GAO: Defense must improve assessment of IT systems

The Defense Department lacks the capability to assess whether its business modernization program is compatible with a broader information technology strategy, according to a new report from the Government Accountability Office.

Comment on this article in The Forum.The report (GAO-08-972) stated that Defense has not adequately demonstrated that the modernization program, which was first designated as high risk by GAO in 1995, fully complies with the department's blueprint for its computer systems, or enterprise architecture.

That means Defense IT "programs are at increased risk of being defined and implemented in a way that does not sufficiently ensure interoperability and avoid duplication and overlap…," the report noted. "Unless this situation changes, the department's business systems modernization efforts will likely remain a high-risk endeavor."

GAO first suggested Defense develop an enterprise architecture in 2001; the project became a higher priority after the fiscal 2005 Defense authorization act required the department to create the blueprint. Defense officials developed a tool to assess whether the department's business systems modernization program is compliant with the enterprise architecture, but according to GAO, the tool is incomplete.

The watchdog agency said the tool does not test the modernization program for compliance with all the relevant pieces of the enterprise architecture, such as technical standards and system characteristics. Those pieces were left out because Defense guidance doesn't require their inclusion and some enterprise architecture products, such as a technical standards profile, have yet to be sufficiently defined.

"Compliance with these products is important because they govern how systems physically communicate with other systems, and they permit the identification of common system components and services that could potentially be shared," the report stated.

In addition, GAO found that Defense's assessment did not identify potential areas of duplication across programs, which was one of the goals of the department's enterprise architecture and decision-making process.

"Potential duplication was not assessed because the compliance guidance does not provide for such analyses to be conducted … As a result, these programs may be investing in duplicative functionality," GAO stated.

The report also highlighted problems with the Navy's enterprise architecture, which is one of the biggest portions of Defense's overall computer system blueprint. GAO said the Navy's portion was not mature and lacked a sufficient description of many key system components. But the business systems modernization program was not tested for compatibility even with the parts of the naval enterprise architecture that were complete, the report noted.

Defense said the department's approach has been to assign accountability to the various component organizations, making it Navy's responsibility to validate its own systems. Naval officials said they did not complete the assessment because they lacked the resources and aspects of the service's architecture were not sufficiently developed.

GAO recommended that Defense amend its policies to require compliance with the enterprise architecture and revise its assessment tool to ensure systems are being modernized properly. Defense officials agreed with the recommendations and said as the enterprise architecture matures, many of the problems identified in the report will be fixed.