This is the accessible text file for GAO report number GAO-03-751 entitled 'Information Technology: Executive office for U.S. Attorneys Needs to Institutionalize Key IT Management Disciplines' which was released on August 12, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. On January 8, 2004, this document was revised to add various footnote references missing in the text of the body of the document. Report to Congressional Requesters: July 2003: Information Technology: Executive Office for U.S. Attorneys Needs to Institutionalize Key IT Management Disciplines: GAO-03-751: GAO Highlights: Highlights of GAO-03-751, a report to congressional requesters Why GAO Did This Study: The Executive Office for United States Attorneys (EOUSA) of the Department of Justice is responsible for managing information technology (IT) resources for the United States Attorneys’ Offices. GAO was asked to determine the extent to which EOUSA has institutionalized key IT management capabilities that are critical to achieving Justice’s strategic goal of improving the integrity, security, and efficiency of its IT systems. What GAO Found: To varying degrees, EOUSA has partially defined and implemented certain IT management disciplines that are critical to successfully achieving the Justice Department’s strategic goal of improving the integrity, security, and efficiency of its IT systems. However, it has yet to institutionalize any of these disciplines, meaning that it has not defined existing policies and procedures in accordance with relevant guidance, and it has yet to fully implement what it has defined. In particular, while EOUSA has developed an enterprise architecture—a blueprint for guiding operational and technological change—the architecture was not developed in accordance with certain best practices. In addition, while the office has implemented certain process controls for selecting, controlling, and evaluating its IT investments, it has not yet implemented others that are necessary in order to develop an effective foundation for investment management. Further, it has not implemented important management practices that are associated with an effective security program. In contrast, it has defined—and is implementing on a major system that we reviewed—most, but not all, of the management practices associated with effective systems acquisition. Institutionalization of these IT management disciplines has not been an agency priority and is not being guided by plans of action or sufficient resources. Until each discipline is given the priority it deserves, EOUSA will not have the IT management capabilities it needs to effectively achieve the department’s strategic goal of improving the integrity, security, and efficiency of its IT systems. What GAO Recommends: To strengthen EOUSA’s IT management capacity and to increase its chances of effectively leveraging IT to improve its mission performance, GAO recommends that the Attorney General direct the Director of EOUSA to (1) designate institutionalization of each of the IT management disciplines as priorities and (2) develop and implement action plans in each of the four IT disciplines to address the weaknesses that are identified in this report. EOUSA agreed with the majority of GAO’s findings and recommendations, and stated that it will address most of the recommendations. It also stated that it has made notable progress in institutionalizing the IT management disciplines, particularly information security, and that each is currently an office priority. www.gao.gov/cgi-bin/getrpt?GAO-03-751. To view the full product, including the scope and methodology, click on the link above. For more information, contact Randolph C. Hite at 202-512-3439 or hiter@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: EOUSA Has Yet to Institutionalize Key IT Management Disciplines: Conclusions: Recommendations: Agency Comments and Our Evaluation: Appendixes: Appendix I: Objective, Scope, and Methodology: Appendix II: Assessment of ECMS Acquisition Practices against Level 2 of SEI's Software Acquisition Capability Maturity Model: Appendix III: Comments from the Department of Justice: GAO Comments: Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Acknowledgments: Tables: Table 1: Summary of Version 1.0 of GAO's EA Management Maturity Framework Stages: Table 2: Assessment of EOUSA's EA Efforts against GAO's EA Maturity Framework: Table 3: The Five Stages of GAO's ITIM Maturity Framework: Table 4: Assessment of EOUSA's ITIM Efforts against Stage 2 of GAO's ITIM Maturity Framework: Table 5: SA-CMM Levels and Descriptions: Table 6: Assessment of ECMS Acquisition against SEI's SA-CMM Level 2 Key Process Area: Table 7: Software Acquisition Planning: Table 8: Solicitation: Table 9: Requirements Development and Management: Table 10: Project Management: Table 11: Contract Tracking and Oversight: Table 12: Evaluation: Figures: Figure 1: Simplified Diagram of EOUSA's Network Connections: Figure 2: Estimated IT Expenditures for Fiscal Year 2003: Abbreviations: CIO: chief information officer: EA: enterprise architecture: ECMS: Enterprise Case Management System: EOUSA: Executive Office for United States Attorneys: GWAC: Governmentwide Acquisition Contracts: IRB: Investment Review Board: IT: information technology: ITIM: IT investment management: JCN: Justice Consolidated Network: LIONS: Legal Information Office Network System: SA-CMM: Software Acquisition Capability Maturity Model: SEI: Software Engineering Institute: USAO: United States Attorneys' Office: VANITS: Value Added Niche Information Technology Service: VPN: virtual private network: WAN: wide-area network: Letter July 25, 2003: The Honorable F. James Sensenbrenner, Jr. Chairman The Honorable John Conyers, Jr. Ranking Minority Member Committee on the Judiciary House of Representatives: The Honorable Christopher Cannon Chairman The Honorable Melvin L. Watt Ranking Minority Member Subcommittee on Commercial and Administrative Law House of Representatives: This report is one of a series in response to your request that we evaluate the management activities of the Executive Office for United States Attorneys (EOUSA) and the U.S. Attorneys' Offices (USAO). As part of this request, you asked us to determine the extent to which EOUSA--the organization responsible for managing information technology (IT) resources for the USAOs--has institutionalized key IT management capabilities critical to achieving the Department of Justice's strategic goal of improving the integrity, security, and efficiency of its IT systems. As agreed, to meet this objective, we focused on whether EOUSA had institutionalized four important IT management disciplines: enterprise architecture management, investment management, system acquisition management, and security management. Research shows that these disciplines are institutionally employed by leading public and private sector organizations. They are also provided for in legislation and federal guidance.[Footnote 1] Details on our objective, scope, and methodology are in appendix I. Results in Brief: To varying degrees, EOUSA has partially defined and implemented each of four key IT management disciplines that are critical to successfully achieving the Department of Justice's strategic goal of improving the integrity, security, and efficiency of its IT systems. However, it has yet to institutionalize any of these disciplines--meaning that it has not defined its policies and procedures in accordance with relevant guidance--and it has yet to fully implement what it has defined. In particular, while EOUSA has an enterprise architecture--a blueprint for guiding operational and technological change--it has not developed the architecture in accordance with certain best practices. In addition, while the office has implemented certain process controls for selecting, controlling, and evaluating its IT investments, it has not yet implemented others that are necessary in order to develop an effective foundation for investment management. Further, it has not implemented important management practices that are associated with an effective security program, such as implementing and monitoring security policies and controls and promoting security awareness. To its credit, the office has defined--and is implementing on a major system- -most, though not all, of the management practices associated with effective systems acquisition. The institutionalization of these IT management disciplines has not been a sufficiently high priority for EOUSA, as evidenced by the absence of plans for fully implementing best practices for each discipline and, in some cases, an absence of requisite resources. Until each discipline is given the priority it deserves, EOUSA will not have the IT management capabilities that are critical to effectively achieving the Justice Department's strategic goal of improving the integrity, security, and efficiency of its IT systems. We are making recommendations to the Attorney General to strengthen management of each of these disciplines. In its written comments on a draft of this report, EOUSA agreed with our specific findings for three of the four IT management disciplines, and stated that it would address the weaknesses that we identified in each. However, it stated that its security program is strong, citing a number of security initiatives, including ones recently planned or started that are consistent with our recommendations for addressing security weaknesses. We do not question the initiatives that EOUSA cited. However, our analysis of its security program, including these initiatives, identified serious security weaknesses, and as a result, we do not agree that EOUSA's security program is strong. Further, it stated that institutionalization of each of the IT disciplines is currently an office priority and that the state of its IT management capabilities is not an impairment to achieving departmental strategic goals. However, it did not dispute either of our two reasons for concluding otherwise; namely, that it did not have a plan for fully implementing best practices for each discipline, and it had not allocated adequate resources to support such a plan. EOUSA's comments are summarized and evaluated in the Agency Comments and Our Evaluation section of this report. Background: U.S. Attorneys prosecute criminal cases brought forward by the federal government, prosecute and defend civil cases in which the United States is a party, and collect debts owed to the federal government that are administratively uncollectible. EOUSA was established in 1953 as a component of the Department of Justice to, among other things, provide general executive assistance and administrative and operational support to the 93 USAOs located throughout the 50 states, the District of Columbia, Guam, the Marianas Islands, Puerto Rico, and the U. S. Virgin Islands[Footnote 2] and to coordinate with other Department of Justice organizational units and other federal agencies on behalf of the U.S. Attorneys. One of EOUSA's key responsibilities is managing the USAOs' IT resources, including preparing their annual IT budget submissions and supporting their acquisition and maintenance of IT assets. IT plays an important role in helping the USAOs meet their mission objectives and, according to EOUSA planning documents, the USAOs' reliance on IT is to increase in response to expected growth in the number and complexity of their cases. Currently, EOUSA manages an IT environment consisting of central and distributed computing and communication resources in Washington, D.C., and 93 USAOs, respectively. Connectivity among these offices, Justice headquarters, and Justice's Data Center in Rockville, MD,[Footnote 3] is through a virtual private network (VPN)[Footnote 4] connection on the Justice Consolidated Network (JCN), with such security: safeguards as firewalls[Footnote 5] between USAO local area networks and JCN. The VPN/firewall combination, which provides the foundation for secure communications between EOUSA and the sites mentioned above, is currently being replaced. Figure 1 generally depicts EOUSA's network topology. The USAOs' support is also provided by such application systems as the Legal Information Office Network System, which is a case management system that compiles, maintains, and tracks information about defendants, crimes, criminal charges, court events, and witnesses, and the Victim Notification System, which notifies crime victims of the status of their cases and assists with checking compliance with regulations and policies concerning victim notification. Figure 1: Simplified Diagram of EOUSA's Network Connections: [See PDF for image] [End of figure] Recognizing the importance of IT to achieving the USAOs' mission, EOUSA appointed a Chief Information Officer (CIO) in May 2001 and assigned the CIO accountability and responsibility for managing central and distributed IT resources and services, including: * managing the IT budget for the office and all of the USAOs; * developing and acquiring new systems, including case management systems, and providing support for existing systems; * managing network, telephone, and video communications; and: * securing IT assets (data, applications, and supporting networks). In fiscal year 2003, EOUSA reports that it plans to spend approximately $125 million on about 20 initiatives. Roughly $110 million of this amount is to be spent on IT infrastructure and office automation projects (e.g., telecommunications programs). The remainder is to be spent on acquiring mission support systems (e.g., Enterprise Case Management System (ECMS),[Footnote 6] Victim Notification System) and maintaining existing ones. Figure 2 shows the breakdown of estimated expenditures for fiscal year 2003. Figure 2: Estimated IT Expenditures for Fiscal Year 2003: [See PDF for image] [End of figure] EOUSA Has Yet to Institutionalize Key IT Management Disciplines: Research into the IT management practices that are employed by leading public-and private-sector organizations has identified key institutional IT management disciplines that are interrelated and critical to ensuring, among other things, the integrity, security, and efficiency of IT systems. These disciplines are also addressed in legislation and federal guidance.[Footnote 7] They include: 1. enterprise architecture management, which involves defining, maintaining, and implementing an institutional blueprint that defines both the business and the supporting technology of the organization's current and target operating environments and a roadmap to achieve the target environment; 2. IT investment management, which involves selecting, controlling, and evaluating a portfolio of investments within the context of an enterprise architecture; 3. IT security management, which involves protecting the integrity, confidentiality, and availability of an organization's IT assets (e.g., data, application systems, and networks) and reducing the risks of tampering, unauthorized intrusions and disclosures, and disruption of operations. 4. system acquisition management, which involves managing selected investments (system projects) in a manner that increases the probability of promised system capabilities being delivered on time and within budget. As we have previously reported,[Footnote 8] to successfully institutionalize these disciplines, organizations should develop integrated plans to guide their efforts that (1) specify measurable goals, objectives, and milestones; (2) specify needed resources; and (3) assign clear responsibility and accountability for accomplishing well-defined tasks. In addition, these plans should be approved by senior management. In implementing these plans, it is important that organizations allocate adequate resources and measure and report progress against planned commitments and that appropriate corrective actions be taken to address deviations. EOUSA has defined and implemented each of the four IT management disciplines mentioned above to some degree. However, none has been institutionalized, meaning that they are not fully defined in accordance with best practices and what has been defined has not been fully implemented. While these disciplines have been given attention since the recent appointment of the CIO, they have not been treated as priorities, in that action plans needed for successful institutionalization have not been developed or resourced. As a result, EOUSA is currently limited in its ability to meet Justice's strategic goal of improving its IT systems, and the USAOs will be challenged in their ability to effectively and efficiently meet their mission goals and priorities. EOUSA Is Not Performing Important Practices Associated with Effective Enterprise Architecture Management: An enterprise architecture (EA) is an investment blueprint that defines, both in logical terms (including business functions and applications, work locations, information needs and users, and the interrelationships among these variables) and in technical terms (including hardware, software, data communications, and security) how an organization operates today ("as is"), how it intends to operate tomorrow ("to be"), and a roadmap for transitioning from today to tomorrow. The development, maintenance, and implementation of architectures are recognized hallmarks of successful public and private organizations. According to a guide published by the federal CIO Council,[Footnote 9]effective architecture management consists of a number of core elements. In February 2002, we published version 1.0 of our EA management maturity framework, which arranges the core elements of the CIO Council's guide into five hierarchical stages.[Footnote 10] The framework provides an explicit benchmark for gauging the effectiveness of architecture management and provides a roadmap for making improvements. Table 1 summarizes the framework's five stages of maturity. Table 1: Summary of Version 1.0 of GAO's EA Management Maturity Framework Stages: Stage: Stage 5: Leveraging the EA to manage change (includes all elements in stage 4); Description: This stage entails, among other things, incorporating the EA into corporate decision making to (1) avoid unwarranted overlap across investments, (2) enable maximum systems interoperability, and (3) ensure selection and funding of IT investments with manageable risks and returns. Stage: Stage 4: Completing the EA products (includes all elements in stage 3); Description: This stage is characterized by having EA products that have been approved by the EA steering committee (established in stage 2) or an investment review board, and by the CIO. Stage: Stage 3: Developing the EA products (includes all elements in stage 2); Description: This stage focuses on developing EA products according to the selected framework, methodology, tool, and established management plans. Stage: Stage 2: Building the EA management foundation; Description: This stage focuses on assigning EA management roles and responsibilities, establishing plans for developing EA products, and committing the resources necessary for developing these products. Stage: Stage 1: Creating EA awareness; Description: This stage is characterized either by no plans to develop and use an EA or by plans that do not demonstrate an awareness of the value of having and using an EA. Source: GAO. [End of table] EOUSA has satisfied many of the framework's core elements. Specifically, it has satisfied about 80 percent of the elements associated with building the EA management foundation--stage 2 of our EA management maturity framework--and half of the 12 core elements associated with higher maturity stages. At stage 2, it has established a chief architect and has selected a framework (the Federal Enterprise Architecture Framework) and, according to officials, selected a tool (the Enterprise Architecture Management System) to serve as a repository for its EA artifacts. At the higher stages of our framework, the CIO, for example, approved a version of an EA in May 2002 that describes the "as is" and "to be" environments for its core business functions. However, the office has yet to satisfy several of the core elements that are critical to effective EA management. For example, a committee or group representing the enterprise has not yet been established to guide and oversee the development of future versions of the architecture. Instead, the current version of its architecture has been primarily guided and directed by the CIO's office. Until a committee or group representing the enterprise is established, there is increased risk that the architecture will not represent a corporate decision- making tool and will not be viewed and endorsed officewide as such a tool. Another example is the absence of a written or approved policy for maintaining the EA. Without a documented, approved policy for EA maintenance that, for example, assigns responsibility and accountability for configuration management and version control, EOUSA risks allowing its architecture to become outdated and irrelevant, thus limiting its effectiveness in selecting and guiding IT investments. EOUSA does not have a written plan of action for strengthening EA management and evolving the current version of its EA, because, according to the CIO, developing such a plan is not a priority. Table 2 shows EOUSA's performance in addressing the core elements of our maturity framework. Table 2: Assessment of EOUSA's EA Efforts against GAO's EA Maturity Framework: Stage: Stage 5: Leveraging the EA for managing change; (includes all elements from stage 4); Core element: Written/approved policy exists for EA maintenance; Satisfied?: No; Comments: According to agency officials, there is no written/ approved policy for EA maintenance. Core element: EA steering committee, investment review board, or agency head has approved EA; Satisfied?: No; Comments: The EA has not been reviewed by any steering committee or investment review board or by the agency head. Core element: Metrics exist for measuring EA benefits; Satisfied?: No; Comments: According to agency officials, metrics for measuring EA benefits have not been developed. Stage: Stage 4: Completing architecture products; (includes all elements from stage 3); Core element: Written/approved policy exists for IT investment compliance with EA; Satisfied?: No; Comments: While there are criteria for ranking IT investments that call for determining compliance with the EA, no written/approved policy addresses this. Core element: EA products describe the enterprise's business--and the data, applications, and technology that support it; Satisfied?: Yes; Comments: EA products describe EOUSA's core business functions and the data, applications, and technology that support them. Core element: EA products describe the "as is" environment, the "to be" environment, and a sequencing plan; Satisfied?: Yes; Comments: EA products describe the "as is" environment, the "to be" environment, and a sequencing plan. Core element: Agency CIO has approved EA; Satisfied?: Yes; Comments: The CIO approved the EA in May 2002. Stage: Stage 3: Developing architecture products; (includes all elements from stage 2); Core element: Written/approved policy exists for EA development; Satisfied?: No; Comments: According to agency officials, there is no approved policy for EA development. Core element: EA products are under configuration management; Satisfied?: No; Comments: Although agency officials reported that EA products are under configuration management, they could not provide documentation to support this statement. Core element: EA products describe or will describe the enterprise's business--and the data, applications, and technology that support it; Satisfied?: Yes; Comments: EA products describe core business functions and the data, applications, and technology that support them. Core element: EA products describe or will describe the "as is" environment, the "to be" environment, and a sequencing plan; Satisfied?: Yes; Comments: EA products describe the "as is" environment, the "to be" environment, and a sequencing plan. Core element: EA scope is enterprise-focused; Satisfied?: Yes; Comments: EA products describe the "as is" and "to be" environments for the enterprise's core business functions. Stage: Stage 2: Building the EA management foundation; Core element: Committee or group representing the enterprise is responsible for directing, overseeing, or approving EA; Satisfied?: No; Comments: There is no committee or group representing the enterprise that is responsible for directing, overseeing, or approving the EA. The CIO is currently responsible for direction, oversight, and approval of the architecture. Core element: Program office responsible for EA development exists; Satisfied?: Yes; Comments: Roles and responsibilities for developing the EA were assigned to a group of individuals. Core element: Chief architect exists; Satisfied?: Yes; Comments: The CIO has been designated as the chief architect. Core element: EA is being developed using a framework and an automated tool; Satisfied?: Yes; Comments: The EA was developed using the Federal Enterprise Architecture Framework. In addition, agency officials reported that they are using the Enterprise Architecture Management System as their EA tool. Core element: EA plans call for describing the enterprise in terms of business, data, applications, or technology; Satisfied?: Yes; Comments: EA products describe core business functions and the data, applications, and technology that support them. Core element: EA plans call for describing "as is" environment, "to be" environment, or sequencing plan; Satisfied?: Yes; Comments: EA products describe the "as is" environment, the "to be" environment, and a sequencing plan. Stage: Stage 1: EA awareness; Core element: Agency is aware of EA; Satisfied?: Yes; Comments: In August 2002, the CIO issued a memo to agency staff notifying them of the need to use the EA to inform investment management decisions. Source: GAO. [End of table] EOUSA Has Not Established Key Capabilities Needed to Effectively Manage IT Investments: Effective IT investment management provides for evaluating each proposed and ongoing investment, based on EA alignment and measurable risks and returns and for selecting and controlling these investments as a portfolio of competing investment options. We have developed a framework that defines and measures an organization's maturity in IT investment management (ITIM) and provides a basis for improving investment management.[Footnote 11] This framework, which is based on the IT investment management practices of leading private-and public- sector organizations, is structured to permit progression through five maturity stages (shown in table 3). Each maturity stage consists of critical processes and key practices that should be implemented for an organization to become more effective in managing its IT investments. Table 3: The Five Stages of GAO's ITIM Maturity Framework: Stage: Stage 5; Leveraging IT for strategic outcomes; Description: Investment benchmarking and IT-enabled change management techniques are deployed to strategically shape business outcomes. Stage: Stage 4; Improving the investment process; Description: Process evaluation techniques focus on improving the performance and management of the organization's IT investment portfolio. Stage: Stage 3; Developing a complete investment portfolio; Description: Comprehensive techniques are in place for selection and control of the IT investment portfolio that incorporate benefit and risk criteria linked to mission goals and strategies. Stage: Stage 2; Building the investment foundation; Description: Repeatable investment control techniques are in place and the key foundation capabilities have been implemented. Stage: Stage 1; Creating investment awareness; Description: IT management processes are ad hoc, project-centric, and have widely variable outcomes. Source: GAO. [End of table] According to the framework, the first key step toward an effective investment management process is to build the investment foundation. An organization with this foundation (stage 2 maturity) has attained repeatable, successful investment control processes and basic selection processes at the project level. Successful management at this level allows an organization to measure the progress of existing IT projects and to identify variances in cost, schedule, and performance expectations by following established, disciplined processes. The organization should also be able to take corrective action, if appropriate, and should possess basic capabilities for selecting new project proposals. To accomplish this level of basic control, an organization should establish an investment board, identify the business needs and opportunities to be addressed by each project, and use this knowledge in the selection of new proposals. The office has satisfied two of the critical processes for stage 2, but it has not satisfied the other three. Specifically, it has established an investment governing board, known as the Investment Review Board (IRB) and developed a guide to direct its operations. It is also defining project needs in alignment with the agency's mission goals. However, the office has not, for example, defined procedures for project oversight. In addition, while an IT project and systems inventory exists as part of its "as is" architecture, a policy specifying how it will be used for investment management purposes has not been defined. Until EOUSA satisfies all critical processes for stage 2, it will not have the foundation it needs to build its investment management capability and it will not have an effective investment process. Table 4 summarizes our assessment of stage 2 capabilities. Table 4: Assessment of EOUSA's ITIM Efforts against Stage 2 of GAO's ITIM Maturity Framework: Critical process: IT investment board operation; Description: Define and establish (1) the governing board(s) responsible for selecting, controlling, and evaluating IT investments and (2) a guide directing the board(s) operations; Satisfied?: Yes; Comments: A governing board (the IRB) has been defined and established, and guidance directing the board's operations exists. Critical process: IT project oversight; Description: Regularly oversee each IT project's progress toward cost and schedule milestones, using established criteria, and require corrective actions when milestones are not achieved; Satisfied?: No; Comments: According to agency officials, projects are managed using earned value management[ A] to regularly determine project progress and control project costs and schedules. However, there are no procedures defining how the investment board is to regularly oversee each project's progress and require corrective actions when milestones are not achieved. Critical process: IT project and system identification; Description: Create and maintain an IT project and systems inventory to assist in managerial decision making; Satisfied?: No; Comments: An IT project and systems inventory exists as part of the EA. However, there is no policy defining how this inventory is to be used in managerial decision making. Critical process: Business needs identification for IT projects; Description: Ensure that each IT project supports the organization's business needs and meets users' needs; Satisfied?: Yes; Comments: Business needs and associated users have been identified, and users participate in the management of the project. We verified this for the Enterprise Case Management System project, which officials told us is representative of how they intend to acquire systems. Critical process: Proposal selection; Description: Ensure that an established, structured process is used to select new IT proposals; Satisfied?: No; Comments: A selection process using risk and return criteria is defined. However, officials stated that this selection process has not yet been used. Source: GAO. [A] Earned value is a management technique that relates resource planning to schedules and to technical cost and schedule requirements. There are two major objectives of an earned value system: to encourage contractors to use effective internal cost and schedule management control systems, and to permit the customer to rely on timely data produced by those systems for determining product-oriented contract status. [End of table] EOUSA has not demonstrated that maturing its IT investment management process is a priority by developing a plan for doing so and devoting resources to execute the plan. Until the office develops and implements a plan for establishing mature IT investment management processes (including all critical processes for building the investment management foundation), EOUSA will not have the full suite of capabilities it needs to ensure that project selection and control processes are repeatable or that it has the best mix of investments to meet agency priorities. EOUSA Has Not Implemented Effective Security Practices: Effective information security management is critical to EOUSA's ability to ensure the reliability, availability, and confidentiality of its information assets, and thus it is fundamental to its ability to perform its mission. Our research into public- and private-sector organizations with strong information security programs shows that leading organizations' programs include (1) establishing a central security focal point with appropriate resources, (2) continuously assessing business risks, (3) implementing and maintaining policies and controls, (4) promoting awareness, and (5) monitoring and evaluating the effectiveness of policies and controls.[Footnote 12] Currently, EOUSA is not fully satisfying any of these tenets of effective security. In addition, it has not demonstrated that institutionalizing effective security practices is a priority by developing a plan to guide its efforts to address security weaknesses and committing resources to perform essential security functions. Until such a plan is developed and effectively implemented, data, systems, and networks are at risk of inadvertent or deliberate misuse, fraud, improper disclosure, or destruction--possibly without detection. For example, the reliability and integrity of case information may be compromised, or sensitive crime victim information may be improperly disclosed. Central Security Focal Point Is Established but Has Not Been Appropriately Resourced: According to our framework, central management of key security functions is the foundation of an effective information security program, because it allows knowledge and expertise to be incorporated and applied on an enterprisewide basis. Having a central security focal point supported by appropriate resources is especially important for managing the increased risks associated with a highly connected computing environment, such as JCN, where security weaknesses in one segment of an organization's network can compromise the security of another segment's IT assets. In addition, centralizing the security management function provides a focal point for coordinating the activities associated with the other four elements of a strong information security program. In June 2001, EOUSA appointed a security officer with responsibility for centrally managing all aspects of IT security. However, EOUSA has not assigned sufficient staff to adequately carry out these responsibilities. For example, no staff has been assigned to monitor firewall logs[Footnote 13] or support the development of a centrally managed IT security training program--activities that fall under the security officer's purview. Each of these activities is discussed further in the following sections. Officials said that they recognize the need for additional staff resources to perform these activities. They also stated that they were in the process of hiring two people to support security functions, but they agreed that this would still not allow for performance of key security responsibilities. Without an appropriately resourced security program, security breaches may not be detected or addressed in a timely manner, awareness of security requirements across the organization may be inconsistent, and vulnerabilities in the current IT environment may not be appropriately addressed. Risks Have Not Always Been Assessed: According to our framework, identifying and assessing business risks is an essential step in determining what IT security controls are needed and what resources should be invested in these controls. Federal guidance advocates performing risk assessments at least once every 3 years--or when a significant change in a system or the systems environment (e.g., new threats) has occurred. These assessments should address the risks that are introduced through connections to other networks and the impact on an organization's mission should network security be compromised. In line with this guidance, EOUSA's certification and accreditation[Footnote 14] process requires that a risk assessment be completed for each system before any office can use it. According to EOUSA, a major system that recently underwent EOUSA's certification and accreditation process is the replacement for the existing firewall/VPN system. This system is intended to be the foundation for secure communications between EOUSA, Justice, and the geographically dispersed USAOs. Accordingly, we analyzed this system and found that while the firewall/VPN replacement system has been certified and accredited, the existing firewall/VPN system--which was deployed in 1996 and, as of May 9, 2003, was operating at 75 of the 240 sites[Footnote 15]--had not had a risk assessment performed and had not been certified and accredited. Officials told us that they have not performed such an assessment on this network because (1) it is not cost-effective to use limited resources to perform an assessment on a network that is to be fully replaced by June 30, 2003, and (2) the risks inherent in the network are minimal, given that it resides on Justice's JCN, for which they said they assume Justice had performed risk assessments. We agree that it does not make sense at this point to perform a risk assessment on the existing firewall/VPN system given that the replacement system is expected to be fully deployed by the end of June 2003. However, this does not change the fact that EOUSA has operated the network for about 7 years without understanding its exposure to risk. This is particularly important, because EOUSA officials could not provide us with evidence to support the assumption that Justice had performed a risk assessment for JCN. Moreover, previous studies have shown that Justice has had long-standing weaknesses in several aspects of its IT security program.[Footnote 16] According to EOUSA, its recently established certification and accreditation program will not allow this to happen again. Key Security Controls Have Not Been Implemented: According to our framework, risk-based, cost-effective security policies and related technology controls (such as firewalls configured to explicit rules and intrusion detection devices[Footnote 17] located to monitor key network assets) and procedural controls (such as contingency plans) are needed to protect a system from compromise, subversion, and tampering. Federal and Justice guidance also advocate establishing these policies and controls. While EOUSA is guided by many Justice security policies, it has not yet implemented key security controls that are needed to satisfy them. For example, CIO officials told us that the existing firewall/VPN system, which, as of May 9, 2003, was operating at 75 sites, is not based on explicit firewall rules. Moreover, according to these officials, no intrusion detection devices monitor the wide-area network (WAN)[Footnote 18] routers, firewalls, and VPN devices. Rather, the intrusion detection devices that are currently implemented are located only within the local area network environment (i.e., within a USAO). Also, the contingency plan developed for the replacement firewall/VPN system was not prepared according to federal guidelines. For example, the contingency plan does not specify procedures for notifying recovery personnel or assessing damage to systems. CIO officials told us that they had not implemented these security controls because, as previously noted, they believe the risks inherent in the network are minimal given that it resides on Justice's JCN, for which they said they assumed Justice had performed risk assessments. However, as previously stated, EOUSA provided no evidence to support this assumption, and Justice has had longstanding security weaknesses. Until EOUSA implements security controls, it may be unaware of vulnerabilities, increasing the risk that intruders may take control of network devices or that data passing through its firewalls can be read or manipulated. In addition, EOUSA may not be able to respond to security breaches adequately and in a timely manner. This is particularly threatening given the sensitivity of the information used by the USAOs in performing their work. EOUSA Does Not Adequately Promote User Awareness: According to our framework, promoting user awareness through education and training is essential to successfully implementing information security policies, achieving user understanding of security policies, and ensuring that security controls are instituted properly. This is because computer users--and others with access to information resources--are not able to comply with policies of which they are unaware or which they do not fully understand. Our framework suggests that a central group be tasked with educating users about current information security risks and helping to ensure consistent understanding and administration of policies. As previously mentioned, the security officer is responsible for promoting awareness of computer security. However, the security officer does not carry out this responsibility because provision of the resources to do so has not been viewed as an agency priority. According to the security officer, each district is thus responsible for managing its own IT training program, and the security officer does not know to what extent these programs address awareness of computer security. Without a centralized approach to security education and training, the security officer cannot adequately ensure that users are consistently aware of or fully understand the organizational policies and procedures with which they are expected to comply, thus risking the integrity, reliability, and confidentiality of data and systems. According to EOUSA officials, they plan to hire staff to develop and implement a centralized program by August 2003. EOUSA Is Not Monitoring the Effectiveness of Security Controls: Our framework recognizes the need to continuously monitor controls, through tests and evaluations, to ensure that the controls have been appropriately implemented and are operating as intended. Further, Justice's policy requires annual testing of security controls and requires EOUSA to (1) verify that the policies and procedures in component organizations are consistent with this policy and (2) enforce compliance with component and Justice security policies, including identifying sanctions and penalties for noncompliance. In addition, our framework and related best practices--as well as Justice's own policy- -advocate keeping summary records of security incidents, to allow measurement of the frequency of various types of violations and the damage suffered from these incidents. This type of oversight is critical because it enables management to identify problems and their causes--and to make the necessary corrections. CIO officials told us that testing has never been conducted to determine whether EOUSA's policies and procedures are consistent with Justice's and whether security controls are generally effective. According to these officials, testing has not been a priority because they assumed that Justice was performing tests of the WAN environment. However, Justice officials told us that, although they had evaluated the contractor's management of the WAN's circuits, they had not performed any tests to determine the effectiveness of technical and other controls associated with the WAN. The lack of testing heightens the risk that individuals both within and outside Justice could compromise EOUSA's external and internal security controls to gain extensive unauthorized access to its networks and to networks to which it is connected. EOUSA officials also told us that, contrary to Justice's policy, they do not maintain summary records of security incidents. Specifically, the production firewall/VPN software and routers at over 240 locations do not have audit logs that are activated, and the replacement routers, firewalls, and VPN devices are being implemented with no audit logs activated. According to these officials, they have not activated the audit logs because resources have not been allocated to provide for this security control. This lack of auditing heightens the risk of undetected intruders using EOUSA's systems to modify, bypass, or negate its firewalls and routers. Additionally, without these audit logs the office would be unable to reconstruct security-related incidents. EOUSA Is Employing Important Acquisition Management Practices on a Key System: Rigorous and disciplined system acquisition processes and practices can reduce the risk of fielding systems that do not perform as intended, are delivered late, or cost more than planned. The Software Engineering Institute (SEI), recognized for its expertise in acquiring software- intensive systems, has published models and guides for determining an organization's acquisition process maturity. One of those models, referred to as the Software Acquisition Capability Maturity Model (SA- CMM),[Footnote 19] addresses an organization's acquisition management ability.[Footnote 20] The SA-CMM model defines organizational maturity according to five levels (see table 5). Table 5: SA-CMM Levels and Descriptions: Level: Level 5: Optimizing; Description: Continuous process improvement is empowered by quantitative feedback from the process and from piloting innovative ideas and technologies. Level: Level 4: Quantitative; Description: Detailed measures of the acquisition processes, products, and services are quantitatively and qualitatively understood and controlled. Level: Level 3: Defined; Description: The acquisition organization's software acquisition process is documented and standardized. All projects use an approved, tailored version of the organization's standard process for acquiring their products and services. Level: Level 2: Repeatable; Description: Basic management processes for acquisition projects are established to plan all aspects of the acquisition, manage requirements, track project team and contractor team performance, manage the project's cost and schedule baselines, evaluate the products and services, and successfully transition to its support organization. The necessary process discipline is in place to repeat earlier successes on projects in similar domains. Level: Level 1: Initial; Description: The acquisition process is characterized as ad hoc, and occasionally even chaotic. Few processes are defined and success depends on individual effort. Source: SEI. [End of table] According to SEI, level 2 (the repeatable level) demonstrates that basic management processes, known as key process areas, have been established to track performance, cost, and schedule, and that the organization has the means to repeat earlier successes on similar projects. An organization that has these processes in place is in a much better position to successfully acquire software-intensive systems than an organization that does not. As a Justice component, EOUSA must comply with all departmental policies and procedures, including Justice's system development life- cycle management guidance. Since EOUSA officials told us that the Enterprise Case Management System (ECMS), which is intended to be the enterprise solution for managing and tracking case workload within the USAOs, is the first acquisition effort to follow Justice guidance from its inception, we compared this project, and the Justice guidance used to manage it, against SEI's SA-CMM, and we found that the project was being managed in accordance with the majority of the applicable level 2 practices. Table 6 represents a summary of our findings for this acquisition (see app. I for an expanded analysis). Table 6: Assessment of ECMS Acquisition against SEI's SA-CMM Level 2 Key Process Area: SA-CMM level 2 key process area: Software acquisition planning; Description: Ensure that reasonable planning for the acquisition is conducted and that all elements of the project are included; Total key practices: 15; Key practices performed: 13; Key practices not performed: 2. SA-CMM level 2 key process area: Solicitation; Description: Ensure that award is made to the contractor most capable of satisfying the specified requirements; Total key practices: 18; Key practices performed: 16; Key practices not performed: 2. SA-CMM level 2 key process area: Requirements development and management; Description: Establish a common and unambiguous definition of acquisition requirements to be used by the acquisition team, the system's users, and the contractor; Total key practices: 14; Key practices performed: 14; Key practices not performed: 0. SA-CMM level 2 key process area: Project management; Description: Manage the activities of the project office and supporting contractor(s) to ensure a timely, efficient, and effective acquisition; Total key practices: 16; Key practices performed: 16; Key practices not performed: 0. SA-CMM level 2 key process area: Contract tracking and oversight; Description: Ensure that the activities under contract are being performed in accordance with contractual requirements and that products and services will satisfy contract requirements; Total key practices: 17; Key practices performed: 16; Key practices not performed: 1. SA-CMM level 2 key process area: Evaluation; Description: Determine that the acquired products and services satisfy contract requirements before accepting and supporting them; Total key practices: 15; Key practices performed: 6; Key practices not performed: 9. Source: GAO: [End of table] More specifically, the office has performed all of the key practices in the requirements development and management and project management key process areas. These include (1) establishing a written policy for developing and managing system-related contractual requirements; (2) having bi-directional traceability between the contractual requirements and the contractor's work products and services; (3) measuring and reporting to management on the status of requirements development and management activities; (4) designating responsibility for project management; (5) keeping plans current during the life of the project as re-planning occurs, issues are resolved, requirements are changed, and new risks are discovered; and (6) tracking the risks associated with cost, schedule, resources, and the technical aspects of the project. EOUSA has also performed the majority of the key practices in the remaining four process areas. However, it does not have written policies for either the contract tracking and oversight or the software acquisition planning key process areas. Policies in general are key to establishing well-defined and enduring processes and procedures. In these two areas, policies would ensure that the office's approach to tracking and overseeing contractors and planning the acquisition is defined in a repeatable and measurable fashion. In addition, during the solicitation process, the office did not document its plans for solicitation activities, which would provide those involved with objectives for the solicitation process and a defined way to manage and control solicitation activities and decisions. In evaluation, the office has yet to satisfy 9 of the 15 required practices. Officials told us that they intend to satisfy them but that they do not have a plan for addressing those practices or for implementing all of the required practices on future system acquisitions. According to these officials, developing such a plan is currently not a priority. By developing and implementing a plan for satisfying all of these key process areas on ECMS and future acquisitions, EOUSA can increase its chances of successfully acquiring needed system capabilities on time and within budget. Conclusions: EOUSA has taken important steps to define and implement four key IT management disciplines. Nevertheless, key aspects of each discipline have yet to be institutionalized, leaving the office challenged in its ability to achieve the department's strategic goal of improving the integrity, security, and efficiency of its IT systems. Critical to the office's success going forward will be treating institutionalization of each of these management disciplines as priority matters by developing integrated plans of action for addressing the weaknesses that we identified in each and effectively implementing these plans--including assignment of appropriate resources and measurement and reporting of progress. Without taking these steps, EOUSA is unlikely to fully establish the IT management capabilities it needs. Recommendations: To strengthen the office's IT management capacity and increase its chances of improving the integrity, security, and efficiency of its IT systems, we recommend that the Attorney General direct the EOUSA Director to treat institutionalization of EA management, IT investment management, IT security management, and system acquisition management as priorities by developing and implementing action plans to address the weaknesses in each discipline that are identified in this report. These plans should, at a minimum, provide for accomplishing the following: For EA management, * establish a committee or group representing the enterprise that is responsible for directing, overseeing, or approving the EA; * ensure that EA products are under configuration management; * define, approve, and implement a policy for IT investment compliance with the EA; * specify metrics for measuring EA benefits; and: * define, approve, and implement a policy for maintaining the EA. For IT investment management, * regularly oversee each IT project's progress toward cost and schedule milestones, using established criteria, and require corrective actions when milestones have not been achieved; * define and implement a policy for using the IT project and systems inventory for managerial decision making; and: * ensure that an established, structured process is used to select new IT proposals. For IT security management, * allocate the appropriate resources to enable the responsibilities of the security officer to be fully performed; * ensure that risk assessments are performed on all existing and future systems; * implement intrusion detection devices to monitor activity at the routers, firewalls, and VPN devices, and implement other network security controls as noted in the report; * develop and implement a centralized approach to security education and training; and: * perform regular tests to determine compliance with policies and procedures and the effectiveness of security controls. For system acquisition management, * develop and implement a policy for contract tracking and oversight; * develop and implement a policy for system acquisition planning; and: * address the remaining key practices associated with evaluation as ECMS progresses in the life cycle; and: * ensure that the Software Engineering Institute acquisition practices identified in this report are used in future system acquisitions. In developing these plans, the Director should ensure that each plan (1) is integrated with the other three plans; (2) defines clear and measurable goals, objectives, and milestones; (3) specifies resource needs; and (4) assigns clear responsibility and accountability for implementing the plan. In implementing each plan, the Director should ensure that the needed resources are provided and that progress is measured and reported periodically to the Attorney General. Agency Comments and Our Evaluation: In written comments on a draft of this report signed by the EOUSA Director (reprinted in app. III), the office agreed with our findings relative to enterprise architecture management, IT investment management, and system acquisition management. EOUSA also agreed with our recommendations in these three areas and stated that it intends to implement the recommendations. However, EOUSA stated that it disagreed with our findings and our recommendations regarding information security management, although at the same time it cited certain actions that it intends to take, such as implementing a centralized security training program and monitoring security audit logs, that are consistent with our security findings and associated recommendations. Further, the office disagreed that the state of its efforts to institutionalize best management practices in the four areas is due to it not treating each area as an office priority. It also disagreed with our conclusion that the state of its efforts to institutionalize best practices currently limits its ability to meet Justice's strategic goal of improving its IT systems, and that the USAOs will be challenged in their ability to effectively and efficiently meet mission goals and priorities. Each of these three areas of disagreement is addressed below. First, with respect to information security management, EOUSA stated that it has one of the strongest security programs in Justice, and perhaps the federal government. To support this statement, the office cited 10 security initiatives it has implemented, such as certification and accreditation of more than eight systems, real-time encryption of all data in laptops and handheld devices, and conduct of vulnerability assessments and penetration testing. It also noted, among other things, that it had added 10 field security positions and 2 headquarters positions, and that its data are monitored 24 hours a day, seven days a week, and have never been compromised. We do not question these statements concerning the office's information security program and associated activities because (1) the purpose and scope of our review was not to compare EOUSA to other Justice component organizations or other federal agencies, and thus EOUSA's relative standing is not relevant to the findings in our report and (2) the message of our report is not that EOUSA has not taken steps to improve its information security posture, but rather that the office's information security management efforts, including ongoing and complete improvement steps, are weak in a number of areas relative to information security management best practices. Accordingly, we make recommendations aimed at addressing identified weaknesses, including a recommendation to implement network intrusion detection devices and other security controls. While EOUSA's comments cited plans that are consistent with many of our security-related recommendations, it disagreed with the recommendation relative to its wide area network on the grounds that this network is managed, secured, and monitored by Justice and Sprint. We understand that the WAN is not managed by EOUSA, and accordingly our recommendation was aimed at actively monitoring the network routers, firewalls, and VPN devices, which are managed by EOUSA. To avoid any confusion about this recommendation, we have clarified its wording to better reflect our intentions. Similarly, in light of the recent progress that EOUSA has made replacing its VPN system, we have adjusted our finding and recommendation concerning the office's exposure to risk from its old VPN system. Second, with respect to our statements that EOUSA has not treated institutionalization of each of the four IT management disciplines-- enterprise architecture management, IT investment management, system acquisition management, and information security management--as agency priorities, the office stated that these statements were unfair and that it did not agree with them. To support its position, EOUSA made the following two points: (1) it has made tremendous progress, as evidenced by our report recognizing those best practices that it is satisfying, and (2) it has received the highest level of support from Justice, as evidenced by the establishment of the EOUSA CIO position in 2001, the progress that has been made in the last 2 years compared to other Justice component organizations, and EOUSA's being viewed by Justice senior management as a leader in IT management. We do not challenge EOUSA's two points because they are not relevant to our position regarding treating institutionalization of each of the four IT management disciplines as agency priorities. Our position is based on two facts that EOUSA did not dispute: (1) plans for addressing the weaknesses cited in our report do not exist and (2) limitations in resources to address these weaknesses were cited by EOUSA officials as the reason why the weaknesses exist. In our view, if each of these areas were an agency priority, then plans would be in place to address the weaknesses, and resources to execute the plans would be committed. Third, with respect to our conclusion that EOUSA is currently limited in its ability to meet Justice's strategic goal of improving its IT systems, and that the USAOs are thereby challenged in their ability to effectively and efficiently meet their mission goals and objectives, the office disagreed but did not offer any comments to counter our conclusion beyond those cited above. Given that any organization's ability to effectively leverage technology is determined in large part by its institutionalized capabilities in these four IT disciplines, we have not modified our conclusion. EOUSA provided additional comments that have been incorporated in the report as appropriate. EOUSA's written comments are reproduced in appendix III, along with our detailed evaluation of each comment. As arranged with your office, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days after the date of this letter. At that time, we will send copies of this report to interested congressional committees. We will also send copies to the Director of the Office of Management and Budget, the Attorney General of the United States, the EOUSA Director, and the EOUSA CIO. We will also send copies to others upon request. In addition, copies will be available at no charge on our Web site at www.gao.gov. Signed by: Should you or your offices have questions on matters discussed in this report, please contact me at (202) 512-3439. I can also be reached by E-mail at hiter@gao.gov. An additional GAO contact and staff acknowledgments are listed in appendix IV. Signed by: Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: [End of section] Appendixes: Appendix I: Objective, Scope, and Methodology: Our objective was to determine the extent to which the Executive Office for United States Attorneys (EOUSA) has institutionalized key information technology (IT) management capabilities to achieve the Department of Justice's strategic goal of improving the integrity, security, and efficiency of its IT systems. To meet this objective, we focused on whether EOUSA had institutionalized four key IT management disciplines: enterprise architecture management, IT investment management, information security management, and system acquisition management. * To evaluate EOUSA's enterprise architecture (EA) management, we first solicited responses to an EA management questionnaire, reviewed EA plans and products, and interviewed officials to verify their responses. Next, we compared the information that we had collected with GAO's February 2002 EA management maturity framework[Footnote 21] to determine the extent to which EOUSA was employing effective EA management practices. This framework is based on the Practical Guide to Federal Enterprise Architecture, published by the Chief Information Officers' (CIO) Council.[Footnote 22] We did not use the revised framework issued in April 2003[Footnote 23] because, by then, we had already completed our work. * To evaluate EOUSA's IT investment management (ITIM), we used GAO's ITIM framework[Footnote 24] and assessed the extent to which EOUSA had satisfied the critical processes associated with stage 2 of the five- stage framework--building the investment foundation. We focused on stage 2 processes because officials told us that they had only recently begun defining and implementing the specific practices that are associated with this stage. To conduct our assessment, we reviewed relevant EOUSA and Justice policies, procedures, guidance, and documentation--including the office's investment management guide and associated memorandums, project proposals, and budget documents. We also interviewed the CIO and the senior official who is responsible for implementing IT investment management. We then compared this information with our maturity framework to determine the extent to which the office was employing effective IT investment management practices. * To evaluate EOUSA's information security management, we used our executive guide for information security management,[Footnote 25] as well as Justice policy and guidance and relevant EOUSA U.S. Attorney Procedures.[Footnote 26]We reviewed internal Justice and other reports identifying security weaknesses at Justice and EOUSA and information on how these weaknesses will be addressed. We also reviewed the certification and accreditation package and the deployment schedule for the virtual private network[Footnote 27] that the office is currently deploying, because EOUSA and the USAOs rely on this network to carry out its mission. We interviewed Justice officials and EOUSA officials within the Office of the CIO about the office's security management. * To evaluate EOUSA's system acquisition management, we used the Software Engineering Institute's Software Acquisition Capability Maturity Model,[Footnote 28] focusing on six of the seven key process areas that are defined for level 2 of the model's five-level maturity scale.[Footnote 29] We focused on level 2 processes because they represent the minimum level of maturity needed to effectively manage system acquisition projects. We used the office's acquisition of the Enterprise Case Management System as a case study because officials stated that it is representative of how they intend to acquire systems. In addition, this system will be critical in providing fundamental support to the U.S. Attorneys as they work to achieve mission goals. We reviewed key project documentation, such as the concept of operations, project plan, and requirements traceability matrix, and we interviewed system acquisition officials. We also reviewed the Justice guidance used to manage the project. We then compared this information to the Software Acquisition Capability Maturity Model to determine the extent to which the office was employing effective system acquisition management practices. We performed our work at EOUSA headquarters in Washington, D.C., from November 2002 to May 2003, in accordance with generally accepted government auditing standards. [End of section] Appendix II: Assessment of ECMS Acquisition Practices against Level 2 of SEI's Software Acquisition Capability Maturity Model: Table 7: Software Acquisition Planning: Common feature: Commitment 1; CMM key practice: The acquisition organization has a written policy for planning the software acquisition; Satisfied?: No; Comments: EOUSA does not have a written policy for planning the software acquisition. Common feature: Commitment 2; CMM key practice: Responsibility for software acquisition activities is designated; Satisfied?: Yes; Comments: Responsibility for software acquisition activities was designated to the ECMS project manager. Common feature: Ability 1; CMM key practice: A group that is responsible for planning the software acquisition exists; Satisfied?: Yes; Comments: A group responsible for planning exists and includes the project manager, administrative contract officer's technical representative, and assistant directors of Case Management staff. Common feature: Ability 2; CMM key practice: The acquisition organization provides experienced software acquisition management personnel to support project software acquisition planning; Satisfied?: Yes; Comments: The acquisition organization provided experienced software acquisition management personnel to support project software acquisition planning. Common feature: Ability 3; CMM key practice: Adequate resources are provided for software acquisition planning activities; Satisfied?: Yes; Comments: According to EOUSA officials, adequate resources were provided for software acquisition planning activities. Common feature: Activity 1; CMM key practice: Software acquisition planning personnel are involved in system acquisition planning; Satisfied?: Yes; Comments: Software acquisition planning personnel were involved in system acquisition planning. Common feature: Activity 2; CMM key practice: The project's software acquisition planning is accomplished in conjunction with system acquisition planning; Satisfied?: Yes; Comments: The project's software acquisition planning was accomplished in conjunction with system acquisition planning. Common feature: Activity 3; CMM key practice: The software acquisition strategy for the project is developed and documented; Satisfied?: No; Comments: There is no software acquisition strategy document. Common feature: Activity 4; CMM key practice: Software acquisition planning addresses the elements of the software acquisition process; Satisfied?: Yes; Comments: Software acquisition planning addresses most critical elements of the software acquisition process. Common feature: Activity 5; CMM key practice: The project's software acquisition planning is documented, and the planning documentation is maintained over the life of the project; Satisfied?: Yes; Comments: Software acquisition planning information is included in the project management plan, which has been updated once. Common feature: Activity 6; CMM key practice: Life-cycle support of the software is included in software acquisition planning documentation; Satisfied?: Yes; Comments: Certain life-cycle support provisions (user training, system growth) are documented in the project management plan. Common feature: Activity 7; CMM key practice: Life-cycle cost and schedule estimates for the software products and services being acquired are prepared and independently reviewed; Satisfied?: Yes; Comments: Life-cycle cost and schedule estimates for the initial release of ECMS were prepared by the project team and independently reviewed by the administrative contract officer's technical representative. Common feature: Measurement 1; CMM key practice: Measurements (e.g., planned vs. completed works) are made and used to determine the status of the software acquisition planning activities and resultant products; Satisfied?: Yes; Comments: Measurements (e.g., estimated vs. actual cost and schedule) were made by the project team and used to determine the status of the software acquisition planning activities and resultant products. Common feature: Verification 1; CMM key practice: Software acquisition planning activities are reviewed by acquisition organization management on a periodic basis; Satisfied?: Yes; Comments: The project team reviews software acquisition planning activities on a periodic basis. Common feature: Verification 2; CMM key practice: Software acquisition planning activities are reviewed by the project manager on both a periodic and event-driven basis; Satisfied?: Yes; Comments: The project manager reviews software acquisition planning activities on both a periodic and event-driven basis. Source: Key practice data from SEI; analysis and comments from GAO. [End of table] Table 8: Solicitation: Common feature: Commitment 1; CMM key practice: The acquisition organization has a written policy for the conduct of the solicitation; Satisfied?: Yes; Comments: The acquisition organization used the Department of Transportation's Value Added Niche Information Technology Services (VANITS) vehicle, which provides federal, state, and local government clients with access to specialized technology services and support. Common feature: Commitment 2; CMM key practice: Responsibility for the software portion of the solicitation was designated; Satisfied?: Yes; Comments: Responsibility for the software portion of the solicitation was designated to a technical point of contact and an administrative contract officer's technical representative. Common feature: Commitment 3; CMM key practice: A selection official was designated to be responsible for the selection process and the decision; Satisfied?: Yes; Comments: The technical point of contact and the administrative contract officer's technical representative were responsible for the selection process and the decision. Common feature: Ability 1; CMM key practice: A group that is responsible for coordinating and conducting the solicitation activities exists; Satisfied?: Yes; Comments: A group consisting of assistant directors of the information technology staff exists. With the technical point of contact as the chair, this group conducted an evaluation of vendors' proposals. Common feature: Ability 2; CMM key practice: Adequate resources were provided for the solicitation activities; Satisfied?: Yes; Comments: Adequate resources were provided for solicitation activities. EOUSA budgeted and paid a fee for using services provided under the VANITS vehicle. Common feature: Ability 3; CMM key practice: Individuals performing the solicitation activities have experience or receive training; Satisfied?: Yes; Comments: According to EOUSA officials, individuals performing the solicitation activities have formal training or experience. Common feature: Ability 4; CMM key practice: The groups supporting the solicitation (e.g., end user, system engineering, and application domain experts) receive orientation on the solicitation's objectives and procedures; Satisfied?: No; Comments: The supporting groups received an orientation, but this did not cover solicitation procedures. Common feature: Activity 1; CMM key practice: The project's solicitation activities were performed in accordance with its plans; Satisfied?: No; Comments: The project team did not document its plans for solicitation activities. Common feature: Activity 2; CMM key practice: Solicitation activities are conducted in a manner compliant with relevant laws, policies, and guidance; Satisfied?: Yes; Comments: The project team followed standard procedures required by the Governmentwide Acquisition Contracts (GWAC). Common feature: Activity 3; CMM key practice: The software and evaluation requirements are incorporated into the solicitation package and resulting contract; Satisfied?: Yes; Comments: The project team incorporated the software and evaluation requirements into the solicitation package and resulting contract. Common feature: Activity 4; CMM key practice: The project's proposal evaluation activities were performed in accordance with its plans; Satisfied?: Yes; Comments: According to EOUSA officials, the project's proposal evaluation activities were performed in accordance with its plans. Common feature: Activity 5; CMM key practice: Cost and schedule estimates for the software activity were prepared; Satisfied?: Yes; Comments: Cost and schedule estimates for the software activity were prepared by the project team. Common feature: Activity 6; CMM key practice: The software cost and schedule estimates were independently reviewed for comprehensiveness and realism; Satisfied?: Yes; Comments: Software cost and schedule estimates were independently reviewed for comprehensiveness and realism by the administrative contracting officer's representative. Common feature: Activity 7; CMM key practice: The selection official uses proposal evaluation results to support his or her decision to select an offerer; Satisfied?: Yes; Comments: The selection official used proposal evaluation results to support his decision. Common feature: Activity 8; CMM key practice: The project team and the offerer(s) review the project's software requirements and plans during negotiations to ensure mutual understanding; Satisfied?: Yes; Comments: The team reviewed four proposals and asked contractors to provide presentations to ensure mutual understanding. Common feature: Measurement 1; CMM key practice: Measurements were made and used to determine the status of the solicitation activities and resultant products; Satisfied?: Yes; Comments: The acquisition organization used the Department of Transportation's Value Added Niche Information Technology Services (VANITS) vehicle, which provides federal, state, and local government clients with access to specialized technology services and support: Responsibility for the software portion of the solicitation was designated to a technical point of contact and an administrative contract officer's technical representative: The technical point of contact and the administrative contract officer's technical representative were responsible for the selection process and the decision: A group consisting of assistant directors of the information technology staff exists. With the technical point of contact as the chair, this group conducted an evaluation of vendors' proposals: Adequate resources were provided for solicitation activities. EOUSA budgeted and paid a fee for using services provided under the VANITS vehicle: According to EOUSA officials, individuals performing the solicitation activities have formal training or experience: The supporting groups received an orientation, but this did not cover solicitation procedures: The project team did not document its plans for solicitation activities: The project team followed standard procedures required by the Governmentwide Acquisition Contracts (GWAC): The project team incorporated the software and evaluation requirements into the solicitation package and resulting contract: According to EOUSA officials, the project's proposal evaluation activities were performed in accordance with its plans: Cost and schedule estimates for the software activity were prepared by the project team: Software cost and schedule estimates were independently reviewed for comprehensiveness and realism by the administrative contracting officer's representative: The selection official used proposal evaluation results to support his decision: The team reviewed four proposals and asked contractors to provide presentations to ensure mutual understanding: The VANITS program office kept the project team informed of the status of all activities. Measurements used to determine the status included the length of time taken for each activity. Common feature: Verification 1; CMM key practice: The activities for solicitation were reviewed by acquisition organization management on a periodic basis; Satisfied?: Yes; Comments: The acquisition organization used the Department of Transportation's Value Added Niche Information Technology Services (VANITS) vehicle, which provides federal, state, and local government clients with access to specialized technology services and support: Responsibility for the software portion of the solicitation was designated to a technical point of contact and an administrative contract officer's technical representative: The technical point of contact and the administrative contract officer's technical representative were responsible for the selection process and the decision: A group consisting of assistant directors of the information technology staff exists. With the technical point of contact as the chair, this group conducted an evaluation of vendors' proposals: Adequate resources were provided for solicitation activities. EOUSA budgeted and paid a fee for using services provided under the VANITS vehicle: According to EOUSA officials, individuals performing the solicitation activities have formal training or experience: The supporting groups received an orientation, but this did not cover solicitation procedures: The project team did not document its plans for solicitation activities: The project team followed standard procedures required by the Governmentwide Acquisition Contracts (GWAC): The project team incorporated the software and evaluation requirements into the solicitation package and resulting contract: According to EOUSA officials, the project's proposal evaluation activities were performed in accordance with its plans: Cost and schedule estimates for the software activity were prepared by the project team: Software cost and schedule estimates were independently reviewed for comprehensiveness and realism by the administrative contracting officer's representative: The selection official used proposal evaluation results to support his decision: The team reviewed four proposals and asked contractors to provide presentations to ensure mutual understanding: The activities for solicitation were reviewed bi-weekly by the designated selection official or acquisition organization management. Common feature: Verification 2; CMM key practice: The activities for solicitation were reviewed by the project manager or designated selection official on both a periodic and an event-driven basis; Satisfied?: Yes; Comments: The acquisition organization used the Department of Transportation's Value Added Niche Information Technology Services (VANITS) vehicle, which provides federal, state, and local government clients with access to specialized technology services and support: Responsibility for the software portion of the solicitation was designated to a technical point of contact and an administrative contract officer's technical representative: The technical point of contact and the administrative contract officer's technical representative were responsible for the selection process and the decision: A group consisting of assistant directors of the information technology staff exists. With the technical point of contact as the chair, this group conducted an evaluation of vendors' proposals: Adequate resources were provided for solicitation activities. EOUSA budgeted and paid a fee for using services provided under the VANITS vehicle: According to EOUSA officials, individuals performing the solicitation activities have formal training or experience: The supporting groups received an orientation, but this did not cover solicitation procedures: The project team did not document its plans for solicitation activities: The project team followed standard procedures required by the Governmentwide Acquisition Contracts (GWAC): The project team incorporated the software and evaluation requirements into the solicitation package and resulting contract: According to EOUSA officials, the project's proposal evaluation activities were performed in accordance with its plans: Cost and schedule estimates for the software activity were prepared by the project team: Software cost and schedule estimates were independently reviewed for comprehensiveness and realism by the administrative contracting officer's representative: The selection official used proposal evaluation results to support his decision: The team reviewed four proposals and asked contractors to provide presentations to ensure mutual understanding: The activities for solicitation were reviewed by the project manager on both a periodic and an event-driven basis. [End of table] Source: Key practice data from SEI; analysis and comments from GAO. Table 9: Requirements Development and Management: Common feature: Commitment 1; CMM key practice: The acquisition organization has a written policy for developing and managing software- related requirements; Satisfied?: Yes; Comments: The project management plan includes guidelines for defining and controlling technical and nontechnical (software-related) requirements. Common feature: Commitment 2; CMM key practice: Responsibility for requirements development and management is designated; Satisfied?: Yes; Comments: The ECMS project team is responsible for requirements development and management. Common feature: Ability 1; CMM key practice: A group that is responsible for performing requirements development and management activities exists; Satisfied?: Yes; Comments: A Joint Application Development group is responsible for performing requirements development. The contractor is responsible for performing requirements management. Common feature: Ability 2; CMM key practice: Adequate resources are provided for requirements development and management activities; Satisfied?: Yes; Comments: According to EOUSA officials, adequate resources were provided for requirements development and management activities. Common feature: Ability 3; CMM key practice: Individuals performing requirements development and management activities have experience or receive training; Satisfied?: Yes; Comments: According to EOUSA officials, individuals performing requirements development and management activities have experience or received training. Common feature: Activity 1; CMM key practice: The project team performs its activities in accordance with its documented requirements development and management plans; Satisfied?: Yes; Comments: EOUSA officials reported that the project team performs its activities in accordance with its documented requirements development and management plans. Common feature: Activity 2; CMM key practice: The project team develops, baselines, and maintains software-related contractual requirements; Satisfied?: Yes; Comments: According to EOUSA officials, the project team develops, baselines, and maintains software-related contractual requirements. Common feature: Activity 3; CMM key practice: The project team appraises requests for changes to system requirements for their impact on the software being acquired; Satisfied?: Yes; Comments: The project team reviews requests for changes to system requirements for their impact on ECMS. Common feature: Activity 4; CMM key practice: The project team appraises all changes to the software-related contractual requirements for their impact on performance, architecture, supportability, system resource utilization, and contract schedule and cost; Satisfied?: Yes; Comments: The project team reviews all changes to the software-related contractual requirements for their impact on performance, architecture, supportability, system resource utilization, and contract schedule and cost. Common feature: Activity 5; CMM key practice: Bi-directional traceability between the contractual requirements and the contractor team's software work products and services is maintained throughout the effort; Satisfied?: Yes; Comments: Bi-directional traceability between the contractual requirements and the contractor's team software work products and services is maintained by the project team. Common feature: Activity 6; CMM key practice: The end user and other affected groups are involved in the development of all software-related contractual requirements and any subsequent change activity; Satisfied?: Yes; Comments: EOUSA officials reported that the end user and other affected groups are involved in the development of all software-related contractual requirements and any subsequent change activity. Common feature: Measurement 1; CMM key practice: Measurements are made and used to determine the status of the requirements development and management activities and resultant products; Satisfied?: Yes; Comments: Measurements are made and used by the project team to determine the status of the requirements development and management activities and resultant products. Common feature: Verification 1; CMM key practice: Requirements development and management activities are reviewed by acquisition organization management (and the contractor) on a periodic basis; Satisfied?: Yes; Comments: Requirements development and management activities are reviewed by the project team (and the contractor) on a periodic basis. Common feature: Verification 2; CMM key practice: Requirements development and management activities are reviewed by the project manager on both a periodic and event-driven basis; Satisfied?: Yes; Comments: Requirements development and management activities are reviewed by the project manager on both a periodic and event-driven basis. [End of table] Source: Key practice data from SEI; analysis and comments from GAO. Table 10: Project Management: Common feature: Commitment 1; CMM key practice: The acquisition organization has a written policy for executing the software project; Satisfied?: Yes; Comments: A policy memo was issued requiring all information technology projects to follow a streamlined life-cycle methodology. Common feature: Commitment 2; CMM key practice: Responsibility for project management is designated; Satisfied?: Yes; Comments: Responsibility for project management is designated to the ECMS project manager. Common feature: Ability 1; CMM key practice: A team that is responsible for performing the project's software acquisition management exists; Satisfied?: Yes; Comments: A team that is responsible for performing the project's software acquisition management exists. It includes a project manager and case management staff. Common feature: Ability 2; CMM key practice: Adequate resources for the project team are provided for the duration of the software acquisition project; Satisfied?: Yes; Comments: According to EOUSA officials, adequate resources for the project team are provided for the duration of the software acquisition project. Common feature: Ability 3; CMM key practice: When project trade-offs are necessary, the project manager is permitted to alter the performance, cost, or schedule software acquisition baseline; Satisfied?: Yes; Comments: When project trade-offs are necessary, the project manager is permitted to alter the performance, cost, or schedule software acquisition baseline after appropriate review. Common feature: Ability 4; CMM key practice: The project team has experience or receives training in project software acquisition management activities; Satisfied?: Yes; Comments: EOUSA officials reported that the project team members have experience or received training in project software acquisition management activities. Common feature: Activity 1; CMM key practice: The project team performs its activities in accordance with its documented software acquisition management plans; Satisfied?: Yes; Comments: EOUSA officials reported that the project team performs its activities in accordance with its project management plan. Common feature: Activity 2; CMM key practice: The roles, responsibilities, and authority for the project functions are documented, maintained, and communicated to affected groups; Satisfied?: Yes; Comments: The roles, responsibilities, and authority for the project functions are documented in the ECMS project plan, maintained, and communicated to affected groups. Common feature: Activity 3; CMM key practice: The project team's commitments, and changes to commitments, are communicated to affected groups; Satisfied?: Yes; Comments: The project team's commitments, and changes to commitments, are communicated to affected groups via an on-line discussion forum. Common feature: Activity 4; CMM key practice: The project team tracks the risks associated with cost, schedule, resources, and the technical aspects of the project; Satisfied?: Yes; Comments: Project-wide risks are documented in the risk management plan. Ancillary risks that affect project execution, and plans for mitigating those risks, are documented in the weekly reports. Common feature: Activity 5; CMM key practice: The project team tracks project issues, status, execution, funding, and expenditures against project plans and takes action; Satisfied?: Yes; Comments: According to EOUSA officials, the project team tracks project issues, status, execution, funding, and expenditures against project plans and takes action. Common feature: Activity 6; CMM key practice: The project team implements a corrective action system for the identification, recording, tracking, and correction of problems discovered during the software acquisition; Satisfied?: Yes; Comments: The project team identifies, records, and tracks issues using Rational's ClearQuest product. These data are then used to correct problems discovered during the software acquisition. The team is moving toward using Merant's PVCS Dimensions software. Common feature: Activity 7; CMM key practice: The project team keeps its plans current during the life of the project as re-planning occurs, issues are resolved, requirements are changed, and new risks are discovered; Satisfied?: Yes; Comments: The project team updates its plans during the life of the project as re-planning occurs, issues are resolved, requirements are changed, and new risks are discovered. Common feature: Measurement 1; CMM key practice: Measurements are made and used to determine the status of project management activities and the resultant products; Satisfied?: Yes; Comments: Measurements are made and used by the ECMS project team to determine the status of project management activities and the resultant products. Common feature: Verification 1; CMM key practice: Project management activities are reviewed by acquisition organization management on a periodic basis; Satisfied?: Yes; Comments: Project management activities are reviewed by acquisition organization management on a bi-weekly basis. Common feature: Verification 2; CMM key practice: Project management activities are reviewed by the project manager on both a periodic and an event-driven basis; Satisfied?: Yes; Comments: Project management activities are reviewed by the project manager on both a periodic and an event-driven basis. Source: Key practice data from SEI; analysis and comments from GAO. [End of table] Table 11: Contract Tracking and Oversight: Common feature: Commitment 1; CMM key practice: The acquisition organization has a written policy for the contract tracking and oversight of the contracted software effort; Satisfied?: No; Comments: The acquisition organization does not have a written policy for the contract tracking and oversight of the contracted software effort. Common feature: Commitment 2; CMM key practice: Responsibility for contract tracking and oversight is designated; Satisfied?: Yes; Comments: Responsibility is designated to the project manager and the administrative contracting officer's representative. Common feature: Commitment 3; CMM key practice: The project team includes contracting specialists in the execution of the contract; Satisfied?: Yes; Comments: These specialists include the operations staff, the contract officer's technical representative, and contracting and procurement staff. Common feature: Ability 1; CMM key practice: A group that is responsible for managing contract tracking and oversight activities exists; Satisfied?: Yes; Comments: The project management team is responsible for managing contract tracking and oversight activities. Common feature: Ability 2; CMM key practice: Adequate resources are provided for contract tracking and oversight activities; Satisfied?: Yes; Comments: According to EOUSA officials, adequate resources are provided for contract tracking and oversight activities. Common feature: Ability 3; CMM key practice: Individuals performing contract tracking and oversight activities have experience or receive training; Satisfied?: Yes; Comments: According to EOUSA officials, individuals performing contract tracking and oversight activities have experience or receive training. Common feature: Activity 1; CMM key practice: The project team performs its activities in accordance with its documented contract tracking and oversight plans; Satisfied?: Yes; Comments: The project team performs its activities in accordance with its documented contract tracking and oversight plans. Several reporting mechanisms are used to monitor and control the contractor's performance, including sticking to the project schedule and reporting any problems that are encountered. Common feature: Activity 2; CMM key practice: The project team reviews required contractor software planning documents which, when satisfactory, are used to oversee the contractor team's software engineering effort; Satisfied?: Yes; Comments: The project team reviews required contractor software planning documents, which provide a basis for overseeing the contractor team's software engineering efforts. Common feature: Activity 3; CMM key practice: The project team conducts periodic reviews and interchanges with the contractor team; Satisfied?: Yes; Comments: There are weekly meetings and monthly written status reports between the project team and the contractor. Common feature: Activity 4; CMM key practice: The actual cost and schedule of the contractor's software engineering effort are compared to planned schedules and budgets, and issues are identified; Satisfied?: Yes; Comments: Actual cost and schedule of the contractor's software engineering effort are compared to the planned costs and schedule, and issues are identified. Issues so far are primarily related to the contractor's staff getting the security clearances needed to do the work. Common feature: Activity 5; CMM key practice: The size, critical computer resources, and technical activities associated with the contractor team's work products are tracked, and issues are identified; Satisfied?: Yes; Comments: The contractor provides information about the size, critical computer resources, and technical activities to the ECMS project team for tracking purposes and issue identification. Common feature: Activity 6; CMM key practice: The project team reviews and tracks the development of the software engineering environment required to provide life-cycle support for the acquired software, and issues are identified; Satisfied?: Yes; Comments: The project team reviews and tracks the development of the software engineering environment. Common feature: Activity 7; CMM key practice: Any issues found by the project team during contract tracking and oversight are recorded in the appropriate corrective action system, action is taken, and the issue is tracked to closure; Satisfied?: Yes; Comments: According to EOUSA officials, any issues found by the project team during contract tracking and oversight are recorded in the appropriate corrective action system, action is taken, and the issue is tracked to closure. Common feature: Activity 8; CMM key practice: The project team ensures that changes to the software-related contractual requirements are coordinated with all affected groups and individuals, such as the contracting official, contractor, and end user; Satisfied?: Yes; Comments: The project team ensures that changes to the software- related contractual requirements are coordinated with all affected groups and individuals, including the administrative contracting officer's representative and end users. Common feature: Measurement 1; CMM key practice: Measurements are made and used to determine the status of the contract tracking and oversight activities and resultant products; Satisfied?: Yes; Comments: Measurements are made and used by the administrative contracting officer's representative to determine the status of the contract tracking and oversight activities and resultant products. Common feature: Verification 1; CMM key practice: Contract tracking and oversight activities are reviewed by acquisition organization management on a periodic basis; Satisfied?: Yes; Comments: The administrative contracting officer's representative reviews contract tracking and oversight activities on a periodic basis. Common feature: Verification 2; CMM key practice: Contract tracking and oversight activities are reviewed by the project manager on both a periodic and event-driven basis; Satisfied?: Yes; Comments: The project manager, on both a periodic and an event- driven basis, reviews contract tracking and oversight activities. Source: Key practice data from SEI; analysis and comments from GAO. [End of table] Table 12: Evaluation: Common feature: Commitment 1; CMM key practice: The acquisition organization has a written policy for managing the evaluation of the acquired software products and services; Satisfied?: Yes; Comments: The acquisition organization has defined guidelines for testing and certifying ECMS. Common feature: Commitment 2; CMM key practice: Responsibility for evaluation activities is designated; Satisfied?: Yes; Comments: Responsibility for evaluation activities is designated to the ECMS project team. Common feature: Ability 1; CMM key practice: A group that is responsible for planning, managing, and performing evaluation activities for the project exists; Satisfied?: Yes; Comments: The ECMS project team is responsible for planning, managing, and performing evaluation activities for the project. Common feature: Ability 2; CMM key practice: Adequate resources are provided for evaluation activities; Satisfied?: Yes; Comments: According to EOUSA officials, the evaluation activities have been budgeted. Common feature: Ability 3; CMM key practice: Individuals performing evaluation activities have experience or receive training; Satisfied?: Yes; Comments: Individuals performing evaluation activities have experience or receive training. The contractors were required to submit resumes along with their proposals. Common feature: Ability 4; CMM key practice: Members of the project team and groups supporting the software acquisition receive orientation on the objectives of the evaluation approach; Satisfied?: No; Comments: Because of ECMS's stage in the life cycle (design phase), this key practice has not yet been addressed. Common feature: Activity 1; CMM key practice: The project team performs its activities in accordance with its documented evaluation plans; Satisfied?: No; Comments: Because of ECMS's stage in the life cycle (design phase), this key practice has not yet been addressed. Common feature: Activity 2; CMM key practice: The project's evaluation requirements are developed in conjunction with the development of the system or software technical requirements; Satisfied?: No; Comments: Because of ECMS's stage in the life cycle (design phase), this key practice has not yet been addressed. Common feature: Activity 3; CMM key practice: The project's evaluation activities are planned to minimize duplication and take advantage of all evaluation results, where appropriate; Satisfied?: No; Comments: Because of ECMS's stage in the life cycle (design phase), this key practice has not yet been addressed. Common feature: Activity 4; CMM key practice: The project team appraises the contractor team's performance over the full period of the contract for compliance with requirements; Satisfied?: Yes; Comments: The project team assesses the contractor team's performance continuously. Common feature: Activity 5; CMM key practice: Planned evaluations are performed on the evolving software products and services prior to acceptance and operational use; Satisfied?: No; Comments: Because of ECMS's stage in the life cycle (design phase), this key practice has not yet been addressed. Common feature: Activity 6; CMM key practice: Results of the evaluations are analyzed and compared with the contract's requirements to establish an objective basis to support the decision to accept the products and services or to take further action; Satisfied?: No; Comments: Because of ECMS's stage in the life cycle (design phase), this key practice has not yet been addressed. Common feature: Measurement 1; CMM key practice: Measurements are made and used to determine the status of the evaluation activities and resultant products; Satisfied?: No; Comments: Because of ECMS's stage in the life cycle (design phase), this key practice has not yet been addressed. Common feature: Verification 1; CMM key practice: Evaluation activities are reviewed by acquisition organization management on a periodic basis; Satisfied?: No; Comments: Because of ECMS's stage in the life cycle (design phase), this key practice has not yet been addressed. Common feature: Verification 2; CMM key practice: Evaluation activities are reviewed by the project manager on both a periodic and an event-driven basis; Satisfied?: No; Comments: Because of ECMS's stage in the life cycle (design phase), this key practice has not yet been addressed. Source: Key practice data from SEI; analysis and comments from GAO. [End of table] [End of section] Appendix III: Comments from the Department of Justice: U.S. Department of Justice: Executive Office for United States Attorneys Office of the Director: Main Justice Building, Room 1616 (202) 514-2121 950 Pennsylvania Avenue, N. W. Washington, DC 20530: June 16, 2003: Mr. Randolph C. Hite Director: Information Technology Architecture and Systems U.S. General Accounting Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Mr. Hite: SUBJECT: EOUSA Response to GAO Audit Findings (GAO-03-751): The Executive Office for United States Attorneys (EOUSA) appreciates the opportunity to comment on GAO's report (GAO-03-751). "GAO was asked to determine the extent to which EOUSA has institutionalized key IT management capabilities..." and focused on Enterprise Architecture (EA), Information Technology Investment Management (ITIM), Information Security, and System Acquisition. We disagree with the finding that the institutionalization of these key IT management capabilities are not priorities of EOUSA and the Department of Justice and, in particular, take exception with the finding that information security is not an agency priority. We believe that EOUSA has made tremendous progress in insitutionalizing these key IT management capabilities and as detailed by this report has met a majority of the key elements of each. EOUSA is responsible for the management of information technology on behalf of the United States Attorneys and operates as a component of the DOJ-wide IT infrastructure in compliance with the Department of Justice's policies and procedures. EOUSA has several IT staffs dedicated to working with the Department on policy development and information technology systems. We believe it is important to note that the EOUSA Office of Chief Information Officer (OCIO) was established in January 2001 and since then has expanded to include one additional staff to support and manage Information Systems Security. FINDING: EOUSA Has Yet to Institutionalize Key IT Management Disciplines. "The office has defined and implemented each of the four IT management disciplines mentioned above to some degree. However, none has been institutionalized; they are not fully defined in accordance with best practices, and what has been defined has not yet been fully implemented. While these disciplines have been given attention since the recent appointment of the CIO, they have not been designated as priorities, and action plans needed for successful institutionalization have not been developed. As a result, EOUSA is currently limited in its ability to meet Justice's strategic goal of improving its IT systems, and the USAOs will be challenged in their ability to effectively and efficiently meet their mission goals and priorities.": RESPONSE: We disagree with the opinion of the team that "... EOUSA is currently limited in its ability to meet Justice's strategic goal of improving its IT systems, and the USAOs will be challenged in their ability to effectively and efficiently meet their mission goals and priorities.": The IT program of the United States Attorneys has received the highest level of support of the Department of Justice (DOJ). With the allocation of a senior level position in 2001, DOJ recognized the critical role of United States Attorneys. Since that time, EOUSA is the first DOJ component to publish an Information Technology Strategic Plan; an Enterprise Architecture; and institute an Information Technology Investment Management plan. EOUSA has been successful in gaining Level III software maturity model for its applications development process; it has insitutionalized an active Information Security program and has put its ITIM process under configuration management. We believe the finding that these processes are not a priority for this organization is unfair. EOUSA and the USAOs are viewed as leaders within the Department of Justice and senior management is very committed to the success of our IT program. Likewise, the USAOs, are leaders in the law enforcement community and effectively meet their mission goals and priorities. FINDING: Enterprise Architecture: EOUSA is Not Performing Important Practices Associated with Effective Enterprise Architecture Management: RESPONSE: We agree with the finding in this area and acknowledgement our accomplishment of 80% of the elements of the GAO EA maturity framework. EOUSA will work to implement the remaining 5 elements that consist of written polices and the formal establishment of sterring committees. In May 2002 the OLIO published the very first Enterprise Architecture for the USAOs that describes the "as is" and "to be" environment. Senior EOUSA management approved the EA and submitted it to the Department's Chief Information Officer (CIO) for approval. The DOJ CIO approved the USAOs EA in December 2002. The EA is maintained in the Department's EAMS. At the same time the department launched an initiative to develop a department-wide EA. EOUSA welcomed this opportunity and designated a chief architect to participate in the departmental working group charged with developing the new version of the EA for the DOJ. The chief architect was tasked with ensuring that USAOs EA is considered when developing the new EA. EOUSA did not "suspend its EA effort,"instead, EOUSA is actively participating in the EA Project of the entire Department of Justice, ensuring that our EA is consistent with the other agencies of the Department. FINDING: EOUSA Has Not Established Key Capabilities Needed to Effectively Manage IT Investments: RESPONSE: EOUSA agrees with GAO's finding that a selection process has not yet been used, with the following caveat that EOUSA has not engaged in any new initiatives meeting IRB review requirements since March 2003 when the IRB was put in place. EOUSA published its first ITIM in May 2002. After review and approval by senior management, EOUSA established an Investment Review Board (IRB) and conducted its first session in March 2003. At that session, the IRB was fully trained on the investment review process, reviewed four programs/projects currently underway (the Enterprise Case Management System, Voice over IP, Victim Notification, and IT Security), and reviewed the project rating and ranking criteria and process. In its current state, EOUSA ITIM meets 3 out of 5 elements of stage two of the GAO's ITIM maturity framework. The remaining 2 elements will be achieved this year by defining more detailed policies and procedures to address IT project oversight and IT project and system identification. FINDING: EOUSA Has Not Implemented Effective Security Practices: RESPONSE: We do not agree with this finding. EOUSA has one of the strongest security programs within the Department of Justice and perhaps the federal government. The data of the United States Attorneys has never been comprised and is monitored on a 24x7x365 basis. We strongly disagree with the finding of GAO that " security has not been an agency priority." Security has been and continues to be a high priority of the Department of Justice leadership and EOUSA management. Since the establishment of the new position OLIO has implemented the following security projects: 1. Replacement of the old virtual private network (VPN) 2. Implementation of the largest (24x7x365) intrusion detection system (IDS) within DOJ[NOTE 1] 3. Secure Remote Access for Dial-up connection: 4. Certification and Accreditation of more than 8 systems: 5. Implementation of virus detectors on all hardware devices 6. Real-time encryption of all data in laptops and handheld devices: 7. Use of proximity sensors for equipment used in common areas 8. Vulnerability assessment: 9. Penetration testing: 10. More than 223 security CERT risk analysis have been reviewed during the past six months: There are more examples of EOUSA's commitment to the security of our IT resources, including the allocation of 10 additional security positions for the districts and two additional FTEs to the Information Systems Security Office. The Department of Justice Inspector General conducted a security audit of several USAOs last year and they found ten vulnerabilities in those offices. All but one of those findings have been resolved, the last being related to our outdated VPN and review of the audit logs. From a practical standpoint, it does not make sense to invest in a costly and time consuming risk assessment of the old VPN when it will be completely replaced by the end of July 2003. To declare our risk assessment program inadequate due to one outgoing system not having a formal, documented risk assessment is an over- generalization. We perform formal facilitated risk assessments on every system and additionally an automated quantitative assessment on all major systems. Also, a project is underway to implement automated tools to review audit logs, as we do not have the resources to analyze the mass amount of data generated by audit logs. Regular tests will be conducted to determine the compliance of information technology systems with policies and procedures. EOUSA does have plans in place to address security issues. In accordance with Government Information Security Reform Act (GISRA) requirements, we have a plan of action and milestones for weaknesses identified during Certification and Accreditation (C&A). We also have contingency plans for all C&A'd systems, which are tested prior to certification. We are currently engaged in annual testing of contingency plans. Our C&A certification testing is based on DOJ Order 2640.2D. EOUSA is also working with the Department to implement a centralized security training program for all users within the USAOs. This training program will be in place before the end of August 2003. FINDING: EOUSA Is Employing Important Acquisition Management Practices on a Key System: We agree with these findings as noted herein. The system that was reviewed for acquisition strategy is still under development. The Enterprise Case Management System follows a very rigorous System Development Lifecycle Methodology (SDLC); however, it is not the first development effort to follow the SDLC. Even at its current stage of development, GAO reports that ELMS meets 80 out of 94 elements of the Level 2 of SEI's Software Acquisition Capability Maturity Model. EOUSA is committed to a mature software development environment. The LIONS application, which is currently in production, was certified at SEI Capability Maturity Model Level III by an independent vendor. The news of this success will soon be published in Government Computer News and Federal Computer Weekly. It should be noted that EOUSA acquisitions are all processed through the Department and must comply with all Departmental policies and procedures. EOUSA did not develop separate: acquisition policies; however, GAO's recommendations will be implemented and additional policies will be developed for oversight and contract tracking. In conclusion, I thank the members of the team that worked with us in this audit. We are fully committed to supporting the mission and strategies of the Department of Justice and support: of the United States Attorneys' offices. I believe that the accomplishments of our Information Technology Staff are noteworthy and they serve as a model for the Department of Justice. We will continue to work to improve our processes and our systems and thank you again for the opportunity to comment on this report. Sincerely, Guy A. Lewis Director: Signed for Guy A. Lewis: CC: Vickie Sloan: Director, Audit Liaison Office: NOTE: [1] GAO recommended the implementation of an IDS solution. EOUSA has an IDS in place for all of its offices; however, EOUSA does not have the authority to implement an IDS for the wide area network. The Justice Consolidated network is managed, secured, and monitored by the department and Sprint. The following are GAO's comments on the Department of Justice's letter dated June 16, 2003. GAO Comments: 1. We disagree. Our position that institutionalization has not been a priority is based on two facts that EOUSA did not dispute: (1) plans for addressing the weaknesses cited in our report do not exist and (2) limitations in resources to address these weaknesses were cited by EOUSA officials as the reason why the weaknesses exist. If each of these areas were an agency priority, then plans would be in place to address the weaknesses, and resources to execute the plans would be committed. 2. We do not question EOUSA's statement that it has made "tremendous progress." Our work focused on determining the extent to which EOUSA currently satisfies key practices in the four IT management disciplines. It did not include developing a baseline from which to measure progress. To EOUSA's credit, our review showed that the office has satisfied many key practices in each discipline, and we have noted this in our report. 3. We agree and include both of these facts in our report. 4. We disagree. EOUSA's comments did not include any information to refute our conclusion. Given that it did not have a plan for fully implementing best practices for each discipline, and had not allocated adequate resources to support such a plan, we have not modified our conclusion. 5. We do not question these statements about the position of EOUSA and the USAOs relative to other Justice components. Such a comparison was not part of the scope of our work. 6. We disagree. EOUSA has not gained this maturity level. Rather, according to EOUSA, the contractor that maintains its LIONS application is certified as a level 3 software developer. In contrast, our work focused on EOUSA's capabilities as a software acquirer, and thus addresses a different organization, discipline, and maturity model. 7. See comment 1. 8. We do not question this statement because the position of EOUSA and the USAOs relative to other Justice components or other law enforcement entities was not part of the scope of our work. 9. As noted in our report, EOUSA satisfied about 80 percent of the elements of just stage 2 of the EA management framework. It has satisfied about 60 percent of the elements (12 out of 19) of the entire framework. 10. We have modified the report to reflect this comment. 11. We agree. However, according to GAO's IT Investment Management Framework, to satisfy the proposal selection critical process, EOUSA would need to demonstrate the use of the criteria it has defined. Because it has not yet done so, it is not satisfying the critical process and thus has met two out of five elements of stage 2 of the framework. 12. We disagree. Our assessment is based on EOUSA's satisfaction of key practices laid out in our executive guide for information security management.[Footnote 30] This assessment showed that EOUSA has not fully satisfied any of these key practices. For example, EOUSA does not (1) have a central security focal point with appropriate resources, (2) adequately promote user awareness, and (3) regularly monitor the effectiveness of security controls. Until EOUSA addresses these and other security weaknesses we identify in our report, it will not have implemented effective security practices. 13. See comment 8. 14. We do not question this statement because determining whether the data of the United States Attorneys have never been compromised and are monitored 24 hours a day, 7 days a week was not within the scope of our work and EOUSA did not provide any evidence supporting its assertions. 15. See comment 1. Additionally, our finding is that the institutionalization of information security management has not been an agency priority. 16. We do not question these security initiatives. Additionally, we emphasize that our message is not that EOUSA has not taken steps to improve its information security posture, but rather that the office's information security management efforts, including ongoing and completed improvement steps, are weak in a number of areas relative to information security management best practices. 17. We agree, but would add that our recommendation could be addressed by actively monitoring activity at the routers, firewalls, and wide area network devices, which we understand are remotely managed by EOUSA. To avoid any potential confusion on this point, we have clarified our recommendation. Implementing an intrusion detection system to monitor activity at the routers, firewalls, and other network devices would enable EOUSA to detect hostile attempts to manage those devices. 18. We do not question EOUSA's statement that it has been working to resolve vulnerabilities identified during a security audit conducted by the Justice Inspector General. The scope of the Inspector General's audit, however, was narrower than ours in that it focused on EOUSA's local area network environment. 19. We agree that given EOUSA's recent progress in deploying the replacement network its exposure to risk is currently limited. We have modified the security risk assessment section of the report and the associated recommendation to reflect this change in circumstances. 20. We agree and thus do not conclude that EOUSA's risk assessment program is inadequate. Rather, based on the fact that a risk assessment was not performed on the network that EOUSA has operated since 1996 and, until recently, relied exclusively on, we conclude that EOUSA has not always performed risk assessments. Additionally, to recognize the recent change in circumstances we have modified our recommendation concerning risk assessments. 21. We do not question these statements. We support the use of automated tools to review audit logs, particularly because these logs were not being reviewed, and EOUSA attributed this to a lack of resources. We also support EOUSA's plan to conduct regular tests to determine compliance with policies and procedures. Both of these planned actions are consistent with our recommendations. 22. We do not question this statement. However, as noted in our report, the office did not have a plan to address the issues that are discussed in our report. 23. We do not question these statements because our review did not address contingency plans for all certified and accredited systems. As stated in the report, while a contingency plan was developed for the replacement network, it was not prepared in accordance with federal guidelines. For example, the plan did not specify procedures for notifying recovery personnel. To clarify our position, we have added examples to the report of this plan's noncompliance with federal guidelines. 24. We support EOUSA's stated commitment to establish a centralized security training program. Establishing such a program is consistent with our recommendations. 25. We have modified the report to reflect that the Enterprise Case Management System is the first acquisition to follow the Justice life- cycle methodology from its inception. 26. See comment 6. 27. We have modified the report to reflect that EOUSA's acquisitions are processed through the department and must comply with all departmental policies and procedures. [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Lester P. Diamond, (202) 512-7957: Acknowledgments: In addition to the individual named above, Nabajyoti Barkakati, Jamey Collins, Joanne Fiorino, Anh Q. Le, Sabine R. Paul, and William F. Wadsworth made key contributions to this report. (310257): FOOTNOTES [1] See, for example, Clinger-Cohen Act of 1996, Public Law 104-106; Office of Management and Budget, Management of Federal Information Resources, Circular No. A-130 (February 1996); Office of Management and Budget, Funding Information Systems Investments, Memorandum M-97-02; and National Institute of Standards and Technology, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 (September 1996). [2] U.S. Attorneys' Offices and their branches comprise over 240 sites. [3] Access to the Internet and to research services is provided through Justice's Rockville, MD, Data Center. [4] A virtual private network uses a public or shared telecommunication infrastructure to provide remote users with secure access to an organization's network. [5] Network firewalls are devices or systems that control the flow of traffic between networks with different security requirements. Organizations employ firewalls to prevent unauthorized access to their respective systems and resources. [6] ECMS is intended to replace the Legal Information Office Network System (LIONS) and a system for reporting data stored in LIONS and to be the enterprise solution for managing and tracking case workload within the USAOs. [7] See, for example, Clinger-Cohen Act of 1996, Public Law 104-106; Office of Management and Budget, Management of Federal Information Resources, Circular No. A-130 (February 1996); Office of Management and Budget, Funding Information Systems Investments, Memorandum M-97-02; and National Institute of Standards and Technology, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 (September 1996). [8] U.S. General Accounting Office, Information Technology: INS Needs to Better Manage the Development of Its Enterprise Architecture, GAO/ AIMD-00-212 (Washington, D.C: August 2000); Information Technology: DLA Needs to Strengthen Its Investment Management Capability, GAO-02- 314 (Washington, D.C: March 2002). [9] Chief Information Officers Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0 (February 2001). [10] U.S. General Accounting Office, Information Technology: Enterprise Architecture Use across the Federal Government Can Be Improved, GAO-02- 6 (Washington, D.C: February 2002). We issued version 1.1 of the framework in April 2003--A Framework for Assessing and Improving Enterprise Architecture Management, GAO-03-584G--but did not use it for our evaluation because we had already completed our audit work evaluating EOUSA against the initial framework. [11] U.S. General Accounting Office, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity (Exposure Draft), GAO/AIMD-10.1.23 (Washington, D.C: May 2000). [12] U.S. General Accounting Office, Information Security Management: Learning from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C: May 1998). [13] Logs keep track of accesses to and attempts to access the networks that the firewalls are intended to secure. [14] Certification is the technical and nontechnical evaluation that is conducted to verify that IT systems comply with security requirements. Accreditation is the formal declaration that the appropriate safeguards have been properly implemented and that the residual risk is acceptable. [15] EOUSA is responsible for IT operations at 93 geographically dispersed USAOs and their branches, which comprise about 240 sites. [16] U.S. Department of Justice, FY 2000 Performance Report-FY 2002 Performance Plan, April 2001; U.S. General Accounting Office, Major Management Challenges and Program Risks: Department of Justice, GAO-03- 105 (January 2003). [17] Intrusion detection devices are software or hardware systems that monitor network traffic and help identify cyberthreats. [18] A wide-area network is a network that provides data communications to a large number of independent users and spans a relatively large geographical area. [19] Carnegie Mellon University's Software Engineering Institute, Software Acquisition Capability Maturity Model, Version 1.02, CMU/SEI- 99-TR-002 (April 1999). [20] EOUSA officials told us that they primarily acquire their systems. [21] U.S. General Accounting Office, Information Technology: Enterprise Architecture Use across the Federal Government Can Be Improved, GAO-02- 6 (Washington, D.C: February 2002). [22] Chief Information Officers Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0 (February 2001). [23] U.S. General Accounting Office, A Framework for Assessing and Improving Enterprise Architecture Management, Version 1.1, GAO-03-584G (Washington, D.C: April 2003). [24] U.S. General Accounting Office, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity (Exposure Draft), GAO/AIMD-10.1.23 (Washington, D.C: May 2000). [25] U.S. General Accounting Office, Information Security Management: Learning from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C: May 1998). [26] See, for example, U.S. Department of Justice, Information Technology Security (DOJ 2640.2D (July 2001) and EOUSA, Access to Sensitive But Unclassified IT Resources, USAP 3-16.010.30.001(M) (March 2002). [27] A virtual private network uses a public or shared telecommunication infrastructure to provide remote users with secure access to an organization's network. [28] Carnegie Mellon University's Software Engineering Institute, Software Acquisition Capability Maturity Model, Version 1.02, CMU/SEI- 99-TR-002 (April 1999). [29] The six key process areas that we evaluated are software acquisition planning, solicitation, requirements development and management, project management, contract tracking and oversight, and evaluation. We did not include the seventh key process area--transition to support--in our evaluation because the system that we assessed had not yet progressed to the point that this process area was relevant. [30] U.S. General Accounting Office, Information Security Management: Learning from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C: May 1998). GAO's Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: