This is the accessible text file for GAO report number GAO-10-215 entitled 'Military Personnel: Additional Actions Are Needed to Strengthen DOD's and the Coast Guard's Sexual Assault Prevention and Response Programs' which was released on February 24, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman, Subcommittee on National Security and Foreign Affairs, Committee on Oversight and Government Reform, House of Representatives: United States Government Accountability Office: GAO: February 2010: Military Personnel: Additional Actions Are Needed to Strengthen DOD's and the Coast Guard's Sexual Assault Prevention and Response Programs: GAO-10-215: GAO Highlights: Highlights of GAO-10-215, a report to the Chairman, Subcommittee on National Security and Foreign Affairs, Committee on Oversight and Government Reform, House of Representatives. Why GAO Did This Study: Sexual assault is a crime with negative implications to military readiness and esprit de corps. In response to a congressional request, GAO, in 2008, reviewed Department of Defense (DOD) and U.S. Coast Guard sexual assault prevention and response programs and recommended a number of improvements. GAO was subsequently asked to evaluate the extent to which (1) DOD has addressed GAO’s 2008 recommendations and further developed its programs, (2) DOD has established a sexual assault database, and (3) the Coast Guard has addressed GAO’s 2008 recommendations and further developed its programs. To do so, GAO analyzed legislative requirements and program guidance, interviewed officials, and compared database implementation efforts to key information technology best practices. What GAO Found: DOD has addressed four of GAO’s nine recommendations from 2008 regarding the oversight and implementation of its sexual assault prevention and response programs. For example, the Office of the Secretary of Defense (OSD) evaluated department program guidance for joint and deployed environments, and it evaluated factors that may hinder access to health care following a sexual assault. But DOD’s efforts to address the other recommendations reflect less progress. For example, GAO recommended that DOD develop an oversight framework, to include long-term goals and milestones, performance goals and strategies, and criteria for measuring progress. However, GAO found that the draft framework lacks key elements needed for comprehensive oversight of DOD’s programs, such as criteria for measuring progress and an indication of how it will use the information derived from such measurement to improve its programs. Until OSD incorporates all key elements into its draft oversight framework, it will remain limited in its ability to effectively manage program development to help prevent and respond to sexual assault incidents. DOD acknowledges that more work remains in order to fully develop its oversight framework. DOD has taken steps to begin acquiring a centralized sexual assault database. However, it did not meet a legislative requirement to establish the database by January 2010, and it is unclear when the database will be established because DOD does not yet have a reliable schedule to guide its efforts. Also, key system acquisition best practices associated with successfully acquiring and deploying information technology systems, such as economically justifying the proposed system solution and effectively developing and managing requirements, have largely not been performed. OSD officials said they intend to employ these acquisition best practices. Until this is accomplished the program will be at increased risk of not delivering promised mission capabilities and benefits on time and within budget. While the Coast Guard has partially implemented one of GAO’s two recommendations for further developing its sexual assault prevention and response program, it has not implemented the other. In June 2009, the Coast Guard began assessing its program staff’s workload, which represents progress in addressing GAO’s recommendation to evaluate its processes for staffing key installation-level positions in its program. However, it has not addressed GAO’s recommendation to develop an oversight framework. Further, the Coast Guard lacks a systematic process for assembling, documenting, and maintaining sexual assault incident data, and lacks quality control procedures to ensure that the program data being collected are reliable. In fiscal year 2008, for example, different Coast Guard offices documented conflicting numbers of sexual assault reports: the Coast Guard Program Office documented 30, while the Investigative Office documented 78. The Coast Guard had to resolve this significant discrepancy before it could provide its data to DOD. Without a systematic process for tracking its data, the Coast Guard lacks reliable knowledge on the occurrence of sexual assaults. What GAO Recommends: To strengthen program implementation, GAO recommends that DOD take steps, including incorporating all key elements into its draft oversight framework and adhering to key system acquisition best practices, as it develops its database. GAO also recommends that the Coast Guard take steps, including establishing a systematic process to track program data and establishing quality control procedures. DOD and the Coast Guard concurred with the recommendations. View [hyperlink, http://www.gao.gov/products/GAO-10-215] or key components. For more information, contact Brenda S. Farrell at (202) 512-3604 or farrellb@gao.gov or Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: DOD's Efforts to Address GAO's Recommendations from 2008 Reflect Varying Levels of Progress: DOD Has Yet to Establish a Centralized Sexual Assault Database: Coast Guard Has Partially Implemented One of Our Two Recommendations from 2008: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Scope and Methodology: Appendix II: Comments from the Department of Defense: Appendix III: Comments from the U.S. Coast Guard: Appendix IV: GAO Contacts and Staff Acknowledgments: Tables: Table 1: Nine Improvement Opportunities and Selected Corresponding Target Improvement Initiatives Contained in OSD's Draft Oversight Framework: Table 2: Summary of Increments and Phases for Acquiring DOD's Defense Sexual Assault Incident Database: Abbreviations: DOD: Department of Defense: MDA: Milestone Decision Authority: OMB: Office of Management and Budget: OSD: Office of the Secretary of Defense: [End of section] United States Government Accountability Office: Washington, DC 20548: February 3, 2010: The Honorable John F. Tierney: Chairman: Subcommittee on National Security and Foreign Affairs: Committee on Oversight and Government Reform: House of Representatives: Dear Mr. Chairman: Sexual assault is a crime that has a far-reaching negative impact on communities, families, and individuals and has additional implications for the military services because it undermines their core values, degrades mission readiness and esprit de corps, subverts strategic goodwill, and raises financial costs. Since we reported on these implications in 2008, incidents of sexual assault have continued to occur; in fiscal year 2008, the Department of Defense (DOD) reported nearly 3,000 alleged sexual assault cases, and the U.S. Coast Guard reported about 80.[Footnote 1] However, it is impossible to accurately analyze trends or to draw conclusions from these data about the incidence of sexual assault in the military services because, as we have previously reported, DOD and the Coast Guard have not been using standardized reporting requirements.[Footnote 2] Since 2004, Congress has repeatedly taken steps to address sexual assault in the military, including passing legislation that directs the Secretary of Defense to develop a comprehensive policy for DOD on the prevention of and response to sexual assaults involving members of the Armed Forces. The comprehensive policy is to include procedures for confidentially reporting sexual assault incidents. Further, the Secretary of Defense is required to submit an annual report to Congress on reported sexual assault incidents involving servicemembers.[Footnote 3] In 2008, we issued two reports that have helped inform congressional deliberations on sexual assault in the military; the first, in January 2008,[Footnote 4] addressed sexual assault at the DOD and Coast Guard academies, while the second, in August 2008,[Footnote 5] addressed sexual assault in the military and Coast Guard services. Our August 2008 report found that while DOD and the Coast Guard have taken positive steps to prevent and respond to sexual assault, program implementation was hindered by several issues, such as the lack of an oversight framework--that is, a plan to improve the Office of the Secretary of Defense's (OSD) oversight of the programs; limited support from some commanders; and training that was not consistently effective.[Footnote 6] Accordingly, we made a number of recommendations to improve DOD and Coast Guard programs, including recommending the development of an oversight framework to assess program effectiveness and the evaluation of program guidance, training, and installation-level staffing processes to enhance program implementation. We also raised as a matter for congressional consideration that the Coast Guard be required to annually submit to Congress sexual assault incident and program data that are methodologically comparable to those required of DOD. DOD and the Coast Guard concurred with all of the recommendations in our August 2008 report, which are reprinted in the Background section of this report. In addition, we testified twice before your Subcommittee: in July 2008,[Footnote 7] to discuss our preliminary observations on DOD's and the Coast Guard's sexual assault prevention and response programs, and in September 2008, to discuss the findings and recommendations included in our August 2008 report.[Footnote 8] In November 2008, you requested that we continue to monitor DOD and Coast Guard efforts to strengthen the implementation and oversight of their respective sexual assault prevention and response programs. This report builds upon our previous work related to sexual assault in the military services, and assesses the extent to which (1) DOD has taken steps to implement our recommendations from 2008 and has further developed its programs to prevent and respond to sexual assault; (2) DOD has taken steps to address a congressional requirement to establish a centralized, case-level sexual assault incident database; and (3) the Coast Guard has taken steps to implement our recommendations from 2008 and has further developed its programs to prevent and respond to sexual assault. To assess the extent to which DOD has implemented our previous recommendations, we reviewed current DOD policies and programs and compared them with our prior findings and recommendations. We also interviewed DOD officials to supplement our analyses of program modifications. To assess the extent to which DOD has addressed the congressional requirement to establish a centralized, case-level sexual assault database, we reviewed applicable legislation[Footnote 9] to identify statutory provisions that direct DOD to make changes to its processes for collecting and maintaining sexual assault data. We also reviewed applicable DOD documentation, compared it to DOD, federal, and industry guidance and to key system acquisition best practices; and interviewed DOD officials to obtain information on the status of the department's efforts to establish the database. To assess the extent to which the Coast Guard has implemented our previous recommendations, we reviewed current Coast Guard policies and programs and compared them with our prior findings and recommendations. We also interviewed Coast Guard officials to supplement our analyses of program modifications. Further details about our scope and methodology can be found in appendix I. We conducted this performance audit from February 2009 to February 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Results in Brief: DOD has taken steps to implement our August 2008 recommendations to improve its sexual assault prevention and response program; however, its efforts reflect various levels of progress, and opportunities exist for further program improvements. In August 2008, we made nine recommendations to address the program issues we identified, and DOD has taken a number of steps to implement four of these recommendations.[Footnote 10] For example, OSD suggested policy revisions that have led to interim guidance for implementing sexual assault prevention and response programs in joint and deployed environments. Also, OSD chartered the Health Affairs Sexual Assault Task Force, which evaluated and subsequently issued recommendations to address factors that may hinder access to health care following a sexual assault. However, DOD's steps toward implementing the five other recommendations from 2008 reflect less progress, which is likely to hinder the effectiveness of DOD's efforts to oversee its programs. For example, although OSD has drafted an oversight framework, as we recommended, to guide the implementation and assessment of the department's sexual assault prevention and response programs, the framework does not contain all the key elements needed for comprehensive oversight. Specifically, it lacks criteria for measuring progress, although OSD does plan to develop these within the next 2 years. The framework also lacks an indication of how it will use the information derived from such measurement to improve its programs. Our 2008 recommendation called for the oversight framework to include long- term goals, objectives, and milestones; performance goals and strategies; and criteria for measuring progress. Our prior work has also shown that results-oriented organizations use the resulting information to guide the development of future initiatives and identify how to budget available resources to achieve program goals.[Footnote 11] But OSD's draft oversight framework does not identify how it will use or report the results of its performance assessments, does not identify how OSD's budgeting of resources relates to its achievement of strategic program objectives, and does not correlate with the program's two strategic plans. Until OSD incorporates these key elements into its draft oversight framework, it will be limited in its ability to effectively manage program development and determine the extent to which its programs help prevent the occurrence of sexual assaults. We are recommending that OSD strengthen its oversight of sexual assault prevention and response programs by incorporating all key elements into its oversight framework. DOD has taken preliminary steps to establish the Defense Sexual Assault Incident Database---a centralized, case-level sexual assault incident system--but given what has been accomplished to date and what remains to be accomplished, DOD officials did not develop this database in time to meet the statutorily mandated January 2010 implementation deadline.[Footnote 12] Moreover, DOD lacks a reliable schedule to guide acquisition and implementation tasks and activities. In addition, other key information technology management practices that are essential to successfully acquiring and implementing the database also remain to be accomplished. These include assessing the program's potential overlap with and duplication of related programs, justifying investment in the program on the basis of reliable estimates of life cycle costs and benefits, effectively developing and managing system requirements, adequately testing system capabilities, and effectively managing program risks. DOD officials agree that these key practices need to be implemented; however, they have yet to develop plans or timeframes for doing so. Therefore, until these practices are implemented effectively, DOD could face challenges in successfully delivering a database that meets mission needs and does not exceed cost and schedule commitments. As DOD moves forward with its development of the Defense Sexual Assault Incident Database, we are recommending that it adhere to key system development and acquisition management processes and controls. While the Coast Guard has partially implemented one of our recommendations to further develop its sexual assault prevention and response program, it has not implemented the other. In August 2008, we reported that the Coast Guard's sexual assault prevention and response program was hindered by several issues, and we made two recommendations to strengthen its program's implementation.[Footnote 13] To its credit, in June 2009, the Coast Guard began assessing its program staff's workload to address our recommendation to evaluate its processes for staffing key installation-level positions in its sexual assault prevention and response program. However, while the Coast Guard has broadly identified program objectives, it has not addressed our recommendation to develop an oversight framework that provides comprehensive and specific guidance for operating its program. As a result, the Coast Guard is unable to measure program progress, accurately identify program needs, and optimize the use of available resources. Moreover, the Coast Guard lacks a systematic process for assembling, documenting, and maintaining sexual assault incident data, and lacks quality control procedures to ensure that the program data being collected are reliable. In fiscal year 2008, for example, different Coast Guard offices documented conflicting numbers of sexual assault reports: the Coast Guard Program Office documented 30, while the Investigative Office documented 78. Without a systematic process for tracking its data, the Coast Guard lacks reliable knowledge on the occurrence of sexual assaults. We are recommending that the Coast Guard develop a systematic process for tracking its data to ensure that program information collected is valid and reliable. In written comments on a draft of this report, both DOD and the Coast Guard concurred with all of our recommendations. DOD further noted in its comments that while it concurred with our recommendations, our report contains technical inaccuracies and misstatements that diminish the department's efforts. We believe that our report accurately represents DOD's progress to address our recommendations from 2008 and we incorporated technical corrections from DOD, where appropriate. DOD's comments are reprinted in appendix II, and the Coast Guard's comments are reprinted in appendix III. Background: Department of Defense: In October 2004, Congress included a provision in the Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005 that required the Secretary of Defense to develop a comprehensive policy for DOD on the prevention of and response to sexual assaults involving members of the Armed Forces.[Footnote 14] The legislation required that the policy be based on the recommendations of the Defense Task Force on Care for Victims of Sexual Assaults and on other matters as the Secretary deemed appropriate.[Footnote 15] Among other things, the legislation requires the Secretary to establish a standardized departmentwide definition of sexual assault, and to develop a policy, using the standardized definition, to address a number of issues, including the confidential reporting of sexual assault incidents and the uniform collection of data on the incidence of sexual assault. The law also requires DOD to submit an annual report to Congress on reported sexual assault incidents involving members of the Armed Forces. In October 2005, DOD issued DOD Directive 6495.01, which contains its policy for the prevention of and response to sexual assault.[Footnote 16] In June 2006, DOD issued DOD Instruction 6495.02, which provides guidance for implementing this policy.[Footnote 17] DOD's directive defines sexual assault as follows: "intentional sexual contact, characterized by use of force, threats, intimidation, abuse of authority, or when the victim does not or cannot consent. Sexual assault includes rape, forcible sodomy (oral or anal sex), and other unwanted sexual contact that is aggravated, abusive or wrongful (to include unwanted and inappropriate sexual contact), or attempts to commit these acts. "Consent" means words or overt acts indicating a freely given agreement to the sexual conduct at issue by a competent person. An expression of lack of consent through words or conduct means there is no consent. Lack of verbal or physical resistance or submission resulting from the accused's use of force, threat of force, or placing another person in fear does not constitute consent. A current or previous dating relationship by itself or the manner of dress of the person involved with the accused in the sexual conduct at issue shall not constitute consent." In October 2008, Congress passed the Duncan Hunter National Defense Authorization Act for Fiscal Year 2009, which includes a provision requiring the Secretary of Defense to implement a centralized, case- level database for the collection and maintenance of information regarding sexual assaults involving members of the Armed Forces. [Footnote 18] The law specifies that the database include information, if available, about the nature of the assault, the victim, the offender, and the outcome of any legal proceedings associated with the assault, and requires DOD to implement the database by January 2010-- which is 15 months from the day of its enactment. In OSD, the Under Secretary of Defense for Personnel and Readiness has the responsibility for developing the overall policy and guidance for the department's sexual assault prevention and response program. Under the Office of the Under Secretary of Defense for Personnel and Readiness, OSD's Sexual Assault Prevention and Response Office (within the Office of the Deputy Under Secretary of Defense for Plans) serves as the department's single point of responsibility for sexual assault policy matters.[Footnote 19] These responsibilities include providing the military services with guidance and technical support and facilitating the identification and resolution of issues; developing programs, policies, and training standards for the prevention of, reporting of, and response to sexual assault; developing strategic program guidance and joint planning objectives; overseeing the department's collection and maintenance of data on reported alleged sexual assaults involving servicemembers; establishing mechanisms to measure the effectiveness of the department's sexual assault prevention and response program; and preparing the department's annual report to Congress. The Deputy Under Secretary of Defense for Plans has the responsibility for programming, budgeting, and allocating funds and other resources for the Sexual Assault Prevention and Response Office. Each military service has established a sexual assault prevention and response office with responsibility for overseeing and managing its sexual assault matters. Further, DOD's instruction requires the military services to establish Sexual Assault Response Coordinator positions and states that at the services discretion, these positions may be staffed by members of the military, civilian employees, or DOD contractors.[Footnote 20] Sexual Assault Response Coordinators are generally responsible for implementing their respective services' sexual assault prevention and response programs, including coordinating the response to and reporting of sexual assault incidents. Other responders include victim advocates, judge advocates, medical and mental health providers, criminal investigative personnel, law enforcement personnel, and chaplains. Coast Guard: The Coast Guard has had a sexual assault prevention and response program in place since 1997, and in December 2007, the Coast Guard updated its instruction to generally mirror DOD's policy. According to Coast Guard officials, in January 2009, they revised their instruction to incorporate what officials have stated is a more comprehensive definition of the term "sexual assault," modify titles of certain program personnel to better reflect their responsibility, and clarify processes for reporting a sexual assault.[Footnote 21] The Coast Guard's Office of Work-Life (within the Health, Safety, and Work-Life Directorate, which is under the Office of the Assistant Commandant for Human Resources) is responsible for overseeing and managing sexual assault matters. At the installation level, the Coast Guard has established Employee Assistance Program Coordinators to manage the response to and reporting of sexual assault incidents. Like DOD's, the Coast Guard's sexual assault prevention and response program utilizes other responders to manage sexual assault incidents, including victim advocates, judge advocates, medical and mental health providers, criminal investigative personnel, law enforcement personnel, and chaplains. Recommendations from 2008 GAO Report[Footnote 22] In August 2008, we issued a report containing nine recommendations to DOD and two recommendations to the Coast Guard to improve program implementation.[Footnote 23] With respect to DOD, we recommended that the Secretary of Defense take the following actions: * Review and evaluate the department's policies for the prevention of and response to sexual assault to ensure that adequate guidance is provided to effectively implement the program in deployed environments and joint environments. * Direct the military service secretaries to emphasize to all levels of command their responsibility for supporting the program, and review the extent to which commanders support the program and resources are available to raise servicemembers' awareness of sexual assault matters. * Systematically evaluate and develop an action plan to address any factors that may prevent or discourage servicemembers from accessing health services following a sexual assault. * Direct the Defense Task Force on Sexual Assault in the Military Services to begin its examination immediately, now that all members of the task force have been appointed, and to develop a detailed plan with milestones to guide its work. * Require the Sexual Assault Prevention and Response Office to develop an oversight framework to guide continued program implementation and to evaluate program effectiveness. At a minimum, such a framework should contain long-term goals, objectives, and milestones; performance goals; strategies to be used to accomplish goals; and criteria for measuring progress. * Review and evaluate sexual assault prevention and response training to ensure that the military services are meeting training requirements and to enhance the effectiveness of the training. * Evaluate the military services' processes for staffing and designating key installation-level program positions--such as coordinators--at installations in the United States and overseas, to ensure that these individuals have the ability and resources to fully carry out their responsibilities. * Direct the military service secretaries to provide installation- level incident data to the Sexual Assault Prevention and Response Office annually or as requested to facilitate the analysis of sexual assault-related data and to better target resources over time. * Improve the usefulness of the department's annual report as an oversight tool both internally and for congressional decision makers by establishing baseline data to permit the analysis of data over time and to distinguish cases in which (1) evidence was insufficient to substantiate an alleged assault, (2) a victim recanted, or (3) the allegations of sexual assault were unfounded. With respect to the Coast Guard, we recommended that the Commandant of the Coast Guard take the following actions: * Evaluate the Coast Guard's processes for staffing key installation- level program positions--such as coordinators--to ensure that these individuals have the ability and resources to fully carry out their responsibilities. * Develop an oversight framework to guide continued program implementation and to evaluate program effectiveness. At a minimum, such a framework should contain long-term goals, objectives, and milestones; performance goals; strategies to be used to accomplish goals; and criteria for measuring progress. We also suggested as a matter for congressional consideration that the Coast Guard be required to annually submit to Congress sexual assault incident and program data that are methodologically comparable to those required of DOD. In commenting on a draft of that report, both DOD and the Coast Guard concurred with all of our recommendations. [Footnote 24] DOD's Efforts to Address GAO's Recommendations from 2008 Reflect Varying Levels of Progress: DOD has made varying levels of progress in implementing our recommendations from 2008 to improve its sexual assault prevention and response programs. To its credit, DOD has implemented four of the nine recommendations in our August 2008 report. However, DOD's efforts toward implementing the other five recommendations reflect less progress, which is likely to hinder the effectiveness of DOD's efforts to oversee its programs. DOD Has Implemented Four of Our Recommendations from 2008: During fiscal years 2008 and 2009, DOD implemented four of the recommendations in our August 2008 report on DOD and Coast Guard sexual assault prevention and response programs. First, OSD established a working group to address our recommendation to review and evaluate the adequacy of DOD policies for implementing its sexual assault prevention and response program in joint and deployed environments. Based on the working group's findings, OSD submitted a memorandum to the Joint Staff in April 2009 detailing its suggested revisions to joint policy, which a Joint Staff official told us they are using to modify related publications. Additionally, according to a Joint Staff official, the Joint Staff has issued interim guidance to support the implementation of sexual assault prevention and response programs in joint and deployed environments until the new joint publications are approved.[Footnote 25] Second, the military service secretaries have taken a variety of steps to address our recommendation to emphasize responsibility for program support to all levels of command. For example, the military services' top leadership spoke at their respective services' sexual assault prevention summits, during which they emphasized the need for "ownership" of the programs and commitment to the prevention of and response to sexual assault. Specifically, in the spring of 2009, the Secretary of the Army spoke to noncommissioned officers--the personnel responsible for program implementation--on the importance of modifying the Army's culture to actively reject sexual assault and other inappropriate behavior. In the fall of 2009, the Secretaries of the Air Force and Navy and the Commandant of the Marine Corps gave similar presentations to their personnel, during which they stressed their commitment to eradicating sexual assault in the military services. The military services have taken even more far-reaching steps to relay their support for and to commit resources to sexual assault prevention and response programs. For example, the Secretary of the Navy recently established the Navy's Sexual Assault Prevention and Response Office that reports directly to the Secretary, which Navy officials assert will foster additional support and accountability for its sexual assault program initiatives. The Marine Corps, following a review of its program staffing, established full-time Sexual Assault Response Coordinator positions at four installations with the highest troop concentrations and is in the process of establishing full-time coordinator positions at installations with at least 1,000 troops as a way to better manage its sexual assault prevention and response programs. Additionally, the Army has incorporated an assessment of sexual assault program awareness into promotional boards for noncommissioned officers to promote accountability for the implementation of prevention and response initiatives. DOD has also taken a variety of steps to emphasize support for and to further develop its sexual assault prevention and response programs. For example, in fiscal year 2008, representatives from OSD and the military services visited selected military installations to assess, among other things, the extent to which commanders--company and field grade officers--support sexual assault prevention and response programs. OSD found that while most program personnel had demonstrable support from their command, command support of sexual assault prevention and response programs varied from installation to installation, and stronger command support of the program was required. OSD further reported that it is working with its stakeholders to address its findings. Additionally, each of the military services has incorporated interactive, scenario-based training programs to promote increased involvement by participants and to enhance the retention of the material being presented. For example, the Army contracts with a company that offers a nationally recognized presentation called "Sex Signals"--a 90-minute program that uses interactive skits to address the topics of dating, rape, consent, and intervention. The Air Force has implemented bystander intervention training that incorporates techniques such as role-playing to motivate servicemembers to take actions if they see, hear, or otherwise recognize signs of an inappropriate or unsafe situation. The Marine Corps has implemented and the Navy is in the process of adopting a program called Mentors in Violence Prevention training. Like the Air Force's program, this consists of role-playing exercises that allow students to construct and practice ways to respond or intervene in incidents of harassment, abuse, or violence. Third, OSD chartered the Health Affairs Sexual Assault Task Force to address our recommendation to evaluate and develop an action plan to address factors that may prevent or discourage servicemembers from seeking health services. In March 2009, the task force made a number of recommendations intended to improve the availability of health care, such as (1) chartering a military health system Sexual Assault Health Care Integrated Policy Team to review department-level policies regarding clinical practice guidelines, standards of care, research gaps and opportunities, personnel and staffing, training requirements and responsibilities, continuity of care, and in-theater equipment and supplies; (2) drafting model memorandums of understanding for use by all service military treatment facilities as they establish continuity of care relationships with local community providers; and (3) reviewing DOD policy, including performing peer reviews of sexual assault cases to ensure that they are aligned with civilian practices. Fourth, in August 2008, the Defense Task Force on Sexual Assault in the Military Services began its examination of matters relating to sexual assault, as we recommended. According to task force staff, the task force has conducted interviews and focus groups with sexual assault prevention and response program personnel at approximately 60 locations throughout the world. However, the task force did not meet its August 11, 2009, reporting deadline. It was granted an extension, which it met by releasing its report on December 1, 2009.[Footnote 26] DOD's Efforts toward Implementing the Five Other Recommendations from 2008 Reflect Less Progress: DOD's efforts to implement the five other recommendations we made in our report issued in August 2008 reflect less progress. Further, remaining issues with OSD's strategic planning efforts and DOD's annual report to Congress on alleged sexual assault incidents are likely to hinder the effectiveness of DOD's efforts to oversee its programs. OSD's Oversight Framework Has Been Drafted, but It Lacks Key Elements Necessary for Comprehensive Oversight: OSD recently drafted an oversight framework, but the framework only partially satisfies our recommendation in that the framework does not contain all the elements that we previously recommended as necessary for effective strategic planning and program implementation. Further, the draft oversight framework cannot be implemented until it is approved--a step that OSD officials stated will occur once they have incorporated revisions from and obtained the endorsements of the military service secretaries. Based on our prior work on the importance of strategic program planning guidance and our finding that OSD had not established an oversight framework to guide the implementation of its programs, we recommended in August 2008 that OSD develop an oversight framework that includes, at a minimum, (1) long- term goals, objectives, and milestones; (2) performance goals and strategies to be used to accomplish goals; and (3) criteria for measuring progress.[Footnote 27] To its credit, OSD, in October 2009, completed drafting and is preparing to begin a 3-year implementation of its oversight framework to improve the oversight and integration of the department's sexual assault prevention and response programs. This draft oversight framework contains long-term goals, objectives, and milestones for implementation. For example, it identifies nine objective-like elements--called "improvement opportunities"--to facilitate program oversight. Examples of the improvement opportunities include defining core oversight roles and responsibilities, standardizing performance measures and reports, and improving communication with stakeholders. The draft framework also identifies action-oriented steps that correspond with and are designed to facilitate the achievement of these opportunities. For example, the draft framework specifies that OSD will "define and document the policy development, coordination, and approval process" and "define and document the process to review alignment between policy and program development" as specific steps toward the achievement of its objective of defining core oversight roles and responsibilities. Table 1 details the nine opportunities and selected steps for achieving them that are contained in the draft framework. Table 1: Nine Improvement Opportunities and Selected Corresponding Target Improvement Initiatives Contained in OSD's Draft Oversight Framework: Improvement opportunity: Standardize core oversight processes; Target improvement initiatives: * Define policy development, coordination, and approval process; * Define process to review alignment between policy and program guidance. Improvement opportunity: Develop and standardize performance measures; Target improvement initiatives: * Develop baseline measures for program performance data; * Develop standard data collection and management plan to be tracked across DOD. Improvement opportunity: Promote command support of programs; Target improvement initiatives: * Develop and execute survey to gauge combatant command planning status for program implementation in contingency operations; * Assess education/training for commanders and establish required training. Improvement opportunity: Leverage inspectors general in evaluation of compliance with policy; Target improvement initiatives: * Identify success factors of program policy to be communicated to DOD and service inspectors general; * Provide training to DOD and service inspectors general on emerging sexual assault prevention and response topics. Improvement opportunity: Improve working group/subcommittee structure; Target improvement initiatives: * Evaluate whether the Sexual Assault Advisory Council operating structure could be improved to better meet DOD community needs; * Develop subcommittee and working group charters to better define roles and responsibilities. Improvement opportunity: Capture victim experience data; Target improvement initiatives: * Develop and implement a mechanism to capture victim experience data; * Integrate victim quality assurance mechanism into existing victim inquiry process. Improvement opportunity: Implement DOD quarterly review meetings; Target improvement initiatives: * Conduct DOD-specific oversight meetings outside of the Sexual Assault Advisory Council operating structure; * Review budget programming by services and commands to support adequate staffing levels. Improvement opportunity: Collaborate with external partners; Target improvement initiatives: * Establish common understanding of data definitions within DOD sexual assault prevention and response community; * Improve sharing of research and effective practices. Improvement opportunity: Improve proactive communication of information to stakeholders; Target improvement initiatives: * Develop and execute a comprehensive communications plan that incorporates proactive communication strategies and key messaging for core stakeholders; * Develop capability for OSD staff to regularly provide military services with relevant legislative affairs data. Source: DOD. [End of table] OSD's draft oversight framework is a positive step toward stronger management of the department's sexual assault prevention and response programs. Further, OSD recently restructured its Sexual Assault Advisory Council and established the Oversight Steering Committee to more actively involve DOD's top leadership in the development and implementation of the department's sexual assault prevention and response initiatives. For example, DOD's instruction specifies that the Sexual Assault Advisory Council shall be chaired by the Under Secretary of Defense for Personnel and Readiness and shall comprise top DOD leadership, including the Deputy Under Secretary of Defense for Plans, the military departments' assistant secretaries for manpower and reserve affairs, and the Vice Chairman of the Joint Chiefs of Staff. While the establishment of such committees is an important step toward successful implementation of the oversight framework, implementation will require the personal involvement of top DOD leadership to maintain the long-term focus on and accountability for program objectives. Further, OSD's draft oversight framework is missing key elements that are needed to provide comprehensive oversight of DOD's sexual assault prevention and response programs. Specifically, OSD's framework lacks performance measures, does not identify how it will use or report the results of its performance assessments, does not identify how OSD's budgeting of resources relates to its achievement of strategic program objectives, and does not correlate with the program's two strategic plans. Draft Oversight Framework Lacks Performance Measures and Details on How Measures Will Be Used to Guide Program Improvements: OSD's draft oversight framework does not satisfy our recommendation from 2008 in that it does not yet contain performance measures, which are needed to facilitate the evaluation of program performance and the identification of areas needing improvement. Our prior work has shown that managers can use performance information to identify problems and develop solutions that will improve program results.[Footnote 28] Currently, OSD has plans to develop a standardized set of performance measures and targets by the second year of its 3-year plan for implementing its oversight framework. We note that our prior work has highlighted the importance of performance measures and that they should include quantifiable, numerical targets or other measurable values for determining (1) whether the desired performance results are being achieved and (2) overall program progress.[Footnote 29] Until performance measures are established, OSD cannot accurately assess the progress of the department's initiatives or correctly identify and implement actions to improve program performance. OSD's Draft Oversight Framework Does Not Identify How Its Budgeting of Resources Relates to the Achievement of Strategic Objectives: In addition to its lack of performance measures, OSD's framework does not identify how OSD's budgeting of resources relates to its achievement of strategic program objectives, which limits the department's ability to inform budget formulation and execution decisions according to performance considerations. Our prior work has demonstrated that by linking program plans with budgets, organizations can more explicitly guide budget discussions and can assist management by correlating total resources consumed with actual results achieved. [Footnote 30] While these correlations have not been made in the draft framework, OSD officials told us that the process of developing the framework helped to identify the need and gain approval for 21 full- time employees, which is three times the number of staff originally approved for that office. However, until OSD explicitly correlates its budgeting of resources to the achievement of strategic program objectives, it will be challenged in its justification of future budget requests. Draft Oversight Framework Does Not Correlate with the Program's Strategic Plans: OSD's strategic planning documents do not correlate with the program's two strategic plans. Our prior work has shown that clear linkages among long-term strategic goals, objectives, strategies, and day-to- day activities are critical for enabling a strategic plan to drive an organization's operations. In addition to its draft oversight framework, OSD drafted an internal strategic plan to guide the initiatives of DOD's Sexual Assault Prevention and Response Office, and a DOD-wide strategic plan to guide initiatives across the larger DOD community. According to OSD officials, the oversight framework, when approved, will support OSD's ability to meet the goals of its strategic plans, which were designed to serve as the overarching program planning guidance. However, the intended correlation among these three documents is not clear because they do not use similar terminology to clearly link their purposes. For example, OSD's internal strategic plan is based on five "strategic objectives" that are identical to the five "strategic sexual assault prevention and response priorities" contained in the DOD-wide strategic plan. In contrast, the draft oversight framework contains terminology that is different from both strategic plans, and it refers to its nine objective-like elements as "future state improvement opportunities." As a result, the correlation between these three documents is not clear. Further, the two strategic plans and the draft oversight framework do not clearly illustrate how each supports the achievement of the objectives and strategies contained in the other two documents. In commenting on a draft of this report, DOD further defined the relationship between the draft oversight framework and its two strategic plans for sexual assault prevention and response programs. DOD also noted that the objective-like elements in its draft oversight framework were purposely not tied to the program objectives in the two strategic plans. However, without consistent terminology and clearly correlated objectives and strategies among these three documents, the prioritization of and responsibility for these initiatives will remain unclear. (See appendix II for DOD's comments) Training Effectiveness Cannot Be Fully Determined without Performance Measures: While OSD has taken steps to evaluate the effectiveness of the sexual assault prevention and response training provided to DOD servicemembers, training programs cannot be assessed because OSD's strategic plans and draft oversight framework do not contain measures against which to benchmark performance. As we reported in August 2008, DOD's sexual assault prevention and response training was not consistently administered or evaluated for effectiveness. Accordingly, we recommended that DOD undertake an evaluation of the department's training programs.[Footnote 31] To its credit, OSD's training subcommittee reviewed the military services' training policies and found that they continue to provide initial and refresher training for all personnel. However, it also found that a greater level of detail was needed in policy to guide the execution of training requirements. OSD's training subcommittee developed an action plan for fiscal year 2009 that included visits to selected military installations to review sexual assault prevention and response training programs. Nevertheless, OSD's draft oversight framework does not include performance measures, thus limiting OSD's ability to assess the effectiveness of training programs and other initiatives. OSD officials, as part of their recent strategic planning efforts, have acknowledged the need for and are planning to develop a standard set of DOD-wide performance measures over the next few years for DOD sexual assault prevention and response programs. However, they have stated that these performance measures will not be established until at least the second year of DOD's 3-year implementation plan for the oversight framework. Until these measures are established, we continue to assert that OSD cannot ensure that the department's sexual assault prevention and response training effectively imparts an awareness of the subject matter to servicemembers. Staffing of Key Installation-Level Program Positions Has Not Been Evaluated: DOD has not implemented our recommendation to evaluate the military services' processes for staffing key installation-level program positions to ensure that they have the ability and resources to fully carry out their responsibilities. In fiscal year 2008, OSD and the military services examined program staffing processes during OSD's assessments of selected military installations, and similarly concluded that DOD's policy on selection criteria and scope of duty for key program personnel should be further evaluated. However, OSD officials stated that they had not taken action to address their findings because personnel from the congressionally mandated Defense Task Force on Sexual Assault in the Military Services advised OSD that they would be making related recommendations in their December 2009 report to Congress. Until DOD implements our 2008 recommendation, it cannot ensure that it is able to adequately staff and resource its sexual assault prevention and response programs. Installation-Level Data Are Not Being Collected While Centralized Database Is under Development: While the military services have agreed to provide installation-level data on sexual assault incidents, OSD officials told us that they will not collect them until they have implemented the statutorily mandated centralized database to maintain these data. (For a discussion of this database, see a later section of this report.) As we reported in our August 2008 report, OSD could not conduct a comprehensive cross- service trend analysis because it did not have access to installation- level data on sexual assault incidents from the military services. [Footnote 32] As such, we recommended that the military services provide these data to OSD to facilitate the analysis of sexual assault- related data and to better target resources over time. However, OSD is not currently collecting these data, despite their availability, because it has not yet completely standardized its data definitions and data elements. OSD and its stakeholders have started to create a standardized set of sexual assault data elements, thus delineating the types of data to be provided by each of the services. However, OSD officials told us that the process of developing and training the numerous program personnel worldwide to collect and report standardized data elements will be a very complex and time-consuming undertaking. Further, OSD officials stated that they plan to finalize the data definitions in the coming months, but added that similar to the data elements, they will not require that the definitions be used by the military services until the implementation of DOD's sexual assault incident database, the date of which is not yet known. Therefore, it is unknown when OSD will establish baseline data, which are needed to conduct trend analyses of the military services' sexual assault data. DOD's Annual Report to Congress Is Not Comprehensive: While OSD introduced some changes in DOD's annual report to Congress, these changes have not sufficiently improved the report to ensure that congressional stakeholders are better informed on DOD's prevention of and response to incidents of sexual assault. As we previously reported, DOD's annual report may not have been effectively characterizing incidents of sexual assault in the military services, and thus we recommended that the department improve the usefulness of its annual report as an oversight tool.[Footnote 33] To its credit, OSD incorporated new charts and graphics into DOD's fiscal year 2008 annual report that more specifically illustrated the demographics of individuals involved and the locations in which sexual assaults in the military have been occurring. Further, OSD and its stakeholders have started to create a standardized set of sexual assault data elements and definitions. However, the standardization is not yet complete, and as noted previously, OSD officials told us that developing definitions and data elements for and training the numerous program personnel worldwide on how to consistently report on the data elements collected, is very complex and time-consuming. OSD officials added that the standardization of data definitions is something that they expect to accomplish in the near term, while standardizing data elements will take longer since it is a task that will be completed in conjunction with their development of a centralized sexual assault database. Further, OSD has not provided its own analysis of the military services' reports and programs, and we do not believe that it will be able to do so until it establishes performance measures with which it can assess program effectiveness. We believe that the format of the information provided in DOD's annual report to Congress continues to complicate the reader's ability to establish a comprehensive understanding of the department's sexual assault prevention and response programs. Our prior work shows that the usefulness of data ultimately depends on the degree of confidence that users have in the data being presented. Higher confidence can be achieved by providing key information about the data being reported, including efforts to validate data and the implications of the data limitations that have been identified.[Footnote 34] However, we believe the sexual assault incident data are not qualified at the outset of DOD's annual report to disclose that incident data may include an alleged sexual assault that occurred prior to the victim's or perpetrator's military service or outside of the year in which it was reported. Our prior work shows that standardized data with common definitions are critical to ensuring that comparable information from multiple sources is accurately represented.[Footnote 35] However, the military services' sections in the annual report contain similar but not comparable types of information. For example, the Army and Air Force structure their respective reports according to the category of program information, and the Navy and Marine Corps structure their report according to the responses received from program personnel involved in their sexual assault prevention and response initiatives. While we do not advocate for one military service's approach over another's, the dissimilar report formats make it difficult, if not impossible, to compare program efforts. OSD officials told us that they have taken initial steps to address some data inconsistencies by providing the military services with a data collection template to begin the process of standardizing the collection and reporting of sexual assault program information in DOD's fiscal year 2009 annual report to Congress. This is an important first step; however, it does not fully address our concerns in that the military services may still be reporting data that are based on different criteria. Further, while we recognize that the complete standardization of the type, amount, and format of the military services' data will be a significant undertaking, OSD will not be able to report consistent data on the status and condition of DOD's sexual assault prevention and response programs until these issues are resolved. Until OSD and the military services reach consensus on the data elements and begin disseminating the new data collection and reporting requirements to program personnel, DOD will continue to lack key information needed for oversight. DOD Has Yet to Establish a Centralized Sexual Assault Database: DOD has taken preliminary steps to implement a centralized, case-level sexual assault incident database. However, the database was not implemented by the statutorily mandated deadline of January 2010. Moreover, when the database will be implemented is uncertain because a reliable schedule to guide acquisition and implementation tasks and activities has yet to be developed. In addition, other key information technology management practices that are essential to successfully acquiring and implementing the database also remain to be accomplished. DOD officials agreed that these key practices need to be implemented; however, they have yet to develop plans or time frames for doing so. The National Defense Authorization Act for Fiscal Year 2009 required DOD to implement a centralized, case-level database for collecting and maintaining information on sexual assaults involving members of the Armed Forces, including information, if available, about the nature of the assault, the victim, the offender, and the outcome of any legal proceedings in connection with the assault.[Footnote 36] The law also required the Secretary of Defense to submit a concept plan for this database to Congress by January 2009 and to implement the database by January 2010. In response to these statutory requirements, the Under Secretary of Defense for Personnel and Readiness instructed the Sexual Assault Prevention and Response Office to develop the Defense Sexual Assault Incident Database. According to OSD officials, this database is to generate congressionally mandated annual reports, run ad hoc queries, track sexual assault victim support services, support program administration, meet program reporting requirements, and perform data analysis. Among other things, the database is also to ensure the privacy and restricted reporting options of victims. DOD Did Not Meet the Statutory Deadline for Implementing the Database, and It Does Not Have a Schedule with Reliable Time Frames for Doing So: DOD has established conceptual plans for acquiring and deploying a centralized sexual assault incident database. According to these plans, the database will be delivered in two increments, with the first increment consisting of four phases. (See table 2 for a description of the increments and phases.) However, these phases have not yet been decomposed into meaningful work tasks, activities, and events, including timeframes and resources needed to execute them. Moreover, other important practices associated with creating a reliable schedule of when and how these phases will be accomplished have yet to be satisfied. Specifically, our research has identified nine practices associated with developing and maintaining a reliable schedule.[Footnote 37] These practices are (1) capturing all key activities, (2) sequencing all key activities, (3) assigning resources to all key activities, (4) integrating all key activities horizontally and vertically, (5) establishing the duration of all key activities, (6) establishing the critical path for all key activities, (7) identifying float between key activities, (8) conducting a schedule risk analysis, and (9) updating the schedule using logic and durations to determine the dates for all key activities. According to program officials, the steps and associated time frames for the increments and phases identified in table 2 cannot be reliably determined until the development and implementation contractor is hired, which will not occur until sometime after March 31, 2010. This means that the program office currently lacks the necessary means by which to execute a system acquisition, gauge progress, identify and address potential problems, and promote accountability. Table 2: Summary of Increments and Phases for Acquiring DOD's Defense Sexual Assault Incident Database: Increment: 1; Phase: 1; Description: * Configure the database, and establish roles and permission lists, initial reporting, data entry/case management and interface development; * Present proof-of-concept to Congress to demonstrate that the database addresses initial reporting concerns. Increment: 1; Phase: 2; Description: * Develop reporting and data entry/case management requirements and successful interfaces between the database and the Air Force's Investigative Information Management System and Automated Military Justice Analysis and Management System; * Evolve proof-of-concept to include reporting, data entry/case management and interface development. Increment: 1; Phase: 3; Description: * Develop interfaces between the database and the Army's Sexual Assault Data Management System and the Marine Corps Sexual Assault Incident Reporting Database; * Provide proof-of-concept presentations for Congress regarding business management. Increment: 1; Phase: 4; Description: * Develop business management requirements and interfaces between the database and the Navy's Sexual Assault Victim Intervention, the Department of Navy's Criminal Justice Information System, and the Consolidated Law Enforcement Operations Center. Increment: 2; Description: * Expand data entry/case management functionality to address National Guard requirements; * Expand interfaces to capture any updates to military service- specific systems based on new data requirements; * Expand reporting functionality. Source: DOD. [End of table] In addition, DOD's current plans include a few general milestones. For example, OSD officials told us that the first phase of the initial increment was to have been achieved when they provided a "proof-of- concept" document to Congress in January 2010. However, this document has yet to be approved. Further, they stated that they intend to release a Request for Proposals for a database developer in the second quarter of fiscal year 2010. Based on these milestones and the absence of a reliable program schedule, DOD did not meet its legislative mandate to implement the database by January 2010, and when it will implement the database is uncertain. DOD's Success in Acquiring and Implementing the Database Depends on Its Use of Key Management Practices: OSD program officials stated that they received milestone approval in July 2009 from the milestone decision authority,[Footnote 38] the Acting Deputy Under Secretary of Defense for Program Integration, to conclude the Materiel Solution Analysis (previously Concept Refinement) phase and begin the Technology Development phase of DOD's acquisition system.[Footnote 39] Associated with this progression, DOD has taken steps to begin employing a number of key information technology acquisition management disciplines that are provided for in DOD and related guidance.[Footnote 40] Our research and evaluations of information technology programs across the federal government have shown that adhering to such disciplines is essential to delivering promised system capabilities and benefits on time and within budget. Among other things, these disciplines include assessing a program's overlap with and duplication of related programs through architecture compliance, justifying investment in the proposed system solution on the basis of reliable estimates of life cycle costs and benefits, effectively developing and managing system requirements, adequately testing system capabilities, and effectively managing program risks. However, DOD has yet to progress to the point that it can demonstrate that these disciplines have been fully implemented, as discussed below. Until it does, the chances of it successfully delivering the database are reduced. * Architectural alignment: DOD's guidance and other guidance[Footnote 41] recognize the importance of investing in business systems within the context of an enterprise architecture.[Footnote 42] Additionally, our experience in reviewing federal agencies has shown that making investments without the context of a well-defined enterprise architecture often results in systems that are, among other things, duplicative of other systems.[Footnote 43] Within DOD, the means for avoiding business system duplication and overlap is the department's process for assessing compliance with DOD's business enterprise architecture and its associated investment review and decision-making processes. DOD officials told us that the database was assessed for compliance with the business enterprise architecture and received investment review board approval as compliant in July 2009. However, a complete set of system-level architecture products needed to perform a thorough and meaningful compliance assessment are not yet available. As we have previously reported,[Footnote 44] architecture compliance is not a onetime event but rather a determination that needs to be made at key junctures in a system's acquisition life cycle. If it is not, unnecessary overlap and duplication with other systems, as well as system interoperability shortfalls, can occur. * Economic justification: Our prior work has shown that a reliable cost estimate is critical to informed investment decision making, realistic budget formulation and justification, program resourcing, meaningful progress measurement, proactive course correction, and accountability for results. Further, according to Office of Management and Budget (OMB) guidance,[Footnote 45] justifications for an investment should include an analysis of the investment's total life cycle cost.[Footnote 46] DOD developed a business case for the database in June 2009 that provides the department's proposal and justification for its database (i.e., system solution), and this business case includes a program cost estimate of $12.6 million. While the cost estimate was derived in accordance with some best practices identified in relevant cost estimating guidance, such as estimating software costs with a parametric tool that incorporates GAO cost estimating best practices and relying on the costs of analogous existing systems, it was not done in accordance with others.[Footnote 47] For example, it does not include all costs over the system's life cycle, and it has not been adjusted to account for program risks. More specifically, program officials stated that the $12.6 million does not include program office and management costs, relevant development costs (e.g., testing), or sustainment costs (i.e., operations and maintenance). OSD officials told us that they intend to develop a reliable cost estimate once the development contract is awarded. Without reliable estimates, a proposed system solution cannot be adequately justified on the basis of costs and benefits, and DOD may be at increased risk of experiencing cost overruns, schedule slippages, and performance shortfalls. Beyond not having a reliable cost estimate, DOD's business case does not comply with other OMB guidance.[Footnote 48] According to OMB, the economic analysis used to justify an investment should meet certain criteria to be considered reasonable, including comparing alternatives on the basis of net present value and conducting an uncertainty analysis of benefits. While the business case includes an explanation of why the database is needed, it does not address the costs and benefits associated with each of the four database alternatives that were considered (i.e., commercial-off-the-shelf case management system software product, custom-built system, enhancement of an existing military service system, or maintenance of the status quo). Moreover, the four alternatives were not assessed on the basis of net present value, including using the proper discount rate to account for inflation. Instead, only the selected alternative was evaluated quantitatively. Without a meaningful analysis of alternatives, DOD lacks sufficient assurance that it has selected the most cost- effective system solution. * Requirements development and management: Well-defined and well- managed requirements are the cornerstone of effective system development and acquisition.[Footnote 49] Effective requirements development and management includes, among other things, (1) effectively eliciting user needs early and continuously in the system life cycle process, (2) establishing a stable baseline set of requirements and placing the baseline under configuration management, (3) ensuring that system-level requirements can be traced back to higher-level business or operational requirements (e.g., concept of operations) and forward to system design documents (e.g., software requirements specification) and test plans, and (4) controlling changes to baseline requirements. DOD has begun to take steps to engage users in the development of requirements. For example, it formed a working group composed of representatives from each of the military services and the National Guard to develop high-level system requirements. Further, program officials stated that additional actions are planned or under way to reach agreement on system interfaces, which is important given that the database is to draw data from multiple systems to satisfy statutory requirements. They also said that users will be further involved in developing requirements. For example, DOD is working with the Air Force and National Guard to define more specific functional, performance, and data requirements, and has initiated discussions with the Army, Navy, and Marine Corps to do the same. In addition, program officials stated that once the high- level system requirements are baselined, the Change Control Board, comprising representatives from DOD and the user community, will be established to control changes to the baseline requirements. While these ongoing and planned actions are positive, they represent only the beginning of a series of actions that are associated with effectively defining and managing requirements over a system's acquisition life cycle. To the extent that this series of actions is not well detailed and implemented, the risk of the database not performing as intended, and costing more and taking longer to implement than necessary, is increased. * Test management: According to DOD and other relevant guidance, system testing should be progressive, meaning that it should consist of a series of test events that first focus on the performance of individual system components, then on the performance of integrated system components, followed by system-level tests that focus on whether the system (or major system increments) are acceptable, interoperable with related systems, and operationally suitable to users.[Footnote 50] Among other things, effective testing should ensure that (1) all test events are governed by a well-defined test management structure, (2) each test event is executed in accordance with well-defined plans, and (3) the results of each test event are captured and used to ensure that problems discovered are disclosed and corrected. Program officials stated that they plan to work with the development contractor to establish an effective test management structure, develop test plans, and capture and resolve problems found during testing. In addition, they plan to engage an independent test organization. However, DOD has not yet developed milestones for its testing plans or activities. Unless adequate testing is performed and key test management structures and controls are established, it is unlikely that the database will meet user expectations and mission needs, and the risk of it costing more and taking longer than planned is increased. * Risk management: Proactively managing program risks is a key acquisition management control that if done properly, can increase the chances of programs delivering promised capabilities and benefits on time and within budget. Relevant guidance, including DOD's Risk Management Guide for DOD Acquisition, recognizes the importance of conducting effective risk management.[Footnote 51] Among other things, effective risk management includes (1) establishing and implementing a written plan and defined process for risk identification, analysis, and mitigation; (2) assigning responsibility for managing risks to key stakeholders; (3) encouraging programwide participation in risk management; and (4) examining the status of identified risks during program milestone reviews. Program officials stated that they intend to document and implement a risk management strategy that is consistent with DOD's Risk Management Guide. To its credit, the program office has begun to identify key risks. For example, it cited identified risks related to (1) what officials believed to be an unattainable congressionally mandated database implementation date of January 2010; (2) staffing shortages that complicate the office's ability to develop and gain approval of a large number of key documents (e.g., privacy impact assessments, documentation required for investment reviews, and updates of relevant DOD instructions, etc.); (3) potential shortfalls in system development and maintenance funding issues; (4) limitations of the military services' systems, which are expected to provide data to DOD's database; and (5) the military services' competing priorities, which may jeopardize their support and involvement.[Footnote 52] However, they have yet to begin proactively managing these risks. Unless this is done, the risks could evolve into actual cost, schedule, and performance shortfalls. Coast Guard Has Partially Implemented One of Our Two Recommendations from 2008: The Coast Guard has partially implemented one of our recommendations from 2008 to further develop its sexual assault prevention and response program, but it has not addressed the other. To its credit, the Coast Guard conducted an assessment of its processes for staffing key program positions and has continued to develop, through a variety of initiatives, other components of its sexual assault prevention and response program. However, the Coast Guard has not addressed our recommendation to develop an oversight framework, and its program is challenged by the lack of a systematic process for collecting, documenting, and maintaining sexual assault data and by the lack of training for program coordinators. The Coast Guard Has Taken Steps to Implement One of Our Recommendations from 2008 and Has Continued Developing Its Programs: The Coast Guard has taken steps to implement our previous recommendation to evaluate its processes for staffing key program positions. As we previously reported, Coast Guard officials told us that its Sexual Assault Response Coordinators do not have the time to effectively implement a sexual assault prevention and response program. Thus we recommended that the Coast Guard evaluate its processes for staffing key program positions to ensure that they have the ability and resources to fully carry out their responsibilities. [Footnote 53] Coast Guard officials told us that current levels of full-time staffing continue to hinder their ability to appropriately implement various components of their sexual assault prevention and response program, adding that the continuity of care for victims is negatively affected since its coordinators do not possess the time or the training to provide consistent case management services. To address this, the Coast Guard, in June 2009 initiated an assessment of the current workload requirements and resource allocations for its Sexual Assault Response Coordinators. Officials told us that they plan to use the results of this assessment to determine whether the responsibilities of the position or associated resource levels need to be revised. Coast Guard officials also noted that the assessment is to be completed by December 2009, and that they hope to address any program recommendations within 2 years of the assessment's completion. While these are positive first steps, they do not fully address our findings and recommendation from 2008 because the Coast Guard has yet to complete its assessment and decide what, if any, program modifications it will make. The Coast Guard also established two new program positions in response to findings in our previous report. Specifically, in September 2008, the Coast Guard established a headquarters-level program manager position to oversee the management of, training for, and evaluation of its sexual assault prevention and response program. The Coast Guard also established a Sexual Assault Response Coordinator position at its academy to manage its sexual assault prevention and response program. While the Coast Guard is not generally subject to the departmental direction or statutory requirements that apply to DOD, it has developed an instruction that charges responsible personnel with establishing policies and procedures for its program.[Footnote 54] To the Coast Guard's credit, Coast Guard officials stated that they frequently leverage program information and materials obtained through their regular participation in OSD's Sexual Assault Advisory Council subcommittees and working groups and the military services' conferences and summits. For example, the Coast Guard recently modeled its victim advocate training after the Navy's curriculum, and it is revising its data collection requirements to mirror those of DOD. The Coast Guard is also modifying its sexual assault prevention and response program instruction to clarify its definition of sexual assault and revise its description of selected program positions to better reflect program responsibilities. Coast Guard officials stated that they plan to issue the revised instruction in spring 2010. The Coast Guard Has Not Implemented Our Second Recommendation from 2008, and Its Program Is Hindered by Accountability Issues: With respect to our second recommendation, the Coast Guard's efforts to establish a program oversight framework have been limited. Although the Coast Guard has identified broad program objectives, it has not addressed our recommendation to develop an oversight framework that provides comprehensive and specific guidance for operating its programs. Further, the Coast Guard's program lacks a systematic process for assembling, documenting, and maintaining sexual assault incident data, lacks quality control procedures to ensure that the program data being collected are reliable, and the Coast Guard has yet to complete the development and implementation of training for key program personnel. As a result, the Coast Guard's program development efforts continue to be hindered by its inability to evaluate program effectiveness, to accurately account for sexual assault incidents, to prioritize program initiatives, and to help ensure that program personnel are trained to properly execute their responsibilities. Coast Guard Has Not Developed an Oversight Framework: The Coast Guard has not developed an oversight framework to guide its program development and implementation, despite its concurrence with our August 2008 recommendation that it do so. Our prior work has demonstrated the importance of results-oriented performance measures to successful program oversight, and has shown that having an effective plan for implementing initiatives and measuring progress can help decision makers determine whether initiatives are achieving their desired result.[Footnote 55] As we previously reported, the Coast Guard was not able to fully evaluate the results achieved by its efforts, and thus we recommended that it develop an oversight framework that at a minimum includes long-term goals, objectives, and milestones; performance goals; strategies to be used to accomplish goals; and criteria for measuring progress.[Footnote 56] The Coast Guard revised its program instruction to clarify departmental oversight roles, and it has developed an action plan that broadly defines program goals, objectives, strategies, milestones, and criteria. However, based on our prior work on developing and enhancing program oversight, the Coast Guard's efforts do not sufficiently encompass the key components of an oversight framework. For example, the Coast Guard's action plan does not contain performance measures, nor does it identify how it plans to use the results of its program evaluations to revise its future program objectives. Furthermore, the strategies identified in its action plan are too vague to enable an assessment of whether they would help achieve program goals and objectives. For example, the Coast Guard's action plan includes as one of the long-term program objectives, "provide updated, consistent information on program reporting options and resources," and the corresponding strategy is simply, "purchase and distribute marketing materials to the field," without specifying how or when it plans to achieve this objective. Further, the Coast Guard has not correlated program objectives and strategies with its internal budget requests, which limits its ability to effectively allocate and account for program resources. As we noted previously, our prior work shows that having program plans clearly linked with budgets allows an organization to more explicitly guide budget discussions and can assist program management by connecting total resources consumed with actual results achieved.[Footnote 57] Thus, we continue to believe that our recommendation has merit, and that the Coast Guard will remain limited in its ability to manage and evaluate its sexual assault prevention and response program until it develops and implements an oversight framework. Coast Guard Does Not Have a Systematic Process to Collect, Document, and Maintain Sexual Assault Incident Information: The Coast Guard does not have a systematic process to collect, document, and maintain its sexual assault data and related program information. The Coast Guard's instruction charges responsible program personnel with establishing a reporting system to evaluate statistical data related to sexual assault incidents, maintaining records to identify victims and track services provided, and providing oversight of quality assurance review processes to ensure the provision of quality services.[Footnote 58] Additionally, our prior work has shown that organizations striving to meet program goals must have information systems in place to meet the modern need for fast, reliable, and accurate information.[Footnote 59] However, the Coast Guard's sexual assault program does not currently have a systematic process to collect, document, and maintain its sexual assault incident data. One individual maintains a hard copy log, informed by reports from coordinators in the field, and if necessary, may call these coordinators to get additional information. At the conclusion of our review, Coast Guard officials told us that they are in the process of developing a prototype to enable personnel to electronically manage sexual assault cases, and that they expect to conduct an assessment of prototype capabilities in early 2010. However, until the Coast Guard establishes a systematic process for the collection, documentation, and maintenance of these data, it will be challenged in its ability to efficiently retrieve data and its visibility over sexual assault incidents will remain limited. Additionally, the Coast Guard has not instituted quality control processes to ensure the reliability of the sexual assault incident and program data being collected. Our prior work has highlighted the importance of organizations assessing the quality of their program data and ensuring that these data are complete and reliable.[Footnote 60] However, the Coast Guard has not established a process to periodically assess the sufficiency of the program information it collects. For example, Coast Guard officials noted that in fiscal year 2008, the Coast Guard Investigative Service, in the course of its investigations, documented 78 reports of sexual assault, while Coast Guard Headquarters, using the hard copy log of reports from its coordinators, had documented only 30. Further, the Coast Guard's sexual assault prevention and response instruction requires that commanding officers "ensure completion of mandatory annual training on sexual assault prevention by all unit personnel." However, officials told us that the current system used to track training is designed to report training compliance at the unit level, and while individual training compliance can be discerned, the process to do so is overly cumbersome. As a result, this practice complicates the Coast Guard's ability to oversee whether personnel are completing their required training. Officials added that unit compliance with training is assessed during inspections that occur every 2 to 3 years, and the responsible command is notified if any problems are identified. Further, Coast Guard officials told us that while there is no systematic process for following up on the findings from these inspections, they are confident that the issues are taken seriously and appropriately addressed. However, we believe that until the Coast Guard establishes a systematic process to assess the quality and reliability of its data, it cannot be sure that the information it collects is relevant to and sufficient for the achievement of its program goals. The Coast Guard Has Not Trained Its Program Coordinators: The Coast Guard recently developed and is starting to conduct training for its victim advocates however, it has not provided training for its Sexual Assault Response Coordinators--the personnel who manage the victim advocates. The Coast Guard's instruction requires that all Coast Guard Sexual Assault Response Coordinators be trained to perform relevant duties, and prohibits them from accepting a restricted sexual assault report until the training has been completed. However, Coast Guard officials stated that they have not developed a curriculum or implemented training for the Coast Guard's 16 Sexual Assault Response Coordinators, because, alternatively, they were developing and implementing a training curriculum for victim advocates. Coast Guard officials initially told us that it would likely take up to 2 years to develop a formalized curriculum for Coast Guard Sexual Assault Response Coordinators, but that in the meantime, they have scheduled a training session for coordinators in January 2010 to review policy revisions and reporting processes. At the conclusion of our review, Coast Guard officials stated that they have since updated their plans to train Sexual Assault Response Coordinators, noting that they plan to complete a formalized curriculum by May 2010 and have scheduled training for the Coordinators during the week of May 4, 2010. However, until such training is administered, Sexual Assault Response Coordinators will lack formalized Coast Guard sexual assault prevention and response training, and according to Coast Guard officials, they will rely instead only on the general mandated training provided to all personnel, their own professional experience, and their interpretation of the Coast Guard's sexual assault prevention and response policy. Additionally, the Coast Guard's Sexual Assault Program Manager plans to travel to Coast Guard installations throughout the country to administer annual victim advocate training, which will eventually be administered by coordinators. However, this may not be the most effective use of resources, as the training could be administered by trained Sexual Assault Response Coordinators. Until a formal curriculum is developed and implemented, the Coast Guard cannot be sure that it has effectively imparted program responsibilities and requirements to its Sexual Assault Response Coordinators. Conclusions: Since the release of our August 2008 report, DOD has taken a number of positive steps toward addressing our recommendations to further strengthen its sexual assault prevention and response programs and to develop the statutorily mandated sexual assault incident database. Additionally, each service has proactively developed and implemented a variety of initiatives--beyond what we recommended--to increase program awareness and to improve prevention of and response to occurrences of sexual assault. While such progress is noteworthy, DOD's efforts have not fully established a sound management framework, which must build upon the foundation of a comprehensive strategic framework that guides program development and implementation. Without such a foundation, DOD's programs lack the institutional support, long- term perspective, and clear lines of accountability that are needed to withstand the administrative, fiscal, and political pressures that confront federal programs on a daily basis. Until OSD finalizes and fully implements its oversight framework and strategic plans, it will continue to lack the ability to synergize its prevention and response initiatives, and it may not be able to effect the change in military culture that is needed to ensure that programs are institutionalized. Additionally, successful implementation of the oversight framework will require the personal involvement of top DOD leadership to maintain the long-term focus on and accountability for program objectives. While the Coast Guard is not generally subject to the departmental program direction or statutory requirements that apply to DOD, it continues to proactively develop its sexual assault prevention and response program. The Coast Guard has, however, experienced challenges similar to those of DOD because it lacks the long-term strategic perspective needed to structure its program development and implementation. Until the Coast Guard develops an oversight framework that includes specific management improvement steps, key milestones, and performance measures, it will be unable to accurately demonstrate that its programs are achieving its goals of establishing a culture of prevention, sensitive response, and accountability. Further, the Coast Guard may not be able to demonstrate that program elements, such as its sexual assault prevention and response training, are being implemented in a manner that most effectively ensures its achievement of program goals. Recommendations for Executive Action: We recommend that the Secretary of Defense take the following 10 actions: * To improve the management, strategic planning, and comprehensiveness of OSD's oversight of the department's sexual assault prevention and response programs, direct the Under Secretary of Defense for Personnel and Readiness to strengthen OSD's oversight framework by: - identifying how the results of performance assessments will be used to guide the development of future program initiatives, - identifying how OSD's program resources correlate to its achievement of strategic program objectives, and: - correlating its oversight framework to the program's two strategic plans so that program objectives, timelines, and strategies for achieving objectives are synchronized. * To enhance visibility over the incidence of sexual assaults involving DOD servicemembers, the department's sexual assault prevention and response programs, and the pending implementation of the Defense Sexual Assault Incident Database, direct the Under Secretary of Defense for Personnel and Readiness to standardize the type, amount, and format of the data in the military services' annual report submissions. * To enhance the oversight of the sexual assault prevention and response program in DOD, direct the Under Secretary of Defense for Personnel and Readiness to ensure that the development and implementation of the Defense Sexual Assault Incident Database includes adherence to the following key system development and acquisition management processes and controls: - developing a reliable integrated master schedule that addresses the nine key practices discussed in this report, - adequately assessing the program's overlap with and duplication of related programs through architecture compliance, - adequately justifying investment in the proposed approach on the basis of reliable estimates of life cycle costs and benefits, - effectively developing and managing system requirements, - adequately testing system capabilities, and: - effectively managing program risks. We are recommending that the Commandant of the Coast Guard take the following three actions: * To improve the oversight and accountability of the Coast Guard's sexual assault prevention and response program: - establish a systematic process for collecting, documenting, and maintaining sexual assault incidence data, and: - establish quality control processes to ensure that program information collected is valid and reliable. * To improve execution of sexual assault prevention and response programs, we recommend that the Commandant of the Coast Guard establish and administer a curriculum for all key program personnel to ensure that they can provide proper advice to Coast Guard personnel. Agency Comments and Our Evaluation: In written comments on a draft of this report, both DOD and the Coast Guard concurred with all of our recommendations. DOD noted in its comments that our report contained technical inaccuracies, which we addressed where appropriate, based on the technical comments received from both DOD and the Coast Guard. Further, DOD asserted that the report also contained misstatements that improperly diminished the department's efforts to address our recommendations. We believe that our report accurately represents DOD's progress to address our recommendations from 2008. DOD's comments are reprinted in appendix II, and the Coast Guard's comments are reprinted in appendix III. In concurring with our recommendations aimed at improving the management, strategic planning, and comprehensiveness of OSD's oversight of the department's sexual assault prevention and response programs--including that OSD should strengthen its oversight framework by (1) identifying how the results of performance assessments will be used to guide the development of future program initiatives, (2) identifying how OSD's program resources correlate with its achievement of strategic program objectives, and (3) correlating its oversight framework with the program's two strategic plans--DOD commented that several efforts are underway or are planned to address these issues. For example, DOD stated that in the early part of 2010, it will have a plan in place that details how it will track its progress toward the performance objectives laid out in the DOD-wide strategic plan, and it will develop a procedure to report back on progress toward objectives and any needed corrective steps. DOD also stated that starting with the 2012 budget cycle, OSD plans to align its budget categories with specific performance objectives laid out in its strategic plan. Further, DOD noted that the process it plans to use to track its progress toward performance objectives will also allow the department to synchronize the objectives, timelines, and strategies of its two strategic plans. We commend DOD for taking immediate steps in response to our recommendations, and encourage the department to continue taking positive actions toward fully implementing them. In its concurrence with our recommendation that the department standardize the type, amount, and format of the data in the military services' annual report submissions, DOD acknowledged that achieving uniformity among the military services for all required data elements will greatly enhance its oversight capabilities. DOD added that it recently established definitions for case disposition data and developed a standardized program report template, and that both are being used by the military services to compile their respective data for the department's fiscal year 2009 report on sexual assault in the military services. DOD stated that the comprehensive process of linking all of its data elements will ultimately be accomplished through its development of the Defense Sexual Assault Incident Database. Our report credits DOD with taking initial steps toward developing standardized data elements and definitions, and acknowledges the data template it developed and is using to collect a more standardized set of data from the military services for the department's fiscal year 2009 annual report to Congress. However, as we noted in our report, OSD officials stated that full standardization of data elements and definitions will not be achieved until it implements the Defense Sexual Assault Incident Database--for which DOD does not currently have a reliable implementation schedule. While we recognize that this will be a complex and time-consuming task, we continue to assert that the full establishment and implementation of standardized data elements and definitions will facilitate a more comprehensive understanding of DOD's sexual assault prevention and response programs. In concurring with our recommendation to develop a reliable integrated master schedule for the Defense Sexual Assault Incident Database, DOD stated that it will give priority to doing so, and will follow GAO schedule estimating guidance. However, it added that while the department has thus far developed schedules that it characterized as capturing broader scope key activities, it would not be able to capture key schedule activities or estimate a timeframe for identifying key activities that are fundamental to developing a reliable schedule until it acquired the assistance of the system development contractor. DOD noted that this is because only the contractor will know the steps and time required to adopt proprietary materials to DOD's requirements for the database. We understand the role that the development contractor plays in developing a reliable integrated master schedule, which is why our recommendation does not specify a timeframe for developing the schedule, and thus allows DOD to first acquire a contractor's services. Further, while we agree with the department's comment that our report does not include an assessment of the viability of a 15-month deadline contained in statute[Footnote 61] for the database's design, acquisition, and implementation, we note that we told program officials during the course of our review that such an assessment was not part of the scope of our work because the 15-month deadline was a statutory requirement rather than a DOD schedule-driven milestone. In concurring with our recommendation to adequately assess the program's overlap with related programs through architecture compliance, the department stated that it acknowledges the benefits derived from doing so. It added, however, that our report inaccurately asserts that DOD has not complied with DOD guidance governing architecture compliance by stating that a complete set of system-level architecture products are not yet available to perform a thorough architecture compliance assessment. In this regard, it stated that DOD guidance does not call for the development of system-level architecture products until the Technology Development Phase in the Defense Acquisition System. We agree with the department's comment as to the timing of system-level architecture products, which is why we do not conclude that DOD has not assessed architecture compliance. As stated in this report, architecture compliance is not a onetime event but rather a determination that needs to be made at key junctures in a system's acquisition life cycle. Thus, the intent of our statement and our recommendation is to emphasize the importance of conducting compliance activities once a complete set of system-level architecture products is available. In concurring with our recommendation to adequately justify investment in the proposed database approach on the basis of reliable estimates of life cycle costs and benefits, the department stated that it agreed that the cost estimate in the existing business case does not account for all life cycle costs and risks. However, it added that DOD guidance does not require comprehensive cost estimates in the business case and that the cost estimate in the business case was derived using cost estimating best practices. While we agree that DOD guidance does not explicitly state that business case cost estimates must be comprehensive, both DOD guidance and OMB guidance state that these cost estimates should include all costs over the system's life cycle, which is a recognized best practice. Further, while the cost estimate was derived in accordance with some cost estimating best practices, such as estimating software costs with a parametric tool and relying on the costs of analogous existing systems, it was not done in accordance with others. For example, it was not risk adjusted. Further the business case did not include a comparison of alternatives on the basis of net present value. In concurring with our recommendation to effectively develop and manage system requirements, DOD noted that it has continued to work with the military services in developing system requirements and that its progress in doing so is much greater than our report states. It also noted that since the database was legislated, Congress expanded its annual sexual assault reporting requirements, which in turn necessitated additional requirements development work with stakeholders. Further, it stated that it will institute a Change Control Board, which is a key requirements management control mechanism, and is using a range of system life cycle management tools that support requirements development and management. We support DOD's continued efforts to work with stakeholders to further develop requirements and capture them in a range of requirements documents, as such efforts are consistent with our recommendation. Also consistent with our recommendation are its plans to institute a Change Control Board and use relevant requirements-related tools. In concurring with our recommendation to adequately test system capabilities, DOD stated that our report does not sufficiently describe its efforts to develop a detailed test plan defining the program's testing approach and strategy, including the entrance and exit criteria for each testing phase. We agree that our report does not cite the development of this plan because no such plan was provided to us as part of the documentation set submitted for the database's milestone acquisition approval, nor were we made aware of the existence of such a plan. Moreover, program officials told us that a test plan would be developed after the contractor was hired, and DOD's comments on our draft report acknowledge that a final test plan has yet to be created. In concurring with our recommendation to effectively manage program risks, DOD noted that our statement that risk management has yet to begin is incorrect because key risks have been identified. We agree that risk identification, which is the first step in risk management, has begun, as our report recognizes. We also agree that the statement in our draft report that risk management has yet to begin is not consistent with its recognition of these risk identification efforts. As a result, we have modified the report to note that many aspects of risk management have yet to begin, which DOD also states in its comments on our draft report. The Coast Guard also concurred with our recommendations aimed at improving the oversight, accountability, and execution of its sexual assault prevention and response programs, including (1) establishing a systematic process for collecting, documenting, and maintaining sexual assault incidence data; (2) establishing quality control processes to ensure that program information collected is valid and reliable; and (3) establishing and administering a curriculum for all key program personnel to ensure that they can provide proper advice to Coast Guard personnel. In commenting on our draft report, the Coast Guard noted that it has several initiatives underway to continue developing its sexual assault prevention and response program. For example, the Coast Guard stated that an electronic database to track sexual assault reports is in the prototype development phase, and based on current progress, it expects to complete the database in 2010. Further, the Coast Guard noted that it has completed an assessment of workload requirements and resource allocations for its Sexual Assault Response Coordinators, and upon release of the final report, the Coast Guard plans to review and analyze the recommendations and, as appropriate, incorporate additional resource requirements into its annual budget process. We commend the Coast Guard for the steps it has taken and its plans for further developing its sexual assault prevention and response program, and we encourage the service to continue taking positive actions toward fully implementing our recommendations. As agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution until thirty days from the report date. At that time, we will send copies to interested members of Congress; the Secretaries of Defense, Homeland Security, the Army, the Navy, and the Air Force; the Commandant of the Marine Corps; and the Commandant of the Coast Guard. The report also will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions concerning this report, please contact Brenda Farrell at (202) 512-3604 or farrellb@gao.gov or Randolph Hite at (202) 512-3439 or hiter@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix IV. Sincerely yours, Signed by: Brenda S. Farrell: Director, Defense Capabilities and Management: Signed by: Randolph C. Hite: Director, Information Technology Architecture and Systems: [End of section] Appendix I: Scope and Methodology: To determine the extent to which the Department of Defense (DOD) has taken steps to address our previous recommendations in GAO-08-924 regarding programs to prevent and respond to sexual assault, we reviewed relevant statutory requirements and obtained and analyzed DOD's policies, guidance, and procedures for the prevention of and response to sexual assault incidents. We also interviewed officials in DOD, the Army, the Air Force, the Navy, the Marine Corps, and the Defense Task Force on Sexual Assault in the Military Services to gain a comprehensive understanding of their efforts to address our previous recommendations. We also obtained and analyzed the Office of the Secretary of Defense's (OSD) strategic plans and draft oversight framework for the department's sexual assault prevention and response efforts to determine whether they contained the elements necessary for effective program implementation. In addition, we obtained and analyzed DOD's annual reports to Congress on sexual assault in the military services for fiscal years 2007 and 2008 to assess the extent to which OSD addressed our recommendation to improve the usefulness of DOD's annual report. To determine the extent to which DOD has taken steps to address a statutory requirement to establish a centralized, case-level sexual assault incident database, we reviewed statutory provisions related to DOD's process for collecting and maintaining sexual assault data. We also interviewed DOD officials to obtain information on the department's efforts to establish the database; reviewed documentation related to database development; and compared this documentation to relevant DOD, federal, GAO, and industry guidance. To determine the extent to which the U.S. Coast Guard has taken steps to address our previous recommendations regarding policies and programs to prevent and respond to sexual assault, we identified relevant legislative requirements and obtained and analyzed the Coast Guard's policies, guidance, and procedures for the prevention of and response to sexual assault incidents. We also interviewed Coast Guard officials to gain a comprehensive understanding of their efforts to address our previous recommendations. We also obtained and analyzed the Coast Guard's action plan for sexual assault prevention and response to determine the extent to which it consisted of the elements that we recommended be included in an oversight framework. We visited or contacted the following organizations during our review: Department of Defense: * Defense Task Force on Sexual Assault in the Military Services, Alexandria, Virginia: * Sexual Assault Prevention and Response Office, Arlington, Virginia: * Office of the Assistant Secretary of Defense for Health Affairs, Falls Church, Virginia: - Defense Center of Excellence for Psychological Health and Traumatic Brain Injury, Rosslyn, Virginia: Office of the Chairman, Joint Chiefs of Staff: * J-1, Manpower and Personnel, Washington, D.C. Department of the Army: * Sexual Harassment/Assault Response and Prevention Program Office, Washington, D.C. Department of the Air Force: * Office of the Assistant Secretary (Manpower and Reserve Affairs), Washington, D.C. - Office of the Deputy Assistant Secretary (Force Management Integration), Washington, D.C. * Deputy Chief of Staff for Manpower, Personnel and Services, Washington, D.C. - Sexual Assault Prevention and Response Program Office, Washington, D.C. Department of the Navy: * Sexual Assault Prevention and Response Office, Washington, D.C. United States Marine Corps: * Manpower and Reserve Affairs: - Sexual Assault Prevention and Response Office, Quantico, Virginia: U.S. Coast Guard: * Health, Safety and Work-Life Directorate, Office of Work-Life, Washington, D.C. We conducted this performance audit from February 2009 through February 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Comments from the Department of Defense: Office Of The Under Secretary Of Defense: Personnel And Readiness: 4000 Defense Pentagon: Washington, D.C. 20301-4000: January 8, 2010: Ms. Brenda S. Farrell: Director, Defense Capabilities and Management: U.S. Government Accountability Office: 441 G Street, N.W. Washington, DC 20548: Dear Ms. Farrell: I appreciate the opportunity to respond to the General Accountability Office's proposed report, Military Personnel: Additional Actions are Needed to Strengthen DoD's and the Coast Guard's Sexual Assault Prevention and Response Programs (GAO-10215). The attached comments will pertain only to the sections identified for DoD action. The report recognized the progress the Department has made in the few months since the GAO published its prior report on the Sexual Assault Prevention and Response (SAPR) Program in August 2008. As the GAO noted in both this and the prior report, the Department has invested considerable time, attention, and resources to assist victims, prevent sexual assault, and implement this very important program. The Department concurs with all GAO recommendations. We acknowledge that this report comes only 16 months after the 2008 report on the same topic was issued. Despite the very short time between reports, the Department was able to fully implement four of the nine original recommendations. Given sufficient time, the Department will demonstrate further progress by implementing the remaining recommendations. Notwithstanding the Department's agreement with all recommendations, the present report contains technical inaccuracies and misstatements that improperly diminish the Department's considerable efforts to implement the five remaining GAO recommendations. The attached comments more comprehensively summarize the Department's work in these areas. There were 13 technical corrections noted by DoD, including the Air Force and Navy, that were forwarded separately to the GAO staff. Again, the opportunity to clarify the Department's progress is appreciated. As you know, my point of contact is Kaye Whitley, Director, SAPRO. She may be reached at 703-696-9422. Sincerely, Signed by: Gail H. McGinn: Deputy Under Secretary of Defense (Plans): Performing the Duties of the Under Secretary of Defense (Personnel and Readiness): Enclosure: As stated: [End of letter] GAO Draft Report Dated December 8, 2009 GAO-10-215 (GAO Code 351324): "Military Personnel: Additional Actions Are Needed To Strengthen DOD's And The Coast Guard's Sexual Assault Prevention And Response Programs" Department Of Defense Comments To The GAO Recommendations: Introduction And Clarification: The Department concurs with all GAO recommendations. Despite the Department's agreement with all recommendations, the present report contains technical inaccuracies and misstatements. The Department's corrections are included in Tab B. However, the GAO Report text indicates some confusion about the relationship between the three documents mentioned here: Oversight Framework, DoD-Wide Strategic Plan, and SAPRO Strategic Plan. As an initial clarification, the unique role played by each document is laid out below: Oversight Framework for Sexual Assault Prevention and Response: Purpose: Lay out roadmap to institutionalize the oversight activity. This document lays out the oversight process for the entire Department to implement over a three-year timeframe, with SAPRO taking the lead responsibility. Department of Defense-Wide Sexual Assault Prevention and Response Strategic Plan: Purpose: Relate SAPRO and Service activities to the five DoD-wide strategic SAPR priorities. This document provides an overview of the connection between SAPRO and Service goals and objectives and each of the five strategic SAPR priorities. OSD-SAPRO Strategic Plan: Purpose: Connect detailed SAPRO-specific activities to DoD-wide SAPR priorities. Building off of the contents of the DoD-wide strategic plan, the SAPRO strategic plan goes to the next level of detail needed for the office to develop and track performance objectives. The two strategic plans are considered "living documents" in that they will be reviewed annually to consider modification. The Oversight Framework will be implemented during the coming three years, with progress toward the implementation tracked as part of the SAPRO strategic plan. Response To Recommendations: Recommendation 1: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Personnel and Readiness to strengthen OSD's oversight framework by identifying how the results of performance assessments will be used to guide the development of future program initiatives. DOD Response: Concur: As noted in the GAO Report, OSD and the Services have efforts underway to measure the activities outlined in the DoD-wide strategic plan as well as the SAPRO strategic plan. Once those measures and performance objectives are clarified, SAPRO is reviewing several different options for tracking progress against objectives. For example, the Executive Secretariat uses an online tracking system to follow performance objectives listed in the Personnel and Readiness strategic plan as well as to track progress on mandates and recommendations related to the Wounded, Ill and Injured. SAPRO is considering the adoption of a similar system. Early in 2010, SAPRO will have a plan in place for how SAPRO will track progress toward performance objectives laid out in the DoD-wide strategic plan. The system will allow for revisions to the tracked objectives as they may need to be revised following an annual review. In addition, SAPRO will develop a procedure to report back on progress toward objectives, and any needed corrective steps. Recommendation 2: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Personnel and Readiness to strengthen OSD's oversight framework by identifying how OSD's program resources correlate to its achievement of strategic program objectives. DOD Response: Concur: In the past, SAPRO has aligned its budget categories with the broad categories of activities pursued by the Office. (The Services separately budget for their implementation efforts.) With upcoming budget cycles (starting with 2012), building off the new strategic plan, SAPRO will align its budget categories with specific performance objectives laid out in the plan. Spending plans for the year will connect activities and resources, and periodic reviews will take place to ensure these spending plans are tracking with the activities needed to ensure achievement of performance objectives. Recommendation 3: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Personnel and Readiness to strengthen OSD's oversight framework by correlating its oversight framework to the program's two strategic plans so that program objectives, timelines, and strategies for achieving objectives are synchronized. DOD Response: Concur: See response to Recommendation 1. The online tracking procedure will allow SAPRO to coordinate the synchronization of objectives, timelines, and strategies laid out in the DoD-wide strategic plan and the SAPRO strategic plan. As clarification, in referring to the Framework document, the GAO report mentions "nine objective-like elements as 'future state improvement opportunities.'" These framework elements are intentionally not directly tied to the program objectives laid out in the DoD-wide and SAPRO strategic plans. The elements are what will be used as guides in forming and instituting the framework process. They will not be tied to a timeframe laid out in the strategic plans; that is, once in place, the elements will be enduring guidelines for how oversight will be done. In contrast, the two strategic plans have objectives-—tied to specific program needs--which will by definition evolve over time as needed. Recommendation 4: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Personnel and Readiness to standardize the type, amount, and format of the data in military services' existing report submissions. (p. 43/GAO Draft Report) DOD Response: Concur: DoD believes that comprehensive data collection and analysis is vital to policy analysis and program implementation. DoD also agrees that achieving uniformity among the Services for all required data elements will greatly enhance its oversight capabilities, and is poised to continue the cross-Service data standardization process. DoD currently requires the Services to use the newly-established case disposition data definitions in their collection and reporting of SAPR data, and is providing technical assistance as needed to increase the reliability of the provided data. The FY09 Annual Report Data Call also required these additional data points to be provided to DoD in support of its Annual Report to Congress on Sexual Assault in the Military. DoD revised its FY09 Data Call to include standardized program report templates, which will enable SAPRO to more effectively analyze the Services' reports and increase the amount of comparable information they contain. The FY09 Data Call also provided revised and standardized quantitative data collection templates that include the new disposition data definitions agreed to by SAPRO and the Services, as well as a refined reporting matrix for case synopses that more clearly defines the data that they must provide and the format they must use. SAPRO is also officially requiring that Service data and information should only be reported to SAPRO after the Services coordinate with their respective Judge Advocate General for verification, completeness and explanations, as appropriate. Achieving complete data uniformity among the Services for all reported information will greatly enhance DoD's oversight capabilities, and this comprehensive data element linkage process will ultimately be accomplished through the development of the Defense Sexual Assault Incident Database. In support of this Department-wide initiative, SAPRO has conferred with DoD IG on the need to define remaining investigative process terms to ensure data uniformity across the Services as currently provided in existing report submissions and as reported through DSAID in the future. Recommendation 5: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Personnel and Readiness to ensure that the development and implementation of the Defense Sexual Assault Incident Database includes adherence to key system development and acquisition management processes and controls including developing a reliable integrated master schedule that addresses the nine key practices discussed in the report. (p. 44/GAO Draft Report) DOD Response: Concur: The Department is committed to the timely and lawful development of the Defense Sexual Assault Incident Database (DSAID). The Department will follow the proffered GAO guidance and prioritize the development of a reliable, integrated master schedule for the Defense Sexual Assault Incident Database (DSAID) deployment. The first practice the GAO associates with developing and maintaining a reliable schedule is "capturing all key activities." As noted in the report, the Department has made efforts to develop schedules to capture broader scope key activities that support individual policy, requirements, and acquisition tasks with available information. Unfortunately, the Department cannot capture key activities or even estimate a timeframe for identifying key activities associated with development and implementation without the assistance of the system developer. While GAO guidance identifies estimation methods, only the developer will know the steps and time required to adapt their proprietary materials to meet DSAID system requirements and functionality. At this time, the goal of schedule reliability cannot be attained without the developer's assistance. The Request for Proposal for a DSAID developer is scheduled for release early in the second quarter of FY10. This process is constrained by Federal contracting law[Footnote 62] and cannot be further expedited. Through the acquisition process, the Department has been able to validate the system deployment steps cited in the GAO report (p 28). However, contracting specialists have advised that, again, only the developer can ascribe a time and order to those steps. Notably missing from the GAO report was an assessment of the viability of a fifteen-month deadline for data system design, acquisition and implementation that takes into account the GAO's thorough planning guidance, Departmental policy requirements, and Federal contracting law. A complete DSAID integrated master schedule will be created once a contract for development is awarded and a technical solution is identified. This schedule will not only integrate GAO guidance but also leverage the technical expertise of the developer. Recommendation 6: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Personnel and Readiness to ensure that the development and implementation of the Defense Sexual Assault Incident Database includes adherence to key system development and acquisition management processes and controls including adequately assessing the program's overlap with and duplication of related programs through architecture compliance. DOD Response: Concur: The Department acknowledges the benefits derived from assessing DSAID's integration with extant DoD systems. As noted by the GAO, "...architecture compliance is not a "one time" event but rather a determination that needs to be made at key junctures in a system's acquisition life cycle." In the Department, these "key junctures" are known as Milestone A (entry into the Technology Development Phase) Milestone B (entry into the Engineering and Manufacturing Development Phase also known as "Program Initiation",), and Milestone C (entry into the Production and Deployment Phase). As documented by the GAO, DSAID obtained Milestone A approval in July 2009. The OV-1, High Level Operational Concept Graphic, OV-5a, Operational Activity Model, and SV- 4, Systems Functionality Description, constitute the three enterprise architecture documents required for Milestone A approval. These three documents were included in the approved package. The GAO further notes, "...a complete set of system-level architecture products needed to perform a thorough and meaningful compliance assessment are not yet available." As written, this statement inaccurately asserts that the Department has somehow failed to comply with enterprise architecture requirements. This is not the case. According to DoD Instruction 5000.02, Operation of Defense Acquisition System, the "system-level" enterprise architecture products desired by GAO are developed during the Technology Development Phase and are required for a favorable Milestone B approval. The Department is currently evaluating DSAID's placement in its architecture and is producing the documentation required for Milestone B approval. The GAO is welcome to review all future architecture documents once the Milestone Decision Authority approves them. Recommendation 7: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Personnel and Readiness to ensure that the development and implementation of the Defense Sexual Assault Incident Database includes adherence to key system development and acquisition management processes and controls including adequately justifying investment in the proposed approach on the basis of reliable estimates of life-cycle costs and benefits. DOD Response: Concur: The Department agrees and must justify its investment in the proposed approach for DSAID as part of the acquisition process. In the report, GAO notes, "DOD developed a business case for the database in June 2009...and this business case includes a program cost estimate of $12.6 million. However, the cost estimate is not reliable because it was not derived in accordance with the best practices identified in relevant cost estimating guidance. For example, it does not include all costs over the system's life-cycle, and it has not been adjusted to account for program risks." The Department agrees that the cost estimate in the business case did not account for all life-cycle costs and risks. However, DoD Instruction 5000.02, Operation of Defense Acquisition System, does not require comprehensive cost estimates in the business case. The Department contends that best practices in cost estimation were indeed used to produce the cost estimate in the business case submitted for Milestone A. The cost estimate relied on vendor input, the costs of analogous existing systems, and SEER for Software (SEER- SEMTm) by Galorath Incorporated. It was through the SEER-SEMTm software that the GAO Cost Estimating and Assessment Guidelines were applied in the development of the cost estimate. Moreover, Dan Galorath, of Galorath Incorporated was an expert used in developing the GAO Cost Estimate and Assessment Guide.[Footnote 63] The Department of Defense Manual on Cost Analysis Guidance and Procedures and the Society of Cost Estimating and Analysis' principles were also used in the development of the cost estimate. The GAO Report further states, "OSD officials told us that they intend to develop a reliable cost estimate once the development contract is awarded." While this is an accurate statement, it does not capture the work accomplished to date to satisfy the requirements of the acquisition process. Since the cost estimate was developed for Milestone A, the cost estimate was updated to facilitate assessment of proposals from prospective developers. Cost estimates have been refined to include risk, additional Congressional requirements, Operations and Maintenance (O&M), and testing. However, full O&M costs cannot be estimated until a technical solution is selected. Recommendation 8: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Personnel and Readiness to ensure that the development and implementation of the Defense Sexual Assault Incident Database includes adherence to key system development and acquisition management processes and controls including effectively developing and managing system requirements. DOD Response: Concur: The Department agrees that a Requirements Management Plan is a best practice[Footnote 64] that has been employed in DSAID development. As acknowledged in the report, the Department has "begun to take steps to engage users in the development of requirements for DSAID." However, Department progress in this area is much greater than what is inferred in the report. GAO's summary did not capture that the Department has continued work with the Army, Marine Corps, Navy, Air Force, and National Guard to develop system requirements. Specifically, the Department has completed development of data element requirements/attributes, usage, and definitions for a comprehensive DSAID baseline covering Victim Case Management; Incident information; Subject Demographics; Subject Disposition; and SAPR Program Administration data. This information is captured in the following documents: Requirements Package Overview and Supplemental Requirements; * Use Case Models and Use Case documents; * Report and Ad-Hoc Queries Specification; * Air Force Systems Interface Mapping Data; * Army Systems Interface Mapping Data; and; * Department of Navy Systems Interface Mapping Data. Additionally, interface mapping activities have been completed for the Air Force and National Guard and considerable progress has been made with the Army, Marine Corps and the Navy. It should be noted that since the database was legislated, Congress expanded its annual reporting requirements, necessitating additional work with stakeholders. Once these high-level system requirements are baselined, the Department will institute a Change Control Board (CCB) to manage emerging DSAID requirements to ensure they are appropriately addressed. In addition, the requirements and development efforts are being managed within a suite of tools that provide consistency in products and allow for better control of requested changes to baseline requirements and/or system development. Specifically, the tools provide: * life cycle management and control of software development assets; * tracking of defects and changes; * centralized control of test activity management, execution, and reporting; and; * management of the requirements and documentation of the software development process from start to finish. Recommendation 9: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Personnel and Readiness to ensure that the development and implementation of the Defense Sexual Assault Incident Database includes adherence to key system development and acquisition management processes and controls including adequately testing system capabilities. DOD Response: Concur: However, the GAO's synopsis does not sufficiently describe the Department's progress in this area and omitted mention of the detailed test plan developed as a part of the documentation for Milestone A. This test plan identifies how the incremental functional requirements are to be tested, prior to and post release. The plan also defines the testing approach and strategy, including the entrance and exit criteria for each testing phase. Additionally, the plan outlines additional testing cycles to address changes required by the identified DSAID technical solution. Throughout the development and implementation of DSAID, many types of testing will be conducted, to include Systems Interface Testing (SIT), Unit Testing, Integration Testing, System Testing, Regression Testing, User Acceptance Testing (UAT), and Performance Testing. All testing will ensure baseline requirements are met, intended business functions are captured, and that data is properly interfaced with existing Service systems. In addition to the DSAID Test Plan created for Milestone A, a final testing plan with an independent tester will be created for Milestone B in accordance with DoD Directive 5000.02, Operation of Defense Acquisition System. The Department will work with the developer once selected to define how it will document and provide results. Throughout the process, all testing documents will be refined at key junctures to ensure all issues are addressed. The DSAID Test Plan will provide the framework through which SAPRO and the developer will evaluate whether the functionality delivered meets the requirements as described in the requirements documentation. The developer will also be required to conduct regression testing of the system to validate that new requirements do not pose any adverse impact to current functionality. RECOMMENDATION 10: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Personnel and Readiness to ensure that the development and implementation of the Defense Sexual Assault Incident Database includes adherence to key system development and acquisition management processes and controls including effectively managing program risks. (p. 44/GAO Draft Report) DOD Response: Concur: However, the GAO report comment that DSAID "...risk management has yet to begin..." is incorrect. According to the GAO recommended resource,[Footnote 65] the first step in risk management is "Risk Identification." The Department has identified a number of risks associated with DSAID, has incorporated them in to its Risk Communications Strategy, and has conveyed those risks to targeted stakeholders. The Department's DSAID briefing to GAO and other stakeholders included these risks. The GAO's ability to accurately incorporate five of these risks into its report on pages 34 and 35 is evidence itself that the initial step in risk management has begun. However, the Department acknowledges that there are many steps remaining in Risk Management that must be addressed. The Department will apply the approach recommended in the Risk Management Guide for DOD Acquisition,[Footnote 66] which identifies that management is a continuous process that is accomplished throughout DSAID's life cycle. The risk management strategy will make certain that task requirements are executed with proper mitigation of technical, operational, and management risks. It will employ a consistent, five step approach to identify, analyze, plan, act, and monitor and learn about real and potential risks to ensure improved and sustained product delivery. [End of section] Appendix III: Comments from the U.S. Coast Guard: U.S. Department of Homeland Security: Washington, DC 20528: January 6, 2010: Ms. Brenda S. Farrell: Director, Defense Capabilities and Management: U.S. Government Accountability Office: 441 G St., N.W. Washington, D.C. 20548: Dear Ms. Farrell: Thank you for the opportunity to review and provide comments on the Government Accountability Office's (GAO) draft report titled, Military Personnel: Additional Actions Are Needed to Strengthen DOD's and the Coast Guard's Sexual Assault Prevention and Response Programs (GA0-10- 215). The Department of Homeland Security (DHS) has reviewed the referenced report and concurs with the recommendations. We would like to note that the United States Coast Guard (USCG) continues to make progress in the development of its Sexual Assault Prevention and Response Program. USCG-specific Sexual Assault Response Coordinator (SARC) training for all personnel performing SARC duties, including Employee Assistance Program Coordinators (EAPC) and Family Advocacy Specialists, is scheduled for May 2010. Victim Advocate Training also continues throughout the USCG, with several more sessions scheduled for 2010. A Work-Life Information System (an electronic database designed to help track sexual assault reports) is in the prototype development phase and current progress suggests that it should be completed within 2010. A Manpower Requirements Analysis on the EAPCs has been completed, and the final report is expected to be released in early 2010. Initial review of the data suggests that additional EAPCs may be needed. Upon release of a final report, the USCG will carefully review and analyze all recommendations. Requests for additional resource requirements will be submitted, as appropriate, for review as part of the USCG's annual budget build process. Thank you for the opportunity to review and provide comments to the draft report and we look forward to working with you on future homeland security issues. Sincerely, Signed by: Jerald E. Levine: Director: Audit Liaison: [End of section] Appendix IV: GAO Contacts and Staff Acknowledgments: GAO Contacts: Brenda S. Farrell, (202) 512-3604 or farrellb@gao.gov: Randolph C. Hite, (202) 512-3439 or hiter@gao.gov: Acknowledgments: In addition to the contacts named above, key contributors to this report include Marilyn K. Wasleski, Assistant Director; Neelaxi Lakhmani, Assistant Director; Divya Bali; Stacy Bennett; Steve Caldwell; Elizabeth Curda; Matt Dove; K. Nicole Harms; Jim Houtz; Ron La Due Lake; Kim Mayo; Geoffrey Peck; Adam Vodraska; and Cheryl A. Weissman. [End of section] Footnotes: [1] In fiscal year 2008, DOD reported 2,908 alleged incidents of sexual assault involving military servicemembers, and the Coast Guard reported 84. However, data on the reported alleged sexual assault incidents in DOD and the Coast Guard are imprecise representations of the extent to which sexual assault is occurring in the military services because they may include incidents that occurred before a victim's military service began or before fiscal year 2008. Furthermore, these data are reported regardless of the final outcome and therefore some of these reports may turn out to be unsubstantiated. The military services' fiscal year 2009 sexual assault incident data were not included in our report because they will not be published by DOD until March 15, 2010. [2] GAO, Military Personnel: DOD's and the Coast Guard's Sexual Assault Prevention and Response Programs Face Implementation and Oversight Challenges, [hyperlink, http://www.gao.gov/products/GAO-08-924] (Washington, D.C.: Aug. 29, 2008). [3] Pub. L. No. 108-375, § 577 (2004). [4] GAO, Military Personnel: The DOD and Coast Guard Academies Have Taken Steps to Address Incidents of Sexual Harassment and Assault, but Greater Federal Oversight Is Needed, [hyperlink, http://www.gao.gov/products/GAO-08-296] (Washington, D.C.: Jan.17, 2008). [5] [hyperlink, http://www.gao.gov/products/GAO-08-924]. [6] [hyperlink, http://www.gao.gov/products/GAO-08-924]. [7] GAO, Military Personnel: Preliminary Observations on DOD's and the Coast Guard's Sexual Assault Prevention and Response Programs, [hyperlink, http://www.gao.gov/products/GAO-08-1013T] (Washington, D.C.: July 31, 2008). [8] GAO, Military Personnel: Actions Needed to Strengthen Implementation and Oversight of DOD's and the Coast Guard's Sexual Assault Prevention and Response Programs, [hyperlink, http://www.gao.gov/products/GAO-08-1146T] (Washington, D.C.: Sept. 10, 2008). [9] Pub. L. No. 110-417, § 563 (2008). [10] [hyperlink, http://www.gao.gov/products/GAO-08-924]. [11] GAO, Managing for Results: Agency Progress in Linking Performance Plans With Budgets and Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-02-236] (Washington, D.C.: Jan. 4, 2002). [12] Pub. L. No. 110-417, § 563 (2008). [13] [hyperlink, http://www.gao.gov/products/GAO-08-924]. [14] Pub. L. No. 108-375, § 577 (2004). [15] In February 2004, the Secretary of Defense directed the Under Secretary of Defense for Personnel and Readiness to undertake a 90-day review to assess sexual assault policies and programs in DOD and the services and recommend changes to increase prevention, promote reporting, enhance the quality of support provided to victims especially within combat theaters, and improve accountability for offender actions. Among the recommendations of the task force was that DOD establish a single point of accountability for all sexual assault policy matters within the department. [16] Department of Defense Directive 6495.01, Sexual Assault Prevention and Response (SAPR) Program (Oct. 6, 2005), as updated by subsequent changes. [17] Department of Defense Instruction 6495.02, Sexual Assault Prevention and Response Program Procedures (June 23, 2006), as updated by subsequent changes. [18] Pub. L. No. 110-417, § 563 (2008). [19] This responsibility does not include responsibility for legal processes provided under the Uniform Code of Military Justice and Manual for Courts-Martial and criminal investigative policy matters that are assigned to the judge advocates general of the military services and DOD's Inspector General, respectively. [20] Department of Defense Instruction 6495.02, Sexual Assault Prevention and Response Program Procedures (Jun. 23, 2006). [21] U.S. Coast Guard Commandant Instruction 1754.10D, Sexual Assault Prevention and Response (SAPR) Program (Jan. 16, 2009). [22] [hyperlink, http://www.gao.gov/products/GAO-08-924]. [23] [hyperlink, http://www.gao.gov/products/GAO-08-924]. [24] [hyperlink, http://www.gao.gov/products/GAO-08-924]. [25] Memorandum for the Director, Joint Staff (J-1), Sexual Assault Prevention and Response Guidance for Joint Publications (Apr. 7, 2009). [26] Section 576 of the Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005 directed the task force to conduct an examination of matters relating to sexual assault in cases involving members of the Armed Forces, and required the task force to submit a report not later than 1 year after initiation of its examination. Section 566 of the National Defense Authorization Act for Fiscal Year 2010, Pub. L. No. 111-84 (2009), amended the previous statute and provided a deadline of no later than December 1, 2009. The Report of the Defense Task Force on Sexual Assault in the Military Services was released on December 1, 2009. [27] GAO, The Results Act: An Evaluator's Guide to Assessing Agency Annual Performance Plans, [hyperlink, http://www.gao.gov/products/GAO/GGD-10.1.20] (Washington, D.C.: April 1998); Managing for Results: Critical Issues for Improving Federal Agencies' Strategic Plans, [hyperlink, http://www.gao.gov/products/GAO/GGD-97-180] (Washington, D.C.: Sept. 16, 1997); and [hyperlink, http://www.gao.gov/products/GAO-08-924]. [28] GAO, Managing for Results: Enhancing Agency Use of Performance Information for Management Decision Making, [hyperlink, http://www.gao.gov/products/GAO-05-927] (Washington, D.C.: Sept. 9, 2005). [29] [hyperlink, http://www.gao.gov/products/GAO/GGD-10.1.20]. [30] [hyperlink, http://www.gao.gov/products/GAO-02-236]. [31] [hyperlink, http://www.gao.gov/products/GAO-08-924]. [32] [hyperlink, http://www.gao.gov/products/GAO-08-924]. [33] [hyperlink, http://www.gao.gov/products/GAO-08-924]. [34] GAO, Agency Performance Plans: Examples of Practices That Can Improve Usefulness to Decisionmakers, [hyperlink, http://www.gao.gov/products/GAO/GGD/AIMD-99-69] (Washington, D.C.: Feb. 26, 1999). [35] GAO, Managing for Results: Barriers to Interagency Coordination, [hyperlink, http://www.gao.gov/products/GAO/GGD-00-106] (Washington, D.C.: Mar. 29, 2000). [36] Pub. L. No. 110-417, § 563 (2008). [37] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, [hyperlink, http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009). [38] According to Department of Defense Directive 5000.01, The Defense Acquisition System (May 12, 2003), a milestone decision authority (MDA) is the designated individual with overall responsibility for the program. The MDA has the authority to approve entry of an acquisition program into the next phase of the acquisition, including approving the program to proceed through its acquisition cycle on the basis of, for example, the acquisition plan, an economic analysis, and the Acquisition Program Baseline. [39] Department of Defense Instruction 5000.02, Operation of the Defense Acquisition System (Dec. 8, 2008), establishes a simplified and flexible management framework for translating capability needs and technology opportunities into stable, affordable, and well-managed acquisition programs. The system consists of five key program life cycle phases and three related milestone decision points--(1) Materiel Solution Analysis (previously Concept Refinement), followed by Milestone A; (2) Technology Development, followed by Milestone B; (3) Engineering and Manufacturing Development (previously System Development and Demonstration), followed by Milestone C; (4) Production and Deployment; and (5) Operations and Support. [40] See, for example, Department of Defense Instruction 5000.02, Operation of the Defense Acquisition System; Institute of Electrical and Electronics Engineers, Standard 1012-2004 for Software Verification and Validation (New York: June 8, 2005); and [hyperlink, http://www.gao.gov/products/GAO-09-3SP]. [41] Department of Defense Architecture Framework, Version 1.5, Volume 1 (April 2007); GAO, Information Technology: A Framework for Assessing and Improving Enterprise Architecture Management (Version 1.1), [hyperlink, http://www.gao.gov/products/GAO-03-584G] (Washington, D.C.: April 2003); Chief Information Officers Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0 (February 2001); and Institute of Electrical and Electronics Engineers (IEEE), Standard for Recommended Practice for Architectural Description of Software- Intensive Systems 1471-2000 (Sept. 21, 2000). [42] A well-defined enterprise architecture provides a clear and comprehensive picture of an entity, whether it is an organization (e.g., a federal department) or a functional or mission area that cuts across more than one organization (e.g., personnel management). This picture consists of snapshots of both the enterprise's current, or "as is," environment and its target or "to be" environment, as well as a capital investment road map for transitioning from the current to the target environment. These snapshots consist of integrated "views," which are one or more architecture products that describe, for example, the enterprise's business processes and rules; information needs and flows among functions, supporting systems, services, and applications; and data and technical standards and structures. [43] See, for example, GAO, Information Technology: FBI Is Taking Steps to Develop an Enterprise Architecture, but Much Remains to Be Accomplished, [hyperlink, http://www.gao.gov/products/GAO-05-363] (Washington, D.C.: Sept. 9, 2005); Homeland Security: Efforts Under Way to Develop Enterprise Architecture, but Much Work Remains, [hyperlink, http://www.gao.gov/products/GAO-04-777] (Washington, D.C.: Aug. 6, 2004); Information Technology: Architecture Needed to Guide NASA's Financial Management Modernization, [hyperlink, http://www.gao.gov/products/GAO-04-43] (Washington, D.C.: Nov.21, 2003); and DOD Business Systems Modernization: Important Progress Made to Develop Business Enterprise Architecture, but Much Work Remains, [hyperlink, http://www.gao.gov/products/GAO-03-1018] (Washington, D.C.: Sept. 19, 2003). [44] GAO, DOD Business System Modernization: Key Navy Programs' Compliance with DOD's Federated Business Enterprise Architecture Needs to Be Adequately Demonstrated, [hyperlink, http://www.gao.gov/products/GAO-08-972] (Washington, D.C.: Aug. 7, 2008). [45] Office of Management and Budget, Circular A-11, Preparation, Submission, and Execution of the Budget (Washington, D.C., Executive Office of the President, August 2009), and Capital Programming Guide: Supplement to Office of Management and Budget, Circular A-11, Part 7, Preparation, Submission, and Execution of the Budget (Washington, D.C., Executive Office of the President, June 2006). [46] Office of Management and Budget, Circular A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs (Washington, D.C., Executive Office of the President, Oct. 29, 1992), defines "life cycle cost" as "the overall estimated cost for a particular program alternative over the time period corresponding to the life of the program, including direct and indirect initial costs plus any periodic or continuing costs of operation and maintenance." [47] [hyperlink, http://www.gao.gov/products/GAO-09-3SP]. [48] Office of Management and Budget, Circular A-94, Guidelines and Discount Rates for Benefits-Cost Analysis of Federal Programs, and Circular A-11, Part 7, Planning, Budgeting, Acquisition and Management of Capital Assets (Washington, D.C., November 2009). [49] The Capability Maturity Model® Integration for Development, developed by the Software Engineering Institute of Carnegie Mellon University, defines key practices that are recognized hallmarks for successful organizations that if effectively implemented, can greatly increase the chances of successfully developing and acquiring software and systems. Carnegie Mellon University, Software Engineering Institute, Capability Maturity Model® Integration for Development, Version 1.2 (Pittsburgh, August 2006). [50] See, for example, Department of Defense Instruction 5000.02, Operation of the Defense Acquisition System; Defense Acquisition University, Test and Evaluation Management Guide; Institute of Electrical and Electronics Engineers, Standard 1012-2004 for Software Verification and Validation; and Carnegie Mellon University, Software Engineering Institute, Capability Maturity Model Integration for Acquisition, Version 1.2, CMU/SEI-2007-TR-017(Pittsburgh, November 2007). [51] Department of Defense, Risk Management Guide for DOD Acquisition, 6th Edition, Version 1.0, [hyperlink, http://www.acq.osd.mil/sse/ed/docs/2006-RM-Guide-4Aug06-final- version.pdf] (accessed Nov. 27, 2009), and Carnegie Mellon University, Software Engineering Institute, CMMI for Acquisition, Version 1.2. [52] The Department of the Air Force stated that to date, it has not identified any expected limitations for providing data from other systems or expressed any concerns about competing priorities. [53] [hyperlink, http://www.gao.gov/products/GAO-08-924]. [54] U.S. Coast Guard Commandant Instruction 1754.10D, Sexual Assault Prevention and Response (SAPR) Program (Jan. 16, 2009). [55] GAO, Results-Oriented Cultures: Implementation Steps to Assist Mergers and Organizational Transformations, [hyperlink, http://www.gao.gov/products/GAO-03-669] (Washington, D.C.: July 2, 2003). [56] [hyperlink, http://www.gao.gov/products/GAO-08-924]. [57] [hyperlink, http://www.gao.gov/products/GAO-02-236]. [58] The Coast Guard's instruction specifically charges the Sexual Assault Prevention and Response Program Manager with establishing the reporting system, and specifically charges the Employee Assistance Program Coordinator/Sexual Assault Response Coordinator with maintaining records to identify victims and track services provided. [59] GAO, Executive Guide: Effectively Implementing the Government Performance and Results Act, [hyperlink, http://www.gao.gov/products/GAO/GGD-96-118] (Washington, D.C.: June 1996). [60] [hyperlink, http://www.gao.gov/products/GAO/GGD-96-118]. [61] Pub. L. No. 110-417, § 563 (2008). [62] Federal Acquisition Regulation (FAR) and The Competition in Contracting Act of 1984 (CICA), 41 U.S.C. 253. [63] p. 324, GAO Cost Estimate and Assessment Guide. [64] Office of Management and Budget Circular A-94, Guidelines and Discount Rates for Benefits-Cost Analysis of Federal Programs Washington, D.C.: Oct 29, 1992; Office of Management and Budget Circular A-11, part 7, Planning, Budgeting, Acquisition and Management of Capital Assets (Washington, D.C.: Nov 2009). [65] Department of Defense, Risk Management Guide for DOD Acquisition, 6th Edition, Version 1.0, pg 7. [66] Ibid. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: