GAO Enterprise Architecture Management Maturity Framework at this time, although some DoD components are further along than others. Even after further discussions between GAO and DoD, there are findings in the report with which DoD continues to disagree. The Business Transformation Agency (BTA) maintains that the Stage Two and Three security/information assurance findings, for reasons previously stated in written technical comments and discussions with the GAO audit team, do not accurately reflect the situation and therefore DoD must non- concur with those findings as presented in Appendix IV of the GAO Report. The DoD view is that the GIG architecture defines how all members of DoD EA will address security/information assurance and that its application must be accepted by GAO as sufficient representation in the DoD EA component parts such as BTA otherwise having each component adopt security/information assurance other than that of the GIG negates one of the fundamental tenants of the GIG architecture and therefore fundamentally works counter to the DoD efforts. GAO Comments: 1. We do not agree for two reasons. First, DOD's internal processes for reviewing and validating the Global Information Grid (GIG), while important and valuable to ensuring architecture quality, are not independently performed. As we have previously reported, independent verification and validation is a recognized hallmark of well-managed programs, including architecture programs.[Footnote 54] To be effective, it should be performed by an entity that is independent of the processes and products that are being reviewed to help ensure that it is done in an unbiased manner and that is based on objective evidence. Second, the scope of these internal review and validation efforts only extends to a subset of GIG products and management processes. According to our framework, independent verification and validation should address both the architecture products and the processes used to develop them. 2. While we acknowledge that GIG program plans provide for addressing security, and our findings relative to the GIG reflect this, this is not the case for DOD's Business Enterprise Architecture (BEA). More specifically, how security will be addressed in the BEA performance, business, information/data, application/service, and technology products is not addressed in the BEA either by explicit statement or reference. This finding relative to the BEA is consistent with our recent report on DOD's Business System Modernization.[Footnote 55] [End of section] Appendix VII: Comments from the Department of Education: United States Department of Education: Office of Management: JUN 21 2006: Mr. Randolph C. Hite: Director, Information Technology Architecture and Systems: U. S. Government Accountability Office: 441 G Street, NW Room 4085: Washington, DC 20548: Dear Mr. Hite: Thank you for the opportunity to review the draft report Enterprise Architecture: Leadership Remains Key To Establishing and Leveraging Architectures for Organizational Transformation (GAO-06-831). The Department of Education uses Enterprise Architecture (EA) as a strategic planning tool to drive the Department's operational performance and deliver business results. The Department has made significant progress in improving its EA maturity, and plans to continue its progress toward greater EA maturity. Figure 6 of the report reflects that the Department needs to satisfy five or fewer core elements in order to achieve an. "Optimized" score of 5 in which all core elements are fully or partially satisfied. With respect to these remaining core elements, the Department plans to take the following steps: * With respect to the "Committed or group representing the enterprise is responsible for...approving EA" core element, the Department's investment review board (IRB) charter will be amended to reflect this responsibility more explicitly, and future IRB minutes will also reflect this approval more explicitly. * With respect to the "EA products and management processes undergo independent verification and validation" core element, the Department is considering the business need and available alternatives for independent verification and validation of the Department's Enterprise Architecture products and management processes. * With respect to the ".the investment review board has approved current version of EA" core element, future Department IRB meeting minutes will more explicitly reflect the IRB's approval. * With respect to the "Organization head has approved current version of the EA" core element, the Department's IRB charter will be amended to more explicitly reflect delegation of EA approval authority to the Chief Operating Officer as the Chair of the Investment Review Board. * With respect to the "Return on EA investment is measured and reported" core element, the Department plans to implement a value metrics framework to improve Return on Investment (ROI) and Value of Investment (VOI) measurements in support of capital planning. Again, thank you for the opportunity to review and comment on the draft report. The Department is continuing to work to improve its Enterprise Architecture. Sincerely, Signed by: Michell Clark: [End of section] Appendix VIII: Comments from the Department of Energy: Department of Energy: Washington, DC 20585: June 22, 2006: Michael P. Holland: Senior Information Technology Analyst: U.S. Government Accountability Office: 441 G St, NW, Room 4Q26: Washington, DC 20548: Dear Mr. Holland: We have reviewed the draft Government Accountability Office report entitled, "Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation (GAO-06-831)" and concur with the report with no further comment. Thank you for the opportunity to participate in the development of this report. If you have any questions, please contact Ms. Valerie Young at (202)586-8853 or via email at valerie.young@hq.doe.gov. Sincerely, Signed by: TheAnne Gordon: Acting Associate Chief Information Officer for Information Technology Reform: [End of section] Appendix IX: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: June 28, 2006: Mr. Randolph C. Hite: Director: Information Technology Architecture and Systems Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Hite: RE: Draft Report GAO-06-831, Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation (GAO Job Code 310604): The Department of Homeland Security (DHS) appreciates the opportunity to review and comment on the draft report. The Government Accountability Office (GAO) recommends that DHS and 26 other major departments and agencies ensure that our "respective enterprise architecture programs develop and implement plans for fully satisfying each of the conditions in [GAO's] enterprise architecture management maturity framework." We have taken and continue to take steps to do so. DHS is encouraged by GAO's recognition of the significant progress made since GAO commented on the HLS Enterprise Architecture program in 2004[Footnote 56] and again last year when homeland security information sharing was first added to the GAO High Risk Series.[Footnote 57] We were pleased to see your assessment in Table 5 that found DHS already satisfies 75% of the Stage 4 elements and half of Stage 5 elements. In our mission to protect the homeland, issues of system survivability and vulnerability affect information technology investment choices in a way not necessarily applicable to many agencies. Priority has been, of necessity, rightly given to our mission of securing the homeland, during a period of natural disasters and a very real war on terror. DHS, as mentioned in prior GAO reports on the subject, has developed a business process that reviews and evaluates planned investments for compliance to a formal Enterprise Architecture vision as an integral step in the annual budget development process. Since the development of the 2005 High Risk report, DHS has made significant progress in definition and management of appropriate information sharing technologies, policies and procedures. Newly implemented initiatives, [like Homeland Security Operations Center (HSOC), United States Public and Private Partnership (USP-3), Integrated Public Alert and Warning System (IPAWS), Emergency Data Exchange Language (EDXL) and National Information Exchange Model Compliance (NIEM) standards, alongside assessment efforts in Data Fusion, Screening, and Alerts and Warnings], capitalize on technology investments with management of resources and operating practices to improve processes based on previous GAO findings. The Department has moved to implement the philosophies of Enterprise Architecture as a means to assuring mission performance, while developing the Department and its functional infrastructure. To continue to make progress in meeting all of its oversight requirements, DHS would like to recommend that GAO work with the Office of Management and Budget to coordinate and align their respective definitions of Enterprise Architecture maturity. As the Department matures, so will the architectural documents and formal procedures, but the success of the mission must always be given priority to safeguard our nation. We agree with GAO's assertion that the key to building upon our current progress and status is executive leadership. We believe that based on demonstrated progress to date such leadership exists at the Department of Homeland Security. We are providing technical comments to your office under separate cover. Sincerely, Signed by: Steven J. Pecinovsky: Director: Departmental GAO/OIG Liaison Office: GAO Comments: 1. We acknowledge this recommendation and offer three comments in response. First, we have taken a number of steps over the last 5 years to coordinate our framework with OMB. For example, in 2002, we based version 1.0 of our framework on the OMB-sponsored CIO Council Practical Guide to Federal Enterprise Architecture,[Footnote 58] and we obtained concurrence on the framework from the practical guide's principal authors. Further, we provided a draft of this version to OMB for comment, and in our 2002 report in which we assessed federal departments and agencies against this version, we recommended that OMB use the framework to guide and assess agency architecture efforts.[Footnote 59] In addition, in developing the second version of our framework in 2003,[Footnote 60] we solicited comments from OMB as well as federal departments and agencies. We also reiterated our recommendation to OMB to use the framework in our 2003 report in which we assessed federal departments and agencies against the second version of the framework.[Footnote 61] Second, we have discussed alignment of our framework and OMB's architecture assessment tool with OMB officials. For example, after OMB developed the first version of its architecture assessment tool in 2004, we met with OMB officials to discuss our respective tools and periodic agency assessments. We also discussed OMB's plans for issuing the next version of its assessment tool and how this next version would align with our framework. At that time, we advocated the development of comprehensive federal standards governing all aspects of architecture development, maintenance, and use. In our view, neither our framework nor OMB's assessment tool provide such comprehensive standards, and in the case of our framework, it is not intended to provide such standards. Nevertheless, we plan to continue to evolve, refine, and improve our framework, and will be issuing an updated version that incorporates lessons learned from the results of this review. In doing so, we will continue to solicit comments from federal departments and agencies, including OMB. Third, we believe that while our framework and OMB's assessment tool are not identical, they nevertheless consist of a common cadre of best practices and characteristics, as well as other relevant criteria that, taken together, are complementary and provide greater direction to, and visibility into, agency architecture programs than either does alone. [End of section] Appendix X: Comments from the Department of Housing and Urban Development: U.S. Department Of Housing And Urban Development: Washington, D.C. 20410-3000: The Chief Information Officer: June 21, 2006: Mr. Randolph C. Hite: Director, Information Technology Architecture And System Issue: United States Government Accountability Office: Dear Mr. Hite: The Department of Housing and Urban Development (HUD) would like to thank you for the opportunity to review and provide comments on the Draft Enterprise Architecture (EA) Report GAO 310604. We are providing the following comments on the report findings and recommended actions: * We agree that our EA practice has been assessed accurately as a Stage 3 practice, and, in accordance with the report recommendations, we are in the process of developing and implementing as EA program plan to satisfy each of the core elements in the enterprise architecture management maturity framework (EAMMF) in 2007. * We request that information describing the status of HUD's security architecture on page 27 and pages 35-36 of the draft report be written to reflect work that is currently underway to develop an enterprise security architecture. While we agree with a "Partial" assessment for this Stage 4 core element, we believe that the attached information (Attachment(s) 1) demonstrates that a security architecture will be completed by January 2007, and will be reflected thoroughly and consistently across each element of the Department's enterprise architecture. HUD is committed to ensuring the continued development of the enterprise architecture program by implementing plans for fully satisfying each of the conditions in GAO's enterprise architecture management maturity framework. Thank you again for the opportunity to review and comment on the draft report. In the interim, if you have any questions regarding the information provided please contact Beverly Hacker, Chief Architect, Department of Housing and Urban Development, Office of the Chief Information Officer on 202-708-0614 x 8338. Attachment(s): Sincerely yours, Signed by: Lisa Schlosser: Chief Information Officer: Attachment 1: Security Architecture Development: The Department of Housing and Urban Development (HUD) recognizes the importance of incorporating security into the Enterprise Architecture (EA). Consequently, the Office of IT Security is in the process of documenting the integration of security within each applicable element of HUD's EA. As early as April 7, 2005, HUD initiated a project to update the Technical Reference Model (TRM) to include security products. The overall goal of this effort was not only intended to identify applicable security products within the TRM, but also to begin the process of fully integrating security within all applicable elements of HUD's EA. Ultimately, the results of this project contributed to an improvement in HUD's ability to protect systems and the information that directly support the business needs of HUD. The process included: * Identification and integration of relevant security standards and products into the HUD Technical Reference Model (TRM), * Expansion of HUD's EA version 1.0's TRM to include recommended security product upgrades, and: * Identification and mapping of applicable TRM security products with components, applications, and/or technologies within HUD's EA version 1.0's Business Reference Model (BRM) and Service Reference Model (SRM). A follow-on project was initiated on Jan. 30, 2006 and is scheduled to be completed by January 2007. This effort is intended to: * Develop,a security architecture that supports the achievement of HUD's business objectives, and: * Incorporate IT security throughout the HUD EA. This project further emphasizes the need to integrate security within HUD's EA using principles that directly correlate to HUD's business functions, recommended standards, applicable policies, best practices, and technology trends. The principles and recommendations and work being performed are driven by HUD's IT security policies and procedures. The outcome of this project will produce the following: * HUD's Baseline for Network Infrastructure Security Architecture, * Security requirements within the components of the BRM, * Identification of the security requirements for the SRM component, * Security requirements for the TRM component, * A process to continuously integrate security into HUD's EA, and: * Formal HUD EA Security Architecture documentation. To date, this project has yielded the following results: * Identified Federal mandates, policies and guidelines and industry best practices that are applicable for inclusion into HUD's Network Infrastructure Security Architecture, * Developed a preliminary list of legislation, regulations, guidelines, and policies related to HUD EA/Security integration, * Created an approach for EA/Security integration, and: * Developed a list of potential EA/Security requirements from the BRM. Lastly, HUD is dedicated to ensuring that the integration of security into EA is a continuous process. This will enable refinement of the EA as necessary to keep it aligned with federally mandated initiatives, business strategy requirements, emerging standards, and changing technology pertaining to security. The results of this ongoing project, as well as any future integration efforts, shall be fully in HUD's enterprise architecture commencing in 2007. [End of section] Appendix XI: Comments from the Department of the Interior: United States Department of the Interior: Office Of The Assistant Secretary: Policy, Management And Budget: Washington, DC 20240: Jun 20 2006: Mr. Randolph C. Hite: Director, Information Technology Architecture and Systems: U.S. Government Accountability Office: Washington, D.C. 20548: Dear Mr. Hite: Thank you for the opportunity to review and provide comments on the U.S. Government Accountability Office's (GAO) draft report GAO-06-831 titled Enterprise Architecture - Leadership Remains Key to Establishing and Leveraging Architecture for Organizational Transformation. The Department of the Interior (DOI) has reviewed the report and considers it reflective of the current state of maturity of its enterprise architecture (EA) program with respect to the GAO's EA Management Maturity Framework (EAMMF) Version l. l. The draft report identifies that DOI has met 97% of all criteria within the maturity framework and needs only to complete one criterion: "EA products and management processes undergo Independent Verification and Validation" to achieve a stage 5 maturity and satisfy 100% of all elements. To that end, DOI has recently awarded a contract to conduct an independent verification and validation (IV&V) of its EA program which will satisfy this remaining element. DOI takes the results of independent assessments and reviews of its EA program seriously and incorporates recommendations for improvement to continually mature its EA program. DOI is committed to utilizing its EA to guide the overall management and maturation of its IT portfolio and infrastructure to improve its overall mission performance. If you have any questions, please contact W. Hord Tipton, DOI CIO, at 202-208-6194. Staff may contact Ms. Colleen Coggins, DOI Chief Architect, at 202-208-5911. Sincerely, Signed by: R. Thomas Weimer: Assistant Secretary: [End of section] Appendix XII: Comments from the Department of Justice: U.S. Department of Justice: Washington, D.C. 20530: Jun 21 2006: Randolph C. Hite: Director: Information Technology Architecture and Systems Issues: Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Hite: Thank you for the opportunity to review and comment on the Government Accountability Office's (GAO) draft report entitled "Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation (GAO-06-831/310604). The Department believes that your draft report accurately reflects the state of our enterprise architecture (EA) program and our needed focus areas for the future. Overall, the feedback and analysis in this report is beneficial to our program, and will help guide our efforts going forward. Of the seven Core Elements in Stages 4 and 5 identified as partially or not satisfied in the assessment, all are being analyzed and incorporated into our plans for the program. In particular, the elements relating to EA compliance and utilizing the EA in the investment process are a key near-term focus of our program and we are making significant strides in these areas. Also, we are establishing processes to capture and report the impact of the EA program to allow us to demonstrate the return on investment for the program. We would also like to take this opportunity to address some potential improvements for GAO's EA evaluation and oversight process from our perspective. There are several areas that would assist us in streamlining our responses and improve our EA program, including the following: * Align the GAO assessment criteria with the OMB framework - Although there are many common themes between the two frameworks, the focus is different many areas requiring us to develop separate submission packages for evaluation. We also feel that there are some key areas in the latest OMB framework, particularly relating to the use of the EA, which could enhance the GAO framework. * Incorporate the principles of federated and segmented architecture development - this is a key principle of our program, as it is for most large department level programs. This approach addresses the need to collaborate with component or bureau-level EA programs to capture mission specific requirements and institutionalize the program. * Provide a mechanism to share best practices - The DOJ EA could benefit from the insights that GAO gains through its evaluations of programs across the federal government. Although programs need to be tailored to the particular agencies, there are many foundational elements that are common, and could be leveraged across multiple agencies for greater efficiency. Again, we appreciate the assessment and feedback of our EA program, and we look forward to additional collaboration to assist us in further improving our implementation of EA at DOJ. The DOJ EA program has made significant strides over the past year, and we plan to continue with this momentum and leverage the work to make a significant impact across the Department. If you have any questions regarding our comments, please contact Richard P. Theis, Assistant Director, Audit Liaison Group on (202) 514- 0469. Sincerely, Signed by: Vance E. Hitch: Chief Information Officer: GAO Comments: 1. See DHS comment 1 in appendix IX. Also, while we do not have a basis for commenting on the content of the department's OMB evaluation submission package because we did not receive it, we would note that the information that we solicit to evaluate a department or agency against our framework includes only information that should be readily available as part of any well-managed architecture program. 2. We understand the principles of federated and segmented architectures, but would emphasize that our framework is intentionally neutral with respect to these and other architecture approaches (e.g., service-oriented). That is, the scope of the framework, by design, does not extend to defining how various architecture approaches should specifically be pursued, although we recognize that supplemental guidance on this approach would be useful. Our framework was created to organize fundamental (core) architecture management practices and characteristics (elements) into a logical progression. As such, it was intended to fill an architecture management void that existed in 2001 and thereby provide the context for more detailed standards and guidance in a variety of areas. It was not intended to be the single source of all relevant architecture guidance. 3. We agree, and believe that this report, by clearly identifying those departments and agencies that have fully satisfied each core element, serves as the only readily available reference tool of which we are aware for gaining such best practice insights. [End of section] Appendix XIII: Comments from the Department of State: United States Department of State: Assistant Secretary for Resource Management and Chief Financial Officer: Washington, D.C. 20520: Ms. Jacquelyn Williams-Bridgers: Managing Director: International Affairs and Trade: Government Accountability Office: 441 G Street, N. W. Washington, D.C. 20548-0001: Jun 9 2006: Dear Ms. Williams-Bridgers: We appreciate the opportunity to review your draft report, "Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation," GAO Job Code 310604. The enclosed Department of State comments are provided for incorporation with this letter as an appendix to the final report. If you have any questions concerning this response, please contact Chan Kim, IT Specialist, Bureau of Information Resource Management, at (202) 663-1066. Sincerely, Signed by: Bradford R. Higgins: cc: GAO - Mark Bird: IRM - James Vanderhoff: State/OIG - Mark Duda: Department of State Comments on GAO Draft Report: Enterprise Architecture: Leadership Remains Kev to Establishing and Leveraging Architectures for Organizational Transformation, (GAO-06- 831, GAO Code 310604): Thank you for the opportunity to comment on the GAO's report on Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation. The Department of State agrees with the GAO findings and recommendations. The Department is engaged in a unique Joint Enterprise Architecture (JEA) effort to identify common areas of collaboration with the U.S. Agency for International Development (USAID). This fact makes senior management involvement essential in making Enterprise Architecture decisions affecting the two agencies. This joint relationship adds overall complexity to the effort as well. The Department's Undersecretary for Management and USAID's Deputy Administrator chair the Joint Management Council (JMC) executive committee. They have endorsed the use of Enterprise Architecture methodology and have made it a critical component of their evolving governance process. We are providing comments to address the partially satisfied or negative criteria in Table 1: Joint Enterprise Architecture Satisfaction of EAMMF under Appendix IV: Detailed Assessments of Individual Departments and Agencies. Stage 2: Building the Enterprise Architecture (EA) management foundation: a. Committee or group representing the enterprise is responsible for directing, overseeing, and approving EA: GAO Comment: According to the chief architect, State, and USAID are developing a governance plan that will describe management processes for directing overseeing, and approving their EA. However, this plan is not approved. Dept EA Comment: The Joint Management Council (JMC) will approve the Joint Enterprise Architecture (JEA) Governance plan as part of the JMC Governance Plan. b. EA being developed using a framework, methodology, and automated tool: GAO Comment: According to the chief architect, the EA is being developed using a framework, methodology, and automated tool. However, the methodology does not describe specific steps for the maintenance. Dept EA Comment: The JEA Governance plan will support this function. c. EA Plans call for developing metrics to measure EA progress, quality, compliance, and return on investment: GAO Comment: State and USAID have plans to measure and report EA progress, quality and compliance. However, no plans for developing metrics to measure EA return on investment were provided. Dept EA Comment: The new JMC Governance process will provide an opportunity to incorporate appropriate metrics to show EA return on investment. Stage 3: Developing EA products: a. EA products are under configuration management: GAO Comment: A draft configuration management plan for EA products has been developed. However this plan has not been approved. Dept EA Comment: The draft JEA configuration plan was submitted to OMB in February 2006. It was approved by both State's and USAID's CIOs. b. Progress against EA plans is measured and reported: GAO Comment: State has limited reporting of EA progress. However, progress is not measured and reported relative to an EA program plan. Dept EA Comment: The Joint State/USAID EA Team reports its progress to OMB on a quarterly basis. The JEA Team is also developing future EA metrics to comply with GAO and OMB recommendations as part of its EA Program Plan revision. Stage 4: Completing EA products: a. EA products and management processes undergo independent verification and validation: GAO Comment: According to the chief architect, EA products and management processes have not undergone independent verification and validation. Dept EA Comment: Independent verification and validation will be included as part of the JEA's new governance process. To our knowledge, no federal agency EA products currently enjoy such scrutiny. b. EA Products describe "as-is" environment, "to-be" environment, and sequencing plan: GAO Comment: EA products describe the "as-is" and "to-be" environments as well as high level transition activities. However, a sequencing plan for transitioning between the "as-is" and "to-be" environments is currently under development. Dept EA Comment: The revised JEA Transition Strategy will meet this requirement. c. Committee or group representing the enterprise or the investment review board has approved the current version of EA: GAO Comment: According to the chief architect, a committee or group representing the enterprise has not approved the current version of the EA. Dept EA Comment: All previous and current versions of the JEA have been approved by the executive offices of both State and USAID. Stage 5: Leveraging the EA for management change: a. Process exists to formally manage EA change. GAO Comment: According to the chief architect, a process to formally manage EA change does not exist. Dept EA Comment: The draft JMC JEA Governance process will address this requirement. b. EA is an integral component of IT investment management process: GAO Comment: According to the chief architect, EA is an integral component of the IT investment management process. However, the sequencing plan to guide investments is currently under development. Dept EA Comment: The revised JEA Transition Strategy will meet this requirement. c. Organization head has approved current version of EA: GAO Comment: According to the chief architect, the organization head has not approved the current version of the EA. Dept EA Comment: Both State's and USAID's CIOs have approved the current version of the JEA. The new JMC Governance process will address the issue of gaining Organization Head approval for future versions of the JEA. d. Return on EA investment is measured and reported: GAO Comment: According to the chief architect, return on EA investment is not measured and reported. Dept EA Comment: The new JMC Governance process will provide an opportunity to incorporate appropriate metrics to show EA return on investment. e. Compliance with EA is measured and reported: GAO Comment: According to the chief architect, compliance with EA is measured and reported and officials provided a description of how compliance is to be measured. However, no documentation demonstrating compliance reporting was provided. Dept EA Comment: EA is an integral part of the CPIC process at State, including providing project management training, evaluating and scoring project proposals against EA alignment. EA IT Investment score-sheets were provided to GAO as examples of EA/CPIC compliance. GAO Comments: 1. We acknowledge the comment that both CIOs approved the configuration management plan. However, the department did not provide us with any documentation to support this statement. 2. We acknowledge the comment that the architecture has been approved by State and USAID executive offices. However, the department did not provide any documentation describing to which executive offices the department is referring to allow a determination of whether they were collectively representative of the enterprise. Moreover, as we state in the report, the chief architect told us that a body representative of the enterprise has not approved the current version of the architecture, and according to documentation provided, the Joint Management Council is to be responsible for approving the architecture. 3. We acknowledge that steps have been taken and are planned to treat the enterprise architecture as an integral part of the investment management process, as our report findings reflect. However, our point with respect to this core element is whether the department's investment portfolio compliance with the architecture is being measured and reported to senior leadership. In this regard, State did not provide the score sheets referred to in its comments, nor did it provide any other evidence that such reporting is occurring. [End of section] Appendix XIV: Comments from the Department of the Treasury: Department Of The Treasury: Washington, D.C. 20220: JUN 23 2006: Mr. Michael P. Holland: Senior Information Technology Analyst: U.S. Government Accountability Office: General Accounting Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Mr. Holland: Thank you for the opportunity to review and comment on the General Accounting Office (GAO) draft report, "Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation (GAO Report # 06-831). Overall, our review of the "Draft" report found the report to be consistent with our own assessment of the Treasury Department's Enterprise Architecture at the time of the GAO review. The Department of Treasury recognized the need to take proactive steps to mature its Enterprise Architecture program and took the following affirmative steps in FY2005: -Hired Executive (Associate Chief Information Officer for Electronic Government) to develop and lead the Department's Enterprise Architecture Program. -Adopted the enterprise-wide repository toolset (Metis) to normalize data collection and streamline the EA Department's Data Capture requirements. The above actions, in conjunction with effective leadership and collaboration across the Department, resulted in Treasury receiving a score of three out of a possible five on its Federal Enterprise Architecture (FEA) Assessment. The score of three raised the Department's rating from "Red" to "Yellow" in Enterprise Architecture in the October 2005, President's Management Agenda, E-Government Scorecard. The GAO report confirms and highlights the Department's need to continue to provide executive leadership to the developing Enterprise Architecture program, and to codify the program into Departmental policy. The Department is committed to continuing the Enterprise Architecture maturation process and, subsequently, identified a vendor to perform an Independent Verification and Validation of the Departments Enterprise Architecture \program. A key deliverable from the IV&V is a comprehensive "Gap Analysis". The Chief Enterprise Architect utilizing the "Gap Analysis" will identify Program deficiencies, and formulate appropriate mitigation strategies to continue maturing the Treasury "One Enterprise Architecture". Thank you again for the opportunity to review the "Draft" GAO report. If you have any questions regarding these comments, please contact me at (202) 622-1200 or via e-mail at Lawrence.Gross@do.Treas.gov. Signed by: Lawrence Gross: Associate CIO E-Government: Office of the Chief Information Officer: U.S. Department of the Treasury: [End of section] Appendix XV: Comments from the Department Veterans Affairs: The Deputy Secretary Of Veterans Affairs: Washington: June 21, 2006: Mr. Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: Information Technology Team: U. S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Hite: The Department of Veterans Affairs (VA) has reviewed your draft report, Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation (GAO-06 831). VA concurs with your recommendation that VA's enterprise architecture programs develop and implement plans for fully satisfying each of the conditions in the Government Accountability Office's (GAO) enterprise architecture management maturity framework. The Department will provide a detailed plan to implement GAO's recommendation when commenting on your final report. VA appreciates the opportunity to comment on your draft report. Sincerely yours, Signed by: Gordon H. Mansfield: [End of section] Appendix XVI: Comments from the Environmental Protection Agency: United States Environmental Protection Agency: Washington, D.C. 20460: Jun 20 2006: Office Of Environmental Information: Mr. Randolph C. Hite, Director: Information Technology Architecture and Systems Issues: U.S. General Accountability Office: 441 G Street, NW: Washington, D.C. 20548: Dear Mr. Hite: Thank you for the opportunity to respond to the U.S. General Accounting Office (GAO) draft Report to Congressional Requesters "Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation" GAO-06-831). The U.S. Environmental Protection Agency (EPA) is pleased to note that the reviewers acknowledge the Agency's significant efforts to mature the management of its Enterprise Architecture (EA) Program. The Agency agrees with the reviewers' findings on most of the EA Management Maturity Framework (EAMMF) core elements. However, the current assessment of some core elements does not accurately reflect our true status. EPA formally requests that GAO reconsider its assessment before issuance of the final Report. We recognize the complexity of GAO's task, and provide the following evidence and rationale for changing EPA's assessment from the current Stage 1 to Stage 3. EA Committee (2.2) - EPA's Quality Information Council (QIC) is the Agency oversight committee for the Enterprise Architecture and is responsible for directing, overseeing, and approving the EA. The QIC operates a formal integrated process for all quality and information management responsibilities as a corporate board of Agency senior executives, including the Chief Financial Officer and the CIO. All EA management decisions are brought to QIC and I, as CIO and QIC Chair, have the authority to approve the QIC's direction and oversight of the Enterprise Architecture. The `CIO Delegation of authority' and the `QIC Charter' formally document this statement. EA Methodology (2.5) - EPA's EA methodology does include steps for maintaining the architecture, which were documented and approved within the official 2002 release of the EPA EA as the EPA EA Practice and Proposed Policy, and the EPA EA Approach. EPA has since established formal 'EA Policy' and 'EA Governance Procedure' which further authorizes and requires the use of a standardized EA methodology, framework, and automated toolset for the update and maintenance of the EA. EA Progress Measurement (3.6) - EPA's EA Transition Strategy and Sequencing Plan illustrates how EPA's progress in building out the target architecture is documented arid measured. The principle metric used was the rate of incorporation of EPA's shared service components in the individual business cases within the IT Portfolio. This metric was reported to the Chief Architect, the CIO, and to OMB. Additionally, progress against EPA's EA Project Plan is tracked and reported to Chief Architect and CIO representatives on a monthly basis. Also, EPA's EA management is more mature on two Stage 5 core elements than this report reflects: EPA's IT investments do comply with EPA's EA, and the EA change management process is more mature than stated. However, we recognize that there is one Stage 4 core element that has not yet been achieved, and thus our maturity assessment is appropriately a `3' on this scale. EPA requests that GAO revise the assessment to reflect EPA's EA maturity at Stage 3 before issuing the final report. All of the above referenced supportive materials have been provided to GAO in previous responses to this assessment inquiry. We would be happy to guide GAO to some specific language in the documentation we have provided that substantiates the above rationale. Again, thank you for the opportunity to respond to this important report. EPA is proud of our successful Enterprise Architecture as recognized by OMB's "green" EA maturity assessment in 2006. We consider this GAO assessment to be a valuable benchmarking exercise that will help us improve our performance. If you have any questions relating to this information, please contact Steve Tiber, EPA-GAO Liaison, at 202- 564-5184. Sincerely, Signed by: Linda A. Travers: Acting Assistant Administrator and Chief Information Officer: cc: Maryann Froehlich, Acting CFO: GAO Comments: 1. We agree and have modified our report to recognize evidence contained in the documents. 2. We do not agree. The 2002 documents do not contain steps for architecture maintenance. Further, evidence was not provided demonstrating that the recently prepared methodology documents were approved prior to the completion of our evaluation. 3. We do not agree. While we do not question whether EPA's EA Transition Strategy and Sequencing Plan illustrates how annual progress in achieving the target architectural environment is measured and reported, this is not the focus of this core element. Rather, this core element addresses whether progress against the architecture program management plan is tracked and reported. While we acknowledge EPA's comment that it tracks and reports such progress against plans on a monthly basis, neither a program plan nor reports of progress against this plan were provided as documentary evidence to support this statement. 4. We do not agree. First, while EPA's IT investment management process provides for consideration of the enterprise architecture in investment selection and control activities, no evidence was provided demonstrating that the process has been implemented. Second, while EPA provided a description of its architecture change management process, no evidence was provided that this process has been approved and implemented. [End of section] Appendix XVII: Comments from the General Services Administration: GSA: GSA Administrator: July 14, 2006: The Honorable David M. Walker: Comptroller General of the United States: Government Accountability Office: Washington, DC 20548: Dear Mr. Walker: Thank you for the opportunity to respond to the Government Accountability Office (GAO) draft report entitled: "Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation" (GAO-06-831). We are proud that GSA has achieved significant progress in implementing an agency wide enterprise architecture and anticipate realizing significant benefits from this effort. We have reviewed the draft report and we concur with the recommendation contained in the report that each agency "ensure that their respective enterprise architecture programs develop and implement plans for fully satisfying each of the conditions in the GAO enterprise architecture management maturity framework." In particular, the table 1, in Appendix IV, indicating GSA's satisfaction of framework elements, will be critical as we work in fiscal year 2007 to further implement core elements of the Enterprise Architecture Framework. Should you have any questions regarding this matter, please feel free to contact me. Staff inquiries may be directed to Mrs. Viola Hubbard, Audits, Office of the Chief Information Officer, on (202) 208-6155. Sincerely, Signed by: Lurita Doan: Administrator: U.S. General Services Administration: 1800 F Street, NW: Washington, DC 20405-0002 Telephone: (202) 501-0800: Fax: (202) 219-1243: www.gsa.gov: [End of section] Appendix XVIII: Comments from the National Aeronautics and Space Administration: National Aeronautics and Space Administration: Office of the Administrator: Washington, DC 20546-0001: June 15, 2006: Mr. Randolph C. Hite Director: Information Technology Architecture and Systems Issues: United States Government Accountability Office: Washington, DC 20548: Dear Mr. Hite: NASA has reviewed the draft Government Accountability Office (GAO) report "Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation" (GAO- 06-831). Thank you for the opportunity to provide comments on the recommendations in the draft report. The draft report contains one recommendation addressed to several Government entities, including NASA, that recommends these agencies, "ensure that their respective enterprise architecture programs develop and implement plans for fully satisfying each of the conditions in [GAO's] enterprise architecture management maturity framework." NASA concurs with this recommendation. The NASA Administrator continues to fully support the efforts of the NASA Chief Enterprise Architect to develop and implement the NASA Enterprise Architecture. NASA remains committed to achieving Stage 5 of GAO's Enterprise Architecture management maturity framework. If you have any questions, or require additional information, please contact Dr. John McManus, NASA Chief Enterprise Architect, at (202) 358- 1802 or Mr. Ken Griffey, NASA Deputy Chief Enterprise Architect, located at the Marshall Space Flight Center, at (228) 813-6209. Sincerely, Signed by: Shana Dale: Deputy Administrator: [End of Section] Appendix XIX: Comments from the Social Security Administration: Social Security Administration: The Commissioner: June 20, 2006: Mr. Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, D.C. 20548: Dear Mr. Hite: Thank you for the opportunity to review the draft report, "Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation" (GAO-06-831). Our comments are enclosed. If you have any questions, please have your staff contact Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965- 4636. Sincerely, Signed by: JoAnne B. Barnhart: Enclosure: Social Security Administration Baltimore MD 21235-0001: Comments Of The Social Security Administration (SSA) On The Government Accountability Office (GAO) Draft Report, "Enterprise Architecture: Leadership Remains Key To Establishing And Leveraging Architectures For Organizational Transformation (GAO-06-831): Thank you for the opportunity to review and provide comments on this GAO draft report. We appreciate GAO's effort to evaluate the state of enterprise architecture (EA) within the major federal government departments and agencies. This information is both informative and useful in the strategic planning of our EA program. We agree with GAO's conclusions and recommendation for executive action contained in this GAO report. GAO Recommendation: To assist departments and agencies in addressing enterprise architecture challenges, managing their architecture programs, and realizing architecture benefits, GAO recommends that SSA ensure that its enterprise architecture program develop and implement plans for fully satisfying each of the conditions of GAO's enterprise architecture management maturity framework. SSA Comment: We agree. We have formed an Enterprise Architecture Governance Committee and have dedicated EA staff to ensure continued development and maturity of our EA program in accordance with GAO's Enterprise Architecture Management Maturity Framework (EAMMF) and the Federal Enterprise Architecture Program Management Office EA Assessment Framework 2.0 requirements. Since the time this GAO effort was completed, we have improved and documented our EA framework, models, documentation and implementation. As a result, the Office of Management and Budget (OMB) scored SSA's Framework 2.0 assessment as Green in all categories (Completion, Use and Results) during OMB's March 2006 review. Other Comments: We have the following comments on the Appendix IV table pertaining to SSA with regard to SSA satisfaction of core elements of the noted EAMMF stages. Satisfaction of Stage 2 Core Element - "EA is being developed using a framework methodology, and automated tool" The GAO report states in the Appendix IV table (and also on page 24) that the SSA EA methodology does not describe the steps for developing, maintaining and validating the Agency's EA. We disagree. The Enterprise Architecture Governance Committee charter and the formal Configuration Management Plans previously submitted to GAO follow full Systems Development Life Cycle practices and thus adequately describe the steps for developing, maintaining and validating the Agency's EA. Satisfaction of Stage 5 Core Element - " Organization head has approved current version of EA" The GAO report states SSA did not provide documentation delegating EA approval authority from the organization head to the Chief Information Officer (CIO). We believe the Clinger-Cohen Act of 1996, and specifically 40 U.S.C. 11315, vests the Agency CIO with that authority and therefore, no formal delegation in writing from the Agency head to the CIO is required. In consideration of the above comments concerning Stages 2 and 5, it appears from GAO's evaluation and comments that if the Stage 2 core element discussed above is satisfied by the referenced documents, then SSA's EA Maturity level would rise from a "1" to a "4" for the stage where all elements are fully satisfied. It also follows that if the Stage 5 core element discussed above is satisfactory, then SSA's EA Maturity level would rise from "4" to "5" in the stage where all elements are at least partially satisfied. GAO Comments: 1. We do not agree. Neither the governance committee charter nor the configuration management plan explicitly describe a methodology that includes detailed steps to be followed for developing, maintaining, and validating the architecture. Rather, these documents describe, for example, the responsibilities of the architecture governance committee and architecture configuration management procedures. 2. We do not agree. The core element in our framework concerning enterprise architecture approval by the agency head is derived from federal guidance and best practices upon which our framework is based. This guidance and related practices, and thus our framework, recognize that an enterprise architecture is a corporate asset that is to be owned and implemented by senior management across the enterprise, and that a key characteristic of a mature architecture program is having the architecture approved by the department or agency head. Because the Clinger-Cohen Act does not address approval of an enterprise architecture, our framework's core element for agency head approval of an enterprise architecture is not inconsistent with, and is not superseded by, that act. [End of section] Appendix XX: Comments from the U.S. Agency for International Development: USAID: From The American People: June 22, 2006: Randolph C. Hite, Director: Information Technology Architecture and Systems Issues: U.S. Government Accountability Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Mr. Hite: I am pleased to provide the U.S. Agency for International Development's (USAID) formal response on the draft GAO report entitled "Enterprise Architecture: Leadership Remains Key to Establishing and Leveraging Architectures for Organizational Transformation (GAO-06-831)" (August 2006). By OMB direction, the Agency is focusing most of its resources in developing a Joint Department of State and USAID Enterprise Architecture. As both agencies now receive a combined Annual EA Assessment, we will work together to implement the recommendations from this report. Thank you for the opportunity to respond to the GAO draft report and for the courtesies extended by your staff in the conduct of this review. Sincerely, Signed by: David Ostermeyer: Acting Chief Financial Officer: U.S. Agency for International Development: U.S. Agency for International Development: 1300 Pennsylvania Avenue, NW: Washington, DC 20523: www.usaid.gov: [End of section] Appendix XXI GAO Contact and Staff Acknowledgements: GAO Contact: Randolph C. Hite, (202) 512-3439: Staff Acknowledgments: In addition to the person named above, Edward Ballard, Naba Barkakati, Mark Bird, Jeremy Canfield, Jamey Collins, Ed Derocher, Neil Doherty, Mary J. Dorsey, Marianna J. Dunn, Joshua Eisenberg, Michael Holland, Valerie Hopkins, James Houtz, Ashfaq Huda, Cathy Hurley, Cynthia Jackson, Donna Wagner Jones, Ruby Jones, Stu Kaufman, Sandra Kerr, George Kovachick, Neela Lakhmani, Anh Le, Stephanie Lee, Jayne Litzinger, Teresa M. Neven, Freda Paintsil, Altony Rice, Keith Rhodes, Teresa Smith, Mark Stefan, Dr. Rona Stillman, Amos Tevelow, and Jennifer Vitalbo made key contributions to this report. (310604): FOOTNOTES [1] An enterprise architecture is a blueprint for organizational change defined in models that describe (in both business and technology terms) how the entity operates today and how it intends to operate in the future; it also includes a plan for transitioning to this future state. [2] GAO, Information Technology: A Framework for Assessing and Improving Enterprise Architecture Management (Version 1.1), GAO-03- 584G (Washington, D.C.: April 2003). [3] Our analysis reflects the state of department and agency architecture efforts as of March 2006. [4] GAO-03-584G. [5] The Department of Defense submitted a single letter that included comments from the Departments of the Air Force, Army, and Navy. Representatives of the Departments of Health and Human Services and Transportation stated that they did not have comments. [6] See, for example, GAO, Homeland Security: Efforts Under Way to Develop Enterprise Architecture, but Much Work Remains, GAO-04-777 (Washington, D.C.: Aug. 6, 2004); DOD Business Systems Modernization: Limited Progress in Development of Business Enterprise Architecture and Oversight of Information Technology Investments, GAO-04-731R (Washington, D.C.: May 17, 2004); Information Technology: Architecture Needed to Guide NASA's Financial Management Modernization, GAO-04-43 (Washington, D.C.: Nov. 21, 2003); DOD Business Systems Modernization: Important Progress Made to Develop Business Enterprise Architecture, but Much Work Remains, GAO-03-1018 (Washington, D.C.: Sept. 19, 2003); and Information Technology: DLA Should Strengthen Business Systems Modernization Architecture and Investment Activities, GAO-01-631 (Washington, D.C.: June 29, 2001). [7] J. A. Zachman, "A Framework for Information Systems Architecture," IBM Systems Journal vol. 26, no. 3 (1987). [8] The windows include (1) the strategic planner, (2) the system user, (3) the system designer, (4) the system developer, (5) the subcontractor, and (6) the system itself. [9] The models cover (1) how the entity operates, (2) what the entity uses to operate, (3) where the entity operates, (4) who operates the entity, (5) when entity operations occur, and (6) why the entity operates. [10] Similar to the Zachman framework, FEAF's proposed models describe an entity's business, data necessary to conduct the business, applications to manage the data, and technology to support the applications. [11] 40 U.S.C. sections 11101-11703. [12] GAO, Weather Forecasting: Systems Architecture Needed for National Weather Service Modernization, GAO/AIMD-94-28 (Washington, D.C.: Mar. 11, 1994). [13] GAO, Air Traffic Control: Complete and Enforced Architecture Needed for FAA Systems Modernization, GAO/AIMD-97-30 (Washington, D.C.: Feb. 3, 1997). [14] GAO, Tax Systems Modernization: Blueprint Is a Good Start but Not Yet Sufficiently Complete to Build or Acquire Systems, GAO/AIMD/GGD-98- 54 (Washington, D.C.: Feb. 24, 1998). [15] GAO, Student Financial Aid Information: Systems Architecture Needed to Improve Programs' Efficiency, GAO/AIMD-97-122 (Washington, D.C.: July 29, 1997). [16] GAO, Customs Service Modernization: Architecture Must Be Complete and Enforced to Effectively Build and Maintain Systems, GAO/AIMD-98-70 (Washington, D.C.: May 5, 1998). [17] GAO, Information Technology: INS Needs to Better Manage the Development of Its Enterprise Architecture, GAO/AIMD-00-212 (Washington, D.C.: Aug. 2000). [18] GAO, Medicare: Information Systems Modernization Needs Stronger Management and Support, GAO-01-824 (Washington, D.C.: Sept. 20, 2001). [19] GAO, Federal Aviation Administration: Stronger Architecture Program Needed to Guide Systems Modernization Efforts, GAO-05-266 (Washington, D.C.: April 2005). [20] GAO, Information Technology: FBI is Taking Steps to Develop an Enterprise Architecture, but Much Remains to Be Accomplished, GAO-05- 363 (Washington, D.C.: Sept. 9, 2005). [21] GAO, Information Technology: Terrorist Watch Lists Should Be Consolidated to Promote Better Integration and Sharing, GAO-03-322 (Washington, D.C.: April 15, 2003). [22] GAO, Information Technology: Architecture Needed to Guide Modernization of DOD's Financial Operations, GAO-01-525 (Washington, D.C.: May 17, 2001). [23] GAO-01-631. [24] GAO, Combat Identification Systems: Strengthened Management Efforts Needed to Ensure Required Capabilities, GAO-01-632 (Washington, D.C.: June 25, 2001). [25] GAO, DOD Business Systems Modernization: Improvements to Enterprise Architecture Development and Implementation Efforts Needed, GAO-03-458 (Washington, D.C.: Feb. 28, 2003); Information Technology: Observations on Department of Defense's Draft Enterprise Architecture, GAO-03-571R (Washington, D.C.: Mar. 28, 2003); DOD Business Systems Modernization: Longstanding Management and Oversight Weaknesses Continue to Put Investments at Risk, GAO-03-553T (Washington, D.C.: Mar. 31, 2003); Business Systems Modernization: Summary of GAO's Assessment of the Department of Defense's Initial Business Enterprise Architecture, GAO- 03-877R (Washington, D.C.: July 7, 2003); DOD Business Systems Modernization: Long-Standing Weaknesses in Enterprise Architecture Development Need to Be Addressed, GAO-05-702 (Washington, D.C.: July 22, 2005). [26] GAO, Information Technology: Enterprise Architecture Use across the Federal Government Can Be Improved, GAO-02-6 (Washington, D.C.: Feb. 19, 2002). [27] GAO, Information Technology: Leadership Remains Key to Agencies Making Progress on Enterprise Architecture Efforts, GAO-04-40 (Washington, D.C.: Nov. 17, 2003). [28] A score of 0 means undefined, 1 means initial, 2 means managed, 3 means utilized, 4 means results-oriented, and 5 means optimized. [29] GAO-03-584G. [30] CIO Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0 (February 2001). [31] This set of products is consistent with OMB's federal enterprise architecture reference models. [32] See, for example, GAO-01-525, GAO-03-458, GAO-04-731R, GAO-05-702, and GAO, DOD Business Systems Modernization: Important Progress Made in Establishing Foundational Architecture Products and Investment Management Practices, but Much Work Remains, GAO-06-219 (Washington, D.C.: Nov. 23, 2005). [33] GAO-05-702. [34] Partially satisfied means that a department or agency has addressed some, but not all, aspects of the core element. [35] GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity. GAO-04-394G. (Washington, D.C.: Mar. 2004). [36] GAO, High Risk Series: An Update. GAO-05-207. (Washington, D.C.: Jan. 2005). [37] Representatives from the Departments of Health and Human Services and Transportation stated that they did not have comments. [38] The Departments of the Army and Justice did not provide cost data. [39] The "other" cost category includes costs that cannot be allocated to the other categories. [40] The "other" cost category is intended to include costs that cannot be allocated to the categories we specified. [41] GAO-03-584G. [42] The "other" tool category is intended to include various tools that were not listed on our survey. [43] Other tools reported by the departments and agencies include: Adaptive Information Technology Portfolio Manager, Adaptive-USDA EA Repository, Caliber-RM, Catalyze by SteelTrace, Defense Architecture Repository System (DARS), DARS MS Office, Embarcadero-ER Studio, Erwin, FRA Portal, MS Word, OMG Component Collaborative Architecture (Component X Tool), ProSight, Serena Tracker and Version Manager. [44] This framework was issued in September 1999 by the federal CIO Council. [45] Some agencies and departments did not indicate their level of satisfaction or dissatisfaction with the framework(s) they reported using. [46] The number of responses regarding frameworks is larger than the number of agencies surveyed because some agencies reported using more than one framework. [47] This Act requires 24 departments and agencies to establish chief financial officers. See 31 U.S.C. section 901. [48] GAO-03-584G. [49] Office of Management and Budget, Management of Federal Information Resources, Circular A-130 (Nov. 28, 2000). [50] Chief Information Officers Council, Federal Enterprise Architecture Framework, Version 1.1 (September 1999) and Chief Information Officers Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0 (February 2001). [51] GAO-02-6; GAO-04-40; and, for example, GAO-03-1018, GAO-04-777, GAO-05-702, GAO-06-219. [52] The Social Security Administration was the only agency to decline such an initial meeting. [53] The Department of Defense submitted updated information to Congress about its Business Enterprise Architecture on March 15, 2006. This information was also considered as part of our evaluation. [54] GAO-03-584G [55] GAO. Business Systems Modernization: DOD Continues to Improve Institutional Approach, but Further Steps Needed, GAO-06-658. (May 15, 2006). [56] GAO, Homeland Security: Efforts Under Way to Develop Enterprise Architecture but Much Work Remains, GAO-04-777. [57] GAO, High Risk Series: An Update, GAO-05-207. [58] CIO Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0 (February 2001). [59] GAO-02-6 [60] GAO-03-584G [61] GAO-04-40 GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: