Department of Homeland Security

Formidable Information and Technology Management Challenge Requires Institutional Approach
GAO ID: GAO-04-702, August 27, 2004

In 2003 GAO designated the merger of 22 separate federal entities into the Department of Homeland Security (DHS) as a high risk area because of the criticality of the department's mission and the enormous transformation challenges that the department faced. Given that the effective use of information technology (IT) is a critical enabler of this merger, GAO has previously reported on a number of DHS efforts aimed at institutionalizing an effective information and technology governance structure and investing in new IT systems that are intended to better support mission operations. Now that DHS has been operating for over a year, GAO was asked to, based largely on its prior work, describe DHS's progress in meeting its information and technology management challenge.

DHS's overall IT challenge is to standardize and integrate the legacy system environments and management approaches that it inherited from its predecessor agencies, while concurrently attempting to ensure that present levels of IT support for critical homeland security operations are not only maintained but improved in the near term. To accomplish this, the department is in the process of instituting seven information and technology management disciplines that are key elements of an effective information and technology management structure. DHS's progress in institutionalizing these key information and technology management elements has been mixed, and overall remains a work in progress. Such progress is not unexpected, given the diversity of the inherited agencies and the size and complexity of the department's mission operations. Nevertheless, because DHS has not yet fully institutionalized these governance elements, its pursuit of new and enhanced IT investments is at risk of not optimally supporting corporate mission needs and not meeting cost, schedule, capability, and benefit commitments. Accordingly, GAO has previously made recommendations relative to most of these areas to the department's chief information officer and other responsible DHS entities. Lastly, DHS has developed a draft IT strategic plan, which GAO finds lacking in explicit goals, performance measures, milestones, and knowledge of whether it has properly positioned IT staff with the right skills to accomplish these things.



GAO-04-702, Department of Homeland Security: Formidable Information and Technology Management Challenge Requires Institutional Approach

This is the accessible text file for GAO report number GAO-04-702 entitled 'Department of Homeland Security: Formidable Information and Technology Management Challenge Requires Institutional Approach' which was released on September 27, 2004.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
Report to Congressional Committees: August 2004:

DEPARTMENT OF HOMELAND SECURITY: Formidable Information and Technology Management Challenge Requires Institutional Approach

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-702]

GAO Highlights: Highlights of GAO-04-702, a report to the Chairman, Senate Committee on Governmental Affairs, and the Chairman, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, House Committee on Government Reform.

Key Elements of Effective Information and Technology Management Structure: [See PDF for image] [End of figure]

What GAO Recommends: To strengthen DHS's IT strategic planning, GAO recommends that the department establish IT goals, performance measures, and milestones, and analyze whether its IT staffing adequately supports those goals. In commenting on a draft of this report, DHS generally concurred with GAO's recommendations.

www.gao.gov/cgi-bin/getrpt?GAO-04-702. To view the full product, including the scope and methodology, click on the link above. For more information, contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov.
Contents:

Letter:
Results in Brief:
Background:
DHS's Progress in Dealing with Formidable Information and Technology Management Challenge Is Mixed:
Conclusions:
Recommendations:
Agency Comments and Our Evaluation:

Appendixes:
Appendix I: Department of Homeland Security Governance Entities:
Appendix II: Comments from the Department of Homeland Security:
GAO Comments:

Related GAO Products:

Figures:
Figure 1: Simplified Diagram of DHS Organizational Structure:
Figure 2: Key Elements of an Effective Information and Technology Management Structure:
Figure 3: DHS Investment Governance Boards:
Figure 4: DHS Investment Review Process:

Abbreviations:
ACE: Automated Commercial Environment
CAPPS II: Computer-Assisted Passenger Prescreening System II
CIO: chief information officer
DHS: Department of Homeland Security
IRM: information resources management
IT: information technology
OMB: Office of Management and Budget
SEVIS: Student Exchange Visitor Information System
TSA: Transportation Security Administration
US-VISIT: United States Visitor and Immigrant Status Indicator Technology

Letter:

August 27, 2004:

The Honorable Susan M. Collins:
Chairman, Committee on Governmental Affairs:
United States Senate:

The Honorable Adam H. Putnam:
Chairman, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census:
Committee on Government Reform:
House of Representatives:

Responding to real and potential threats to homeland security is one of the federal government's most significant challenges. To address this challenge, as you know, the Homeland Security Act of 2002 (P.L. 107-296) merged 22 federal agencies and organizations with homeland security-related missions into the Department of Homeland Security (DHS). Since becoming operational in March 2003, DHS has faced the considerable challenge of transforming these diverse organizations into a single new cabinet-level department.
The information technology (IT) task related to DHS's transformation is complex and critical to the agency's success. According to DHS's Deputy Secretary, to help detect and deter future terrorist attacks, DHS must rationalize disparate technologies with conflicting business rules, consolidate data centers and networks, have a common e-mail system, get the right information to border agents, and prevent cyber attacks against the department's mission-critical systems.[Footnote 1]

Critical to meeting DHS's challenge is establishing an effective corporate information and technology management governance process at the same time that the department is investing billions of dollars to develop, acquire, maintain, and operate mission-critical systems. Ideally, DHS's corporate governance structure would be in place prior to the department's making significant IT investments so that such investment decisions reflect departmentwide needs and priorities. Yet, the operational reality of starting a new organization such as DHS is that it must strike a balance between its pursuit of new and enhanced systems (that in some cases are being managed using legacy processes) and establishing the means for achieving a family of systems that optimally support departmentwide operations and mission performance.

Since DHS has been operational for over a year, you requested that we describe the state of DHS's information and technology management. Accordingly, our objective is to describe DHS's progress in meeting its information and technology management challenge. To address this objective we reviewed and synthesized our prior reports and those of the DHS Office of Inspector General on the department's information and technology management and specific IT investments. (A list of related GAO products is included at the end of this report.)
We also reviewed relevant documentation to obtain more up-to-date information on changes to the department's processes, particularly as it relates to IT strategic planning and IT investment management. This documentation included DHS's draft information resources management (IRM) strategic plan, draft road maps related to its eight IT priority areas, and the department's investment review management directive and related guidance documents. As part of reviewing these changed processes and to discuss steps that the department has taken to address certain of our open recommendations, we also interviewed appropriate DHS IT officials, including the chief information officer (CIO), chief technology officer, and the coordinator for its top level investment management boards. We performed our work at DHS in Washington, D.C., in accordance with generally accepted government auditing standards between April and July 2004.

Results in Brief:

DHS is working to address the daunting challenge of standardizing and integrating the various legacy IT environments and management approaches it inherited from its predecessor agencies while it is concurrently attempting to ensure that existing levels of IT support for critical homeland security missions are not only maintained but improved in the near term. To do so, the department has, among other things, made progress in establishing seven key information and technology management disciplines. However, fully establishing and institutionalizing these disciplines remains a work in progress that has yet to be accomplished. While accomplishing them will understandably take considerable time given the diversity of the inherited agencies and the size and complexity of the department, DHS's progress to date on each has been mixed, both across and within the disciplines. In the interim, new and existing system investments continue to be pursued without a fully defined and implemented departmentwide IT governance structure.
The status of DHS's efforts relating to the seven disciplines that would create such a structure is discussed below.

* IT strategic planning. DHS's draft IRM strategic plan dated March 2004 lists the priorities of the department's and component agencies' CIOs for 2004. The department is also in the process of developing what it terms as road maps for each of these priority areas that include descriptions of the current condition of the area, the need for change, the planned future state, initiatives, and barriers. However, neither the draft IRM strategic plan nor the draft road maps fully define the department's IT goals and performance measures, the time frames to complete significant activities, and the staff resources to execute these activities.

* Enterprise architecture. DHS released the initial version of its enterprise architecture in September 2003.[Footnote 2] Our recent report on this initial version stated that it provides a partial basis upon which to build future versions.[Footnote 3] However, this version was not systematically derived from a DHS or national corporate business strategy. Moreover, it is missing most of the content necessary to effectively guide and constrain IT investments. Without such content, DHS runs the risk that its investments will not be well integrated, will be duplicative, will be unnecessarily costly to maintain and interface, and will not effectively optimize mission performance. The department recognizes the architecture's limitations and plans to issue a new version in September 2004.

* IT investment management. DHS has established an IT investment management process that includes departmental oversight of major IT projects. However, this process is still maturing and has yet to be institutionalized in that most projects have not undergone the departmental oversight process and a mechanism to ensure that such reviews are accomplished in a timely manner has not been established.
* Systems development and acquisition management. DHS has numerous ongoing major systems initiatives, but our reviews of several of these projects have found that rigorous systems development and acquisition processes were not consistently employed. In particular, we identified significant problems in critical areas, such as process controls associated with acquiring software-intensive systems, managing and conducting testing, and measuring the performance of a system.

* Information security management. The DHS Office of Inspector General reported that the department has made progress in establishing a framework for the department's information systems security program by, for example, appointing a chief information security officer and developing and disseminating information system security policies and procedures. However, the inspector general concluded that more needs to be done to ensure the security of DHS's IT infrastructure and prevent disruptions to mission operations. For example, none of the DHS components had a fully functioning IT security program.

* Information management. As agencies increasingly move to an operational environment in which electronic--rather than paper--records provide comprehensive documentation of their activities and business processes, a variety of information collection, use, and dissemination issues face these agencies, including DHS. For example, privacy issues are a major concern in certain IT investments, such as the Computer-Assisted Passenger Prescreening System II (CAPPS II), in which privacy was designated by law as one of eight key issues that the Transportation Security Administration (TSA) must fully address before the system is deployed or implemented. DHS has taken steps to deal with privacy at both the department and system-specific level. For example, in April 2003, DHS appointed its first chief privacy officer to, for instance, guide DHS agencies in developing appropriate privacy policies.
* IT human capital management. DHS has begun strategic human capital planning at the headquarters level, but the agency has not yet systematically gathered necessary human capital data. Moreover, the DHS CIO has expressed concern over IT staffing and acknowledged that progress in the IT human capital area has been slow.

Taken collectively, the breadth and complexity of information and technology management issues facing DHS is a formidable challenge. Overcoming this challenge will require the kind of institutional approach to information and technology management that the aforementioned seven disciplines are intended to provide. We have made numerous recommendations aimed at institutionalizing these disciplines to the department's chief information officer and other responsible DHS entities that, in some cases, the department has implemented or begun to implement. This report contains additional recommendations to the Secretary of Homeland Security related to the important undertaking of effective IT strategic planning, including the establishment of IT goals and performance measures that demonstrate how information and technology management contributes to, for example, the efficiency and effectiveness of agency operations.

In written comments on a draft of our report signed by the Director, Departmental GAO/OIG Liaison within the Office of the Chief Financial Officer, DHS generally concurred with our recommendations. In addition, DHS provided additional information on our recommendations and actions that it has taken, which we incorporated in the report, as appropriate.

Background:

In March 2003 DHS assumed operational control of about 209,000 civilian and military positions from 22 agencies and offices. Not since the creation of the Department of Defense in 1947 has the federal government undertaken a transformation of this magnitude.
As we have previously reported,[Footnote 4] such a transformation poses significant management and leadership challenges, including those associated with coordinating and facilitating the sharing of information, both among its component agencies and with other entities, and integrating numerous mission support, administrative, and infrastructure IT systems. Critical to DHS's ability to meet this challenge is the establishment of an effective IT governance mechanism, including IT plans, processes, and people.

DHS Organizational Structure:

The Homeland Security Act of 2002 created DHS by merging agencies that specialize in one or more interrelated and interdependent aspects of homeland security, such as intelligence analysis, law enforcement, border security, transportation security, biological research, critical infrastructure protection, and disaster recovery. DHS is in the early stages of transforming and integrating this disparate group of agencies with multiple missions, values, and cultures into a strong and effective cabinet department. The effective interaction, integration, and synergy of these agencies are critical to homeland security mission performance.

DHS's mission is to lead the unified national effort to secure America by preventing and deterring terrorist attacks and protecting against and responding to threats and hazards to the nation. DHS also is to ensure safe and secure borders, welcome lawful immigrants and visitors, and promote the free flow of commerce. To accomplish this, the Homeland Security Act established five under secretaries with responsibilities over directorates for management, science and technology, information analysis and infrastructure protection, border and transportation security, and emergency preparedness and response (see fig. 1). In addition to these directorates, the U.S. Secret Service and the U.S. Coast Guard continue as distinct entities within DHS.
Each DHS directorate is responsible for its specific homeland security mission area and for coordinating related efforts with its sibling components, as well as other external entities.

Figure 1: Simplified Diagram of DHS Organizational Structure: [See PDF for image] [End of figure]

Within the Management directorate is the Office of the CIO, which is expected to enhance mission success by leveraging best available information technologies and technology-management practices, provide shared services and coordinate acquisition strategies to minimize cost and improve consistency, support executive leadership in performance-based management by maintaining an enterprise architecture that is fully integrated with other management processes, and advocate and enable business transformation in support of enhanced homeland security.

Other DHS entities also are responsible, or share responsibility, for critical information and technology management activities. For example, within DHS's major organizational offices (e.g., the directorates) are CIOs and IT organizations. Control over the department's IT budget is vested primarily with the CIO organizations within each of its component organizations, and the component CIO organizations are accountable to the heads of DHS's respective organizational components. Moreover, we have previously reported on the responsibilities held by various DHS directorates to ensure successful information sharing within the department and between federal agencies, state and local governments, and the private sector.[Footnote 5]

The DHS CIO established a CIO Council, chaired by the CIO and composed of component-level CIOs, that serves as a focal point for coordinating challenges that cross agency boundaries.
According to its charter, the specific functions of the DHS CIO Council include:

* establishing a strategic plan and setting priorities for departmentwide IT;

* defining and continuously improving DHS IT governance structures and processes;

* advancing DHS IT priorities through well-defined road maps that detail actions and deliverables;

* identifying opportunities for sharing resources, coordinating multibureau projects and programs, and consolidating activities; and

* developing and executing formal communication programs for internal and external constituencies.

Key Components of an Effective Information and Technology Management Structure:

As we have previously reported, information and technology management is a key element of management reform efforts that can help dramatically reshape government to improve performance and reduce costs.[Footnote 6] Accordingly, it is critical that agencies manage their information resources effectively, taking into account the need to address planning, processes, and people. Key components of an effective information and technology management structure include (1) IT strategic planning, (2) enterprise architecture, (3) IT investment management, (4) systems development and acquisition management, (5) information security management, (6) information management, and (7) IT human capital management (see fig. 2).[Footnote 7]

Figure 2: Key Elements of an Effective Information and Technology Management Structure: [See PDF for image] [End of figure]

Moreover, effective implementation of information and technology management recognizes the interdependencies among these processes. Illustrations of some of these relationships are as follows:

* IT strategic planning defines what an agency seeks to accomplish and identifies the strategies that it will use to achieve desired results.
The IT strategic plan, which is the outcome of this effort, is executed using the processes established through the other components of the information and technology structure, such as IT investment management.

* An organization's IT human capital approach must be aligned to support the mission, vision for the future, core values, goals and objectives, and strategies, which may be found in the IT strategic plan and the enterprise architecture. IT human capital management, in turn, ensures that the right people are in place with the right skills to perform critical system acquisition functions.

* The enterprise architecture is an integral component of the IT investment management process because an organization should approve only those investments that move the organization toward the target architecture.

* A critical aspect of systems acquisition and development management is ensuring that robust information security is built into the projects early and is periodically revisited.

* Privacy--a component of information management--should be a consideration when acquiring and developing systems. For example, the E-Government Act of 2002 requires agencies to conduct privacy impact assessments before developing or acquiring IT systems that collect, maintain, or disseminate information that is personally identifiable to an individual. Such assessments would, in part, include what information is being collected, why it is being collected, and its intended use. In addition, ensuring that such personally identifiable data is secured against risks such as loss or unauthorized access, destruction, use, modification, or disclosure is an internationally recognized privacy principle.

DHS has recognized the importance of information and technology management to achieving its mission. In February of this year, it issued its first strategic plan, which outlines seven strategic goals.
One of these goals is organizational excellence, which includes information and technology management objectives related to privacy and security and electronic government modernization and interoperability initiatives. In addition, at its various components, DHS has numerous ongoing major systems development and acquisition initiatives related to meeting mission needs, such as the following:

* Border and Transportation Security Directorate. The Automated Commercial Environment (ACE) project is to be a new trade processing system.

* Border and Transportation Security Directorate. CAPPS II is to identify airline passengers who pose a security risk before they reach the passenger screening checkpoint.

* Border and Transportation Security Directorate. The Student Exchange Visitor Information System (SEVIS) is expected to manage information about nonimmigrant foreign students and exchange visitors from schools and exchange programs.

* Border and Transportation Security Directorate. The United States Visitor and Immigrant Status Indicator Technology (US-VISIT) is a governmentwide program intended to improve the nation's capacity for collecting information on foreign nationals who travel to the United States, as well as control the pre-entry, entry, status, and exit of these travelers.

* Coast Guard. Rescue 21 is to replace the Coast Guard's 30-year-old search and rescue communication system.

* Science and Technology Directorate. Project SAFECOM has the overall objective of achieving national wireless communications interoperability among first responders and public safety systems at all levels of government.

DHS's Progress in Dealing with Formidable Information and Technology Management Challenge Is Mixed:

In the 18 months that it has been in operation, DHS has taken steps to institute key elements of an effective information and technology management structure.
However, DHS's progress has been mixed in that some elements are further advanced than others and there is still considerable work remaining to institutionalize each of the areas across the department. An example of the former is that DHS established several key practices related to building an effective IT investment management process, whereas fundamental activities in the IT human capital area have not been started. IT strategic planning can serve as an example of the considerable amount of work remaining within individual elements of the information and technology management structure. Specifically, although DHS issued a draft IRM strategic plan this past March, it and other strategic planning documents do not contain sufficient information regarding the department's IT goals, how it will achieve them, and when it expects that significant activities will be completed.

DHS's mixed progress is not unexpected given the diversity of the inherited agencies and the size and complexity of the department and the daunting hurdles that it faces in integrating the systems and IT management approaches of its many organizational components. Nevertheless, new and existing IT investments continue to be pursued without a fully defined and implemented departmentwide governance structure, which increases the risk that they will not completely or optimally support the department's mission and objectives. To address the risks associated with DHS's departmental structures and specific IT investments, we have made recommendations to the DHS CIO and other responsible entities--such as the Coast Guard and TSA--to help the department successfully overcome its information and technology management challenge. In some cases, the department has implemented or begun to implement these recommendations.

IT Strategic Planning:

Strategic planning defines what an organization seeks to accomplish and identifies the strategies it will use to achieve desired results.
In addition, the Paperwork Reduction Act requires that agencies indicate in strategic IRM plans how they are applying information resources to improve the productivity, efficiency, and effectiveness of government programs.[Footnote 8] Further, Office of Management and Budget (OMB) Circular A-130 states that strategic IRM plans should support agency strategic plans and provide a description of how IRM helps accomplish agency missions. This plan serves as a vision or road map for implementing effective management controls and marshalling resources in a manner that will facilitate leveraging of IT to support mission goals and outcomes. It should be tied to and support the agency strategic plan and provide for establishing and implementing IT management processes.

DHS's draft IRM strategic plan dated March 2004 provides a high-level description of how IT supports the goals of the agency's strategic plan. According to the draft plan, although the department's component agencies have advanced their separate uses of information technology and services, serious gaps exist between the current and target environment necessary to support effective integration of information and collaboration of actions. The plan goes on to discuss steps taken in the investment management, enterprise architecture, and security disciplines. The draft IRM plan also cites eight DHS CIO Council priorities for 2004; namely, (1) information sharing, (2) mission rationalization, (3) IT security, (4) one IT infrastructure, (5) enterprise architecture, (6) portfolio management, (7) governance, and (8) IT human capital.

DHS is in the process of developing road maps for each of the CIO Council's priorities. These road maps are currently in draft and generally include a description of the current condition of the area, the need for a change, the planned future state, initiatives, and barriers.
Currently, neither the draft IRM strategic plan nor the draft priority area road maps contain sufficient information regarding the department's IT goals and performance measures, when the department expects that significant activities will be completed, and the staff resources necessary to implement these activities. For example:

* Neither the draft IRM strategic plan nor the draft road maps include fully defined goals and performance measures. Leading organizations define specific goals, objectives, and measures, use a diversity of measurement types, and describe how IT outputs and outcomes affect organizational customer and agency program delivery requirements.[Footnote 9] In addition, the Paperwork Reduction Act and the Clinger-Cohen Act of 1996 require agencies to establish goals and performance measures on how information and technology management contributes to program productivity, the efficiency and effectiveness of agency operations, and service to the public.[Footnote 10]

* The draft IRM plan does not include milestones for when major information and technology management activities will be initiated or completed. In addition, the milestones in the draft road maps are generally vague (e.g., using terms like short term and long term without defining them or including specific months with no year). Without milestone information, meaningful measurement of progress is not possible. This is particularly important since DHS did not always meet the target dates laid out by the CIO in February 2003. For example, the CIO planned to introduce a balanced scorecard[Footnote 11] for the DHS IT community in the department's first year. Although the draft IRM strategic plan states that the DHS CIO Council has endorsed the use of a balanced scorecard approach, as of mid-July, this scorecard had not been developed.
* The plan does not address whether, or to what extent, DHS has staff with the relevant skills to obtain its target environment and, if it does, whether they are allocated appropriately. This is particularly important since the DHS CIO Council has targeted IT human capital as a priority area and, according to the draft road map document associated with this priority, DHS is facing such issues as an aging IT workforce and too little investment in continuous learning.

The DHS CIO noted that the draft IRM strategic plan, the department's initial attempt at IT strategic planning, was primarily intended to meet OMB's requirements that a plan be developed. He further stated that through the development of the road maps, DHS is defining the operational details for its IT priority areas, which, in turn, will be used to update and improve the next version of the IRM plan. In responding to a draft of this report, DHS stated that the CIO intends to issue an IT strategic plan before the end of the calendar year and that, over the next few months, each priority area will develop goals, performance measures, and time lines for implementation.

A key emphasis of version 1.0 of the DHS draft IRM plan is its recognition of the importance of the department's integration efforts and its description of its plan to implement a single IT infrastructure. In particular, to maximize its mission performance, DHS faces the enormous task of integrating and consolidating a multitude of systems. This includes exploiting opportunities to eliminate and consolidate systems in order to improve mission support and reduce system costs.
We recently reported that DHS is in the process of developing its systems integration strategy and that, in the interim, the department has taken steps to address ongoing and planned component IT investments integration and alignment with its evolving strategic IT management framework.[Footnote 12] However, we concluded that while these steps have merit, they do not provide adequate assurance of strategic alignment across the department. For example, one step simply continued the various approaches that produced the diverse systems that the department inherited, while another relied too heavily on oral communication about complex IT strategic issues that are not yet fully defined. Thus, DHS has an increased risk that its component agencies' ongoing investments, collectively costing billions of dollars in fiscal year 2004, will need to be reworked at some future point to be effectively integrated and to maximize departmentwide value. Moreover, we reported that the DHS CIO does not have authority and control over departmentwide IT spending, even though such control is important for effective systems integration. According to our research on leading private and public sector organizations and experience at federal agencies, leading organizations adopt and use an enterprisewide approach under the leadership of a CIO or comparable senior executive who has the responsibility and authority, including budgetary and spending control, for IT across the entity.[Footnote 13] To help DHS better manage the risks that it faces, we made several recommendations, including that the Secretary examine the sufficiency of IT spending authority vested in the CIO and take appropriate steps to correct any limitations in authority that constrain the CIO's ability to effectively integrate IT investments in support of departmentwide mission goals. In commenting on a draft of this report, DHS did not address whether it would implement these recommendations. 
Enterprise Architecture: Effective use of enterprise architectures is a trademark of successful public and private organizations. For a decade, we have promoted the use of architectures to guide and constrain systems modernization, recognizing them as a crucial means to a challenging goal: establishing agency operational structures that are optimally defined in both business and technological environments. The Congress, OMB, and the federal CIO Council have also recognized the importance of an architecture-centric approach to modernization. The Clinger-Cohen Act of 1996 mandates that an agency's CIO develop, maintain, and facilitate the implementation of IT architectures. This should provide a means of managing the integration of business processes and supporting systems. Further, the E-Government Act of 2002[Footnote 14] requires OMB to oversee the development of enterprise architectures within and across agencies. Generally speaking, an enterprise architecture connects an organization's strategic plan with program and system solution implementations by providing the fundamental information details needed to guide and constrain implementable investments in a consistent, coordinated, and integrated fashion. An enterprise architecture provides a clear and comprehensive picture of an entity, whether it is an organization (e.g., federal department) or a functional or mission area that cuts across more than one organization (e.g., homeland security). This picture consists of snapshots of both the enterprise's current or "As Is" operational and technological environment and its target or "To Be" environment, as well as a capital investment road map for transitioning from the current to the target environment. These snapshots further consist of "views," which are basically one or more architecture products that provide conceptual or logical representations of the enterprise. 
For the last 2 years, we have promoted the development and use of a homeland security enterprise architecture. For example, in June 2002 we testified[Footnote 15] on the need to define the homeland security mission and the information, technologies, and approaches necessary to perform this mission in a way that is divorced from organizational parochialism and cultural differences. We also stressed that a particularly critical function of a homeland security architecture would be to establish processes and information/data protocols and standards that could facilitate information collection and permit sharing. Recognizing the pivotal role that an architecture will play in successfully merging the diverse operating and systems environments that the department inherited, DHS issued an initial version in September 2003. Our recent report on this initial enterprise architecture found that it provides a partial basis upon which to build future versions.[Footnote 16] However, the September 2003 version of the enterprise architecture is missing most of the content necessary to be considered a well-defined architecture. Moreover, the content in this version was not systematically derived from a DHS or national corporate business strategy, but rather was more the result of an amalgamation of the existing architectures that several of DHS's predecessor agencies already had, along with their respective portfolios of system investment projects. Such a development approach is not consistent with recognized architecture development best practices. DHS officials agreed with our content assessment of their initial architecture, stating that it is largely a reflection of what could be done without a departmental strategic plan to drive architectural content and with limited resources and time. 
They also stated that the primary purposes in developing this version were to meet an OMB deadline for submitting the department's fiscal year 2004 IT budget request and for the department to develop a more mature understanding of enterprise architecture and its ability to execute an approach and methodology for developing and using the next version of the architecture.

Nevertheless, we concluded that DHS does not yet have the architectural content that it needs to effectively guide and constrain its business transformation efforts and the hundreds of millions of dollars it is investing in supporting systems. For example, the architecture does not (1) include a description of the information flows and relationships among organizational units, business operations, and system elements; (2) provide a description of the business and operational rules for data standardization to ensure data consistency, integrity, and accuracy; or (3) include an analysis of the gaps between the baseline and target architecture for business processes, information/data, and services/application systems to define missing and needed capabilities. Moreover, the architecture does not adequately recognize the interdependencies with other critical IT management processes since it does not include (1) a description of the policies, procedures, processes, and tools for selecting, controlling, and evaluating application systems to enable effective IT investment management and (2) a description of the system development lifecycle process for application development or acquisition and the integration of the process with the architecture. In addition, although the architecture recognizes the need for a governance structure and contains a high-level discussion of same, it does not include an architecture governance and control structure and the integrated procedures, processes, and criteria (e.g., investment management and security) to be followed.
Without such content, DHS runs the risk that its investments will not be well integrated, will be duplicative, will be unnecessarily costly to maintain and interface, and will not effectively optimize mission performance. To assist DHS in developing a well-defined enterprise architecture, our August report contained numerous recommendations directed to the architecture executive steering committee--composed of senior executives from technical and business organizations across the department--in collaboration with the CIO, that are aimed at ensuring that the needed content is added and that the approach followed adheres to best practices.

Given DHS's intended purpose of its enterprise architecture, which is to use it as the basis for departmentwide (and national) operational transformation and to support systems modernization and evolution, it is important that individual IT investments be aligned with the architecture. Moreover, according to the CIO, DHS is developing a process to align its systems modernization activities with its enterprise architecture. However, earlier this year, we reported that this alignment had not been determined for two of the department's major investments--ACE and US-VISIT--but the CIO and program officials stated that they planned to address this issue.[Footnote 17]

IT Investment Management:

Investments in IT can have a dramatic impact on an organization's performance. If managed effectively, these investments can vastly improve government performance and accountability. If not, they can result in wasteful spending and lost opportunities for improving delivery of services to the public. An IT investment management process provides a systematic method for agencies to minimize risks while maximizing return on investment. A central tenet of the federal approach to IT investment management has been the select/control/evaluate model.
During the select phase, the organization (1) identifies and analyzes each project's risks and returns before committing significant funds and (2) selects those projects that will best support its mission needs. In the control phase, the organization ensures that the project continues to meet mission needs at the expected levels of cost and risks. If the project is not meeting expectations or if problems have arisen, steps are quickly taken to address the deficiencies. During the evaluate phase, actual versus expected results are compared after a project has been fully implemented.

DHS has developed and begun implementing a departmental IT investment management process. In May 2003 DHS issued an investment review management directive[Footnote 18] and IT capital planning and investment control guide, which provide the department's component organizations with requirements and guidance on documentation and review of IT investments. In February 2004, we reported that DHS's investment management process was evolving.[Footnote 19] Since that time, DHS has changed its process to reflect lessons learned during the department's first year of operation and continuous improvement of the process. Moreover, DHS issued a new interim IT capital planning and investment control guide in May 2004 and is in the process of revising the investment review management directive to reflect the changes that have been made. Among the changes is a shifting of responsibilities of some of its investment management boards and increases to the thresholds that determine which board approves an investment. Figure 3 illustrates the governance boards DHS uses to execute its investment review process. Under this process, DHS has four levels of investments, the top three of which are subject to review by department-level boards--the Investment Review Board, Joint Requirements Council, and Enterprise Architecture Board. (App. I provides more specific information on the boards and their responsibilities.)

Figure 3: DHS Investment Governance Boards:

[See PDF for image]

[A] According to the DHS coordinator of this process, level 3 IT investments are approved by the component agency and are subject to review by the CIO, Chief Financial Officer, and Chief Procurement Officer, also known as the Management Review Council. If these officials have concerns about the investment or find that there are cross-programmatic issues to be addressed, they can refer the investment to the Joint Requirements Council for review.

[End of figure]

In addition, DHS has established a five-phase review process that calls for these investments to be reviewed at key decision points, such as program authorization (see fig. 4).

Figure 4: DHS Investment Review Process:

[See PDF for image]

[End of figure]

With the establishment of the governance boards and the investment review process, DHS has established several key practices associated with building the investment foundation as described by our IT investment management framework.[Footnote 20] In addition, as part of the selection phase of its capital planning and investment control process, DHS reviewed component agency IT investments for its fiscal year 2005 budget submission. Specifically, according to DHS IT officials, (1) the CIO approved the department's IT portfolio and (2) all of the major IT systems submitted to OMB for the fiscal year 2005 budget were assessed and scored by an investment review team.[Footnote 21] In addition, earlier this year, as we reported, with the department's establishment of the department's top investment management board, the ACE and CAPPS II investments met legislative conditions contained in the Department of Homeland Security Appropriations Act, 2004 (P.L. 108-90).[Footnote 22] For example, in February 2004 we reported that the creation of the Investment Review Board satisfied a CAPPS II legislative requirement associated with the establishment of an oversight board, with the caveat that the board oversee the program on a regular and thorough basis. In addition, in May 2004 we reported that DHS satisfied a prior recommendation of ours to establish and charter an executive body to guide and direct the US-VISIT program by establishing a three-entity governance structure, which includes the department's Investment Review Board.[Footnote 23]

Although DHS has made noticeable progress, it still has much work remaining to fully implement its IT investment management process, particularly as it relates to carrying out effective departmental control over IT investments. For example:

* Many of DHS's IT investments have not undergone control reviews. As of early July, one or more of DHS's investment management boards had reviewed less than a quarter of the major IT investments subject to departmental review (level 1, 2, and 3 investments). According to the coordinator of this process, the investments that have undergone control reviews were considered DHS's highest priority IT investments based on criteria such as cost, visibility, or that a key decision point was forthcoming. In addition, DHS stated that its ability to complete control reviews in a timely manner is affected by the amount of resources, people, time, and funding allocated to the department. Nevertheless, our reviews of several DHS level 1 investments indicate the importance of such reviews, since we have found cost, schedule, and performance problems as well as significant management activities that have not been completed.

* DHS has not established a process to ensure that control reviews of IT investments are performed in a timely manner.
Our February 2004 report recommended that the DHS CIO develop a control review schedule for IT investments, subject to departmental oversight.[Footnote 24] DHS concurred with this recommendation, but has not yet implemented it. However, for the fiscal year 2006 budget cycle, which is being formulated now, DHS entities were asked to provide the dates of prior and future key decision points for each major IT investment. According to Office of the CIO capital planning and investment control officials, this is their first step toward building a control review schedule.

* Officials from DHS's offices of the CIO and chief financial officer characterized the department's investment management process as still maturing. For example, Office of the CIO capital planning and investment control officials stated that the department will be concentrating on developing and building a disciplined and structured control process in fiscal year 2005.

Officials from the offices of the CIO and chief financial officer also described various initiatives that are being undertaken to improve this process. For example, portfolio management is a CIO Council priority and, according to the draft road map for this priority, the planned future environment will have IT investments aligned and optimized against mission requirements at the DHS level. DHS has procured an automated portfolio management system to help in this endeavor. According to Office of the CIO capital planning and investment control officials, DHS has inserted its fiscal year 2005 business cases for major investments (also known as budget exhibit 300s) into this system and plans to add the fiscal year 2006 business cases later this year. In addition, according to these officials, the department's Investment Review Team plans to use this system to perform portfolio analysis to provide additional insight to DHS investment management boards as they make their investment selections for fiscal year 2006.
Systems Development and Acquisition Management:

Our work and other best-practice research have shown that applying rigorous management practices to the development and acquisition of IT systems and the acquisition of IT services improves the likelihood of delivering expected capabilities on time and within budget. In other words, the quality of IT systems and services is largely governed by the quality of the management processes involved in developing and acquiring them.

DHS has numerous ongoing major systems development and acquisition initiatives that are critical to meeting its mission needs. Our reviews of several major DHS systems development and acquisition efforts have found that these rigorous processes are not always employed. We have made numerous recommendations that address a variety of system development and acquisition issues. DHS has generally agreed with these recommendations and, in some cases, has implemented, or begun to implement, them. For example:

* Process controls for acquiring software-intensive systems. Disciplined processes for acquiring software are essential to software-intensive system acquisitions. The Software Engineering Institute at Carnegie Mellon University[Footnote 25] has defined the tenets of effective software acquisition, which identify, among other things, a number of key process areas that are necessary to effectively manage software-intensive system acquisitions. In the past, we have reported that such key processes had not been fully implemented for ACE and US-VISIT.
Consequently, we made recommendations for both of these programs related to instituting acquisition process controls called for in the Software Engineering Institute's SA-CMM® model.[Footnote 26] As of May of this year, the acquisition control recommendation had been implemented by the ACE program in that the Software Engineering Institute had assigned the program a level 2 rating, meaning that it had established basic acquisition management processes.[Footnote 27] Also in May of this year we reported that US-VISIT was planning to implement our recommendation on instituting acquisition process controls.[Footnote 28]

* Managing and conducting testing. Complete and thorough testing is essential to providing reasonable assurance that new or modified systems process information correctly and will meet an organization's business needs. According to leading IT organizations, to be effective, software testing practices should be planned and conducted in a structured and disciplined fashion.[Footnote 29] We have expressed concerns about testing and issued related recommendations for three DHS IT investments--Rescue 21, CAPPS II, and US-VISIT. For example, in September 2003 we reported that the Coast Guard planned to compress and overlap the testing schedules for Rescue 21, which increased its risk that, for instance, all requirements would not be tested during formal qualification testing, system integration testing, and operational testing and evaluation.[Footnote 30] To mitigate Rescue 21 risks, we made recommendations to the Coast Guard related to establishing a new testing schedule and ensuring that milestones are established for completing test plans and that these plans address all requirements of the system. The Coast Guard agreed with these recommendations, which the agency has begun to implement.
In the cases of CAPPS II and US-VISIT, we made recommendations to TSA and the Border and Transportation Security Directorate, respectively: for CAPPS II, covering system and database testing, and for US-VISIT, developing and approving complete test plans before testing begins.[Footnote 31] DHS generally concurred with these recommendations.

* Measuring the performance of a system. By using comprehensive performance information, more informed decisions can be made about IT investments. An effective performance measurement system produces information that (1) provides an early warning indicator of problems and the effectiveness of corrective actions, (2) provides input to resource allocation and planning, and (3) provides periodic feedback about the quality, quantity, cost, and timeliness of products and services. We have reported on a variety of performance measure concerns associated with five DHS IT investments and have made relevant recommendations. For example, in February 2004, we reported that TSA had established preliminary goals and measures for CAPPS II but that they could be strengthened.[Footnote 32] We also noted that TSA had not fully established policies and procedures to monitor and evaluate the use and operation of the system. Similarly, our review of SEVIS, which is operational, found that several key system performance requirements were not being formally measured.[Footnote 33] This is problematic because without formally monitoring and documenting key system performance requirements, DHS cannot adequately ensure that potential system problems are identified and addressed early, before they have a chance to become larger and affect the DHS mission objectives supported by SEVIS.
In addition to our recommendations related to specific DHS IT investments, we have also issued guidance to assist agencies in improving their systems development and acquisitions.[Footnote 34]

Information Security Management:

Since 1997 we have designated information security as a governmentwide high-risk issue because of continuing evidence indicating significant, pervasive weaknesses in the controls over computerized federal operations.[Footnote 35] Moreover, related risks continue to escalate, in part due to the government's increasing reliance on the Internet and on commercially available information technology. Government officials are increasingly concerned about attacks launched by individuals and groups with malicious intent, such as crime, terrorism, foreign intelligence gathering, and acts of war. In addition, the disgruntled organization insider is a significant threat, since such individuals often have knowledge that allows them to gain unrestricted access and inflict damage or steal assets without possessing a great deal of knowledge about computer intrusions.

Based on its annual evaluation required by the Federal Information Security Management Act of 2002,[Footnote 36] in September 2003 the DHS Office of Inspector General reported that DHS had made progress in establishing a framework for an IT systems security program.[Footnote 37] For example, DHS has (1) appointed a chief information security officer, (2) developed and disseminated information system security policies and procedures, (3) implemented an incident response and reporting process, (4) initiated a security awareness training program, and (5) established a critical infrastructure protection working group. However, the inspector general report concluded that still more needs to be done to ensure the security of DHS's IT infrastructure and prevent disruptions to mission operations.
For example, DHS did not have a process to ensure that all plans of action and milestones for identified weaknesses were developed, implemented, and managed. In responding to a draft of this report, DHS stated that it has instituted a tool to monitor each organizational element's progress in developing and achieving the milestones identified in the plans of action and milestones. In addition, the Office of Inspector General stated that none of the DHS components had a fully functioning IT security program and a number of key security areas needed attention. For example, less than half of DHS's systems had a security plan and been assessed for risk. Among the Office of Inspector General's recommendations were that the CIO (1) develop and implement a process to identify information security-related material weaknesses in mission-critical programs and systems, (2) implement an oversight and reporting function to track the progress of remediation of material weaknesses, and (3) require DHS information officers to assign information systems security officers to oversee the security controls of each major application and general support system.

More recently, the DHS Office of Inspector General reported that DHS cannot ensure that the sensitive information processed by its wireless systems is effectively protected from unauthorized access and potential misuse.[Footnote 38] In particular, the Inspector General reported that DHS had not (1) provided sufficient guidance on wireless implementation to its components, (2) established adequate security controls to protect its wireless networks against commonly known security vulnerabilities, and (3) certified or accredited its wireless networks.[Footnote 39] The Inspector General made several recommendations to address the deficiencies cited in the report, which the DHS CIO agreed to and has taken steps to implement.
In addition, we have long held that it is important that security be addressed in the early planning stages of the development of IT systems,[Footnote 40] and have reported on security planning in the US-VISIT and CAPPS II programs. For example, in June 2003 we recommended that the US-VISIT program manager develop a system security plan[Footnote 41] and in May 2004 we reported that this recommendation had been partially implemented.[Footnote 42] Specifically, DHS provided a draft security plan, but this plan did not include (1) specific controls for meeting the security requirements, (2) a risk assessment methodology, or (3) the roles and responsibilities of individuals with system access.

DHS reported four departmentwide information security-related material weaknesses in its fiscal year 2003 Performance and Accountability Report.[Footnote 43] For example, DHS reported that it had (1) limited tracking, evaluation, and reporting tools necessary to provide oversight over its information security efforts and (2) insufficient resources, processes, policies, and guidelines in place to ensure the identification, protection, and continuity of services to reduce the department's vulnerabilities and risks and to sustain mission-critical functions in the event of a man-made or natural disaster. According to the DHS report, the department plans to take corrective actions related to these material weaknesses by September 30, 2004.

The DHS CIO Council has also pronounced information security a priority area. The draft road map associated with this area includes various short-, mid-, and long-term initiatives. Moreover, to lay a foundation for departmental improvements in information security management, DHS has developed an information security program strategic plan, which identifies major program areas, goals, and objectives.
According to this April 2004 plan, these major security program areas allow DHS to implement and maintain information security as part of its capital investment control process, systems development life cycle, and the enterprise architecture, and are essential to providing security services that protect the confidentiality, integrity, and availability of information and to provide accountability for activities on DHS networks and computing platforms.

Information Management:

As agencies increasingly move to an operational environment in which electronic--rather than paper--records provide comprehensive documentation of their activities and business processes, a variety of information collection, use, and dissemination issues have emerged. Such issues are particularly relevant to DHS because the Homeland Security Act of 2002 and federal policy assign responsibilities to the department for the coordination and sharing of information related to threats of domestic terrorism--within the department and with and among other federal agencies, state and local governments, the private sector, and other entities. Among the information management issues facing DHS are information sharing, privacy, and compliance with the information collection requirements. Namely:

Information sharing. As we have reported, information sharing is critical to successfully addressing increasing threats and fulfilling the missions of DHS.[Footnote 44] For example, to accomplish its missions, the department must (1) access, receive, and analyze law enforcement information, intelligence information, and other threat, incident, and vulnerability information from federal and nonfederal sources, and (2) analyze such information to identify and assess the nature and scope of terrorist threats.
Further, DHS must share information both internally and externally with agencies and law enforcement on such matters as goods and passengers inbound to the United States and individuals who are known or suspected terrorists and criminals. It also must share information among emergency responders in preparing for and responding to terrorist attacks and other emergencies.

We have made numerous recommendations over the last several years related to information-sharing functions that have been transferred to DHS, which are focused on sharing information on incidents, threats, and vulnerabilities and providing warnings related to critical infrastructures, both within the federal government and between the federal government and state and local governments and the private sector. In September 2003 we testified[Footnote 45] that although progress has been made in addressing our recommendations, further efforts were needed, such as (1) improving the federal government's capabilities to analyze incident, threat, and vulnerability information obtained from numerous sources and share appropriate timely, useful warnings and other information concerning both cyber and physical threats to federal entities, state and local governments, and the private sector, and (2) developing a comprehensive and coordinated national plan to facilitate information sharing on critical infrastructures. More recently, in July 2004 we reported that DHS's ability to gather, analyze, and disseminate information could be improved by developing information sharing-related policies and procedures for its components.[Footnote 46] In commenting on a draft of this report, DHS provided planned actions in response to its recommendations.

The DHS Secretary has recognized the criticality of information sharing in the department's strategic plan. In addition, information sharing is one of the DHS CIO Council's priorities in 2004. In the draft road map associated with this priority area, DHS described a future state that includes seamless access and dissemination of information in real time or near real time, that information is shared with all constituents, at all levels of government, and with the private sector, and that there are agreed-upon data standardization rules. We have issued guidance on information-sharing practices of organizations that successfully share sensitive or time-critical information, which could aid DHS in its efforts.[Footnote 47]

Privacy. With the emphasis on information sharing, privacy issues have emerged as a major, and contentious, concern. Since the terrorist attacks of September 11, 2001, data mining[Footnote 48] has been seen increasingly as a useful tool to help detect terrorist threats by improving the collection and analysis of public and private-sector data. Our May 2004 governmentwide report[Footnote 49] on data mining described 14 data mining efforts reported by DHS.[Footnote 50] Mining government and private databases containing personal information creates a range of privacy concerns because agencies can quickly and efficiently obtain information on individuals or groups by exploiting large databases containing personal information aggregated from public and private records. Concerns have also been raised about the quality and accuracy of the mined data; the use of the data for other than the original purpose for which the data were collected without the consent of the individual; the protection of the data against unauthorized access, modification, or disclosure; and the right of individuals to know about the collection of personal information, how to access that information, and how to request a correction of inaccurate information.

In April 2003, DHS appointed its first chief privacy officer. According to this officer, among other things, the DHS privacy office promotes best practices with respect to privacy, guides DHS agencies in developing appropriate privacy policies, and serves as a resource for questions related to privacy and information collection and disclosure.

Privacy concerns have also been a critical factor in the development and acquisition of US-VISIT and CAPPS II. With respect to CAPPS II, the 2004 DHS appropriations act designated privacy as one of eight key issues that TSA must address before CAPPS II is deployed or implemented. In our February 2004 report on whether TSA had fulfilled these legislative requirements, we stated that the agency's plans appear to address many of the requirements of the Privacy Act,[Footnote 51] the primary legislation that regulates the government's use of personal information.[Footnote 52] However, while TSA had taken initial steps, it had not finalized its plans for complying with the Privacy Act. We also looked at the TSA's plans in the larger context of eight Fair Information Practices, which are internationally recognized privacy principles that include practices such as data quality and security safeguards.[Footnote 53] The TSA's plans reflect some actions to address each of these practices. However, to meet its evolving mission goals, the agency also appears to limit the application of some of these practices. This reflects TSA's efforts to balance privacy with other public policy interests, such as national security, law enforcement, and administrative efficiency.

Compliance with the information collection requirements of the Paperwork Reduction Act. The Paperwork Reduction Act prohibits an agency from conducting or sponsoring the collection of information unless (1) the agency has submitted the proposed collection and other documents to OMB, (2) OMB has approved the proposed collection, and (3) the agency displays an OMB control number on the collection. We testified in April 2004 that DHS had 18 reported violations of the Paperwork Reduction Act in fiscal year 2003, all related to OMB approvals that had expired and had not been reauthorized.[Footnote 54]

IT Human Capital Management:

Our work with leading organizations shows that they develop human capital strategies to assess their skill bases and recruit and retain staff who can effectively implement technology to meet business needs.[Footnote 55] They assess their IT skills on an ongoing basis to determine what expertise is needed to meet current responsibilities and support future initiatives and evaluate the skills of their current employees, which are then compared against the organization's needed skills to determine gaps in the IT skills base. The challenges the federal government faces in maintaining a high-quality IT workforce are long-standing and widely recognized. The success of the transformation and implementation of DHS is based largely on the degree to which human capital management issues are addressed.

We have issued several reports examining how DHS plans to implement its new human capital system.[Footnote 56] For example, in June 2004 we reported that DHS had begun strategic human capital planning efforts at the headquarters level since the release of the department's overall strategic plan and the publication of proposed regulations for its new human capital management system.[Footnote 57] However, DHS had not yet systematically gathered relevant human capital data at the headquarters level, although efforts were under way to collect detailed human capital information and design a centralized information system so that such data could be gathered and reported departmentwide. These strategic human capital planning efforts can enable DHS to remain aware of and be prepared for current and future needs as an organization.
It is important that DHS address its IT human capital challenges expeditiously since, according to the DHS CIO, the biggest obstacle to the implementation of a departmentwide systems integration strategy has been insufficient staffing. More specifically, the CIO said that his office received substantially fewer staff than he requested when the department was originally established in 2003. To illustrate his statement, the CIO said that after studying other comparably sized federal department CIO organizations, he requested approximately 163 positions. However, he said that his office received about 65 positions. In addition, CIO officials told the Office of Inspector General that, given the relatively small staff resources provided, they have been "busy putting out fires" and, as a result, have been hindered in carrying out some critical IT management responsibilities, including instituting central guidance and standards in areas such as information security and network management.[Footnote 58] Lastly, the DHS CIO also noted the lack of properly skilled IT staff within the component agencies. Challenges facing DHS in this area, he stated, include overcoming political and cultural barriers, leveraging cultural beliefs and diversity to achieve collaborative change, and recruiting and retaining skilled IT workers.

In addition, we have expressed concerns about human capital issues related to two of DHS's major IT investments, ACE and US-VISIT. In May 2002 we reported that the program office managing ACE did not have the people in place to perform critical system acquisition functions, which increased the risk that promised system capabilities would not be delivered on time or within budget.[Footnote 59] Accordingly, we recommended that a human capital management strategy be immediately implemented for this office. Two years later we reported that U.S. Customs and Border Protection is in the process of implementing this recommendation.[Footnote 60] In particular, the program office had developed and begun implementing a human capital management plan, but the office has continued to experience difficulty in filling key positions. The ACE program office has begun implementing a new staffing plan intended to address DHS's concern that the program office has insufficient government program management staff. We have reported on similar IT human capital problems associated with US-VISIT and recommended that it develop and implement a human capital strategy, which the department is in the process of doing.[Footnote 61]

As mentioned, the DHS CIO Council established IT human capital as one of its eight priority areas. As with the other priority areas, a component agency sponsor has been named for human capital. However, unlike the other priority areas, as of mid-July 2004, an Office of the CIO official had not been assigned to work in this area. An Office of the CIO official explained that the person originally assigned this task is no longer with the department and that the office was determining who would take over this role. Moreover, in February 2003, the DHS CIO set July 2003 as a milestone for developing a current inventory of IT skills, resources, and positions, and September 2003 as the target date for developing an action plan. In mid-July 2004, the CIO stated that these milestones were not met and acknowledged that progress in IT human capital has been slow. He stated that he still plans to complete an inventory and action plan but could not provide an estimated completion date.

We have issued a large body of human capital work that could assist in this undertaking. For example, while agencies' approaches to workforce planning will vary, our guide on strategic workforce planning lays out five key principles that such a process should address irrespective of the context in which planning is done.[Footnote 62] These are as follows:

* Involve top management, employees, and other stakeholders in developing, communicating, and implementing the strategic workforce plan.

* Determine the critical skills and competencies that will be needed to achieve current and future programmatic results.

* Develop strategies that are tailored to address gaps in number, deployment, and alignment of human capital approaches for enabling and sustaining the contributions of all critical skills and competencies.

* Build the capability needed to address administrative, educational, and other requirements important to support workforce strategies.

* Monitor and evaluate the agency's progress toward its human capital goals and the contribution that human capital results have made toward achieving programmatic goals.

Conclusions:

DHS faces the formidable challenge of defining and implementing an effective information and technology management structure at the same time that it is developing and acquiring major IT systems that are critical to meeting its mission needs. Although DHS has made progress in addressing this challenge, it does not yet have a fully institutionalized structure in place, which puts its pursuit of new and enhanced IT investments at risk of not optimally supporting corporate mission needs and not meeting cost, schedule, capability, and benefit commitments. In particular, still lacking in the department's IT strategic planning process--which is critical because it defines what an agency seeks to accomplish and how that will be achieved--are goals, performance measures, and milestones for significant activities and whether DHS has appropriately skilled and deployed IT staff.
The department's CIO and DHS CIO Council--which is responsible for establishing a strategic plan and setting priorities for departmentwide IT--are organizationally placed to improve this planning process and to consider the needs of DHS as a whole. With regard to the other six elements of an effective information and technology management structure, DHS can be guided by the many recommendations that we and the Office of Inspector General have already made to the CIO and other responsible entities, along with our best practices guidance, as it uses technology to help better secure the homeland.

Recommendations:

To strengthen DHS's IT strategic planning process, we recommend that the Secretary of Homeland Security direct the CIO, in conjunction with the DHS CIO Council, to take the following three actions:

* Establish IT goals and performance measures that, at a minimum, address how information and technology management contributes to program productivity, the efficiency and effectiveness of agency operations, and service to the public.

* Establish milestones for the initiation and completion of major information and technology management activities.

* Analyze whether DHS has appropriately deployed IT staff with the relevant skills to obtain its target IT structure and, if it does, whether they are allocated appropriately.

Agency Comments and Our Evaluation:

In written comments on a draft of our report signed by the Director, Departmental GAO/OIG Liaison within the Office of the Chief Financial Officer, DHS generally concurred with our recommendations. DHS also offered specific comments related to these recommendations, including:

* Regarding our recommendation that DHS establish IT goals and performance measures, the department emphasized that it is developing road maps for its eight priority areas that, over the next few months, will include developing goals, performance measures, and time lines for implementation. We believe that DHS's plans are consistent with our recommendation.

* On our recommendation to establish milestones for the initiation and completion of major information and technology management activities, DHS stated that its interpretation was that the recommendation pertained to having an established IT investment management structure and centered its comments on its plans related to two of its priorities--enterprise architecture and portfolio management. We agree that these two areas are covered by our recommendation. However, our recommendation is broader than just these two areas, instead covering any information and technology management activity identified as significant through DHS's IT strategic planning processes (e.g., the development of milestones related to activities associated with each of DHS's IT priorities).

* With respect to our recommendation on IT staffing, DHS stated that on July 30, 2004, the CIO approved funding for an IT human capital center of excellence. This center is tasked with delivering plans, processes, and procedures to execute an IT human capital strategy and to conduct an analysis of the skill sets of DHS IT professionals. DHS's stated action represents a first step toward accomplishing these activities.

DHS also provided specific comments on our characterization of the department's progress related to its IT investment management process. The department described its IT investment governance boards and processes and stated that it believed that its IT investment management process has matured and that IT investments are subject to a rigorous corporate review. While our report acknowledges that DHS had changed its IT investment management process to reflect lessons learned and continuous improvement of the process, we believe that our characterization of this process as still maturing is appropriate.
For example, the directive that instructs DHS component entities on which investments need to be approved and by what governance board does not reflect the current process. Regarding DHS's comment that its IT investments are subject to a rigorous corporate review, as we reported, DHS has not established a process to ensure that control reviews of IT investments are performed in a timely manner and many of DHS's IT investments have not undergone such reviews. Lastly, DHS provided technical comments, which we addressed in the report as appropriate. DHS's written comments, along with our responses, are reproduced in appendix II.

As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies of this report to the Secretary of Homeland Security and the Director, Office of Management and Budget. Copies will also be available at no charge on GAO's Web site at http://www.gao.gov.

If you have any questions on matters discussed in this report, please contact Randy Hite at (202) 512-3439 or via e-mail at hiter@gao.gov. Other key contributors to this report were Season Dietrich, Tamra Goldstein, and Linda Lambert.

Signed by:
Randolph C. Hite
Director, Information Technology Architecture and Systems Issues

Signed by:
David A. Powner
Director, Information Technology Management Issues

Appendixes:

Appendix I: Department of Homeland Security Governance Entities:

Governance board: Investment Review Board
Membership: Chaired by Deputy Secretary; members include under secretaries and other department executives, including the Chief Information Officer (CIO)
Example of responsibilities: Makes final determination as to whether to approve level 1 investments

Governance board: Department of Homeland Security (DHS) Management Council
Membership: Chaired by Under Secretary for Management; members include chief operating officers or equivalents
Example of responsibilities: Ensures that management activities are in alignment with DHS mission, strategies, and goals; makes recommendations regarding departmental management policies, procedures, and processes

Governance board: Joint Requirements Council
Membership: Chaired by chief operating officers or equivalent of one of the line agencies on a rotating basis (currently 1 year); members include senior managers,[A] including the Chief Technology Officer, who is within the office of the CIO
Example of responsibilities: Decision authority for level 2 investments[B]; reviews all projects/programs and new initiatives greater than $100 million in preparation for the investment review board; validates requirements

Governance board: Asset Management Board
Membership: Chaired by DHS Director of Asset Management; members are designated asset managers from the component agencies
Example of responsibilities: Reviews and approves real property acquisitions, sales, and transfers $1 million and above; develops and implements asset management policy, procedures, and business practices

Governance board: Enterprise Architecture Board
Membership: Chaired by CIO; members are CIOs from component entities
Example of responsibilities: Performs technical reviews of IT investments; approves IT business cases and develops IT strategic guidance

Governance board: Integrated Product Teams
Membership: Members include subject matter experts from appropriate functional disciplines
Example of responsibilities: Convened by the Joint Requirements Council to address specific issues; has a defined scope and duration and disbands upon completion

Governance board: Commodity Councils/Management Boards
Membership: Members include program and procurement experts from organizational elements
Example of responsibilities: Develop and implement DHS sourcing strategy for a specific commodity and manage specific asset types; coordinate policy formulation and define authorities and processes for achieving integrated asset management

Source: DHS.

[A] Senior executives (SES) with a broad operating background who understand the requirements and capabilities of their agencies and who have sufficient authority to make decisions for the agency in their role on the Joint Requirements Council.

[B] According to the DHS coordinator of this process, level 3 IT investments are approved by the component agency and are subject to review by the CIO, Chief Financial Officer, and Chief Procurement Officer, also known as the Management Review Council. If these officials have concerns about the investment or find that there are cross-programmatic issues to be addressed, they can refer the investment to the Joint Requirements Council for review.

Appendix II: Comments from the Department of Homeland Security:

U.S. Department of Homeland Security
Washington, DC 20528

August 12, 2004

Mr. Randolph Hite
Director, Architecture and Systems Issues
Government Accountability Office
Washington, DC 20548

Dear Mr. Hite:

RE: Draft Report GAO-04-702: Formidable Information Technology Challenge Requires Institutional Approach (GAO Job Code 31.0464)

Thank you for the opportunity to review the above referenced draft report. We generally concur with the draft report's recommendations but there are several items we want to address. DHS appreciates that the draft report acknowledges both DHS's progress and challenges in information and technology management, particularly in light of the diversity of the 22 inherited agencies and the size and complexity of the Department.
DHS is both meeting these challenges while at the same time shepherding the integration of systems and management approaches of is many organizational elements into an enterprise architecture. The draft report discusses the draft IRM Strategic Plan; that DHS had worked on and incorrectly suggests that in March 2004, the Department issued the IRM plan as an official Version 1.0 of its I Strategic Plan. This IRM plan, however, is still draft and does not reflect the full scope of DHS' Strategic Planning initiative. The DHS Chief Information Officer (CIO) intends to issue an IT Strategic Plan before the end of this calendar year. Nevertheless, the Department's IT efforts are designed to support the Department's Strategic Plan goals. As noted in the draft GAO report, the DHS CIO, in conjunction with the DHS CIO Council has identified eight priority areas and has developed roadmaps for each of these priorities. These roadmaps include a description of the current condition of the areas, the need for change, the planned future state, initiatives underway or needed, and any barriers to achieving these goals. Equally important, the Department released Version 1.0 of its Enterprise Architecture (EA) in September 2003. The Department recognizes that due to time constraints, Version 1.0 was not an all- inclusive product; and accordingly, the Department, continues its efforts to improve and will release Version 2.0 of the EA in September 2004. The draft report states that the investment management process is still maturing and has yet to be institutionalized, and that most projects have not, yet been incorporated into a departmental oversight process. The functionality and effectiveness of the investment governance bodies have matured during the last year. The Investment Review Board (IRB) is the executive review board that I provides acquisition oversight of DHS Level 1 investments (greater than $100 million), and conducts portfolio management reviews. 
The IRB conducts systematic reviews of investment submissions and approves key decisions. It also serves as a forum for iscussing investment issues and resolving problems requiring senior management attention. The DHS CIO serves on the IRB and actively participates in all IT investment decisions. Similarly, a Joint Requirements Council (JRC) was established as a senior requirements review board that conducts program reviews to oversee the requirements generation process, validate mission needs statements, review cross-functional needs and requirements, and make programmatic recommendations to the IRB on proposed new programs. The JRC has decision authority for projects/programs whose cost is $50-$100 million. The DHS CIO also is a member of the JRC. In addition, the Department created an Enterprise Architecture Board (EAB) chaired by the CIO and composed of all CIOs from the Organizational Elements. The EAB exercises architecture oversight of IT investments, reviews and approves IT investments with an acquisition cost between $1-$10 million or a Life Cycle Cost of $5-$20 million, and approves IT business cases and develops IT strategic guidance. Another component of this effort involves an Asset Management Board, chaired by the DHS Director of Asset Management, with membership from the Organizational Elements. The Asset Management Board develops and implements asset management policy, procedures and business practices, and establishes asset management controls and program metrics. This Board reviews IT programs from various perspectives. Interim guidance governing DHS investment review process responsibilities was issued in May 2004. For certain, the DHS investment management process has matured through the above described processes and structures. As a result, DHS IT investments are subject to a rigorous corporate review. 
The draft report states that, as related to information security management, DHS did not have a process to ensure that all plans of action and milestones (POAM) for identified weaknesses were developed, implemented, and managed. The Department has instituted use of a tool, Trusted Agent FISMA, which allows the CIO and the Chief Information Security Officer (CISO) to monitor each Organizational Element's progress in developing and achieving the milestones identified in the POAM. On the other hand, the draft report also states that "DHS has developed an information security program strategic plan, which identifies major program areas, goals, and objectives. These major security program areas allow DHS to implement and maintain information security as part of its capital investment control process, systems development life cycle, and the enterprise architecture, and are essential to providing security services that protect the confidentiality, integrity, and availability of information and to provide accountability for activities on DHS networks and computing platforms." We find such statements somewhat conflicting as presented. Human capital management issues are the key to successful implementation of the Department and are crucial to design, development, implementation, and maintenance of information and technologies. The draft report discusses IT human capital management and points out the need for strategic human capital planning. This is a government-wide issue that transcends the IT environment; the DHS CIO has taken steps to address (GAO's concerns. For example, there is currently underway an initiative that responds directly 'to your recommendation, regarding analysis of IT staff to determine whether IT professionals have the appropriate skills for the areas in which they are deployed. The DHS CIO, in conjunction. with the DHS CIO Council, has as one of his eight priorities, IT Human Capital. 
On July 30, 2004, the DOS CIO formally approved funding for the IT Human Capital Center of Excellence (COE). The COE is lead by the CIO of the Federal Law Enforcement Training Center (FLETC) and is supported by a Director within the OLIO (Office of the CIO) and a team of Human Capital professionals drawn from several of the Organizational Elements within DHS. The COE is working under thegovernance of the DHS CIO Council and with the guidance of the DHS Chief Human Capital Officer (CHCO) and is tasked with delivering plans, processes and procedures to execute the IT human capital strategy necessary to support the mission and goals of DHS. The COE will be conducting an analysis of the skill sets of all DHS IT professionals. This analysis will include an assessment of which skills are currently held by the IT employees versus which skills are necessary for each employee to have in order to meet the DHS mission and goals. The draft report recommends that the DHS CIO establish IT goals and performance measures to address how information and technology management contributes to program productivity, the efficiency and effectiveness of agency operations, and the service to the public. The draft report, however, glosses over DHS's performance measures process. At the capital and investment level the Department has performance measures that are captured in the OMB Exhibit 300. At the program level DHS is developing more robust monitoring of oo-going programs using key measures. The DHS CIO and the DHS CIO Council have established' eight priority areas: Information Sharing, Governance, IT Human Capital, Enterprise Architecture, Mission Rationalization, Infrastructure, Portfolio Management, and Information Security. Initial roadmaps have been developed for each of these priority areas. Over the next few months, each priority area will develop goals, performance measures, and timelines for implementation. 
The Department interprets GAO's recommendation to establish milestones for the initiation and conception of major information and technology management activities, to mean that there should be an established IT Investment Management structure. Two of the eight priorities established by the DHS CIO and the DHS CIO Council support this recommendation: Enterprise Architecture and Portfolio Management. The DHS CIO is establishing an Enterprise Architecture COE and is developing a Portfolio Management process, which will direct our IT investment decisions. Additionally, we have established and implemented a Capital Planning and Investment Control Process, and have used this process to influence and direct our investments. The Department has developed a draft Systems Development Life Cycle Model which is currently under review and will be implemented in the first quarter of FY 2005. In addition, the Department is developing consolidated tools, processes, and procedures for Program Reviews. Once these initiatives are complete, the Department will have all the elements in place for a robust investment management system covering all aspects of the investment life cycle including the Selection, Control, and Evaluation phases.

We again thank you for the opportunity to provide comments on this report.

Sincerely,

Signed by:

Anna F. Dixon
Director, Departmental GAO/OIG Liaison
Office of the Chief Financial Officer
U.S. Department of Homeland Security

The following are GAO's comments on the Department of Homeland Security's (DHS) letter dated August 12, 2004.

GAO Comments:

1. Although the IRM strategic plan is not labeled draft, we changed our characterization of the plan in the report based on the DHS comments.

2. As discussed in the report, these road maps are draft and incomplete (e.g., they do not include fully defined goals and performance measures).

3. The Joint Requirements Council's charter does not list the CIO as a member of this council; instead the chief technology officer is the Office of the CIO's representative on the council, which is reflected in our report.

4. We believe that our characterization of DHS's IT investment management process as still maturing is appropriate. For example, the May 2003 directive that instructs DHS component entities on which investments need to be approved and by what governance board does not reflect the current process, and more recent DHS documentation related to the process provides inconsistent information.

5. We disagree because, as we stated in the report, DHS has not established a process to ensure that control reviews of IT investments are performed in a timely manner, and many of DHS's IT investments have not undergone such reviews.

6. We added information about the DHS tool to the report.

7. The DHS quote does not include our attribution in the report that the assessment of the information security program areas is the department's own representation. We did not evaluate the information security program strategic plan.

8. We do not agree that these statements are conflicting. The management of the department's plans of action and milestones is just one of many planned actions discussed in the information security program strategic plan.

9. As stated in the report, we agree that human capital management is a key to the success of the department and that the challenges that the federal government faces in maintaining a high-quality IT workforce are long-standing and widely recognized. It is because of these views that we are concerned that the department did not meet the CIO's goal of having a current inventory of IT skills by July 2003 and an action plan by September 2003. Nevertheless, DHS's stated action represents a first step toward accomplishing these activities.

10. Our report dealt with enterprise-level performance measures, not project-specific measures as required by the exhibit 300s. With respect to DHS's plans for each of the priority areas, we believe this is consistent with our recommendation.

11. We agree that the two priority areas discussed in the DHS letter are covered by our recommendation. However, our recommendation is broader than just these two areas. Specifically, our recommendation covers any information and technology management activity identified as significant through DHS's IT strategic planning processes (e.g., the development of milestones related to activities associated with each of DHS's IT priorities).

[End of section]

Related GAO Products:

Homeland Security: Efforts Under Way to Develop Enterprise Architecture, but Much Work Remains. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-777] Washington, D.C.: Aug. 6, 2004.

Homeland Security: Performance of Information System to Monitor Foreign Students and Exchange Visitors Has Improved, but Issues Remain. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-690] Washington, D.C.: June 18, 2004.

Human Capital: DHS Faces Challenges In Implementing Its New Personnel System. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-790] Washington, D.C.: June 18, 2004.

Information Technology: Homeland Security Should Better Balance Need for System Integration Strategy with Spending for New and Enhanced Systems. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-509] Washington, D.C.: May 21, 2004.

Information Technology: Early Releases of Customs Trade System Operating, but Pattern of Cost and Schedule Problems Needs to Be Addressed. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-719] Washington, D.C.: May 14, 2004.

Homeland Security: First Phase of Visitor and Immigration Status Program Operating, but Improvements Needed. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-586] Washington, D.C.: May 11, 2004.
Additional Posthearing Questions Related to Proposed Department of Homeland Security (DHS) Human Capital Regulations. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-617R] Washington, D.C.: April 30, 2004.

Project SAFECOM: Key Cross-Agency Emergency Communications Effort Requires Stronger Collaboration. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-494] Washington, D.C.: April 16, 2004.

Posthearing Questions Related to Proposed Department of Homeland Security (DHS) Human Capital Regulations. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-570R] Washington, D.C.: March 22, 2004.

Human Capital: Preliminary Observations on Proposed DHS Human Capital Regulations. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-479T] Washington, D.C.: February 25, 2004.

Aviation Security: Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-385] Washington, D.C.: February 12, 2004.

Information Technology: OMB and Department of Homeland Security Investment Reviews. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-323] Washington, D.C.: February 10, 2004.

Coast Guard: New Communication System to Support Search and Rescue Faces Challenges. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1111] Washington, D.C.: September 30, 2003.

Human Capital: DHS Personnel System Design Effort Provides for Collaboration and Employee Participation. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1099] Washington, D.C.: September 30, 2003.

Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-1083] Washington, D.C.: September 19, 2003.

Information Technology: Homeland Security Needs to Improve Entry Exit System Expenditure Planning. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-563] Washington, D.C.: June 9, 2003.
Homeland Security: Information Sharing Responsibilities, Challenges, and Key Management Issues. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-715T] Washington, D.C.: May 8, 2003.

Customs Service Modernization: Automated Commercial Environment Progressing, but Further Acquisition Management Improvements Needed. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-406] Washington, D.C.: February 28, 2003.

Major Management Challenges and Program Risks: Department of Homeland Security. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-102] Washington, D.C.: January 2003.

Homeland Security: Information Technology Funding and Associated Management Issues. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-250] Washington, D.C.: December 13, 2002.

National Preparedness: Integrating New and Existing Technology and Information Sharing into an Effective Homeland Security Strategy. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-811T] Washington, D.C.: June 7, 2002.

Customs Service Modernization: Management Improvements Needed on High-Risk Automated Commercial Environment Project. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-545] Washington, D.C.: May 13, 2002.

(310464)

FOOTNOTES

[1] Statement of Admiral James Loy, Deputy Secretary, Department of Homeland Security, before the House Select Committee on Homeland Security, May 6, 2004.

[2] Generally speaking, an enterprise architecture connects an organization's strategic plan with program and system solution implementations by providing the fundamental information details needed to guide and constrain implementable investments in a consistent, coordinated, and integrated fashion.

[3] GAO, Homeland Security: Efforts Under Way to Develop Enterprise Architecture, but Much Work Remains, GAO-04-777 (Washington, D.C.: Aug. 6, 2004).
[4] For example, see GAO, Major Management Challenges and Program Risks: Department of Homeland Security, GAO-03-102 (Washington, D.C.: January 2003) and Homeland Security: Proposal for Cabinet Agency Has Merit, but Implementation Will be Pivotal to Success, GAO-02-886T (Washington, D.C.: June 25, 2002).

[5] GAO, Homeland Security: Information Sharing Responsibilities, Challenges, and Key Management Issues, GAO-03-715T (Washington, D.C.: May 8, 2003).

[6] GAO, Major Management Challenges and Program Risks: A Governmentwide Perspective, GAO-03-95 (Washington, D.C.: January 2003).

[7] As we recently reported, the Congress has made agency CIOs statutorily responsible for some of these key elements, such as IT investment management, information security management, and IT human capital management. See GAO, Federal Chief Information Officers: Responsibilities, Reporting Relationships, Tenure, and Challenges, GAO-04-823 (Washington, D.C.: July 21, 2004).

[8] 44 U.S.C. 3506(a).

[9] GAO, Executive Guide: Measuring Performance and Demonstrating Results of Information Technology Investments, GAO/AIMD-98-89 (Washington, D.C.: March 1998).

[10] 44 U.S.C. 3506(h); 40 U.S.C. 11313.

[11] A balanced scorecard is a tool to measure performance at various levels of an organization and to provide employees with data to help them achieve individual and organizational results.

[12] GAO, Information Technology: Homeland Security Should Better Balance Need for System Integration Strategy with Spending for New and Enhanced Systems, GAO-04-509 (Washington, D.C.: May 21, 2004).

[13] For example, see GAO, Architect of the Capitol: Management and Accountability Framework Needed for Organizational Transformation, GAO-03-231 (Washington, D.C.: Jan. 17, 2003) and Maximizing the Success of Chief Information Officers: Learning from Leading Organizations, GAO-01-376G (Washington, D.C.: February 2001).

[14] E-Government Act of 2002, Public Law 107-347 (Dec. 17, 2002).
[15] GAO, National Preparedness: Integrating New and Existing Technology and Information Sharing into an Effective Homeland Security Strategy, GAO-02-811T (Washington, D.C.: June 7, 2002).

[16] GAO-04-777.

[17] GAO, Information Technology: Early Releases of Customs Trade System Operating, but Pattern of Cost and Schedule Problems Needs to Be Addressed, GAO-04-719 (Washington, D.C.: May 14, 2004) and Homeland Security: First Phase of Visitor and Immigration Status Program Operating, but Improvements Needed, GAO-04-586 (Washington, D.C.: May 11, 2004).

[18] This management directive covers both IT and non-IT investments.

[19] GAO, Information Technology: OMB and Department of Homeland Security Investment Reviews, GAO-04-323 (Washington, D.C.: Feb. 10, 2004).

[20] GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO-04-394G (Washington, D.C.: March 2004).

[21] The investment review team was made up of representatives from the offices of the CIO, the chief financial officer, and the chief procurement officer, as well as several component agencies.

[22] GAO, Aviation Security: Computer-Assisted Passenger Prescreening System Faces Significant Implementation Challenges, GAO-04-385 (Washington, D.C.: Feb. 12, 2004) and GAO-04-719.

[23] GAO-04-586.

[24] GAO-04-323.

[25] Carnegie Mellon University's Software Engineering Institute is recognized for its expertise in developing models and methods that define and determine organizations' software-intensive systems process maturity.

[26] GAO, Customs Service Modernization: Management Improvements Needed on High-Risk Automated Commercial Environment Project, GAO-02-545 (Washington, D.C.: May 13, 2002) and Homeland Security: Risks Facing Key Border and Transportation Security Program Need to be Addressed, GAO-03-1083 (Washington, D.C.: Sept. 19, 2003).

[27] GAO-04-719.

[28] GAO-04-586.
[29] GAO, Year 2000 Computing Crisis: A Testing Guide, GAO/AIMD-10.1.21 (Washington, D.C.: November 1998).

[30] GAO, Coast Guard: New Communication System to Support Search and Rescue Faces Challenges, GAO-03-1111 (Washington, D.C.: Sept. 30, 2003).

[31] GAO-04-385 and GAO-04-586.

[32] GAO-04-385.

[33] GAO, Homeland Security: Performance of Information System to Monitor Foreign Students and Exchange Visitors Has Improved, but Issues Remain, GAO-04-690 (Washington, D.C.: June 18, 2004).

[34] See, for example, GAO/AIMD-98-89 and GAO/AIMD-10.1.21.

[35] See GAO, High-Risk Series: Protecting Information Systems Supporting the Federal Government and the Nation's Critical Infrastructures, GAO-03-121 (Washington, D.C.: January 2003) for our latest high-risk series report on this issue.

[36] 44 U.S.C. 3545.

[37] Department of Homeland Security, Office of Inspector General, DHS Information Technology: Information Security Program Evaluation, FY2003, OIG-IT-03-02 (September 2003).

[38] Department of Homeland Security, Office of Inspector General, Inadequate Security Controls Increase Risks to DHS Wireless Networks, OIG-04-27 (June 2004).

[39] Accreditation is the authorization of an IT system to process, store, or transmit information, granted by a management official that provides a form of quality control and challenges managers and technical staff to find the best fit for security, given technical constraints, operational constraints, and mission requirements. Certification is the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.

[40] GAO, Executive Guide: Information Security Management, GAO/AIMD-98-68 (Washington, D.C.: May 1998).
[41] GAO, Information Technology: Homeland Security Needs to Improve Entry Exit System Expenditure Planning, GAO-03-563 (Washington, D.C.: June 9, 2003).

[42] GAO-04-586.

[43] Department of Homeland Security, Performance and Accountability Report, Fiscal Year 2003 (Feb. 13, 2004).

[44] GAO-03-715T.

[45] GAO, Homeland Security: Information Sharing Responsibilities, Challenges, and Key Management Issues, GAO-03-1165T (Washington, D.C.: Sept. 17, 2003).

[46] GAO, Critical Infrastructure Protection: Improving Information Sharing with Infrastructure Sectors, GAO-04-780 (Washington, D.C.: July 9, 2004).

[47] GAO, Information Sharing: Practices That Can Benefit Critical Infrastructure Protection, GAO-02-24 (Washington, D.C.: Oct. 15, 2001).

[48] Data mining is the application of database technology and techniques--such as statistical analysis and modeling--to uncover hidden patterns and subtle relationships in data and to infer rules that allow for the prediction of future results.

[49] GAO, Data Mining: Federal Efforts Cover a Wide Range of Uses, GAO-04-548 (Washington, D.C.: May 4, 2004).

[50] As part of our methodology for this report, we aggregated the data collected by each agency and sent them to the agency chief information officer, comparable official, or their designee, and asked that they review the characteristics for completeness and accuracy. DHS did not respond to our request to review the reported data.

[51] 5 U.S.C. 552a.

[52] GAO-04-385.

[53] We refer to the eight Fair Information Practices proposed in 1980 by the Organization for Economic Cooperation and Development and that were endorsed by the U.S. Department of Commerce in 1981. These are collection limitation, purpose specification, use limitation, data quality, security safeguards, openness, individual participation, and accountability.

[54] GAO, Paperwork Reduction Act: Agencies' Paperwork Burden Estimates Due to Federal Actions Continue to Increase, GAO-04-676T (Washington, D.C.: Apr. 20, 2004).
[55] GAO-01-376G.

[56] GAO, Human Capital: DHS Personnel System Design Effort Provides for Collaboration and Employee Participation, GAO-03-1099 (Washington, D.C.: Sept. 30, 2003); Human Capital: Preliminary Observations on Proposed DHS Human Capital Regulations, GAO-04-479T (Washington, D.C.: Feb. 25, 2004); Posthearing Questions Related to Proposed Department of Homeland Security (DHS) Human Capital Regulations, GAO-04-570R (Washington, D.C.: Mar. 22, 2004); and Additional Posthearing Questions Related to Proposed Department of Homeland Security (DHS) Human Capital Regulations, GAO-04-617R (Washington, D.C.: Apr. 30, 2004).

[57] GAO, Human Capital: DHS Faces Challenges In Implementing Its New Personnel System, GAO-04-790 (Washington, D.C.: June 18, 2004).

[58] Department of Homeland Security, Office of Inspector General, Improvements Needed To DHS' Information Technology Management Structure, OIG-04-30 (July 2004).

[59] GAO-02-545.

[60] GAO-04-719.

[61] GAO-03-1083 and GAO-04-586.

[62] GAO, Human Capital: Key Principles for Effective Strategic Workforce Planning, GAO-04-39 (Washington, D.C.: Dec. 11, 2003).

GAO's Mission:

The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet.
