Information Technology
DHS Needs to Fully Define and Implement Policies and Procedures for Effectively Managing Investments
Gao ID: GAO-07-424 April 27, 2007
The Department of Homeland Security (DHS) relies extensively on information technology (IT) to carry out its mission. For fiscal year 2008, DHS requested about $4 billion--the third largest planned IT expenditure among federal departments. Given the size and significance of DHS's IT investments, GAO's objectives were to determine whether DHS (1) has established the management structure and associated policies and procedures needed to effectively manage these investments and (2) is implementing key practices needed to effectively control them. GAO used its IT Investment Management (ITIM) framework and associated methodology to address these objectives, focusing on the framework's stages related to the investment management provisions of the Clinger-Cohen Act.
DHS has established the management structure to effectively manage its investments. However, the department has yet to fully define 8 of the 11 related policies and procedures that GAO's ITIM framework defines. Specifically, while DHS has documented the policies and related procedures for project-level management, some of these procedures do not include key elements. For example, procedures for selecting investments do not cite either the specific criteria or steps for prioritizing and selecting new IT proposals. In addition, the department has yet to define most of the policies associated with managing its IT projects as investment portfolios. Officials attributed the absence of policies and procedures at the portfolio level to other investment management priorities. Until DHS fully defines and documents policies and procedures for investment management, it risks selecting investments that will not meet mission needs in the most cost-effective manner. DHS has also not fully implemented the key practices needed to actually control investments--either at the project level or at the portfolio level. For example, according to DHS officials and the department's control review schedule, DHS investment boards have not conducted regular investment reviews. Further, while GAO found that control activities are sometimes performed, they are not performed consistently across projects. In addition, because the policies and procedures for portfolio management have yet to be defined, control of the department's investment portfolios is ad hoc, according to DHS officials. Officials told GAO that they have recently hired a portfolio manager and are recruiting another one to strengthen IT investment management. Until DHS fully implements processes to control its investments, both at the project and portfolio levels, it increases the risk of not meeting cost, schedule, benefit, and risk expectations.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-07-424, Information Technology: DHS Needs to Fully Define and Implement Policies and Procedures for Effectively Managing Investments
This is the accessible text file for GAO report number GAO-07-424
entitled 'Information Technology: DHS Needs to Fully Define and
Implement Policies and Procedures for Effectively Managing Investments'
which was released on April 27, 2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
April 2007:
Information Technology:
DHS Needs to Fully Define and Implement Policies and Procedures for
Effectively Managing Investments:
GAO-07-424:
GAO Highlights:
Highlights of GAO-07-424, a report to congressional requesters
Why GAO Did This Study:
The Department of Homeland Security (DHS) relies extensively on
information technology (IT) to carry out its mission. For fiscal year
2008, DHS requested about $4 billion”the third largest planned IT
expenditure among federal departments. Given the size and significance
of DHS‘s IT investments, GAO‘s objectives were to determine whether DHS
(1) has established the management structure and associated policies
and procedures needed to effectively manage these investments and (2)
is implementing key practices needed to effectively control them. GAO
used its IT Investment Management (ITIM) framework and associated
methodology to address these objectives, focusing on the framework‘s
stages related to the investment management provisions of the Clinger-
Cohen Act.
What GAO Found:
DHS has established the management structure to effectively manage its
investments. However, the department has yet to fully define 8 of the
11 related policies and procedures that GAO‘s ITIM framework defines
(see the table below). Specifically, while DHS has documented the
policies and related procedures for project-level management, some of
these procedures do not include key elements. For example, procedures
for selecting investments do not cite either the specific criteria or
steps for prioritizing and selecting new IT proposals. In addition, the
department has yet to define most of the policies associated with
managing its IT projects as investment portfolios. Officials attributed
the absence of policies and procedures at the portfolio level to other
investment management priorities. Until DHS fully defines and documents
policies and procedures for investment management, it risks selecting
investments that will not meet mission needs in the most cost-effective
manner.
DHS has also not fully implemented the key practices needed to actually
control investments”either at the project level or at the portfolio
level. For example, according to DHS officials and the department‘s
control review schedule, DHS investment boards have not conducted
regular investment reviews. Further, while GAO found that control
activities are sometimes performed, they are not performed consistently
across projects. In addition, because the policies and procedures for
portfolio management have yet to be defined, control of the
department‘s investment portfolios is ad hoc, according to DHS
officials.
Officials told GAO that they have recently hired a portfolio manager
and are recruiting another one to strengthen IT investment management.
Until DHS fully implements processes to control its investments, both
at the project and portfolio levels, it increases the risk of not
meeting cost, schedule, benefit, and risk expectations.
Table: Execution of Policy and Procedure-Related Key Practices in GAO's
Framework:
Stage 2: building the investment foundation: Instituting the investment
board; Key practices executed: 1/1;
Stage 3: developing a complete investment portfolio: Defining the
portfolio criteria; Key practices executed: 0/1.
Stage 2: building the investment foundation: Meeting business needs;
Key practices executed: 1/1;
Stage 3: developing a complete investment portfolio: Creating the
portfolio; Key practices executed: 0/1.
Stage 2: building the investment foundation: Selecting an investment;
Key practices executed: 1/3;
Stage 3: developing a complete investment portfolio: Evaluating the
portfolio; Key practices executed: 0/1.
Stage 2: building the investment foundation: Providing investment
oversight; Key practices executed: 0/1;
Stage 3: developing a complete investment portfolio: Conducting
postimplementation reviews; Key practices executed: 0/1.
Stage 2: building the investment foundation: Capturing investment
information; Key practices executed: 0/1;
Stage 3: developing a complete investment portfolio: [Empty]; Key
practices executed: [Empty].
Stage 2: building the investment foundation: Overall; Key practices
executed: 3/7;
Stage 3: developing a complete investment portfolio: Overall; Key
practices executed: 0/4.
Source: GAO.
[End of table]
What GAO Recommends:
GAO recommends that DHS fully define the project-level and portfolio-
level policies and procedures defined in GAO‘s ITIM framework and
implement the practices needed to effectively control investments. In
written comments on this report, DHS agreed with GAO's findings and
recommendations and stated it will use the report to improve its
investment management process.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-424].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Randolph Hite at (202)
512-3439 or hiter@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
DHS Has Established the Structure Needed to Effectively Manage Its
Investments but Has Yet to Fully Define Many of the Related Policies
and Procedures:
DHS Has Not Fully Executed Key Practices Associated with Effectively
Controlling Investments:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the U.S. Department of Homeland Security:
Appendix III: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: DHS's Principal Organizations and Their Missions:
Table 2: IT Funding for Fiscal Year 2007:
Table 3: Levels of Investments:
Table 4: DHS Governance Entities and Responsibilities:
Table 5: Stage 2 Critical Processes--Building the Investment
Foundation:
Table 6: Summary of Policies and Procedures for Stage 2 Critical
Processes--Building the Investment Foundation:
Table 7: Stage 3 Critical Processes--Developing a Complete Investment
Portfolio:
Table 8: Summary of Policies and Procedures for Stage 3 Critical
Processes--Developing a Complete Investment Portfolio:
Table 9: Summary of Key Practices for Providing Investment Oversight
(Stage 2 Critical Process):
Table 10: Summary of Key Practices for Evaluating the Portfolio (Stage
3 Critical Process):
Figures:
Figure 1: DHS Organizational Structure (Simplified and Partial):
Figure 2: DHS Review and Approval Process:
Figure 3: DHS Investment Review Process:
Figure 4: The Five ITIM Stages of Maturity with Critical Processes:
Abbreviations:
APB: Acquisition Program Baseline:
CFO: Chief Financial Officer:
CIO: Chief Information Officer:
eNEMIS: National Emergency Management Information System:
DHS: Department of Homeland Security:
EAB: Enterprise Architecture Board:
IPRT: Integrated Project Review Team:
IRB: Investment Review Board:
IT: information technology:
ITIMIT: Investment Management:
IWN: Integrated Wireless Network:
JRC: Joint Requirements Council:
OA: operational analysis:
PIR: postimplementation review:
TWIC: Transportation Worker Identification Credentialing:
United States Government Accountability Office:
Washington, DC 20548:
April 27, 2007:
The Honorable Robert C. Byrd:
Chairman:
The Honorable Thad Cochran:
Ranking Minority Member:
Subcommittee on Homeland Security:
Committee on Appropriations:
United States Senate:
The Honorable David E. Price:
Chairman:
The Honorable Harold Rogers:
Ranking Minority Member:
Subcommittee on Homeland Security:
Committee on Appropriations:
House of Representatives:
The Department of Homeland Security (DHS) is one of the largest federal
agencies in the government. With its workforce of over 200,000
employees and budget of $42.7 billion, it manages numerous information
technology (IT) programs to carry out its mission of leading the
unified national effort to secure America by preventing and deterring
terrorist attacks and protecting against and responding to threats and
hazards to the nation. Specifically, for fiscal year 2008, DHS
requested about $4 billion for IT--the third largest planned IT
expenditure among federal departments.[Footnote 1]
This report is one of a series of products to respond to DHS's fiscal
year 2006 appropriations act. The act directs the department's Chief
Information Officer (CIO) to submit a report to congressional
appropriations committees that includes, among other things, a
description of the department's IT capital planning and investment
control process. The act also directs us to review the report.[Footnote
2] As agreed with your offices, our objectives were to determine
whether DHS (1) has established the management structure and associated
policies and procedures needed to effectively manage its IT investments
and (2) is implementing key practices needed to effectively control
them. To address our objectives, we evaluated DHS's documented policies
and procedures for making IT investment management decisions and DHS's
processes for controlling investments against the accepted practices
presented in our IT Investment Management framework (ITIM). This
framework provides a method for assessing how well an agency is
managing its IT resources.[Footnote 3] We focused on the project-level
and portfolio-level key practices that assist organizations in
establishing the selection, control, and evaluation processes required
by the Clinger-Cohen Act of 1996.[Footnote 4] Specifically, we
addressed the 11 key practices that are policy and procedure-related.
Of these 11 practices, 7 are project-level practices, and 4 are
portfolio-level practices. We also addressed the key practices
associated with controlling investments and portfolios.
We performed our work from February 2006 through March 2007 in
accordance with generally accepted government auditing standards.
Appendix I contains details about our objectives, scope, and
methodology.
Results in Brief:
DHS has established the management structure to effectively manage its
investments. However, the department has yet to fully define 8 of the
11 related policies and procedures defined by our ITIM framework.
Specifically, while DHS has documented the policies and the related
procedures for project-level management, some of these procedures do
not include key elements. For example, procedures for selecting
investments do not cite either the specific criteria or steps for
prioritizing and selecting new IT proposals, and procedures for
management oversight of IT projects and systems do not specify the
rules the investment boards are to follow in controlling investments.
In addition, the department has yet to define most of the policies
associated with managing its IT projects as investment portfolios.
Officials attributed the absence of policies and procedures at the
portfolio level to other investment management priorities. Until DHS
fully defines and documents policies and procedures for investment
management, it risks selecting investments that will not meet mission
needs in the most cost-effective manner.
DHS has also not fully implemented any of the key practices needed to
actually control investments--either at the project level or at the
portfolio level. For example, according to DHS officials and the
department's control review schedule, the investment boards have not
conducted regular reviews of investments. While control activities are
sometimes performed, they are not performed consistently across all IT
projects. In addition, because the policies and procedures for
portfolio management have yet to be defined, control of the
department's investment portfolios is ad hoc, according to DHS
officials. To strengthen IT investment management, officials told us
that they have recently hired a portfolio manager and are recruiting
another one. Until DHS fully implements processes to control its
investments, both at the project and portfolio levels, it increases the
risk that its projects will not meet cost, schedule, benefit, and risk
expectations.
To strengthen DHS's investment management capability, we are
recommending that the department devote the appropriate degree of
attention to fully defining the project-level and portfolio-level
policies and procedures in our ITIM framework and implementing those
framework practices needed to control investments at both the project
level and the portfolio level. In commenting on a draft of this report,
the department agreed with our findings and recommendations and stated
it will use the report to improve its investment management and review
processes.
Background:
Since beginning operations in March 2003, DHS has assumed operational
control of about 209,000 civilian and military positions from 22
agencies and offices specializing in one or more aspects of homeland
security.[Footnote 5] The intent behind DHS's merger and transformation
was to, among other things, improve coordination, communication, and
information sharing among the multiple federal agencies responsible for
carrying out the mission of protecting the homeland.
Overview of DHS Organizational Structure:
To accomplish its mission, the department is organized into various
components, each of which is responsible for specific homeland security
missions and for coordinating related efforts with its sibling
components, as well as external entities. Table 1 shows DHS's principal
organizations and their missions. An organizational structure is shown
in figure 1.
Table 1: DHS's Principal Organizations and Their Missions:
Principal organizations[A]: Citizenship and Immigration Services;
Missions: Administers immigration and naturalization adjudication
functions and establishes immigration services policies and priorities.
Principal organizations[A]: Coast Guard;
Missions: Protects the public, the environment, and U.S. economic
interests in the nation's ports and waterways, along the coast, on
international waters, and in any maritime region as required to support
national security.
Principal organizations[A]: Customs and Border Protection;
Missions: Secures the nation's borders in order to prevent terrorists
and terrorist weapons from entering the United States, while
facilitating the flow of legitimate trade and travel.
Principal organizations[A]: Federal Emergency Management Agency;
Missions: Prepares the nation for hazards, manages federal response and
recovery efforts following any national incident, and administers the
National Flood Insurance Program.
Principal organizations[A]: Immigration and Customs Enforcement;
Missions: Investigates, identifies, and addresses vulnerabilities in
the nation's border, economic, transportation, and infrastructure
security.
Principal organizations[A]: Management Directorate;
Missions: Is responsible for department budgets and appropriations,
expenditure of funds, accounting and finance, procurement, human
resources, IT systems, facilities and equipment, and the identification
and tracking of performance measurements. This directorate includes the
Offices of the Chief Financial Officer and the CIO.
Principal organizations[A]: National Protection and Programs
Directorate;
Missions: Supports the department's homeland security risk reduction
mission through an integrated approach that encompasses both physical
and virtual threats and their associated human elements. This
directorate includes the Offices of Cyber Security and Communications
and Infrastructure Protection.
Principal organizations[A]: Science and Technology Directorate;
Missions: Serves as the primary research and development arm of the
department, responsible for providing federal, state, and local
officials with the technology and capabilities to protect the homeland.
Principal organizations[A]: Secret Service;
Missions: Protects the President and other high-level officials and
investigates counterfeiting and other financial crimes (including
financial institution fraud, identity theft, and computer fraud) and
computer- based attacks on the nation's financial, banking, and
telecommunications infrastructure.
Principal organizations[A]: Transportation Security Administration;
Missions: Protects the nation's transportation systems to ensure
freedom of movement for people and commerce.
Sources: GAO analysis of DHS data.
[A] This table does not show the organizations that fall under each of
the directorates. This table also does not show all organizations that
report directly to the DHS Secretary and Deputy Secretary, such as
Executive Secretary, Legislative and Intergovernmental Affairs, Public
Affairs, Chief of Staff, Inspector General, and General Counsel.
[End of table]
Figure 1: DHS Organizational Structure (Simplified and Partial):
[See PDF for image]
Source: GAO analysis of DHS data.
[End of figure]
Within the Management Directorate is the Office of the CIO, which is
expected to leverage best available technologies and IT management
practices, provide shared services, coordinate acquisition strategies,
maintain an enterprise architecture that is fully integrated with other
management processes, and advocate and enable business transformation.
Other DHS entities also are responsible or share responsibility for
critical IT management activities. For example, DHS's major
organizational components (e.g., directorates, offices, and agencies)
have their own CIOs and IT organizations. Control over the department's
IT funding is vested primarily with the components' CIOs, who are
accountable to the heads of their respective components.[Footnote 6]
The Director of Program Analysis and Evaluation is the sponsor for the
department's capital planning and investment control process and serves
as the executive agent and coordinator for the process. This Director
reports to the Chief Financial Officer (CFO).
IT Is Critical to DHS's Mission Performance:
To accomplish its mission, DHS relies extensively on IT. For example,
for fiscal year 2007 DHS requested about $4.16 billion to support 278
major IT programs. Table 2 shows the fiscal year 2007 IT funding for
key DHS components.
Table 2: IT Funding for Fiscal Year 2007:
Dollars in millions.
DHS components and investments: Citizenship and Immigration Services;
Funding: $570.3.
DHS components and investments: Coast Guard;
Funding: 196.7.
DHS components and investments: Customs and Border Protection;
Funding: 546.4.
DHS components and investments: Federal Emergency Management Agency;
Funding: 77.1.
DHS components and investments: Immigration and Customs Enforcement;
Funding: 134.0.
DHS components and investments: Management Directorate: Enterprise
Application Delivery[A];
Funding: 20.7.
DHS components and investments: Management Directorate: Enterprise
Architecture and Investment Management Program[B];
Funding: 35.6.
DHS components and investments: Management Directorate: Enterprise-
Geospatial System[C];
Funding: 12.8.
DHS components and investments: Management Directorate: Homeland Secure
Data Network[D];
Funding: 32.7.
DHS components and investments: Management Directorate: Human Resources
IT[E];
Funding: 19.1.
DHS components and investments: Management Directorate: Information
Security Program[F];
Funding: 57.8.
DHS components and investments: Management Directorate: Integrated
Wireless Network[G];
Funding: 361.3.
DHS components and investments: Management Directorate: Watch List and
Technical Integration[H];
Funding: 9.9.
DHS components and investments: Management Directorate: CIO Office
salaries and expenses;
Funding: 16.5.
DHS components and investments: Management Directorate: Other IT
infrastructure[I];
Funding: 954.3.
DHS components and investments: Management Directorate: Other;
Funding: 55.3.
DHS components and investments: Preparedness Directorate[J];
Funding: 213.5.
DHS components and investments: Science and Technology Directorate;
Funding: 34.1.
DHS components and investments: Secret Service;
Funding: 3.8.
DHS components and investments: Transportation Security Administration;
Funding: 356.4.
DHS components and investments: US-VISIT[K];
Funding: 407.4.
DHS components and investments: Other DHS components;
Funding: 45.1.
DHS components and investments: Total;
Funding: $4,160.8.
Source: GAO analysis of DHS data.
[A] Enterprise Application Delivery is to consolidate existing and
planned Web pages and platforms of the DHS component organizations.
[B] The Enterprise Architecture and Investment Management Program is to
develop the department's enterprise architecture and implement the
transition strategy through the department's investment management
process.
[C] The Enterprise-Geospatial System is to establish a framework,
organizational structure, and requisite resources to enable
departmentwide use of geographic information systems.
[D] The Homeland Secure Data Network is to merge disparate classified
networks into a single, integrated network to enable, among other
things, the secure sharing of intelligence and other information.
[E] Human Resources IT includes the set of DHS enterprisewide systems
to support personnel regulations:
[F] The Information Security Program is to establish information
security policies and procedures throughout the department to protect
the confidentiality, integrity, and availability of information.
[G] The Integrated Wireless Network is to deliver the wireless
communications services required by agents and officers of DHS, the
Department of Justice, and the Department of the Treasury.
[H] Watch List and Technical Integration is to increase effective
information sharing by consolidating, re-using, and retiring
applications that develop multiple terrorist watch lists being used by
multiple operating entities within the government.
[I] Other infrastructure includes initiatives with the goal of creating
a single, consolidated, and secure infrastructure to ensure
connectivity among the department's 22 component organizations.
[J] On April 1, 2007, this Directorate was replaced by the National
Protection and Programs Directorate.
[K] On April 1, 2007, US-VISIT became part of the National Protection
and Programs Directorate.
[End of table]
As mentioned earlier, DHS requested about $4 billion for fiscal year
2008, which is the third largest planned IT expenditure among federal
departments.
Prior GAO Reviews of DHS's IT Investment Management Efforts:
During the last 3 years, we have reported on steps that DHS has taken
to establish its IT investment management activities and the associated
challenges it faced.
² In May 2004, we reported that DHS was in the midst of developing and
implementing a strategic approach to IT management.[Footnote 7] We also
reported that DHS's interim efforts to manage IT investments did not
provide assurance that those investments were strategically aligned. As
a result, we concluded that DHS system investments were at risk of
requiring rework in order to properly align with strategic mission
goals and outcomes. Accordingly, we recommended that DHS limit its IT
investments to those efforts that were deemed cost-effective via
several criteria and considering any future system rework that would be
needed to later align the system with the department's emerging systems
integration strategy.
² In August 2004, we reported that DHS had established several key
foundational elements for investment management.[Footnote 8] However,
we also reported that DHS was not providing effective departmental
oversight of IT investments, with many investments not receiving
control reviews, due in large part to the lack of an organized process
for conducting the reviews. Accordingly, we recommended that DHS
establish milestones for the initiation and completion of major
information and technology management activities, such as conducting
these control reviews.
² In March 2006, we testified that DHS had worked to institutionalize
IT management controls across the department but still faced
challenges.[Footnote 9] We identified actions that DHS reported it was
taking, while noting, for example, that the department still needed to
define explicit criteria for determining if investments aligned with
the agency's modernization road map (enterprise architecture).
Overview of DHS's Approach to Investment Management:
DHS's enterprisewide and component agency IT investments are
categorized into one of four "levels" of investments that determine the
extent and scope of the required project and program management, the
level of reporting requirements, and the review and approval authority.
An investment is assigned to a level based on its total acquisition
costs and total life cycle costs.[Footnote 10] Table 3 shows the dollar
thresholds that DHS reports it uses in determining investment levels.
Table 3: Levels of Investments:
Level: 1;
Acquisition costs: Greater than $100 million;
Life cycle costs: Greater than $200 million.
Level: 2;
Acquisition costs: Between $50 and $100 million;
Life cycle costs: Between $100 and $200 million.
Level: 3;
Acquisition costs: Between $20 and $50 million;
Life cycle costs: Between $50 and $100 million.
Level: 4;
Acquisition costs: Less than $20 million;
Life cycle costs: Less than $50 million.
Source: DHS documents.
[End of table]
Several entities and individuals are involved in managing these
investments. Table 4 lists the decision-making bodies and personnel
involved in DHS's investment management process, and provides a
description of their key responsibilities and membership.
Table 4: DHS Governance Entities and Responsibilities:
Governance entity: Investment Review Board (IRB);
Membership/ description: Chaired by the Deputy Secretary; Members are
the Under Secretary for Management and other senior executives,
including the CIO, CFO, Chief Procurement Officer, and the Director for
Program Analysis and Evaluation; The chair of the Joint Requirements
Council holds an adjunct member position;
Example of responsibilities:
* Approves level 1 investments;
* Reviews and validates portfolio placement;
* Provides strategic guidance for the Joint Requirements Council.
Governance entity: Joint Requirements Council (JRC);
Membership/ description: Chair appointed by the Deputy Secretary from
among the JRC members; Members include the Chief of Staff, DHS
Management; Chief of Staff, Policy; the Chief Procurement Officer,
Chief Information Officer, and senior managers from each business
component;
Example of responsibilities:
* Approves level 2 investments;
* Provides recommendations to the IRB for level 1 investments regarding
requirements, risk, effect on the mission and other department
programs, and ability to implement within the project spending plan;
* Conducts portfolio reviews and determines the appropriate portfolio
for investments;
* Validates requirements.
Governance entity: Enterprise Architecture Board (EAB);
Membership/ description: Chaired by CIO; Members are CIOs from
component entities, business unit and program representatives, and CFO,
Chief Procurement Officer, Chief Administrative Officer designees;
Example of responsibilities:
* Oversees the department's enterprise architecture;
* Performs technical reviews of level 1 and level 2 IT investments;
* Reviews level 3 and level 4 for IT elements at the inception of the
investment and annually.
Governance entity: Heads of components;
Membership/description: Chief Operating Officer or his/her designee;
Example of responsibilities:
* Approves all level 3 and 4 investments;
* Conducts appropriate management and oversight of investments and
establishes processes to manage approved investments at the component
level.
Governance entity: Program Analysis and Evaluation Office; (This office
is part of the Office of the CFO.);
Membership/description: Director serves as the DHS's executive agent
and coordinator for the investment review process;
Example of responsibilities:
* Reviews investments and prepares decision support information and
analysis for the IRB and JRC;
* Coordinates activities of the Integrated Project Review Team and
adjudicates review issues.
Governance entity: Integrated Project Review Team;
Membership/ description: Led by Program Analysis and Evaluation Office;
Members include subject matter experts from appropriate functional
disciplines and representatives from the following offices: CIO, CFO,
Privacy, Policy, Security, Chief Procurement Officer, Chief
Administrative Officer, General Counsel, and Science and Technology;
Example of responsibilities:
* Is the entry point for the investment management process;
* Provides technical guidance on the process and the investments;
* Conducts integrated investment reviews in support of the IRB, JRC,
and EAB;
* Performs comprehensive decision milestones and portfolio reviews for
level 1 and 2 investments;
* Guides components in a portfolio analysis of their investments.
Source: GAO analysis of DHS data.
[End of table]
Figure 2 shows the relationship among the key players in DHS's
investment management process.
Figure 2: DHS Review and Approval Process:
[See PDF for image]
Source: DHS.
[End of figure]
Investment Management Process:
DHS's investment management process consists of four phases (which it
refers to as Capital Planning Investment Control Steps): (1) the
preselect phase supports the initial conception and development of the
investment, (2) the select phase supports the selection of the
investment from among competing investments, (3) the control phase
supports the monitoring of investments for acceptable performance, and
(4) the evaluate phase supports the evaluation of investments for
progress made against objectives. Each phase of the process is made up
of multiple steps that set out requirements that need to be met in
order for the boards to make decisions about the investments. The
investment management phases are aligned with projects' life cycle
phases, as illustrated in figure 3.[Footnote 11] According to DHS
policy, the boards are to review projects at key decision points or at
least annually. Figure 3 shows where these key decision points (see
shaded areas) are to occur in a project's life cycle and in the
investment management process.
Figure 3: DHS Investment Review Process:
[See PDF for image]
Source: DHS.
[End of figure]
Preselect:
DHS's preselect phase is to identify the business needs and assess the
preliminary costs and benefits needed for the development and support
of an investment's initial concept. During this phase, the component
agency is to assign a project manager to develop an investment review
request--essentially an investment proposal--and to scope the project.
The document is to provide initial information, which is to be used to
establish a schedule for the investment's key milestone reviews and be
reviewed by the Integrated Project Review Team (IPRT). For major
investments (level 1 and 2 investments), project managers are required
to also assemble an interdisciplinary team to assist in the management
of the investment. During this phase, the EAB assesses investments for
alignment with the enterprise architecture and provides recommendations
to the appropriate decision-making authorities (recommendations for
level 1 investments are made to the IRB, those for level 2 investments
are made to the JRC, and those for level 3 and 4 investments are made
to the heads of the components). Project managers present investment
proposals to their component-level investment review boards for
approval.
Select:
In the select phase, DHS is to assess investments against a uniform set
of evaluation criteria and thresholds to ensure that the department
selects the investments that best support its mission. All new and
existing investments are to go through this phase in support of DHS's
annual programming and budgeting process. Based on the assessments
during the select phase, DHS is to prioritize investments and decide
which investments to include in its portfolios. The select phase is
also intended to help the department justify budget requests by
demonstrating the resources required for individual investments. At the
end of the selection process, the department is to produce a scored and
ranked list of Exhibit 300s[Footnote 12] for all major investments and
an Exhibit 53[Footnote 13] for all level 1 through level 4 IT
investments for submission to the Office of Management and Budget.
Control:
Once resources are expended to acquire planned capabilities, the
investment is assumed to be in the control phase, and control related
activities are to continue throughout the investment's life cycle.
During this phase, project managers are responsible for preparing
inputs for periodic reporting in support of investment reviews. The
purpose of the reviews is to ensure that investments are performing
within acceptable cost, schedule, and performance parameters. The
Acquisition Program Baseline is the main control instrument used
through predeployment to baseline these parameters for investments. The
IPRT reviews the Acquisition Program Baseline and other periodic
reporting documents and provides recommendations to the project teams,
if needed. Once the project teams have made the recommended changes,
the IPRT provides a summary package to the component agency heads and
DHS's review boards (IRB and JRC) to support key milestone decision
reviews and other reviews established in the investment's investment
review request during the preselect phase.
Evaluate:
The evaluate phase begins when an investment is implemented or is
deployed and operational. During this phase, project managers are
responsible for conducting postimplementation reviews (PIR) to evaluate
the impact of the investment on the department's mission and programs.
The PIR focuses on three primary areas: impact to stakeholders and
customers, ability to deliver results, and ability to meet baseline
goals. Major investments that are in the operations and maintenance
phases are required to perform an operational analysis to measure
performance and cost against the investment's baseline. If the
investment's performance is deficient, the program manager is required
to introduce corrective actions. Any changes to the investment's
original baseline need to be approved by the appropriate IRB. The
lessons learned from conducting a PIR are to be reported to the IPRT
for use throughout the department.
Overview of GAO's ITIM Maturity Framework:
The ITIM framework consists of five progressive stages of maturity that
an agency can achieve in its investment management
capabilities.[Footnote 14] It was developed on the basis of our
research into the IT investment management practices of leading private-
and public-sector organizations. The maturity stages are cumulative;
that is, in order to attain a higher stage, an agency must
institutionalize all of the critical processes at the lower stages, in
addition to the higher stage critical processes.
The framework can be used to assess the maturity of an agency's
investment management processes and as a tool for organizational
improvement. The overriding purpose of the framework is to encourage
investment processes that promote business value and mission
performance, reduce risk, and increase accountability and transparency
in the decision process. We have used the framework in several of our
evaluations,[Footnote 15] and a number of agencies have adopted it.
These agencies have used ITIM for purposes ranging from self-assessment
to redesign of their IT investment management processes.
ITIM's five maturity stages (see fig. 4) represent steps toward
achieving stable and mature processes for managing IT investments. The
successful attainment of each stage leads to improvement in the
organization's ability to manage its investments. With the exception of
the first stage, each maturity stage is composed of "critical
processes" that must be implemented and institutionalized in order for
the organization to achieve that stage. These critical processes are
further broken down into key practices that describe the types of
activities that an organization should be performing to successfully
implement each critical process. It is not unusual for an organization
to be performing key practices from more than one maturity stage at the
same time. However, our research shows that agency efforts to improve
investment management capabilities should focus on implementing all
lower stage practices before addressing higher stage practices.
Figure 4: The Five ITIM Stages of Maturity with Critical Processes:
[See PDF for image]
Source: GAO.
[End of figure]
In the ITIM framework, Stage 2 critical processes lay the foundation
for sound IT investment processes by helping the agency to attain
successful, predictable, and repeatable investment control processes at
the project level. At Stage 2, the emphasis is on establishing basic
capabilities for selecting new IT projects, and on developing the
capability to (1) control projects so that they finish predictably
within established cost, schedule, and performance expectations and (2)
identify and mitigate potential exposures to risk.
Stage 3 is where the agency moves from project-centric processes to
portfolio-based processes and evaluates potential investments by how
well they support the agency's missions, strategies, and goals. This
stage requires that an organization continually assess both proposed
and ongoing projects as parts of complete investment portfolios--
integrated and competing sets of investment options. It focuses on
establishing a consistent, well-defined perspective on IT investment
portfolios and maintaining mature, integrated selection (and
reselection), control, and evaluation processes, which are to be
evaluated during PIRs. This portfolio perspective allows decision
makers to consider the interaction among investments and the
contributions to organizational mission goals and strategies that could
be made by alternative portfolio selections, rather than to focus
exclusively on the balance between the costs and benefits of individual
investments. Organizations implementing Stage 2 and 3 key practices
have in place capabilities that assist in establishing the selection,
control, and evaluation processes required by the Clinger-Cohen Act of
1996.[Footnote 16]
Stages 4 and 5 require the use of evaluation techniques to continuously
improve both investment processes and portfolios in order to better
achieve strategic outcomes. At Stage 4 maturity, an organization has
the capacity to conduct IT succession activities and, therefore, can
plan and implement the deselection of obsolete, high-risk, or low-value
IT investments. An organization with Stage 5 maturity conducts
proactive monitoring for breakthrough technologies that will enable it
to change and improve its business performance.
As mentioned earlier, each ITIM critical process is further broken down
into key practices that describe the tasks that an organization should
be performing to successfully implement each critical process. Key
practices include organizational commitments, which are typically
policies and procedures; prerequisites, which are conditions that must
exist to implement a critical process successfully; and activities,
which address the implementation of policies and procedures.
DHS Has Established the Structure Needed to Effectively Manage Its
Investments but Has Yet to Fully Define Many of the Related Policies
and Procedures:
Through IT investment management, organizations define and follow a
corporate process to help senior leadership make informed decisions on
competing IT investment options. Such investments, if managed
effectively, can have a dramatic impact on an organization's
performance and accountability. If mismanaged, they can result in
wasteful spending and lost opportunities for improving delivery of
services. Based on our framework, an organization should establish the
management structure needed to manage its investments; build the
investment foundation by selecting and controlling individual projects
(Stage 2 capabilities); and manage projects as a portfolio of
investments, treating them as an integrated package of competing
investment options and pursuing those that best meet the strategic
goals, objectives, and mission of the agency (Stage 3 capabilities).
DHS has established the management structure to effectively manage its
investments. However, the department has yet to fully define 8 of the
11 related policies and procedures defined by our ITIM framework.
Specifically, while DHS has documented the policies and related
procedures for project-level management, some of these procedures do
not include key elements. For example, procedures for selecting
investments do not cite either the specific criteria or steps for
prioritizing and selecting new IT proposals, and procedures for
management oversight of IT projects and systems do not specify the
rules that the investment boards are to follow in overseeing
investments. In addition, the department has yet to define most of the
policies associated with managing its IT projects as investment
portfolios. Officials attributed the absence of policies and procedures
at the portfolio level to other investment management priorities. Until
DHS fully defines and documents its policies and procedures for
investment management, it risks selecting investments that will not
meet mission needs in the most cost-effective manner.
DHS Has Established an Investment Management Structure and Project-
Level Policies, but It Has Not Fully Defined Supporting Procedures:
At ITIM Stage 2, an organization has attained repeatable, successful IT
project-level investment control processes and basic selection
processes. Through these processes, the organization can identify
expectation gaps early and take the appropriate steps to address them.
ITIM Stage 2 critical processes include (1) defining IT investment
board operations, (2) identifying the business needs for each IT
investment, (3) developing a basic process for selecting new IT
proposals and reselecting ongoing investments, (4) developing project-
level investment control processes, and (5) collecting information
about existing investments to inform investment management decisions.
Table 5 describes the purpose of each of these Stage 2 critical
processes.
Table 5: Stage 2 Critical Processes--Building the Investment
Foundation:
Critical process: Instituting the investment board;
Purpose: To define and establish an appropriate IT investment
management structure and the processes for selecting, controlling, and
evaluating IT investments.
Critical process: Meeting business needs;
Purpose: To ensure that IT projects and systems support the
organization's business needs and meet users' needs.
Critical process: Selecting an investment;
Purpose: To ensure that a well-defined and disciplined process is used
to select new IT proposals and reselect ongoing investments.
Critical process: Providing investment oversight;
Purpose: To review the progress of IT projects and systems, using
predefined criteria and checkpoints, in meeting cost, schedule, risk,
and benefit expectations and to take corrective action when these
expectations are not being met.
Critical process: Capturing investment information;
Purpose: To make available to decision makers information to evaluate
the impacts and opportunities created by proposed (or continuing) IT
investments.
Source: GAO.
[End of table]
DHS has established a management structure within which to execute
investment management processes. As previously mentioned, this
management structure consists of two review boards, the IRB and the
JRC, which are responsible for defining and implementing DHS's IT
investment management approach. The membership for these boards
appropriately consists of senior executives at the department level and
from the major business units and the CIO organization. Other entities,
including the EAB and IPRT, play a critical role in supporting the
boards and performing investment management activities.
DHS has also fully documented the policies and certain procedures
associated with project-level management. Specifically, the
department's Investment Review Process management directive establishes
the framework for department investment management by documenting a
high-level investment management process and defining project-level
policies, including policies for such key activities as identifying
projects or systems that support business needs and selecting among new
investment proposals. In addition, other documents specify the
procedures associated with these policies. For example, the Investment
Management Handbook and Business Case Life Cycle Handbook specify
procedures for relating projects and systems to DHS's business needs,
and the Capital Planning and Investment Control Guide and Systems
Development Lifecycle specify procedures for integrating funding and
selection.
Nevertheless, some of DHS's project-level procedures fail to address
key elements as follows:
² Procedures for selecting investments do not cite either the specific
criteria or steps for prioritizing and selecting new IT proposals.
According to officials, such elements are being used to select new IT
proposals. However, unless the criteria and steps for prioritizing and
selecting new proposals are documented in procedures, it is unlikely
that they will be used consistently.
² Procedures for management oversight of IT projects and systems do not
specify the steps and criteria (i.e., rules) for the investment boards
to follow in controlling investments. Documenting these rules would
provide reasonable assurance that key investment control activities are
being performed consistently and would establish transparency and thus
promote departmentwide understanding of how decisions are made.
² A methodology, with explicit decision-making criteria, does not exist
to guide the EAB in determining an investment's alignment with the DHS
enterprise architecture. DHS has developed Enterprise Architecture
Board Process Guidance that the EAB uses in its reviews of
investments,[Footnote 17] and this guidance contains a standard
template for projects to use in providing information to the board;
however, it does not describe the procedures governing how alignment is
to be determined. As a result, the EAB's assessments are based on
subjective and unverifiable judgments. This is a significant weakness
given the importance of architecture alignment in ensuring that
programs will be defined, designed, and developed in a way that avoids
duplication and promotes interoperability and integration.
DHS officials stated that they are aware of the absence of documented
procedures in certain areas of project-level management, but said that
they are nevertheless carrying out the activities that these procedures
would address if they were documented. The officials attributed the
absence of procedures to resource constraints, stating that, with a
full time staff of six to support departmentwide investment management
activities, they are more focused on performing investment management
rather than documenting it in great detail. While we do not question
the importance of actually implementing IT investment management
practices, as evidenced by the fact that our ITIM framework provides
for such implementation, it is important to recognize that
implementation of undefined processes will at best produce ad hoc and
inconsistent results. Accordingly, our framework provides for both
documenting how IT investment management is to be performed through
policies and procedures and for actually implementing these policies
and procedures. Unless DHS's IT investment process guidance specifies
procedures for Stage 2 activities that cover all the elements of
effective project-level investment management, it is unlikely that key
activities will be carried out consistently and in a disciplined
manner. This means that DHS is at risk of investing in IT assets that
will not cost-effectively meet mission needs.
Table 6 summarizes our findings relative to DHS's execution of the
seven key policy and procedure practices needed to manage IT
investments at the project level (Stage 2).
Table 6: Summary of Policies and Procedures for Stage 2 Critical
Processes--Building the Investment Foundation:
Critical process: Instituting the investment board;
Key practice: 1. The organization has a documented IT investment
process directing each investment board's operations;
Rating: Executed;
Summary of evidence: DHS's Investment Review Process management
directive and supporting procedural documents define DHS's IT
investment process and board operations. These documents generally lay
out the roles of the boards and other entities involved in the
investment management process, outline significant events and key
decision points within the process, and specify the manner in which
investment-related processes will be coordinated with other processes,
including the strategic planning, budget, and enterprise architecture
processes.
Critical process: Meeting business needs;
Key practice: 2. The organization has documented policies and
procedures for identifying IT projects or systems that support the
organization's ongoing and future business needs;
Rating: Executed;
Summary of evidence: DHS's Investment Review Process management
directive defines the department's policy for ensuring that IT projects
and systems support the department's ongoing and future business needs.
The supporting procedures are specified in several documents, including
the Investment Management Handbook and Business Case Life Cycle
Handbook.
Critical process: Selecting an investment;
Key practice: 3. The organization has documented policies and
procedures for selecting new IT proposals;
Rating: Not executed;
Summary of evidence: DHS's Investment Review Process management
directive defines the department's policy for selecting investments.
Although supporting procedures exist, they do not specify the criteria
and procedures for prioritizing and selecting new IT proposals.
Critical process: Selecting an investment;
Key practice: 4. The organization has documented policies and
procedures for reselecting ongoing IT investments;
Rating: Not executed;
Summary of evidence: DHS's Investment Review Process management
directive defines the department's policy for reselecting investments.
Although supporting procedures exist, they do not specify the criteria
and procedures for prioritizing and reselecting ongoing IT investments.
Critical process: Selecting an investment;
Key practice: 5. The organization has policies and procedures for
integrating funding with the process of selecting an investment;
Rating: Executed;
Summary of evidence: DHS's Investment Review Process management
directive, Capital Planning and Investment Control Guide, and Systems
Development Lifecycle specify policies and procedures for integrating
funding with the process of selecting an investment.
Critical process: Providing investment oversight;
Key practice: 6. The organization has documented policies and
procedures for management oversight of IT projects and systems;
Rating: Not executed;
Summary of evidence: DHS's Investment Review Process management
directive sets the policy for management oversight of IT projects and
systems. The supporting procedures, however, are lacking key elements,
including the procedural rules for the investment boards operations and
decision making during project oversight.
Critical process: Capturing investment information;
Key practice: 7. The organization has documented policies and
procedures for identifying and collecting information about IT projects
and systems to support the investment management process;
Rating: Not executed;
Summary of evidence: Although DHS policy documents the types of
information to be collected about IT projects and systems to support
the investment management process, the department does not have
supporting procedures that explicitly assign responsibility and
ownership of information or define the physical and logical locations
for information storage.
Source: GAO analysis of DHS data.
[End of table]
DHS Has Largely Not Documented Policies and Procedures for Portfolio
Management:
Once an agency has attained Stage 2 (i.e., project-level) maturity, it
needs to effectively manage critical processes for managing its
investments as a portfolio or set of portfolios (Stage 3). IT
investment portfolios are integrated, agencywide collections of
investments that are assessed and managed collectively based on common
criteria. Managing investments as portfolios is a conscious,
continuous, and proactive approach to allocating limited resources
among an organization's competing initiatives in light of the relative
benefits expected from these investments. Taking an agencywide
perspective enables an organization to consider its investments in a
more comprehensive and integrated fashion, so that collectively the
investments optimally address the organization's missions, strategic
goals, and objectives. Managing IT investments as portfolios also
allows an organization to determine its priorities and make decisions
about which projects to begin funding and continue to fund based on
analyses of the relative organizational value and risks of all
projects, including projects that are proposed, under development, and
in operation. Although investments may initially be organized into
subordinate portfolios--based on, for example, business lines or life
cycle stages--and managed by subordinate investment boards, they should
ultimately be aggregated into enterprise-level portfolios.
According to ITIM, Stage 3 maturity involves (1) defining the portfolio
criteria; (2) creating the portfolio; (3) evaluating (i.e., overseeing)
the portfolio; and (4) conducting PIRs. Table 7 summarizes the purpose
of each of these processes.
Table 7: Stage 3 Critical Processes--Developing a Complete Investment
Portfolio:
Critical process: Defining the portfolio criteria;
Purpose: To ensure that the organization develops and maintains IT
portfolio selection criteria that support its mission, organizational
strategies, and business priorities.
Critical process: Creating the portfolio;
Purpose: To ensure that IT investments are analyzed according to the
organization's portfolio selection criteria and to ensure that an
optimal IT investment portfolio with manageable risks and returns is
selected and funded.
Critical process: Evaluating the portfolio;
Purpose: To review the performance of the organization's investment
portfolio(s) at agreed- upon intervals and to adjust the allocation of
resources among investments as necessary.
Critical process: Conducting postimplementation reviews;
Purpose: To compare the results of recently implemented investments
with the expectations that were set for them and to develop a set of
lessons learned from these reviews.
Source: GAO.
[End of table]
DHS has not yet fully established any of the policies and procedures
associated with managing the 22 IT portfolios that it recently
established. For example, the department does not have documented
policies and procedures for creating and modifying portfolio selection
criteria or for creating its portfolios. In addition, DHS does not have
documented policies and procedures for evaluating (or controlling) its
portfolios. Further, while the department has policies and procedures
for conducting PIRs, these policies and procedures do not specify
several items, including roles and responsibilities for conducting
reviews, and how conclusions, lessons learned, and recommended
management actions are to be shared with executives and others.
DHS officials attributed the lack of portfolio-level policies and
procedures to the fact that resources have been assigned to other
investment management activities, such as its efforts to establish the
22 portfolios. However, they said that establishing these policies and
procedures is important, and thus they are taking steps to begin
defining them. Specifically, they said that a portfolio manager for
four portfolios--Grants, Case Management, Portal, and Disaster
Management--was hired in the fall of 2006, and this manager's
responsibilities include developing the direction, guidance, and
procedures for departmental portfolio management. They also said that
another portfolio manager is currently being recruited. In addition,
DHS officials stated that the PIR procedures defined in the Operational
Analysis Guide are being updated to focus more on lessons learned.
Not having documented policies and procedures for portfolio management
is a significant weakness, particularly since officials told us that
they recently began performing control reviews of these portfolios.
Until DHS fully establishes the policies and procedures for portfolio-
level management, DHS is at risk of not selecting and controlling the
mix of investments in a manner that best supports the department's
mission needs.
As illustrated in table 10, none of the practices associated with
policies and procedures for Stage 3 have been executed. Table 8
summarizes the rating for each critical process required to manage
investments as a portfolio and summarizes the evidence that supports
these ratings.
Table 8: Summary of Policies and Procedures for Stage 3 Critical
Processes--Developing a Complete Investment Portfolio:
Critical process: Defining the portfolio criteria;
Key practice: The organization has documented policies and procedures
for creating and modifying IT portfolio selection criteria;
Rating: Not executed;
Summary of evidence: While DHS recently developed and vetted its IT
portfolios, it has not documented policies and procedures for creating
and modifying the portfolio selection criteria.
Critical process: Creating the portfolio;
Key practice: The organization has documented policies and procedures
for analyzing, selecting, and maintaining the investment portfolio(s);
Rating: Not executed;
Summary of evidence: DHS does not have policies and procedures for
analyzing, selecting, and maintaining its investment portfolios.
Critical process: Evaluating the portfolio;
Key practice: The organization has documented policies and procedures
for reviewing, evaluating, and improving the performance of its
portfolio(s);
Rating: Not executed;
Summary of evidence: DHS does not have documented policies and
procedures for reviewing, evaluating, and improving the performance of
its portfolios, although officials told us that the department has
recently begun to perform portfolio reviews.
Critical process: Conducting postimplementation reviews;
Key practice: The organization has documented policies and procedures
for conducting PIRs;
Rating: Not executed;
Summary of evidence: Although DHS has policies and procedures for
conducting PIRs, they do not specify key items, including roles and
responsibilities for conducting PIRs.
Source: GAO.
[End of table]
DHS Has Not Fully Executed Key Practices Associated with Effectively
Controlling Investments:
DHS has not fully implemented any of the key practices needed to
control investments--either at the project level or at the portfolio
level. For example, according to DHS officials and our review of the
department's control review schedule, the investment boards have not
conducted regular reviews of investments. Further, while control
activities are sometimes performed, they are not performed consistently
across projects. In addition, because the policies and procedures for
portfolio management have yet to be defined, control of the
department's investment portfolios is ad hoc, according to DHS
officials. Officials told us that to strengthen IT investment
management, they have recently hired a portfolio manager and are
recruiting another one. Until DHS fully implements processes to control
its investments, both at the project and portfolio levels, it increases
the risk of not meeting cost, schedule, benefit, and risk expectations.
DHS Has Not Implemented the Key Practices Associated with Controlling
Investments at the Project Level:
As we have previously reported, an organization should effectively
control its IT projects throughout all phases of their life cycles. In
particular, its investment board should observe each project's
performance and progress toward predefined cost and schedule
expectations, as well as each project's anticipated benefits and risk
exposure. The board should also employ early warning systems that
enable it to take corrective actions when cost, schedule, and
performance expectations are not met. According to our ITIM framework,
effective project-level control[Footnote 18] requires, among other
things, (1) providing adequate resources for IT project oversight; (2)
developing and maintaining an approved management plan for each IT
project; (3) making up-to-date cost and schedule data for each project
available to the oversight boards; (4) having regular reviews by each
investment board of each project's performance against stated
expectations; and (5) ensuring that corrective actions for each
underperforming project are documented, agreed to, implemented, and
tracked until the desired outcome is achieved. (The key practices are
listed in table 9.)
Although (as discussed in the previous section), DHS has established
some policies and procedures, DHS has not implemented any of the
prerequisites and activities associated with effective project control.
For example, DHS officials stated that the department does not have
adequate resources, including human capital, for project oversight.
In addition, although DHS policies and procedures call for certain
control activities to be performed, these have not always taken place.
For example, DHS policy and procedures call for cost, schedule,
benefit, and risk parameters to be documented in (1) Acquisition
Program Baselines (APB) and risk management plans for major projects in
the capability development and demonstration or production and
deployment phases and (2) in operational analysis (OA) documents and
Exhibit 300s for projects in operations and support (steady state).
However, DHS officials acknowledged that some projects do not have APBs
or OAs and stated that a management directive to implement the OA
policy is in draft. In addition, although the APBs are supposed to be
approved by the appropriate board at the alternative selection
milestone decision point, DHS officials stated that this does not
always happen. Instead, these officials said that the Office of Program
Analysis and Evaluation is reviewing APBs for "interim approval." In
addition, OAs are currently reviewed by the boards only if a problem
arises with the projects. Of the three investments we
reviewed,[Footnote 19] an APB and risk management plan were developed
for one (Transportation Worker Identification Credentialing or TWIC).
However, these documents are being updated to reflect changes in the
project's scope and have not yet been approved by the IRB. For another
investment (Integrated Wireless Network or IWN), although, according to
officials, an APB was developed, it was not approved by the IRB,
although it should have been given its life cycle stage. For the third
investment (National Emergency Management Information System or
eNEMIS), an OA document specifies the cost, schedule, and benefit
expectations for the project. However, the OA has not been reviewed by
an investment board because the project has not experienced a problem
that would trigger its review.
Data on actual performance are also not provided to the appropriate IT
investment board on a regular basis. Specifically, according to the
Investment Review Process management directive, Periodic Reporting
Manual, and Investment Management Handbook, actual cost, schedule, and
benefits performance data for projects through the production and
deployment phase should be provided to the boards in the APB and the
IPRT's analyses of quarterly reports for key milestone decision reviews
and annual reviews. However, our review of the fiscal year 2006 control
schedule showed that project reviews did not always occur; therefore,
the boards were not provided with data on actual project performance on
a regular basis. In addition, a schedule for fiscal year 2007 project
reviews has not been developed. Moreover, officials confirmed that
these reviews do not always occur stating that, for fiscal year 2007,
the boards' reviews have been scheduled reactively, for projects that
have legislatively required expenditure plans or have otherwise
prompted congressional interest. In addition, while the IPRT is
supposed to monitor data on the actual performance of projects in
operations and support, these data are provided to the boards only if
problems arise.
Regarding investment board reviews of the performance of IT projects
and systems against expectations, DHS's policy requires that ongoing
project reviews be conducted either annually or at milestone decision
points. However, these reviews are not conducted in a timely manner for
all level 1 and 2 investments that are not the subject of congressional
interest. Officials stated that the Under Secretary for Management
would likely be issuing new guidance aimed at making the review
schedule more proactive.
Finally, DHS officials told us that the investment boards do not
effectively track the implementation of corrective actions for
underperforming projects, primarily because they do not have a robust
tool to support them in this activity.
This means that DHS executives do not have the information they need to
determine whether investments are meeting expectations, which increases
the risk that underperforming projects will not be identified and
corrected in a timely manner.
Table 9 shows the ratings for each key practice required to control
investments (except for the policies and procedures, which were
discussed in the previous section) and summarizes the evidence that
supports these ratings.
Table 9: Summary of Key Practices for Providing Investment Oversight
(Stage 2 Critical Process):
Type of practice: Prerequisite;
Key practice: Adequate resources, including people, funding, and tools,
are provided for IT project oversight;
Rating: Not executed;
Summary of evidence: According to DHS officials, the department does
not have adequate resources for project oversight. Specifically, staff
resources fall short of the required number and experience level. In
addition, officials stated that the board does not have a robust tool
to track the implementation of corrective actions for underperforming
projects.
Type of practice: Prerequisite;
Key practice: IT projects and systems, including those in steady state
(operations and maintenance), maintain approved project management
plans that include expected cost and schedule milestones and measurable
benefit and risk expectations;
Rating: Not executed;
Summary of evidence: DHS's Investment Review Process management
directive and supporting procedures specify that all major projects in
the capability development and demonstration phase or in the production
and deployment phase of the life cycle should have an APB that defines
the projects' cost, schedule, and performance parameters and a risk
management plan that identifies expected risks. They also specify that
the APB and risk management plan should be approved by the appropriate
board at key milestone decision points. However, DHS officials told us
that not all investments have an APB. They also stated that, for those
that have APBs, these documents are not always approved by the boards;
In addition, officials stated that all major projects in steady state
are to have an OA that documents expected cost, schedule, and benefit
parameters. However, DHS officials stated that not all operational
programs currently have OAs. Risk factors for steady state projects are
addressed in Exhibit 300s; None of the three investments we reviewed
(TWIC, IWN, and eNEMIS) satisfied this key practice. Specifically, for
TWIC, an APB and risk management plan were developed, but these
documents are being updated to reflect changes in the project's scope
and have not yet been approved by the IRB. For IWN, according to
officials, an APB has been prepared, but it has not been approved by
the IRB, although it should have been, given its life cycle stage. For
eNEMIS, a June 2006 OA document was prepared, but it has not been
approved by the review board. According to officials, such approval of
the OA document is not required.
Type of practice: Activity;
Key practice: Data on actual performance (including cost, schedule,
benefit, and risk performance) are provided to the appropriate IT
investment board;
Rating: Not executed;
Summary of evidence: According to the Investment Review Process
management directive, Periodic Reporting Manual, and Investment
Management Handbook, actual cost, schedule, and benefits performance
data for projects through the production and deployment phase should be
provided to the boards in the APB and the IPRT's analyses of quarterly
reports for key milestone decision reviews and annual reviews. However,
according to our review of the control schedule and DHS officials, this
is not happening in some cases. In addition, while the IPRT is to
monitor data on the actual performance of projects that are the in
operations and support phase, these data are provided to the boards
only if problems arise; Of the three investments that we reviewed, TWIC
satisfied this key practice since actual performance data for TWIC was
last presented to the IRB for a key milestone decision review in March
2006. However, IWN and eNEMIS did not satisfy this key practice.
Specifically, we received the quarterly report for IWN containing data
on actual performance but received no evidence that the data were
provided to the board. Because eNEMIS is a steady state investment, it
was not required to submit data on actual performance to the investment
board.
Type of practice: Activity;
Key practice: Using verified data, each investment board regularly
reviews the performance of IT projects and systems against stated
expectations;
Rating: Not executed;
Summary of evidence: According to DHS officials, the IPRT verifies data
on the performance of IT investments against stated expectations and
provides summaries and analyses of verified data to the boards for
their milestone decision reviews and annual reviews. However, the
department's control schedule shows that the boards have not conducted
regular reviews of investments. Instead, officials told us that the
boards have reacted to projects that are the focus of congressional
interest. Moreover, steady state investments are not reviewed by upper
management review boards (the IRB or JRC) unless the analysis conducted
for the initial review by the IPRT indicates a problem; Of the three
investments that we reviewed, TWIC is the only project that satisfied
this key practice. Specifically, TWIC's performance against
expectations was reviewed by the IRB. Implementation plans for IWN are
currently being revised and, according to officials, are to be reviewed
by the IRB in April 2007. As noted earlier, eNEMIS was not reviewed by
a board since it is a steady state project.
Type of practice: Activity;
Key practice: For each underperforming IT project or system,
appropriate actions are taken to correct or terminate the project or
system in accordance with defined criteria and the documented policies
and procedures for management oversight;
Rating: Not executed;
Summary of evidence: According to DHS's Periodic Reporting Manual,
projects in the capability development and demonstration or production
and deployment phases are to report on projects whose cost, schedule,
and performance variances exceed the investment's APB by 8 percent
(plus or minus) on a quarterly basis and to submit a remediation plan
within 30 days. Of the three investments that we reviewed, officials
told us that TWIC was the only investment that experienced performance
shortfalls. However, according to officials, a remediation plan
documenting the corrective actions for this investment was not
prepared; As previously noted, the department does not have policies
and procedures for ensuring that appropriate actions are taken for
underperforming steady state projects.
Type of practice: Activity;
Key practice: The investment board regularly tracks the implementation
of corrective actions for each underperforming project until the
actions are completed;
Rating: Not executed;
Summary of evidence: The CFO Planning Analysis and Evaluation and CIO
Enterprise Business Management officials stated that although there is
a tool in place to track corrective actions, it is not yet shared
across the IPRT and needs improvement.
Source: GAO.
[End of table]
DHS Has Not Implemented Key Practices Needed to Control Its Investment
Portfolios:
The critical process associated with controlling investment portfolios
(evaluating the portfolio under Stage 3 of our ITIM framework) builds
upon the Stage 2 critical process providing investment oversight by
adding the elements of portfolio performance to an organization's
investment control capacity. Compared with less mature organizations,
Stage 3 organizations will have the capability to control the risks
faced by each investment and to deliver benefits that are linked to
mission performance. In addition, a Stage 3 organization will have the
benefit of performance data generated by Stage 2 processes. Executive-
level oversight of risk management outcomes and incremental benefit
accumulation provides the organization with increased assurance that
each IT investment will achieve the desired results. Table 10 lists the
key practices associated with this critical process, with the exception
of the establishment of policies and procedures, which was discussed
earlier.
Table 10: Summary of Key Practices for Evaluating the Portfolio (Stage
3 Critical Process):
Type of practice: Prerequisites;
Key practice: Adequate resources, including people, funding, and tools
have been provided for reviewing the investment portfolio and its
projects.
Board members are familiar with the process for evaluating and
improving the portfolio's performance.
Results of relevant providing investment oversight reviews from Stage 2
are provided to the investment board.
Criteria for assessing portfolio performance are developed, reviewed,
and modified at regular intervals to reflect current performance
expectations.
Type of practice: Activities;
Key practice: IT portfolio performance measurement data are defined and
collected consistent with portfolio performance criteria.
Adjustments to the IT investment portfolio are executed in response to
actual portfolio performance.
Source: GAO.
[End of table]
Although officials told us that DHS has taken steps to classify its
investments into 22 IT portfolios, the department has largely not
defined the policies and procedures needed to control these portfolios
(see earlier section of this report). As a result, DHS officials stated
that they are performing portfolio-level control in an ad hoc manner.
To begin addressing this, they stated that an analyst was recently
hired to help develop guidance and procedures for the IT portfolios,
and another staff member is being recruited. Without documented
policies and procedures for controlling its investment portfolios, the
department's efforts to evaluate its portfolios will remain ad hoc,
compounding its risk of investing in new and existing IT systems that
are not aligned with DHS's mission and business priorities and do not
meet cost, schedule, and performance expectations.
Conclusions:
Given the importance of IT to DHS's mission performance and outcomes,
it is vital for the department to adopt and employ an effective
institutional approach to IT investment management. To its credit, the
department has established aspects of such an approach and thus has a
basis for achieving greater maturity. However, its approach is missing
key elements of effective investment management, such as procedures for
implementing project-specific investment management policies, as well
as policies and procedures for portfolio-based investment management.
Further, it has yet to fully implement either project-or portfolio-
level investment control practices. All told, this means that DHS lacks
the complete institutional capability needed to ensure that it is
investing in IT projects that best support its strategic mission needs
and that ongoing projects will meet cost, schedule, and performance
expectations. After almost 4 years in operation, DHS is overdue in
having a mature approach to investment management. Without one, DHS is
impaired in its ability to optimize mission performance and
accountability.
Recommendations for Executive Action:
To strengthen DHS's investment management capability and address the
weaknesses discussed in this report, we recommend that the Secretary of
Homeland Security direct the Undersecretary for Management, in
collaboration with the CFO and CIO, to devote the appropriate attention
to development and implementation of effective investment management
processes. At a minimum, this should include fully defining and
documenting project-and portfolio-level policies and procedures that
address the following eight areas:
² selecting new investments, including specifying the criteria and
steps for prioritizing and selecting these proposals;
² reselecting ongoing IT investments, including specifying the criteria
and steps for prioritizing and reselecting these investments;
² overseeing (i.e., controlling) IT projects and systems, including
specifying the procedural rules for the investment boards' operations
and decision making during project oversight;
² identifying and collecting information about investments, including
assigning responsibility for the process and ownership of the
information and defining the locations for information storage;
² creating and modifying IT portfolio selection criteria;
² analyzing, selecting, and maintaining the investment portfolios;
² assessing portfolio performance at regular intervals to reflect
current performance expectations; and:
² conducting postimplementation reviews of IT investments, including
defining roles and responsibilities for doing so, and specifying how
conclusions, lesson learned, and recommended management actions are to
be shared with executives and others.
In addition, we recommend that the department implement key investment
control processes. At a minimum, this should include these six project-
level practices:
² providing adequate resources, including people, funding, and tools,
for IT project oversight;
² having IT projects and systems, including those in steady state
(operations and maintenance), maintain approved project management
plans that include expected cost and schedule milestones and measurable
benefit and risk expectations;
² providing data on actual performance (including cost, schedule,
benefit, and risk performance) to the appropriate IT investment board;
² having each investment board use verified data to regularly review
the performance of IT projects and systems against stated expectations;
² taking appropriate actions to correct or terminate each
underperforming IT project or system in accordance with defined
criteria and the documented policies and procedures for management
oversight; and:
² having the investment board regularly track the implementation of
corrective actions for each underperforming project until the actions
are completed.
It should also include the following six portfolio-level practices:
² providing adequate resources, including people, funding, and tools,
for reviewing the investment portfolios and their projects;
² making board members familiar with the process for evaluating and
improving the portfolio's performance;
² providing results of relevant Providing Investment Oversight reviews
from Stage 2 to the investment boards;
² developing, reviewing, and modifying criteria for assessing portfolio
performance at regular intervals to reflect current performance
expectations;
² defining and collecting IT portfolio performance measurement data
that are consistent with portfolio performance criteria; and:
² executing adjustments to the IT investment portfolios in response to
actual portfolio performance.
Agency Comments:
In DHS's written comments on a draft of this report, signed by the
Director, Departmental GAO/Office of Inspector General Liaison, the
department stated that it agreed with our findings and recommendations
and will use the report to improve its investment management and review
processes. The department's written comments are reprinted in appendix
II. The department also provided technical comments that we
incorporated in the report where appropriate.
We are sending copies of this report to the Chairmen and Ranking
Minority Members of other Senate and House committees that have
authorization and oversight responsibilities for homeland security and
other interested congressional committees; the Director of the Office
of Management and Budget; and the DHS Secretary, Undersecretary for
Management, Chief Financial Officer, and Chief Information Officer. We
also will make copies available to others upon request. In addition,
the report will be made available at no charge on the GAO Web site at
www.gao.gov.
If you or your staff have any questions about matters discussed in this
report, please contact me at (202) 512-3439 or by e-mail at
hiter@gao.gov. Contact points for our Office of Congressional Relations
and Public Affairs Office may be found on the last page of this report.
Key contributors to this report are listed in appendix III.
Signed by:
Randolph C. Hite:
Director, Information Technology Architecture and Systems Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
The objectives of our review were to (1) determine whether the
Department of Homeland Security (DHS) has established the management
structure and policies and procedures needed to effectively manage its
information technology (IT) investments and (2) determine whether the
department is implementing key practices needed to effectively control
these investments.
To address our first objective, we reviewed the results of the
department's self-assessment of practices associated with project-
level and portfolio-level policies and procedures and compared them
against the relevant practices in Stages 2 and 3 of our IT Investment
Management (ITIM) framework. We also validated and updated the results
of the self-assessment through document reviews and interviews with
officials. We reviewed written policies, procedures, guidance, and
other documentation providing evidence of executed practices, including
DHS's Investment Review Process Management Directive, Capital Planning
and Investment Control Guide, Investment Management Handbook, Periodic
Reporting Manual, and various management memoranda. Our review focused
on DHS's capabilities related to Stages 2 and 3 in our framework that
relate to policies and procedures because those stages lay the
foundation for higher maturity stages and assist organizations in
complying with the investment management provisions of the Clinger
Cohen Act.
To address our second objective, we reviewed the results of the
department's self-assessment of critical processes within Stages 2 and
3 that are associated with project-level and portfolio-level oversight
and compared them against our ITIM framework. We also validated and
updated the results of the self-assessment through document reviews and
interviews with officials. In addition, we reviewed DHS's Investment
Review Board, Joint Resources Council, and Enterprise Architecture
Board investment-related materials, including the investment review
boards' control schedule, status reports, meeting minutes, portfolio-
related documents, and records of decisions. We also conducted
interviews with officials from the Office of the Chief Information
Officer, the Office of the Chief Financial Officer, and the Office of
Program Analysis and Evaluation whose main responsibilities are to
control investments and ensure that DHS's IT investment management
process is implemented and followed.
As part of our analysis for the second objective, we selected three
investments as case studies to verify that the key practices for
investment control were being applied. The investments selected were
major systems when we began our review. They also (1) represented a mix
of enterprisewide (i.e., headquarters) and component agency
investments; and (2) spanned different life cycle phases. The three
investments are described below:
² DHS Integrated Wireless Network (IWN)--This network is to provide a
coordinated nationwide approach to reliable, seamless, interoperable
wireless communications. It is intended to support federal agents and
officers engaged in the conduct of law enforcement, protective
services, homeland defense, and disaster response with DHS, the
Department of Justice, and the Department of the Treasury. IWN is a
major enterprisewide investment and is in the capability development
and demonstration phase. It has an estimated life cycle cost of $4.3
billion and is designated as a level 1 investment.
² Transportation Security Administration's Transportation Worker
Identification Credentialing (TWIC)--This project is intended to
improve security by establishing a systemwide common secure credential,
used across all transportation nodes, for all personnel requiring
unescorted physical and/or logical access to secure areas of the
transportation system. It is a major component agency investment and is
designated as a level 1 investment. The total cost of the program is
estimated at appropriately $307 million through fiscal year 2012.
² Federal Emergency Management Agency's National Emergency Management
Information System (eNEMIS)--eNEMIS is a mission critical application
and infrastructure that supports the entire life cycle of emergency or
disaster (including acts of terrorism) declarations. The project tracks
major incidents; supports mission assignments and other predeclaration
response activities; processes the governor's request for assistance;
and automates the preliminary damage assessment process, the regional
analysis, and summary. It is a major component agency investment that
is in the operations and support phase and is designated as a level 1
investment with an estimated total life cycle cost of $319 million. For
these investments, we reviewed project management documentation, such
as acquisition program baseline, operational analysis document, and
decision memoranda.
For both objectives, we rated the ITIM key practices as "executed" on
the basis of whether the agency demonstrated (by providing evidence of
performance) that it had fully met the criteria of the key practice. A
key practice was rated as "not executed" when we found insufficient
evidence of a practice during the review or when we determined that
there were significant weaknesses in DHS's execution of the key
practice. We provided DHS an opportunity to produce evidence for the
key practices that we rated as "not executed."
We conducted our work at DHS headquarters in Washington, D.C., from
February 2006 through March 2007 in accordance with generally accepted
government auditing standards.
[End of section]
Appendix II: Comments from the U.S. Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
April 16, 2007:
Mr. Randolph C. Hite:
Director, Information Technology Architecture and Systems Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Hite:
RE: Draft Report GAO-07-424, Information Technology: DHS Needs to Fully
Define and Implement Policies and Procedures for Effectively Managing
Investments (GAO Job Code 310617):
The Department of Homeland Security appreciates the opportunity to
review and comment on the draft report referenced above. The Government
Accountability Office makes two broad recommendations: (1) devote
appropriate attention to the development and implementation of
effective management processes and (2) implement key investment control
processes.
We agree with the findings and recommendations and will use the report
findings to improve the Department's investment-management and
investment-review procedures. Management Directive 0007.1, signed by
the Secretary, solidifies the primary role of the Chief Information
Officer functions within the Department, provides for a review of all
IT budgets within the Department, and provides the format for the Chief
Information Officer approval of component information technology
budgets and information technology procurements greater than $2.5
million.
Technical comments that update or clarify statements in the draft
report are provided under separate cover.
Sincerely,
Signed by:
Steven J. Pecinovsky:
Director:
Departmental GAO/OIG Liaison Office:
www.dhs.gov:
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Randolph C. Hite, (202) 512-3439, or hiter@gao.gov:
Staff Acknowledgments:
In addition to the individual named above, Sabine Paul, Assistant
Director; Gary Mountjoy, Assistant Director; Mathew Bader; Justin
Booth; Barbara Collier; Tomas Ramirez; and Niti Tandon made key
contributions to this report.
[End of section]
(310617):
FOOTNOTES
[1] Office of Management and Budget, Fiscal Year 2008 Report on
Information Technology Budgets (Washington, D.C.: Feb. 6, 2007).
[2] As part of this mandate, we are also reviewing the department's
enterprise architecture and IT human capital strategy.
[3] GAO, Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity, GAO-04-394G (Washington,
D.C.: March 2004).
[4] The Clinger-Cohen Act of 1996, 40 U.S.C. §§ 11311-11313.
[5] Some of those specialties are intelligence analysis, law
enforcement, border security, transportation security, biological
research, critical infrastructure protection, and disaster recovery.
[6] GAO, Homeland Security: Information Sharing Responsibilities,
Challenges, and Key Management Issues, GAO-03-715T (Washington, D.C.:
May 8, 2003).
[7] GAO, Information Technology: Homeland Security Should Better
Balance Need for System Integration Strategy with Spending for New and
Enhanced Systems, GAO-04-509 (Washington, D.C.: May 21, 2004).
[8] GAO, Department of Homeland Security: Formidable Information and
Technology Management Challenge Requires Institutional Approach, GAO-04-
702 (Washington, D.C.: Aug. 27, 2004).
[9] GAO, Homeland Security: Progress Continues, but Challenges Remain
on Department's Management of Information Technology, GAO-06-598T
(Washington, D.C.: Mar. 29, 2006).
[10] Investments may be assigned to a higher level for certain reasons,
including high development, operating, or maintenance costs or high
executive visibility.
[11] DHS's systems development life cycle has five stages: (1) Project
Initiation, (2) Concept and Technology Development, (3) Capability
Development and Demonstration, (4) Production and Deployment, and (5)
Operations and Support.
[12] Exhibit 300 is a capital asset plan completed for major IT systems
and IT budget initiatives.
[13] Exhibit 53 is the listing of all IT investment, providing budget
estimates for overall IT investments and for major and significant IT
systems.
[14] GAO-04-394G.
[15] GAO, Information Technology: DLA Needs to Strengthen Its
Investment Management Capability, GAO-02-314 (Washington, D.C.: Mar.
15, 2002); United States Postal Service: Opportunities to Strengthen IT
Investment Management Capabilities, GAO-03-3 (Washington, D.C.: Oct.
15, 2002); Information Technology: Departmental Leadership Crucial to
Success of Investment Reforms at Interior, GAO-03-1028 (Washington,
D.C.: Sept. 12, 2003); Bureau of Land Management: Plan Needed to
Sustain Progress in Establishing IT Investment Management Capabilities,
GAO-03-1025 (Washington, D.C.: Sept. 12, 2003); and Information
Technology: FAA Has Many Investment Management Capabilities in Place,
but More Oversight of Operational Systems Is Needed, GAO-04-822
(Washington, D.C.: Aug. 20, 2004); Information Technology: HHS Has
Several Investment Management Capabilities in Place, but Needs to
Address Key Weaknesses, GAO-06-11 (Washington, D.C.: Oct. 28, 2005);
Information Technology: Centers for Medicare & Medicaid Services Needs
to Establish Critical Investment Management Capabilities, GAO-06-12
(Washington, D.C.: Oct. 28, 2005).
[16] 40 U.S.C. §§ 11311-11313.
[17] The results of the EAB reviews are used as input into the JRC and
IRB reviews.
[18] In our ITM framework, project-level control is associated with the
Stage 2 critical process Providing Investment Oversight.
[19] We reviewed three investments as part of our evaluation--TWIC
(Transportation Worker Identification Credentialing), which is intended
to improve security by establishing a systemwide common secure
credential, used across all transportation nodes, for all personnel
requiring unescorted physical and/or logical access to secure areas of
the transportation system; IWN (Integrated Wireless Network), which is
to provide a coordinated nationwide approach to reliable, seamless,
interoperable wireless communications; and eNEMIS (National Emergency
Management Information System), which is a mission critical application
and infrastructure that supports the entire life cycle of emergency or
disaster (including acts of terrorism) declarations. These projects are
described in greater detail in appendix I.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site.
To have GAO e-mail you a list of newly posted products every afternoon,
go to www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548: