Defense Management
DOD Needs to Establish Clear Goals and Objectives, Guidance, and a Designated Budget to Manage Its Biometrics Activities Gao ID: GAO-08-1065 September 26, 2008The Department of Defense (DOD), in its response to unconventional threats from terrorists, uses biometrics technologies that identify physical attributes, including fingerprints and iris scans. However, coordinating the development and implementation of biometrics and ensuring interoperability across DOD has been difficult to achieve. Biometrics also is an enabling technology for identity management, a concept that seeks to manage personally identifiable information to enable improved governmentwide sharing and analysis of identity information. GAO was asked to examine the extent to which DOD has established biometrics goals and objectives, implementing guidance for managing biometrics activities, and a designated budget. To address these objectives, GAO reviewed documentation, including DOD biometrics policy and directives, and interviewed key DOD officials involved with making policy and funding decisions regarding biometrics.
DOD established, in October 2006, the Principal Staff Assistant, who is the Director of Defense Research and Engineering, and an Executive Committee as part of its attempts to improve the management of its biometrics activities. However, as of August 2008, it had not established management practices that include clearly defined goals and objectives, implementing guidance that clarifies decision-making procedures for the Executive Committee, and a designated biometrics budget. First, while DOD has stated some general goals for biometrics, such as providing recognized leadership and comprehensive planning policy, it has not articulated specific program objectives, the steps needed to achieve those objectives, and the priorities, milestones, and performance measures needed to gauge results. Second, DOD issued a directive in 2008 to establish biometrics policy and assigned general responsibilities to the Executive Committee and the Principal Staff Assistant but has not issued implementing guidance that clarifies decision-making procedures. The Executive Committee is chaired by the Principal Staff Assistant and includes a wide array of representatives from DOD communities such as intelligence, acquisitions, networks and information integration, personnel, and policy and the military services. The Executive Committee is responsible for resolving biometrics management issues, such as issues between the military services and joint interests resulting in duplications of effort. However, the committee does not have guidance for making decisions that can resolve management issues. Past DOD reports have noted difficulties in decision making and accountability in the management of its biometrics activities. Third, DOD also has not established a designated budget for biometrics that links resources to specific objectives and provides a consolidated view of the resources devoted to biometrics activities. Instead, it has relied on initiative-by-initiative requests for supplemental funding, which may not provide a predictable stream of funding for biometrics. Prior GAO work on performance management demonstrates that successful programs incorporate such key management practices, and for several years, DOD reports and studies have also called for DOD to establish such practices for its biometrics activities. Similarly, a new presidential directive issued in June 2008 supports the establishment of these practices in addition to calling for a governmentwide framework for the sharing of biometrics data. DOD officials have said that DOD's focus has been on quickly fielding biometrics systems and maximizing existing systems to address immediate warfighting needs in Afghanistan and Iraq. This focus on responding to immediate warfighting needs and the absence of the essential management practices have contributed to operational inefficiencies in managing DOD's biometrics activities, such as DOD's difficulties in sharing biometrics data within and outside the department. For example, in May 2008 GAO recommended that DOD establish guidance specifying a standard set of biometrics data for collection during military operations in the field. These shortcomings may also impede DOD's implementation of the June 2008 presidential directive and the overall identity management operating concept.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-08-1065, Defense Management: DOD Needs to Establish Clear Goals and Objectives, Guidance, and a Designated Budget to Manage Its Biometrics Activities
This is the accessible text file for GAO report number GAO-08-1065
entitled 'Defense Management: DOD Needs to Establish Clear Goals and
Objectives, Guidance, and a Designated Budget to Manage Its Biometrics
Activities' which was released on September 29, 2008.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
September 2008:
Defense Management:
DOD Needs to Establish Clear Goals and Objectives, Guidance, and a
Designated Budget to Manage Its Biometrics Activities:
GAO-08-1065:
GAO Highlights:
Highlights of GAO-08-1065, a report to congressional requesters.
Why GAO Did This Study:
The Department of Defense (DOD), in its response to unconventional
threats from terrorists, uses biometrics technologies that identify
physical attributes, including fingerprints and iris scans. However,
coordinating the development and implementation of biometrics and
ensuring interoperability across DOD has been difficult to achieve.
Biometrics also is an enabling technology for identity management, a
concept that seeks to manage personally identifiable information to
enable improved governmentwide sharing and analysis of identity
information. GAO was asked to examine the extent to which DOD has
established biometrics goals and objectives, implementing guidance for
managing biometrics activities, and a designated budget. To address
these objectives, GAO reviewed documentation, including DOD biometrics
policy and directives, and interviewed key DOD officials involved with
making policy and funding decisions regarding biometrics.
What GAO Found:
DOD established, in October 2006, the Principal Staff Assistant, who is
the Director of Defense Research and Engineering, and an Executive
Committee as part of its attempts to improve the management of its
biometrics activities. However, as of August 2008, it had not
established management practices that include clearly defined goals and
objectives, implementing guidance that clarifies decision-making
procedures for the Executive Committee, and a designated biometrics
budget. First, while DOD has stated some general goals for biometrics,
such as providing recognized leadership and comprehensive planning
policy, it has not articulated specific program objectives, the steps
needed to achieve those objectives, and the priorities, milestones, and
performance measures needed to gauge results. Second, DOD issued a
directive in 2008 to establish biometrics policy and assigned general
responsibilities to the Executive Committee and the Principal Staff
Assistant but has not issued implementing guidance that clarifies
decision-making procedures. The Executive Committee is chaired by the
Principal Staff Assistant and includes a wide array of representatives
from DOD communities such as intelligence, acquisitions, networks and
information integration, personnel, and policy and the military
services. The Executive Committee is responsible for resolving
biometrics management issues, such as issues between the military
services and joint interests resulting in duplications of effort.
However, the committee does not have guidance for making decisions that
can resolve management issues. Past DOD reports have noted difficulties
in decision making and accountability in the management of its
biometrics activities. Third, DOD also has not established a designated
budget for biometrics that links resources to specific objectives and
provides a consolidated view of the resources devoted to biometrics
activities. Instead, it has relied on initiative-by-initiative requests
for supplemental funding, which may not provide a predictable stream of
funding for biometrics.
Prior GAO work on performance management demonstrates that successful
programs incorporate such key management practices, and for several
years, DOD reports and studies have also called for DOD to establish
such practices for its biometrics activities. Similarly, a new
presidential directive issued in June 2008 supports the establishment
of these practices in addition to calling for a governmentwide
framework for the sharing of biometrics data. DOD officials have said
that DOD‘s focus has been on quickly fielding biometrics systems and
maximizing existing systems to address immediate warfighting needs in
Afghanistan and Iraq. This focus on responding to immediate warfighting
needs and the absence of the essential management practices have
contributed to operational inefficiencies in managing DOD‘s biometrics
activities, such as DOD‘s difficulties in sharing biometrics data
within and outside the department. For example, in May 2008 GAO
recommended that DOD establish guidance specifying a standard set of
biometrics data for collection during military operations in the field.
These shortcomings may also impede DOD‘s implementation of the June
2008 presidential directive and the overall identity management
operating concept.
What GAO Recommends:
To improve DOD‘s management of its biometrics activities, GAO
recommends that the Secretary of Defense ensure that the Principal
Staff Assistant and Executive Committee establish clear goals and
objectives, implementing guidance, and a designated budget for managing
its biometrics activities. DOD concurred with all of GAO‘s
recommendations.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-1065]. For more
information, contact Davi M. D'Agostino at (202) 512-5431 or
dagostinod@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
DOD Biometrics Lacks Clear Goals and Objectives,
Implementing Guidance, and a Designated Budget:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Scope and Methodology:
Appendix II: DOD Actions to Improve Coordination of Biometrics:
Appendix III: GAO Management Letter to the Secretary of Defense:
Appendix IV: DOD Response to GAO Management Letter:
Appendix V: Comments from the Department of Defense:
Appendix VI: GAO Contact and Staff Acknowledgments:
Figures:
Figure 1: Key DOD Actions Related to Management of Biometrics
Activities:
Figure 2: Key DOD Entities Involved in Biometrics Activities:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
September 26, 2008:
The Honorable Solomon P. Ortiz:
Chairman:
The Honorable J. Randy Forbes:
Ranking Member:
Subcommittee on Readiness:
Committee on Armed Services:
House of Representatives:
The Honorable Adam Smith:
Chairman:
The Honorable Mac Thornberry:
Ranking Member:
Subcommittee on Terrorism and Unconventional Threats and Capabilities:
Committee on Armed Services:
House of Representatives:
The U.S. security environment has changed markedly in recent years.
Once focused on the Cold War threat of the Soviet Union with its
massive conventional forces and nuclear arsenal, the Department of
Defense (DOD) now faces not only potential conventional threats from
hostile nations but also unconventional threats from terrorist
organizations or individuals. For example, these terrorists may seek to
blunt U.S. forces by blending anonymously into native populations to
avoid detection until an attack is launched. DOD uses fingerprint
records, iris scans, and other biometrics technologies to help
establish the identity of such persons. Biometrics technologies can be
useful because they measure physical attributes of individuals, such as
the whorls, arches, and furrows of their fingerprints or the random
patterns of the iris muscle of the eye, which are thought to be unique
to an individual. Biometrics data not only can help establish a
person's identity with greater confidence but also help improve the
ability to link individuals to their past activities and previously
used identities.[Footnote 1] According to DOD, biometrics technology is
revolutionizing DOD operations and is used in many organizations and in
many missions, including military operations such as population
control, counterintelligence screening, and detainee management and
interrogation, and in business operations such as base access control
to verify Common Access Card credentials.[Footnote 2]
Biometrics activities are dispersed throughout DOD at many
organizational levels. These DOD organizations use a variety of
different systems to collect, store, and analyze biometrics data.
However, with many organizations developing the use of biometrics,
coordination has been difficult to achieve across the department,
according to several DOD reports. DOD efforts to formally organize and
manage its biometrics activities date back to at least 2000 when
Congress designated the U.S. Army as the Executive Agent responsible
for leading and coordinating all DOD biometrics information assurance
programs. Given current wartime missions following the terrorist
attacks on September 11, 2001, DOD has spent millions of dollars in
procuring biometrics technologies and systems and installing them
throughout the department and in its operations overseas. For example,
for fiscal years 2006 and 2007, the Army alone received approval for
about $540 million in biometrics-related funding and requested over
$470 million in funding for fiscal year 2008. With the increased use of
biometrics, DOD recognized that it needed to establish better
overarching direction for its biometrics activities and improve
coordination among the DOD organizations involved, and began to
institute various initiatives to achieve those goals. For example, by
memorandum dated October 4, 2006, the Deputy Secretary of Defense
designated the Director of Defense Research and Engineering, under the
Under Secretary of Defense for Acquisition, Technology and Logistics,
as the Principal Staff Assistant for DOD Biometrics. The Deputy
Secretary directed the Principal Staff Assistant to establish the DOD
Biometrics Executive Committee (Executive Committee) with members
representing DOD's military services and intelligence, acquisitions,
networks and information integration, personnel, and policy
communities. In a February 2008 directive, DOD designated the Principal
Staff Assistant as the chair of the Executive Committee.
While biometrics technologies are important tools in DOD operations,
they also are enabling technologies for the much broader operating
concept termed identity management. While the definition for identity
management is evolving, a basic understanding from federal and DOD
reports and other documents is that identity management seeks to manage
identity information, including biometrics data, in an integrated,
coordinated way to enable improved sharing and analysis of identity
information. Biometrics data represent only a part of an individual's
identity. For example, in addition to unique physical attributes, such
as fingerprints and iris scans, other information on individuals may
include their names, Social Security numbers, or dates of birth.
Identity information on known or suspected terrorists, as well as U.S.
or foreign individuals, may also be collected, organized, analyzed, and
protected in databases associated with military combat or base access
operations or intelligence, law enforcement, border security, or other
national security mission areas. The greater confidence provided by
biometrics data raises the potential for it to be used as a "master
key" to grant access across all these databases and systems, and cross-
reference information from all the different perspectives--subject to
existing privacy protections--resulting in the opportunity for new
analytical perspectives. In its 2006 concept of operations,[Footnote 3]
DOD recognized that its current methods of identifying individuals,
organizing information on persons, and recalling and sharing such
information were inadequate to meet its operational needs. As a result,
DOD saw the need to integrate its dispersed biometrics operations to be
consistent with the type of improved information sharing and analysis
sought by identity management. The need for increased sharing of
biometric and other information in the Global War on Terrorism is also
being recognized across the federal government. For example, in June
2008, the President issued a new national security directive
establishing a governmentwide framework for the sharing of biometrics
data.[Footnote 4] The directive is designed to ensure that federal
agencies use compatible methods and procedures in the collection,
storage, use, and analysis of biometric information to enhance the
sharing of such data.
In light of the increasing importance of biometrics and identity
management to DOD's missions and the significant amount of funding
devoted to biometrics technologies, you asked that we examine the
effectiveness of DOD's efforts to manage biometrics in support of the
larger context that is identity management. This is the third in a
series of products we have issued in response to your request. In
December 2007, we issued a management letter raising concerns about
whether the newly established Principal Staff Assistant for Biometrics
was being provided with the authority needed to improve coordination
and direction of DOD's biometrics initiatives.[Footnote 5] In May 2008,
we recommended that DOD establish guidance specifying a standard set of
biometrics data for collection during military operations in the field,
and explore broadening its data sharing with other federal agencies in
some areas.[Footnote 6] In this report, we examine the extent to which
DOD has established biometrics goals and objectives, implementing
guidance for managing biometrics activities, and a designated budget
linking resources to specific objectives and providing a consolidated
view of the resources devoted to biometrics activities.
To address this report's objective, we considered leading management
practices and principles identified in our prior reports and analyses.
[Footnote 7] Our analysis focused primarily on DOD's management of
biometrics activities, systems, and programs associated with its
current warfighting and counterterrorism efforts, particularly those
used in U.S. Central Command's geographic area of responsibility, which
includes Iraq and Afghanistan. We reviewed documents and interviewed
officials from a range of DOD organizations at the departmental,
military service, and combatant command levels involved in conducting,
managing, or overseeing biometrics activities. These documents included
various memorandums, directives, briefings, progress reports, budgetary
data, planning documents, charters, agendas, reports, studies, and
analyses related to biometrics activities in the department. To
understand DOD's biometrics activities within a federal government
context, we also obtained information and met with officials from other
federal agencies and offices and reviewed the February 2008 National
Security Presidential Directive on the use of biometrics to enhance
national security. We conducted this performance audit from May 2007
through September 2008 in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objectives.
Further details on our scope and methodology can be found in appendix
I.
Results in Brief:
DOD began to take actions to better manage its dispersed biometrics
activities in 2000, but as of August 2008, it had not established
management practices that include clearly defined goals and objectives,
implementing guidance that clarifies decision-making procedures for the
Executive Committee, and a designated biometrics budget. First, while
DOD has stated some general goals for biometrics, such as providing
comprehensive planning policy in several documents such as the November
2005 Department of Defense Biometrics Strategy, it has not articulated
specific program objectives, the steps needed to achieve those
objectives, and the priorities, milestones, and performance measures
needed to gauge results. DOD officials said that in late 2008 they plan
to complete studies that will lay the foundation for the eventual
development of a formal biometrics program. Second, DOD issued a
directive in 2008 to establish biometrics policy and assigned general
responsibilities to the Executive Committee and the Principal Staff
Assistant but has not issued implementing guidance that clarifies
decision-making procedures for policy and management issues. The
Executive Committee is chaired by the Principal Staff Assistant and
includes a wide array of representatives from DOD communities such as
intelligence, acquisitions, networks and information integration,
personnel, and policy and the military services. The Executive
Committee is responsible for resolving biometrics management issues,
such as issues between the military services and joint interests
resulting in duplications of effort. However, the committee does not
have guidance for making decisions that can resolve management issues.
At one time, DOD considered providing the Executive Committee with a
voting mechanism to resolve policy issues and help ensure that such
issues and others are formally addressed and resolved in the best
interests of the department as a whole. However, this directive did not
include this voting mechanism. Past DOD reports have noted difficulties
in decision making and accountability in the management of its
biometrics activities. Third, DOD also has not established a designated
budget for biometrics that links resources to specific objectives and
provides a consolidated view of the resources devoted to biometrics
activities. Instead, it has relied on initiative-by-initiative requests
for supplemental funding, which may not provide a predictable stream of
funding for biometrics. Until DOD has established a designated budget,
it will continue to experience uncertainty in obtaining resources for
its biometrics activities.
Our prior work on performance management demonstrates that successful
programs incorporate such key management practices, and for several
years, DOD reports and studies have also called for DOD to establish
such practices for its biometrics activities. Similarly, a new
presidential directive issued in June 2008 supports the establishment
of these practices in addition to calling for a governmentwide
framework for the sharing of biometrics data. DOD officials have said
that DOD's focus has been on quickly fielding biometrics systems and
maximizing existing systems to address immediate warfighting needs in
Afghanistan and Iraq. This focus on responding to immediate warfighting
needs and the absence of the essential management practices have
contributed to operational inefficiencies in managing DOD's biometrics
activities, such as DOD's difficulties in sharing biometrics data
within and outside the department. For example, in May 2008, we
recommended that DOD establish guidance specifying a standard set of
biometrics data for collection during military operations in the field.
These shortcomings may also impede DOD's implementation of the June
2008 presidential directive and the overall identity management
operating concept. Therefore, we are recommending that DOD establish
clearly defined goals and objectives, issue implementing guidance that
clarifies decision-making procedures for the Executive Committee, and
establish a designated budget for managing its biometrics activities.
GAO provided a draft of this report to DOD in August 2008 for its
review and comment. In written comments on the draft, DOD concurred
with all of our recommendations. Also, the Director of Defense
Biometrics provided us with technical comments, which we incorporated
in the report where appropriate. DOD's response is reprinted in
appendix V.
Background:
DOD has been using biometrics since the 1970s, and with improvements in
the technologies used to collect and share this information, DOD's use
of biometrics has increased. As this use increased, reports have called
on DOD to improve its management of biometrics activities and, over
time, DOD has taken some key actions. Meanwhile, a new concept called
identity management is emerging of which biometrics is an integral
part.
Growing Use of Biometrics:
The use of biometrics to authenticate a person's identity is not new. A
method to index fingerprints was first developed in the late 1800s, and
the U.S. prison system began using fingerprints to identify criminals
in 1903. Additional forms of biometrics, such as facial and iris
recognition, began being used in the latter half of the 20th century,
but the emergence of computer systems to help automate the recognition
process resulted in an explosion of activity in biometrics in the
1990s. DOD's involvement in biometrics dates back at least to the
1970s, but a 1999 initiative for DOD to move to the use of smart card
technology as the principal mechanism for access to its buildings and
databases set the stage for the increased use of biometrics in the
department.[Footnote 8] With the wars in Afghanistan and Iraq, DOD and
the military services expanded the use of biometrics for tactical
military operations, such as helping identify known or suspected
terrorists on the battlefield and controlling the movement of local
civilian populations.
Reports to DOD on Management of Biometrics and DOD Actions:
Several reports have called on DOD to improve its management of
biometrics. For example, in the August 2005 Joint Urgent Operational
Need Statement for a Joint Biometrics Solution in Support of
Operations, U.S. Central Command reported that the "lack of a
comprehensive management approach to the development and implementation
of biometrics technology" was resulting in "unfocused investment" of
resources with DOD services and agencies fielding individual systems
with varying levels of interoperability, undercutting the command's
operations in Iraq and Afghanistan. A second DOD report in 2006
identified a host of problems where biometrics systems were fielded
without regard to an overarching design and often had different
applications and capabilities with different data fields, resulting in
a lack of interoperability and synchronization, and duplication of
data.[Footnote 9] More recently, in March 2007, a report by the Defense
Science Board Task Force on Defense Biometrics cited the "reactive" and
"ad hoc" nature of DOD's management of biometrics initiatives since the
terrorist attacks of September 11, 2001.[Footnote 10]
In July 2000, Congress designated the Secretary of the Army as the
"Executive Agent to lead, consolidate, and coordinate all biometrics
information assurance programs" across DOD.[Footnote 11] Since then,
DOD has taken various actions over time to address management of
biometrics activities, as shown in figure 1. For example, DOD has
formed at least three coordinating groups over the past 6 years to help
improve coordination and management of its biometrics activities. DOD's
actions culminated in the February 2008 DOD Directive, which
established general biometrics policy and organizational
responsibilities, with the Principal Staff Assistant responsible for
coordinating and overseeing biometrics and the Executive Committee,
chaired by the Principal Staff Assistant, responsible for reviewing and
approving biometrics strategy and program plans and for resolving
biometrics issues and disputes. The directive calls for DOD to
integrate biometrics into its operations, eliminate unwarranted
duplication and overlap of efforts, and ensure that biometrics
capabilities be developed to be interoperable with other identity
management capabilities and systems.[Footnote 12] Further information
on DOD's actions is included in appendix II.
Figure 1: Key DOD Actions Related to Management of Biometrics
Activities:
[See PDF for image]
This figure is a timeline depicting the following information:
July 2000:
Pub. L. No. 106-246 assigns the Secretary of the Army as Executive
Agent for DOD Biometrics.
Dec. 2000:
DOD establishes Biometrics Management Office (now Biometrics Task
Force) and Biometrics Fusion Center.
Aug. 2002:
DOD creates Biometrics Senior Coordinating Group.
Jan. 2004:
DOD establishes Identity Management Senior Coordinating Group for
Common Access Card, Public Key Infrastructure, and Biometrics.
Oct. 2006:
DOD establishes Principal Staff Assistant for DOD Biometrics, DOD
Biometrics Executive Committee, and Director of Defense Biometrics.
Feb. 2008:
DOD issues Directive 8521.01E on DOD Biometrics.
Source: GAO analysis of DOD documents.
[End of figure]
Emerging Concept of Identity Management:
As DOD's use of biometrics has expanded, recognition of the broader
concept of identity management--generally understood as the management
of personal identity information, including biometrics data, in an
integrated, coordinated way to enable improved sharing and analysis of
said information--has emerged within the department and the federal
government. For example, in its March 2007 report on the use of
biometrics within DOD, the Defense Science Board's Task Force on
Defense Biometrics urged the department to "embrace the larger
construct" of identity management, rather than focus solely on
biometrics.[Footnote 13] Similarly, according to officials from the
National Science and Technology Committee's Subcommittee on Biometrics
and Identity Management within the Executive Office of the President,
which is responsible for coordinating biometrics policy across the
federal government, the subcommittee added "Identity Management" to its
name in the spring of 2007 to reflect the increasingly broader nature
of its activities.
In addition to being a key component of identity management,
information sharing among federal agencies has also grown in importance
for national security purposes. The overall U.S. national security
establishment has been moving toward an increasingly interoperable,
sharing approach to terrorism-related identity information in the wake
of the intelligence failures associated with the terrorist attacks of
September 11, 2001. For example, in 2004, Congress directed the
President to establish a formal Information Sharing Environment program
to facilitate the sharing of terrorist information. Since then,
strategies and plans for developing an information-sharing architecture
cutting across the entire federal government--including the
intelligence, law enforcement, defense, homeland security, and foreign
affairs communities--have been under development. This information
includes not only biometrics identity data but virtually all
information regarding terrorist organizations. According to Office of
Science and Technology Policy officials who lead the National Science
and Technology Council's Subcommittee on Biometrics and Identity
Management, they supported the development of the new presidential
directive calling for broader sharing of biometrics data across the
federal government, and are also working to develop additional
interagency products for potential use in informing broader elements of
a governmentwide policy foundation for biometrics.[Footnote 14]
DOD Biometrics Lacks Clear Goals and Objectives, Implementing Guidance,
and a Designated Budget:
DOD has not established clearly defined goals and objectives,
implementing guidance clarifying decision-making procedures for the
Executive Committee, and a designated budget linking resources to
specific objectives for its biometrics activities. Our prior work has
found that such management practices are key to program success.
[Footnote 15] First, although DOD has developed some general goals for
biometrics, it has not articulated specific program objectives, the
steps needed to achieve those objectives, and the priorities,
milestones, and performance measures needed to gauge results. Second,
DOD issued a directive in 2008 that, among other things, established
biometrics policy and assigned general responsibilities to the
Executive Committee, which is chaired by the Principal Staff Assistant.
However, the department has not issued implementing guidance that
clarifies the committee's decision-making procedures for resolving
policy differences among its members, who represent a wide range of DOD
communities and the military services with different functional
responsibilities or operational requirements for biometrics. Such
guidance is important to help the Executive Committee ensure the
interoperability of biometrics systems and prevent duplication of
biometrics-related efforts within the department-- problems that have
affected DOD's management of biometrics in the past. Third, DOD has not
established a designated budget for biometrics that links resources to
specific objectives or that provides a consolidated view of resources
devoted to biometrics. Instead, the department has relied on initiative-
by-initiative requests for supplemental funding for its biometrics
activities, which may not provide a predictable stream of funding.
Having a designated budget also helps to link resources to specific
objectives and provides an organization with a consolidated view of
specific activities.
DOD Biometrics Activities Lack Clear Goals and Objectives:
DOD has not articulated clearly defined goals and objectives that would
inform the development and implementation of biometrics activities for
DOD and the services. Our prior work has found that management
principles, such as providing a clear expression of goals and
objectives, are key to program success.[Footnote 16] While DOD has
developed a variety of concept papers and other documents discussing
biometrics concepts and activities, as well as a number of tactical
plans and documents discussing timelines for improvements to individual
biometrics technologies and systems, these attempts do not provide
sufficient management direction to help ensure program success. For
example, the Biometrics Task Force published the Department of Defense
Biometrics Strategy in November 2005, which lays out general goals and
objectives. The strategy states goals such as providing "recognized
leadership" and "comprehensive planning and policy." However, these
goals and objectives did not provide a clear expression of the specific
program objectives, the steps needed to achieve those results, and the
priorities, milestones, and performance measures needed to gauge
results.
Similarly, the DOD Capstone Concept of Operations for DOD Biometrics in
Support of Identity Superiority dated November 2006 also provides
important concepts of the use of biometrics in both military operations
and business functions. However, it is not a biometrics program plan
with goals, timelines, and performance measures. Further, in September
2006, the Identity Protection and Management Senior Coordinating Group
produced a draft Roadmap to Identity Superiority. This document
provides a more specific strategic vision of biometrics and some
associated programs, including specific goals and expected timelines.
However, DOD officials told us that the document has not been
finalized.
DOD officials said that they have not developed specific strategic
goals and objectives and measures of performance characteristic of
results-oriented successful programs. According to the Director of
Defense Biometrics, who reports to the Principal Staff Assistant, faced
with the threat posed by the terrorist attacks of September 11, 2001,
DOD has been focusing most of its efforts on quickly fielding
biometrics systems, particularly in Iraq and Afghanistan, and working
to maximize existing biometrics systems and programs to address DOD's
immediate warfighting needs. According to DOD officials, the ongoing
Capabilities Based Assessment of the shortfalls in DOD biometrics
activities is expected to lay the foundation for the eventual
development of a formal biometrics program.[Footnote 17] The study is
expected to be completed in late fall 2008. In addition, the new
biometrics directive directed the Executive Manager for Biometrics to
develop a new DOD biometrics vision and strategy for submission to the
Principal Staff Assistant for Biometrics. According to officials, that
document is currently in development and is expected to be completed in
late summer 2008.
DOD Has Not Established Implementing Guidance Clarifying Decision-
Making Procedures for Resolving Policy and Management Issues:
Biometrics activities are dispersed throughout DOD at many
organizational levels, as shown in figure 2, and DOD has not
established implementing guidance clarifying decision-making procedures
to minimize duplications of effort and ensure interoperability across
these levels. The various offices of the Secretary of Defense, such as
those offices associated with intelligence, acquisitions, networks and
information integration, personnel, and policy, and the military
services each have their own functional or operational requirements and
responsibilities for biometrics. However, with many different
organizations using biometrics for their own requirements and missions,
coordination has been difficult to achieve across DOD.
Figure 2: Key DOD Entities Involved in Biometrics Activities:
[See PDF for image]
This figure is an organization chart depicting the following key DOD
entities involved in biometrics activities:
Secretary of Defense;
Deputy Secretary of Defense;
* Unified Combatant Commands[A];
* Joint Chiefs of Staff (Chairman = Vice Chair of Executive
Committee)[A];
* Office of the Secretary of Defense;
- Assistant Secretary of Defense, Networks and Information
Integration[A]; Defense Information Systems Agency; Identity Protection
and Management, Senior Coordinating Group (Biometrics; Common Access
Card; Public Key Infrastructure);
- Director, Administration and Management[A];
- Director, Program Analysis and Evaluation[A];
- General Counsel[A];
- Under Secretaries of Defense: Comptroller[A];
- Under Secretaries of Defense: Policy[A];
- Under Secretaries of Defense: Personnel and Readiness[A]; Identity
Protection and Management, Senior Coordinating Group (Biometrics;
Common Access Card; Public Key Infrastructure);
- Under Secretaries of Defense: Intelligence[A]; Defense Intelligence
Agency;
- Under Secretary of Defense for Acquisition, Technology and
Logistics[A];
- Deputy Under Secretary of Defense for Acquisition and Technology[A];
- Director of Defense Research and Engineering (Principal Staff
Assistant for DOD Biometrics and Chair of Executive Committee)[A];
Director of Defense Biometrics[A];
- DOD Biometrics Executive Committee[A];
* Department of the Army (Secretary = Executive Agent for DOD
Biometrics)[A];
- Army G-3 (Operations);
- Assistant Secretary of the Army for Acquisition, Logistics, and
Technology;
- Army Program Executive Office, Enterprise Information Systems;
- Program Manager, DOD Biometrics;
- Biometrics Task Force (Director = Executive Manager for DOD
Biometrics and Vice-Chair of Executive Committee)[A];
- Biometrics Fusion Center;
* Department of the Navy[A];
- Marine Corps (Headquarters[A];
- Special Advisor to the Secretary of the Navy for Identity Management;
- Program Manager, Naval Identity Management Capability;
* Department of the Air Force[A];
- Air Force Communications Center.
Source: GAO analysis of DOD documents.
[A] Members of the DOD Biometrics Executive Committee.
[End of figure]
To address its coordination challenges, DOD established the Executive
Committee chaired by the Principal Staff Assistant, with
responsibilities that included ensuring the interoperability of DOD's
biometrics systems and resolving important policy or management issues,
including disputes that could result in unnecessary duplication of
effort. DOD's establishment of the Principal Staff Assistant and
Executive Committee is viewed by many as an improvement over past
management approaches. However, the directive establishing the
responsibilities of the committee did not provide guidance to clarify
how decisions would be made to resolve disputes over duplication of
effort or other important policy or management issues. Our prior work
states that in assessing federal programs and best practices of public
and private organizations, it is important to clearly identify not only
organizational roles and responsibilities but also implementing
guidance addressing specific mechanisms and accountability provisions
for coordination and collaboration and resolution of conflicts. We have
reported that DOD's approach to business operations to support
warfighter needs, such as biometrics activities, is a high-risk area
that has suffered from pervasive problems in the ability to make
coordinated system improvements that cut across multiple organizations.
[Footnote 18] DOD's attempts to make improvements across multiple
organizations have often been hindered by fragmented responsibilities
for activities and control over resources and in defining
accountability and authority for making improvements.
DOD established, in October 2006, the Principal Staff Assistant and the
Executive Committee and issued a memorandum that called for the
Principal Staff Assistant to have "responsibility for the authority,
direction, and control of DOD biometrics programs, initiatives, and
technologies" and for developing and coordinating biometrics policy.
However, DOD's 2008 directive superseded this memorandum, giving the
Executive Committee responsibility for review and approval of DOD
biometrics program strategy, program plans, and resources. The
directive states that it is DOD policy that biometrics programs shall
be designed to improve the effectiveness and efficiency of biometrics
activities by "eliminating unwarranted duplication and overlap of
technology development and information management efforts." However,
the directive allows the military services to acquire biometrics
capabilities on their own if such capabilities are determined to be
service-specific. The directive requires that the services coordinate
with the Executive Committee in this area, and does not specify the
mechanism for determining whether biometrics capabilities are service-
specific or applicable DOD-wide. As a result, when services pursue
their own biometrics systems, these systems may lack interoperability
DOD-wide or be duplicative. This has been a problem in the past, as
previous DOD studies have noted a serious lack of coordination,
interoperability, and ability to share biometric data in Afghanistan
and Iraq.[Footnote 19]
DOD officials stated that its acquisition guidelines would provide the
needed management discipline over the military services' and
components' biometrics activities. However, we have reported repeatedly
that significant, systemic problems associated with DOD's acquisition
processes at both the strategic and program levels--problems leading to
weapon programs that take longer, cost more, and deliver fewer
capabilities than originally planned--will require greater discipline
and accountability from DOD, as well as other fundamental changes.
[Footnote 20] Similarly, as part of DOD's ongoing Capabilities Based
Assessment of biometrics in support of identity management at DOD, U.S.
Joint Forces Command issued a report in February 2008 noting that
without a formal program for biometrics, not all steps associated with
safeguards in DOD's acquisitions process for new technological systems
are occurring.[Footnote 21] According to the report, for example, DOD
lacks an approved information architecture for developing and procuring
biometrics information systems, defined key performance parameters for
designing and procuring biometrics systems, and a defined regime for
testing and certifying the interoperability of biometrics systems. Such
efforts are key to addressing long-term strategic issues within a
broader program for identity management.
DOD Has Not Established a Designated Budget to Link Resources and
Provide a Consolidated View of Biometrics Resources:
DOD has not designated a biometrics budget linking resources to
specific objectives and providing a consolidated view of the resources
devoted to biometrics activities. Our prior work underscores the
importance of taking these actions.[Footnote 22] According to DOD
officials, instead of having a designated budget for biometrics as
other more established programs have been provided, resources for
biometrics activities have been provided primarily through individual,
initiative-by-initiative requests for supplemental funding associated
with the Global War on Terrorism. Our prior work notes that relying on
supplemental funding is not an effective means for decision makers to
plan for future years' resource needs, weigh priorities, and assess
budget trade-offs.[Footnote 23]
According to DOD officials, the use of supplemental funds creates
uncertainty surrounding the implementation of program initiatives,
since the use of supplemental funding makes it harder to compete for
resources against formally established programs and does not ensure a
predictable stream of program funding. For example, in response to U.S.
Central Command's August 2005 identification of the urgent operational
need to improve biometrics in its operations in Iraq and Afghanistan,
DOD developed a series of initiatives to address those needs, with
requirements of about $430 million. Although DOD has made progress in
initiatives such as improvements in intelligence and forensics analysis
and in fielding additional equipment for the call for an increase in
troops, it has reported that many of the initiatives have experienced
resource delays and other problems, resulting in systems continuing to
experience problems in interoperability--such as inconsistent data
formats and screening procedures--that limit DOD's ability to share,
screen, and store biometrics data in an efficient, timely manner.
According to U.S. Central Command officials, it is difficult to
quantify the impact of delays in these initiatives precisely, but time
lags in developing these capabilities hinder a commander's ability to
engage in population management and reduce the ability to seize and
exploit opportunities that may not be present later. Ultimately, such
delays can result in catching fewer insurgents and suboptimal system
performance. As of April 2008, about $275 million of the $429 million
(64 percent) required had been provided for the initiatives.
In conjunction with the previously discussed Capabilities Based
Assessment, U.S. Joint Forces Command estimated in August 2007 that
about $2.7 billion--ranging from $523.4 million to $558.7 million
annually--would be required for a designated budget for DOD biometrics
activities from fiscal years 2009 to 2013. These budget estimates
included biometrics-related operations and maintenance activities,
procurement, and research, development, test, and evaluation for all of
the military services, U.S. Northern Command, and U.S. Central Command.
According to the Director of Defense Biometrics, these budget estimates
were not validated or submitted formally to DOD's Office of the
Comptroller. Officials from this office, however, noted that approval
of such a budget would have been uncertain, given DOD's relatively
undeveloped biometrics organizational and management structures and
lack of clearly defined long-term biometrics requirements. Instead,
according to the Director of Defense Biometrics, the Principal Staff
Assistant for DOD Biometrics submitted a request and received approval
for $70 million from fiscal years 2009 to 2013 for the establishment of
a U.S. Army biometrics program associated with the Automated Biometric
Identification System, DOD's central repository of biometrics data on
non-United States persons of interest. In addition, officials from
DOD's Biometrics Task Force are continuing to develop the information
needed for a designated budget that would provide a comprehensive view
of DOD's biometrics activities. Until DOD has established a designated
budget, it will continue to experience uncertainty in obtaining
resources for its biometrics activities.
In addition to the lack of a designated budget, the Principal Staff
Assistant's authority regarding overall biometrics funding was changed
by the 2008 directive on biometrics. Initially, the 2006 memorandum
from the Deputy Secretary of Defense that established the Principal
Staff Assistant called on the Principal Staff Assistant to "approve
biometrics funding across the DOD in support of validated requirements
and approved standards and architecture." However, the 2008 directive
changed this role and provides for the Principal Staff Assistant to
"review the adequacy of biometrics funding," while giving the Executive
Committee responsibility for reviewing and approving annual program
plans and resources for biometrics activities. DOD officials told us
that some services and offices opposed the provisions in the 2006
memorandum that gave the Principal Staff Assistant authority to approve
funding of all biometrics-related activities because that would have
undercut their own funding authorities. They believed that the
potential for "coordinating" their biometrics spending through the
Executive Committee provided sufficient opportunity for Principal Staff
Assistant review.
Conclusions:
Biometrics technologies have become essential tools for supporting
DOD's warfighting and counterterrorism missions, but DOD continues to
lack clear goals and performance measures, implementing guidance to
specify how the Executive Committee will make decisions to resolve
disputes over duplication of effort or other important policy or
management issues, and a designated budget--management practices key
for program success. While each is important in its own right, these
practices also interrelate, with weaknesses in one practice reinforcing
and prolonging weaknesses in another. For example, program officials
need to establish clear, long-term biometrics goals and objectives to
provide program direction. Clear program goals and objectives are
needed to justify and prioritize budgetary resources, and in turn, such
resources are necessary to accomplish program goals. Similarly, a lack
of clear implementing guidance on how decisions to resolve important
policy or management issues are made can confuse accountability.
Officials say that some of the management weaknesses have occurred
because the department's focus on fielding biometrics systems as
quickly as possible to meet immediate, shorter-term warfighting needs
has resulted in insufficient attention to developing an overall
approach for managing dispersed biometrics activities across the
department. However, weaknesses in DOD's management of its biometrics
activities, if allowed to continue, serve to hinder DOD's ability to
effectively support its warfighting and counterterrorism missions in
the long term. For example, continuing interoperability problems among
several major biometrics systems in U.S. Central Command's area of
operations--problems involving inconsistent biometrics data formats and
screening procedures--have impeded the command's ability to share
biometrics data in an efficient, timely manner. Furthermore, according
to U.S. Central Command officials, several high-priority departmental
initiatives intended to address such problems--identified as "urgent
operational needs" in 2005 by the command--were delayed, thereby
jeopardizing the command's ability to identify and detain potential
enemy combatants. In addition, shortcomings in DOD's management of
biometrics activities may impede the department's efforts to fully
implement the June 2008 presidential directive on using biometrics
within the federal government to enhance national security, as well as
hinder DOD's ability to further develop the overall identity management
operating concept. As a result, we believe that the department needs to
take a longer-term perspective on the management of its biometrics
initiatives.
Recommendations for Executive Action:
To improve the management of DOD's biometrics activities, we recommend
that the Secretary of Defense direct the Principal Staff Assistant and
Executive Committee to (1) develop clearly defined goals and measures
of success to guide and monitor development of biometrics activities,
(2) issue implementing guidance that clarifies decision-making
procedures for the Executive Committee, and (3) work with the
Comptroller to establish a designated biometrics budget.
Agency Comments and Our Evaluation:
In written comments on a draft of this report, DOD concurred with all
of our recommendations. Also, the Director of Defense Biometrics
provided us with technical comments, which we incorporated in the
report where appropriate. DOD's written comments are reprinted in
appendix V.
DOD concurred with our first recommendation that the Secretary of
Defense direct the Principal Staff Assistant and the Executive
Committee for DOD Biometrics to develop clearly defined goals and
measures of success to guide and monitor the development of DOD's
biometrics activities. In its concurrence with this recommendation, DOD
indicated that the Executive Committee had approved a DOD Biometrics
Enterprise Strategic Plan (2008-2013) while the department was
reviewing a draft of this report. According to DOD, the strategy
includes specific goals and objectives for DOD's biometrics enterprise
and directs the development of a detailed implementation plan that
includes metrics and milestones. DOD further stated that it would
develop additional milestones and metrics for emerging biometrics
acquisitions programs in conjunction with the development of a more
formal biometrics program. We did not have an opportunity to review the
DOD Biometrics Enterprise Strategic Plan before publishing this report
and therefore did not evaluate the extent to which the plan's goals and
measures of success would help guide and monitor the development of
DOD's biometrics activities.
DOD also concurred with our second recommendation that the Secretary of
Defense direct the Principal Staff Assistant and the Executive
Committee for DOD Biometrics to issue implementing guidance that
clarifies decision-making procedures for the Executive Committee. In
its concurrence with this recommendation, DOD noted that the Executive
Committee had initiated the development of an implementation
instruction to clarify and provide details about the governing process
for DOD biometrics. The department expects approval of this guidance in
fiscal year 2009.
Finally, DOD concurred with our third recommendation that the Secretary
of Defense direct the Principal Staff Assistant and the Executive
Committee for DOD Biometrics to work with the department's Comptroller
to establish a designated biometrics budget. In its concurrence, DOD
agreed with the need for defined biometrics programs and associated
funding lines. The department stated that it had established a discrete
biometrics science and technology program in fiscal year 2008 in order
to focus biometrics technology development within a primary program. In
addition, DOD stated that it had taken significant steps, such as its
ongoing Capabilities Based Assessment of biometrics, to transition its
biometrics acquisition efforts into more structured programs with
associated funding lines. The department intends to initiate such
biometrics programs in fiscal year 2010. However, noting that
biometrics is an enabling technology that supports many departmental
capabilities, DOD intends to establish multiple discrete programs with
associated funding lines, rather than a single funding line that
encompasses all DOD investments in biometrics technology, systems, and
programs. In our view, however, pursuing an approach involving multiple
funding lines, DOD should ensure that the funding lines are clearly
linked to specific biometrics program objectives and that they provide
a consolidated view of the resources devoted to biometrics activities
throughout the department.
We are sending copies of this report to the Secretary of Defense and to
interested congressional committees. Copies of this report will also be
made available to others upon request. In addition, this report will be
available at no charge on the GAO Web site at [hyperlink,
http://www.gao.gov].
If you have any questions concerning this report, please contact me at
(202) 512-5431 or dagostinod@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this report. Key contributors to this report are included in
appendix VI.
Signed by:
Davi M. D'Agostino:
Director, Defense Capabilities and Management:
[End of section]
Appendix I: Scope and Methodology:
In this report, we examine the extent to which the Department of
Defense (DOD) has established biometrics goals and objectives,
implementing guidance for managing biometrics activities, and a
designated budget to provide a consolidated view of resources devoted
to DOD biometrics activities. To address this objective, we considered
leading management practices and principles related to these areas and
previously identified in prior GAO reports and analyses.[Footnote 24]
Our analysis focused primarily on DOD's management of biometrics
activities, systems, and programs associated with its current
warfighting and counterterrorism efforts, particularly those used in
U.S. Central Command's geographic area of responsibility, which
includes Iraq and Afghanistan.
In assessing DOD's efforts, we reviewed documents and interviewed
officials from a range of DOD organizations involved in conducting,
managing, or overseeing biometrics activities and funding.
Specifically, we obtained information from DOD officials representing
the Office of the Secretary of Defense (the Under Secretaries of
Defense for Acquisition, Technology and Logistics and Intelligence,
Policy, Personnel and Readiness; the Comptroller/Chief Financial
Officer; the Assistant Secretary of Defense for Networks and
Information Integration; and the Director of Administration and
Management); the military departments and services (the U.S. Army, the
U.S. Navy, the U.S. Air Force, and the Marine Corps); U.S. Joint Forces
Command; U.S. Central Command; U.S. Special Operations Command; the
Director of Defense Research and Engineering (DOD's Principal Staff
Assistant for DOD Biometrics); the Director of Defense Biometrics; the
U.S. Army (whose Secretary serves as DOD's Executive Agent for DOD
Biometrics); the DOD Biometrics Executive Committee; DOD's Identity
Protection and Management Senior Coordinating Group; DOD's Biometrics
Task Force; DOD's Program Manager for Biometrics; the Biometrics Fusion
Center; the Defense Manpower Data Center (regarding DOD's Common Access
Card); DOD's Public Key Infrastructure Program Management Office; and
the National Ground Intelligence Center. The documents we reviewed
included memorandums, directives, guidance, briefings, progress
reports, budgetary data, planning documents, charters, agendas,
reports, studies, and analyses related to biometrics activities in the
department.
To understand DOD's biometrics activities within a federal government
context, including identity management, we also obtained documents and
interviewed officials from other federal agencies and offices, such as
the Department of Homeland Security, the Department of State, the
Federal Bureau of Investigation, the Office of the Director of National
Intelligence, and the National Science and Technology Council's
Subcommittee on Biometrics and Identity Management. We also reviewed
the June 2008 national security presidential directive on the use of
biometrics to enhance national security.[Footnote 25]
We conducted this performance audit from May 2007 through September
2008 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.
[End of section]
Appendix II: DOD Actions to Improve Coordination of Biometrics:
DOD took the following actions from fiscal year 2000 through fiscal
year 2008.
In July 2000, Congress designated the Secretary of the Army as the
Executive Agent to lead, consolidate, and coordinate all biometrics
information assurance programs across DOD.[Footnote 26]
To assist the Executive Agent, DOD created, in December 2000, the
Biometrics Management Office--currently known as the Biometrics Task
Force--within the Army to consolidate oversight and management for all
biometrics technologies for DOD. In August 2002, the Department of the
Army also added another organization to coordinate its biometrics
activities by establishing the DOD Biometrics Senior Coordinating
Group. The group was intended to provide strategic guidance and to
serve as a DOD-wide coordinating group for biometrics. Members of the
group included various Office of the Secretary of Defense offices, DOD
agencies, and the military services.
In January 2004, however, DOD acknowledged the need to improve
coordination of its biometrics programs with two other closely linked
technology-based initiatives called the Common Access Card and Public
Key Infrastructure[Footnote 27] programs. To address this need, DOD
established the Identity Management Senior Coordinating Group. This
organization was to be a "cohesive DOD-wide policy, requirements,
strategy, and oversight group" for managing biometrics and the other
two initiatives and replaced the existing oversight and coordination
bodies for these initiatives (including the Biometrics Senior
Coordinating Group). In establishing this new coordinating group, the
Assistant Secretary of Defense for Networks and Information Integration
acknowledged that the lack of an overarching management vision had
impeded development of DOD-wide requirements for a biometrics program.
In response to the continuing problems in biometrics, the Deputy
Secretary of Defense established the position of Principal Staff
Assistant for DOD Biometrics in the Office of the Under Secretary of
Defense for Acquisition, Technology and Logistics on October 4, 2006.
The memorandum establishing the Principal Staff Assistant laid out a
strong role for the office, providing it "with responsibility for the
authority, direction, and control of DOD biometrics programs,
initiatives, and technologies." The memorandum called for the Principal
Staff Assistant to "develop and coordinate DOD biometrics policy" and
to "approve biometrics funding across the DOD in support of validated
requirements and approved standards and architecture." The memorandum
also called for development of a DOD biometrics directive and the
establishment of the Executive Committee for DOD Biometrics to support
the Principal Staff Assistant and help ensure "timely and vigorous
action." The memorandum continued the Secretary of the Army's
designation as Executive Agent for DOD's biometrics programs.
DOD finalized DOD Directive 8521.01E on DOD Biometrics in February
2008, which superseded the 2006 memorandum. The directive laid out
general organizational responsibilities for biometrics and established
broad DOD policy, such as the need to fully integrate biometrics into
DOD operations, eliminate unwarranted duplication and overlap of
efforts, and ensure that biometrics capabilities are developed to be
interoperable with other identity management capabilities and systems.
One of the initial acts of the Principal Staff Assistant was to call
for a comprehensive assessment of the shortfalls in departmentwide
biometrics activities and the needed solutions. That study, the
Capabilities Based Assessment of biometrics in support of identity
management, was originally scheduled to be completed by August 2007.
However, the assessment continues and is expected to be completed in
late fall 2008. According to DOD officials, the rapid development of
biometrics capabilities simply outran the policy framework needed to
support it.
[End of section]
Appendix III: GAO Management Letter to the Secretary of Defense:
United States Government Accountability Office:
Washington, DC 20548:
December 13, 2007:
The Honorable Robert M. Gates:
The Secretary of Defense:
Dear Mr. Secretary:
As you know, we are currently reviewing the Department of Defense‘s
(DOD‘s) use of biometrics to improve identity management. This work is
being done at the request of the Chairmen and Ranking Members of the
House Armed Services Committee‘s Subcommittees on Readiness and on
Terrorism and Unconventional Threats and Capabilities (engagement code
351028). Specifically, the Subcommittees asked us to review DOD‘s
approach to planning and implementing its biometrics and identity
management activities, as well as DOD‘s efforts to coordinate such
activities within the Department and with other federal agencies. We
expect to issue a comprehensive report on these issues in the fall of
2008.
During the course of our review, we evaluated DOD‘s ongoing efforts to
develop a DOD directive for Defense biometrics, as called for by the
Deputy Secretary of Defense‘s memorandum on Defense Biometrics dated
October 4, 2006. The memorandum called for significant changes to DOD‘s
framework for coordinating its biometrics and identity management
activities, including the designation of a Principal Staff Assistant
(PSA) with responsibility for the authority, direction, and control
over DOD‘s biometrics activities.
The purpose of this letter is to request that you clarify the intended
scope of authority for the PSA, and to urge you to ensure that the
final directive provides the PSA with sufficient authority to improve
the coordination and direction of DOD‘s biometrics initiatives. Based
on our analysis of the memorandum and the two draft versions of the
directive (Number 8521.aaE), we are concerned that the current version
of the draft directive would not provide the new PSA for Biometrics
with clear authority to direct and oversee DOD‘s widely dispersed
biometrics initiatives as called for in the Deputy Secretary‘s
memorandum.
Such clear authority for the PSA is important to enable DOD to address
past problems in its coordination and oversight of biometrics
initiatives. DOD has struggled for years to develop a coordinated,
cohesive approach to managing the many biometrics initiatives dispersed
throughout the Department. These efforts date back at least to July
2000, when the Congress passed Public Law 106-246 directing DOD to
designate the Army as the ’Executive Agent“ to lead, consolidate, and
coordinate all biometrics programs across DOD. Shortly after, the
Secretary of Defense created the Biometrics Management Office (BMO)--
now known as the Biometrics Task Force--within the Army, to consolidate
oversight and management for all biometrics technologies for DOD, and
the Biometrics Fusion Center to test, evaluate, and integrate such
technologies. Some twenty months later, in August 2002, the Department
of the Army added another coordinating organization, announcing that it
was establishing a DOD Biometrics Senior Coordinating Group to provide
strategic guidance to the BMO and to serve as a DOD-wide coordinating
group for biometrics.
Again in January 2004, DOD acknowledged the need to improve
coordination of the biometrics programs and two other closely linked
initiatives called the Common Access Card and Public Key Infrastructure
programs. To address this need, the Assistant Secretary of Defense for
Networks and Information Integration established an Identity Management
Senior Coordinating Group (IMSCG) to manage and oversee the three
initiatives as one coordinated venture across DOD. The Group was to be
a ’cohesive DOD-wide policy, requirements, strategy, and oversight
group“ for managing biometrics and the other two initiatives. Shortly
thereafter in February 2004, the Assistant Secretary also acknowledged
that the lack of an overarching identity management vision had impeded
development of DOD-wide requirements for a biometrics program, as well
as the Public Key Infrastructure and Common Access Card programs, and
directed the IMSCG to formulate a DOD-wide corporate vision for
identity management, including biometrics initiatives.
Despite these efforts, DOD organizations have continued to report
problems in DOD‘s coordination and management of biometrics activities.
For example, in an August 2005 ’Joint Urgent Operational Need Statement
for a Joint Biometrics Solution in Support of Operations,“ the U.S.
Central Command reported on the ’lack of a comprehensive management
approach to the development and implementation of biometrics
technology,“ with DOD services and agencies fielding multiple
biometrics systems at varying levels of interoperability. In its review
of biometrics systems and processes used in the U.S. Central Command‘s
area of responsibility, a ’Biometrics Tiger Team“ reported numerous
instances of questions about biometrics leadership in June 2006.
Similarly, in April 2006, the Under Secretary of Defense requested that
the Defense Science Board (DSB) form a Task Force to study the Defense
Biometrics Program, citing the ’reactive“ and ’ad hoc“ nature of DOD‘s
management of biometrics initiatives since the terrorist attacks of
September 11, 2001. The Task Force provided DOD with an interim
briefing on the immediate organizational needs”including the need for a
Principal Staff Assistant for Biometrics”in May 2006, and its final
report in March 2007. In its final report, the Task Force reported that
the ’Operational responsiveness, organization, coordination, [and]
programmatics [of DOD‘s biometrics activities]—all showed serious
deficiencies—“ Among its various recommendations, the Task Force called
for DOD to clarify, strengthen, and reassign roles, responsibilities,
and authorities of DOD components involved in managing biometrics
initiatives.
In response to concerns such as those cited in the DSB report, the
Deputy Secretary of Defense issued a memorandum on Defense Biometrics
on October 4, 2006. Among its key provisions, the memorandum designated
the Director of Defense Research and Engineering (DDR&E), under the
Under Secretary of Defense for Acquisition, Technology, and Logistics
(USD(AT&L)), as DOD‘s Principal Staff Assistant (PSA) for Biometrics
’with responsibility for the authority, direction, and control of DOD
biometrics programs, initiatives, and technologies.“ The memorandum
called for the PSA, with the assistance of a newly established Director
for Defense Biometrics, to ’develop and coordinate DOD biometrics
policy“ through the USD(AT&L) and to ’approve biometrics funding across
the DOD in support of validated requirements and approved standards and
architecture.“
The memorandum also called for the establishment of an Executive
Committee for Biometrics to support the PSA with high-level
representatives from the Department‘s policy, operations, intelligence,
personnel, acquisition, and information communities, as well as the
military departments. In addition, the memorandum continued the
Secretary of the Army‘s designation as Executive Agent for DOD‘s
biometrics programs, with responsibility for ensuring that biometric
data are fully accessible to required users and for supporting the
implementation of joint biometrics capabilities, including joint
standards, architecture, and research and development activities.
Finally, the memorandum called for DDR&E to lead the development of a
DOD directive implementing the provisions of the memorandum and
delineating the roles and responsibilities of relevant DOD
stakeholders. In July 2007, DDR&E submitted an initial draft of this
directive -- DOD Directive 8521.aaE on ’the DOD Biometrics Program“ --
to relevant DOD offices and military services for formal coordination,
review, and comment. Although the comments received from these
stakeholders covered a range of issues, several of them – including
some categorized as ’critical“ nonconcurrence -- reflected concerns
over the extent of the PSA‘s oversight authorities. In order to address
these comments and concerns and obtain full concurrence from the DOD
stakeholders, DDR&E subsequently drafted a revised version of the
directive in September 2007.
Based on our review of the draft versions of the directive, we are
concerned that certain provisions in the latest version do not appear
fully consistent with the Deputy Secretary of Defense‘s memorandum of
October 4, 2006. In particular, provisions in the current draft would
provide the PSA with considerably less authority to oversee and
coordinate DOD‘s biometrics initiatives than originally called for in
the memorandum. As previously mentioned, such authority for the PSA is
important if DOD is to develop a coordinated, cohesive approach to
managing its various biometric initiatives.
The memorandum, for example, called for the PSA to approve biometrics
funding across DOD, including the spending plans of DOD components for
executing their biometrics programs. However, the current draft of the
Directive indicates that the DDR&E would only ’review the adequacy of
biometrics funding across the DOD—“ The memorandum also called for the
PSA to coordinate DOD biometrics policy department-wide. In three
instances, however, provisions in the current draft of the Directive
were either added or modified from those in the initial draft to
require only that DOD offices would coordinate their biometrics-related
programs and budget through their participation in the Executive
Committee for Biometrics, rather than directly with the PSA. Similarly,
in three instances, provisions in the initial draft of the Directive
that called for DOD offices to support or coordinate directly with the
PSA on certain issues were deleted from the current draft.
According to DOD officials, these changes reflect concerns expressed by
some military services and DOD offices involved in the development of
the Directive over the extent of the PSA‘s responsibilities and
authorities. For example, officials told us that some services and
offices opposed the provisions giving the PSA authority to approve
funding of all biometrics-related activities, because that would have
conflicted with their own funding authorities, already established
under Title 10 of the U.S. Code. They believed that the potential for
coordinating their biometrics spending through the Executive Committee
provided sufficient opportunity for PSA review. However, this approach
provides no formal mechanism for review and approval and does not
prevent DOD organizations from spending on biometrics activities in
ways that may not be consistent with DOD-wide views of the PSA.
Officials told us that in the case of disagreements, the PSA would be
free to raise his concerns to the DOD Comptroller, Deputy Secretary, or
Secretary of Defense. Some officials also indicated that the Executive
Committee should play a greater role than the PSA or EA in providing
strategic guidance and direction, since its decisions reflect consensus
from high-level representatives of all relevant DOD services and
offices. One official stated that it would be inappropriate for the EA,
acting on behalf of the PSA, to provide direction to other offices
operating at the secretarial level, when the EA itself was not a
secretarial level organization in the Department of the Army.
Although we appreciate such concerns and recognize that the directive
would represent an important step in improving DOD‘s management of its
biometrics activities, we note that the Deputy Secretary of Defense‘s
memorandum clearly intended for the PSA to have ’responsibility for the
authority, direction, and control of DOD biometrics programs,
initiatives, and technologies“ and to ’approve biometrics funding
across the DOD—“ The lack of integration, discipline and leadership
have consistently been identified as problems hampering progress in the
biometrics program. We are concerned that if the PSA does not have the
requisite authority needed to resolve potential conflicts of interest
among DOD services and offices over the strategic direction or funding
of biometrics initiatives, DOD will again be in the same position.
Furthermore, resolving such conflicts through the DOD Comptroller, the
Deputy Secretary of Defense, or the Secretary of Defense -- as proposed
by some DOD services and offices -- would appear to contradict the
leadership role for the PSA envisioned in the Deputy Secretary of
Defense‘s memorandum.
In light of these differences, we request that you clarify DOD‘s
intended scope of oversight authority for the PSA and urge you to
ensure that DOD‘s final directive provides the PSA with sufficient
authority to improve the coordination and direction of DOD‘s biometrics
initiatives. This is particularly important as DOD seeks to integrate
its biometrics initiatives within the broader framework of identity
management and identity superiority in the future. Please direct your
response, and any questions you or your staff may have, to me at (202)
512-5431 or DAgostinoD@gao.gov, or to David Artadi of my staff at (404)
679-1989 or ArtadiD@gao.gov. We are sending copies of this letter to
the House Armed Services Committee, Subcommittees on Readiness and
Terrorism, Unconventional Threats and Capabilities.
Sincerely yours,
Signed by:
Davi M. D‘Agostino, Director:
Defense Capabilities and Management:
[End of section]
Appendix IV: DOD Response to GAO Management Letter:
The Under Secretary Of Defense:
Acquisition, Technology And Logistics:
3010 Defense Pentagon:
Washington, DC 20301-3010:
February 13, 2008:
Mr. Davi M. D'Agostino"
Director, Defense Capabilities and Management:
U.S. Government Accountability Office:
Washington, DC 20548:
Dear Mr. D'Agostino:
Thank you for your letter to the Secretary of Defense concerning the
authorities assigned to the Principal Staff Assistant for DoD
Biometrics. Your letter correctly highlights the need to have clear
authorities assigned to ensure effective development and coordination
of DoD biometrics capabilities. The policy and governance structure
that is outlined in the draft DoD Directive 8521.aaE provides the
Director, Defense Research and Engineering (DDR&E), my principal staff
assistant (PSA) for Defense Biometrics, with clear responsibilities and
strong authority to achieve an effective and enduring biometrics
capability to support Department requirements.
Prior to assignment of the PSA, there were deficiencies in the
coordination and oversight of the efforts being independently
undertaken by the various DoD components dating back to July 2000. In
view of the expanding operational value of biometrics, DDR&E was
assigned as the PSA with authority to control, direct and, ultimately,
mature the DoD biometrics programs. Although not specifically stated in
the October 2006 Deputy Secretary of Defense memorandum, a critical
implied responsibility of the PSA was to transition the various ad hoc
biometrics efforts into the Department's mainstream acquisition process
with its inherent and strict oversight authorities.
The directive as drafted does not diminish the PSA authority; it
establishes structures and processes through which to exercise that
authority in an efficient and transparent manner consistent with DoD
Joint Capability Development and acquisition guidelines. Although the
language of the memorandum and the draft directive are different, the
authorities of the PSA have not been diminished. The PSA continues to
execute approval authority over component programs and resources, but
that authority will be executed through the biometrics Executive
Committee (EXCOM), chaired by the PSA, thereby ensuring transparency
and full coordination of the Department's biometrics programs.
Additionally, the draft directive makes all components responsible and
accountable to the PSA for reviewing all biometrics requirements and
programs and submitting such to the EXCOM for review and approval. To
provide the requisite programmatic discipline for this enduring
capability, the directive further requires full compliance with DoD
acquisition guidelines and directs the Army as the Executive Agent to
appoint a Program Manager accountable through the Army Acquisition
Executive. To further ensure component compliance, the directive
further requires the PSA to submit an annual report to the Secretary of
Defense on the adequacy of the program's assignments, arrangements, and
funding. All of these controls serve to strengthen the oversight of our
biometrics programs and provide the PSA with the tools he needs to hold
all components accountable for compliance.
The desired outcome of our biometrics directive is an effective
management structure, consistent with Department and regulatory
acquisition guidance. The Secretary of the Army has clear
responsibility and authority as Executive Agent for managing common
Department-wide biometrics functions while requiring the many DoD
components to fully coordinate their activities and gain approval prior
to program initiation or procurement actions.
Under DDR&E's leadership this past year, we have begun to normalize the
acquisition and operation of biometrics technologies within the
Department resulting in much improved performance and maintainability
of our systems. We are conducting a full Capability-Based Assessment to
enhance development, and the Services are planning for these
capabilities in their programs and developing their own internal
management structures. The roles and responsibilities assigned to the
DoD components, with oversight provided by the PSA as outlined in the
draft directive, is not only adequate, but provides the best path for
stabilizing the management of this important technical capability as
its value to DoD expands.
My point of contact is Mr. Tom Dee, Director Defense Biometrics, at 703-
746-1385.
Sincerely,
Signed by:
John J. Young, Jr.
[End of section]
Appendix V: Comments from the Department of Defense:
Director Of Defense Research And Engineering:
3030 Defense Pentagon:
Washington, D.C. 20301-3030:
September 12, 2008:
Mrs. Davi M. D'Agostino:
Director, Defense Capabilities and Management:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, DC 20548:
Dear Mrs. D'Agostino:
This is the Department of Defense (DoD) response to the GAO draft
report, GAO-08-1065, "Defense Management: DoD Needs to Establish Clear
Goals and Objectives, Guidance, and a Designated Budget to Manage Its
Biometrics Activities," dated August 13, 2008 (GAO Code 351028).
The Department concurs with the need for continued improvement of the
management processes which govern the Department's biometrics programs.
The establishment of clear program goals and objectives and the
issuance of implementing guidance for DOD Directive 8521.01E (Defense
Biometrics) were identified as priorities by the Department's
Biometrics Executive Committee and the establishment of programmed
funding for the biometrics programs is the subject of an ongoing review
by the Department.
The Department also agrees with GAO's comments concerning the
interrelationship of the three recommendations. Designated program
funding requires clear program requirements, objectives and milestones.
These objectives and milestones, however, cannot be attained without
adequate program funding. To accurately assess the scope of our
biometrics programs and to enable the initiation of formal biometrics
programs of record, the Department initiated a capabilities based
assessment that will be concluded shortly. This assessment will
objectively identify priority capability gaps, recommend solutions to
overcome those gaps and inform our decision as to how to best structure
our acquisition efforts and the associated funding.
Sincerely,
Signed by:
Alan R. Shaffer:
Principal Deputy:
Enclosure: As stated:
GAO Draft Report Dated August 13, 2008:
GAO-08-1065 (GAO Code 351028):
"Defense Management: DoD Needs To Establish Clear Goals and Objectives,
Guidance and a Designated Budget To Manage Its Biometrics Activities"
Department Of Defense Comments To The GAO Recommendations:
Recommendation 1: That the Secretary of Defense direct the Principal
Staff Assistant and the Executive Committee to develop clearly defined
goals and measures of success to guide and monitor development of
biometrics activities.
DOD Response: Concur. The establishment of clear program goals and
objectives and the associated metrics and milestones was identified as
a priority by the Department's Biometrics Executive Committee which
approved the DoD Biometrics Enterprise Strategic Plan (2008-2013) at
its 27 Aug 2008 quarterly meeting. This strategy includes specific
goals and objectives for our biometrics enterprise and directs the
development of a detailed implementation plan, currently in progress,
which includes metrics and milestones. Milestones and metrics for
emerging biometrics acquisition programs will be developed and approved
coincident to the development of biometrics programs of record and
consistent with defense acquisition guidelines.
Recommendation 2: That the Secretary of Defense direct the Principal
Staff Assistant and the Executive Committee to issue implementing
guidance that clarifies decision-making procedures for the Executive
Committee.
DOD Response: Concur. The Department's Executive Committee initiated
the development of an implementation instruction to clarify and detail
the governing process for the Department's biometrics enterprise.
Approval of this guidance is expected in FY 2009.
Recommendation 3: That the Secretary of Defense direct the Principal
Staff Assistant and the Executive Committee to work with the
Comptroller to establish a designated biometrics budget.
DOD Response: Concur. The Department concurs with the need for defined
biometrics programs and associated funding lines in order to provide
the structure to succeed within our acquisition processes and the
predictability upon which to build and gauge our capabilities. To that
end, the Department established a discrete biometrics Science and
Technology program in FY08 in order to better focus biometrics
technology development within a primary program. Similarly, we have
taken significant steps to transition our biometrics acquisition
efforts into formal programs of record with associated funding lines.
We will shortly complete a Biometrics Capabilities Based Assessment
that defines our priority capability gaps and proposes both material
and non-material solutions. The Army and Navy both initiated follow-on
Capability Development Documents which will form the basis of our
biometrics programs of record. We are currently assessing the scope of
these programs and the requisite level of resources to support them. We
intend to have both the programs and funding in place to enable formal
program initiation in FY10. As biometrics is an enabling technology
that supports many department capabilities, however, we do not
anticipate having a single funding line that encompasses all department
investment in biometric technology, systems and programs. Rather the
intent is to establish discrete programs with associated funding lines
that best captures the program scope and purpose while providing
Department level visibility of our collective biometrics efforts.
[End of section]
Appendix VI: GAO Contact and Staff Acknowledgments:
GAO Contact:
Davi M. D'Agostino, (202) 512-5431 or dagostinod@gao.gov:
Acknowledgments:
In addition to the contact named above, Linda Kohn, Acting Director;
Lorelei St. James, Assistant Director; David Artadi; Grace Coleman;
Brian Kime; David Malkin; John Nelson (retired); and Bethann Ritter
made key contributions to this report.
[End of section]
Footnotes:
[1] While biometrics technologies have advanced security operations,
they have limitations. For example, some people working extensively at
manual labor may have fingerprints too worn to be recorded. In
addition, errors may also occur during matching operations. For this
reason some security systems may use multiple biometrics to increase
their accuracy. For a more detailed examination of biometrics accuracy
rates, see GAO, Technology Assessment: Using Biometrics for Border
Security, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-174]
(Washington, D.C.: Nov. 15, 2002).
[2] In 1999, the Deputy Secretary of Defense issued a memorandum
directing the implementation of a standard smart-card-based
identification system for all active duty military personnel, DOD
civilian employees, and eligible contractor personnel, to be called the
Common Access Card.
[3] Department of Defense, Capstone Concept of Operations for DOD
Biometrics in Support of Identity Superiority (Washington, D.C.:
November 2006).
[4] The White House, National Security Presidential Directive/NSPD-59,
and Homeland Security Presidential Directive/HSPD-24, Biometrics for
Identification and Screening to Enhance National Security (Washington,
D.C.: June 5, 2008).
[5] Unnumbered letter to the Secretary of Defense dated December 13,
2007. See app. III.
[6] GAO, Defense Management: DOD Needs to Establish More Guidance for
Biometrics Collection and Can Explore Broadening Data Sharing,
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-430NI]
(Washington, D.C.: May 21, 2008).
[7] GAO, Combating Terrorism: Evaluation of Selected Characteristics in
National Strategies Related to Terrorism, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-04-408T] (Washington, D.C.: Feb.
3, 2004); Determining Performance and Accountability Challenges and
High Risks, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-159SP]
(Washington, D.C.: November 2000); and Executive Guide: Effectively
Implementing the Government Performance and Results Act, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO/GGD-96-118] (Washington, D.C.:
June 1996).
[8] Deputy Secretary of Defense, Memorandum on Smart Card Adoption and
Implementation (Washington, D.C.: Nov. 10, 1999). Smart cards are
plastic devices about the size of a credit card that use integrated
circuit chips to store and process data, much like a computer.
[9] Biometrics Tiger Team of the Executive Agent for DOD Biometrics,
Biometrics Tiger Team Trip Report 23 April - 5 May 2006 (Washington,
D.C.: June 28, 2006).
[10] Defense Science Board, Report of the Defense Science Board Task
Force on Defense Biometrics (Washington, D.C.: March 7, 2007). This
report was requested by the Under Secretary of Defense for Acquisition,
Technology and Logistics on April 13, 2006.
[11] Pub. L. No. 106-246, § 112 (2000).
[12] Department of Defense Directive 8521.01E, Department of Defense
Biometrics (Feb. 21, 2008).
[13] Defense Science Board, Report of the Defense Science Board Task
Force on Defense Biometrics.
[14] To date, the Subcommittee on Biometrics and Identity Management
has published the following documents on biometrics: National Science
and Technology Council Subcommittee on Biometrics and Identity
Management, The National Biometrics Challenge (Washington, D.C.: August
2006); NSTC Policy for Enabling the Development, Adoption, and Use of
Biometrics Standards (Washington, D.C.: Sept. 7, 2007); and Privacy and
Biometrics: Building a Conceptual Foundation (Washington, D.C.: Sept.
15, 2006).
[15] See [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-408T],
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-159SP], and
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/GGD-96-118].
[16] See [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-408T],
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-159SP], and
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/GGD-96-118].
[17] In January 2006, DOD's Director of Defense Research and
Engineering issued a memorandum requesting that DOD conduct an in-depth
Capabilities Based Assessment of the gaps in the department's overall
biometrics capabilities.
[18] GAO, High-Risk Series: An Update, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-07-310] (Washington, D.C.:
January 2007).
[19] Biometrics Tiger Team of the Executive Agent for DOD Biometrics,
Biometrics Tiger Team Trip Report 23 April - 5 May 2006.
[20] See GAO, Defense Acquisitions: Better Weapon Program Outcomes
Require Discipline, Accountability, and Fundamental Changes in the
Acquisition Environment, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-08-782T] (Washington, D.C.: June 3, 2008). The
testimony, based on a body of GAO work on DOD's acquisitions processes,
states that at the strategic level, DOD's processes for identifying
warfighter needs, allocating resources, and developing and procuring
weapon systems--which together define DOD's overall weapon system
investment strategy--are fragmented and broken. At the program level,
the testimony states that weapon system programs are initiated without
sufficient knowledge about system requirements, technology, and design
maturity.
[21] U.S. Joint Forces Command, Joint Capabilities Document (JCD):
Biometrics in Support of Identity Management (Norfolk, Va.: Feb. 15,
2008). The report summarizes the results of one phase of the
Capabilities Based Assessment led by the command at the request of the
Director of Defense Research and Engineering, and identifies
capabilities and appropriate tasks that are useful in defining the
operational needs for biometrics technology in support of identity
assurance--an element of identity management--across the range of
military operations.
[22] See [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-408T],
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-159SP], and
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/GGD-96-118].
[23] GAO, Global War on Terrorism: DOD Needs to Take Action to
Encourage Fiscal Discipline and Optimize the Use of Tools Intended to
Improve GWOT Cost Reporting, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-08-68] (Washington, D.C.: Nov. 6, 2007); Defense
Infrastructure: Actions Needed to Guide DOD's Efforts to Identify,
Prioritize, and Assess Its Critical Infrastructure, [hyperlink,
http://www.gao.gov/cgi-bin/getrpt?GAO-07-461] (Washington, D.C.: May
24, 2007); and Securing, Stabilizing, and Rebuilding Iraq: Key Issues
for Congressional Oversight, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-07-308SP] (Washington, D.C.: Jan. 9, 2007).
[24] See [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-408T],
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-159SP], and
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/GGD-96-118].
[25] The White House, National Security Presidential Directive/NSPD-59,
and Homeland Security Presidential Directive/HSPD-24, Biometrics for
Identification and Screening to Enhance National Security.
[26] Pub. L. No. 106-246, § 112 (2000).
[27] Public Key Infrastructure is a system of hardware, software,
policies, and people that when fully and properly implemented, can
provide a suite of information security assurances--including
confidentiality, data integrity, and authentication--important in
protecting sensitive communications.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
