Good afternoon, Mr. Chairman, Senator Leahy, and Members of the Committee. Thank you for the opportunity to appear this afternoon and address concerns relating to the FBI's Virtual Case File system, or VCF. As you know, VCF is a case management system constituting the third prong of the FBI's information technology program known as Trilogy. The first two phases of Trilogy have been successfully completed and deployed, and have greatly enhanced our Information Technology (IT) capabilities.

• We have deployed a high-speed, secure network, enabling personnel in FBI offices around the country and around the world to share data, including audio, video and image files. Our new IT infrastructure also provides for secure communications with our Intelligence Community partners.
• We have also replaced outdated hardware with more than 30,000 new desktop computers with modern software applications, nearly 4000 new printers, 1600 scanners, 465 servers, and 1400 routers.

As a result of the implementation of two major prongs of the Trilogy initiative, FBI personnel can now utilize a uniform suite of software that enables them to share information quickly, reliably, and securely. These efforts have also provided a foundation for a number of new capabilities to support the FBI' s counterterrorism mission. The new capabilities include:

• The FBI' s Investigative Data Warehouse (IDW) now provides Special Agents, Intelligence Analysts, and members of Joint Terrorism Task Forces (JTTFs) with a single access point to more than 47 sources of counterterrorism data, including information from FBI files, other government agency data, and open source news feeds, that were previously available only through separate, stove‑piped systems.
• New analytical tools are used across multiple data sources providing a more complete view of the information possessed by the Bureau. Users can search up to 100 million pages of international terrorism‑related documents and other structured records such as addresses and phone numbers in seconds. They can also search rapidly for pictures of known terrorists and match or compare the pictures with other individuals in minutes rather than days. Coupled with sophisticated state-of-the-art search tools, the IDW enhances the FBI' s ability to identify relationships across cases quickly and easily.
• Other critical IT improvements have enabled the FBI to proceed with unprecedented connectivity with our partners in the Intelligence and Law Enforcement Communities. The Top Secret/Sensitive Compartmented Information Operational Network (SCION) gives FBI personnel the ability to electronically receive, disseminate, and share compartmented sources of intelligence information among the FBI' s counterterrorism and counterintelligence operations and with the Intelligence Community. SCION also provides for video teleconferencing at the TOP SECRET level.

Despite these significant improvements, the Virtual Case File -- a case management application for improving efficiency and records management -- is not yet available to our personnel. Mr. Chairman, no one is more frustrated and disappointed than I at the delays we have encountered in deploying VCF. But I believe it is important for the American people to understand what the failure to deliver VCF means -- and what it doesn't mean -- to the FBI Agent on the street.

The FBI Agent on the street has state-of-the-art technology when it comes to surveillance. Without getting into sensitive and classified information, I can assure you that our ability to intercept and decipher communications and to otherwise monitor criminal activity and gather intelligence is among the best in the world. The FBI Agent on the street is able to communicate and share data securely, whether by telephone, computer, or teleconference with our partners, not only in the FBI, but also in the law enforcement and intelligence communities, in the United States and around the world. The Agent on the street is able to access FBI documents electronically on our existing computer systems and to search those documents using multiple search technologies.

What the Agent on the street does not have is a user-friendly format for inputting investigative and intelligence information into his or her computer. Instead, the Agent faces a cumbersome, time-consuming process of preparing a paper record of that information, seeking the necessary approvals, then uploading the document into an existing database. If Agents had the VCF capabilities we envisioned, they could directly input information into their computers, receive electronic approvals, and, with the push of a button, upload information into the database where it would be immediately available to others who need access to it -- Agents, analysts, other federal employees, and state and local officials.

I want to emphasize, however, that although VCF would enable us to do our jobs more efficiently, the absence of VCF does not prevent us from fulfilling our counterterrorism, intelligence and law enforcement missions. Again, VCF is not a database or an analytical tool used to connect the dots -- it is a case management system that will make it easier for Agents to input and share the dots.

Having said that, Mr. Chairman, I thank you for your longstanding interest in the VCF program and your commitment to hold a public hearing to examine the setbacks which have plagued this program. This afternoon, I would like to take the opportunity to answer three basic questions about VCF: (1) What went wrong? (2) Who is responsible for what went wrong? and (3) Where do we go from here?

What Went Wrong?

The development of the VCF application started with a very simple concept -- the FBI's need for a modern case management system. As the FBI's mission evolved over the past several years, so did our technological needs. As a result of these changes and other issues, the FBI faced obstacles in a number of key areas relating to the VCF program.

• We did not have a complete set of defined VCF requirements when the original contract was signed in June 2001.
• The contract was based on hours worked -- cost plus an award fee. We now know these types of contracts are difficult to manage. Although the requirements were solidified in November 2002, the contract remained a cost-plus-award-fee contract.
• We lacked skill sets in our personnel such as qualified software engineering, program management, and contract management. We also experienced a high turnover in Trilogy program managers and Chief Information Officers.
• We underestimated the complexity of interfacing with our legacy system, of addressing our security needs, and of establishing an enterprise architecture.

We will continue to confront these lessons moving forward.

Recognizing our internal limitations, we decided to outsource the development of VCF, including contract management and technology development. The contractor responsible for delivering the user applications component, including VCF, is the Science Applications International Corporation, or SAIC.

Following the establishment of solid requirements in November 2002, the original target date for completing VCF was December 2003. I personally received a demonstration of the VCF software in November 2003 and was impressed with what I saw. I believed that we were on the right track to deliver to our employees' desktops the case management system we were seeking. However, when SAIC delivered the product to us in December 2003, we immediately identified a number of deficiencies in VCF that made it unusable. Upon further examination, we discovered nearly 400 problems with the software and, in April 2004, provided SAIC with a document outlining the corrections needed. SAIC ultimately agreed to remedy the deficiencies and deliver full functionality but only at a cost -- an additional 56 million dollars -- and a timetable -- an additional year -- which were unacceptable to the FBI.

In June 2004, I decided to adopt a new two-track plan for VCF: an Initial Operating Capability, or IOC, and a Full Operating Capability, or FOC. My goal with the IOC was to identify and utilize some portion of the product developed by SAIC, since the fully functional case management system had not been delivered. The portion of VCF currently being piloted in the IOC is the automated workflow process. Last month, several hundred employees in the New Orleans field office began using the system as their document routing system and will continue to do so through the end of March. The purpose of the pilot is to:

• test drive the workflow concept;
• validate the human/machine interface;
• create an electronic interface to our legacy system, the Automated Case Support System, or ACS;
• assess network performance; and
• develop and deliver an enterprise level training curriculum.

The IOC is on track to accomplish these objectives.

As part of Track Two, the FBI contracted with multiple independent vendors to perform the following tasks:

• Examine the VCF application delivered by SAIC in December 2003 to determine if the software as designed will meet the FBI's operational, security, and performance requirements. The contractor, Aerospace Corporation, was also tasked to determine if the VCF application is scalable and can be maintained and enhanced easily.
• Examine the current technologies and vendors, as well as available Commercial Off-The-Shelf, or COTS, software applications and those designed for other agencies, to determine the best combination to meet the FBI's needs. This effort was conducted jointly with the Department of Homeland Security to ensure our case management efforts would be interoperable. In many ways, the pace of technological innovation and the need for information sharing has overtaken our original vision for VCF and there are now products to suit our purposes that did not exist when Trilogy began.
• We have also asked a different contractor to review and revalidate our users' requirements because the mission of the FBI has evolved and there are new requirements for information and intelligence sharing among different entities.

Last week, we received the final version of the Aerospace report and provided copies to the Committee and to the Office of the Inspector General at the Department of Justice.

Who is Responsible for What Went Wrong?

Mr. Chairman, I am responsible, at least in part, for some of the setbacks experienced with Trilogy and VCF. I agree with the OIG's finding that "FBI management did not exercise adequate control over the Trilogy project and its evolution in the early years of the project." Let me also add that I agree with the OIG's finding that "with the new organizational structure and authority given to the CIO in July 2004, project management has been given the attention that was needed throughout the Trilogy project." Mr. Chairman, I will address that new structure and its accomplishments later in my statement.

In addition to our shortcomings in overseeing this project, however, the contractor responsible for VCF bears some responsibility. As discussed above, the FBI retained a not-for-profit, federally funded contractor, Aerospace Corporation, to conduct an independent verification and validation review of the VCF software as delivered by SAIC in December 2003. We asked Aerospace to provide responses to the following three questions:

1. Did SAIC meet the stated requirements?

2. Did SAIC develop a complete and correct Concept of Operations, System Architecture, and System Requirements?

3. What should the FBI do with the VCF software as delivered in December 2003?

Aerospace concluded that "lack of effective engineering discipline has led to inadequate specification, design and development of VCF." In the course of their review, Aerospace could "find no assurance" that the requirements were satisfied, nor that the architecture, Concept of Operations, and requirements were correct and complete. Needless to say, Mr. Chairman, after three and a half years, this was disappointing news.

With regard to the funding of VCF, this Committee has been supportive of our efforts and has generously provided the funding we have needed to overcome obstacles and attempt to move forward. Mr. Chairman, you and the other members are undoubtedly concerned -- as am I -- about losses we have incurred, as well as future investments we will need to make, in VCF. We have invested approximately 170 million dollars in VCF to date. It is my understanding our vendors have delivered services and reusable equipment worth $53.3 million and that we have $12.2 million in unspent obligations on our VCF contracts. This results in a loss of $104.5 million. I am disheartened by this result but remain confident in our ability to deliver a case management system to our employees' desktops in the future.

Where Do We Go from Here?

VCF

The development and deployment of an investigative case management system remains the top priority of the Office of the CIO. Some components of VCF that have been developed will be incorporated into the long-term solution. We will

• Leverage the permanent interface that has been established with our legacy data systems.
• Assess the impact of an automated workflow system on a field office and Headquarters structure, as well as the performance of a case management system on the new Trilogy network, during and at the end of the pilot testing; and,
• Take with us a number of valuable "lessons learned" in contract management, project management, policies and procedures, modular development and deployment, data security, and records management requirements.

Not surprisingly, the pace of technology has overtaken the development of unique software applications for the FBI, and we may turn to Commercial Off-The-Shelf, or COTS-based, products. We are currently reviewing the Aerospace reports which recommend that we discard VCF and start over with COTS-based products, and which provide their evaluation of COTS products as well as products in use by other government agencies. As we do so, we will continue to consult with industry leaders to ensure that we develop a sound, long-term plan for our IT needs.

We will move forward with a phased development and deployment plan as recommended by the National Academy of Sciences and required by Federal information resource management policy. An incremental approach ensures development and acquisition of the best available products on the market. Every phase will provide a set of services that the FBI workforce needs and which was part of the original VCF plan. I cannot at this time estimate when this will occur nor how much in additional funding we will need to invest to get there.

We will also give consideration to a Service Oriented Architecture (SOA), as recommended in the Aerospace report. The concept behind an SOA solution is to standardize enterprise services -- such as searching, reporting, and analyzing data -- so that different groups of users can reuse similar services to access dissimilar data sets throughout the enterprise -- such as our legacy systems of ACS, III, and our Telephone Application. It appears that an SOA approach could provide a flexible solution to the inflexible systems currently existing within the FBI and would help us successfully implement a final product.

FBI Information Technology

With me today is Zal Azmi, who joined the FBI in November 2003 as the Chief Information Officer. Through his leadership, the FBI has implemented a coordinated, strategic approach to information technology.

• Strategic Plan. In December 2004, we completed our first release of the Strategic IT Plan which maps out how IT will support the FBI's and DOJ's Strategic Plan and mission goals over the next five years. All IT projects are required to be consistent with the FBI's and DOJ's Strategic Plans.
• Enterprise Architecture. We established our baseline Enterprise Architecture (EA) in 2004 and are in the process of developing our target EA. We have created an IT Master Systems List identifying all of the IT systems, applications, networks and databases in the FBI and DOJ. All IT projects in the future will be required to be consistent with the FBI's and DOJ's EA.

• Process Improvement. Our Life Cycle Management Directive (LCMD), which governs how IT projects are managed from "cradle to grave," is now consistent with industry best practices and Federal government information resource management policies. All IT Projects and Programs are required to pass through rigorous project and executive level control "gate" reviews for each stage, from inception through disposal. There are 7 gates, 9 phases, and 14 key supporting processes in the LCMD. These reviews are the mechanisms for management control and direction, decision-making, coordination, and confirmation of successful performance.
• Portfolio Management Program. This program focuses on performance assessments of IT investments in the operations and maintenance (O&M) phase of their life cycle. Since the majority of our IT investments currently reside in the O&M phase, these assessments help senior management make more informed decisions about IT investments, in terms of both personnel and money. Portfolio Management recommendations are focused on those investments that should be leveraged, replaced, outsourced or retired.
• Enterprise IT Tool. The IT Portfolio Management Automation project awarded a contract to develop the FBI's Enterprise IT tool. This is a software package that will identify and track IT projects with baselined plans, schedules, and costs. It will also plan and track all FBI IT hardware and software infrastructure procurements at an integrated, enterprise level.
• Capital Planning and Investment Management/Project Assurance. The Investment Management/Project Review Board now reviews and approves new IT investments at specified stages of each IT project's life cycle. We are also in the process of evaluating the FBI's 130+ existing IT projects for overall health and placement within the system development life cycle. This will enable FBI executives to uncover and address cost, schedule and performance risks. IT Investment Management will use our Enterprise IT Tool to track new FBI IT investments to ensure alignment with mission goals.

• Performance and Results-Based Management (IT Metrics). We are updating an IT Metrics program that identifies and measures IT performance according to industry standards, government regulations, and Earned Value Management System (EVMS) principles. Currently, we publish a CIO Monthly IT metrics report using the Balanced Scorecard Methodology. Our plan is to establish EVMS for "major" IT projects. When a program or project metric varies by more than 10 percent of the acceptable thresholds for cost, schedule, and performance, it will trigger closer scrutiny and remedial action by the Investment Management/Project Review Board.
• Acquisition and Financial Reform. IT Acquisition Reform, a joint initiative between the CIO and the Chief Financial Officer of the FBI and DOJ, will standardize and automate all procurement actions, involving all IT acquisitions, as well as focus on increased competition and small business involvement. In 2004, the FBI entered into multi-year enterprise-wide agreements with Microsoft, Oracle and Dell which have saved millions of dollars in licensing fees. The savings derived from these contracts have been reinvested into technology projects, such as SIPRNET and FAMS (FBI Automated Messaging System). SIPRNET gives the FBI desktop connectivity to the Intelligence Community and FAMS is based on the Defense Messaging System (DMS). The FBI is the first civilian agency to operate a classified DMS-like system.

• Leadership. We have begun to train our Program and Project Managers as well as executive management personnel to become certified as Program Management Professionals (PMP), which is in compliance with the federal guidance. We currently have two certified Government and five contractor PMPs. Approximately 25 managers have taken the PMP review course and plan to take the test. Another 20 are currently enrolling in the training program. This and other leadership training provides best practices and techniques to provide better management of the IT projects and the enterprise IT portfolio.
• IT Policy. We are in the process of updating a Master IT Policy List. Once established, any new IT policies or modifications will have to be reviewed and approved by the IT Policy Review Board. The Master List will enable the CIO to monitor all IT projects during the Life Cycle Management Directive control gate review processes and enforce all applicable IT policies.
• Technology Assessment. The FBI's Chief Technology Officer is working closely with the Enterprise Architecture team of the FBI and DOJ to standardize enterprise technology standards, technical reference models, technical architectures, and technical design reviews under the Life Cycle Management Directive and system testing/integration. A unified test and integration facility will allow for centralized technology assessment that provides responsive IT solutions to meet mission goals. These measures mitigate project risks through common, interoperable, supportable and affordable solutions.
• Security and Information Assurance. We have implemented an Information Assurance Program which implements key IT capabilities such as Public Key Infrastructure (PKI) and the Enterprise Security Operations Center (ESOC), to strengthen IT services in the FBI and DOJ and mitigate internal and external threats. Certification and Accreditation is being required for all IT Projects and Systems to further mitigate project risk.

Conclusion

Mr. Chairman, in the aftermath of VCF, the FBI is faced with difficult decisions on how best to proceed with our evolving IT needs and evolving technologies. This Committee and the American people have my personal assurance that we will proceed as expeditiously and as prudently as possible to provide our employees with the automated capabilities they need. We have expanded the team of IT professionals within the FBI, each of whom has demonstrated an ability to perform under adverse circumstances. We have learned many valuable lessons over the past few years and, as a result, will be able to apply these lessons and avoid many of the pitfalls that befell this project in the past.

I would like to close by thanking the Committee, and you in particular, Mr. Chairman, for your support throughout this endeavor, and I look forward to working with you and your staff as we chart our course for the future.