Homeland Security
Risks Facing Key Border and Transportation Security Program Need to Be Addressed Gao ID: GAO-04-569T March 18, 2004US-VISIT (United States Visitor and Immigrant Status Indicator Technology) is a governmentwide program to enhance national security, facilitate legitimate trade and travel, contribute to the integrity of the U.S. immigration system, and adhere to U.S. privacy laws and policies by (1) collecting, maintaining, and sharing information on certain foreign nationals who enter and exit the United States; (2) identifying foreign nationals who (1) have overstayed or violated the terms of their visit; (2) can receive, extend, or adjust their immigration status; or (3) should be apprehended or detained by law enforcement officials; (3) detecting fraudulent travel documents, verifying traveler identity, and determining traveler admissibility through the use of biometrics; and (4) facilitating information sharing and coordination within the border management community. GAO was asked to testify on its completed work on the nature, status, and management of the USVISIT program.
The US-VISIT program is inherently risky, both because of the type of program it is and because of the way it is being managed. First, US-VISIT is inherently risky because it is to perform a critical, multifaceted mission, its scope is large and complex, it must meet a demanding implementation schedule, and its potential cost is enormous. That is, one critical aspect of the program's mission is to prevent the entry of persons who pose a threat to the United States; failing in this mission could have serious consequences. To carry out this mission, the program aims to control the pre-entry, entry, status, and exit of millions of travelers--a large and complex process. In addition, through legislative mandate, it has challenging milestones (such as the system being implemented at all U.S. ports of entry by December 31, 2005). Finally, DHS estimated that the program would cost $7.2 billion through fiscal year 2014, but this estimate did not include all costs and underestimated some others. All these factors add risk. Second, several factors related to the program's management increase the risk of not delivering mission valued commensurate with costs or not delivering defined program capabilities on time and within budget. For example, the program is to rely initially on integrating existing systems with reported problems that could limit US-VISIT performance. In addition, the requirements for interim facilities at high-volume land ports of entry are not only demanding, they are based on assumptions that, if altered, could significantly affect facility plans. Further, DHS did not define the benefits versus costs of near-term program increments (that is, the interim versions of the program that are being pursued while the final version is being defined). Addressing these issues is the responsibility of the program office, which however was not adequately staffed, had not clearly defined roles and responsibilities for its staff, and had not established key processes for managing the acquisition and deployment of US-VISIT. Despite the program management challenges confronting US-VISIT, the first increment was deployed at the beginning of this year. However, the program still faces a number of risks, including the ones described above. To address these, GAO has made a series of recommendations regarding the planned scope of US-VISIT and its management. Addressing the identified risks increases the likelihood that the deployment of US-VISIT will be successful--the predictable outcome of sound management of a welljustified and designed program.
GAO-04-569T, Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed
This is the accessible text file for GAO report number GAO-04-569T
entitled 'Homeland Security: Risks Facing Key Border and Transportation
Security Program Need to Be Addressed' which was released on March 18,
2004.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Subcommittee on Immigration, Border Security, and Claims,
House Committee on the Judiciary:
United States General Accounting Office:
GAO:
For Release on Delivery Expected at 10:00 a.m. EST:
Thursday, March 18, 2004:
Homeland Security:
Risks Facing Key Border and Transportation Security Program Need to Be
Addressed:
Statement of Randolph C. Hite, Director, Information Technology
Architecture and Systems Issues:
GAO-04-569T:
GAO Highlights:
Highlights of GAO-04-569T, a testimony before the Subcommittee on
Immigration, Border Security, and Claims, House Committee on the
Judiciary:
Why GAO Did This Study:
US-VISIT (United States Visitor and Immigrant Status Indicator
Technology) is a governmentwide program to enhance national security,
facilitate legitimate trade and travel, contribute to the integrity of
the U.S. immigration system, and adhere to U.S. privacy laws and
policies by collecting, maintaining, and sharing information on certain
foreign nationals who enter and exit the United States; identifying
foreign nationals who (1) have overstayed or violated the terms of
their visit; (2) can receive, extend, or adjust their immigration
status; or (3) should be apprehended or detained by law enforcement
officials; detecting fraudulent travel documents, verifying traveler
identity, and determining traveler admissibility through the use of
biometrics; and facilitating information sharing and coordination
within the border management community.
GAO was asked to testify on its completed work on the nature, status,
and management of the US-VISIT program.
What GAO Found:
The US-VISIT program is inherently risky, both because of the type of
program it is and because of the way it is being managed.
First, US-VISIT is inherently risky because it is to perform a
critical, multifaceted mission, its scope is large and complex, it must
meet a demanding implementation schedule, and its potential cost is
enormous. That is, one critical aspect of the program's mission is to
prevent the entry of persons who pose a threat to the United States;
failing in this mission could have serious consequences. To carry out
this mission, the program aims to control the pre-entry, entry, status,
and exit of millions of travelers--a large and complex process. In
addition, through legislative mandate, it has challenging milestones
(such as the system being implemented at all U.S. ports of entry by
December 31, 2005). Finally, DHS estimated that the program would cost
$7.2 billion through fiscal year 2014, but this estimate did not
include all costs and underestimated some others. All these factors add
risk.
Second, several factors related to the program's management increase
the risk of not delivering mission valued commensurate with costs or
not delivering defined program capabilities on time and within budget.
For example, the program is to rely initially on integrating existing
systems with reported problems that could limit US-VISIT performance.
In addition, the requirements for interim facilities at high-volume
land ports of entry are not only demanding, they are based on
assumptions that, if altered, could significantly affect facility
plans. Further, DHS did not define the benefits versus costs of near-
term program increments (that is, the interim versions of the program
that are being pursued while the final version is being defined).
Addressing these issues is the responsibility of the program office,
which however was not adequately staffed, had not clearly defined roles
and responsibilities for its staff, and had not established key
processes for managing the acquisition and deployment of US-VISIT.
Despite the program management challenges confronting US-VISIT, the
first increment was deployed at the beginning of this year. However,
the program still faces a number of risks, including the ones described
above. To address these, GAO has made a series of recommendations
regarding the planned scope of US-VISIT and its management. Addressing
the identified risks increases the likelihood that the deployment of
US-VISIT will be successful--the predictable outcome of sound
management of a well-justified and designed program.
For more information, contact Randolph C. Hite at (202) 512-3870 or
hiter@gao.gov.
[End of section]
Mr. Chairman and Members of the Subcommittee:
We appreciate the opportunity to participate in the Subcommittee's
hearing on US-VISIT (the United States Visitor and Immigrant Status
Indicator Technology), a large, complex program that is intended to
achieve a daunting set of goals: it is to enhance homeland security and
the integrity of the U.S. immigration system, and at the same time it
is to facilitate legitimate border crossing and protect privacy. To
achieve these goals, US-VISIT relies on information technology, as well
as people, processes, and facilities.
The genesis of US-VISIT was in 1996, when the Congress passed
legislation that directed the former Immigration and Naturalization
Service (INS) to develop a system to monitor the entry and exit of
foreign nationals visiting this country.[Footnote 1] As a result of
this and later related legislative direction,[Footnote 2] efforts were
begun in 2002 to develop the system now known as US-VISIT.
Subsequently, INS was merged into the Department of Homeland Security
(DHS), which is now responsible for developing and implementing the US-
VISIT program.
In the last three appropriations acts governing the development and
implementation of US-VISIT,[Footnote 3] the Congress prohibited the
INS, and later DHS, from obligating funds until the agency submitted to
the Senate and House Committees on Appropriations expenditure plans
that met several conditions, including being reviewed by GAO. We have
accordingly issued two reports on US-VISIT[Footnote 4] and will shortly
be issuing a third to the appropriations committees. All three reports
were based on work performed in accordance with generally accepted
government auditing standards. My testimony today is based on our two
published reports and on more current public information on the program
since the reports were issued.
Results in Brief:
The overall message of our testimony today is that the US-VISIT program
is risky, both because of the type of program it is and because of the
way it is being managed. US-VISIT is a large, complex, and expensive
program aimed at supporting a multifaceted mission-critical area; thus,
it is an intrinsically challenging effort. Several aspects of the
program increase the risk that it will not meet its goals or its cost,
schedule, and performance commitments:
* Multifaceted, critical mission. The program aims to prevent the entry
of persons who pose a threat to the United States. Besides this
critical security mission, the program also aims to achieve law
enforcement goals regarding visa violations, while facilitating
legitimate trade and travel and adhering to U.S. privacy laws and
policies.
* Large and complex scope. Controlling the pre-entry, entry, status,
and exit of millions of travelers is a large and complex process.
* Challenging milestones. Progress and current status of the program
make it difficult to satisfy legislatively mandated milestones: for
example, that US-VISIT be implemented at all ports of entry by December
31, 2005.[Footnote 5]
* Significant potential cost. In February 2003, DHS estimated that the
program would cost $7.2 billion through fiscal year 2014, but this
estimate did not include all costs and underestimated some others.
Additionally, several factors related to the program's management
increase the risk of not achieving program goals or not delivering
program capabilities on time and within budget. Our imminent report for
the appropriations committees will discuss each of these factors,
including why each is still an area of risk. Examples of the factors
that we have reported on are as follows:
* Problems with existing systems. The program is to rely initially on
existing systems with reported problems that could limit US-VISIT
performance.
* Program management capability. The program office was not adequately
staffed, roles and responsibilities had not been clearly defined, and
acquisition management processes were not yet established.
* Near-term facilities solutions. Interim facility planning for high-
volume land ports of entry must satisfy requirements that are both
demanding and based on assumptions that, if altered, could
significantly affect facility plans.
* Mission value of increments. The benefits versus costs were not yet
known of the interim versions (or increments) of the program that are
being implemented while the final version is being developed.
Our experience in reviewing large, complex, information-technology-
dependent programs in other federal agencies has shown that such
program management weaknesses typically result in these programs
falling short of expectations. Accordingly, we have made several
recommendations regarding the US-VISIT program to address these
weaknesses and risks.
Background:
The US-VISIT program is a governmentwide endeavor intended to enhance
national security, facilitate legitimate trade and travel, contribute
to the integrity of the U.S. immigration system, and adhere to U.S.
privacy laws and policies by:
* collecting, maintaining, and sharing information on certain foreign
nationals who enter and exit the United States;
* identifying foreign nationals who (1) have overstayed or violated the
terms of their visit; (2) can receive, extend, or adjust their
immigration status; or (3) should be apprehended or detained by law
enforcement officials;
* detecting fraudulent travel documents, verifying traveler identity,
and determining traveler admissibility through the use of biometrics;
and:
* facilitating information sharing and coordination within the border
management community.
The program involves interdependencies among people, processes,
technology, and facilities, as shown in figure 1.
Figure 1: People, Processes, Technology, and Facilities Involved in US-
VISIT:
[See PDF for image]
Note: GAO analysis based on DHS data.
[End of figure]
Within DHS, organizational responsibility for the US-VISIT program lies
with the Border and Transportation Security Directorate. In July 2003,
DHS established a US-VISIT program office with responsibility for
managing the acquisition, deployment, operation, and sustainment of the
US-VISIT system and supporting people (e.g., inspectors), processes
(e.g., entry exit policies and procedures), and facilities (e.g.,
inspection booths).
DHS plans to deliver US-VISIT capability incrementally. Currently, it
has defined four increments, with Increments 1 through 3 being interim
or temporary solutions, and Increment 4 being the yet-to-be-defined end
vision for US-VISIT. Increments 1 through 3 include the interfacing and
enhancement of existing system capabilities and the deployment of these
capabilities to air, sea, and land ports of entry (POE).
1. The first increment includes the electronic collection and matching
of biographic and biometric information at all major air and some sea
POEs for selected foreign travelers with non-immigrant visas.[Footnote
6] Increment 1 entry capability was deployed to 115 airports and 14
seaports on January 5, 2004. Increment 1 exit capability was deployed
as a pilot to two POEs on January 5, 2004--one airport and one
seaport.[Footnote 7]
2. The second increment is divided into two parts--2A and 2B. Increment
2A is to include the capability to process machine-readable visas and
other travel and entry documents that use biometric identifiers at all
POEs. This increment is to be implemented by October 26, 2004.
Increment 2B is to expand the Increment 1 solution for entry to
secondary inspection[Footnote 8] at the 50 highest volume land POEs by
December 31, 2004. According to the US-VISIT Request for Proposal
(RFP),[Footnote 9] 2B is also to include radio frequency (RF)[Footnote
10] capability at the 50 busiest land POEs for both entry and exit
processes.
3. Increment 3 is to expand the 2B capability to the remaining 115 land
POEs. It is to be implemented by December 31, 2005.
4. Increment 4 is the yet-to-be-defined end vision of US-VISIT, which
will likely consist of a series of capability releases.
DHS plans to award a single, indefinite-delivery/indefinite-
quantity[Footnote 11] contract to a prime contractor for integrating
existing and new business processes and technologies. DHS plans to
award the contract by May 2004. According to the RFP, the prime
contractor's scope of work is to include, but is not limited to,
Increments 2B, 3, and 4.
US-VISIT Is Inherently Risky:
By definition, US-VISIT is a risky undertaking because it is to perform
a critical mission, its scope is large and complex, it must meet a
demanding implementation schedule, and its potential cost is enormous.
Program Supports Multifaceted, Critical Mission:
In announcing the US-VISIT system, the DHS Under Secretary for Border
and Transportation Security stated that the system's goal is to "give
America a 21st Century 'smart border'--one that speeds through
legitimate trade and travel, but stops terrorists in their tracks."
Achieving these goals is daunting: the United States shares over 7,500
miles of land border with Canada and Mexico, and it has approximately
95,000 miles of shoreline and navigable waterways to protect. In fiscal
year 2002, there were about 279 million inspections of foreign
nationals at U.S. POEs. In these circumstances, preventing the entry of
persons who pose a threat to the United States cannot be guaranteed,
and the missed entry of just one can have severe consequences.
Relatedly, US-VISIT is to achieve the important law enforcement goal of
identifying those among these millions of visitors each year who
overstay or otherwise violate the terms of their visas.
Complicating achievement of these security and law enforcement goals
are other key US-VISIT goals: facilitating the movement of legitimate
trade and travel through the POEs and providing for enforcement of U.S.
privacy laws and regulations.
Scope Is Large and Complex:
US-VISIT is to provide for the interfacing of a number of existing
systems. It is also to support and refine a large and complex
governmentwide process involving multiple departments and agencies.
This process involves the pre-entry, entry, status, and exit of
hundreds of millions of foreign national travelers to and from the
United States at over 300 air, sea, and land POEs.
The interfaced systems included in Increment 1 are:
* Arrival Departure Information System (ADIS), a database that stores
traveler arrival and departure data received from air and sea carrier
manifests and that provides query and reporting functions;
* Advance Passenger Information System (APIS), a system that captures
arrival and departure manifest information provided by air and sea
carriers;
* Interagency Border Inspection System (IBIS), a system that maintains
lookout data, interfaces with other agencies' databases, and is
currently used by inspectors at POEs to verify traveler information and
modify data;
* Automated Biometric Identification System (IDENT), a system that
collects and stores biometric data about foreign visitors;
* Student Exchange Visitor Information System (SEVIS), a system that
contains information on foreign students;
* Computer Linked Application Information Management System (CLAIMS 3),
a system that contains information on foreign nationals who request
benefits, such as change of status or extension of stay; and:
* Consular Consolidated Database (CCD), a system that includes
information on whether a visa applicant has previously applied for a
visa or currently has a valid U.S. visa.
Figure 2 shows these systems and their relationships.
Figure 2: Simplified Diagram of US-VISIT Increment 1 Component Systems
and Relationships:
[See PDF for image]
[1] FIN = Fingerprint Identification Number.
[End of figure]
In addition to integrating numerous systems, US-VISIT also involves
complex processes governing the stages of a traveler's visit to the
United States: pre-entry, entry, status management, and exit. These
processes for Increment 1 are as follows:
Pre-entry process. Pre-entry processing begins with initial petitions
for visas. When the Department of State issues the travel
documentation, biographic (and in some cases biometric) data are
collected and made available to border management agencies. The
biometric data are transmitted from State to DHS, where the prints are
run against the US-VISIT IDENT biometric database to verify identity
and to check the biometric watchlist. The results of the biometric
check are transmitted back to State.
Commercial air and sea carriers are required by law to transmit crew
and passenger manifests to appropriate immigration officers before
arriving in the United States.[Footnote 12] These manifests are
transmitted through APIS. The APIS lists are run against the biographic
lookout system and identify those arrivals who have biometric data
available. In addition, POEs review the APIS list in order to identify
foreign nationals who need to be scrutinized more closely.
Entry process. When a foreign national arrives at a POE's primary
inspection booth, biographic information, such as name and date of
birth, is displayed on the bottom half of a computer workstation
screen, along with a photograph obtained from State's CCD. The
inspector at the booth scans the foreign national's fingerprints (left
and right index fingers) and takes a digital photograph. This
information is forwarded to the IDENT database, where it is checked
against stored fingerprints in the IDENT lookout database. If the
foreign national's fingerprints are already in IDENT, the system
performs a match (a comparison of the fingerprint taken during the
primary inspection to the one on file) to confirm that the person
submitting the fingerprints is the person on file. During this process,
the inspector also questions the foreign national about the purpose of
his or her travel and length of stay.
Status management process. The status management process manages the
foreign national's temporary presence in the United States, including
the adjudication of benefits applications and investigations into
possible violations of immigration regulations. ADIS matches entry and
exit manifest data to ensure that each record showing a foreign
national entering the United States is matched with a record showing
the foreign national exiting the United States. ADIS receives status
information from CLAIMS 3 and SEVIS on foreign nationals.
Exit process. The exit process includes the carriers' submission of
electronic manifest data to IBIS/APIS. This biographic information is
passed to ADIS, where it is matched against entry information. At the
two POEs where the exit pilot is being conducted, foreign nationals use
a self-serve kiosk where they are prompted to scan their travel
documentation and provide their fingerprints (right and left index
fingers). This departure record is then stored in ADIS (along with the
person's arrival record) and used to verify if a foreign national has
complied with the admission terms of his or her visa.
Milestones Are Challenging:
Key US-VISIT milestones are legislatively mandated. For example, the
Immigration and Naturalization Service Data Management Improvement Act
of 2000[Footnote 13] requires that US-VISIT be implemented at all air
and sea POEs by December 31, 2003; at the 50 highest volume land POEs
by December 31, 2004; and at all remaining POEs by December 31, 2005.
Because of limited progress during the 7 years following the
legislation that originated the entry exit system requirement, DHS
acknowledged that it could not complete permanent solutions in these
time frames, and thus it planned to implement interim (temporary)
solutions. For example, Increments 1 through 3 include the interfacing
of existing systems and the design and construction of interim
facilities at land POEs. Further, DHS officials have stated that it
will be difficult to develop and implement even the interim solutions
at some of the highest volume land POEs (such as San Ysidro,
California; Otay Mesa, California; and Laredo, Texas) by December 31,
2004, because even minor changes in the inspection time can greatly
affect the average wait time at these high-volume POEs. Moreover,
achievement of interim solutions is based on assumptions that, if
changed, could significantly affect facility and staffing plans.
Potential Cost Is Significant:
Despite DHS's estimate in February 2003, that the total overall cost of
the US-VISIT program would be about $7.2 billion through fiscal year
2014, the potential governmentwide cost of US-VISIT over just a 10-year
period could be about twice as much. Although the DHS estimate included
a wide range of costs, it omitted some costs and may have understated
others. The estimate included:
* system investment costs, such as information technology hardware and
communications infrastructure, software enhancements, and interfaces;
* the cost of facilities and additional inspectors;
* system and facilities operation and maintenance costs;
* the cost of planning, designing, and constructing permanent
facilities, which according to DHS was about $2.9 billion[Footnote 14]
(this estimate was based on the assumptions that (1) no additional
traffic lanes would be required to support the entry processes and (2)
exit facilities would mirror entry facilities--i.e., that a land POE
with 10 entry traffic lanes would require 10 exit traffic lanes);
* costs to design and construct building space to house additional
computer equipment and inspectors; and:
* costs for highway reconfiguration at land POEs.
However, the estimate did not include the costs to design and construct
interim facilities at land POEs. DHS officials estimated that the cost
of constructing the interim facilities at the 50 highest volume POEs
was about $218 million. Moreover, the estimate is based on assumptions
that, if changed, could significantly affect, for example, land POE
facility and staffing needs.
Finally, although the estimate did include the cost of implementing
biometrics, these costs are understated, because they did not include,
for example, State Department costs. Specifically, in November
2002,[Footnote 15] we reported that a rough order of magnitude estimate
of the cost to implement visas with biometrics would be between $1.3
billion and $2.9 billion initially and between $0.7 and $1.5 billion
annually thereafter. This estimate is based on certain assumptions,
including that all current visa-issuing embassies and consulates will
be equipped to collect biometrics from visa applicants. Assuming that
biometrics are implemented by December 2004, this means that the
recurring cost of having biometric visas through DHS's fiscal year 2014
life cycle period would be between $7 and $15 billion. In contrast,
DHS's estimate for the entire program through fiscal year 2014 was
about $7.2 billion.
Management of US-VISIT System Acquisition:
Compounding the risk factors inherent in the scale and significance of
the US-VISIT program are a number of others that can be attributed to
its state of management and its acquisition approach. As described in
our September 2003 report on US-VISIT, these include relying on
existing systems to provide the foundation for the first three program
increments (and thus having to accept the performance limitations of
these existing systems), not having mature program management
capabilities, not having fully defined near-term facilities solutions,
and not knowing the mission value that is to be derived from US-VISIT
increments. Our recently completed audit work for the appropriations
committees addressed each of these factors, which our next report will
discuss, including why each is still an area of risk.
Problems with Existing Systems:
The system performance of the interim releases of US-VISIT (Increments
1, 2, and 3) will depend largely on the performance of the existing
systems that are to be interfaced to create the overall system. Thus,
US-VISIT system availability and associated downtime, for example, will
be constrained by the availability of the interfaced systems. In this
regard, some of the existing systems have had availability and
reliability problems that could limit US-VISIT performance. Two
examples are SEVIS and CLAIMS 3.
Problems have been identified with the availability and reliability of
SEVIS, the system designed to manage and monitor foreign students in
the United States. For example, in April 2003, the Justice Inspector
General reported that many users had difficulty logging on to the
system, and that as the volume of users grew, the system became
increasingly sluggish.[Footnote 16] According to other reports,
university representatives complained that it was taking hours to log
on to the system and to enter a single record, or worse, that the
system accepted the record and later deleted it. We are required to
report to the House and Senate Appropriations Committees by April 1,
2004, on SEVIS performance, among other things. [Footnote 17]
We also reported in May 2001[Footnote 18] that CLAIMS 3 was unreliable.
This system contains information on foreign nationals who request
benefits and is used to process benefit applications other than
naturalization. Specifically, we reported that INS officials stated
that the system was frequently unavailable and did not always update
and store important case data when field offices transferred data from
the local system to the mainframe computer.
Program Management Capability:
Our experience with major modernization programs, like US-VISIT, shows
that they should be managed formally, which includes establishing a
program office that (1) is adequately staffed (both in numbers and
skill levels), (2) has clearly defined its staff's roles and
responsibilities, and (3) is supported by rigorous and disciplined
acquisition management processes.
DHS established a US-VISIT program office in June 2003[Footnote 19] and
determined that this office's staffing needs were, in all, 115
government and 117 contractor personnel to perform key acquisition
management functions. These functions fall into categories described by
the Software Engineering Institute's Software Acquisition Capability
Maturity Model (SA-CMM®),[Footnote 20] which defines a suite of key
acquisition process areas that are necessary for rigorous and
disciplined management of a system acquisition program. These process
areas include acquisition planning, requirements development and
management, project management, solicitation, contract tracking and
oversight, evaluation, and transition to support.
Our latest report stated that the US-VISIT program's staffing levels
were far below its stated needs. Moreover, specific roles and
responsibilities had not been defined beyond general statements.
Further, the program had not yet defined plans and associated time
frames for achieving needed staffing levels and defining roles,
responsibilities, and relationships. According to the Program Director,
positions were being filled with detailees from various DHS component
organizations.
Additionally, although the approved program office structure provided
for positions to perform the SA-CMM" key process areas (including
acquisition planning, requirements development and management, project
management, and contract tracking and oversight), none of the process
areas were defined and implemented. Until they are, the program office
must rely on the knowledge and skills of its existing staff to execute
these important acquisition functions.
According to the Program Director, needed program staffing and key
process areas were not in place because the program was just getting
off the ground, and it would take considerable time to establish a
fully functioning and mature program management capability. Until the
program office is adequately staffed, positional roles and
responsibilities are clearly defined and understood, and rigorous and
disciplined acquisition process controls are defined, understood, and
followed, DHS's efforts to acquire, deploy, operate, and maintain
system capabilities will be at risk of not producing promised
performance levels, functionality, and associated benefits on time and
within budget.
Near-Term Facilities Solutions:
Work by the Data Management Improvement Act Task Force has shown that
existing facilities do not adequately support the current entry exit
process at land POEs. In particular, more than 100 land POEs have less
than 50 percent of the required capacity to support current inspection
processes and traffic levels.[Footnote 21] As a result, as part of US-
VISIT (Increment 2), DHS plans to construct interim facilities at about
40 of the 50 highest volume land POEs by December 31, 2004, and
construct interim facilities at the remaining portion of these 50 POEs
by February 2005.
According to DHS officials, the department plans to design and
construct interim facilities to (1) support the US-VISIT inspection
process, technology, and staff requirements and (2) meet current
traffic wait time requirements at each land POE. To plan for the design
and construction of interim facilities that meet these requirements,
DHS modeled various inspection process and facilities scenarios to
define what inspection process to follow and what interim facilities to
construct. The modeling was based on two key assumptions: (1) the
current staffing level and (2) the current number of inspection booths
staffed for each POE. According to preliminary DHS modeling exercises,
small incremental increases in average inspection times at some high-
volume land POEs could significantly increase average wait times.
Moreover, any changes to decisions about which foreign travelers are
subject to US-VISIT could significantly affect these assumptions and
thus near-term facility requirements.
Mission Value of Increments:
OMB Circular Number A-11, part 7, requires that investments in major
systems be implemented incrementally, with each increment delivering
tangible and measurable benefits. Incremental investment involves
justifying investment in each increment on the basis of benefits,
costs, and risks. Although DHS is pursuing US-VISIT incrementally, it
has not defined incremental costs and benefits to justify its proposed
investments in each increment.
In the case of Increment 1, DHS' 2003 expenditure plan stated that this
increment would provide "immediate benefits," but it did not describe
them. Instead, it described capabilities to be provided, such as the
ability to determine whether a foreign national should be admitted and
to perform checks against watch lists. It did not describe in
meaningful terms the benefits that are to result from implementation of
these capabilities (e.g., X percent reduction in inspection times or Y
percent reduction in false positive matches against watch lists).
Also, DHS did not identify the estimated cost of Increment 1. The
Program Director told us that the $375 million requested in the 2003
plan included not only all the funding required for Increment 1, but
also funding for later increments. However, the plan did not separate
the funds by increment, and program officials did not provide this
information.
While DHS developed a benefits and cost analysis for the former entry
exit program in February 2003, this analysis had limitations, such as
an absence of meaningful benefit descriptions. Program officials
acknowledged that this analysis is out of date and is not reflective of
current US-VISIT plans. According to these officials, an updated
analysis will be issued in the very near future.
Without a reliable understanding of whether near-term increments will
produce mission value justifying its costs and whether known risks can
be effectively mitigated, DHS is investing in and implementing near-
term solutions that have not been adequately justified.
To the credit of the hard-working and dedicated staff working on the
program, an initial US-VISIT operating capability was deployed to major
air and selected sea POEs at the beginning of this year. However, the
US-VISIT program still faces the risk factors described in this
testimony, each of which will be discussed in our soon to be released
report. To address these risk factors, our published reports presented
several recommendations regarding the US-VISIT program, including:
* ensure that future expenditure plans fully disclose US-VISIT system
capabilities, schedule, cost, and benefits to be delivered;
* determine whether proposed US-VISIT increments will produce mission
value commensurate with costs and risks;
* define performance standards for each increment that are measurable
and reflect the limitations imposed by relying on existing systems;
* develop a risk management plan and regularly report all high risks;
* develop and implement a plan for satisfying key acquisition
management controls and implement these in accordance with Software
Engineering Institute guidance;
* ensure that human capital and financial resources are provided to
establish a fully functional and effective US-VISIT program office;
* define program office positions, roles, and responsibilities; and:
* develop and implement a human capital strategy for the program office
that provides for staffing positions with individuals who have the
appropriate knowledge, skills, and abilities.
Unless DHS addresses the risk factors described in this testimony,
successful deployment of US-VISIT increments is doubtful, because
achieving success will depend too much on heroic efforts by the people
involved, rather than being the predictable outcome of sound investment
and acquisition management capabilities.
Mr. Chairman, this concludes our statement. We would be happy to answer
any questions that you or members of the committee may have at this
time.
Contacts and Acknowledgement:
If you should have any questions about this testimony, please contact
Randolph C. Hite at (202) 512-3870 or hiter@gao.gov. Other major
contributors to this testimony included Barbara Collier, Deborah Davis,
Tamra Goldstein, David Hinchman, and Jessica Waselkow.
FOOTNOTES
[1] Illegal Immigration Reform and Immigrant Responsibility Act of
1996, Pub. L. 104-208 (Sept. 30, 1996).
[2] Immigration and Naturalization Service Data Management Improvement
Act of 2000, Pub. L. 106-215 (June 15, 2000); Visa Waiver Permanent
Program Act, Pub. L. 106-396 (Oct. 30, 2000). USA PATRIOT ACT, Pub. L.
107-56 (Oct. 26, 2001); Aviation and Transportation Security Act, Pub.
L. 107-71 (Nov. 19, 2001); Enhanced Border Security and Visa Entry
Reform Act of 2002, Pub. L. 107-173 (May 14, 2002).
[3] 2002 Supplemental Appropriations Act for Further Recovery from and
Response to Terrorist Attacks on the United States, Pub. L. 107-206
(Aug. 2, 2002); Consolidated Appropriations Resolution, 2003, Pub. L.
108-7 (Feb. 20, 2003); Department of Homeland Security Appropriations
Act, 2004 , Pub. L. 108-90 (Oct. 1, 2003).
[4] U.S. General Accounting Office, Homeland Security: Risks Facing Key
Border and Transportation Security Program Need to Be Addressed,
GAO-03-1083 (Washington, D.C.: Sept. 19, 2003); Information Technology:
Homeland Security Needs to Improve Entry Exit System Expenditure
Planning, GAO-03-563 (Washington, D.C.: June 9, 2003).
[5] Immigration and Naturalization Service Data Management Improvement
Act, 2000, Pub. L. 106-215 (June 15, 2000).
[6] Classes of travelers that are not subject to US-VISIT are foreign
nationals admitted on A-1, A-2, C-3 (except for attendants, servants,
or personal employees of accredited officials), G-1, G-2, G-3, G-4,
NATO-1, NATO-2, NATO-3, NATO-4, NATO-5, or NATO-6 visas, unless the
Secretary of State and the Secretary of Homeland Security jointly
determine that a class of such aliens should be subject to the rule;
children under the age of 14; and persons over the age of 79.
[7] The Miami Royal Caribbean seaport and the Baltimore/Washington
International Airport.
[8] Secondary inspection is used for more detailed inspections that may
include checking more databases, conducting more intensive interviews
of the individual, or both.
[9] In November 2003, DHS issued as planned a Request for Proposal
(RFP) for a prime contractor for US-VISIT work beyond Increment 2A.
[10] RF technology would require proximity cards and card readers. RF
readers read the information contained on the card when the card is
passed near the reader, and could be used to verify the identity of the
card holder.
[11] An indefinite-delivery/indefinite-quantity contract provides for
an indefinite quantity, within stated limits, of supplies or services
during a fixed period of time. The government schedules deliveries or
performance by placing orders with the contractor.
[12] Enhanced Border Security and Visa Entry Reform Act of 2002, Pub.
L. 107-173 (May 14, 2002).
[13] Pub. L. 106-215 (June 15, 2000).
[14] The $2.9 billion is a parametric cost estimate. Parametric cost
estimating is a technique used in the planning, budgeting, and
conceptual stages of projects. This technique expedites the development
of order of magnitude benchmark estimates when discrete estimating
techniques are not possible or would require inordinate amounts of time
and resources to produce similar results. Estimates such as this can
vary ±30 to 50 percent.
[15] U.S. General Accounting Office, Technology Assessment: Using
Biometrics for Border Security, GAO-03-174 (Washington, D.C.: Nov. 15,
2002).
[16] Statement of Glenn A. Fine, Inspector General, U.S. Department of
Justice, "Implementation of the Student and Exchange Visitor
Information System (SEVIS)" (Apr. 2, 2003).
[17] H.R. Conf. Rep. No. 108-280, at 32 (2003).
[18] U.S. General Accounting Office, Immigration Benefits: Several
Factors Impede Timeliness of Application Processing, GAO-01-488
(Washington, D.C.: May 4, 2001).
[19] The predecessor program office for the entry exit program was
established within the former INS in March 2002.
[20] Carnegie Mellon Software Engineering Institute, Software
Acquisition Capability Maturity Model, Version 1.03 (March 2002).
[21] Data Management Improvement Act Task Force, First Annual Report to
Congress (Washington, D.C.: December 2002).
