Homeland Security
U.S. Visitor and Immigrant Status Program's Long-standing Lack of Strategic Direction and Management Controls Needs to Be Addressed
Gao ID: GAO-07-1065 August 31, 2007
The Department of Homeland Security (DHS) has established a program known as U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) to collect, maintain, and share information, including biometric identifiers, on certain foreign nationals who travel to the United States. By congressional mandate, DHS is to develop and submit an expenditure plan for US-VISIT that satisfies certain conditions, including being reviewed by GAO. GAO reviewed the plan to (1) determine if the plan satisfied these conditions, (2) follow up on certain recommendations related to the program, and (3) provide any other observations. To address the mandate, GAO assessed plans and related documentation against federal guidelines and industry standards and interviewed the appropriate DHS officials.
The US-VISIT expenditure plan, including related program documentation and program officials' statements, satisfies or partially satisfies some but not all of the legislative conditions required by the Department of Homeland Security Appropriations Act, 2007. For example, the department satisfied the condition that it provide certification that an independent verification and validation agent is currently under contract for the program and partially satisfied the condition that US-VISIT comply with DHS's enterprise architecture. However, the department did not satisfy the conditions that the plan include a comprehensive US-VISIT strategic plan and a complete schedule for biometric exit implementation. DHS partially implemented GAO's oldest open recommendations pertaining to US-VISIT. For example, while the department partially completed the recommendation that it develop and begin implementing a US-VISIT system security plan, the scope of the plan does not extend to all the systems that comprise US-VISIT. In addition, while the expenditure plan provides some information on US-VISIT's cost, schedule, and benefits associated with planned capabilities, the information provided is not sufficiently defined and detailed to address GAO's recommendation and provide a reasonable basis for measuring progress and holding the department accountable for results. GAO identified several additional observations. On the positive side, DHS data show that the US-VISIT prime contract is being executed according to cost and schedule expectations. However, DHS continues to propose disproportionately heavy investment in US-VISIT program management-related activities without adequate justification or full disclosure. Further, DHS continues to propose spending tens of millions of dollars on US-VISIT exit projects that are not well-defined, planned, or justified on the basis of costs, benefits, and risks. Overall, the US-VISIT fiscal year 2007 expenditure plan and other available program documentation do not provide a sufficient basis for effective program oversight and accountability. Both the legislative conditions and GAO's open recommendations are aimed at accomplishing both, and thus they need to be addressed quickly and completely. However, despite ample opportunity to do so, DHS has not done so and the reasons why are unclear. Until these recommendations are addressed, GAO does not believe that the program's disproportionate investment in management-related activities represents a prudent and warranted course of action or to expect that the newly launched exit endeavor will produce results different from past results--namely, no operational exit solution despite expenditure plans allocating about a quarter of a billion dollars to various exit activities.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-07-1065, Homeland Security: U.S. Visitor and Immigrant Status Program's Long-standing Lack of Strategic Direction and Management Controls Needs to Be Addressed
This is the accessible text file for GAO report number GAO-07-1065
entitled 'Homeland Security: U.S. Visitor and Immigrant Status
Program's Long-standing Lack of Strategic Direction and Management
Controls Needs to Be Addressed' which was released on September 4,
2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
August 2007:
Homeland Security:
U.S. Visitor and Immigrant Status Program's Long-standing Lack of
Strategic Direction and Management Controls Needs to Be Addressed:
GAO-07-1065:
GAO Highlights:
Highlights of GAO-07-1065, a report to congressional committees.
Why GAO Did This Study:
The Department of Homeland Security (DHS) has established a program
known as U.S. Visitor and Immigrant Status Indicator Technology (US-
VISIT) to collect, maintain, and share information, including biometric
identifiers, on certain foreign nationals who travel to the United
States. By congressional mandate, DHS is to develop and submit an
expenditure plan for US-VISIT that satisfies certain conditions,
including being reviewed by GAO. GAO reviewed the plan to (1) determine
if the plan satisfied these conditions, (2) follow up on certain
recommendations related to the program, and (3) provide any other
observations. To address the mandate, GAO assessed plans and related
documentation against federal guidelines and industry standards and
interviewed the appropriate DHS officials.
What GAO Found:
The US-VISIT expenditure plan, including related program documentation
and program officials‘ statements, satisfies or partially satisfies
some but not all of the legislative conditions required by the
Department of Homeland Security Appropriations Act, 2007. For example,
the department satisfied the condition that it provide certification
that an independent verification and validation agent is currently
under contract for the program and partially satisfied the condition
that US-VISIT comply with DHS‘s enterprise architecture. However, the
department did not satisfy the conditions that the plan include a
comprehensive US-VISIT strategic plan and a complete schedule for
biometric exit implementation.
DHS partially implemented GAO‘s oldest open recommendations pertaining
to US-VISIT. For example, while the department partially completed the
recommendation that it develop and begin implementing a US-VISIT system
security plan, the scope of the plan does not extend to all the systems
that comprise US-VISIT. In addition, while the expenditure plan
provides some information on US-VISIT‘s cost, schedule, and benefits
associated with planned capabilities, the information provided is not
sufficiently defined and detailed to address GAO‘s recommendation and
provide a reasonable basis for measuring progress and holding the
department accountable for results.
GAO identified several additional observations. On the positive side,
DHS data show that the US-VISIT prime contract is being executed
according to cost and schedule expectations. However, DHS continues to
propose disproportionately heavy investment in US-VISIT program
management-related activities without adequate justification or full
disclosure. Further, DHS continues to propose spending tens of millions
of dollars on US-VISIT exit projects that are not well-defined,
planned, or justified on the basis of costs, benefits, and risks.
Overall, the US-VISIT fiscal year 2007 expenditure plan and other
available program documentation do not provide a sufficient basis for
effective program oversight and accountability. Both the legislative
conditions and GAO‘s open recommendations are aimed at accomplishing
both, and thus they need to be addressed quickly and completely.
However, despite ample opportunity to do so, DHS has not done so and
the reasons why are unclear. Until these recommendations are addressed,
GAO does not believe that the program‘s disproportionate investment in
management-related activities represents a prudent and warranted course
of action or to expect that the newly launched exit endeavor will
produce results different from past results”namely, no operational exit
solution despite expenditure plans allocating about a quarter of a
billion dollars to various exit activities.
What GAO Recommends:
Because outstanding recommendations already address all of the
management weaknesses discussed in this report, GAO is reiterating
prior recommendations and recommending that the Secretary of DHS report
to the department‘s authorization and appropriations committees on its
reasons for not fully addressing the legislative conditions and prior
GAO recommendations. DHS largely agreed with the report and provided
additional information and views that GAO has incorporated and
addressed in the report as appropriate.
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1065].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Randolph C. Hite at (202)
512-3439 or hiter@gao.gov.
[End of section]
Contents:
Letter:
Compliance with Legislative Conditions:
Status of Open Recommendations:
Observations on the Expenditure Plan and Management of US-VISIT:
Conclusions:
Recommendation for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Briefing Slides:
Appendix II: Comments from the Department of Homeland Security:
Appendix III: GAO Contact and Staff Acknowledgments:
DHS: Department of Homeland Security: EA: enterprise architecture: EVM:
earned value management: HLS: Homeland Security: OMB: Office of
Management and Budget: POE: port of entry: SEI: Software Engineering
Institute: TECS: Treasury Enforcement Communications System: US-VISIT:
U.S. Visitor and Immigrant Status Indicator Technology:
Letter:
August 31, 2007:
The Honorable Robert C. Byrd:
Chairman:
The Honorable Thad Cochran:
Ranking Member:
Subcommittee on Homeland Security: Committee on Appropriations: United
States Senate:
The Honorable David E. Price:
Chairman:
The Honorable Harold Rogers:
Ranking Member:
Subcommittee on Homeland Security: Committee on Appropriations: House
of Representatives:
The Department of Homeland Security (DHS) submitted to Congress in
March 2007 its fiscal year 2007 expenditure plan for the U.S. Visitor
and Immigrant Status Indicator Technology (US-VISIT) program pursuant
to the Department of Homeland Security Appropriations Act,
2007.[Footnote 1] US-VISIT is a governmentwide program to collect,
maintain, and share information on foreign nationals who enter and exit
the United States. The program's goals are to enhance the security of
U.S. citizens and visitors, facilitate legitimate trade and travel,
ensure the integrity of the U.S. immigration system, and protect the
privacy of visitors to the United States. As required by the
appropriations act, we reviewed US-VISIT's fiscal year 2007 expenditure
plan. Our objectives were to (1) determine whether the expenditure plan
satisfies legislative conditions specified in the appropriations act,
(2) determine the status of our oldest open recommendations pertaining
to US-VISIT,[Footnote 2] and (3) provide observations about the
expenditure plan and DHS' management of US-VISIT.
On June 15, 2007, and on June 20, 2007, we briefed the staffs of the
Senate and House Appropriations Subcommittees on Homeland Security,
respectively, on the results of our review. This report transmits these
results. The full briefing, including our scope and methodology, is
reprinted in appendix I.
Compliance with Legislative Conditions:
The US-VISIT expenditure plan, including related program documentation
and program officials' statements, satisfies or partially satisfies
some, but not all, of the legislative conditions. Specifically, the
legislative conditions that DHS certify that an independent
verification and validation agent is currently under contract for the
program and that the DHS Investment Review Board, the Secretary of
Homeland Security, and the Office of Management and Budget (OMB) review
and approve the plan were satisfied.[Footnote 3] However, DHS only
partially satisfied the legislative conditions that it (1) meet the
capital planning and investment control review requirements established
by OMB, including OMB Circular A-11, part 7; (2) comply with DHS'
enterprise architecture; and (3) comply with federal acquisition rules,
requirements, guidelines, and systems acquisition management practices.
In addition, DHS did not satisfy the legislative conditions that the
plan include (1) a comprehensive US-VISIT strategic plan and (2) a
complete schedule for biometric exit implementation.
Status of Open Recommendations:
DHS has partially implemented our recommendations pertaining to US-
VISIT that have been open for 4 years. These recommendations, along
with their status, are summarized here.
* Recommendation: Develop and begin implementing a system security plan
and perform a privacy impact analysis and use the results of this
analysis in near term and subsequent system acquisition decision
making.
DHS has partially implemented this recommendation. In December 2006,
the program office developed a US-VISIT security strategy and has since
begun implementing it. However, the scope of this strategy does not
extend to all the systems that comprise US-VISIT, such as the Treasury:
Enforcement Communications System (TECS). We recently
testified[Footnote 4] that TECS has neither the security controls and
defensive perimeters in place for preventing an intrusion, nor the
capability to detect an intrusion should one occur. Until a more
comprehensive security strategy is developed, the systems that comprise
US-VISIT could place it at increased risk.
* Recommendation: Develop and implement a plan for satisfying key
acquisition management controls, including acquisition planning,
solicitation, requirements management, project management, contract
tracking and oversight, evaluation, and transition to support, and
implement the controls in accordance with Software Engineering
Institute (SEI) guidance.[Footnote 5]
DHS has partially implemented this recommendation. Since 2005, the
program office reports progress in implementing 113 practices
associated with six SEI key process areas. However, the six areas of
focus do not include all of the management controls that our
recommendations cover, such as solicitation and transition to support.
As long as the program office does not address all of the management
controls that we have recommended, it will unnecessarily increase
program risks.
* Recommendation: Ensure that expenditure plans fully disclose what
system capabilities and benefits are to be delivered, by when, and at
what cost, as well as how the program is being managed.
DHS has partially implemented this recommendation. The fiscal year 2007
expenditure plan discloses planned system capabilities, estimated
schedules and costs, and expected benefits. However, schedules, costs,
and benefits are not always defined in sufficient detail to be
measurable and to permit oversight. Finally, the plan does not fully
disclose challenges or changes associated with program management.
Without such information, the expenditure plan may not provide Congress
with enough information to exercise effective oversight and to hold the
department accountable.
* Recommendation: Ensure that the human capital and financial resources
provided are sufficient to establish a fully functional and effective
program office and associated management capability.
DHS has partially implemented this recommendation. At one point in
2006, all of the program office's 115 government positions were filled.
However, 21 positions have since become vacant. Without adequate human
capital, particularly in key positions and for extended periods,
program risks will increase.
* Recommendation: Clarify the operational context within which US-VISIT
must operate.
DHS has partially implemented this recommendation. DHS has yet to
define the operational context in which US-VISIT is to operate, such as
having a departmentally approved strategic plan or a well-defined
department enterprise architecture (EA). While the expenditure plan
includes a departmentally approved US-VISIT strategic plan, it does not
address key elements of relevant federal strategic planning guidance.
Moreover, we recently reported[Footnote 6] that the version of the
department's EA[Footnote 7] that DHS has been using for US-VISIT
alignment purposes was missing architecture content and was developed
with limited stakeholder input. Finally, although program officials
have met with related programs to coordinate their respective efforts,
specific coordination efforts have not been assigned to any DHS entity.
Until a well-defined operational context exists, the department will be
challenged in its ability to define and implement US-VISIT and related
border security and immigration management programs in a manner that
promotes interoperability, minimizes duplication, and optimizes
departmental capabilities and performance.
* Recommendation: Determine whether proposed US-VISIT increments will
produce mission value commensurate with costs and risks and disclose to
its executive bodies and Congress the results of these business cases
and planned actions.
DHS has partially implemented this recommendation. We recently reported
that, while a business case was prepared for Increment 1B,[Footnote 8]
the analysis performed met only four of the eight criteria in OMB
guidance. Since then, the program office has developed business cases
for two projects: Unique Identity and U.S. Travel Documents-ePassports
(formerly Increment 2A), and we have ongoing work to address, among
other things, these business cases. Further, the program office has yet
to develop a business case for another project that it plans to begin
implementing this year--biometric exit at air ports of entry (POE).
Until the program office has reliable business cases for each US-VISIT
project in which alternative solutions for meeting mission needs are
evaluated on the basis of costs, benefits, and risks, it will not be
able to adequately inform its executive bodies and Congress about its
plans and will not provide the basis for prudent investment decision
making.
* Recommendation: Develop and implement a human capital strategy that
provides for staffing open positions with individuals who have the
requisite core competencies (knowledge, skills, and abilities).
DHS has partially implemented this recommendation. In February 2006, we
reported[Footnote 9] that the program office issued a human capital
plan and had begun implementing it. However, DHS stopped doing so
during 2006 pending departmental approval of a DHS-wide human capital
initiative and because all program office positions were filled.
However, as noted earlier, the program office now reports that it has
21 government positions--including critical leadership positions--that
are now vacant. Moreover, it has stated that it developed a new human
capital plan but we did not review this plan because it is still
undergoing departmental review. Until the department approves the human
capital plan and the program office begins to implement it, the program
will continue to be at risk.
* Recommendation: Develop and implement a risk management plan and
ensure that all high risks and their status are reported regularly to
the appropriate executives.
DHS has partially implemented this recommendation. US-VISIT has
approved a risk management plan and has begun implementing it. However,
the current risk management plan does not address when risks should be
elevated beyond the level of the US-VISIT Program Director. According
to program officials, elevation of US-VISIT risks is at the discretion
of the Program Director, and no risks have been elevated to DHS
executives since December 2005. Until the program office ensures that
high risks are appropriately elevated, department executives will not
have the information they need to make informed investment decisions.
* Recommendation: Define performance standards for US-VISIT that are
measurable and reflect the limitations imposed on US-VISIT capabilities
by relying on existing systems.
DHS has partially implemented this recommendation. The program office
has defined technical performance standards for several increments, but
these standards do not contain sufficient information to determine
whether they reflect the limitations imposed by relying on existing
systems. As a result, the ability of these increments to meet
performance requirements remains uncertain and the ability to identify
and effectively address performance shortfalls is missing.
Observations on the Expenditure Plan and Management of US-VISIT:
While available data show that prime contract cost and schedule
expectations are being met, aspects of the US-VISIT program continue to
lack definition and justification. Each of our observations in this
regard are summarized here.
* Earned value management (EVM) data on ongoing prime contract task
orders show that cost and schedule baselines are being met.
EVM is a program management tool for measuring progress by comparing
the value of work accomplished with the amount of work expected to be
accomplished.[Footnote 10] Data provided by the program office show
that the cumulative cost and schedule variances for the overall prime
contract and all 12 ongoing task orders are within an acceptable range
of performance.
* DHS continues to propose a heavy investment in program management-
related activities without adequate justification or full disclosure.
Program management is an important and integral aspect of any system
acquisition program and should be justified in relation to the size and
significance of the acquisition activities being performed. In 2006,
program management costs represented 135 percent of planned
development. This means that for every dollar spent on new
capabilities, $1.35 was spent on management. The fiscal year 2007
expenditure plan similarly proposed investing $1.25 on management-
related activities for every dollar invested in new development.
However, the plan does not explain the reasons for the sizable
investment in management-related activities or otherwise justify it on
the basis of measurable expected value. Without disclosing and
justifying its proposed investment and program management-related
efforts, it is unclear that such a large amount of funding for these
activities represents the best use of resources.
* Lack of a well-defined and justified exit solution introduces the
risk of repeating failed and costly past exit efforts. DHS has issued a
high-level schedule for air exit, but information supporting that
schedule is not yet available. In addition, there are no other exit
program plans available that define what will be done, by what
entities, and at what cost in order to define, acquire, deliver,
deploy, and operate this capability. This includes developing plans
describing expected system capabilities, identifying key stakeholder
roles/responsibilities and buy-in, coordinating and aligning with
related programs, and allocating funding to activities. Furthermore,
DHS has not performed an analysis comparing the life cycle costs of the
air exit solution to its expected benefits and risks. Since 2004, we
have reported on a similar lack of definition and justification of
prior US-VISIT exit efforts, even though prior expenditure plans have
allocated funding of $250 million to completing these efforts. As of
today, these prior efforts have not produced an operational exit
solution. Without better definition and justification of its future
exit efforts, the department runs the serious risk of repeating its
past failures.
Conclusions:
US-VISIT's prime contract cost and schedule metrics show that
expectations are being met, according to available data, although the
EVM system that the metrics are based on has yet to be independently
certified. Notwithstanding this, such performance is a positive sign.
However, most of the many management weaknesses raised in this report
have been the subject of our prior US-VISIT reports and testimonies
and, thus, are not new. Accordingly, we have already made a litany of
recommendations to correct each weakness, as well as follow-on
recommendations to increase DHS attention to and accountability for
doing so. Despite this, recurring legislative conditions associated
with US-VISIT expenditure plans continue to be less than fully
satisfied and recommendations that we made 4 years ago have still not
been fully implemented.
Exacerbating this situation is the fact that DHS did not satisfy two
new legislative conditions associated with the fiscal year 2007
expenditure plan, and serious questions continue to exist about DHS'
justification for and readiness to invest current, and potentially
future, fiscal year funding relative to an exit solution and program
management-related activities.
DHS has had ample opportunity to address these many issues, but it has
not. As a result, there is no reason to expect that its newly launched
exit endeavor, for example, will produce results different from past
endeavors--namely, DHS will not have an operational exit solution
despite expenditure plans allocating about a quarter of a billion
dollars to various exit activities. Similarly, on the basis of past
efforts, there is no reason to believe that the program's
disproportionate investment in management-related activities represents
a prudent and warranted course of action. All told, this means that
needed improvements in US-VISIT program management practices are long
overdue. Both the legislative conditions and our open recommendations
are aimed at accomplishing these improvements, and they need to be
addressed quickly and completely. Thus far, they have not been, and the
reasons that they have not are unclear.
Recommendation for Executive Action:
Because our outstanding US-VISIT recommendations already address all of
the management weaknesses discussed in this report, we are reiterating
our prior recommendations and recommending that the Secretary of DHS
report to the department's authorization and appropriations committees
on its reasons for not fully addressing its expenditure plan
legislative conditions and our prior recommendations.
Agency Comments and Our Evaluation:
We received written comments on a draft of this report from DHS, which
were signed by the Director, Departmental GAO/IG Liaison Office, and
are reprinted in appendix II.
In its comments, DHS stated that it agreed with the majority of our
findings, adding that the department realizes, and our report supports
the fact, that improvements to US-VISIT's management controls,
operational context, and human capital are needed. DHS also stated that
the US-VISIT program office would aggressively engage with us to
address our open recommendations, noting that it appreciates the
guidance provided by our reports. In this regard, DHS's comments
described efforts completed, underway, and planned to address our
recommendations, most of which were already reflected in the draft
report. New information in DHS's comments covered its intentions
relative to the next US-VISIT expenditure plan and the next US-VISIT
strategic plan, both of which are to be issued in fiscal year 2008.
This new information is consistent with the intent of our open
recommendations. New information also included the US-VISIT Director's
intention to communicate high-priority risks to the Under Secretary of
the National Protection and Programs Directorate, which is also in line
with our open recommendations.
However, DHS also stated that it disagreed with the "partially
complete" status that we assigned to one of our open recommendations.
It also stated that our observation characterizing past US-VISIT exit
efforts as failed and costly implicitly devalued the experience and
empirical data that the department gained from these proof-of-concept
efforts, and this observation did not recognize relevant information
about the program's use of biographic exit procedures. We do not agree
with either of these comments, as discussed below.
* With the respect to the "partially complete" status that our report
assigns to the open recommendation for the program to develop and begin
implementing a system security plan, and to perform a privacy impact
analysis and use the results of this analysis in near term and
subsequent system acquisition decision making, DHS stated that it
considers this recommendation satisfied. In this regard, the department
describes a number of actions that the program has taken with respect
to US-VISIT security and privacy. We do not take issue with the actions
that DHS described, and would note that our draft report already
recognizes them. Moreover, we too consider the privacy component of our
recommendation satisfied. However, we do not agree with the
department's position relative to the scope of US-VISIT's security
strategy in that it does not address known vulnerabilities associated
with a US-VISIT component system--TECS.[Footnote 11] As we state in our
report, TECS is an integral component of US-VISIT and, according to
federal security standards, a system security plan, or in US-VISIT's
case the system security strategy, typically covers such component
systems. Therefore, we believe that the US-VISIT security risk
assessment and security strategy need to explicitly address such
vulnerabilities, and thus we do not consider the entire recommendation
as being fully satisfied.
* With respect to our characterization of past US-VISIT exit efforts,
the department stated that we incorrectly viewed these past efforts as
"ends in themselves" and as "failed and costly" because they did not
immediately conclude with operational systems. According to DHS, the
program never intended for these efforts to be more than proof-of-
concept learning experiences that would form the basis for more
workable future system solutions. We do not agree with these comments.
As we state in our report, the program first committed to full
deployment of a biometric exit capability in 2003, and it has continued
to make similar deployment commitments in subsequent years. At the same
time, we have chronicled a pattern of inadequate analysis surrounding
the expected costs, benefits, and risks of these exit efforts since
2004, and thus an absence of reliable information upon which to view
their expected value and base informed exit-related investment
decisions. Nevertheless, the program continued to invest each year in
these biometric exit efforts, thus far having allocated about $250
million in funding to them. At no time, however, was any analysis
produced to justify investing a quarter of a billion dollars to gain
"experiences and empirical data" for such a sizeable investment.
Rather, commitments were repeatedly made in expenditure plans for
deploying an operational exit solution. While we recognize the value
and role of demonstration and pilot efforts as a means for learning and
informing future development efforts, our point is that exit-related
efforts have been inadequately defined and justified over the last 4
years, despite being allocated $250 million, and the fiscal year 2007
expenditure proposes more of the same.
With respect to not recognizing the program's use of biographic exit
procedures in the above described observation, the department is
correct that we describe these procedures in other sections of our
report but not as part of this observation. We do not include this
information under this observation because its focus is on the 4 years
and $250 million that has been devoted to biometric-based exit efforts,
and the lack of definition and justification in the fiscal year 2007
expenditure plan for these biometric efforts going forward.
We are sending copies of this report to the Chairmen and Ranking
Members of other Senate and House committees and subcommittees that
have authorization and oversight responsibilities for homeland
security. We are also sending copies to the Secretary of Homeland
Security, Secretary of State, and the Director of OMB. We will also
make copies available to others on request. In addition, the report
will be available at no charge on GAO's Web site at [Hyperlink,
http://www.gao.gov].
If you or your staffs have any questions on matters discussed in this
report, please contact me at (202) 512-3439 or at hiter@gao.gov.
Contact points for our Offices of Congressional Relations and Public
Affairs may be found on the last page of this report. GAO staff who
have made significant contributions to this report are listed in
appendix III.
Signed by:
Randolph C. Hite:
Director:
Information Technology Architecture and Systems Issues:
[End of section]
Appendix I: Briefing Slides:
Homeland Security: U.S. Visitor and Immigrant Status Program's Long-
standing Lack of Strategic Direction and Management Controls Needed to
be Addressed:
Briefing to the Staffs of the Subcommittee on Homeland Security Senate
and House Committees on Appropriations:
June 15, 2007:
Briefing Overview:
Introduction:
Objectives:
Results in Brief:
Background:
Results:
* Legislative Conditions:
* Status of Open Recommendations:
* Observations:
Conclusions:
Recommendations for Executive Action: Agency Comments:
Attachment 1. Scope and Methodology: Attachment 2. Related Products
List: Attachment 3. Description of US-VISIT Program: Attachment 4.
Description of Increments and Component Systems:
Introduction:
The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT)
program of the Department of Homeland Security (DHS) is a
governmentwide program to collect, maintain, and share information on
foreign nationals who enter and exit the U.S. The goals of US-VISIT are
to:
enhance the security of U.S. citizens and visitors,
facilitate legitimate travel and trade,
ensure the integrity of the U.S. immigration system, and:
protect the privacy of our visitors.
The Department of Homeland Security Appropriations Act, 2007,[Footnote
12] states that DHS may not obligate $200 million of the $362.494
million appropriated for the US-VISIT project until the Senate and
House Committees on Appropriations receive a plan for expenditure that:
meets the capital planning and investment control review requirements
established by the Office of Management and Budget (OMB), including
Circular A-11, part 7;[Footnote 13]
complies with DHS‘s enterprise architecture;
complies with the acquisition rules, requirements, guidelines, and
systems acquisition management practices of the federal government;
includes a certification by the DHS Chief Information Officer (CIO)
that an independent verification and validation (IV&V) agent is
currently under contract for the project;
is reviewed and approved by the DHS Investment Review Board (IRB), the
Secretary of Homeland Security, and OMB;
is reviewed by GAO;
includes a comprehensive US-VISIT strategic plan; and:
includes a complete schedule for biometric exit implementation. On
March 20, 2007, DHS submitted its fiscal year 2007 expenditure plan for
$362.494 million to the House and Senate Appropriations Subcommittees
on Homeland Security.
Objectives:
As agreed, our objectives were to:
1. determine whether the US-VISIT fiscal year 2007 expenditure plan
satisfies the legislative conditions,
2. determine the status of our oldest open recommendations pertaining
to US- VISIT,[Footnote 14] and:
3. provide observations about the expenditure plan and management of
the program.
We conducted our work at US-VISIT offices in Arlington, Virginia, from
March 2007 through June 2007 in accordance with generally accepted
government auditing standards. Details of our scope and methodology are
described in attachment 1.
Results in Brief: Objective 1:
Legislative Conditions:
Table: Summary of Fiscal Year 2007 US-VISIT Expenditure Plan‘s
Satisfaction of Legislative Conditions:
Legislative conditions: Meets the capital planning and investment
control review requirements established by OMB, including OMB A-11,
part 7;
Does not satisfy[A]: [Empty];
Partially satisfies[B]: [Check];
Satisfies[C]: [Empty].
Legislative conditions: Complies with the DHS enterprise architecture;
Does not satisfy[A]: [Empty];
Partially satisfies[B]: [Check];
Satisfies[C]: [Empty].
Legislative conditions: Complies with the acquisition rules,
requirements, guidelines, and systems;
Does not satisfy[A]: [Empty];
Partially satisfies[B]: [Check];
Satisfies[C]: [Empty].
Legislative conditions: Includes a certification by the DHS CIO that an
IV&V agent is currently under contract for the program;
Does not satisfy[A]: [Empty];
Partially satisfies[B]: [Empty];
Satisfies[C]: [Check].
Legislative conditions: Is reviewed and approved by the DHS IRB, the
DHS Secretary, and OMB;
Does not satisfy[A]: [Empty];
Partially satisfies[B]: [Empty];
Satisfies[C]: [Check].
Legislative conditions: Is reviewed by GAO;
Does not satisfy[A]: [Empty];
Partially satisfies[B]: [Empty];
Satisfies[C]: [Check].
Legislative conditions: Includes a comprehensive US-VISIT strategic
plan;
Does not satisfy[A]: [Check];
Partially satisfies[B]: [Empty];
Satisfies[C]: [Empty].
Legislative conditions: Includes a complete schedule for biometric exit
implementation;
Does not satisfy[A]: [Check];
Partially satisfies[B]: [Empty];
Satisfies[C]: [Empty].
Source: GAO.
[A] Does not satisfy or provide for satisfying all key aspects of the
condition we reviewed.
[B] Satisfies or provides for satisfying some, but not all, key aspects
of the condition that we reviewed.
[C] Satisfies or provides for satisfying every aspect of the condition
that we reviewed.
[End of figure]
Results in Brief: Objective 2:
Open Recommendations:
Table: Summary of Status of Open Recommendations:
Open recommendations: 1. Develop and begin implementing a system
security plan and perform a privacy impact analysis and use the results
of this analysis in near term and subsequent system acquisition
decision making;
Partially complete[D]: [Check];
Complete[E]: [Empty];
Open recommendations: 2. Develop and implement a plan for satisfying
key acquisition management controls, including acquisition planning,
solicitation, requirements management, project management, contract
tracking and oversight, evaluation, and transition to support, and
implement the controls in accordance with Software Engineering
Institute (SEI) guidance[F];
Partially complete[D]: [Check];
Complete[E]: [Empty];
Open recommendations: 3. Ensure that expenditure plans fully disclose
what system capabilities and benefits are to be delivered, by when, and
at what cost, as well as how the program is being managed;
Partially
complete[D]: [Check];
Complete[E]: [Empty];
Open recommendations: 4. Ensure that the human capital and financial
resources are provided to establish a fully functional and effective
program office and associated management capability;
Partially
complete[D]: [Check];
Complete[E]: [Empty];
Open recommendations: 5. Clarify the operational context within which
US-VISIT must operate;
Partially complete[D]: [Check];
Complete[E]: [Empty];
Open recommendations: 6. Determine whether proposed US-VISIT increments
will produce mission value commensurate with costs and risks and
disclose to its executive bodies and the Congress the results of these
business cases and planned actions;[G]
Partially complete[D]: [Check];
Complete[E]: [Empty];
Open recommendations: 7. Develop and implement a human capital strategy
that provides for staffing open positions with individuals who have the
requisite core competencies (knowledge, skills, and abilities);
Partially complete[D]: [Check];
Complete[E]: [Empty];
Open recommendations: 8. Develop and implement a risk management plan
and ensure that all high risks and their status are reported regularly
to the appropriate executives;
Partially complete[D]: [Check];
Complete[E]: [Empty];
Open recommendations: 9. Define performance standards for US-VISIT that
are measurable and reflect the limitations imposed by relying on
existing systems;
Partially complete[D]: [Check];
Complete[E]: [Empty];
Source: GAO.
[D] A recommendation is partially complete when documentation indicates
that some, but not all, actions needed to implement it have been taken.
E] A recommendation is complete when documentation demonstrates that it
has been fully addressed.
[F] This recommendation is the merger of two of our prior
recommendations.
[G] This recommendation is the merger of three of our prior
recommendations.
[End of figure]
Results in Brief: Objective 3:
Observations:
Observation Summaries:
DHS data show that the US-VISIT prime contract is being executed
according to cost and schedule expectations, as defined and measured by
a well- accepted progress measurement technique known as earned value
management.
DHS continues to propose disproportionately heavy investment in US-
VISIT program management-related activities without adequate
justification or full disclosure, to the point of spending $1.25 on
management for every dollar invested in new development. Without
justifying and fully disclosing such a large investment in program
management, questions persist as to whether this represents the best
use of DHS resources.
DHS continues to propose spending tens of millions of dollars on exit
projects that are not well-defined, planned, or justified on the basis
of costs, benefits and risks. Without properly positioning itself for
effectively and efficiently investing in an exit solution, DHS risks
repeating its prior failed and costly exit efforts.
Results in Brief: Recommendations:
and Agency Comments:
Because our outstanding US-VISIT recommendations already address all of
the management weaknesses discussed in this briefing, we are
reiterating our prior recommendations, and recommending that DHS report
to its congressional authorization and appropriations committees the
reasons for it not fully satisfying its US-VISIT expenditure plan
legislative requirements and our prior recommendations.
In comments on a draft of this briefing, DHS stated that the briefing
was factually correct, that GAO's guidance provided value to the
program, and that it would continue to address our recommendations. 12
Background:
US-VISIT Overview:
The goals of the US-VISIT program are to enhance the security of U.S.
citizens and visitors, facilitate legitimate travel and trade, ensure
the integrity of the U.S. immigration system, and protect the privacy
of our visitors. US-VISIT is to accomplish these things by:
collecting, maintaining, and sharing biometric and other information on
certain foreign nationals who enter and exit the United States;
identifying foreign nationals who (1) have overstayed or violated the
terms of their admission; (2) can receive, extend, or adjust their
immigration status; or (3) should be apprehended or detained by law
enforcement officials;
detecting fraudulent travel documents, verifying traveler identity, and
determining traveler admissibility through the use of biometrics; and:
facilitating information sharing and coordination within the
immigration and border management community.
Background:
US-VISIT Program Office:
Figure: Organizational Structure and Functional
Responsibilities[Footnote 15]
[See PDF for image]
Source: US-VISIT.
[End of figure]
Background:
Acquisition Strategy:
DHS originally planned to deliver biometric entry and exit capability
in for major increments:
Increments 1 through 3 were to be interim, or temporary, solutions that
focus on building interfaces among existing (legacy) systems; enhancing
the capabilities of these systems; and deploying these systems to air,
sea, and land ports of entry (POEs).
Increment 4 was to be a series of incremental releases, or mission
capability enhancements, that were to deliver long-term strategic
capabilities for meeting program goals.
In May 2004, DHS awarded an indefinite-delivery/indefinite-
quantity[Footnote 16] prime contract to Accenture and its partners for
delivering future US-VISIT capabilities.[Footnote 17]
Background:
Description and History of Increments:
Increment 1:
Increment 1 was intended to establish entry and exit capabilities at
air and sea POEs. Increment 1 air and sea entry capabilities were
deployed on January 5, 2004, at 115 airports and 14 seaports for
individuals requiring nonimmigrant visas to enter the United
States.[Footnote 18] These capabilities include collecting and matching
biographic information, biometric data (two digital index finger scans)
and a digital photograph for selected foreign nationals. In addition,
several types of increment 1 air and sea exit devices for collecting
biometric data were piloted at 12 airports and 2 seaports. This 3-year
pilot focused on the technical feasibility of a biometric exit solution
at air and sea POEs. The pilot ended in May 2007.
Increment 2:
Increment 2 was originally to extend US-VISIT entry and exit
capabilities to the 50 busiest land POEs by December 31, 2004.
Subsequently, the increment was divided into three parts”2A, 2B, and
2C.
Increment 2A established entry capabilities at land, sea, and air POEs
to biometrically authenticate machine-readable visas and other travel
and entry documents issued by Department of State (State) and DHS to
foreign nationals.[Footnote 19] These capabilities were deployed to all
POEs by October 23, 2005, except for e-Passports, which were deployed
to 33 POEs by November 14, 2006. These 33 POEs account for 97 percent
of all travelers entering with e- Passports.
Increment 2B extended the increment 1 entry solution to the 50 busiest
land POEs and included redesigning the process for issuing a
handwritten form I- 94[Footnote 20] to enable the electronic capture of
biographic, biometric (unless the traveler is exempt),[Footnote 21] and
related travel documentation for travelers arriving in secondary
inspection. This capability was deployed to the 50 busiest land POEs as
of December 29, 2004.
Increment 2C was a proof-of-concept demonstration of the feasibility of
using passive radio frequency identification (RFID) technology[Footnote
22] to record travelers‘ entry and exit via a unique ID number tag
embedded in the form I-94. It was originally deployed at five land
POEs. The demonstration was terminated in November 2006.
Increment 3:
Increment 3 was to extend increment 2B entry capabilities to 104 land
POEs by December 31, 2005. It was essentially completed as of December
19, 2005.[Footnote 23]
Increment 4 – Unique Identity:
All expenditure plans prior to fiscal year 2006 have described
increment 4 as a yet- to-be-defined, strategic solution. The fiscal
year 2006 plan described increment 4 as the combination of two
projects: (1) Transition to 10 fingerprints in the Automated Biometric
Identification System (IDENT) and (2) Interoperability between IDENT
and the Federal Bureau of Investigation‘s Integrated Automated
Fingerprint Identification System (IAFIS). The fiscal year 2007
expenditure plan combines the two projects, with a third called
enumeration (developing a single identifier for each individual), into
a single project referred to as Unique Identity.
Background:
Entry Systems Overview:[Footnote 24]
Figure: Systems Diagram of Entry Capability
[See PDF for image]
Source: GAO analysis of US-VISIT data.
[End of figure]
Background:
Chronology of Expenditure Plans:
Table: Chronology of Expenditure Plans:
Fiscal year: 2002;
Date submitted: 11/15/2002;
Funds appropriated (in thousands): $13,300;
Funds requested (in thousands): $13,300;
Funds released to date (in thousands): $13,300.
Fiscal year: 2003;
Date submitted: 06/05/2003;
Funds appropriated (in thousands): $362,000;
Funds requested (in
thousands): $375,000;
Funds released to date (in thousands): $367,00014[Footnote 25].
Fiscal year: 2004;
Date submitted: 01/27/2004;
Funds appropriated (in thousands): $330,000; Funds requested (in
thousands): $330,000;
Funds released to date (in thousands): $330,000.
Fiscal year: 2005;
Date submitted: 10/19/2004;
Funds appropriated (in thousands): $340,000;
Funds requested (in thousands): $340,000 ;
Funds released to date (in thousands): $340,000.
Fiscal year: 2006;
Date submitted: 08/10/2006;
Funds appropriated (in thousands): $336,600;
Funds requested (in thousands): $336,600 ;
Funds released to date (in thousands): $336,600.
Fiscal year: 2007 ;
Date submitted: 03/20/2007;
Funds appropriated (in thousands): $362,494;
Funds requested (in thousands): $362,494;
Funds released to date (in thousands): $162,494.
Total;
Funds appropriated (in thousands): $1,744,394;
Funds requested (in thousands): $1,757,394;
Funds released to date (in thousands): $1,557,394.
Source: GAO, based on an analysis of DHS data.
[End of figure]
Background:
2007 Expenditure Plan Funding Allocation:
Table: 2007 Expenditure Plan Funding Allocation:
Areas of expenditure/Projects (see next slides for descriptions): Exit
(air and sea);
Government program management (costs in thousands): 0;
Contractor program management support: 2,300;
Development: 5,000;
Operations and Maintenance: [Empty];
Other: [Empty];
Total: $7,300.
Areas of expenditure/Projects (see next slides for descriptions): U.S.
travel documents and e-Passports (2A PKD);
Government program management (costs in thousands): 0;
Contractor program management support: 2,700;
Development: 8,100;
Operations and Maintenance: [Empty];
Other: [Empty];
Total: 10,800.
Areas of expenditure/Projects (see next slides for descriptions):
Unique Identity (10-print, enumeration, and IDENT/IAFIS
interoperability;
Government program management (costs in thousands): 0;
Contractor program management support: 17,400;
Development: 76,500;
Operations and Maintenance: [Empty];
Other: [Empty];
Total: 93,900.
Areas of expenditure/Projects (see next slides for descriptions): Data
integrity and biometric support services;
Government program management (costs in thousands): 0;
Contractor program management support: 1,400;
Development: 14,100;
Operations and Maintenance: [Empty];
Other: [Empty];
Total: 15,500.
Areas of expenditure/Projects (see next slides for descriptions):
Program management and operations;
Government program management (costs in thousands): 25,700;
Contractor program management support: 0;
Development: 0;
Operations and Maintenance: [Empty];
Other: [Empty];
Total: 25,700.
Areas of expenditure/Projects (see next slides for descriptions):
Contractor program management support;
Government program management (costs in thousands): 0;
Contractor program management support: 62,500;
Development: 0;
Operations and Maintenance: [Empty];
Other: [Empty];
Total: 62,500.
Areas of expenditure/Projects (see next slides for descriptions):
Operations and maintenance;
Government program management (costs in thousands): 0;
Contractor program management support: 0;
Development: 0;
Operations and Maintenance: 138,800;
Other: [Empty];
Total: [Empty].
Areas of expenditure/Projects (see next slides for descriptions):
Management reserve;
Government program management (costs in thousands): 0;
Contractor program management support: 0;
Development: 0;
Operations and Maintenance: [Empty];
Other: 8,000;
Total: 8,000.
Total;
Government program management (costs in thousands): 25,700;
Contractor program management support: 86,300;
Development: 103,700;
Operations and Maintenance: 138,800;
Other: 8,000;
Total: $362,500.
Source: GAO, based on an analysis of DHS data.
[End of table]
Background:
Summary of 2007 US-VISIT Expenditure Plan:
Exit: Includes planning and implementation of the chosen deployment
option for the implementation of an exit screening program at air and
sea ports.
U.S. travel documents and e-Passports: Includes development, testing,
and deployment of public key directory (PKD) validation
services[Footnote 26] for e-Passport readers.
Unique Identity: Includes implementing the 10-fingerprint scanners and
the interim data sharing model (iDSM);[Footnote 27] related systems
interoperability; associated facilities and engineering support; and
systems architecture, engineering and integration, and design.
Data Integrity and Biometric Support Services: Includes providing
qualified leads and actionable information to the U.S. Customs and
Border Protection Service and U.S. Immigration and Customs Enforcement;
establishment of lookout records for visa denials and adverse actions
by border officials.
Program management and operations: Includes the government salaries and
benefits for 115 government program office positions necessary to
manage and operate the program, including relocation costs, personnel
security checks, and training.
Contractor services-program management: Includes the program office
support contractors.
Operations and maintenance: Includes operations and maintenance of
Increment 1, 2, and 3 systems, including technical, application,
system, network, and infrastructure support costs.
Program management reserve: Includes funds allocated to accommodate
unknown timing and magnitude of risks.
Background:
US-VISIT Project Life Cycle Management:
US-VISIT has adopted its own methodology for managing its projects
throughout their respective life cycles. This methodology is known as
the US-VISIT Enterprise Life Cycle Methodology (ELCM). Within the ELCM
is a component methodology for managing software-based system projects
known as the US-VISIT Delivery Methodology (UDM). According to version
4.3 of UDM (April 2007), it:
Applies to new development projects and existing, operational projects.
Specifies the documentation and reviews that should take place within
each of the methodology‘s six phases: plan, analyze, design, build,
test, and deploy.
Allows for tailoring to meet the needs and requirements of individual
projects, in which specific activities, deliverables, and milestone
reviews that are appropriate for the scope, risk, and context of the
project can be set for each phase of the project.
The chart on the following page shows where US-VISIT projects are in
terms of the life cycle methodology.
Background: US-VISIT Project Status:
(New Development and Operational):
Figure: New Development and Operational:
[See PDF for image]
Source: GAO, based on an analysis of DHS data.
* Exit project in pre-planning; not within the UDM Technology
Workstream.
*** IOC: Initial Operational Capability.
[End of figure]
Background:
US-VISIT Task Orders:
Area of Expenditure: Exit;
Task Order Name: Exit Pilot beta survey data collection;
Start: August 2004;
Status/Completion Date: Completed May 2005;
Description: Pilot, test, and evaluate three exit alternatives (kiosk,
mobile, hybrid) at selected international ports of departure.
Area of Expenditure: Exit;
Task Order Name: Increment 1B;
Start: February 2005;
Status/Completion Date: Completed Dec. 2006;
Description: Air and Sea Exit Deployment-provide services for national
deployment of the 1B exit solution as determined from results of 1B
pilots.
Area of Expenditure: Exit;
Task Order Name: Increment 2C;
Start: September 2004;
Status/Completion Date: Ongoing[H];
Description: Planning and implementation of the US-VISIT Increment 2C
Proof of Concept Project.
Area of Expenditure: U.S. Travel Documents and e-Passports;
Task Order Name: International Registered Traveler IPT;
Start: February 2005;
Status/Completion Date: Completed Aug 2005;
Description: Support for SecurePass IPT, and integrated international
registered program designed to enhance national security and improve
efficiency.
Area of Expenditure: U.S. Travel Documents and e-Passports;
Task Order Name: Increment 2A-PKD;
Start: March 2005;
Status/Completion Date: Ongoing;
Description: Development and implementation of PKD Validation service
to allow for biometric comparison and authentication of US visas and
other travel documents.
Area of Expenditure: U.S. Travel Documents and e-Passports;
Task Order Name: Material support to Increment 2A-PKD;
Start: March 2007;
Status/Completion Date: Ongoing;
Description: Purchase of materials, including hardware and software, to
meet requirements of the PKD validation services project.
Area of Expenditure: Unique Identity;
Task Order Name: IT solutions delivery;
Start: October 2004;
Status/Completion Date: Ongoing;
Description: Planning, development, and implementation of the Biometric
identification Systems Project, now referred to as Unique Identity
(IDENT/IAFIS integration and IDENT 10-print).
Area of Expenditure: Unique Identity;
Task Order Name: Integration support to the Unique ID project office;
Start: November 2006;
Status/Completion Date: Ongoing;
Description: Program and technical integration support services.
Area of Expenditure: Unique Identity;
Task Order Name: Material support to task order 007;
Start: April 2007;
Status/Completion Date: Ongoing;
Description: Material, maintenance licenses, warrant, etc. in support
of task 007 IT solutions.
Area of Expenditure: Data Integrity and Biometric Support;
Task Order Name: Data Management support;
Start: August 2004;
Status/Completion Date: Ongoing;
Description: Support Program Office Data Management Branch-identity
errors, omissions, and trends in data;
recommend corrective actions;
provide refined data to other offices (e.g. U.S. Immigration and
Customs Enforcement) to support criminal investigations, lookout
creation, and informed material/operational decision making.
Area of Expenditure: Contractor Support-Program Management;
Task Order Name: Program level management;
Start: July 2004;
Status/Completion Date: Ongoing;
Description: Comprehensive program and project management methodology,
policies, processes, procedures, and support to program office.
Area of Expenditure: Contractor Support-Program Management;
Task Order Name: Strategic Plan;
Start: October 2004;
Status/Completion Date: Completed March 2005;
Description: Create and document a comprehensive strategic plan that
describes necessary activities to integrate US- VISIT processes and
systems.
Area of Expenditure: Contractor Support-Program Management;
Task Order Name: Blueprint;
Start: May 2005;
Status/Completion Date: Completed Nov 2006;
Description: Create a US-VISIT blueprint that describes a comprehensive
approach to achieving the overall vision for US-VISIT's immigration and
border management enterprise.
Area of Expenditure: Contractor Support-Program Management;
Task Order Name: Program level engineering;
Start: September 2004;
Status/Completion Date: Ongoing;
Description: Develop and maintain standards, guidance, architectures,
performance models, and other engineering processes necessary to
support the development of functionality.
Area of Expenditure: Contractor Support-Program Management;
Task Order Name: Development;
Start: November 2006;
Status/Completion Date: Ongoing;
Description: Support the development and maintenance of program
planning artifacts and analyze phases of project execution and
planning, updating, and implementing the US-VISIT Strategic Plan.
Area of Expenditure: Operations and Maintenance;
Task Order Name: Facilities and infrastructure;
Start: March 2005;
Status/Completion Date: Ongoing;
Description: Provisioning of office/faculty space, furniture,
workstations, telecommunications, and other infrastructure to support
contractor activities.
Area of Expenditure: Operations and Maintenance;
Task Order Name: Operations and Maintenance;
Start: August 2006;
Status/Completion Date: Ongoing;
Description: Management of operations and maintenance activities for
deployed capabilities.
Source: GAO, based on analysis of DHS data.
[H] Increment 2C was terminated in November 2006. This task order will
closer once shutdown activities are complete.
[End of table]
Background:
Overview of DHS Investment Management Process:
DHS recently changed its investment management process. Prior to 2006,
DHS IT programs, including US-VISIT, were subject to key decision point
reviews. According to DHS, this approach was adopted from the
Department of Defense‘s investment management process, and while well-
suited for the acquisition of fighter jets, ships, etc., was not well-
suited for acquisition of IT systems.
Accordingly, DHS drafted an Investment Review Process guide that adopts
an approach using milestone decision points (MDP) linking five life
cycle phases: (1) project initiation, (2) concept and technology
development, (3) capability development and demonstration, (4)
production and deployment, and (5) operations and support. According to
DHS, this guide provides more flexibility, allowing DHS to tailor the
number of phases and milestone reviews based on risk and visibility.
MDP reviews can be performed concurrently with an expenditure plan
review. The draft guide was issued in March 2006; as of May 2007, the
draft guide had not been approved.
Under the draft guide, a program sends an investment review request to
the Integrated Project Review Team (IPRT) prior to the initial MDP. The
IPRT assigns the program to a portfolio, and schedules the program for
a Joint Requirements Council and/or IRB review. According to the
official from DHS‘s Program Analysis and Evaluation Directorate who is
responsible for overseeing program adherence to the investment control
process, it is being used for all DHS programs.
Objective 1: Legislative Conditions:
Condition 1:
This fiscal year 2007 US-VISIT expenditure plan, related program
documentation, and program officials' statements satisfy (in part or
total) most, but not all, of the legislative conditions.
Condition 1. The plan, including related program documentation and
program officials' statements, satisfies or partially satisfies all
aspects of the capital planning and investment control review
requirements established by OMB, including OMB Circular A-11, part
7.[Footnote 28]
The table that follows provides examples of the results of our
analysis, including areas in which the A-11 requirements have been and
have not been fully satisfied. Given that the A-11 requirements are
intended to minimize a program's exposure to risk, permit performance
measurement and oversight, and promote accountability, any areas in
which the program falls short of the requirements reduce the chances of
delivering cost-effective capabilities and measurable results of time
and within budget.
Table: Legislative Conditions: Condition 1:
Examples of A-11 Conditions: Provide a brief description of the
investment and its status in the capital planning and investment
control review, including major assumptions made about the investment;
Results of our analysis: The expenditure plan and fiscal year 2007
Exhibit 300 provide a description of investment and its status in the
capital US-VISIT but do not include its status in the DHS capital
planning and planning and investment control review, investment control
process. According to program officials, the program was re- including
major assumptions made evaluated under the MDP process defined in the
draft DHS investment review about the investment process guide. On
February 7, 2007, it passed its first MDP and is now undergoing its
second MDP review. Also, the expenditure plan and related program
documents identify a number of program assumptions. Examples of
assumptions cited in the fiscal year 2007 Exhibit 300 submission
include (1) existing facilities at land POEs will not support the
proposed incorporation of biometric devices without investment in
equipment and infrastructure, and (2) improved exit processes are
needed to collect accurate data on departures.
Examples of A-11 Conditions: Provide a summary of the investment‘s risk
assessment, including how 19 OMB- identified risk elements are being
addressed;
Results of our analysis: The US-VISIT enterprise risk
assessment was completed in December 2005. It identified a number of
risks, their likelihood of occurrence, their potential impact, and
recommended controls to address each risk. The most recent version of
the risk management plan was approved February 2007. Under the
processes defined in this plan, risks are to be monitored and reviewed
by program management and stakeholders through integrated project
teams. All identified risks are to be logged in the risk database and
are to be individually reviewed by the Director. Both the Exhibit 300
and the Risk Management Plan address the 19 OMB-identified risk
elements.
Examples of A-11 Conditions: Demonstrate that the investment is
included in the agency's enterprise architecture and capital planning
and investment control process. Illustrate agency's capability to align
the investment to the Federal Enterprise Architecture (FEA);
Results of our analysis: The plan does not describe US-VISIT relative to
the DHS enterprise architecture (EA) or the capital planning and
investment control process. Moreover, the last review of program
compliance with the DHS EA was in August 2004, and since then US-VISIT
and the DHS architecture have changed significantly. With regard to the
FEA, the fiscal year 2007 OMB Exhibit 300 budget submission contains tables that
satisfy OMB's requirement for listing the various aspects of the FEA
that the program supports. In February 2007, the program completed a
MDP1 review, which program officials told us revalidated the program.
The program has since submitted to the Enterprise Architecture Center
for Excellence its MDP2 review package. US-VISIT's architecture
alignment is further discussed under the legislative condition 2
section of this briefing.
Examples of A-11 Conditions: Provide a description of an investment's
security and privacy issues. Summarize the agenda's ability to manage
security at the system or application level. Demonstrate compliance
with the certification and accreditation processes as well as the
mitigation of IT security weaknesses; Results of our analysis: As we
previously reported, US-VISIT's 2004 security plan and privacy impact
assessments generally satisfied IMB and the National Institutes of
Standards and Technology (NIST) security guidance. Further, the
expenditure plan states that all of the US-VISIT component systems have
been certified and accredited and given authority to operate. Also, the
program office developed a security strategy in December 2006 that was
based on the 2005 risk assessment. However, this security strategy was
limited to the systems under US-VISIT control and does not mention, for
example, the Treasury Enforcement Communications System (TECS) which
provides biographic information to US-VISIT and is owned by Customs and
Border Protection. According to NIST Special Publication 800-18, a
comprehensive security strategy should include all component systems.
We have ongoing work to evaluate the quality of US-VISIT security
documents and practices.
Examples of A-11 Conditions: Provide a summary of the investment's
status in accomplishing baseline cost and schedule goals through the
use of an earned value management (EVM) system or operational analysis,
depending on the life-cycle stage; Results of our analysis: The program
is currently relying on the prime contractor's EVM system to manage the
prime contractor's progress against cost and schedule goals. This EVM
system was self-certified by the prime contractor in December 2003 as
meeting established standards, but has yet to be verified by the agency
or an independent representative of the agency as required by OMB. In
December 2006, the program office contracted with the Defense Contract
Management Agency to conduct this investigation, but it will not be
completed until August 2008. Finally, while the fiscal year 2006
expenditure plan stated that all US-VISIT contractors will perform EVM
and program officials stated that this will be performed in accordance
with the DHS guidelines for all contracts after October 1, 2006, the
fiscal year 2007 expenditure plan does not continue to make this
commitment.
Source: OMB criteria and GAO analysis of DHS documentation.
[End of table]
Objective 1: Legislative Conditions:
Condition 2:
Condition 2. The plan, including related program documentation and
program officials‘ statements, partially provides for satisfying the
condition that it comply with DHS‘s EA.
According to federal guidelines and best practices, investment
compliance with an EA is essential for ensuring that an organization‘s
investment in new and existing systems is defined, designed, and
implemented in a way that promotes integration and interoperability and
minimizes overlap and redundancy, thus optimizing enterprise wide
efficiency and effectiveness. A compliance determination is not a one-
time event that occurs when an investment begins, but is, rather, a
series of determinations that occurs throughout an investment‘s life
cycle as changes to both the EA and the investment‘s architecture are
made.
The DHS Enterprise Architecture Board, supported by the Enterprise
Architecture Center of Excellence, is responsible for ensuring that
projects demonstrate adequate technical and strategic compliance with
the department‘s EA.
The DHS Enterprise Architecture Board has not conducted a detailed
review of US- VISIT architecture compliance in more than 2 years. In
August 2004, the board reviewed US-VISIT‘s architectural alignment with
some aspects of the DHS EA, and it recommended that US-VISIT be given
conditional approval to proceed.[Footnote 29] However, we reported
[Footnote 30] in February 2005 that this architectural compliance was
limited because:
DHS‘ determination was based on version 1.0 of the EA, which was
missing, in part or in whole, all the key elements expected in a well-
defined architecture, such as a description of business processes,
information flows among these processes, and security rules associated
with these information flows.
DHS did not provide sufficient documentation to allow us to understand
the methodology and criteria for architecture compliance or to verify
analysis justifying the conditional approval.
Moreover, the next architecture alignment review did not occur until
more than 2 years later, in November 2006. This review was part of US-
VISIT‘s MDP1 revalidation review, and it focused on compliance with 2
components of the DHS EA 2006. In February 2007 US-VISIT received MDP1
approval with the stipulation that the program undergo a MDP2 review
within 60 days.
This February 2007 MDP1 alignment determination does not fully satisfy
the legislative condition for several reasons.
The review was based on US-VISIT documentation that was not current. In
particular, the US-VISIT Mission Needs Statement[Footnote 31] did not
reflect recent changes to the program, such as the IDENT/IAFIS
interoperability and expansion of IDENT to collect 10, rather than 2,
prints.
The review assessed compliance with only general aspects of the DHS EA,
such as the investment portfolio, the architecture principles, and the
business model. It did not include US-VISIT‘s compliance with other
relevant aspects of the EA, such as the data and information security
components.
The review was based on DHS EA 2006. We reported[Footnote 32] in May
2007 that this version was missing important architectural content and
did not address most of the comments made by DHS stakeholders. As a
result, we concluded that it was not complete, consistent,
understandable, or usable.
Program officials told us that they submitted documentation for a more
comprehensive MDP2 alignment review to the Enterprise Architecture
Centers of Excellence in April 2007. They also stated that they have
mitigated the risks of US-VISIT being misaligned with the DHS EA
through other means. These included:
submitting the technical baseline of existing hardware and software to
the Center for Excellence for inclusion in the DHS EA;
submitting technology insertion requests for new equipment planned for
US-VISIT, such as RFID technology, to the EA Center of Excellence for
review and inclusion in the DHS EA, and:
relating US-VISIT capabilities with the business and services models of
the FEA reference models.
Notwithstanding these steps, DHS has yet to demonstrate, through
verifiable documentation and methodologically-based analysis, that US-
VISIT is aligned with a well-defined DHS EA. As a result, the program
will remain at risk of being defined and implemented in a way that does
not support optimized department wide operations, performance, and
achievement of strategic goals and outcomes.
Objective 1: Legislative Conditions:
Condition 3:
Condition 3. The plan, including related program documentation and
program officials‘ statements, partially provides for satisfying the
condition that it comply with the acquisition rules, requirements,
guidelines, and systems acquisition management practices of the federal
government.[Footnote 33]
Federal IT acquisition requirements, guidelines, and management
practices provide an acquisition management framework that is based on
the use of rigorous and disciplined processes for planning, managing,
and controlling the acquisition of IT resources.[Footnote 34] Effective
acquisition management processes are embodied in published best
practices models, such as the Software Engineering Institute (SEI)
Capability Maturity ModelsŽ. These models explicitly define, among
other things, acquisition process management controls that are
recognized hallmarks of successful organizations and that, if
implemented effectively, can greatly increase the chances of acquiring
software-intensive systems that provide promised capabilities on time
and within budget.
We reported in September 2003[Footnote 35] that the program office had
not defined key acquisition management controls to support the
acquisition of US-VISIT, and therefore its efforts to acquire, deploy,
operate, and maintain system capabilities were at risk of not meeting
system requirements and benefit expectations on time and within budget.
Subsequently, the program adopted SEI Capability Maturity Model
Integration[Footnote 36] (CMMIŽ) to guide its efforts to employ
effective acquisition management practices and approved an acquisition
management process improvement plan dated May 16, 2005. One of the
goals of this plan was to achieve a CMMIŽ level 2 capability rating
from SEI by October 2006.
In September 2005, DHS‘s initial assessment of 13 US-VISIT key
acquisition process areas revealed a number of weaknesses. In light of
this, US-VISIT updated its acquisition management process improvement
plan, narrowing the scope of the process improvement activities to six
of the CMMI process areas--project planning, project monitoring and
control, requirements management, risk management, configuration
management, and product and process quality assurance”and focusing on
two US-VISIT projects”U.S. Travel Documents-ePassports (formerly
Increment 2A) and Unique Identity. Under the updated plan, the goal for
an external CMMI evaluation remained October 2006.
During 2006, the program conducted periodic assessments in the six key
process areas and reported that while it had increased the number of
fully and largely implemented practices within these six areas,
sufficient progress had not been made to pass an external evaluation in
October 2006. Some of the weaknesses reported were:
Insufficient definition of processes and preparation of supporting
documents for areas such as systems development, budget and finance,
facilities, and strategic planning (e.g., product work flow among
organizational units was unclear and not documented, and roles,
responsibilities, and assignments for performing work tasks and
activities were not adequately defined and documented).
Lack of policies, process descriptions, and templates for requirements
development and management.
Lack of definition of roles, responsibilities, work products,
expectations, resources, and accountability of external stakeholder
organizations.
The program has since revised its process improvement plan. Among other
things, the revised plan delays the date for having an external CMMI
evaluation from October 2006 to November 2007. At the same time, it has
continued to address the weaknesses discovered during earlier internal
assessments. Based on its latest periodic assessment (March 2007), the
program office reports that 83 percent of key practices are now either
fully or largely implemented, up from 26 percent in August 2005 (see
chart on next slide).
Figure: State of US-VISIT Implementation of 113 Key Practices
Associated with Six CMMI Key Process Areas:
[See PDF for image]
Source: GAO, based on an analysis of DHS data.
[End of figure]
In addition, the fiscal year 2007 expenditure plan reported progress in
a seventh key process area not included in the program‘s CMMI
improvement efforts” contract tracking and oversight.
In 2006, we reported[Footnote 37] that the program office had not
effectively overseen US-VISIT related contract work performed on its
behalf by other DHS and non-DHS agencies, and these agencies did not
always establish and implement the full range of controls associated
with effective management of contractor activities. Further, neither
the program office nor the other agencies had implemented effective
financial controls.[Footnote 38]
Since this report was issued, the program office has instituted the use
of oversight plans for new task order and contract awards and is
developing a set of requirements for reimbursable contracts that
address our recommendations to enhance the probability of successful
performance and reduce risks.
Notwithstanding this reported progress in implementing acquisition
management process areas, the program‘s acquisition management
improvement efforts are focused on only seven acquisition management
process areas. Other areas are also relevant to the program and need to
be addressed. The status of the program office‘s efforts to implement
our recommendations aimed at implementing the full range of acquisition
management controls is discussed later in this briefing.
Objective 1: Legislative Conditions:
Condition 4:
Condition 4. The plan satisfies the condition that it include a
certification by the DHS CIO that an IV&V agent is currently under
contract for the project.
On February 21, 2007, the DHS Deputy CIO certified in writing that two
independent verification and validation agents[Footnore39] were under
contract for US-VISIT and that these agents met the requirements and
standards for an IV&V agent. 49
Objective 1: Legislative Conditions:
Condition 5:
Condition 5. The plan, including related program documentation and
program officials‘ statements, satisfies the requirement that it be
reviewed and approved by the DHS Investment Review Board, the Secretary
of Homeland Security, and OMB.
The DHS Deputy Secretary, who is also the chair of the Investment
Review Board, approved the fiscal year 2007 expenditure plan, and:
OMB approved the plan on March 20, 2007.
Objective 1: Legislative Conditions:
Condition 6:
Condition 6. The plan satisfies the requirement that it be reviewed by
GAO. Our review was completed on June 15, 2007.
Objective 1: Legislative Conditions:
Condition 7:
Condition 7. The plan does not satisfy the condition that it include a
comprehensive US-VISIT strategic plan.
Strategic plans are the starting point and basic underpinning for
results-oriented management. Such plans articulate the fundamental
mission of an organization, or program, and lay out its long-term goals
and objectives for implementing that mission, including the resources
needed to reach these goals. Federal legislation and
guidelines[Footnote 40] require that agencies‘ strategic plans include
six key elements: (1) a comprehensive mission statement, (2) strategic
goals and objectives, (3) strategies and the various resources needed
to achieve the goals and objectives, (4) a description of the
relationship between the strategic goals and objectives and annual
performance goals, (5) an identification of key external factors that
could significantly affect the achievement of strategic goals, and (6)
a description of how program evaluations were used to develop or revise
the goals and a schedule for future evaluations. As we have previously
reported,[Footnote 41] strategic plans should also include a discussion
of management challenges facing the program that may threaten its
ability to meet long-term, strategic goals and efforts to coordinate
among cross-cutting programs, activities, or functions.
While the US-VISIT program is not required to explicitly follow these
guidelines, the guidelines nonetheless provide a framework for
effectively developing strategic plans and the basis for program
accountability. However, the US-VISIT strategic plan[Footnote 42] does
not include any of these key elements associated with effective
strategic plans. In summary, the plan describes eight desired program
capabilities[Footnote 43] and provides an implementation strategy that
describes how each of these capabilities will be delivered over a
multi- year investment horizon through three categories of activities –
Foundation, Transformation, and Globalization.
Foundation activities, which are described as modernization,
enhancement, and expansion of capabilities and technologies, as well as
leveraging current capabilities and technologies.
Transformation activities, which are described as the implementation of
processes and technologies that cut across the particular functions and
entities that make up the immigration and border management system.
Globalization activities, which are described as the coordination and
sharing of information with foreign governments to improve the ability
to detect and prevent potential threats from either entering the United
States or remaining here.
However, the plan does not provide time frames for the completion of
these broad investment categories. The plan also does not include
strategic goals and objectives or strategies for achieving goals and
objectives. As a result, it is not clear what program capabilities will
be delivered when and whether they are aligned with the program‘s goals
and objectives. Further, the plan does not include a comprehensive
mission statement, describe the relationships between strategic goals
and annual performance goals, the external factors that could affect
the program, and the program evaluations used to establish or revise
the goals.
In addition, the US-VISIT strategic plan does not address management
challenges facing the program, such as those addressed in our past
recommendations. And although the strategic plan identifies the ability
to communicate with external stakeholders as a desired capability, the
plan does not provide any evidence of such past communication or
explain the relationship between US-VISIT and other organizations
within the border and immigration management enterprise. For example,
it does not describe the relationship between US-VISIT and DHS‘s
Western Hemisphere Travel Initiative, even though both programs involve
the entry of certain foreign individuals at U.S. POEs.
While the strategic plan is missing important content, other related
program documentation includes some of this content. For example, the
fiscal year 2007 expenditure plan and the US-VISIT Mission Needs
Statement state the program‘s mission and goals. In addition, the US-
VISIT Program Blueprint describes eight core capabilities, which are
very similar to those described in the strategic plan, and maps those
capabilities to four business outcomes. However, the Blueprint does not
include strategic goals, so it is not clear whether the business
outcomes are aligned with US-VISIT‘s goals. Further, the outcomes are
not described in the strategic plan.
The Program Blueprint also notes that responsibilities for immigration
and border management are spread across multiple agencies and
departments. However, it does not provide clear delineations of these
organizations‘ respective tasks, services, or efforts. Further, the
strategic plan does not cite or describe any coordination efforts to
address this situation. Additionally, the Blueprint identifies border
and immigration management enterprise stakeholders and identifies, for
each stakeholder, needs and priorities, challenges, how the business
outcomes will benefit the stakeholder, and stakeholder constraints that
will affect business outcomes.
This means that while some of the content of a US-VISIT strategic plan
is captured in a fragmented fashion across a range of documents, the
full range of content needed to define an authoritative strategic
direction, focus, and roadmap for the program that is approved by
departmental leadership is missing. Without it, DHS reduces the chances
that the US-VISIT program will achieve desired results and succeed in
achieving the program‘s goals and objectives.
Objective 1: Legislative Conditions:
Condition 8:
Condition 8. The plan, including related program documentation and
program officials‘ statements, does not satisfy the condition that it
include a complete schedule for biometric exit implementation.
The fiscal year 2007 expenditure plan addresses DHS‘ near-term
deployment plans for biometric exit capabilities at air and sea POEs.
Further, it notes the absence of near-term biometric options for land
POEs and mentions only a possible near-term, interim option that is
being considered. In addition, the expenditure plan addresses all three
locations of US-VISIT technology (air, sea, and land). However, the
expenditure plan‘s discussion of exit capabilities is conceptual and
general and does not contain a schedule for the full implementation of
US-VISIT exit capabilities at air, sea and land POEs.
Air:
The plan states that DHS plans to incorporate air exit into the airline
check-in process. However, the plan does not provide any details as to
what capabilities will be acquired and deployed when and at what cost.
Instead, it states that DHS plans to integrate US-VISIT‘s efforts with
CBP‘s pre-departure Advance Passenger Information System[Footnote 44]
and TSA‘s Secure Flight[Footnote 45] for purposes of partnering with
the airline industry. Further, the plan does not include any schedule
of air exit implementation activities, but rather, simply states that
DHS plans to initiate efforts on its air exit solution at an
unspecified time during the third quarter of fiscal year 2007, and will
fully deploy the air exit solution by an unspecified time during
calendar year 2008.
On June 11, 2007, DHS provided us with a schedule for air exit, which
the department characterized as high-level. For example, it does not
include the underlying details supporting the timelines for such areas
of activity as system design, system testing, and system development.
However, program officials told us that greater detail existed to
support the schedule, but that because this had not been approved by
DHS, could not be provided. The schedule provided indicates that the
air exit solution will be fully deployed by June 2009, which is at
least six months after the deployment date provided in the expenditure
plan.
Sea:
The plan states that DHS will initiate planning efforts on the sea exit
deployment at an unspecified time during fiscal year 2007, and that it
will emulate the technology and operational plans used for the air exit
solution. However, the plan does not provide any details about how,
when, and at what cost the sea exit solution will be accomplished, or
provide a completion date or any interim dates.
Land:
Consistent with our December 2006 report,[Footnote 46] the plan states
that implementing a biometric exit solution at land POEs is
significantly more complicated and costly than air or sea exit because
it would require a costly expansion of existing exit capacity,
including physical infrastructure, land acquisition, and staffing.
Because of this, the plan concludes that land exit cannot be
practically based on biometric validation in the short term. In lieu of
biometric-based exit at land POEs in the near term, the plan states
that DHS will initially seek to match entry and exit records using
biographic information in instances where departure information is not
collected from an individual who leaves the country, as in the case of
an individual who does not submit their Form I-94[Footnote 47] upon
departure.
However, the plan does not specify what this near-term focus entails
and how, when, and at what cost it will be accomplished. Rather, it
says that DHS has not yet determined a time frame or any cost estimates
for the initiation of a land exit solution.
Objective 2: Open Recommendations:
Recommendation 1:
Recommendation 1: Develop and begin implementing a system security plan
and perform a privacy impact analysis and use the results of this
analysis in near-term and subsequent system acquisition decision-
making.
Status: Partially complete:
A system security plan and privacy impact assessment are important to
understanding system requirements and ensuring that the proper
safeguards are in place to protect system data, resources, and
individuals‘ privacy. Both best practices and federal guidance advocate
their development and use.
System Security Plan:
The purpose of a system security plan is to define the steps that will
be taken (i.e., security controls that will be implemented) to cost-
effectively address known security risks. We reported[Footnote 48] in
2005 that the program office developed a US-VISIT system security plan
that was generally consistent with federal practice. However, we also
reported at that time that the plan was not based on a security risk
assessment.
In December 2005, the program office developed a US-VISIT risk
assessment that addressed the risk elements required by OMB, including
having an inventory of known risks, their probability of occurrence and
impact, and recommended controls to address them. At that time, program
officials told us that they intended to develop a US-VISIT security
strategy that reflected the results of this risk assessment.
In December 2006, the program office developed a US-VISIT security
strategy and has since begun implementing it. For example, it has
conducted security evaluations of commercial off-the-shelf software
products before adding them to the program‘s technical baseline.
However, the scope of this strategy does not extend to all the systems
that comprise US-VISIT. For example, the Treasury Enforcement
Communications System (TECS), an integral component of US- VISIT, is
not under the US-VISIT inventory of systems because it is owned by
Customs and Border Protection.
The fact that the US-VISIT security strategy‘s scope is limited to only
systems that the program office owns is not consistent with our
recommendation. We have ongoing work to evaluate the quality of US-
VISIT security documents and practices, including TECS implementation
of security controls.
Privacy Impact Assessment:
The purpose of a privacy impact assessment is to ensure handling of
information conforms to applicable legal, regulatory, and policy
requirements regarding privacy, determine the risks and effects of
collecting, maintaining, and disseminating information in identifiable
form[Footnote 49] in an electronic information system, and examine and
evaluate protections and alternative processes for handling information
to mitigate potential privacy risks.
In February 2006, we reported[Footnote 50] that the program office had
developed and periodically updated a privacy impact assessment.
However, we also reported that system documentation only partially
addressed privacy. Since then, program officials told us that they have
taken steps to ensure that the impact assessment‘s results are used in
deciding and documenting the content of US-VISIT projects. For example,
they said that privacy office representatives are included in key
project definition, design, and development meetings to ensure that
privacy issues are addressed and that key system documentation now
reflects privacy-based needs.
Furthermore, US-VISIT privacy officials recently conducted an audit of
system documentation to ensure that privacy is being addressed. They
found only a single instance where privacy should have been addressed
in system documentation but was not. Finally, our review of recently
issued system documentation shows privacy concerns are being addressed.
Objective 2: Open Recommendations:
Recommendation 2:
Recommendation 2: Develop and implement a plan for satisfying key
acquisition management controls, including acquisition planning,
solicitation, requirements management, project management, contract
tracking and oversight, evaluation, and transition to support, and
implement the controls in accordance with Software Engineering
Institute (SEI) guidance.[Footnote 51]
Status: Partially complete:
Effective acquisition management controls are important contributors to
the success of programs like US-VISIT. SEI has defined a range of
acquisition management controls as part of its capability maturity
models, which, when properly implemented, have been shown to increase
the chances of delivering promised system capabilities on time and
within budget.
In June 2003, we first reported[Footnote 52] that the program did not
have key acquisition management controls in place, and we reiterated
this point in September 2003.[Footnote 53]
In May 2005, the program office developed a plan for satisfying SEI
acquisition management guidance and began implementing it. Its 2005
assessment addressed 13 SEI key process areas, a number of which were
consistent with the seven management controls that we recommended.
In April 2006, the program office updated its plan to focus on six key
process areas: acquisition project planning, requirements management,
project monitoring and control, risk management, configuration
management, and product and process quality assurance.
Since 2005, the program office reports that it has made progress in
implementing the 113 practices associated with these six key process
areas, as previously discussed. However, the six areas of focus do not
include all of the management controls that we recommended. For
example, solicitation, contract tracking and oversight, and transition
to support are not included. While the program office reports that it
has also addressed contract tracking and oversight as part of
responding to a later recommendation that we made (not one of the nine
recommendations addressed in this briefing), it also reports that it
has yet to address the other two management controls.
It is important for the program office to address all of the management
controls that we recommended. If it does not, it will unnecessarily
increase program risks.
Objective 2: Open Recommendations:
Recommendation 3:
Recommendation 3: Ensure that expenditure plans fully disclose what
system capabilities and benefits are to be delivered, by when, and at
what cost, as well as how the program is being managed.
Status: Partially complete The fiscal year 2007 expenditure plan
discloses planned system capabilities, estimated schedules and costs,
and expected benefits, but meaningful information about schedules,
costs, and benefits is missing. Further, while the plan does provide
information on some acquisition activities, it does not adequately
describe how the program is being managed in a number of areas and does
not disclose the management challenges that it continues to face.
Without such information, the expenditure plan does not provide
Congress with enough information to exercise effective oversight and
hold the department accountable.
Schedule:
The fiscal year 2007 expenditure plan provides time commitments for
some capabilities; however, these are not specific. For example, the
plan states the following:
Unique Identity:
* Deployment of 10-print pilot to 10 air locations to begin in late
2007.
* Initial Operating Capability functionality targeted for September
2008.
Exit:
* Air exit solution deployment will begin in third quarter 2007 and
continue through 2008.
* Begin work in fiscal year 2007 on sea exit deployment that will
emulate technology and operational plans adopted for commercial
aviation environment.
Moreover, no schedule commitments are made for the development and
deployment of PKD validation capabilities.
Costs:
The fiscal year 2007 expenditure plan identifies each project‘s
funding. In some cases, this information is provided with meaningful
detail that allows for understanding of how the funds will be used. For
example:
Unique Identity shows the following activities and costs:
* Acquisition and Procurement ($21.2 million)”purchase and initial
deployment of 10-print capture devices and upgrades in network
capabilities (bandwidth and technology refreshes) at 119 airports, 9
seaports, and 155 land ports.
* Update DHS Border and Process Technology ($2.0 million)”update device
to client biometric interfaces and further 10-print prototype testing
and evaluation.
However, in other cases, costs are not described at a level that would
permit such understanding. For example:
Contractor Services (Project Assigned) ($12.1 million) - contractor
services and support for the project-related resource planning and
management (including the areas of configuration, acquisition, and
risk), as well as project performance metrics and reporting in the
areas of cost, schedule, scope, and quality management. This exact
wording is also used for this category in two other projects with
different costs.
In addition, unlike prior expenditure plans, carryover funds from prior
years that are planned for use in 2007 are not allocated to 2007
activities. For example:
Exit - A total of $7.3 million in fiscal year 2007 funds, plus fiscal
year 2006 carryover funds of $20 million are mentioned as being
allocated to begin the process of deploying DHS‘ integrated air exit
strategy and initial planning for sea exit. However, only the $7.3
million is allocated among the activities listed. No information is
presented regarding the allocation of the $20 million in carryover
funds to these activities or any others.
Benefits:
The fiscal year 2007 expenditure plan cites benefits associated with
the projects. However, the benefits are broadly stated. For example,
the plan describes exit benefits as ’Safer and more secure travel“ and
Unique Identity benefits as ’Facilitation of efficient, yet secure,
trade and travel.“
Acquisition Management:
The 2007 expenditure plan describes a range of key acquisition
management activities and control areas. These include:
Requirements development and management:
Configuration management:
Data governance:
However, the plan does not fully disclose challenges that the program
faces in managing acquisition activities, nor does it discuss key areas
in which change is occurring, such as capital planning and investment
controls and human capital management.
Objective 2: Open Recommendations:
Recommendation 4:
Recommendation 4: Ensure that the human capital and financial resources
are provided to establish a fully functional and effective program
office and associated management capability.
Status: Partially complete:
DHS established the US-VISIT program office in July 2003 and determined
the office‘s staffing needs to be 115 government and 117 contractor
personnel. In September 2003, we reported[Footnote 54] that the program
office lacked adequate human capital and financial resources. In August
2004, the program office, in conjunction with OPM developed a draft
human capital plan. Agency officials stated that, at one point in 2006,
all of the 115 government positions were filled. In addition, the
program has received about $1.4 billion in funding, and we recently
reported that it has devoted an increasing proportion of its annual
appropriation to program office and related management activities.
Since then, however, 21 of the government positions have become vacant.
According to program officials, they have taken interim steps to
address this void in leadership by temporarily assigning other staff to
cover them. They added that they plan to fill all the positions through
aggressive recruitment and that they do not consider the vacancies to
present a risk to the program. However, without adequate human capital,
particularly in key positions and for extended periods, program risks
will invariably increase.
Objective 2: Open Recommendations:
Recommendation 5:
Recommendation 5: Clarify the operational context within which US-VISIT
must operate.
Status: Partially complete:
As we have previously reported, all programs exist within a larger
operational (and technological) context or frame of reference that is
captured in such strategically focused instruments as strategic plans
and an EA. Additionally, having a strategic plan and an EA are
recognized best practices and provided for in federal guidance.
In 2003, we reported[Footnote 55] that DHS had yet to define the
operational context in which US-VISIT is to operate, such as a well-
defined department EA or a departmentally approved strategic plan. In
the absence of this operational context, we stated that program
officials could make assumptions and decisions that, if they proved
inconsistent with subsequent departmental policy decisions, would
require US- VISIT rework to make it interoperable with related programs
and systems, such as the FBI‘s 10-print biometric identity system known
as IAFIS. Moreover, we stated that US-VISIT could be defined and
implemented in a way that made it duplicative of other programs and
systems, such as the Secure Border Initiative or the Western Hemisphere
Travel Initiative.
Since then, we have continued to report on the absence of this context.
Most recently, we reported[Footnote 56]in February 2006 that this
operational context was still a work in process. Specifically, we found
that although a strategic plan was drafted that program officials said
showed how US-VISIT was aligned with DHS‘s organizational mission and
defined an overall vision for immigration and border management across
multiple departments and external stakeholders with common objectives,
strategies, processes, and infrastructures, this plan had been awaiting
departmental approval at that time for more than 11 months.
In February 2007, we reported[Footnote 57] that US-VISIT was still
lacking a departmentally approved operational context, and that this
was exacerbated by DHS‘s recent launching of other major programs
without defining their relationships to US-VISIT. Examples of these
programs are:
Secure Border Initiative (SBI), a multi-year program to secure the
borders and reduce illegal immigration by installing state-of-the-art
surveillance technologies along the border, increasing border security
personnel, and ensuring information access to DHS personnel at and
between ports of entry.
Western Hemisphere Travel Initiative (WHTI), which is to implement the
provisions of the Intelligence Reform and Terrorism Prevention Act of
200448 requiring citizens of the United States, Canada, Bermuda, and
Mexico to have a designated document for entry or re-entry into the
United States that establishes the bearer‘s identity and citizenship.
US-VISIT continues to lack a well-defined operational context.
As discussed earlier in this briefing, the fiscal year 2007 expenditure
plan includes an appendix titled ’Comprehensive Strategic Plan for US-
VISIT,“ which the Program Director told us is the department‘s
officially approved US- VISIT strategic plan. However, as we discussed
in the legislative conditions section of the briefing, key elements of
relevant federal guidance for a strategic plan are not addressed in
this plan. For example, no specific outcome-related goals for major
functions and operations of US-VISIT or specific objectives to meet
those goals are provided, nor does it address external factors that
could affect achievement of program goals. Finally, this strategic plan
does not address the explicit relationships between US-VISIT and either
the SBI or WHTI programs.
We recently reported [Footnote 59] that DHS‘s EA has evolved beyond
prior versions. However, the DHS EA 2006[Footnote 60] was not complete
for several reasons. For example, it was missing architecture content,
such as a transition plan and evidence of a gap analysis between the
’as is“ and ’to be“ architectures, and it was developed with limited
stakeholder input: support contractors and organizational stakeholders
provided a range of comments on completeness, internal consistency, and
understandability of a draft of the EA, but the majority of comments
were not addressed. Because the EA was not complete, internally
consistent and understandable, we concluded that its usefulness was
limited, in turn limiting DHS‘s ability to guide and constrain IT
investments in a way that promotes interoperability and reduces overlap
and duplication.
Program officials told us that they have met with related programs to
coordinate their respective efforts. They stated that DHS‘s Office of
Screening Coordination and Operations (SCO) has been trying to
coordinate and unify the departmental components‘ initiatives by
bringing border management stakeholders together. However, specific
coordination efforts have not been assigned to the SCO or any other DHS
entity.
The absence of a well-defined operational context within which to
define and pursue US-VISIT has been longstanding. Until this context
exists, the department will be challenged in its ability to define and
implement US-VISIT and related border security and immigration
management programs in a manner that promotes interoperability,
minimizes duplication, and optimizes departmental capabilities and
performance.
Objective 2: Open Recommendations:
Recommendation 6:
Recommendation 6: Determine whether proposed US-VISIT increments will
produce mission value commensurate with costs and risks and disclose to
its executive bodies and the Congress the results of these business
cases and planned actions.[Footnote 61]
Status: Partially complete:
The decision to invest in any system capability should be based on
reliable analysis of return on investment. Moreover, according to
relevant guidance, incremental investments in major systems should be
individually supported by such analyses of benefits, costs, and risks.
Without such analyses, an organization cannot adequately know that a
proposed investment is a prudent and justified use of limited
resources.
In June and September 2003, and in February 2005, we reported[Footnote
62] that proposed investments in the then entry/exit system, US-VISIT
Increment 1, and US-VISIT Increment 2B, respectively, were not
justified by reliable business cases.
Further, in February 2006 we reported[Footnote 63] that while a
business case was prepared for Increment 1B, the analysis performed met
only four of the eight criteria in OMB guidance. For example, it did
not include a complete uncertainty analysis for the alternatives
evaluated.
More recently, the program office has developed business cases for two
projects: Unique Identity and U.S. Travel Documents-ePassports
(formerly Increment 2A).[Footnote 64] However, the program office has
not developed a business case for another project that it plans to
begin implementing this year”biometric exit at air POEs. As discussed
later in the observations section of this briefing, the program office
has defined very little about its proposed solution to meeting its exit
needs at air POEs, including an analysis of alternative solutions to
meeting this need on the basis of their relative costs, benefits, and
risks.
Until the program office has reliable business cases for each US-VISIT
project in which alternative solutions for meeting mission needs are
evaluated on the basis of costs, benefits, and risks, it will not be
able to adequately inform its executive bodies and the Congress about
its plans and will not provide the basis for prudent investment
decision making.
Objective 2: Open Recommendations:
Recommendation 7:
Objective 7: Open Recommendations Recommendation:
Recommendation 7: Develop and implement a human capital strategy that
provides for staffing open positions with individuals who have the
requisite core competencies (knowledge, skills, and abilities).
Status: Partially complete:
Strategic management of human capital involves proactive efforts to
understand an entity‘s future workforce needs, existing workforce
capabilities, and the gap between the two and to chart a course of
action defining how this gap will be continuously addressed. Such an
approach to human capital management is both a best practice and
provision in federal guidance.
In September 2003, we reported[Footnote 65] that US-VISIT did not have
a human capital strategy. In February 2006, we reported[Footnote 66]
that the program office issued a human capital plan and began
implementing it. However, it stopped doing so during 2006 pending a
departmental approval of a DHS-wide human capital initiative, known as
MAXHR, and because all program office positions were filled. However,
as noted earlier, the program office now reports that it has 21
government positions, including critical leadership positions, vacant.
According to program officials, US-VISIT recently developed a new human
capital plan as part of their Organizational Improvement Initiative and
this plan is now being reviewed by the department. Because its approval
is pending, we were not provided a copy.
Objective 2: Open Recommendations:
Recommendation 8:
Recommendation 8: Develop and implement a risk management plan and
ensure that all high risks and their status are reported regularly to
the appropriate executives.
Status: Partially complete:
In September 2003, we reported[Footnote 67] that US-VISIT was a risky
undertaking due to several factors, including its large scope and
complexity and various program weaknesses. We concluded that these
risks, if not effectively managed, would likely cause program cost,
schedule, and performance problems.
Since then, US-VISIT approved a risk management plan and began to put
into place a risk management process that included, among other things,
subprocesses for identifying, analyzing, managing, and monitoring risk.
It also defined and began implementing a governance structure to
oversee and manage the process, and it maintains a risk database that
is available to program management and staff.
In February 2006,[Footnote 68] we reported that the risk management
process detailed in the risk management plan was not being consistently
applied across the program. In addition, we reported that thresholds
for elevating risks to department executives were not being applied and
risk elevation was being left to the discretion of the Program
Director. Since then, the program has provided training to its
employees to ensure that they understood how to apply the risk
management process.
However, program officials told us that they have eliminated the
thresholds for elevating risks beyond the US-VISIT Program Office.
Further, no risks have been elevated to department executives since
December 2005, and no specific guidance on when risks should be
elevated beyond the US-VISIT Program Director is provided in the
current risk management plan. Until the program office ensures that
high risks are appropriately elevated, department executives will not
have the information they need to make informed investment decisions.
Objective 2: Open Recommendations:
Recommendation 9:
Recommendation 9: Define performance standards for US-VISIT that are
measurable and reflect the limitations imposed on US-VISIT capabilities
by relying on existing systems.
Status: Partially complete:
The operational performance of US-VISIT depends largely on the
performance of the existing systems that have been integrated to form
it. This means that, for example, the availability of US-VISIT is
constrained by the downtime of existing systems. In February 2006, we
reported[Footnote 69] that the program office had defined technical
performance standards for several increments (e.g., Increments 1, 2B,
and 2C), but these standards did not contain sufficient information to
determine whether or not they reflected the limitations imposed by
reliance on existing systems. Since then, program officials told us
that they have not updated the performance standards for Increments 1-3
to reflect limitations imposed by relying on existing systems. As a
result, the ability of these increments to meet performance
requirements remains uncertain.
Recently, the program office has developed requirements-related
documentation on Unique Identity elements, including the iDSM. While
this documentation specifies a requirement that the model be able to
exchange information with external systems, and refers to this as a
system constraint, it does not assess the quantitative impact that
these changes would impose on the system. In order to determine such
impacts, it is necessary to assess such factors as the response time
and throughput of US-VISIT feeder systems on US-VISIT.
Until the program defines performance standards that reflect the
limitations of the existing systems upon which US-VISIT relies, the
program lacks the ability to identify and effectively address
performance shortfalls.
Objective 3: Observation 1:
Earned Value Data Show Favorable Variances:
Observation 1: Earned value management data on ongoing prime contract
task orders show that cost and schedule baselines are being met.
Earned value management (EVM) is a program management tool for
measuring progress by comparing, during a given period of time, the
value of work accomplished with the amount of work expected to be
accomplished. This comparison permits performance to be evaluated based
on calculated variances from the planned (baselined) cost and schedule.
EVM is both an industry accepted practice and an OMB requirement.
The program office requires its prime contractor to use EVM,[Footnote
70] and the data provided by the program office show that the
cumulative cost and schedule variances for the overall prime contract
and all 12 ongoing task orders are within an acceptable range of
performance.
Our analysis of baseline and actual performance data using generally
accepted earned value analysis techniques show that as of February
2007, the prime contractor had an overall:
Positive cost variance for all task orders combined (i.e., was under
budget) by about $17.1 million (about 7 percent of the $ 238.9 million
worth of work to be completed).
Negative schedule variance for all task orders combined (i.e., had a
schedule slip) of only about $1.3 million worth of work (less than 1
percent of the work scheduled for the period). The six-month (September
2006-February 2007) trend in cost and schedule variances for the prime
contract are shown on the next two pages.
Figure: Cumulative Cost Variance:
[See PDF for image]
Source: GAO, based on an analysis of DHS data.
[End of figure]
Figure: Cumulative Cost Variance:
[See PDF for image]
Source: GAO, based on an analysis of DHS data.
[End of figure]
Our analysis of these data for two specific task orders showed similar
results. Specifically,
Task order 4: Program Level Engineering. This task order includes the
development and maintenance of the US-VISIT target architecture,
related standards, engineering plans, and guidance as well as
performance modeling and technology assessments. As of February 2007,
it:
* Showed a positive cost variance (i.e., was under budget) by about
$4.1 million (about 9.6 percent of the $ 42.7 million worth of work to
be completed).
* Showed a negative schedule variance (i.e., had a schedule slip) by
about $230,000 worth of work (less than one percent of the work
scheduled for the period).
Task order 7: IT Solutions Delivery. This task order contains several
Unique Identity project subtasks including (1) operation and
maintenance of US- VISIT‘s IDENT biometric identification system, (2)
development and maintenance of the iDSM, (3) IDENT expansion to 10
prints, and (4) development and testing of enumeration functionality
for the U.S. Citizenship and Immigration Services. As of February 2007,
it:
* Showed a positive cost variance (i.e., was under budget) by about
$747,000 (less than 2 percent of the $44.5 million worth of work to be
completed).
* Showed a negative schedule variance (i.e., had a schedule slip) of
about $384,000 worth of work (less than one percent of the work
scheduled for the period).
All of the above cited variances are within the expected range of 10
percent.
Objective 3: Observation 2:
Management Funding Remains High and Unsatisfied:
Observation 2: DHS continues to propose a heavy investment in program
management-related activities without adequate justification or full
disclosure.
Program management is an important and integral aspect of any system
acquisition program. Our recommendations to DHS aimed at strengthening
US- VISIT program management are grounded in our research, OMB
requirements, and recognized best practices relative to the importance
of strong program management capabilities. The importance of this area,
however, does not in and of itself justify the level of investment in
such activities. Rather, investment in program management-related
activities, similar to investment in any program capability, should be
based on full disclosure of the scope, nature, size, and value of the
program and such investments should be justified in relation to the
size and significance of the acquisition activities being performed.
Earlier this year, we reported,[Footnote 71] that the program‘s
investment in program management had risen significantly over the past
4 years, particularly in relation to the program‘s declining level of
new system development. The fiscal year 2007 expenditure plan proposes
a level of investment in program management similar to that for 2006.
At the same time, no explanation or justification of such a relatively
large investment in program management-related funding has been
provided. Specifically,
The fiscal year 2003 expenditure plan provided $30 million for program
management and operations. In contrast, the fiscal year 2006 plan
provided $126 million for program management-related functions. At the
same time, funds provided for new development fell from $325 million in
2003 to $93 million in 2006.
Restated, program management costs represented about 9 percent of
planned development costs in 2003 but 135 percent of planned
development in 2006. This means that in 2006, for every dollar spent on
new capabilities, $1.35 was spent on management.
* According to program officials, the fiscal year 2006 plan did not
properly categorize proposed program management-related funding
according to its intended use. They added that future expenditure plans
would provide greater clarity into funds used for management versus
development.
The fiscal year 2007 expenditure plan proposed investing a comparable
percentage of funding on management-related activities vis-a-vis new
development. Specifically, our analysis shows that, for every dollar
invested in new development, $1.25 is to be spent on management-related
activities at either the program or project level.
Charts showing this trend in management-related funding in relation to
new development funding are on the following two pages.
Figure: Development, Operations, and Program/Project Management Cost
Trends, FY-2002-FY2007:
(Dollars in millions.)
[See PDF for image]
Source: GAO analysis of DHS data.
[End of figure]
Figure: Program/Project Management Costs as Percentage of New
Development:
(Percentage of development)
[See PDF for image]
Source: GAO analysis of DHS data.
[End of figure]
The fiscal year 2007 expenditure plan does not explain the reasons for
the sizable investment in management-related activities or otherwise
justify it on the basis of measurable expected value. Without
disclosing and justifying its proposed investment and program
management-related efforts, it is unclear that such a large amount of
funding for these activities represents the best use of resources.
Objective 3: Observation 3:
Exit Remains Inadequately Defined and Justified:
Observation 3: Lack of a well-defined and justified exit solution
introduces the risk of repeating failed and costly past exit efforts.
The decision to invest in a system or system component should be based
on a clear definition of what capabilities, what stakeholders, and what
will be delivered according to what schedule and at what cost.
Moreover, it should be economically justified via reliable analysis
showing that execution of the plan will produce mission value
commensurate with expected costs and risks.
According to the fiscal year 2007 expenditure plan, DHS intends to
begin deploying an exit capability at air and sea POEs and spend $27.3
million doing so. More specifically, the plan states that:
$7.3 million in fiscal year 2007 funding and $20 million in fiscal year
2006 carryover funding will be used, in part, to begin the process of
planning and designing an air and sea exit solution;
the air exit solution will be fully deployed by an unspecified time
during calendar year 2008;
the air exit solution will be integrated with commercial airlines‘
existing passenger check-in processes; and:
the sea exit solution will emulate the technology and operational plans
adopted for air exit.
However, while US-VISIT has developed a high-level schedule for air
exit, information supporting that schedule was not provided to GAO and
no other exit program plans are available that define what will be
done, by what entities, and at what cost to define, acquire, deliver,
deploy, and operate this capability, including plans describing
expected system capabilities, identifying key stakeholder (e.g.,
airlines) roles/responsibilities and buy-in, coordinating and aligning
with related programs, and allocating funding to activities. In
addition, the exit schedule provided by the program office indicates
that the air exit solution is to be fully implemented by June 2009,
which is at least 6 months after the full deployment date provided in
the expenditure plan.
Further, available documentation (e.g., the expenditure plan):
does not define what key terms mean, such as ’full implementation“ and
’integrated;“
does not specify what the $20 million in fiscal year 2006 carryover
funding will be spent on, and only allocates the $7.3 million in fiscal
year 2007 funding to such broad categories of activities as project
management, contractor services, and planning and design; and:
does not describe what has been done and what is planned to engage with
commercial airlines, even though the recently-provided air exit
schedule states that the department plans to issue a proposed federal
regulation requiring airlines to participate in this effort by end of
calendar year 2007.
Moreover, no analysis comparing the life cycle costs of the air exit
solution to its expected benefits and risks is available. In
particular, neither the 2007 expenditure plan nor any other program
documentation describe measurable outcomes (benefits and results) that
will result from an air exit solution.
According to the expenditure plan, significant air exit planning and
testing has been conducted over the past 3 years and the air exit
solution is based in part on these efforts. However, during this time
we have continued to report on fundamental limitations in the
definition and justification of those efforts. For example,
In September 2003,[Footnote 72] we reported that DHS had not
economically justified the initial US-VISIT increment (which was to
include an exit capability at air and sea POEs) on the basis of
benefits, costs, and risks. As result, we recommended that DHS
determine whether proposed incremental capabilities will produce value
commensurate with program costs and risks.
In May 2004,[Footnote 73] we reported that an exit capability
(including biometric capture) was not deployed to the 80 air and 14 sea
POEs as part of Increment 1 deployment in December 2003, as originally
intended. Instead, a pilot exit capability was deployed to only one air
and one sea POE on January 5, 2004. At that time, program officials
told us that it was being piloted at only two locations because they
decided to evaluate other exit alternatives and planned to select an
alternative for full deployment by December 31, 2004.
In February 2005,[Footnote 74] we reported that DHS had not adequately
planned for evaluating the air and sea exit alternatives because the
scope and timeline of the pilot evaluations were compressed. We
recommended that the program office reassess its plans for deploying an
exit capability to ensure that the scope of the pilot provided an
adequate evaluation of alternatives.
In February 2006,[Footnote 75] we reported that DHS had analyzed the
cost, benefits, and risks for its air and sea exit capability, but the
analyses did not demonstrate that the program was producing or would
produce mission value commensurate with expected costs and benefits,
and the costs upon which the analyses were based were not reliable. We
also raised questions about the adequacy of the program‘s air exit
pilot evaluation, noting that the results showed an average compliance
of only 24 percent across the three alternatives. We concluded that
until exit alternatives were adequately evaluated, the program office
would not be in a position to select the best solution. We further
noted that without an effective exit capability, the benefits and the
mission value of US-VISIT would be greatly diminished. We did not make
a recommendation to address this because we had already addressed the
situation through a prior recommendation.
In December 2006,[Footnote 76] we reported that US-VISIT officials had
concluded that a biometric US-VISIT land exit capability could not be
implemented without incurring a major impact on land POE facilities. We
also reported that the land exit pilots had surfaced several
performance problems, such as RFID devices not reading a majority of
travelers‘ tags during testing and multiple RFID devices installed on
poles or structures over roads reading information from the same
traveler tag. We recommended that DHS report to Congress information on
the costs, benefits, and feasibility of deploying biometric and
nonbiometric exit capabilities at land POEs.
In February 2007,[Footnote 77] we reported that DHS had not adequately
defined and justified its past investment in exit pilots and
demonstration projects. We noted that the program had devoted
considerable time and resources to exit but still did not have either
an operational exit capability or a viable exit solution to deploy.
Further, exit-related program documentation did not adequately define
what work was to be done or what these efforts would accomplish and did
not describe measurable outcomes from the pilot or demonstration
efforts, or related cost, schedule, and capability commitments that
would be met. We recommended that planned expenditures be limited for
exit pilots and demonstration projects until such investments are
economically justified and until each investment has a well-defined
evaluation plan.
Notwithstanding these longstanding limitations in planning for and
justifying its exit efforts, and notwithstanding that funding for exit-
related efforts in US-VISIT expenditure plans for fiscal years 2003
through 200668 totals about $250 million, no operational exit
capability exists. Unless the department better plans and justifies its
new exit efforts, it runs the serious risk of repeating this past
failure.
Conclusions:
US-VISIT‘s prime contract cost and schedule metrics show that
expectations are being met, according to available data, although their
earned value management system that the metrics are based on has yet to
be independently certified. Nothwithstanding this, such performance is
a positive sign.
However, the vast majority of the many management weaknesses raised in
this briefing have been the subject of our prior US-VISIT reports and
testimonies, and thus are not new. Accordingly, we have already made a
litany of recommendations to correct each weakness, as well as follow-
on recommendations to increase DHS attention to and accountability for
doing so. Despite this, recurring legislative conditions associated
with US-VISIT expenditure plans continue to be less than fully
satisfied, and recommendations that we made 4 years ago are still not
fully implemented.
Exacerbating this situation is the fact that the DHS did not satisfy
two new legislative conditions associated with the fiscal year 2007
expenditure plan, and serious questions continue to exist about DHS‘s
justification for and readiness to invest current, and potentially
future, fiscal year funding relative to an exit solution and program
management-related activities.
DHS has had ample opportunity to address these many issues, but it has
not. As a result, there is no reason to expect its newly launched exit
endeavor, for example, to produce results different from its past
endeavors”namely, no operational exit solution despite expenditure
plans allocating about a quarter of billion dollars to various exit
activities. Similarly, there is no reason to believe that the program‘s
disproportionate investment in management-related activities represents
a prudent and warranted course of action. All told, this means that
needed improvements in US-VISIT program management practices are long
overdue. Both the legislative conditions and our open recommendations
are aimed at accomplishing these improvements, and thus they need to be
addressed quickly and completely. Thus far, they have not been and the
reasons that they have not are unclear.
Recommendations for Executive Action:
Because our outstanding US-VISIT recommendations already address all of
the management weaknesses discussed in this briefing, we are
reiterating our prior recommendations, and recommending that the
Secretary of DHS report to the department‘s authorization and
appropriations committees on its reasons for not fully addressing its
expenditure plan legislative conditions and our prior recommendations.
Agency Comments:
We provided a draft of this briefing to DHS and US-VISIT program
officials and solicited their comments on it. In response, DHS and US-
VISIT program officials, including the program director, stated that
the briefing was factually correct and that GAO's continued guidance
provided value to the program. They also stated that the program office
would continue to address our open recommendations, and would formally
comment on a draft of our report that transmits the briefing.
Attachment 1:
Scope and Methodology:
To accomplish our first objective,
we reviewed the fiscal year 2007 plan and other available program
documentation related to each condition. In doing so, we examined not
only completed actions and steps, but also planned actions and steps,
including program officials‘ stated commitments to perform such
activities and steps. More specifically, we:
* compared the information in the program‘s fiscal year 2007 Exhibit
300 budget submission and related documentation to capital planning
guidance (OMB A-11 part 7) to determine whether the information
complies with the capital planning and investment controls,
* assessed program documents against criteria in DHS‘s Investment
Review Process to determine whether the program could demonstrate
compliance with the DHS enterprise architecture,
* assessed the program‘s software improvement program to determine the
progress made in developing acquisition processes that meet industry
standards,
* reviewed documentation to determine whether an independent
verification and validation agent was currently under contract,
reviewed documentation to determine whether the expenditure plan
received the required certification and approvals,
* reviewed US-VISIT‘s strategic plan submission and compared it against
federal legislation and guidelines, and GAO strategic planning criteria
to determine whether US-VISIT‘s strategic plan met best practices, and
* reviewed US-VISIT‘s exit submission to determine the extent to which
it described the exit capabilities to be deployed and included a
schedule for deploying these capabilities.
To accomplish our second objective, we:
* Reviewed and analyzed the fiscal year 2007 expenditure plan, US-
VISIT‘s most recent status reports on the implementation of our open
recommendations, and related key documents, augmented as appropriate by
interviews with program officials. Specifically, we reviewed and
analyzed:
* relevant systems acquisition documentation, including the program‘s
process improvement plan, risk management plan, and configuration
management plan;
* the program‘s security plan, privacy impact assessment, and related
system acquisition documents;
* the program‘s most recent draft human capital strategy and related
documents;
We also reviewed the fiscal year 2007 plan to determine whether it
- disclosed key aspects of how the acquisition is being managed,
including management areas that our prior reports on US-VISIT
identified as important but missing (e.g., governance structure,
organizational structure, human capital, systems configuration, and
system capacity); and:
- fully disclosed system capabilities and related benefits as well as
cost and schedule information.
To accomplish our third objective, we reviewed the fiscal year 2007
plan and other available program documentation related to each of the
following areas. In doing so, we examined completed and planned actions
and steps, including program officials‘ stated commitments to perform
them. For earned value, we reported data provided by the contractor to
US-VISIT that is verified by US- VISIT. To assess its reliability, we
reviewed relevant documentation and interviewed the system owner for
the earned value data. More specifically, we addressed US-VISIT efforts
to:
- track and manage cost and schedule commitments by applying
established earned value analysis techniques to baseline and actual
performance data from cost performance reports,
- define and justify program management costs by reviewing and
analyzing data on costs provided as part of the expenditure plan; and:
- define and implement an exit strategy for air, sea, and land by
reviewing and analyzing information provided as part of the expenditure
plan.
Additionally, in February 2007,1 we reported that the system that US-
VISIT uses to manage its finances (U.S. Immigration and Customs
Enforcement‘s Federal Financial Management System (FFMS)) has
reliability issues. In light of these issues, the US-VISIT Budget
Office tracks program obligations and expenditures separately using a
spreadsheet and comparing this spreadsheet to the information in FFMS.
Based on a review of this spreadsheet, there is reasonable assurance
that the US-VISIT budget numbers being reported by FFMS are accurate.
For DHS-provided data that our reporting commitments did not permit us
to substantiate, we have made appropriate attribution indicating the
data‘s source. To assess the reliability of US-VISIT‘s electronic
document repository, we reviewed relevant documentation and talked with
an agency official about data quality control procedures. We determined
the data were sufficiently reliable for the purposes of this report. We
conducted our work at US-VISIT program offices in Arlington, Virginia,
from March 2007 through June 2007, in accordance with generally
accepted government auditing standards.
Attachment 2:
Related Products List:
Related Products List:
* Homeland Security: DHS Enterprise Architecture Continues to Evolve
But Improvements Needed. GAO-07-564. Washington D.C.: May 9, 2007
* Homeland Security: US-VISIT Program Faces Operational, Technological,
and Management Challenges. GAO-07-632T. Washington D.C.: March 20,
2007.
* Homeland Security: US-VISIT Has Not Fully Met Expectations and
Longstanding Program Management Challenges Need to Be Addressed. GAO-
07-499T. Washington D.C.: February 16, 2007.
* Homeland Security: Planned Expenditures for U.S. Visitor and
Immigrant Status Program Need to Be Adequately Defined and Justified.
GAO-07-278. Washington D.C.: February 14, 2007.
* Border Security: US-VISIT Program Faces Strategic, Operational, and
Technological Challenges at Land Ports of Entry. GAO-07-378T.
Washington D.C.: January 31, 2007.
* Border Security: US-VISIT Program Faces Strategic, Operational, and
Technological Challenges at Land Ports of Entry. GAO-07-248. Washington
D.C.: December 6, 2006.
* Homeland Security: Contract Management and Oversight for Visitor and
Immigrant Status Program Need to Be Strengthened. GAO-06-404.
Washington, D.C.: June 9, 2006.
* Homeland Security: Progress Continues, but Challenges Remain on
Department‘s Management of Information Technology. GAO-06-598T.
Washington, D.C.: March 29, 2006.
* Homeland Security: Recommendations to Improve Management of Key
Border Security Program Need to Be Implemented. GAO-06-296. Washington,
D.C.: February 14, 2006.
* Homeland Security: Visitor and Immigrant Status Program Operating,
but Management Improvements Are Still Needed. GAO-06-318T. Washington,
D.C.: January 25, 2006.
* Information Security: Department of Homeland Security Needs to Fully
Implement Its Security Program. GAO-05-700. Washington, D.C.: June 17,
2005.
* Information Technology: Customs Automated Commercial Environment
Program Progressing, but Need for Management Improvements Continues.
GAO-05-267. Washington, D.C.: March 14, 2005.
* Homeland Security: Some Progress Made, but Many Challenges Remain on
U.S. Visitor and Immigrant Status Indicator Technology Program. GAO-05-
202. Washington, D.C.: February 23, 2005.
* Border Security: State Department Rollout of Biometric Visas on
Schedule, but Guidance Is Lagging. GAO-04-1001. Washington, D.C.:
September 9, 2004.
* Border Security: Joint, Coordinated Actions by State and DHS Needed
to Guide Biometric Visas and Related Programs. GAO-04-1080T.
Washington, D.C.: September 9, 2004.
* Homeland Security: First Phase of Visitor and Immigration Status
Program Operating, but Improvements Needed. GAO-04-586. Washington,
D.C.: May 11, 2004.
* Homeland Security: Risks Facing Key Border and Transportation
Security Program Need to Be Addressed. GAO-04-569T. Washington, D.C.:
March 18, 2004.
* Homeland Security: Risks Facing Key Border and Transportation
Security Program Need to Be Addressed. GAO-03-1083. Washington, D.C.:
September 19, 2003.
* Information Technology: Homeland Security Needs to Improve Entry
Exit System Expenditure Planning. GAO-03-563. Washington, D.C.: June 9,
2003.
Attachment 3:
Detailed Description of US-VISIT Program:
The US-VISIT program consists of nine organizations and uses contractor
support services in several areas. The roles and responsibilities of
each of the nine organizations include the following:
Chief Strategist is responsible for developing and maintaining the
strategic vision and related documentation, transition plan, and
business case.
Budget and Financial Management is responsible for establishing the
program‘s cost estimates; analysis; and expenditure management
policies, processes, and procedures that are required to implement and
support the program by ensuring proper fiscal planning and execution of
the budget and expenditures.
Mission Operations Management is responsible for developing business
and operational requirements based on strategic direction provided by
the Chief Strategist.
Outreach Management is responsible for enhancing awareness of the US-
VISIT requirements among foreign nationals, key domestic audiences, and
internal stakeholders by coordinating outreach to media, third parties,
key influencers, Members of Congress, and the traveling public.
Information Technology Management is responsible for developing
technical requirements based on strategic direction provided by the
Chief Strategist and business requirements developed by Mission
Operations Management.
Implementation Management is responsible for developing accurate,
measurable schedules and cost estimates for the delivery of mission
systems and capabilities.
Acquisition and Program Management is responsible for establishing and
managing the execution of program acquisition and management policies,
plans, processes, and procedures. 126 Attachment 3 Detailed Description
of US-VISIT Program
Administration and Training is responsible for developing and
administering a human capital plan that includes recruiting, hiring,
training, and retaining a diverse workforce with the competencies
necessary to accomplish the mission.
Facilities and Engineering Management is responsible for establishing
facilities and environmental policies, procedures, processes, and
guidance required to implement and support the program office. 127
Attachment 3 Detailed Description of US-VISIT Program The program uses
contractor support services in the following six subject matter areas:
Facilities and Infrastructure – provides the infrastructure and
facilities support necessary for current and anticipated future staff
for task orders awarded under the prime contract.
Program-Level Management – defines the activities required to support
the prime contractor‘s program management office, including quality
management, task order control, acquisition support, and integrated
planning and scheduling.
Program-Level Engineering – assures integration across incremental
development of US-VISIT systems and maintains interoperability and
performance goals.
Data Management Support – analyzes data for errors and omissions,
corrects data, reports changes to the appropriate system of record
owners, and provides reports.
Data Management and Governance – provides support in the implementation
of data management architecture and transition and sequencing plans,
conducts an assessment of the current data governance structure and
provides a recommendation for the future data governance structure,
including a data governance plan.
Mission Operations Data Integrity Improvements – determines possible
ways to automate some of the data feeds from legacy systems, making the
data more reliable.
Attachment 4:
Detailed Description of Increments and Component Systems:
Below is a discussion of the processes underlying each increment and
the systems that provide information to US-VISIT.
Increment 1 processes –Increment 1 includes the following five
processes at air and sea ports of entry (POE): pre-entry, entry, status
management, exit, and analysis, which are depicted in the graphic
below.
Figure:
[See PDF for image]
Source: GAO analysis of US-VISIT data, Nova Development Corp.
(clipart).
[End of figure]
Pre-entry process:
Pre-entry processing begins with initial petitions for visas, grants of
visa status, or the issuance of travel documentation. When a foreign
national applies for a visa at a U.S. consulate, biographic and
biometric data are collected and shared with border management
agencies. The biometric data (i.e., fingerprint scan of the right and
left index fingers) are transmitted from the Department of State
(State) to the Department of Homeland Security (DHS), where the
fingerprints are run against the Automated Biometric Identification
System (IDENT) to verify identity and to run a check against the
biometric watch list. The results of the biometric check are
transmitted back to State. A ’hit“ response prevents State‘s system
from printing a visa for the applicant until the information is cleared
by a consular officer.
Pre-entry also includes transmission by commercial air and sea carriers
of crew and passenger manifests before arriving in the United
States.[Footnote 80] These manifests are transmitted through the
Advance Passenger Information System (APIS). The APIS lists are run
against the biographic lookout system and identify those arrivals who
have biometric data available.
In addition, POEs review the APIS list in order to identify foreign
nationals who need to be scrutinized more closely.
Entry process:
When the foreign national arrives at a primary POE inspection booth,
the inspector, using a document reader, scans the machine-readable
travel documents. APIS returns any existing records on the foreign
national to the US-VISIT workstation screen, including manifest data
matches and biographic lookout hits. When a match is found in the
manifest data, the foreign national‘s name is highlighted and outlined
on the manifest data portion of the screen.
Biographic information, such as name and date of birth, is displayed on
the bottom half of the computer screen, as well as the photograph from
State‘s Consular Consolidated Database. The inspector at the booth
scans the foreign national‘s fingerprints (left and right index
fingers) and takes a digital photograph. This information is forwarded
to the IDENT database, where it is checked against stored fingerprints
in the IDENT lookout database.
If no prints are currently in IDENT, the foreign national is enrolled
in US-VISIT (i.e., biographic and biometric data are entered). If the
foreign national‘s fingerprints are already in IDENT, the system
performs a match (a comparison of the fingerprint taken during the
primary inspection to the one on file) to confirm that the person
submitting the fingerprints is the person on file. If the system finds
a mismatch of fingerprints or a watch list hit, the foreign national is
sent to an inspection booth for further screening or processing.
While the system is checking the fingerprints, the inspector questions
the foreign national about the purpose of his or her travel and length
of stay. The inspector adds the class of admission and duration of stay
information into the Treasury Enforcement Communications Systems
(TECS), and stamps the ’admit until“ date on the Form I-94.
If the foreign national is ultimately determined to be inadmissible,
the person is detained, lookouts are posted in the databases, and
appropriate actions are taken.
Within 2 hours after a flight lands and all passengers have been
processed, TECS is to send the Arrival Departure Information System
(ADIS) the records showing the class of admission and the ’admit until“
dates that were modified by the inspector.
Status management process: The status management process manages the
foreign national‘s temporary presence in the United States, including
the adjudication of benefits applications and investigations into
possible violations of immigration regulations.
Commercial air and sea carriers transmit departure manifests
electronically for each departing passenger. These manifests are
transmitted through APIS and shared with ADIS. ADIS matches entry and
exit manifest data to ensure that each record showing a foreign
national entering the United States is matched with a record showing
the foreign national exiting the United States.
ADIS also provides the ability to run queries on foreign nationals who
have entry information but no corresponding exit information.
ADIS receives status information from the Computer Linked Application
Information Management System and the Student and Exchange Visitor
Information System on foreign nationals.
Exit process:
The exit process includes the carriers‘ electronic submission of
departure manifest data to APIS. This biographic information is passed
to ADIS, where it is matched against entry information.
Analysis:
An ongoing analysis capability is to provide for the continuous
screening against watch lists of individuals enrolled in US-VISIT for
appropriate reporting and action. As more entry and exit information
becomes available, it is to be used to analyze traffic volume and
patterns as well as to perform risk assessments. The analysis is to be
used to support resource and staffing projections across the POEs,
strategic planning for integrated border management analysis performed
by the intelligence community, and determination of travel use levels
and expedited traveler programs.
Increment 2B and Increment 3 processes –:
Increments 2B and 3 deployed US-VISIT entry processing capabilities to
land POEs. These two increments are similar to Increment 1 (air and sea
POEs), with several noteworthy differences.
No advance passenger information is available to the inspector before
the traveler arrives for inspection.
Travelers subject to US-VISIT are processed at secondary inspection,
rather than at primary inspection.
Inspectors‘ workstations use a single screen, which eliminates the need
to switch between the TECS and IDENT screens.
Form I-94 data are captured electronically. The form is populated by
data obtained when the machine-readable zone of the travel document is
swiped. If visa information about the traveler exists in the Datashare
database,[Footnote 81] it is used to populate the form. Fields that
cannot be populated electronically are manually entered. A copy of the
completed form is printed and given to the traveler for use upon exit.
No electronic exit information is captured. 2Datashare includes a data
extract from State‘s Consular Consolidated Database system and includes
the visa photograph, biographical data, and the fingerprint
identification number assigned when a nonimmigrant applies for a visa.
Component Systems:
US-VISIT Increments 1 through 3 include the interfacing and integration
of existing systems and, with Increment 2C, the creation of a new
system. The three main existing systems are as follows:
Arrival Departure Information System (ADIS) stores;
* non-citizen traveler arrival and departure data received from air and
sea carrier manifests,
* arrival data captured by CBP officers at air and sea POEs,
* Form I-94 issuance data captured by CBP officers at Increment 2B land
POEs, and:
* status update information provided by the Student and Exchange
Visitor Information System (SEVIS) and the Computer Linked Application
Information Management System (CLAIMS 3) (described below).
ADIS provides record matching, query, and reporting functions.
The passenger processing component of the Treasury Enforcement
Communications Systems (TECS) includes two systems:
* Advance Passenger Information System (APIS) captures arrival and
departure manifest information provided by air and sea carriers, and:
* Interagency Border Inspection System (IBIS) maintains lookout data
and interfaces with other agencies‘ databases.
CBP officers use these data as part of the admission process. The
results of the admission decision are recorded in TECS and ADIS.
The Automated Biometric Identification System (IDENT) collects and
stores biometric data on foreign visitors, including data such as
* Federal Bureau of Investigation information[Footnote 82] on all known
and suspected terrorists, selected wanted persons (foreign-born,
unknown place of birth,previously arrested by DHS), and previous
criminal histories for high-risk countries;
* DHS Immigration and Customs Enforcement information on deported
felons and sexual registrants; and
* DHS information on previous criminal histories and previous IDENT
enrollments.
US-VISIT also exchanges biographic information with other DHS systems,
including SEVIS and CLAIMS 3:
* SEVIS is a system that contains information on foreign students and:
* CLAIMS 3 is a system that contains information on foreign nationals
who request benefits, such as change of status or extension of stay.
Some of the systems involved in US-VISIT, such as IDENT and AIDMS, are
managed by the program office, while some systems are managed by other
organizational entities within DHS. For example:
* TECS is managed by CBP,
* SEVIS is managed by Immigration and Customs Enforcement,
* CLAIMS 3 is under United States Citizenship and Immigration Services,
and:
* ADIS is owned by US-VISIT, but is managed by CBP.
US-VISIT also interfaces with other, non-DHS systems for relevant
purposes, including watch list[Footnote 83] (i.e. lookout) updates and
checks to determine whether a visa applicant has previously applied for
a visa or currently has a valid U.S. visa. In particular, US-VISIT
receives biographic and biometric information from State‘s Consular
Consolidated Database as part of the visa application process, and
returns fingerscan information and watch list changes.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security: Washington, DC 20528:
August 13, 2007:
Mr. Randolph C. Hite:
Director, Information Technology Architecture: and Systems Issues:
441 G Street, NW:
U.S. Government Accountability Office: Washington, DC 20548:
Re: Draft Report GAO-07-1065, Homeland Security: U.S. Visitor and
Immigrant Status Program's Longstanding Lack of Strategic Direction and
Management Controls Needs to be Addressed (GAO Job Code 310650)
Dear Mr. Hite:
The Department of Homeland Security (DHS) appreciates the opportunity
to review and comment on the draft report referenced above. We agree
with the majority of the findings. However, there are some findings
with which DH-S officials disagree, and on which we provide comments
below. Other comments are intended to provide either additional
information or clarification.
As you know, US-VISIT represents the greatest advancement in border
technology in three decades. The Department of Homeland Security
established US-VISIT to achieve the following goals: (1) enhance the
security of our citizens and visitors; (2) facilitate legitimate travel
and trade; (3) ensure the integrity of our immigration system; and (4)
protect the privacy of visitors.
For all the successes of US-VISIT, the Department realizes, and your
report supports the fact, that we need to improve the core areas of the
report that focus on management controls, operational context, and
human capital. We have already established much of the foundation for
meeting future challenges and will continue to improve the necessary
disciplines for excellent program management. We realize that much
needs to be done, and we appreciate the guidance provided by reports
such as this.
US-VISIT officials are establishing an Integrated Project Team to
engage the U.S. Government Accountability Office (GAO) staff to
aggressively review the open recommendations and satisfy and close each
of them. DHS will appreciate consideration of our comments and their
inclusion in any revision in this draft report or any future related
audit report. We will engage with GAO on any questions or concerns you
have with US-VISIT's comments.
GAO notes that DHS has partially implemented recommendations pertaining
to US-VISIT that have been open for four years and provides a summary
of the status.
1. Recommendation: Develop and begin implementing a system security
plan and perform a privacy impact analysis and use the results of this
analysis in near term and subsequent system acquisition decision
making.
DHS Response: US-VISIT officials do not agree with this recommendation
and consider it satisfied based on security activities undertaken in
response to previous GAO recommendations. GAO reported in 2005 that the
US-VISIT program office completed a security plan largely consistent
with federal practice. However, this plan did not properly consider a
security risk assessment. Since that time, US-VISIT has communicated to
GAO that it was replacing the security plan with an enterprise security
strategy and enterprise risk assessment. Officials noted that all
individual systems comprising the US-VISIT program that were under US-
VISIT control had been certified and accredited in accordance with
Office of Management and Budget (OMB) and National Institute of
Standards and Technology (NIST) policy, to include security plans and
risk assessments for each system. US-VISIT completed the enterprise
risk assessment in 2005 and, based on that assessment, an enterprise
security strategy was completed in 2006. US-VISIT delivered an IT
Security Strategy Plan to GAO in January 2007.
As part of GAO's results of analysis on page 35, GAO states that the
program office's security strategy developed in December 2006 ".was
limited to the systems under US-VISIT control and does not mention, for
example, the Treasury Enforcement Communications System (TECS) which
provides biographic information to US- VISIT and is owned by Customs
and I3order Protection (CBP). According to NIST Special Publication
800- 18, a comprehensive security strategy should include all component
systems."
In actuality, NIST publication 800-18 provides guidance for completing
system security plans and not enterprise security strategies.
Furthermore, it notes that systems should have the following
characteristics when determining system boundaries for complex systems:
(1) have the same function or mission objective and essentially the
same operating characteristics and security needs, and (2) reside in
the same general operating environment (or in the case of a distributed
information system, reside in various locations with similar operating
environments).
TECS is a mainframe environment owned by CBP and located in a CBP data
center that serves many other program needs besides US-VISIT. US-VISIT
and CBP have developed and signed Interconnection Security Agreements
(ISAs) which detail the security controls that must be in place prior
to the exchange of any data. These ISAs are consistent with federal
policy in general and DHS policy in particular for sharing data in a
secure manner. The US-VISIT program remains current with all
certification and accreditation documents for systems within its
control. As part of its commitment to security, the program is also
updating the enterprise security strategy and enterprise risk
assessment on a regular basis. In addition, the options available to
US- VISIT to address this risk--developing ISAs and collaborating with
CBP on development efforts to ensure security--are already in place. In
discussing the privacy impact assessment aspect of the recommendation,
GAO notes (pp. 65-66) that "US-VISIT privacy officials recently
conducted an audit of system documentation to ensure that privacy is
being addressed. They found only a single instance where privacy should
have been addressed in system documentation but was not. Finally, our
review of recently issued system documentation shows privacy concerns
are being addressed."
US-VISIT considers this part of the recommendation as satisfied based
on privacy activities undertaken in response to previous GAO
recommendations. The US-VISIT privacy team review identified 250
documents prepared for the Automated Biometric Identification System
(IDENT) since January 1, 2006. Of these, 66 of the more recently
created documents were selected for review. Of the 66 documents
reviewed, seven were determined to be relevant system documents. It was
determined that the remaining documents were not relevant system
documents for including privacy assessments based on the type of system
document or based on the fact that the documents were for system
updates that did not have a privacy impact. Of these seven relevant
system documents, six were determined to have satisfactory discussions
of privacy. One document, the Enumeration Data Management Plan, did not
have a satisfactory discussion of privacy, and that document is being
revised to include the privacy requirements.
2. Recommendation: Develop and implement a plan for satisfying key
acquisition management controls, including acquisition planning,
solicitation, requirements management, project management, contract
tracking, oversight, evaluation, and transition to support, and
implement the controls in accordance with Software Engineering
Institute (SEI) guidance.
DHS Response: US-VISIT officials agree with this recommendation and
have demonstrated efforts to satisfy this recommendation. US-VISIT has
focused on the implementation of six Capability Maturity Model
Integration (CMMI) process areas as a result of the 2005 internal
appraisal. As reflected in the 2006 Process Improvement Plan, the six
process areas are being implemented in two pilot US- VISIT projects as
well as internal program office functional groups that are responsible
for these process areas. An appraisal conducted in May 2006 reported
progress against the US-VISIT 2006 Process Improvement goals. Another
internal appraisal was completed in November 2006, and the results were
briefed to the Management Steering Group (MSG) in December 2006. The
appraisal results showed that the participating projects and program
office functions progressed from 29 fully or largely implemented
practices assessed in 2005 to 55 in November 2006; in addition all 29
practices `not implemented' in 2005 were reduced to zero in November
2006. Follow-up quarterly internal appraisals are planned, and the
results will be reported to the Enterprise Process Group (EPG) and MSG.
US-VISIT has updated the Process Improvement Plan for 2007 to re-
establish goals and define activities to undertake in 2007 to continue
to address strengthening processes. A copy of this document was
provided to the GAO audit team for review.
3. Recommendation: Ensure that expenditure plans fully disclose what
system capabilities and benefits are to be delivered, by when, and at
what cost, as well as how the program is being managed.
DHS Response: US-VISIT officials agree with this recommendation and
have demonstrated efforts to satisfy this recommendation. In developing
the FY 2008 Expenditure Plan, US-VISIT has incorporated into its data
call templates, requirements to: articulate results against prior year
commitments; report project performance against cost and schedule
estimates; link discussions of project capabilities, benefits, and
performance indicators; and provide a clearer explanation of operations
& maintenance and program management costs and results. The draft FY
2008 Expenditure Plan is to be provided to National Protection and
Programs Directorate (NPPD) to begin DHS review and approval at the
beginning of September 2007. This will provide the first evidence of
efforts to address this recommendation.
Addressing Recommendations 4 and 7:
4. Recommendation: Ensure that the human capital and financial
resources are provided to establish a fully functional and effective
program office and associated management capability. Recommendation 7:
Develop and implement a human capital strategy that provides for
staffing open positions with individuals who have the requisite core
competencies (knowledge, skills and abilities).
DHS Response: US-VISIT officials agree with this recommendation and
have demonstrated efforts to satisfy this recommendation. As of 31
December 2006, all 115 Federal positions designated for US-VISIT had
been filled, with recruitment actions in process for 10 vacancies that
resulted from expected turnover. In FY 2006, US-VISIT experienced a 10
percent turnover rate. The current US-VISIT Human Capital Plan,
developed in 2004 to guide strategic human capital initiatives through
2008, is expected to be superseded by a 2007 revision following
approval of US- VISIT's Organizational Improvement Initiative (011).
Currently, 90 of 115 authorized US-VISIT positions are filled. The 25
vacancies are a result of attrition. The attrition was mitigated by a
successful intern program and recruitment and retention program that
was implemented in July 2007, with executive management sponsorship and
dedicated resources from the human capital planning project team.
Further, US-VISIT is fully budgeted to hire its complement of
employees.
5. Recommendation: Clarify the operational context within which US-
VISIT must operate.
DHS Response: US-VISIT officials agree with this recommendation and
have demonstrated efforts to satisfy this recommendation. US-VISIT
continues to incorporate elements of the vision, goals, and objectives
into ongoing activities. US- VISIT has developed a strategic framework
that contains US-VISIT's core purpose and capabilities moving into the
future and its key objectives for the next five years with associated
activities. This document provides the framework for future operations
and other documentation to include (currently in draft and being
reviewed): Mission Needs Statement (MNS) - addresses core mission and
capabilities; Operational Requirements Document (ORD) - contains
performance and operational information; Acquisition Program Baseline
(APB) - presents critical data affecting and supporting the
performance, cost and schedule of the US-VISIT Program's investment
operations for Fiscal Years 2008-2013.
The strategic framework will also be used to update US-VISIT's
strategic plan that will reflect: US-VISIT's transition to NPPD; its
designation as the biometric repository for all of DHS; management
services being provided to immigration and border management; world-
wide trans-border travel security efforts to include adopting
compatible biometric capture and comparison and allowing for
international sharing of pertinent watch list data; and relationships
with other DHS components and programs and other federal agencies.
US-VISIT expects to have its strategic plan, to include those key
elements required by GPRA, updated, reviewed, and approved in FY08. US-
VISIT has been diligently working on the FY08 Expenditure Plan to
ensure projects are mapped to the mission, strategic goals, and
objectives; and provide for traceability of expenditures.
6. Recommendation: Determine whether proposed US-VISIT increments will
produce mission value commensurate with costs and risks and disclose to
its executive bodies and Congress the results of these business cases
and planned actions.
DHS Response: US-VISIT officials agree with this recommendation and
have demonstrated efforts to satisfy this recommendation. In accordance
with capital investment best practices, US-VISIT follows a practice of
incremental program development through a series of increments, or
mission capability enhancements (MCEs), intended to deliver discrete
functional capabilities. Each proposed incremental investment is
subjected to a cost-benefit analysis (CBA) to ensure that the
investment is justified in terms of operational and/or economic value
delivered. CBAs are performed in accordance with a cost-benefit process
that conforms to the requirements of OMB Circular A-94, the DHS CBA
Workbook, and DHS MD-1400. Specifically, where feasible, benefits are
monetized and compared to correlated costs to derive the investment's
net present value.
To ensure uncertainties related to the investment are fully factored in
the analysis, the estimates for both monetized benefits and costs are
subjected to uncertainty analysis, yielding a risk-adjusted return on
investment for each alternative considered. Recognizing that the
quality and precision of the CBA plays a key role in any investment
decision, US-VISIT continues efforts to strengthen its capabilities in
this area through such actions as establishment of a Cost Process
Action Team to assist in refining the program's cost analysis policies
and procedures, the creation of a US- VISIT cost estimation and
analysis process document, and the acquisition of professional services
in the areas of life cycle cost modeling and independent cost analysis.
CBAs underway are currently monitored and reviewed for compliance with
OMB and Software Engineering Institute cost and cost-benefit
guidelines.
7. Recommendation: Develop and implement a human capital strategy that
provides for staffing open positions with individuals who have the
requisite core competencies (knowledge, skills and abilities).
Please see response #4.
8. Recommendation: Develop and implement a risk management plan and
ensure that all high risks and their status are reported regularly to
the appropriate executives.
DHS Response: US-VISIT officials agree with this recommendation and
have demonstrated efforts to satisfy this recommendation. The US-VISIT
Program published a revised Risk Management Plan in 2nd Quarter FY07.
As the risk management program continues to mature, US-VISIT has
observed that the risk management processes (as detailed in the Risk
Management Plan) are being applied throughout the program. Utilization
of the US-VOICE risk database, bi-monthly meetings of the Risk Review
Council (RRC), periodic Risk Review Board (RRB) meetings, vertical and
horizontal communications to stakeholders, monthly Risk Status Reports
provided to the RRC and RRB, and frequent training help to ensure that
risk management is part of the US-VISIT culture.
In the area of training, US-VISIT provided risk management training
classes to US- VISIT personnel (government and contractors) in
accordance with the US-VISIT Risk Management Plan–classes covered the
theory of risk management and the five risk management processes. Since
March 2006, risk management training has included the application of
the US-VOICE risk management database and scenarios to instruct
students in the planning, identification, analysis, handling,
monitoring, and control of risks and issues. High priority risks will
be communicated from the US- VISIT Director to the Under Secretary of
NPPD. In addition to RRBs, high priority risks are briefed to the US-
VISIT Senior Leadership and US-VISIT staff at quarterly Program
Management Reviews (PMRs). US-VISIT provided GAO officials with the
most recent Risk Management Plan dated February 2007.
9. Recommendation: Define performance standards for US-VISIT that are
measurable and reflect the limitations imposed on US-VISIT Capabilities
by relying on existing systems.
DHS Response: US-VISIT officials agree with this recommendation and
have demonstrated efforts to satisfy this recommendation. US-VISIT
completed the selection process for tools to support database
management, application management, enterprise management console,
event/fault management, and performance management. US-VISIT has
formalized an enterprise modeling process to provide decision support
and alternatives analysis for meeting business process performance
expectations by analyzing the end-to-end effects of the physical
environment, network capacity, and performance requirements and back-
end system performance. The models have been used for simulation and
analysis to provide the Unique Identity (UI) Project with the right set
of decision-making elements for the implementation of the right
combination of inspection processes, technical architecture, and
supporting infrastructure. US-VISIT has negotiated Interface Control
Documents/Agreements (ICD/ICA) with those organizations with whom
information is to be generated or shared. Included in these agreements
generally are Service Level Agreements regarding timeliness,
reliability and availability.
To ensure that US-VISIT systems meet internal performance commitments,
an Architecture Improvement Design and Prototype Team has been
established to engineer and build prototypes to verify or clarify the
various enhancements and changes to the current IDENT system during the
modernization phase of the Unique Identity Program. The specific goals
of the prototypes include:
* determining the viability of specific Commercial Off the Shelf
Technology (COTS) products (e.g., biometric middleware, reporting
architectures, and non-incumbent matcher solutions) to reduce costs of
matching and reporting results;
* identifying the most viable architectural alternative for the given
feature;
* evaluating, where possible, the performance of the architecture;
* assessing the reliability, maintainability, and availability of the
architecture;
* assessing and prototype implementation alternatives to enhance
security features;
* estimating required architecture sizing to meet long-term scale; and
* determining the optimal tuning to enhance matching accuracy while
reducing costs.
In discussing its observations on the expenditure plan and management
of US-VISIT, GAO correctly comments that prime contract cost and
schedule expectations are being met. GAO then states that aspects of
the program continue to lack definition and justification.
Specifically, GAO observed (page 9) a "lack of a well-defined and
justified exit solution introduces the risk of repeating failed and
costly past exit efforts."
The overall impression created by this language is that the proofs of
concept for exit operations at the air ports of entry (POEs) and I-94
Radio Frequency Identification test operations at the land POEs were a
failure because they did not immediately conclude with operational
systems. GAO presents the proof of concepts as ends in themselves and
implies that the experiences and empirical data gained from the proofs
of concept were not worth their costs. In omitting any discussion of,
and implicitly devaluing, the operational experience gained from the
proofs. of concept and how that data can or will be used in developing
a more workable future system, the undertaking may, unfortunately, be
considered a failure by GAO. We would draw a different conclusion. US-
VISIT had always intended to end the proofs of concept and use what was
learned.
GAO did not include biographic exit procedures (as later described at
pp. 134-135 of the draft report) in the June 2007 briefing material
provided to the staffs of the Subcommittees on Homeland Security,
Senate and House Committees on Appropriations (page 16, Acquisition
Strategy, Description and History of Increments, Increment 1),
notwithstanding its important historical and current use as part of the
exit process.
GAO informed the staffs of the subcommittees (page 33) that the fiscal
year 2007 US-VISIT expenditure plan, related program documentation, and
program officials' statements satisfied (in part or total) most, but
not all, of the legislative conditions. Specifically, GAO discussed
whether the plan, related program documentation and program officials'
statements satisfied or partially satisfied all aspects of the capital
planning and investment control review requirements established by OMB,
including OMB Circular A-1 1, part 7. We appreciate the opportunity to
comment on this draft report.
Sincerely,
Signed by:
Steven J. Pecinovsky:
Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Randolph C. Hite, (202) 512-3439 or h [Hyperlink, hiter@gao.gov]
iter@gao.gov:
Staff Acknowledgments:
In addition to the contact named above, Tonia Johnson (Assistant
Director), Eric Costello, Deborah Davis, Neil Doherty, Nancy Glover,
Joshua Hammerstein, David Hinchman, Scott Pettis, Karl Seifert, Teresa
Smith, Daniel Wexler, and Charles Youman made key contributions to this
report.
[End of section]
Footnotes:
[1] Pub. L. No. 109-295 (Oct. 4, 2006).
[2] Our reports on US-VISIT expenditure plans have resulted in 28
recommendations, 6 of which pertain to the US-VISIT expenditure plan
and 22 of which pertain to the US-VISIT program. The recommendations
that we focused on are those that have been open for 4 years. For a
full list of US-VISIT-related GAO reports, see appendix I, attachment
2.
[3] One additional legislative condition--that the plan be reviewed by
us--was also satisfied.
[4] House Committee on Homeland Security, Hacking the Homeland:
Investigating Cybersecurity Vulnerabilities at the Department of
Homeland Security: Hearing before the Subcommittee on Emerging Threats,
Cybersecurity, and Science and Technology, 110th Cong., 1st sess.,
2007.
[5] This recommendation merges two of our prior recommendations.
[6] GAO, Homeland Security: DHS Enterprise Architecture Continues to
Evolve, but Improvements Needed, GAO-07-564 (Washington D.C.: May 9,
2007).
[7] The focus of our review was DHS EA 2006. In March 2007, DHS issued
HLS EA 2007.
[8] Air and Sea Exit Deployment.
[9] GAO, Homeland Security: Recommendations to Improve Management of
Key Border Security Program Need to Be Implemented, GAO-06-296
(Washington, D.C.: Feb. 14, 2006).
[10] The EVM system used by the prime contractor has yet to be
certified by an outside agent (see briefing slide 36 in app. I for
details).
[11] GAO, Information Security: Homeland Security Needs to Immediately
Address Significant Weaknesses in Systems Supporting the US-VISIT
Program, GAO-07-870 (Washington, D.C.: July 13, 2007).
[12] 1Pub. L. No. 109-295 (Oct. 4, 2006).
[13] OMB Circular A-11 establishes policy for planning, budgeting,
acquisition, and management of federal capital assets.
[14] Our reports on US-VISIT expenditure plans have resulted in 28
recommendations, six of which pertain to the US-VISIT expenditure plan
and 22 of which pertain to the US-VISIT program. The recommendations
that we focused on are those that have been open for 4 years. For a
full list of US-VISIT related GAO reports, see attachment 2.
[15] See attachment 3 for more details on the current organization
structure. A proposed program office reorganization is currently being
reviewed by DHS.
[16] An indefinite-delivery/indefinite-quantity contract provides for
an indefinite quantity, within stated limits, of supplies or services
during a fixed period of time. The government schedules deliveries or
performance by placing orders with the contractor.
[17] Accenture's partners in this contract include, among others,
Raytheon Company, the Titan Corporation, and SRA International, Inc.
[18] On September 30, 2004, US-VISIT expanded biometric entry
procedures to include individuals from visa waiver countries applying
for admission.
[19] Legislation requiring the installation of software and equipment
at POEs to authenticate machine-readable visas and travel documents and
to have visa waiver countries issue e-Passports established a deadline
of October 26, 2004 (Pub. L. No. 107-173, (May 14, 2002)), but this
date was subsequently changed (Pub. L. No. 108-299 (Aug. 9, 2004)) to
October 26, 2005, before DHS and State requested an extension from the
congressional committee providing oversight to change the date to
October 26, 2006.
[20] Form I-94s are used to record a foreign national's entry into the
United States. The form as two parts-arrival and departure-containing a
unique number for the purposes of recording and matching the arrival
and departure records of nonimmigrants.
[21] For example, dimplomats and persons under the age of 14 or over
the age of 70 are exempt from US-VISIT.
[22] Radio frequency technology relies on proximity cards and card
readers. Radio frequency devices read the information contained on the
card when the card is passed near the device. The information can
contain personal identification of the cardholder.
[23] At one POE, these capabilities were deployed by December 19, 2005,
but were not fully operational until January 7, 2006, because of a
telephone company strike that prevented the installation of a high-
capacity communications line.
[24] For details on the processes underlying each increment and systems
supplying information to US-VISIT, see attachment 4.
[25] In fiscal year 2003, the expenditure plan called for $375 million,
but the appropriated amount was for $362 million. The difference of $13
million was to have been made up through authorized user fees collected
by U.S. Immigration and Customs Enforcement. However, only $5 million
in user fees was provided to the program, for a total of $367 million.
[26] These services verify and authenticate the origins of e-passports
and traveler's identities.
[27] The iDSM is a prototype of new functionality allowing US-VISIT and
Federal Bureau of Investigation to share biometric and associated
biographic information. It was deployed in September 2006.
[28] OMB Circular A-11, part 7 establishes policy for planning,
budgeting, acquisition, and management of federal capital assets.
[29] The condition was that the program office resubmit documentation
upon approval of the US-VISIT strategic plan, which at the time was to
be January 2005.
[30] GAO, Homeland Security: Some Progress Made, but Many Challenges
Remain on U.S. Visitor and Immigrant Status Indicator Technology
Program, GAO-05-202 (Washington D.C.: Feb. 23, 2005).
[31] Department of Homeland Security, US-VISIT Mission Needs Statement
(Washington, D.C.: Nov. 20, 2003).
[32] GAO, Homeland Security: DHS Enterprise Architecture Continues to
Evolve, But Improvements Needed, GAO-07-564 (Washington D.C.: May 9,
2007).
[33] We did not review the program‘s compliance with the Federal
Acquisition Regulation.
[34] See, for example, the Clinger-Cohen Act of 1996, Pub. L. No. 104-
106, (Feb. 10, 1996) and OMB Circular A-130.
[35] GAO, Homeland Security: Risks Facing Key Border and Transportation
Security Program Need to be Addressed, GAO-03-1083 (Washington D.C.:
Sept. 19, 2003).
[36] The CMMIŽ ranks organizational maturity according to five levels.
Maturity levels 2 through 5 require verifiable existence and use of
certain key process areas.
[37] GAO, Homeland Security: Contract Management and Oversight for
Visitor and Immigrant Status Program Need to Be Strengthened, GAO-06-
404 (Washington, D.C.: June 9, 2006).
[38] Financial controls include practices to provide accurate,
reliable, and timely accounting for billings and expenditures.
[39] One IV&V contractor was obtained to assess organizational program
risk. The second IV&V contractor was obtained to independently assess
system testing activities.
[40] Government Performance and Results Act of 1993, Pub. L. No. 103-62
(Aug. 3, 1993) and OMB Circular A-11, Preparation, Submission, and
Execution of the Budget, (June 30, 2006) provide guidance in this
instance since the US-VISIT strategic plan is not an agencywide
strategic plan.
[41] GAO, Managing for Results: Critical Issues for Improving Federal
Agencies‘ Strategic Plans, GAO/GGD-97-180 (Washington, D.C.: Sep. 16,
1997).
[42] The fiscal year 2007 expenditure plan contains an appendix titled
’Comprehensive Strategic Plan for US-VISIT,“ which the US-VISIT Program
Director told us is the program‘s approved strategic plan.
[43] The eight capabilities are: (1) identify a person, (2) assess risk
and eligibility, (3) record entry, exit, and status, (4) take law
enforcement actions, (5) communicate with external entities, (6) manage
knowledge, information, and intelligence, (7) manage the immigration
and border management enterprise and (8) infrastructure development. In
an earlier section of the strategic plan, only seven of the
capabilities are discussed, omitting ’infrastructure development.“
[44] The Advanced Passenger Information System captures arrival and
departure manifest information provided by air and sea carriers.
[45] Secure Flight is a program being developed by TSA to prescreen
passengers – or match passenger information against terrorist watch
lists to identify individuals who should undergo additional security
scrutiny – for domestic flights.
[46] GAO, Border Security: US-VISIT Program Faces Strategic,
Operational, and Technological Challenges at Land Ports of Entry, GAO-
07-248 (Washington, D.C.: Dec. 6, 2006).
[47] I-94 forms are used to track foreign nationals‘ arrivals and
departures. Each form is divided into two parts: an entry portion and
an exit portion. Each form contains a unique number printed on both
portions of the form for the purposes of subsequent recording and
matching the arrival and departure records for nonimmigrants.
[48] GAO-05-202.
[49] Information in a form that permits individuals to be identified.
[50] GAO, Homeland Security: Recommendations to Improve Management of
Key Border Security Program Need to Be Implemented, GAO-06-296
(Washington, D.C.: February 14, 2006).
[51] This recommendation is the merger of two of our prior
recommendations.
[52] GAO, Information Technology: Homeland Security Needs to Improve
Entry Exit System Expenditure Planning, GAO-03-563 (Washington,
D.C.:June 9, 2003).
[53] GAO-03-1083.
[54] GAO-03-1083.
[55] GAO-03-1083.
[56] GAO-06-296.
[57] GAO-07-278.
[58] Pub. L. No. 108-458, § 7209, 118 Stat. 3638, 3823 (Dec. 17, 2004).
[59] GAO-07-564.
[60] The focus of our review was the DHS EA 2006. In March 2007, DHS
issued HLS 2007.
[61] This recommendation is the merger of three recommendations.
[62] GAO-03-563, GAO-03-1083, and GAO-05-202.
[63] GAO-06-296.
[64] We have ongoing work to address, among other things, these
business cases.
[65] GAO-03-1083.
[66] GAO-06-296.
[67] GAO-03-1083.
[68] GAO-06-296.
[69] GAO-06-296.
[70] The EVM system used by the prime contractor has yet to be
certified by an outside agent (see page 36 for details).
[71] GAO-07-278.
[72] GAO-03-1083.
[73] GAO, Homeland Security: First Phase of Visitor and Immigrant
Status Program Operating, but Improvements Needed, GAO-04-586
(Washington, D.C.: May 11, 2004).
[74] GAO-05-202.
[75] GAO-06-296.
[76] GAO-07-248.
[77] GAO-07-278.
[78] As reported in the fiscal year 2005 and revised 2006 expenditure
plans. The fiscal year 2007 plan reported that of this amount, $53.1
million was still available as prior year carryover ($17.7 million from
land and $35.4 million from air and sea). Our assessment of these
reported numbers is detailed in the Scope and Methodology discussion
found in Attachment 1.
[79] GAO-07-278.
[80] Pub. L. 107-173 (May 14, 2002).
[81] Datashare includes a data extract from State‘s Consular
Consolidated Database system and includes the visa photograph,
biographical data, and the fingerprint identification number assigned
when a nonimmigrant applies for a visa.
[82] Information from the Federal Bureau of Investigation includes
fingerprints from the Integrated Automated Fingerprint Identification
System.
[83] Watch list data sources include DHS‘s Customs and Border
Protection and Immigration and Customs Enforcement; the Federal Bureau
of Investigation; legacy DHS systems; the U.S. Secret Service; the U.S.
Coast Guard; the Internal Revenue Service; the Drug Enforcement Agency;
the Bureau of Alcohol, Tobacco, & Firearms; the U.S. Marshals Service;
the U.S. Office of Foreign Asset Control; the National Guard; the
Treasury Inspector General; the U.S. Department of Agriculture; the
Department of Defense Inspector General; the Royal Canadian Mounted
Police; the U.S. State Department; Interpol; the Food and Drug
Administration; the Financial Crimes Enforcement Network; the Bureau of
Engraving and Printing; and the Department of Justice Office of Special
Investigations.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office: 441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-
mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400:
U.S. Government Accountability Office: 441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Susan Becker,Acting Manager, Beckers@gao.gov (202) 512-4800:
U.S. Government Accountability Office: 441 G Street NW, Room 7149:
Washington, D.C. 20548: