Robert J. Garrity Jr., a 29-year veteran of the Federal Bureau of Investigation, is no stranger to solving intricate information infrastructure issues. In the year 2000, Garrity was serving as one of eight inspectors, based in FBI headquarters in Washington, D.C., when the FBI realized that one of its agents, Robert Hanssen, had been engaged in espionage against the United States for decades. Because Garrity had a background in counter-espionage, he was asked to determine how Hanssen had achieved almost unfettered access to the FBI’s information systems for such a long period of time, and to ensure that it didn’t happen again.
Garrity put together a team to look at the FBI’s information security policies, practices and procedures, while the Attorney General of the United States and an independent commission also began to study the issue. Eventually, Garrity and his team made 85 specific recommendations on how the FBI could tighten its information security posture.
As that assignment was coming to an end, it came to light that the FBI had not turned over all the relevant documents in its possession to the defense attorneys for Timothy McVeigh, the Oklahoma City bomber, delaying McVeigh’s execution. Garrity was asked to look at the FBI’s records management procedure. “How had we failed in our administration and management of records to recognize that we had not turned over all the documents?” he asked. The answer was not difficult to discover. “We had abolished our records management division in 1993 as part of a reorganization,” Garrity said. “And now we were wondering why we couldn’t manage records.”
In the years since the records management division had been terminated, responsibility for records had been jettisoned to other parts of the FBI. Garrity found that five different organizations within the FBI had some records management responsibilities. “There was no central manager who was responsible for records,” he said. Garrity was designated as the interim records officer, and when a records management professional was hired to manage the FBI records office, Garrity served as his deputy.
The Hanssen and McVeigh cases had demonstrated deep-seated problems with information management at the FBI. In the first case, a spy had access to information to which he was not entitled. In the second, the FBI did not access all the needed information it had in a timely fashion.
Even Bigger Problems
But the shortcomings of the FBI’s information management infrastructure were to become even more apparent. The investigations that followed the 9-11 terrorist attacks on the World Trade Center and Washington, D.C., showed that some aspects of the infrastructure were antiquated and outmoded. For example, different FBI offices had information about some of the activities of some of the hijackers, but there was no way to share that information among offices. Moreover, nobody could pull together information stored in different systems. There was no way to do a global search and it could take hours to look for information in different databases.
In response, the FBI stepped up an initiative called the Virtual Case File system. The idea was to allow investigators and agents to share information in real time. Intended to be a major weapon in the fight against terrorism, the Virtual Case File effort ran into delay after delay. Then, in early 2005, after an expenditure of nearly $170 million, FBI Director Robert Mueller decided to pull the plug on the project. Concluding it did not warrant further investment, Mueller asked Garrity, who was then in charge of the FBI office in Jackson, MS, to return to Washington to guide a new process for a project the FBI code-named Sentinel. He was named deputy chief information officer and business process reengineering executive.
A Business Process Approach
The Virtual Case File system had failed for several reasons. One serious problem, Garrity noted, was that the FBI had asked contractors to develop a case management system that mirrored the process that the FBI already had in place. “Some in the business process reengineering world would call that paving the cow paths,” Garrity said. “We asked them to adapt their technology to our systems and processes.”
For Sentinel, the FBI plans to use as much commercial and government-owned off-the-shelf technology as possible. “If faced with the choice of changing software to meet our processes or changing our processes to match the software, we will do the latter, as long as it will not have an adverse impact on our mission,” Garrity said.
In fact, as part of the Sentinel project, Garrity is leading an extensive business process reengineering effort. “Our highest priority is to ensure that Sentinel succeeds,” he said. “We are going through the investigative, intelligence and operational procedures that will be needed and mapping out the existing baseline processes.”
Currently, Garrity is convening teams of agents, analysts and support employees from the field and headquarters staff to map current processes from beginning to end. Working with outside facilitators, the teams are modeling “as is” conditions and then working to identify inefficiencies, bottlenecks and chokepoints. The next step is to model a target condition.
An Ambitious Task
“The FBI is a 97-year-old organization,” Garrity pointed out. “We have a lot of heritage and a lot of legacy ways of doing things. But the director is committed to changing the way that the FBI does business.”
The Bureau is also committed to using proven and tested techniques. The starting point for the business process reengineering effort was a federal enterprise architecture effort launched by the Office of Management and Budget. “The OMB has come down with lines of business for all federal agencies,” Garrity said.
At the top level, the FBI has identified six lines-of-business (LOBs). The largest and most visible is Investigative, Intelligence and Analytical Support. The second LOB, Law Enforcement Support Services, recognizes the FBI’s contributions to local, state, federal and international agencies, such as investigative support, forensic examinations, training and the national fingerprint and criminal history system. The third LOB, Core Infrastructure Systems, accounts for the IT systems used daily. Administration/Managerial Support, the nuts and bolts of running the agency, is fourth. The fifth is Electronic Surveillance/Collection Systems, and Information Assurance and Security Systems is the final top-level LOB.
Garrity’s teams are drilling down into processes underlying the major line of business Investigative, Intelligence and Analytical Support. As is commonly the case, it is a process in itself. “As we map a process,” Garrity said, “We discover a sub process. Then we realize the sub process has a sub process of its own.” Currently, 118 processes are being explored. And, as one team of consultants maps and models the process, another enters the models into Business Process Modeling Notation (BPMN) so at the appropriate time it can be incorporated into the enterprise architecture. BPMN is a graphical notation that depicts the steps in a business process and has been specifically designed to coordinate the sequence of processes, and the messages that flow between different process participants, in a related set of activities. “We will have it in an architecture library and will have something to give to the successful contractor,” Garrity said.
Unique Challenges
Reengineering FBI processes presents some unique challenges. Teams are currently working on surveillance processes. In the FBI, two distinct groups perform surveillance. Special agents, that is, sworn law enforcement agents, conduct more dangerous surveillance activities when violence is likely. For counter-intelligence and counter-terrorism surveillance, surveillance professionals are used.
Reengineering the processes associated with surveillance requires more than bringing the two groups of specialists together. It also involves program managers and lawyers. “Why was a policy ordained in the first place?” Garrity said. “Many of the things we do are constrained by policy, statute, Attorney General guidelines or internal FBI guidelines. If it is an internal FBI policy, is it changeable?”
For example, FBI agents who conduct interviews that may result in testimony at a trial must file a specific form and the original handwritten notes must be retained. Currently, the original pages are ripped out of the agent’s notebook and stored for future use. If, years later, the case comes to trial and the agent refers to the notes, the opposing counsel has the right to review them as well. The question is–would it be acceptable to scan the notes and store them electronically, rather than retaining the original paper pages? “There is the best evidence rule and then there are our business practices,” Garrity said. “If we adopt this as a best practice, will the courts accept scanned images of notes in lieu of the original pages of the notebook?”
Similarly, when surveillance is conducted, every member of the team has to sign a surveillance log, attesting to what that person actually saw. Current business practice calls for the log to be passed to each surveillance team member, which can take several days. “Can we do this electronically, using public key infrastructure and electronic signatures?” Garrity wondered.
Everybody could electronically initial what they saw and then each section of the log could be merged into a composite. Digital images could be appended to the log as well. Today, the FBI’s internal system cannot handle images at all.
In fact, records at the FBI are still paper-centric. “Our official records are paper,” Garrity said. “We have an electronic record-keeping system but it has never been certified as a system of records by the National Archives.”
Good Chance for Success
Despite the challenges, Garrity and his team believe that there is a good chance that both Sentinel and the business process reengineering effort underway will succeed. After all, noted Sanjeev Bhagowalia, who heads the Office of IT Policy and Planning, Office of the CIO at the FBI, despite its high-profile missteps, the FBI has successfully reengineered many of its processes and implemented technologically sophisticated systems. “We have reengineered our own IT business processes,” said Bhagowalia, who is responsible for the FBI’s enterprise architecture and adherence of all proposed IT projects to the FBI’s newly created Lifecycle Management Directive. “We are conforming with world-class best practices: the Capability Maturity Model Integration.” The CMMI is a model to measure an enterprise’s capacity to effectively use its software technologies.
Although records management efforts have lagged, Bhagowalia acknowledged, in many of the operational areas the FBI’s use of technology is state of the art. Moreover, he said, the Bureau had learned from the Virtual Case File episode. “We have created a requirements document that is very tight,” he said. “With the Virtual Case File, there was requirements creep. There are now stringent checks and balances so that what happened with the Virtual Case File won’t happen again.” The requirements were developed in accordance with a lifecycle management directive that starts with a business needs statement and ends with decommissioning.
The FBI has more than 500 information systems, Bhagowalia observed. Currently, those systems are being actively incorporated into the federal government’s overall enterprise architecture strategy. Along the same lines of CMMI, the Government Accountability Office has issued what it calls the Enterprise Architecture Management Maturity Framework for defining best practices in enterprise architecture. “We have done our work to make sure there is a link between BPM and enterprise architecture,” Bhagowalia said. The last piece of the puzzle is establishing more open communication between the Bureau and the contractor who will eventually put Sentinel in place. “We have been secretive,” Bhagowalia said. “We are part of the intelligence community and don’t want people to know what we do.” But this time the Bureau has published an enterprise architecture document, so everybody shares the same vision.
The Results
This upfront work should have several benefits. First, the FBI will be in a position to give the winning contractor a clear blueprint for Sentinel. Second, though the focus is now on the processes associated with Sentinel, the business process reengineering effort will continue. “The director wants us to do a top to bottom scrub to make sure the FBI has critically examined what it does,” Garrity said.
The examination will be guided by four questions. Does the FBI need to be involved in an activity? If it does need to be done, what is its priority? Can it be leveraged by technology? Can the funding be found to deploy needed technology? “You don’t want to raise expectations unrealistically by starting a reengineering effort when you haven’t made an effort to acquire the funding,” Garrity said.
But the real payoff will be that the Bureau operates more efficiently. “Our 32,000 employees will embrace it,” Garrity predicted. “They are starved for improvements in the systems. If it works the way we have designed it, there will be an exponential improvement and a groundswell of acceptance.”
