Homeland Security
Progress Continues, but Challenges Remain on Department's Management of Information Technology
GAO ID: GAO-06-598T March 29, 2006
Information technology (IT) is a critical tool for the Department of Homeland Security (DHS), not only in performing its mission today, but also in transforming how it will do so in the future. In light of the importance of this transformation and the magnitude of the associated challenges, GAO has designated the implementation of the department and its transformation as high risk. GAO has reported that in order to effectively leverage IT as a transformation tool, DHS needs to establish certain institutional management controls and capabilities, such as having an enterprise architecture and making informed portfolio-based decisions across competing IT investments. GAO has also reported that it is critical for the department to implement these controls and associated best practices on its many IT investments. In its past work, GAO has made numerous recommendations on DHS institutional controls and on individual IT investment projects. The testimony is based on GAO's body of work in these areas, covering the state of DHS IT management both on the institutional level and the individual program level.
DHS continues to work to institutionalize IT management controls and capabilities (disciplines) across the department. Among these are (1) having and using an enterprise architecture, or corporate blueprint, as an authoritative frame of reference to guide and constrain IT investments; (2) defining and following a corporate process for informed decision making by senior leadership about competing IT investment options; (3) applying system and software development and acquisition discipline and rigor when defining, designing, developing, testing, deploying, and maintaining systems; (4) establishing a comprehensive information security program to protect its information and systems; (5) having sufficient people with the right knowledge, skills, and abilities to execute each of these areas now and in the future; and (6) centralizing leadership for extending these disciplines throughout the organization with an empowered Chief Information Officer. Over the last 3 years, the department has made efforts to establish and implement these IT management disciplines, but it has more to do. Despite progress, for instance, in developing its enterprise architecture and its investment management processes, much work remains before these and the other disciplines are fully mature and institutionalized. For example, although the department recently completed a comprehensive inventory of its major information systems--a prerequisite for effective security management--it has not fully implemented a comprehensive information security program, and its other institutional IT disciplines are still evolving. The department also has more to do in deploying and operating IT systems and infrastructure in support of core mission operations, such as border and aviation security. For example, a system to identify and screen visitors entering the country has been deployed and is operating, but a related exit capability largely is not. 
Also, a government-run system to prescreen domestic airline passengers is not yet in place. Similarly, some infrastructure has been delivered, but goals related to consolidating networks and e-mail systems, for example, remain to be fully accomplished. Similarly, GAO's review of key nonfinancial systems shows that DHS has more to do before the IT disciplines discussed above are consistently employed. For example, these programs have not consistently employed reliable cost estimating practices, effective requirements development and test management, meaningful performance measurement, strategic workforce management, and proactive risk management, among other recognized program management best practices. Until the department fully establishes and consistently implements the full range of IT management disciplines embodied in best practices and federal guidance, it will be challenged in its ability to manage and deliver programs.
This is the accessible text file for GAO report number GAO-06-598T
entitled 'Homeland Security: Progress Continues, but Challenges Remain
on Department's Management of Information Technology' which was
released on March 30, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before Congressional Subcommittees:
For Release on Delivery:
Expected at 3:00 p.m. EST Wednesday, March 29, 2006:
Homeland Security:
Progress Continues, but Challenges Remain on Department's Management of
Information Technology:
Statement of Randolph C. Hite, Director:
Information Technology Architecture and Systems Issues:
GAO-06-598T:
GAO Highlights:
Highlights of GAO-06-598T, a testimony before congressional
subcommittees:
Why GAO Did This Study:
Information technology (IT) is a critical tool for the Department of
Homeland Security (DHS), not only in performing its mission today, but
also in transforming how it will do so in the future. In light of the
importance of this transformation and the magnitude of the associated
challenges, GAO has designated the implementation of the department and
its transformation as high risk.
GAO has reported that in order to effectively leverage IT as a
transformation tool, DHS needs to establish certain institutional
management controls and capabilities, such as having an enterprise
architecture and making informed portfolio-based decisions across
competing IT investments. GAO has also reported that it is critical for
the department to implement these controls and associated best
practices on its many IT investments.
In its past work, GAO has made numerous recommendations on DHS
institutional controls and on individual IT investment projects. The
testimony is based on GAO's body of work in these areas, covering the
state of DHS IT management both on the institutional level and the
individual program level.
What GAO Found:
DHS continues to work to institutionalize IT management controls and
capabilities (disciplines) across the department. Among these are
* having and using an enterprise architecture, or corporate blueprint,
as an authoritative frame of reference to guide and constrain IT
investments;
* defining and following a corporate process for informed decision
making by senior leadership about competing IT investment options;
* applying system and software development and acquisition discipline
and rigor when defining, designing, developing, testing, deploying, and
maintaining systems;
* establishing a comprehensive information security program to protect
its information and systems;
* having sufficient people with the right knowledge, skills, and
abilities to execute each of these areas now and in the future; and
* centralizing leadership for extending these disciplines throughout
the organization with an empowered Chief Information Officer.
Over the last 3 years, the department has made efforts to establish and
implement these IT management disciplines, but it has more to do.
Despite progress, for instance, in developing its enterprise
architecture and its investment management processes, much work remains
before these and the other disciplines are fully mature and
institutionalized. For example, although the department recently
completed a comprehensive inventory of its major information systems--a
prerequisite for effective security management--it has not fully
implemented a comprehensive information security program, and its other
institutional IT disciplines are still evolving. The department also
has more to do in deploying and operating IT systems and infrastructure
in support of core mission operations, such as border and aviation
security. For example, a system to identify and screen visitors
entering the country has been deployed and is operating, but a related
exit capability largely is not. Also, a government-run system to
prescreen domestic airline passengers is not yet in place. Similarly,
some infrastructure has been delivered, but goals related to
consolidating networks and e-mail systems, for example, remain to be
fully accomplished.
Similarly, GAO's review of key nonfinancial systems shows that DHS has
more to do before the IT disciplines discussed above are consistently
employed. For example, these programs have not consistently employed
reliable cost estimating practices, effective requirements development
and test management, meaningful performance measurement, strategic
workforce management, and proactive risk management, among other
recognized program management best practices.
Until the department fully establishes and consistently implements the
full range of IT management disciplines embodied in best practices and
federal guidance, it will be challenged in its ability to manage and
deliver programs.
www.gao.gov/cgi-bin/getrpt?GAO-06-598T.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Randolph C. Hite at (202)
512-3439 or hiter@gao.gov.
[End of section]
Mr. Chairmen and Members of the Subcommittees,
I appreciate the opportunity to participate in today's joint oversight
hearing on Department of Homeland Security (DHS) efforts to effectively
manage information technology (IT). As you know, IT is a critical tool
in DHS's quest to transform 22 diverse and distinct agencies--some with
longstanding management weaknesses--into a single, integrated, high-
performing department. In light of the importance of this
transformation and the magnitude of the associated challenges, in 2003
we designated the implementation of the department and its
transformation as a high-risk undertaking.[Footnote 1]
For DHS to effectively leverage IT as a transformation enabler, we
reported in 2004 that it needed to put firmly in place certain
institutional management controls and capabilities, such as having an
enterprise architecture and a process for making informed portfolio-
based decisions across competing IT investments.[Footnote 2] These
controls and capabilities are interrelated management disciplines that
collectively help an organization to deliver IT systems and
infrastructure on time and on budget, and to do so in a way that
minimizes risk and maximizes value to the organization as a whole.
My testimony today addresses the state of DHS IT management on two
levels: the institutional level and the individual program level. At
the department level, it addresses efforts to establish corporate
management controls, such as enterprise architecture, IT investment
management, and the empowerment of the Chief Information Officer (CIO)
to lead the department's IT activities. At the program level, it
addresses the extent to which the institutional management controls are
actually being implemented on key nonfinancial systems (such as those
related to border and aviation security), pointing out the pitfalls to
avoid and best practices to employ in managing these IT investments.
In summary, DHS continues to work to institutionalize the range of IT
management controls and capabilities that our research and past work
have shown are fundamental to any organization's ability to use
technology effectively to transform itself and accomplish mission
goals.[Footnote 3] Among these IT management controls and capabilities
are:
* having and using an enterprise architecture, or corporate blueprint,
as an authoritative frame of reference to guide and constrain system
investments;
* defining and following a corporate process for informed decision
making by senior leadership about competing IT investment options;
* applying system and software development and acquisition discipline
and rigor when defining, designing, developing, testing, deploying, and
maintaining systems;
* establishing a comprehensive, departmentwide information security
program to protect information and systems;
* having sufficient people with the right knowledge, skills, and
abilities to execute each of these areas now and in the future; and
* centralizing leadership for extending these disciplines throughout
the organization with an empowered Chief Information Officer.
Despite its efforts over the last 3 years, the department has more to
do before each of these management controls and capabilities is fully
in place and is integral to how each system investment is managed. In
this regard, our reviews of key nonfinancial systems show that, for
example, DHS IT programs have not consistently employed reliable cost
estimating practices, effective requirements development and test
management, meaningful performance measurement, strategic workforce
management, and proactive management of risks, among other recognized
program management best practices.
The department also has more to do with respect to deploying and
operating the mix of IT systems and infrastructure that are needed to
support core mission operations, such as border and aviation security.
For example, although a system to identify and screen visitors entering
the country has been deployed and is operating, a related exit
capability largely is not. Also, a government-run capability to
prescreen domestic airline passengers is not yet in place. Similarly,
while certain system and infrastructure capabilities have been
delivered, goals related to consolidating data centers and networks and
employing a common e-mail system, for example, remain to be fully
accomplished.
To assist the department in addressing its IT needs and management
challenges, we have made a series of recommendations for both
institutional and program-specific improvements. Spanning these
recommendations is one for ensuring that the CIO is sufficiently
empowered to extend management discipline and implement common IT
solutions across the department. We look forward to working with DHS
leadership as it implements these recommendations.
In preparing this testimony, we drew extensively from our previous work
on DHS's IT management controls and capabilities and their application
on key department programs and projects. In addition, we reviewed
documentation and interviewed responsible DHS officials, including the
CIO. All the work on which this testimony is based was performed in
accordance with generally accepted government auditing standards.
Background:
DHS's mission is to lead the unified national effort to secure America
by preventing and deterring terrorist attacks and protecting against
and responding to threats and hazards to the nation. DHS also is to
ensure safe and secure borders, welcome lawful immigrants and visitors,
and promote the free flow of commerce.
Created in March 2003, DHS has assumed operational control of about
209,000 civilian and military positions from 22 agencies and offices
specializing in one or more aspects of homeland security.[Footnote 4]
The intent behind DHS's merger and transformation was to improve
coordination, communication, and information sharing among the multiple
federal agencies responsible for protecting the homeland. Not since the
creation of the Department of Defense in 1947 has the federal
government undertaken a transformation of this magnitude. As we
reported before the department was created,[Footnote 5] such a
transformation is critically important and poses significant management
and leadership challenges. For these reasons, we designated the
implementation of the department and its transformation as high risk;
we also pointed out that failure to effectively address DHS's
management challenges and program risks could have serious consequences
for our national security.
Among DHS's transformation challenges, we highlighted the formidable
hurdle of integrating numerous mission-critical and mission support
systems and associated IT infrastructure. For the department to
overcome this hurdle, we emphasized the need for DHS to establish an
effective IT governance framework, including controls aimed at
effectively managing IT-related people, processes, and tools.
DHS Components and IT Spending:
To accomplish its mission, the department is organized into various
components, each of which is responsible for specific homeland security
missions and for coordinating related efforts with its sibling
components, as well as external entities. Table 1 shows DHS's principal
organizations and their missions. An organizational structure is shown
in figure 1.
Table 1: DHS's Principal Organizations and Their Missions:
Principal organizations[A]: Citizenship and Immigration Services;
Missions: Responsible for the administration of immigration and
naturalization adjudication functions and establishing immigration
services policies and priorities.
Principal organizations[A]: Coast Guard;
Missions: Protects the public, the environment, and U.S. economic
interests in the nation's ports and waterways, along the coast, on
international waters, and in any maritime region as required to support
national security.
Principal organizations[A]: Customs and Border Protection;
Missions: Responsible for protecting the nation's borders in order to
prevent terrorists and terrorist weapons from entering the United
States, while facilitating the flow of legitimate trade and travel.
Principal organizations[A]: Federal Emergency Management Agency;
Missions: Prepares the nation for hazards, manages federal response and
recovery efforts following any national incident, and administers the
National Flood Insurance Program.
Principal organizations[A]: Immigration and Customs Enforcement;
Missions: The largest investigative arm of the department, responsible
for identifying and shutting down vulnerabilities in the nation's
border, economic, transportation, and infrastructure security.
Principal organizations[A]: Management Directorate;
Missions: Responsible for department budgets and appropriations,
expenditure of funds, accounting and finance, procurement, human
resources, information technology systems, facilities and equipment,
and the identification and tracking of performance measurements. This
directorate includes the offices of the Chief Financial Officer and the
Chief Information Officer.
Principal organizations[A]: Preparedness Directorate;
Missions: Works with state, local, and private sector partners to
identify threats, determine vulnerabilities, and target resources where
risk is greatest, thereby safeguarding borders, seaports, bridges and
highways, and critical information systems.
Principal organizations[A]: Science and Technology Directorate;
Missions: Serves as the primary research and development arm of the
department, responsible for providing federal, state, and local
officials with the technology and capabilities to protect the homeland.
Principal organizations[A]: Secret Service;
Missions: Protects the President and other high-level officials and
investigates counterfeiting and other financial crimes (including
financial institution fraud, identity theft, and computer fraud) and
computer-based attacks on the nation's financial, banking, and
telecommunications infrastructure.
Principal organizations[A]: Transportation Security Administration;
Missions: Protects the nation's transportation systems to ensure
freedom of movement for people and commerce.
Principal organizations[A]: US-VISIT;
Missions: Responsible for developing and implementing a governmentwide
program to record the entry into and exit from the United States of
selected individuals, verify their identity, and confirm their
compliance with the terms of their admission into and stay in this
country.
Sources: DHS (data); GAO (analysis).
[A] This table does not show the organizations that fall under each of
the directorates. This table also does not show all organizations that
report directly to the DHS Secretary and Deputy Secretary, such as
executive secretary, legislative and intergovernmental affairs, public
affairs, chief of staff, inspector general, and general counsel.
[End of table]
Figure 1: DHS Organizational Structure (Simplified and Partial):
[See PDF for image]
[End of figure]
Within the Management Directorate is the Office of the CIO, which is
expected to leverage best available technologies and IT management
practices, provide shared services, coordinate acquisition strategies,
maintain an enterprise architecture that is fully integrated with other
management processes, and advocate and enable business transformation.
Other DHS entities also are responsible or share responsibility for
critical IT management activities. For example, DHS's major
organizational components (e.g., directorates, offices, and agencies)
have their own CIOs and IT organizations. Control over the department's
IT funding is vested primarily with the components' CIOs, who are
accountable to the heads of their respective components.[Footnote 6]
To promote IT coordination across DHS component boundaries, the DHS CIO
established a CIO Council, chaired by the CIO and composed of component-
level CIOs. According to its charter, the specific functions of the
council include establishing a strategic plan, setting priorities for
departmentwide IT, identifying opportunities for sharing resources,
coordinating multibureau projects and programs, and consolidating
activities.
To accomplish their respective missions, DHS and its component
organizations rely extensively on IT. For example, in fiscal year 2006
DHS IT funding totaled about $3.64 billion, and in fiscal year 2007 DHS
has requested about $4.16 billion. For fiscal year 2006, DHS reported
that this funding supported 279 major IT programs. Table 2 shows the
fiscal year 2006 IT funding that was provided to key DHS components.
Table 2: IT Funding for Fiscal Year 2006:
Dollars in millions:
DHS components and investments: Citizenship and Immigration Services;
Funding: $388.8.
DHS components and investments: Coast Guard;
Funding: $201.3.
DHS components and investments: Customs and Border Protection;
Funding: $423.7.
DHS components and investments: Federal Emergency Management
Agency;
Funding: $93.5.
DHS components and investments: Immigration and Customs Enforcement;
Funding: $166.8.
DHS components and investments: Management Directorate: eMerge2[A];
Funding: $17.8.
DHS components and investments: Management Directorate: Enterprise
Application Delivery[B];
Funding: $20.3.
DHS components and investments: Management Directorate: Enterprise
Architecture and Investment Management Program[C];
Funding: $34.6.
DHS components and investments: Management Directorate: Enterprise-
Geospatial System[D];
Funding: $13.1.
DHS components and investments: Management Directorate: Homeland Secure
Data Network[E];
Funding: $32.7.
DHS components and investments: Management Directorate: Human Resources
IT[F];
Funding: $20.8.
DHS components and investments: Management Directorate: Information
Security Program[G];
Funding: $54.1.
DHS components and investments: Management Directorate: Integrated
Wireless Network[I];
Funding: $261.7.
DHS components and investments: Management Directorate: Watch List and
Technical Integration[J];
Funding: $9.9.
DHS components and investments: Management Directorate: OCIO salaries
and expenses;
Funding: $15.5.
DHS components and investments: Management Directorate: Other IT
infrastructure[H];
Funding: $887.2.
DHS components and investments: Management Directorate: Other;
Funding: $31.6.
DHS components and investments: Preparedness Directorate;
Funding: $215.4.
DHS components and investments: Science and Technology Directorate;
Funding: $33.2.
DHS components and investments: Secret Service;
Funding: $3.8.
DHS components and investments: Transportation Security Administration;
Funding: $333.2.
DHS components and investments: US-VISIT;
Funding: $341.0.
DHS components and investments: Other DHS components;
Funding: $40.2.
DHS components and investments: Total;
Funding: $3,640.2.
Source: GAO analysis of DHS data.
[A] eMerge2 is an initiative planned to integrate the business and
financial management policies, processes and systems of DHS into a
single solution with the goal of meeting the department's financial
management, acquisition, and asset management needs.
[B] Enterprise Application Delivery is intended to consolidate existing
and planned Web pages and platforms of the DHS component organizations.
[C] Enterprise Architecture and Investment Management Program is
intended to develop the department's enterprise architecture and
implement the transition strategy through the department's investment
management process.
[D] Enterprise-Geospatial System is planned to establish a framework,
organizational structure, and requisite resources to enable
departmentwide use of geographic information systems.
[E] Homeland Secure Data Network is an effort to merge disparate
classified networks into a single, integrated network to enable, among
other things, the secure sharing of intelligence and other information.
[F] HR IT includes the set of DHS enterprisewide systems to support the
personnel regulations such as Max.R.
[G] Information Security Program is intended to establish information
security policies and procedures throughout the department to protect
the confidentiality, integrity, and availability of information.
[H] Other infrastructure includes initiatives with the goal of creating
a single, consolidated, and secure infrastructure to ensure
connectivity among the department's 22 component organizations.
[I] The Integrated Wireless Network is to deliver the wireless
communications services required by agents and officers of DHS,
Justice, and Treasury.
[J] Watch List and Technical Integration is to increase effective
information sharing by consolidating, re-using, and retiring
applications that develop multiple terrorist watch lists being used by
multiple operating entities within the government.
[End of table]
GAO Has Reviewed Several of DHS's Mission-Critical IT Programs:
In view of the importance of major IT programs to the department's
mission, the Congress has taken a close interest in certain mission-
critical programs, often directing us to review and evaluate program
management, progress, and spending. Among the programs that we have
reviewed are the following:
* US-VISIT (the United States Visitor and Immigrant Status Indicator
Technology) has several major goals: to enhance the security of our
citizens and visitors and ensure the integrity of the U.S. immigration
system, and at the same time to facilitate legitimate trade and travel
and protect privacy. To achieve these goals, US-VISIT is to record the
entry into and exit from the United States of selected travelers,
verify their identity, and determine their compliance with the terms of
their admission and stay. As of October 2005, US-VISIT officials
reported that about $1.4 billion had been appropriated for the program.
* The Automated Commercial Environment (ACE) is a Customs and Border
Protection (CBP) program to modernize trade processing systems and
support border security. Its goals include enhancing analysis and
information sharing with other government agencies; providing an
integrated, fully automated information system for commercial import
and export data; and reducing costs for the government and the trade
community through streamlining. To date, CBP reports that the program
has received almost $1.7 billion in funding.
* The America's Shield Initiative (ASI) program (now cancelled) was to
enhance DHS's ability to provide surveillance and protection of the
U.S. northern and southern borders through a system of sensors,
databases, and cameras. The program was also to address known
limitations of the current Integrated Surveillance Intelligence System
(ISIS) and to support DHS's antiterrorism mission, including its need
to exchange information with state, local, and federal law enforcement
organizations. As of September 2005, ASI officials reported that about
$340.3 million had been spent on the program. As of December 2005, the
program was subsumed within the Secure Border Initiative, the
department's broader border and interior enforcement strategy.
* The Secure Flight program is developing a system to perform passenger
prescreening for domestic flights: that is, the matching of passenger
information against terrorist watch lists to identify persons who
should undergo additional security scrutiny. The goal is to prevent
people suspected of posing a threat to aviation from boarding
commercial aircraft in the United States, while protecting passengers'
privacy and civil liberties. The program also aims to reduce the number
of people unnecessarily selected for secondary screening. To date, TSA
officials report that about $144 million has been spent on the program.
* The Atlas program is intended to modernize the IT infrastructure of
Immigration and Customs Enforcement (ICE). The goals of the program are
to, among other things, improve information sharing, strengthen
information security, and improve workforce productivity. ICE estimates
the life cycle cost of Atlas to be roughly $1 billion.
* The Student and Exchange Visitor Information System (SEVIS) is an
Internet-based system that is to collect and record information on
foreign students, exchange visitors, and their dependents--before they
enter the United States, when they enter, and during their stay.
Through fiscal year 2006, the department expects to have spent, in
total, about $133.5 million on this program.
* The Rescue 21 program is to replace and modernize the Coast Guard's 30-
year-old search and rescue communication system, the National Distress
and Response System. The modernization is to, among other things,
increase the Coast Guard's communication coverage area in the United
States; allow electronic tracking of department vessels and other
mobile assets; enable better communication with other federal and state
systems; and provide for secure communication of sensitive information.
The Coast Guard reports that it plans to spend about $373.1 million on
the program by the end of fiscal year 2006. It also estimates the program's
life cycle cost to be $710 million.
IT Management Controls and Capabilities Are Important:
Our research on leading private and public sector organizations, as
well as our past work at federal departments and agencies, shows that
successful organizations embrace the central role of IT as an enabler
for enterprisewide transformation.[Footnote 7] These leading
organizations develop and implement institutional or agencywide IT
management controls and capabilities (people, processes, and tools)
that help ensure that the vast potential of technology is applied
effectively to achieve desired mission outcomes. Among these IT
management controls and capabilities are:
* enterprise architecture development and use,
* IT investment management,
* system development and acquisition process discipline,
* information security management, and
* IT human capital management.[Footnote 8]
In addition, these organizations establish these controls and
capabilities within a governance structure that centralizes leadership
in an empowered CIO.
These controls and capabilities are interdependent and interrelated IT
management disciplines, as shown in figure 2. If effectively
established and implemented, they can go a long way in determining how
successfully an organization leverages IT to achieve mission goals and
outcomes.
Figure 2: Interrelated Keys to Successful IT Management (image not
reproduced in this text version).
Note: Figure shows topics addressed in this testimony; other key IT
management areas include IT strategic planning and information
management.
DHS Is Making Progress but Has Yet to Fully Institutionalize IT
Management Controls and Capabilities:
Over the last 3 years, our work has shown that the department has
continued to work to establish effective corporate governance and
associated IT management controls and capabilities, but progress in
each of the key areas has been uneven, and more remains to be
accomplished. Until it fully institutionalizes effective governance
controls and capabilities, it will be challenged in its ability to
leverage IT to support transformation and mission results.
Enterprise Architecture:
Leading organizations recognize the importance of having and using an
enterprise architecture, or corporate blueprint, as an authoritative
operational and technical frame of reference to guide and constrain IT
investments. In brief, an enterprise architecture provides systematic
structural descriptions--in useful models, diagrams, tables, and
narrative--of how a given entity operates today and how it plans to
operate in the future, and it includes a road map for transitioning
from today to tomorrow. Our experience with federal agencies has shown
that attempting to modernize systems without having an enterprise
architecture often results in systems that are duplicative, not well
integrated, unnecessarily costly to maintain, and limited in terms of
optimizing mission performance.[Footnote 9]
To assist agencies in effectively developing, maintaining, and
implementing an enterprise architecture, we published a framework for
architecture management, grounded in federal guidance and recognized
best practices.[Footnote 10] The underpinning of this framework is a
five-stage maturity framework outlining steps toward achieving a stable
and mature enterprise architecture program. The framework describes 31
practices or conditions, referred to as core elements, that are needed
for effective architecture management.
We have previously reported on DHS's effort to develop its enterprise
architecture from two perspectives. First, in November 2003, we
reported on DHS's architecture management program relative to the
framework described above.[Footnote 11] At that time, we found that the
department had implemented many of the practices described in our
framework. For example, the department had, among other things,
assigned architecture development, maintenance, program management, and
approval responsibilities; created policies governing architecture
development and maintenance; and formulated plans to develop
architecture products and begun developing them. Second, in August
2004, we reported on DHS's effort to develop enterprise architecture
products, relative to well-established, publicly available criteria on
the content of enterprise architectures.[Footnote 12] At that time, we
concluded that the department's initial enterprise architecture
provided a foundation upon which to build, but that it was nevertheless
missing important content that limited its utility. Thus, it could not
be considered a well-defined architecture. In particular, the content
of this initial version was not systematically derived from a DHS or
national corporate business strategy; rather, it was more the result of
an amalgamation of the existing architectures that several of DHS's
predecessor agencies already had, along with their respective
portfolios of system investment projects. To its credit, the department
recognized the limitations of the initial architecture and has
developed a new version. To assist DHS in evolving its architecture, we
recommended 41 actions aimed at having DHS add needed architecture
content and ensure that architecture development best practices are
employed.
Since then, DHS reported that it had taken steps in response to our
recommendations. For example, the department issued version 2 of its
enterprise architecture in October 2004. According to DHS, this version
contained additional business/mission, service, and technical
descriptions. Also, this version was submitted to a group of CIOs of
major corporations and an enterprise architecture consulting firm, both
of which found the architecture meritorious. Earlier this month (March
2006), the department issued another new version of its enterprise
architecture, which it calls HLS EA 2006.
Our analysis of version 2 of the department's architecture indicates
that DHS has made progress toward development of its architecture
products, particularly descriptions of both the "as-is" and "to-be"
environments. Specifically, the scope of the "as-is" and "to-be"
environments extends to descriptions of business operations,
information and data needs and definitions, application and service
delivery vehicles, and technology profiles and standards. With respect
to the depth and detail of these descriptions (which are the focus of
most of our 41 prior recommendations), the department has reported
progress, such as (1) completing its first inventory of information
technology systems, a key input to its description of the "as-is"
environment; (2) establishing departmentwide technology standards; (3)
developing and beginning to implement a plan for introducing a shared
services orientation to the architecture, particularly with regard to
information services (e.g., network, data center, e-mail, help desk,
and video operations); and (4) finalizing content for the portion of
its architecture that relates to certain border security functions
(e.g., the alien detention and removal process that is a major facet of
the department's new Strategic Border Initiative).
IT Investment Management:
Through IT investment management, organizations define and follow a
corporate process to help senior leadership make informed decisions on
competing options for investing in IT. Such investments, if managed
effectively, can have a dramatic impact on performance and
accountability. If mismanaged, they can result in wasteful spending and
lost opportunities for improving delivery of services.
Based on our research, we have issued an IT investment management
framework[Footnote 13] that encompasses the best practices of
successful public and private sector organizations, including
investment selection and control policies and procedures. Our framework
identifies, among other things, effective policies and procedures for
developing and using an enterprisewide collection--or portfolio--of
investments; using such portfolios enables an organization to determine
priorities and make decisions among competing options across investment
categories based on analyses of the relative organizational value and
risks of all investments.[Footnote 14]
A central tenet of the federal approach to IT investment management is
the select/control/evaluate model. During the select phase, the
organization (1) identifies and analyzes each project's risks and
returns before committing significant funds and (2) selects those
projects that will best support its mission needs. In the control
phase, the organization ensures that the project continues to meet
mission needs at the expected levels of cost and risks. If the project
is not meeting expectations or if problems have arisen, steps are
quickly taken to address the deficiencies. During the evaluate phase,
actual versus expected results are compared after a project has been
fully implemented.
In August 2004, we reported[Footnote 15] that DHS had established an
investment management process that included departmental oversight of
major IT programs. However, this process was not yet institutionalized:
for example, most programs (about 75 percent) had not undergone the
departmental oversight process, and resources were limited for
completing control reviews in a timely manner. At that time, the CIO
and other DHS officials attributed these shortfalls, in part, to the
fact that the department's process was maturing and needed to improve.
Based on our findings, we made recommendations aimed at strengthening
the process.
In March 2005,[Footnote 16] we again reported on this investment review
process, noting that it incorporated many best practices and provided
its senior leaders with the information required to make well-informed
investment decisions at key points in the investment life cycle.
However, we also concluded that at some key investment decision points,
DHS's process did not require senior management attention and
oversight. For example, management reviews are not required at key
system and subsystem decision points, although such reviews (especially
with complex systems that incorporate new technology like US-VISIT) are
critical to ensuring that risk is reduced before the organization
commits to the next phase of investment. Accordingly, we made further
recommendations to improve the process.
Further, the CIO recently reported additional steps being taken to
strengthen IT investment management. According to the CIO, DHS has:
* established an acquisition project performance reporting system,
which requires periodic reporting of cost, schedule, and performance
measures as well as earned value metrics, as means to monitor and
control major acquisitions;
* aligned the investment management cycle and associated milestones
with the department's annual budget preparation process to allow
business cases for major investments to be submitted to department
headquarters at the same time as the budget, rather than as a follow-on;
* linked investment management systems to standardize and make
consistent the financial data used to make investment decisions;
* verified alignment of approximately $2 billion worth of investments
via the department's portfolio management framework; and
* completed investment oversight reviews (by total dollar value) of
over 75 percent of the department's major investments.
The department has also developed a standard template for capturing
information about a given IT program to be used in determining the
investment's alignment with the enterprise architecture. Such alignment
is important because it ensures that programs will be defined,
designed, and developed in a way that avoids duplication and promotes
interoperability and integration. However, the department has yet to
document a methodology, with explicit criteria, for making its
judgments about the degree of alignment. Instead, it relies on the
undocumented and subjective determinations of individuals in its
Enterprise Architecture Center of Excellence.
Systems Development and Acquisition Management:
Managing systems development and acquisition effectively requires
applying engineering and acquisition discipline and rigor when
defining, designing, developing and acquiring, testing, deploying, and
maintaining IT systems and services. Our work and other best practice
research have shown that applying such rigorous management practices
improves the likelihood of delivering expected capabilities on time and
within budget. In other words, the quality of IT systems and services
is largely governed by the quality of the management processes involved
in developing and acquiring them.
Best practices in systems development and acquisition include following
a disciplined life cycle management process, in which key activities
and phases of the project are conducted in a logical and orderly
process and are fully documented. Such a life cycle process begins with
initial concept definition and continues through requirements
determination to design, development, various phases of testing,
implementation, and maintenance. For example, expected system
capabilities should be defined in terms of requirements for
functionality (what the system is to do), performance (how well the
system is to execute functions), data (what data are needed by what
functions, when, and in what form), interface (what interactions with
related and dependent systems are needed), and security. Further,
system requirements should be unambiguous, consistent with one another,
linked (that is, traceable from one source level to another),[Footnote
17] verifiable, understood by stakeholders, and fully documented.
The steps in the life cycle process each have important purposes, and
they have inherent dependencies among themselves. Thus, if earlier
steps are omitted or deficient, later steps will be affected, resulting
in costly and time-consuming rework. For example, a system can be
effectively tested to determine whether it meets requirements only if
these requirements have already been completely and correctly defined.
Concurrent, incomplete, and omitted activities in life cycle management
exacerbate the program risks. Life cycle management weaknesses become
even more critical as the program continues, because the size and
complexity of the program will likely only increase, and the later
problems are found, the harder and more costly they will likely be to
fix.
These steps, practices, and processes are embedded in an effective
systems development life cycle (SDLC) methodology, which sets forth the
multistep process of developing information systems from investigation
of initial requirements through analysis, design, implementation,
maintenance, and disposal. Organizations generally formalize their SDLC
in policies, procedures, and guidance. Currently, many of the major DHS
components are following the processes established under their
predecessor organizations. For example, both the Transportation
Security Administration and CBP have their own SDLCs. As part of our
reviews of DHS IT management and specific IT programs, we have not
raised any issues or identified any shortcomings with these SDLCs.
DHS is currently drafting policies and procedures to establish a
departmentwide SDLC methodology and thus provide a common management
approach to systems development and acquisition. According to DHS, the
goals of the SDLC are to help:
* align projects to mission and business needs and requirements;
* incorporate accepted industry and government standards, best
practices, and disciplined engineering methods, including IT maturity
model concepts;
* ensure that formal reviews and approvals required by the process are
consistent with DHS's investment management process; and
* institute disciplined life cycle management practices, including
planning and evaluation in each phase of the information system life
cycle.
The department's SDLC, currently in draft form, is to apply to DHS's IT
portfolio as well as other capital asset acquisitions. Under the SDLC,
each program will be expected to, among other things,
* follow disciplined project planning and management processes balanced
by effective management controls;
* have a comprehensive project management plan;
* base project plans on user requirements that are clearly articulated,
testable, and traceable to the work products produced; and
* integrate information security activities throughout the SDLC.
Information Security Management:
Effective information security management depends on establishing a
comprehensive program to protect the information and information
systems that support an organization's operations and assets. The
overall framework for ensuring the effectiveness of federal information
security controls is provided by the Federal Information Security
Management Act of 2002.[Footnote 18] In addition, OMB Circular No. A-130
requires agencies to provide information and systems with
protection that is commensurate with the risk and magnitude of the harm
that would result from unauthorized access to these assets or their
loss, misuse, or modification.
Because of continuing evidence indicating significant, pervasive
weaknesses in the controls over computerized federal operations, we
have designated information security as a governmentwide high-risk
issue since 1997.[Footnote 19] Moreover, related risks continue to
escalate, in part because the government is increasingly relying on the
Internet and on commercially available IT products. Concerns are
increasing regarding attacks for the purpose of crime, terrorism,
foreign intelligence gathering, and acts of war, as well as by the
disgruntled insider, who may not need particular expertise to gain
unrestricted access and inflict damage or steal assets. Without an
effective security management program, an organization has no assurance
that it can withstand these and other threats.
Since it was established, both we and the department's inspector
general (IG) have reported that although the department continues to
improve its IT security, it remains a major management challenge. For
example, within its first year the department had appointed a chief
information security officer and developed and disseminated information
system security policies and procedures, but it had not completed a
comprehensive inventory of its major IT systems--a prerequisite for
effective security management.
In June 2005, we reported that DHS had yet to effectively implement a
comprehensive, departmentwide information security program to protect
the information and information systems that support its operations and
assets.[Footnote 20] In particular, although it had developed and
documented departmental policies and procedures that could provide a
framework for implementing such a program, certain departmental
components had not yet fully implemented key information security
practices and controls. Examples of weaknesses in components'
implementation included incomplete or missing elements in risk
assessments, security plans, and remedial action plans, as well as
incomplete, nonexistent, or untested continuity of operations plans. To
address these weaknesses, we made recommendations aimed at ensuring
that DHS fully implement the key information security practices and
controls.
More recently, the DHS IG reported that DHS's components have not
completely aligned their respective information security programs with
DHS's overall policies, procedures, and practices.[Footnote 21]
However, the IG also reported progress. According to the IG, DHS
completed actions to eliminate two obstacles that had significantly
impeded the department in establishing its security program: First, it
completed the comprehensive system inventory mentioned earlier,
including major applications and general support systems for all DHS
components. Second, it implemented a departmentwide tool that
incorporates the guidance required to adequately complete security
certification and accreditation for all systems. The IG also reported
that the CIO had developed a plan to accredit all systems by September
2006.
The DHS CIO testified earlier this month (March 2006) on progress in
implementing the department's certification and accreditation plan,
stating that the department is well on its way to achieving its
September 2006 target for full system accreditation.[Footnote 22] The
CIO also stated that by the end of February 2006, more than 60 percent
of the over 700 systems in its inventory were fully accredited, up from
about 26 percent 5 months earlier.
IT Human Capital Management:
A strategic approach to human capital management includes viewing
people as assets whose value to an organization can be enhanced by
investing in them,[Footnote 23] and thus increasing both their value
and the performance capacity of the organization. Based on our
experience with leading organizations, we issued a model[Footnote 24]
encompassing strategic human capital management, in which strategic
human capital planning was one cornerstone.[Footnote 25] Strategic
human capital planning enables organizations to remain aware of and be
prepared for current and future needs as an organization, ensuring that
they have the knowledge, skills, and abilities needed to pursue their
missions. We have also issued a set of key practices for effective
strategic human capital planning.[Footnote 26] These practices are
generic, applying to any organization or component, such as an agency's
IT organization. They include:
* involving top management, employees, and other stakeholders in
developing, communicating, and implementing a strategic workforce plan;
* determining the critical skills and competencies needed to achieve
current and future programmatic results;
* developing strategies tailored to address gaps between the current
workforce and future needs;
* building the capability to support workforce strategies; and
* monitoring and evaluating an agency's progress toward its human
capital goals and the contribution that human capital results have made
to achieving programmatic goals.
In June 2004, we reported that DHS had begun strategic planning for IT
human capital at the headquarters level, but it had not yet
systematically gathered baseline data about its existing workforce.
Moreover, the DHS CIO expressed concern over staffing and acknowledged
that progress in this area had been slow.[Footnote 27] In our report,
we recommended that the department analyze whether it had appropriately
allocated and deployed IT staff with the relevant skills to obtain its
institutional and program-related goals. In response, DHS stated that
on July 30, 2004, the CIO approved funding for an IT human capital
Center of Excellence. This center was tasked with delivering plans,
processes, and procedures to execute an IT human capital strategy and
to conduct an analysis of the skill sets of DHS IT professionals.
Since that time, DHS has undertaken a departmentwide human capital
initiative, MAXHR, which is to provide greater flexibility and
accountability in the way employees are paid, developed, evaluated,
afforded due process, and represented by labor organizations. Part of
this initiative involves the development of departmentwide workforce
competencies. According to the DHS IG, the department intended to
implement MAXHR in the summer of 2005, but federal district court
decisions have delayed the department's plans. However, the IG stated
that the classification, pay, and performance management provisions of
the new program are moving forward, with implementation of the new
performance management system beginning in October 2005. According to
the IG, the new pay system is planned for implementation by January
2007 for some DHS components.
CIO Leadership:
According to our research on leading private and public sector
organizations and experience at federal agencies, leading organizations
adopt and use an enterprisewide approach to IT governance under the
leadership of a CIO or comparable senior executive, who has
responsibility and authority, including budgetary and spending control,
for IT across the entity.[Footnote 28]
In May 2004, we reported that the DHS CIO did not have authority and
control over departmentwide IT spending.[Footnote 29] Control over the
department's IT budget was vested primarily with the CIO organizations
within each DHS component, and the components' CIO organizations were
accountable to the heads of the components. As a result, DHS's CIO did
not have authority to manage IT assets across the department.
Accordingly, we recommended that the Secretary examine the sufficiency
of spending authority vested in the CIO and take appropriate steps to
correct any limitations in authority that constrain the CIO's ability
to effectively integrate IT investments in support of departmentwide
mission goals.
Since then, the DHS IG has reported that the DHS CIO is not well
positioned to accomplish IT integration objectives.[Footnote 30]
According to the IG, despite federal laws and requirements, the CIO is
not a member of the senior management team with authority to
strategically manage departmentwide technology assets and programs. The
IG reported that steps were taken to formalize reporting relationships
between the DHS CIO and the CIOs of major component organizations, but
that the CIO still does not have sufficient staff resources to assist
in carrying out the planning, policy formation, and other IT management
activities needed to support departmental units. The IG expressed the
view that although the CIO currently participates as an integral member
at each level of the investment review process, the department would
benefit from following the successful examples of other federal
agencies in positioning their CIOs with the authority and influence
needed to guide executive decisions on departmentwide IT investments
and strategies.
In response to the IG's comments, the DHS CIO stated that his office is
properly positioned and has the authority it needs to accomplish its
mission. According to the CIO, the office is the principal IT authority
to the Secretary and Deputy Secretary, and it will continue to hold
that leadership role within the department.
DHS Is Making Some Progress in Implementing IT Systems and
Infrastructure:
A gauge of DHS's progress in managing its IT investments is the extent
to which it has deployed and is currently operating more modern IT
systems and infrastructure. To the department's credit, our reviews
have shown progress in these areas, and DHS has reported other
progress. However, our reviews have also shown that IT programs have
not met stated goals for deployed capabilities, and DHS's own reporting
shows that infrastructure goals have yet to be fully met.
To expedite the implementation of IT systems, the department has
developed and deployed system capabilities incrementally, which we
support, as this is a best practice and consistent with our
recommendations.[Footnote 31] For example, the department has
successfully delivered visitor entry identification and screening
capabilities with the first three increments of its US-VISIT program,
and it is currently implementing release four of its ACE program. At
the same time, however, US-VISIT exit capabilities are not in place,
and release four of ACE does not include needed functionality. Further,
some IT programs that were, or have been, under way for years have
not delivered any functionality, such as the canceled ASI program and
the Secure Flight program.
In addition, the department has recently reported a number of
accomplishments relative to IT infrastructure; however, what has been
reported also shows that much remains to be accomplished before
infrastructure-related efforts produce deployed and operational
capabilities. For example, the department reports that it has begun its
Infrastructure Transformation Program (ITP), which is its approach to
moving to a consolidated, integrated, and services-oriented IT
infrastructure. According to the department, the CIO developed and has
begun implementing the ITP plan, which is to be centrally managed but
executed in a distributed manner, with various DHS components taking
the lead for different areas of infrastructure transformation.[Footnote
32] The ITP is to create a highly secure and survivable communications
network (OneNet) for Sensitive but Unclassified data across the
department, and it is also to establish a common and reliable e-mail
system across the department. The department reported that it had
deployed the initial core of the DHS OneNet and built the primary
Network Operation Center to monitor OneNet performance. Among the other
goals of the program are consolidated data centers to reduce costs and
provide a highly survivable and reliable computing environment. In this
regard, the department reported that it has now established an interim
data center.
In addition, the department stated that it has extended its classified
networking capabilities by fielding 56 Secret sites on the department's
Homeland Secure Data Network and by completing the connection of this
network to SIPRNet (the Defense Department's Secret Internet Protocol
Routed Network). DHS also reported that it has established an
Integrated Wireless Program Plan, which provides a program management
framework to ensure the on-time cost and schedule performance of
wireless programs and projects.
Key IT Programs Reflect Mixed Use of Effective IT Management Practices:
A key measure of how well an organization is managing IT is the degree
to which its IT-dependent programs actually implement corporate
management controls and employ associated best practices. In this
regard, our reviews of several nonfinancial DHS IT programs provide
examples of both strengths and weaknesses in program management. In
summary, they show that DHS IT programs are not being managed
consistently: some programs are at least partially implementing certain
program management best practices, but others are largely disregarding
most of the practices. Further, they show that most of the programs are
considerably challenged in certain key areas, such as measuring
progress and performance against program commitments and establishing
human capital capabilities.
IT investment alignment with the enterprise architecture. An important
element of enterprise architecture management is ensuring that IT
investments comply with the architecture. However, in several of the
programs that we have reviewed, investments have been approved without
documented analysis to support these judgments and to permit the
judgments to be independently verified. For example, DHS approved the
ACE program's alignment with the department's architecture on the
recommendation of its Enterprise Architecture Center of Excellence and
Enterprise Architecture Board. However, the Center's evaluators did not
provide a documented analysis that would allow independent
verification. According to DHS officials, they do not have a documented
methodology for evaluating programs' architecture compliance, and
instead rely on the professional expertise of Center staff. In
contrast, the ASI program provides an example of an instance in which
the reviews required to ensure architecture alignment resulted in the
discovery of a significant problem: the program had not adequately
defined its relationships and dependencies with other department
programs.[Footnote 33] As a result, the program was reconsidered and
later subsumed within the new Secure Border Initiative, the
department's broader strategy for border and interior enforcement.
Reliable cost estimates. Reliable cost estimates are prerequisites both
for developing an economic justification for a program and for
establishing cost baselines against which to measure progress. DHS IT
programs that we reviewed have demonstrated mixed results in this
regard. For example, the ACE program has made considerable progress in
implementing our recommendation to ensure that its development
contractor's cost estimates are reconciled with independent cost
estimates, and that the derivation of both estimates is consistent with
published best practices. However, cost estimating remains a major
challenge for other DHS IT programs. For example, Secure Flight did not
have cost estimates for either initial or full operating capability,
nor did it have a life-cycle cost estimate (estimated costs over the
expected life of a program, including direct and indirect costs and
costs of operation and maintenance). Also, for the US-VISIT program's
analysis of proposed alternatives for monitoring the exit of travelers,
cost estimates did not meet key criteria for reliable cost estimating
as established in the published best practices mentioned above. For
example, they did not include detailed work breakdown structures
defining the work to be performed, so that associated costs could be
identified and estimated. Such a work breakdown structure provides a
reliable basis for ensuring that estimates include all relevant costs.
Without reasonable cost estimates, it is not possible to produce an
adequate economic justification for choosing among alternatives, and
program performance cannot be adequately measured.
Earned value management. To help ensure that reliable processes are
used to measure progress against cost and schedule commitments, OMB
requires agencies to manage and measure major IT projects[Footnote 34]
through use of an earned value management (EVM) system that is
compliant with specified standards.[Footnote 35] On programs we
reviewed, however, the use of EVM was as yet limited. For example,
although the ACE program had instituted the use of EVM on recent
releases, its use for one release was suspended in June 2005, because
staff assigned to the release were unfamiliar with the technique. For
another release, EVM was not used because, according to program
officials, the release had not established the necessary cost and
schedule baseline estimates against which earned value could be
measured. ACE officials told us that they plan to establish baselines
and use EVM for future work. With regard to the US-VISIT program,
although EVM is to be used in managing the prime integration contract,
it has not been used in a number of US-VISIT related contracts over the
last 3 years. According to DHS, in fiscal year 2005, 30 percent of
departmental programs were using EVM.
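The method that footnote 35 describes, worked through on constructed numbers. This is an added example; it is not part of this testimony and is not code from DHS, the ACE program, or any contractor. The task names, budgets, completion percentages and costs are invented sample data, and the estimate at completion assumes the cost efficiency observed so far continues for the remaining work (one common forecasting convention, not a value the testimony gives). The baseline check reflects the point made above that earned value cannot be measured for a release that has no cost and schedule baseline.

```python
"""Earned value management (EVM) status for one release.

Added example; not part of the GAO testimony and not DHS or ACE code.
Compares the value of work accomplished at a status date (earned value)
with the value of work planned by that date (planned value) and with
what the work actually cost, and reports the differences as schedule
and cost variances. All figures below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Task:
    name: str
    budget: Optional[float]        # budgeted cost; None means no cost baseline
    planned_pct: Optional[float]   # fraction planned complete at status date; None means no schedule baseline
    actual_pct: float              # fraction actually complete at status date
    actual_cost: float             # cost incurred to date


def require_baseline(tasks):
    """EVM cannot be applied to work with no cost/schedule baseline."""
    missing = [t.name for t in tasks if t.budget is None or t.planned_pct is None]
    if missing:
        raise ValueError(f"no cost/schedule baseline for: {', '.join(missing)}")


def has_baseline(tasks):
    try:
        require_baseline(tasks)
        return True
    except ValueError:
        return False


def evm_status(tasks):
    """Return planned value, earned value, actual cost, the two variances,
    the two performance indices and an estimate at completion (EAC)."""
    require_baseline(tasks)
    bac = sum(t.budget for t in tasks)                   # budget at completion
    pv = sum(t.budget * t.planned_pct for t in tasks)    # planned value
    ev = sum(t.budget * t.actual_pct for t in tasks)     # earned value
    ac = sum(t.actual_cost for t in tasks)               # actual cost
    cpi = ev / ac if ac else None                        # cost performance index
    spi = ev / pv if pv else None                        # schedule performance index
    eac = bac / cpi if cpi else None                     # assumes current cost efficiency continues
    return {
        "bac": bac, "pv": pv, "ev": ev, "ac": ac,
        "cv": ev - ac,   # cost variance: negative means over budget
        "sv": ev - pv,   # schedule variance: negative means behind plan
        "cpi": cpi, "spi": spi, "eac": eac,
    }


# Constructed release, status taken part-way through design.
RELEASE_TASKS = [
    Task("requirements", 100.0, 1.0, 1.0, 120.0),
    Task("design", 200.0, 0.5, 0.25, 60.0),
    Task("build", 300.0, 0.0, 0.0, 0.0),
]

# Same release, but one task was never given a budget: EVM must refuse it.
UNBASELINED_TASKS = RELEASE_TASKS[:2] + [Task("build", None, None, 0.0, 0.0)]


if __name__ == "__main__":
    status = evm_status(RELEASE_TASKS)
    for key, value in status.items():
        print(f"{key:>4}: {value:.2f}" if value is not None else f"{key:>4}: n/a")
    print("unbaselined release measurable:", has_baseline(UNBASELINED_TASKS))
```

With the sample data the release has earned 150 of a planned 200 (schedule variance -50, SPI 0.75) at a cost of 180 (cost variance -30, CPI about 0.83), so the 600 budget is forecast to finish at about 720 if nothing changes; the unbaselined variant is rejected rather than silently reported as on track.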
Performance management and accountability. To ensure that programs
manage their performance effectively, it is important that they define
and measure progress against program commitments and hold themselves
accountable for results. These program commitments include expected or
estimated (1) capabilities and associated use and quality; (2) benefits
and mission value; (3) costs; and (4) milestones and schedules. To be
accountable, projects need first to develop and maintain reliable and
current expectations and then to define and select metrics to measure
progress against these. However, in our reviews of DHS programs (such
as those that are required to prepare expenditure plans for Senate and
House appropriations subcommittees before obligating funding), we have
reported that program performance and accountability have been a
challenge. For example, the fiscal year 2004 expenditure plan for the
Atlas program did not provide sufficient information on program
commitments to allow the Congress to perform effective oversight. On
the other hand, although the ACE program office is still not where it
needs to be in this regard, it has made progress in this area: it has
now prepared an initial version of a program accountability framework
that includes measuring progress against costs, milestones and
schedules, and risks for select releases. However, ACE benefit
commitments are still not well defined, and the performance targets
being used were not always realistic. On other programs, such as SEVIS,
we found that while some performance aspects of the system were being
measured, others, such as network usage, were not.
Disciplined acquisition and development processes. Our reviews of DHS
programs have disclosed numerous weaknesses in key process areas
related to system acquisition and management, such as requirements
development and management, test management, project planning,
validation and verification, and contract management oversight. For
example, we reported that the Atlas program office, which had been
recently established, had not yet implemented any of these key process
areas.[Footnote 36] For the ACE program, weaknesses in requirements
definition were a major reason for recent problems and delays,
including the realization during pilot testing that key functionality
had not been defined and built into the latest release. For US-VISIT,
test plans were incomplete in that they did not, among other things,
adequately demonstrate traceability between test cases and the
requirement to be verified by testing. Also, both ASI and Secure Flight
were proceeding without complete and up-to-date program management
plans, and Secure Flight's requirements were not well developed. In
addition, key ASI acquisition controls, such as contract management
oversight, were not yet defined. This led to a number of problems in
ASI's deployment, operation, and maintenance of ISIS technology. Further, ACE
and US-VISIT projects have not always effectively employed independent
verification and validation.
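The traceability weakness noted above for US-VISIT test plans, and the bidirectional traceability that footnote 17 describes, can be checked mechanically. The following is an added example, not part of this testimony and not code from any DHS program; the requirement identifiers, requirement text and test case identifiers are constructed sample data chosen so that each kind of gap appears once.

```python
"""Bidirectional requirements-to-test traceability check.

Added example; not part of the GAO testimony and not code from any DHS
program. Forward direction: every source requirement has lower-level
requirements derived from it, and every lower-level requirement is
verified by at least one test case. Backward direction: every
lower-level requirement points at a source requirement that exists, and
every test case points at requirements that exist. Sample data is
constructed.
"""

# Constructed requirements: (id, source requirement id or None, text)
REQUIREMENTS = [
    ("SRC-1", None, "Operators shall authenticate before accessing records"),
    ("SRC-2", None, "Records shall be retained only for the required period"),
    ("SYS-1.1", "SRC-1", "Login requires a second authentication factor"),
    ("SYS-1.2", "SRC-1", "Sessions expire after a period of inactivity"),
    ("SYS-2.1", "SRC-2", "Records are purged when the retention period ends"),
    ("SYS-3.1", "SRC-9", "Audit log entries are integrity-protected"),  # SRC-9 was never defined
]

# Constructed test cases: (id, requirement ids the test verifies)
TEST_CASES = [
    ("TC-01", ["SYS-1.1"]),
    ("TC-02", ["SYS-1.1", "SYS-1.2"]),
    ("TC-03", ["SYS-7.7"]),  # refers to a requirement nobody defined
]


def check_traceability(requirements, test_cases):
    """Return the gaps found in each direction, as sorted id lists."""
    known = {rid for rid, _, _ in requirements}
    sources = {rid for rid, src, _ in requirements if src is None}
    derived = {rid: src for rid, src, _ in requirements if src is not None}

    tested = set()
    orphan_tests = []
    for tid, verifies in test_cases:
        if any(r not in known for r in verifies):
            orphan_tests.append(tid)
        tested.update(r for r in verifies if r in known)

    return {
        # forward: source -> lower-level -> test case
        "source_without_derived": sorted(s for s in sources if s not in derived.values()),
        "untested": sorted(r for r in derived if r not in tested),
        # backward: lower-level -> source, test case -> requirement
        "unsourced": sorted(r for r, src in derived.items() if src not in sources),
        "orphan_tests": sorted(orphan_tests),
    }


def is_fully_traced(report):
    """True only when no gap list in the report is non-empty."""
    return not any(report.values())


if __name__ == "__main__":
    report = check_traceability(REQUIREMENTS, TEST_CASES)
    for gap, ids in report.items():
        print(f"{gap}: {ids or 'none'}")
    print("fully traced:", is_fully_traced(report))
```

On the sample data the check reports SYS-2.1 and SYS-3.1 as having no test, SYS-3.1 as tracing to a source that does not exist, and TC-03 as a test that verifies nothing defined; a test plan that demonstrates traceability would drive all four lists to empty.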
Risk management. Effective risk management is vital to the success of
any system acquisition. Accordingly, best practices[Footnote 37]
advocate establishing management structures and processes to
proactively identify facts and circumstances that can increase the
probability of an acquisition's failing to meet cost, schedule, and
performance commitments and then taking steps to reduce the probability
of their occurrence and impact. Our work on the ACE, US-VISIT, and ASI
programs, for example, showed that risk management programs were in
place, but not all risks were being effectively addressed. In
particular, key risks on the ACE program were not being effectively
addressed. Specifically, the ACE program schedule had introduced
significant concurrency in the development and deployment of releases;
as both prior experience on the ACE program and best practices show,
such concurrency causes contention for common resources, which in turn
produces schedule slips and cost overruns. Also, the ACE program was
passing key milestones with known severe system defects--that is,
allowing development to proceed to the next stage even though
significant problems remained to be solved. This led to a recurring
pattern of addressing quality problems with earlier releases by
borrowing resources from future releases, which led to schedule delays
and cost overruns. Moreover, it led the program to deploy one release
prematurely with the intention of gaining user acceptance sooner.
However, this premature deployment actually produced a groundswell of
user complaints and poor user satisfaction scores with the release.
Similar risks were experienced on the Coast Guard's Rescue 21 program.
For example, we reported that the Coast Guard's plan to compress and
overlap key tests introduced risks, and subsequently the Coast Guard
decided to postpone several tests.[Footnote 38]
Security. The selection and employment of appropriate security and
privacy controls for an information system are important tasks that can
have major implications for the operations and assets and for the
protection of personal information that is collected and maintained in
the system. Security controls are the management, operational, and
technical safeguards prescribed for an information system to protect
the confidentiality, integrity, and availability of the system and its
information. Privacy controls limit the collection, use, and disclosure
of personal information.
For several IT programs, security and privacy have been a challenge. For
example, we reported[Footnote 39] in September 2003 and again in May
2004 that the US-VISIT program office had yet to develop a security
plan as required by OMB and other federal guidance, although the
program later developed a plan that was generally consistent with
applicable guidance. However, the program office had not conducted a
security risk assessment or included in the plan when such an
assessment would be completed. OMB and other federal guidance specifies
that security plans should describe the methodology that is used to
identify system threats and vulnerabilities and to assess the risks,
and include the date the assessment was completed.
In addition, we reported that the Atlas program was relying on a
bureauwide security plan that did not address Atlas infrastructure
requirements. Further, Atlas had yet to develop a privacy impact
assessment to determine what effect, if any, the system would have on
individual privacy, the privacy consequences of processing certain
information, and alternatives considered to collect and handle the
information.
On TSA's Secure Flight program, although the agency had taken steps to
implement security to protect system information and assets, we
recently reported that these steps were individually incomplete and
collectively fell short of a comprehensive program consistent with
federal guidance and associated best practices. More specifically, OMB
and other federal guidance and relevant best practices call for
agencies to, among other things, (1) conduct a systemwide risk
assessment that is based on system threats and vulnerabilities and (2)
then develop system security requirements and related policies and
procedures that govern the operation and use of the system and address
identified risks. Although TSA developed two system security plans--one
for the underlying infrastructure (hardware and software) and another
for the Secure Flight system application--neither was complete.
Specifically, the infrastructure plan only partially defined the
requirements to address the risks, and the application plan did not
include any requirements addressing risks. Furthermore, we also
recently reported[Footnote 40] that TSA did not fully disclose to the
public, as required by privacy guidance, its use of personal
information during the testing phase of Secure Flight until after many
of the tests had been completed.
Establishing and maintaining adequate staffing. Implementing the IT
management processes that I have been describing requires that programs
have the right people--not only people who have the right knowledge,
skills, and abilities, but also enough of them to do the job.
Generally, all the programs we reviewed were challenged, particularly
in their initial stages, to assemble sufficient staff with the right
skill mix and to treat workforce (human capital) planning as a
management imperative. For example, we reported that both the Atlas and
the ASI programs were initiated without being adequately staffed. In
addition, in September 2003 we reported that the US-VISIT program
office had assessed its staffing needs for acquisition management at
115 government and 117 contractor personnel, but that at the time the
program had 10 staff within the program office and another 6 staff
working closely with them.[Footnote 41] Since then, US-VISIT has filled
102 of its 115 planned government positions (with plans in place to
fill the remaining positions) and all of its planned 117 contractor
positions.[Footnote 42]
However, to ensure that staffing needs continue to be met,
organizations need to manage human capital strategically, which entails
identifying the program functions that need to be performed and the
associated numbers and skill sets (core competencies) needed to perform
them, assessing the on-board workforce relative to these needs,
identifying gaps, and developing and implementing strategies (i.e.,
hiring, retention, training, contracting) for filling these gaps over
the long term. In this regard, the US-VISIT program has made
considerable progress. Specifically, we recently reported that it has
analyzed the program office's workforce to determine diversity trends,
retirement and attrition rates, and mission-critical and leadership
competency gaps, and it has updated the program's core competency
requirements to ensure alignment between the program's human capital
and business needs. In contrast, although the ACE program has taken
various informal steps to bolster its workforce (such as providing
training), it has been slow to document and implement a human capital
strategy that compares competency-based staffing needs to on-board
capabilities and includes plans for closing shortfalls.
In closing, let me reiterate that we have made a series of
recommendations to the department aimed at addressing both the
department's institutional IT management challenges and its IT program-
specific weaknesses. To the department's credit, it has largely agreed
with these recommendations. Although some of these have been
implemented, most are still works in process. In my view, these
recommendations provide a comprehensive framework for strengthening
DHS's management of IT and increasing the chances of delivering
promised system capabilities and benefits on time and within budget. We
look forward to working constructively with the department in
implementing these recommendations and thereby maximizing the role that
IT can play in DHS's transformation efforts.
Mr. Chairmen, this concludes my statement. I would be happy to answer
any questions at this time.
Contacts and Acknowledgments:
For further information regarding this testimony, please contact Randy
Hite, Director, Information Technology Architecture and Systems Issues,
at (202) 512-3439, or hiter@gao.gov. Other individuals who made key
contributions to this testimony were Mathew Bader, Mark Bird, Justin
Booth, Barbara Collier, Deborah Davis, Michael Holland, Ash Huda, Gary
Mountjoy, and Scott Pettis.
FOOTNOTES
[1] GAO, High-Risk Series: An Update, GAO-03-119 (Washington, D.C.:
January 2003); High-Risk Series: An Update, GAO-05-207 (Washington,
D.C.: January 2005).
[2] GAO, Department of Homeland Security: Formidable Information and
Technology Management Challenge Requires Institutional Approach, GAO-04-
702 (Washington, D.C.: Aug. 27, 2004).
[3] GAO, Maximizing the Success of Chief Information Officers: Learning
from Leading Organizations, GAO-01-376G (Washington, D.C.: February
2001); Architect of the Capitol: Management and Accountability
Framework Needed for Organizational Transformation, GAO-03-231
(Washington, D.C.: Jan. 17, 2003).
[4] Some of those specialties are intelligence analysis, law
enforcement, border security, transportation security, biological
research, critical infrastructure protection, and disaster recovery.
[5] For example, see GAO, Major Management Challenges and Program
Risks: Department of Homeland Security, GAO-03-102 (Washington, D.C.:
January 2003) and Homeland Security: Proposal for Cabinet Agency Has
Merit, but Implementation Will be Pivotal to Success, GAO-02-886T
(Washington, D.C.: June 25, 2002).
[6] GAO, Homeland Security: Information Sharing Responsibilities,
Challenges, and Key Management Issues, GAO-03-715T (Washington, D.C.:
May 8, 2003).
[7] GAO, Maximizing the Success of Chief Information Officers: Learning
from Leading Organizations, GAO-01-376G (Washington, D.C.: February
2001); Architect of the Capitol: Management and Accountability
Framework Needed for Organizational Transformation, GAO-03-231
(Washington, D.C.: Jan. 17, 2003).
[8] Other important IT management controls and capabilities are not
addressed in this testimony, such as IT strategic planning and
information management.
[9] See for example, GAO, DOD Business Systems Modernization:
Improvements to Enterprise Architecture Development and Implementation
Efforts Needed, GAO-03-458 (Washington, D.C.: Feb. 28, 2003);
Information Technology: DLA Should Strengthen Business Systems
Modernization Architecture and Investment Activities, GAO-01-631
(Washington, D.C.: June 29, 2001); and Information Technology: INS
Needs to Better Manage the Development of Its Enterprise Architecture,
AIMD-00-212 (Washington, D.C.: Aug. 1, 2000).
[10] GAO, Information Technology: A Framework for Assessing and
Improving Enterprise Architecture Management (Version 1.1), GAO-03-584G
(Washington, D.C.: April 2003).
[11] GAO, Information Technology: Leadership Remains Key to Agencies
Making Progress on Enterprise Architecture Efforts, GAO-04-40
(Washington, D.C.: Nov. 17, 2003).
[12] GAO, Homeland Security: Efforts Under Way to Develop Enterprise
Architecture, but Much Work Remains, GAO-04-777 (Washington, D.C.: Aug.
6, 2004).
[13] GAO, Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity, Exposure Draft, GAO/AIMD-
10.1.23 (Washington, D.C.: May 2000); Information Technology Investment
Management: A Framework for Assessing and Improving Process Maturity,
version 1.1, GAO-04-394G (Washington, D.C.: March 2004).
[14] Our ITIM framework is also consistent with the Clinger-Cohen Act
of 1996 (40 U.S.C. §§ 11101-11703), in which Congress enacted
provisions requiring federal agencies to focus on results achieved
through IT investments and to improve their IT acquisition processes.
The act also introduces more rigor and structure into how agencies
select and manage IT projects.
[15] GAO, Department of Homeland Security: Formidable Information and
Technology Management Challenge Requires Institutional Approach, GAO-04-
702 (Washington, D.C.: Aug. 27, 2004).
[16] GAO, Homeland Security: Successes and Challenges in DHS's Efforts
to Create an Effective Acquisition Organization, GAO-05-179
(Washington, D.C.: Mar. 29, 2005).
[17] Examples of higher order sources include legislation, which may
dictate certain requirements, and other system documentation, such as
the operational concept. When requirements are managed well,
traceability can be established from the source requirements to lower
level requirements and from the lower level back to their source. Such
bidirectional traceability helps determine that all source requirements
have been addressed completely and that all lower level requirements
can be verified as derived from a valid source.
[18] Pub. L. No. 107-347, tit. III, § 301, 116 Stat. 2946, 2946-55
(Dec. 17, 2002) (codified at 44 U.S.C. §§ 3541-3549).
[19] See GAO, High-Risk Series: Protecting Information Systems
Supporting the Federal Government and the Nation's Critical
Infrastructures, GAO-03-121 (Washington, D.C.: January 2003).
[20] GAO, Information Security: Department of Homeland Security Needs
to Fully Implement Its Security Program, GAO-05-700 (Washington, D.C.:
June 17, 2005).
[21] DHS Office of Inspector General, Major Management Challenges
Facing the Department of Homeland Security, OIG-06-14 (Washington,
D.C.: December 2005).
[22] Statement by Scott Charbo, DHS CIO, before the House Committee on
Government Reform (Washington, D.C.: Mar. 16, 2006).
[23] See GAO, Human Capital: Attracting and Retaining a High-Quality
Information Technology Workforce, GAO-02-113T (Washington, D.C.: Oct.
4, 2001); A Model of Strategic Human Capital Management, GAO-02-373SP
(Washington, D.C.: Mar. 15, 2002); Key Principles for Effective
Strategic Workforce Planning, GAO-04-39 (Washington, D.C.: Dec. 11,
2003).
[24] GAO-02-373SP.
[25] The other three are leadership; acquiring, developing, and
retaining talent; and results-oriented organizational culture.
[26] GAO-04-39.
[27] GAO, Human Capital: DHS Faces Challenges In Implementing Its New
Personnel System, GAO-04-790 (Washington, D.C.: June 18, 2004).
[28] For example, see GAO, Architect of the Capitol: Management and
Accountability Framework Needed for Organizational Transformation, GAO-
03-231 (Washington, D.C.: Jan. 17, 2003) and Maximizing the Success of
Chief Information Officers: Learning from Leading Organizations, GAO-01-
376G (Washington, D.C.: February 2001).
[29] GAO, Information Technology: Homeland Security Should Better
Balance Need for System Integration Strategy with Spending for New and
Enhanced Systems, GAO-04-509 (Washington, D.C.: May 21, 2004).
[30] DHS Office of Inspector General, Major Management Challenges
Facing the Department of Homeland Security, OIG-06-14 (Washington,
D.C.: December 2005).
[31] Clinger-Cohen Act of 1996, Pub. L. 104-106; OMB, Management of
Federal Information Resources, Circular A-130 (Nov. 28, 2000).
[32] For instance, CBP is the lead for network services and data
centers; the Coast Guard is the lead for e-mail and help desk services;
and the Federal Emergency Management Agency is the lead on video
operations services.
[33] In February 2006, we reported that the DHS Deputy Secretary had
directed that the program be reevaluated within the department's
broader border and interior enforcement strategy, now referred to as
the Secure Border Initiative. See GAO, Border Security: Key Unresolved
Issues Justify Reevaluation of Border Surveillance Technology Program,
GAO-06-295 (Washington, D.C.: Feb. 22, 2006).
[34] Specifically, OMB requires agencies to use this method on all new
major IT projects, ongoing major IT developmental projects, and high-
risk projects.
[35] EVM is a project management tool that integrates the investment
scope of work with schedule and cost elements for investment planning
and control. This method compares the value of work accomplished during
a given period with that of the work expected in the period.
Differences in expectations are measured in both cost and schedule
variances.
[36] GAO, Information Technology: Management Improvements Needed on
Immigration and Customs Enforcement's Infrastructure Modernization
Program, GAO-05-805 (Washington, D.C.: Sept. 7, 2005).
[37] Software Engineering Institute, Software Acquisition Capability
Maturity Model® version 1.03, CMU/SEI-2002-TR-010 (Pittsburgh, PA:
March 2002).
[38] GAO, Coast Guard: New Communication System to Support Search and
Rescue Faces Challenges, GAO-03-1111 (Washington, D.C.: Sept. 30,
2003).
[39] GAO, Homeland Security: First Phase of Visitor and Immigration Status
Program Operating, but Improvements Needed, GAO-04-586 (Washington,
D.C.: May 11, 2004); and Homeland Security: Risks Facing Key Border and
Transportation Security Program Need to Be Addressed, GAO-03-1083
(Washington, D.C.: Sept. 19, 2003).
[40] GAO, Aviation Security: Transportation Security Administration Did
Not Fully Disclose Uses of Personal Information during Secure Flight
Program Testing in Initial Privacy Notices, but Has Recently Taken
Steps to More Fully Inform the Public, GAO-05-864R (Washington, D.C.:
July 22, 2005).
[41] GAO, Homeland Security: Risks Facing Key Border and Transportation
Security Program Need to Be Addressed, GAO-03-1083 (Washington, D.C.:
Sept. 19, 2003).
[42] GAO, Homeland Security: Recommendations to Improve Management of
Key Border Security Program Need to Be Implemented, GAO-06-296
(Washington, D.C.: Feb. 14, 2006).