Defense Business Systems: DOD Needs to Continue Improving Guidance and Plans for Effectively Managing Investments
Highlights
What GAO Found
The Department of Defense (DOD) has made progress in complying with most legislative provisions for managing its defense business systems, but additional actions are needed. For example, the National Defense Authorization Act (NDAA) for Fiscal Year 2016 required DOD and the military departments to issue guidance to address five requirements for reviewing and certifying the department's business systems. While DOD has issued guidance addressing all of these requirements, as of February 2018, the military departments had shown mixed progress.
DOD's and Military Departments' Progress in Issuing Guidance that Addressed Fiscal Year 2016 NDAA Business System Management Requirements
Certification Requirement | DOD | Air Force | Navy | Army |
---|---|---|---|---|
Sufficient business process reengineering | ● | ● | ● | ◌ |
Business enterprise architecture compliance | ● | ● | ● | ◌ |
Valid requirements and a viable plan to implement them | ● | ● | ◐ | ◌ |
Acquisition strategy to eliminate or reduce the need to tailor commercial off-the-shelf systems | ● | ◌ | ◌ | ◌ |
Compliance with the department's auditability requirements | ● | ◌ | ◌ | ◌ |
● Fully addressed: The department provided evidence that it fully addressed this requirement.
◐ Partially addressed: The department provided evidence that it addressed some, but not all, portions of this requirement.
◌ Not addressed: The department did not provide any evidence that it addressed this requirement.
Source: GAO analysis of Department of Defense documentation. | GAO-18-130
The military departments' officials described plans to address the gaps in their guidance; however, none had defined when planned actions are to be completed. Without guidance that addresses all five requirements, the military departments risk developing systems that, among other things, are overly complex and costly to maintain.
DOD has efforts underway to improve its business enterprise architecture, but its information technology (IT) architecture is not complete. Specifically, DOD's business architecture includes content called for by the act. However, efforts to improve this architecture to enable the department to better achieve outcomes described by the act, such as routinely producing reliable business and financial information for management, continue to be in progress. In addition, DOD is updating its IT enterprise architecture, which describes, among other things, the department's computing infrastructure. However, the architecture lacks a road map for improving the department's IT and computing infrastructure for each of the major business processes. Moreover, the business and IT enterprise architectures have yet to be integrated, and DOD has not established a time frame for when it intends to do so. As a result, DOD lacks assurance that its IT infrastructure will support the department's business priorities and related business strategies.
Why GAO Did This Study
DOD spends billions of dollars each year on systems that support its key business areas, such as personnel and logistics. For fiscal year 2018, DOD reported that these business system investments are expected to cost about $8.7 billion. The NDAA for Fiscal Year 2016 requires DOD to perform activities aimed at ensuring that business system investments are managed efficiently and effectively, to include taking steps to limit their complexity and cost.
The NDAA also includes a provision for GAO to report every 2 years on the extent to which DOD is complying with the act's provisions on business systems. For this report, GAO assessed, among other things, the department's guidance for managing defense business system investments and its business and IT enterprise architectures (i.e., descriptions of DOD's current and future business and IT environments and plans for transitioning to future environments). To do so, GAO compared the department's system certification guidance and architectures to the act's requirements. GAO also interviewed cognizant DOD officials.
Recommendations
GAO is making six recommendations, including that DOD and the military departments establish time frames for, and issue, required guidance; and that DOD develop a complete IT architecture and integrate its business and IT architectures. DOD concurred with three and partially concurred with three recommendations. GAO continues to believe all of the recommendations are warranted as discussed in this report.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of the Secretary of Defense | The Secretary of Defense should define a specific time frame for finalizing, and ensure the issuance of (1) policy requiring full consideration of sustainability and technological refreshment requirements for its defense business system investments; and (2) policy requiring that best systems engineering practices are used in the procurement and deployment of commercial systems, modified commercial systems, and defense-unique systems to meet DOD missions. (Recommendation 1) | DOD has implemented this recommendation. In August 2019, the Office of the Chief Management Officer (CMO) provided a written response stating that it had verified existing policy for both requirements. Specifically, the Office of the CMO stated that department policy requires full consideration of sustainability and technological refreshment requirements for its defense business systems investments. In addition, the department provided us its DOD Instruction 5000.75, DOD Directive 5000.01, and DOD Financial Management Regulation Volume 2B, which include policy requiring consideration of sustainability and technological refreshment. DOD also stated that department policy requires best systems engineering practices be used in the procurement and deployment of commercial systems, modified commercial systems, and defense-unique systems to meet DOD missions. In addition, the office of the CMO provided us its DOD Directive 5000.01, which includes policy to help ensure that best systems engineering practices are used in the procurement and deployment of commercial systems, modified commercial systems, and defense-unique systems. |
Office of the Secretary of the Air Force | The Secretary of the Air Force should define a specific time frame for finalizing, and ensure the issuance of guidance for certifying the department's business systems on the basis of (1) having an acquisition strategy designed to eliminate or reduce the need to tailor commercial off-the-shelf systems to meet unique requirements, incorporate unique requirements, or incorporate unique interfaces to the maximum extent practicable; and (2) being in compliance with DOD's auditability requirements. (Recommendation 2) | The Department of the Air Force has implemented this recommendation. The department's April 2018 updated guidance states that the Air Force Deputy CMO has approval authority for any defense business system below $250 million over the current future-years defense plan, and that the Air Force Deputy CMO will assert compliance with auditability requirements. In addition, the department's May 2019 Air Force guidance memo states that the Deputy CMO or the DOD CMO will certify that a system satisfies the requirements outlined in the memo, which include ensuring that each defense business system developed, deployed, or operated by the Air Force must continue to satisfy the requirement to have an acquisition strategy and utilize an acquisition and sustainment strategy that prioritizes commercial software and business practices. In addition, Air Force's August 2019 OEP guidebook for defense business systems states that each defense business system developed, deployed or operated by the Department of Defense must utilize an acquisition and sustainment strategy that prioritizes commercial software and business practices. |
Department of the Navy | The Secretary of the Navy should define a specific time frame for finalizing, and ensure the issuance of guidance for certifying the department's business systems on the basis of (1) having a viable plan to implement the system's requirements; (2) having an acquisition strategy designed to eliminate or reduce the need to tailor commercial off-the-shelf systems to meet unique requirements, incorporate unique requirements, or incorporate unique interfaces to the maximum extent practicable; and (3) being in compliance with DOD's auditability requirements. (Recommendation 3) | In March 2018, the Department of the Navy issued updated guidance for certifying business systems that addressed this recommendation. Specifically, this guidance addressed certifying business systems on the basis of having a viable plan to implement the system's requirements; having an acquisition strategy designed to eliminate or reduce the need to tailor commercial off-the-shelf systems to meet unique requirements, incorporate unique requirements, or incorporate unique interfaces to the maximum extent practicable; and being in compliance with DOD's auditability requirements. As a result, the Department of the Navy is better positioned to help ensure that its systems have valid requirements and a viable plan to implement them; limit unnecessary systems complexity; and support the Department of Defense's efforts to meet its auditability requirements. |
Department of the Army | The Secretary of the Army should define a specific time frame for finalizing, and ensure the issuance of guidance for certifying the department's business systems on the basis of (1) being reengineered to be as streamlined and efficient as practicable, and determining that implementation of the system will maximize the elimination of unique software requirements and unique interfaces; (2) being in compliance with the business enterprise architecture; (3) having valid, achievable requirements and a viable plan to implement the requirements; (4) having an acquisition strategy designed to eliminate or reduce the need to tailor commercial off-the-shelf systems to meet unique requirements, incorporate unique requirements, or incorporate unique interfaces to the maximum extent practicable; and (5) being in compliance with DOD's auditability requirements. (Recommendation 4) | The Department of the Army has implemented the recommendation. As of 2018, the department's policy addressed two elements of the recommendation but did not address the other three elements. Specifically, it included policy for certifying the department's business systems on the basis of (1) being reengineered to be as streamlined and efficient as practicable, and determining that implementation of the system will maximize the elimination of unique software requirements and unique interfaces; and (2) being in compliance with the business enterprise architecture. However, it did not address certifying the department's business systems on the basis of (1) having valid, achievable requirements and a viable plan to implement the requirements; (2) having an acquisition strategy designed to eliminate or reduce the need to tailor commercial off-the-shelf systems to meet unique requirements, incorporate unique requirements, or incorporate unique interfaces to the maximum extent practicable; and (3) being in compliance with DOD's auditability requirements. In August 2019, Army issued its Fiscal Year 2020 Defense Business Systems Annual Certification and Portfolio Review Guidance. This updated guidance addressed the remaining three elements of the recommendation. |
Office of the Secretary of Defense | The Secretary of Defense should ensure that the DOD Chief Information Officer (CIO) develops an IT enterprise architecture which includes a transition plan that provides a road map for improving the department's IT and computing infrastructure, including for each of its business processes. (Recommendation 5) | As of January 2025, the Department of Defense (DOD) has not demonstrated that it has taken sufficient steps to address this recommendation. In May 2024, DOD stated that it plans to modernize the Information Enterprise Architecture (IEA) to provide clear requirements and key performance indicators for IT and computing infrastructure. In addition, DOD stated that the Chief Information Officer (CIO) published the IEA Version 3 Increment 2 in December 2023. Further, the department stated that the DOD CIO is working to complete the IEA Increment 3 by December 31, 2024. In December 2024, the department stated that it plans to integrate the IEA and the Business Enterprise Architecture by the fourth quarter of Fiscal Year 2025. We will continue to follow up with the department and update this status as DOD makes progress and provides additional information. |
Office of the Secretary of Defense | The Secretary of Defense should ensure that the DOD CIO and Chief Management Officer work together to define a specific time frame for when the department plans to integrate its business and IT architectures and ensure that the architectures are integrated. (Recommendation 6) | As of January 2025, the Department of Defense (DOD) has not demonstrated that it has taken sufficient steps to address this recommendation. In May 2024, DOD provided an update on the Information Environment Architecture (IEA) and stated that Version 3 Increment 2 of the IEA was published in December 2023. Further, the department added that the DOD Chief Information Officer is working on Increment 3 and is on track to publish the entirety of IEA Version 3 by December 31, 2024. Additionally, DOD stated it will develop a plan to integrate the IEA and Business Enterprise Architecture within enterprise-level capabilities by December 31, 2024. In December 2024, the department stated that it plans to integrate the IEA and the BEA by the fourth quarter of Fiscal Year 2025. We will continue to follow up with the department and update this status as DOD makes progress and provides additional information. |