Homeland Security
U.S. Visitor and Immigrant Status Indicator Technology Program Planning and Execution Improvements Needed
GAO ID: GAO-09-96 December 12, 2008
This is the accessible text file for GAO report number GAO-09-96
entitled 'Homeland Security: U.S. Visitor and Immigrant Status
Indicator Technology Program Planning and Execution Improvements
Needed' which was released on December 12, 2008.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
United States Government Accountability Office:
GAO:
December 2008:
Homeland Security:
U.S. Visitor and Immigrant Status Indicator Technology Program Planning
and Execution Improvements Needed:
GAO-09-96:
GAO Highlights:
Highlights of GAO-09-96, a report to congressional committees.
Why GAO Did This Study:
The Department of Homeland Security (DHS) has established a program
known as U.S. Visitor and Immigrant Status Indicator Technology
(US-VISIT) to collect, maintain, and share information, including biometric
identifiers, on certain foreign nationals who travel to and from the
United States. By congressional mandate, DHS is to develop and submit
an expenditure plan for US-VISIT that satisfies certain conditions,
including being reviewed by GAO. GAO's objectives were to (1) determine
if the plan satisfies the twelve legislative conditions and (2) provide
observations about the plan and management of the program. To
accomplish this, GAO assessed the plan and related DHS certification
letters against each aspect of each legislative condition and assessed
program documentation against federal guidelines and industry
standards.
What GAO Found:
The fiscal year 2008 US-VISIT expenditure plan does not fully satisfy
any of the eleven conditions required of DHS by the Consolidated
Appropriations Act, 2008, either because the plan does not address key
aspects of the condition or because what it does address is not
adequately supported or is otherwise not reflective of known program
weaknesses. More specifically, of the eleven conditions, the plan
partially satisfies eight. For example, while the plan includes a
listing of GAO recommendations, it does not provide milestones for
addressing these recommendations, as required by the act. Further,
although the plan includes a certification by the DHS Chief Procurement
Officer that the program has been reviewed and approved in accordance
with the department's investment management process, and that this
process fulfills all capital planning and investment control
requirements and reviews established by the Office of Management and
Budget, the certification is based on information that pertains to the
fiscal year 2007 expenditure plan and fiscal year 2009 budget
submission, rather than to the fiscal year 2008 expenditure plan.
Moreover, even though the plan provides an accounting of operations and
maintenance and program management costs, the plan does not separately
identify the program's contractor services costs, as required by the
act. With regard to the remaining three legislative conditions, the
plan does not satisfy any of them. For example, the plan does not
include a certification by the DHS Chief Human Capital Officer that the
program's human capital needs are being strategically and proactively
managed and that the program has sufficient human capital capacity to
execute the expenditure plan. Further, the plan does not include a
detailed schedule for implementing an exit capability or a
certification that a biometric exit capability is not possible within 5
years. The twelfth legislative condition was satisfied by our review of
the expenditure plan.
Beyond the expenditure plan, GAO observed that other program planning
and execution limitations and weaknesses also confront DHS in its quest
to deliver US-VISIT capabilities and value in a timely and
cost-effective manner. Concerning DHS's proposed biometric air and sea exit
solution, for example, the reliability of the cost estimates used to
justify the proposed solution is not clear, the proposed solution would
provide less security and privacy than other alternatives, and public
comments on the proposed solution raise additional concerns, including
the impact the solution would have on the industry's efforts to improve
passenger processing and travel. Moreover, the program's risk
management database shows that key risks are not being managed.
Finally, frequent rebaselining of one of the program's task orders has
minimized the significance of schedule variances. Collectively, this
means that additional management improvements are needed to effectively
define, justify, and deliver a US-VISIT system solution that meets
program goals, reflects stakeholder input, minimizes exposure to risk,
and provides Congress with the means by which to oversee program
execution. Until these steps are taken, US-VISIT program performance,
transparency, and accountability will suffer.
What GAO Recommends:
GAO is recommending that the Secretary direct the department's
Investment Review Board to immediately review the program relative to
the findings and observations in this report and report the results to
Congress. In written comments on a draft of this letter, DHS officials
said that they agreed with GAO's recommendations.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-09-96]. For more
information, contact Randolph C. Hite at (202) 512-3439 or
hiter@gao.gov.
[End of section]
Contents:
Letter:
Compliance with Legislative Conditions:
Observations on US-VISIT:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Briefing for Staff Members of the Subcommittees on Homeland
Security, Senate and House Committees on Appropriations:
Appendix II: Comments from the Department of Homeland Security:
Appendix III: GAO Contact and Staff Acknowledgments:
Abbreviations:
ADIS: Arrival and Departure Information System:
APIS: Advance Passenger Information System:
CHCO: chief human capital officer:
CIO: chief information officer:
CPO: chief procurement officer:
CLAIMS 3: Computer Linked Application Information Management System:
DHS: Department of Homeland Security:
DCMA: Defense Contract Management Agency:
EA: enterprise architecture:
EAB: enterprise architecture board:
ELCM: enterprise life cycle methodology:
EVM: earned value management:
FBI: Federal Bureau of Investigation:
IAFIS: Integrated Automated Fingerprint Identification System:
IV&V: independent verification and validation:
IBIS: Interagency Border Inspection System:
IDENT: Automated Biometric Identification System:
iDSM: Interim Data Sharing Model:
MDP: milestone decision point:
NPRM: Notice of Proposed Rule Making:
OMB: Office of Management and Budget:
OIG: Office of Inspector General:
POE: ports of entry:
SEVIS: Student and Exchange Visitor Information System:
TECS: Treasury Enforcement Communications System:
UDM: US-VISIT Delivery Methodology:
US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
December 12, 2008:
The Honorable Robert C. Byrd:
Chairman:
The Honorable Thad Cochran:
Ranking Member:
Subcommittee on Homeland Security:
Committee on Appropriations:
United States Senate:
The Honorable David E. Price:
Chairman:
The Honorable Harold Rogers:
Ranking Member:
Subcommittee on Homeland Security:
Committee on Appropriations:
House of Representatives:
The Department of Homeland Security (DHS) submitted to Congress on June
12, 2008, its fiscal year 2008 expenditure plan for the U.S. Visitor
and Immigrant Status Indicator Technology (US-VISIT) program pursuant
to the Consolidated Appropriations Act, 2008.[Footnote 1] US-VISIT is a
governmentwide program to collect, maintain, and share information on
foreign nationals who enter and exit the United States. The program's
goals are to enhance the security of U.S. citizens and visitors,
facilitate legitimate trade and travel, ensure the integrity of the
U.S. immigration system, and protect the privacy of visitors to the
United States. Currently, US-VISIT entry capabilities are operating at
over 300 land, sea, and air ports of entry; however, exit capabilities
are not yet operating. DHS near-term plans call for enhancing existing
biometric collection, identification, and sharing capabilities, as well
as introducing an exit capability at airports and seaports.
As required by the appropriations act, we reviewed US-VISIT's fiscal
year 2008 expenditure plan. Our objectives were to (1) determine
whether the plan satisfies the legislative conditions and (2) provide
observations about the plan and management of the program.
On September 15, 2008, we briefed the staffs of the Senate and House
Appropriations Subcommittees on Homeland Security on the results of our
review. This letter summarizes and transmits these results, with the
exception of information that DHS deemed contractor sensitive. A
redacted version of the briefing, including our scope and methodology,
is reprinted in appendix I.[Footnote 2] In a separate report designated
"For Official Use Only," we summarize and transmit the full briefing.
We performed this audit from June 2008 to September 2008 in accordance
with generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
Compliance with Legislative Conditions:
The US-VISIT expenditure plan partially satisfies 8 of the 11
legislative conditions required of DHS.[Footnote 3] For example, the
plan partially satisfies the legislative conditions that it:
* contain a listing of all open GAO and DHS Office of Inspector General
recommendations. Specifically, while the plan did include a listing and
status of our recommendations, it did not provide milestones for
addressing any of the recommendations, as required by the act.
* include a certification by the DHS Chief Procurement Officer that the
program was reviewed and approved in accordance with the department's
investment management process and that this process fulfilled all
capital planning and investment control requirements and reviews
established by the Office of Management and Budget (OMB). While the
plan did include such a certification, it was based on information that
pertains to the fiscal year 2007 expenditure plan and the fiscal year
2009 budget submission, rather than on the fiscal year 2008 expenditure
plan, as required by the act.
* include an architectural compliance certification by the Chief
Information Officer that the system architecture of the program is
sufficiently aligned with the information system enterprise
architecture of DHS. Specifically, while the plan did include such a
certification, the basis for the certification was an assessment
against the 2007 DHS enterprise architecture, which is a version that
we recently reported to be missing important US-VISIT architectural
content.[Footnote 4]
* provide a detailed accounting of operations and maintenance,
contractor services, and program management costs. While the plan did
provide an accounting of operations and maintenance, and program
management costs, it did not separately identify the program's
contractor costs, as required by the act.
The plan does not satisfy the remaining three conditions that apply to
DHS. Specifically:
* The expenditure plan did not explicitly define how funds are to be
obligated to meet future program commitments, including linking the
planned expenditure of funds to milestone-based delivery of specific
capabilities and services. While the plan linked funding to four broad
core capability areas and associated projects, it did not link this
planned use of funds to milestones, and it did not consistently
decompose projects into specific mission capabilities, services,
performance levels, benefits and outcomes, or program management
capabilities.
* The expenditure plan did not include a certification by the DHS Chief
Human Capital Officer that the program's human capital needs are being
strategically and proactively managed and that the program has
sufficient human capital capacity to execute the expenditure plan.
While the plan contained a certification, it only addressed that the
human capital plan reviewed by the Chief Human Capital Officer
contained specific initiatives to address the hiring, development, and
retention of program employees and that a strategy existed to develop
indicators to measure the progress and results of these initiatives. It
did not address the implementation of this plan or whether the current
human capital capabilities were sufficient to execute the expenditure
plan.
* The expenditure plan did not include a complete schedule for the full
implementation of a biometric exit program or certification that a
biometric exit program is not possible within 5 years. While the plan
contains a very high-level schedule that identifies five broadly
defined tasks and high-level milestones, the schedule did not include,
among other things, decomposition of the program into a work breakdown
structure or sequencing, integrating, or resourcing each work element
in the work breakdown structure.
Observations on US-VISIT:
We are making five observations about US-VISIT relative to its proposed
exit solution, its management of program risks, and its use of earned
value management. These observations are summarized here.
* Reliability of cost estimates for air and sea exit alternatives is
not clear.
In developing its air and sea exit Notice of Proposed Rule Making
(NPRM), DHS is required to prepare a written assessment of the costs,
benefits, and other effects of its proposal and a reasonable number of
alternatives and to adopt the least costly, most cost-effective, or
least burdensome among them. To accomplish this, it is important that
DHS have reliable cost estimates for its proposed and alternative
solutions.
However, the reliability of the estimates that DHS developed is not
clear because (1) DHS documents characterize the estimates as being, by
definition, rough and imprecise, but DHS officials responsible for
developing the estimates stated that this characterization is not
accurate; (2) our analysis of the estimates' satisfaction of cost
estimating best practices shows that while DHS satisfied some key
practices, it did not fully satisfy others or the documentation
provided was not sufficient for us to determine whether still other
practices were met; and (3) data on certain variables pertaining to
airline costs were not available for inclusion in the estimates, and
airlines report that these costs were understated in the estimates.
* DHS reports that the proposed air and sea exit solution provides less
security and privacy than other alternatives.
Adequate security and privacy controls are needed to assure that
personally identifiable information is secured against unauthorized
access, use, disclosure, or retention. Such controls are especially
needed for government agencies, where maintaining public trust is
essential. In the case of US-VISIT, one of its stated goals is to
protect the security and privacy of U.S. citizens and visitors.
DHS's proposed air and sea exit solution would require air and vessel
carriers to implement and manage the collection of biometric data at
the location(s) of their choice. However, the NPRM states that having
carriers collect the biometric information is less secure than
alternatives where DHS collects the information, regardless of the
information collection point. Similarly, the NPRM states that the
degree of confidence in compliance with privacy requirements is lower
when DHS does not maintain full custody of personally identifiable
information.
* Public comments on the proposed air and sea exit solution raise a
range of additional concerns.
Ninety-one entities--including the airline, trade, and travel
industries, as well as federal, state, and foreign governments--
commented on the air and sea exit proposal. The comments that were
provided raised a number of concerns and questions about the proposed
solution. For example, comments stated that (1) technical requirements
the carriers must meet in delivering their respective parts of the
proposed solution had yet to be provided; (2) the proposed solution
conflicts with air and vessel carrier passenger processing
improvements; (3) the proposed solution is not fully integrated with
other border screening programs involving air carriers; and (4)
stakeholders were not involved in this rulemaking process as they had
been in previous rulemaking efforts.
* Risk management database shows that some program risks have not been
effectively managed.
Proactively managing program risks is a key acquisition management
control and, if defined and implemented properly, it can increase the
chances of programs delivering promised capabilities and benefits on
time and within budget. To its credit, the US-VISIT program office has
defined a risk management plan and related process that is consistent
with relevant guidance. However, its own risk database shows that all
risks have not been proactively mitigated. As we have previously
reported, not proactively mitigating risks increases the chances that
risks become actual cost, schedule, and performance problems.
* Significance of a task order's schedule variances has been minimized
by frequent rebaselining.
According to the GAO Cost Assessment Guide,[Footnote 5] rebaselining
should occur rarely, as infrequently as once in the life of a program
or project. Schedule rebaselining should occur only when a schedule
variance is significant enough to limit its utility as a predictor of
future schedule performance. For task order 7, the prime contractor's
largest task order,[Footnote 6] the program office has rebaselined its
schedule twice in the last 2 years--first in October 2006 and again in
October 2007. This rebaselining has resulted in the task order showing
a $3.5 million variance, rather than a $7.2 million variance that would
exist without either of the rebaselinings.
Conclusions:
DHS has not adequately met the conditions associated with its
legislatively mandated fiscal year 2008 US-VISIT expenditure plan. The
plan does not fully satisfy any of the conditions that apply to DHS,
either because it does not address key aspects of the condition or
because what it does address is not adequately supported or is
otherwise not reflective of known program weaknesses. Given that the
legislative conditions are intended to promote the delivery of promised
system capabilities and value, on time and within budget, and to
provide Congress with an oversight and accountability tool, these
expenditure plan limitations are significant.
Beyond the expenditure plan, other program planning and execution
limitations and weaknesses also confront DHS in its quest to deliver
US-VISIT capabilities and value in a timely and cost-effective manner.
Most notably, DHS has proposed a solution for a long-awaited exit
capability, but it is not clear if the cost estimates used to justify
it are sufficiently reliable to do so. Also, DHS has reported that the
proposed solution provides less security and privacy than other
alternatives analyzed, and the proposed solution is being challenged by
those who would be responsible for implementing it. Further, DHS's
ability to measure program performance and progress, and thus be
positioned to address cost and schedule shortfalls in a timely manner,
is hampered by weaknesses in the prime contractor's implementation of
earned value management. Each of these program planning and execution
limitations and weaknesses introduces risk to the program.
In addition, DHS is not effectively managing the program's risks, as
evidenced by the program office's risk database showing that known
risks are being allowed to go years without risk mitigation and
contingency plans. Overall, while DHS has taken steps to implement a
significant percentage of our prior recommendations aimed at improving
management of US-VISIT, additional management improvements are needed
to effectively define, justify, and deliver a system solution that
meets program goals, reflects stakeholder input, minimizes exposure to
risk, and provides Congress with the means by which to oversee program
execution. Until these steps are taken, US-VISIT program performance,
transparency, and accountability will suffer.
Recommendations for Executive Action:
To assist DHS in planning and executing US-VISIT, we recommend that the
Secretary of Homeland Security direct the department's Investment
Review Board to review the reasons for the plan's limitations and
address the challenges and weaknesses raised by our observations about
the proposed air and sea exit solution, risk management, and the
implementation of earned value management, and to report the results to
Congress.
Agency Comments and Our Evaluation:
In written comments on a draft of this report, signed by the Director,
Departmental Audit Liaison Office, and reprinted in appendix II, DHS
concurred with our recommendations and stated that the department's
Investment Review Board would meet for the purpose of reviewing
US-VISIT and addressing our findings and recommendations. Moreover, DHS
commented that our report has prompted the department to modify the
fiscal year 2009 US-VISIT expenditure plan to provide greater
visibility into operations and maintenance and program management
expenditures, and to include milestones and performance targets for
planned accomplishments, mitigation plans, milestones for closing open
recommendations, and results relative to prior year commitments. DHS
also commented that after it received our report for comment, it issued
an interim policy for managing investments, such as US-VISIT, and thus
it disagreed with one of our findings relative to one of the
legislative conditions--namely that DHS's investment management process
is not sufficiently mature. However, DHS did not provide the policy
itself, thus we were not able to determine whether it addressed our
concerns. Further, the memo states that the policy is draft and that
implementation of the policy, including training, still needs to occur.
Thus, while we have modified our briefing document to reflect the
policy's issuance, we have not modified our conclusion that DHS's
investment management process is not sufficiently mature.
We are sending copies of this report to the Chairmen and Ranking
Minority Members of other Senate and House committees and subcommittees
that have authorization and oversight responsibilities for homeland
security. We are also sending copies to the Secretary of Homeland
Security, Secretary of State, and the Director of OMB. Copies of this
report will also be available at no charge on our Web site at
[hyperlink, http://www.gao.gov].
If you or your staffs have any questions on matters discussed in this
report, please contact me at (202) 512-3439 or at hiter@gao.gov.
Contact points for our Offices of Congressional Relations and Public
Affairs may be found on the last page of this report. GAO staff who
have made significant contributions to this report are listed in
appendix III.
Signed by:
Randolph C. Hite:
Director, Information Technology Architecture and Systems Issues:
[End of section]
Appendix I: Briefing for Staff Members of the Subcommittees on Homeland
Security, Senate and House Committees on Appropriations:
Homeland Security: U.S. Visitor and Immigrant Status Indicator
Technology Program Planning and Execution Improvements Needed:
Briefing for staff members of the Subcommittees on Homeland Security
Senate and House Committees on Appropriations:
September 15, 2008*:
* This briefing has been amended on page 44 to address DHS comments.
Briefing Overview:
Introduction:
Objectives:
Scope and Methodology:
Results in Brief:
Background:
Results:
* Legislative Conditions;
* Observations:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Attachment 1: Objectives, Scope, and Methodology:
Attachment 2: Related Projects List:
Attachment 3: Detailed Description of Increments and Component Systems;
Attachment 4: Status of Prior GAO Recommendations:
[End of Briefing Overview section]
Introduction:
U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) is a
Department of Homeland Security (DHS) program for collecting,
maintaining, and sharing information on foreign nationals who enter and
exit the United States. The goals of US-VISIT are to:
* enhance the security of U.S. citizens and visitors,
* facilitate legitimate travel and trade,
* ensure the integrity of the U.S. immigration system, and
* protect the privacy of our visitors.
Currently, US-VISIT entry capabilities are operating at over 300 land,
sea, and air ports of entry; however, exit capabilities are not yet
operating. DHS near-term plans call for enhancing existing biometric
collection, identification, and sharing capabilities, as well as
introducing an exit capability at airports and seaports.
[End of Introduction section]
Objectives:
The Consolidated Appropriations Act, 2008,[Footnote 7] states that DHS
may not obligate $125 million of the $475 million appropriated[Footnote
8] for US-VISIT until the Senate and House Committees on Appropriations
receive a plan for expenditure[Footnote 9] that includes the following:
* a detailed accounting of the program's progress to date relative to
system capabilities or services, system performance levels, mission
benefits and outcomes, milestones, cost targets, and program management
capabilities;
* an explicit plan of action defining how all funds are to be obligated
to meet future program commitments, with the planned expenditure of
funds linked to the milestone-based delivery of specific capabilities,
services, performance levels, mission benefits and outcomes, and
program management capabilities;
* a listing of all open GAO and DHS Office of the Inspector General
(OIG) recommendations related to the program and the status of DHS
actions to address the recommendations, including milestones for fully
addressing them;
* a certification by the DHS Chief Procurement Officer (CPO) that the
program has been reviewed and approved in accordance with the
department's investment management process, and that this process
fulfills all capital planning and investment control requirements and
reviews established by the Office of Management and Budget (OMB),
including Circular A-11, part 7;
* a certification by the DHS Chief Information Officer (CIO) that an
independent verification and validation agent is currently under
contract for the project;
* a certification by the DHS CIO that the system architecture of the
program is sufficiently aligned with the department's information
systems enterprise architecture to minimize future rework, including a
description of all aspects of the architectures that were and were not
assessed in making the alignment determination, the date of the
alignment determination, and any known areas of misalignment, along
with the associated risks and corrective actions to address any such
areas;
* a certification by the DHS CPO that the plans for the program comply
with federal acquisition rules, requirements, guidelines, and
practices, and a description of the actions being taken to address any
areas of noncompliance, the risks associated with them, along with any
plans for addressing these risks and the status of their
implementation;
* a certification by the DHS CIO that the program has a risk management
process that regularly identifies, evaluates, mitigates, and monitors
risks throughout the system life cycle, and communicates high-risk
conditions to agency and DHS investment decision makers, as well as a
listing of all the program's high risks, and a status of efforts to
address them;
* a certification by the DHS Chief Human Capital Officer (CHCO) that
the human capital needs of the program are being strategically and
proactively managed, and that current human capital capabilities are
sufficient to execute the plans discussed in the report;
* a complete schedule for the full implementation of a biometric exit
program or a certification that such a program is not possible within 5
years;
* a detailed accounting of operations and maintenance, contractor
services, and program management costs associated with the program.
[Footnote 10]
The act also requires that we review this plan. DHS submitted its
fiscal year 2008 US-VISIT expenditure plan to the House and Senate
Appropriations Subcommittees on Homeland Security on June 12, 2008. As
agreed, our objectives were to (1) determine whether the plan satisfies
the legislative conditions and (2) provide observations about the plan
and management of the program.
[End of Objectives section]
Scope and Methodology:
To accomplish the first objective, we compared the information provided
in the plan with each aspect of the eleven conditions. Further, for
those conditions requiring a DHS certification, we analyzed
documentation, interviewed cognizant officials, and leveraged our
recent work to determine the basis for each certification. We then
determined whether the plan satisfies, partially satisfies, or does not
satisfy the conditions based on the extent to which (1) the plan
addresses all aspects of the applicable condition, as specified in the
act or (2) the applicable certification letter contained in the plan
(a) addresses all aspects of each condition, as specified in the act,
(b) is sufficiently supported by documented and verifiable analysis,
(c) contains significant qualifications, and (d) is otherwise consistent
with our related findings.
To accomplish the second objective, we analyzed DHS's Notice of
Proposed Rule Making (NPRM) for Air/Sea Exit, the Regulatory Impact
Analysis, Privacy Impact Assessment, and US-VISIT's Exit Pilot Report.
We also compared available information on the US-VISIT prime
contractor's implementation of earned value management and the program
office's implementation of risk management to relevant guidance. (See
attachment 1 for more detailed information on our scope and
methodology.) We conducted this performance audit at US-VISIT offices
in Arlington, Virginia, and DHS offices in Washington, D.C. from June
2008 to September 2008 in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objectives.
[End of Scope and Methodology section]
Results in Brief: Legislative Conditions:
Table: Expenditure Plan's Satisfaction of Legislative Conditions:
Legislative condition: Detailed accounting of the program's progress to
date relative to system capabilities;
Expenditure Plan's Satisfaction of Legislative Conditions: Partially
satisfies.
Legislative condition: Explicit plan defining how funds are to be
obligated to meet future program commitments, linked to the
milestone-based delivery of specific capabilities and services;
Expenditure Plan's Satisfaction of Legislative Conditions: Does not
satisfy.
Legislative condition: Listing of all open GAO and OIG recommendations;
Expenditure Plan's Satisfaction of Legislative Conditions: Partially
satisfies.
Legislative condition: DHS investment management and OMB capital
planning and investment control certification by the CPO;
Expenditure Plan's Satisfaction of Legislative Conditions: Partially
satisfies.
Legislative condition: Independent verification and validation
certification by the CIO;
Expenditure Plan's Satisfaction of Legislative Conditions: Partially
satisfies.
Legislative condition: Architecture certification by the CIO;
Expenditure Plan's Satisfaction of Legislative Conditions: Partially
satisfies.
Legislative condition: Acquisition certification by the CPO;
Expenditure Plan's Satisfaction of Legislative Conditions: Partially
satisfies.
Legislative condition: Risk management certification by the CIO;
Expenditure Plan's Satisfaction of Legislative Conditions: Partially
satisfies.
Legislative condition: Human Capital certification by the CHCO;
Expenditure Plan's Satisfaction of Legislative Conditions: Does not
satisfy.
Legislative condition: Exit implementation schedule or certification
that not possible within 5 years;
Expenditure Plan's Satisfaction of Legislative Conditions: Does not
satisfy.
Legislative condition: Detailed accounting of operations and
maintenance, contractor services, program management costs;
Expenditure Plan's Satisfaction of Legislative Conditions: Partially
satisfies.
Legislative condition: Reviewed by GAO;
Expenditure Plan's Satisfaction of Legislative Conditions: Satisfies.
Source: GAO analysis based on DHS data.
[End of table]
Results in Brief: Observations:
* The reliability of DHS Air and Sea Exit cost estimates is not clear
for various reasons, including program officials' statements that
contradict how the department characterized the estimates in the public
documents and supporting documentation about the estimates' derivation
that we have yet to receive.
* The proposed Air and Sea Exit solution, according to DHS, would
provide less security and privacy than other alternatives, because it
relies on private carriers to collect, store, and transmit passenger
data.
* Comments on the Proposed Air and Sea Exit solution, provided by
airlines and others, raised a number of additional stakeholder
concerns, such as conflicts with air carrier business models and impact
on trade and travel.
* The program office's risk database shows that risk mitigation and
contingency plans have not been developed and implemented in a timely
fashion for a number of risks, which increases the chances that known
risks will become actual problems.
* Significant schedule variances are being minimized by frequent
redefinition of baselines, thus limiting the use of earned value
management as a performance management tool.
Results in Brief: Recommendation and Agency Comments:
We are recommending that DHS's Investment Review Board review the
reasons for the plan's limitations and address the challenges and
weaknesses raised by our observations about the proposed Air and Sea
Exit solution, and the implementation of earned value management and
risk management, and report the results to the Congress.
We provided a draft of this briefing to DHS officials, including the
Director of US-VISIT. While these officials did not state whether they
agreed or not with our findings, conclusions, or recommendations, they
did provide a range of technical comments, which we have incorporated
into the briefing, as appropriate. They also sought clarification on
our scope and methodology, which we have also incorporated into the
briefing.
[End of Results in Brief section]
Background: US-VISIT Strategic Goals:
The strategic goals of US-VISIT are to enhance the security of U.S.
citizens and visitors, facilitate legitimate travel and trade, ensure
the integrity of the U.S. immigration system, and protect the privacy
of our visitors. It is to accomplish these things by:
* collecting, maintaining, and sharing biometric and other information
on certain foreign nationals who enter and exit the United States;
* identifying foreign nationals who (1) have overstayed or violated the
terms of their admission; (2) can receive, extend, or adjust their
immigration status; or (3) should be apprehended or detained by law
enforcement officials;
* detecting fraudulent travel documents, verifying traveler identity,
and determining traveler admissibility through the use of biometrics;
and
* facilitating information sharing and coordination within the
immigration and border management community.
Background: History/Status:
Overview of History and Status of US-VISIT Increments:
As defined in expenditure plans prior to fiscal year 2006, US-VISIT
biometric entry and exit capabilities were to be delivered in four
increments.
* Increments 1 through 3 were to be interim, or temporary, solutions
that would focus on building interfaces among existing (legacy)
systems; enhancing the capabilities of these systems; and deploying
these systems to air, sea, and land ports of entry (POEs).
* Increment 4 was to be a series of yet-to-be-defined releases, or
mission capability enhancements, that were to deliver long-term
strategic capabilities for meeting program goals.
* Increments 1 through 3 have produced an entry capability that began
operating at over 300 POEs by 2006. (See the system diagram on the next
slide for an overview of this entry capability; attachment 3 provides
further details on each of the systems.)
Figure: Systems Diagram of Entry Capability Operating at Points of
Entry[Footnote 11]:
[Refer to PDF for image]
This figure is a detailed diagram of Entry Capability Operating at
Points of Entry. Included in the diagram are systems/applications which
are:
* Common to all increments;
* Increment 1 only;
* Increment 2B and 3 only.
Source: GAO analysis of US-VISIT data.
[End of figure]
Increment 4 has continued to evolve.
* The fiscal year 2006 expenditure plan described increment 4 as the
combination of two projects: (1) Transition to 10 fingerprints in the
Automated Biometric Identification System (IDENT) and (2)
interoperability between IDENT and the Federal Bureau of
Investigation's (FBI) Integrated Automated Fingerprint Identification
System (IAFIS).
* The fiscal year 2007 expenditure plan combines these two projects
with a third project called Enumeration (developing a single identifier
for each individual) into a larger project referred to as Unique
Identity. During fiscal year 2007, the following Unique Identity
efforts were completed.
- The Interim Data Sharing Model (iDSM) was deployed. It allows sharing
of certain biometric information between US-VISIT and the FBI, as well
as with the Office of Personnel Management and police departments in
Houston, Dallas, and Boston. The next phase of IDENT/IAFIS
interoperability (referred to as Initial Operating Capability) is to be
deployed in October 2008.
- The 10-print scanners were deployed to 10 air locations for pilot
testing. Deployment of the scanners to 292 POEs is to begin during
fiscal year 2008 and is to be completed by December 2008.
* Also in fiscal year 2007, steps were taken relative to a biometric
exit solution. Specifically,
- Exit pilot projects were halted at 12 airports and 2 seaports in May
2007.
- Exit radio frequency identification[Footnote 12] proof-of-concept
projects were discontinued at selected land ports in November 2006.
- Planning for an air and sea exit solution based on lessons learned
from the pilot projects was begun, to include studying the costs,
impacts, and privacy concerns of alternative solutions.
The fiscal year 2008 expenditure plan provides additional information
on these and other projects in the context of the program's four core
mission capabilities: (1) providing identity management and screening
services, (2) developing and enhancing biometric identity collection
and data sharing, (3) providing information technology support for
mission services, and (4) enhancing program management. For example,
under developing and enhancing biometric capabilities, the plan
allocates $228 million for further development and deployment of Unique
Identity and $13 million for development of an Air and Sea Exit
solution. (See table on next slide).
Table: Summary of Fiscal Year 2008 Expenditure Plan Budget:
Core Mission Areas: Provide identity management and screening services:
Project: Biometric support;
Fiscal Year 2008 Total: $7.9 million.
Project: Data integrity;
Fiscal Year 2008 Total: $6.4 million.
Project: Law enforcement and intelligence;
Fiscal Year 2008 Total: $1.5 million.
Core Mission Areas: Develop and enhance biometric identity collection
and data sharing:
Project: Unique Identity;
Fiscal Year 2008 Total: $228.0 million.
Project: Comprehensive Biometric Exit – Air/Sea;
Fiscal Year 2008 Total: $13.0 million.
Core Mission Areas: Provide information technology support to mission
service:
Project: Operations and maintenance;
Fiscal Year 2008 Total: $103.0 million.
Core Mission Areas: Enhance Program Management:
Project: Mission support;
Fiscal Year 2008 Total: $109.2 million.
Project: Management reserve;
Fiscal Year 2008 Total: $6.0 million.
Core Mission Areas/Projects: Total;
Fiscal Year 2008 Total: $475.0 million.
Source: DHS Fiscal Year 2008 Expenditure Plan.
[End of table]
Background: Projects' Approach and Status:
Life Cycle Approach for and Status of US-VISIT Projects:
US-VISIT projects are subject to the program's Enterprise Life Cycle
Methodology (ELCM). Within ELCM is a component methodology for managing
software-based system projects, such as Unique Identity and Air/Sea
Exit, known as the US-VISIT Delivery Methodology (UDM). According to
version 4.3 of UDM (April 2007), it:
* applies to both new development and operational projects;
* specifies the documentation and reviews that should take place within
each of the methodology's six phases: plan, analyze, design, build,
test, and deploy; and
* allows for tailoring to meet the needs and requirements of individual
projects, in which specific activities, deliverables, and milestone
reviews that are appropriate for the scope, risk, and context of the
project can be set for each phase of the project.
The chart on the following page shows the status of each US-VISIT
project within the life cycle methodology as of August 2008.
Table: Project Status:
Project: Comprehensive Exit Land;
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Empty];
ELCM Gate Review, Design: [Empty];
ELCM Gate Review, Build: [Empty];
ELCM Gate Review, Test: [Empty];
ELCM Gate Review, Deploy: [Empty];
ELCM Gate Review, Operational: [Empty].
Project: Comprehensive Exit Air/Sea Release 1[A];
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Check];
ELCM Gate Review, Design: [Check];
ELCM Gate Review, Build: [Check];
ELCM Gate Review, Test: [Check];
ELCM Gate Review, Deploy: [Empty];
ELCM Gate Review, Operational: [Empty].
Project: Comprehensive Exit Air/Sea Release 2[B];
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Empty];
ELCM Gate Review, Design: [Empty];
ELCM Gate Review, Build: [Empty];
ELCM Gate Review, Test: [Empty];
ELCM Gate Review, Deploy: [Empty];
ELCM Gate Review, Operational: [Empty].
Project: Unique Identity 10-Print Initial Deployment;
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Check];
ELCM Gate Review, Design: [Check];
ELCM Gate Review, Build: [Check];
ELCM Gate Review, Test: [Check];
ELCM Gate Review, Deploy: [Check];
ELCM Gate Review, Operational: [Check].
Project: Unique Identity 10-Print National Deployment;
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Check];
ELCM Gate Review, Design: [Check];
ELCM Gate Review, Build: [Check];
ELCM Gate Review, Test: [Check];
ELCM Gate Review, Deploy: [Check];
ELCM Gate Review, Operational: [Empty].
Project: Increment 1 Air/Sea Entry;
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Check];
ELCM Gate Review, Design: [Check];
ELCM Gate Review, Build: [Check];
ELCM Gate Review, Test: [Check];
ELCM Gate Review, Deploy: [Check];
ELCM Gate Review, Operational: [Check].
Project: Increment 2 Land Entry Top 50;
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Check];
ELCM Gate Review, Design: [Check];
ELCM Gate Review, Build: [Check];
ELCM Gate Review, Test: [Check];
ELCM Gate Review, Deploy: [Check];
ELCM Gate Review, Operational: [Check].
Project: Increment 3 Remaining Land;
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Check];
ELCM Gate Review, Design: [Check];
ELCM Gate Review, Build: [Check];
ELCM Gate Review, Test: [Check];
ELCM Gate Review, Deploy: [Check];
ELCM Gate Review, Operational: [Check].
Project: IDENT/IAFIS iDSM;
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Check];
ELCM Gate Review, Design: [Check];
ELCM Gate Review, Build: [Check];
ELCM Gate Review, Test: [Check];
ELCM Gate Review, Deploy: [Check];
ELCM Gate Review, Operational: [Check].
Project: Unique Identity Interoperability IOC;
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Check];
ELCM Gate Review, Design: [Check];
ELCM Gate Review, Build: [Check];
ELCM Gate Review, Test: [Empty];
ELCM Gate Review, Deploy: [Empty];
ELCM Gate Review, Operational: [Empty].
Project: Unique Identity Interoperability FOC;
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Empty];
ELCM Gate Review, Design: [Empty];
ELCM Gate Review, Build: [Empty];
ELCM Gate Review, Test: [Empty];
ELCM Gate Review, Deploy: [Empty];
ELCM Gate Review, Operational: [Empty].
Project: Enumeration Services;
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Check];
ELCM Gate Review, Design: [Check];
ELCM Gate Review, Build: [Check];
ELCM Gate Review, Test: [Check];
ELCM Gate Review, Deploy: [Check];
ELCM Gate Review, Operational: [Check].
Project: Mobile Biometrics at Sea;
ELCM Gate Review, Plan: [Check];
ELCM Gate Review, Analyze: [Check];
ELCM Gate Review, Design: [Check];
ELCM Gate Review, Build: [Check];
ELCM Gate Review, Test: [Check];
ELCM Gate Review, Deploy: [Check];
ELCM Gate Review, Operational: [Check].
[A] Release 1 deploys backend capabilities to receive and process the
biometric exit data captured and transmitted in compliance with the
Final Rule.
[B] Release 2 focuses on exit reporting capabilities.
Source: GAO based on agency data.
[End of table]
Contract and Task Order Overview and Status:
In May 2004, DHS awarded an indefinite-delivery/indefinite-quantity
[Footnote 13] prime contract to Accenture and its partners[Footnote 14]
for delivering US-VISIT products and services. Thus far,
* 20 task orders have been issued against this contract, and their
total value[Footnote 15] is about $501 million.
* 11 of these task orders are ongoing, and their total value is about
$331 million.
The table on the following slides provides additional information about
the ongoing task orders organized by the four core mission capabilities
and projects.
Table: Contract and Task Order Overview and Status:
Core Capability: Provide identity management and screening services:
Project: Data integrity and biometric support;
Task Order Name: Data management support;
Start: August 2004;
Approximate Value: $3 million;
Description: Support Program Office Data Management Branch to identify
errors, omissions, and trends in data; recommend corrective actions;
provide refined data to other offices (e.g., U.S. Immigration and
Customs Enforcement) to support criminal investigations, lookout
creation, and informed managerial/operational decision making.
Core Capability: Develop and enhance biometric identity collection and
data sharing capabilities:
Project: Biometric solutions delivery;
Task Order Name: Unique Identity;
Start: October 2004;
Approximate Value: $82.5 million;
Description: Planning, development, and implementation of Unique
Identity (IDENT/IAFIS integration and IDENT 10-print).
Project: Biometric solutions delivery;
Task Order Name: Integration support to the Unique Identity ID Project
Office;
Start: November 2006;
Approximate Value: $1.6 million;
Description: Program and technical integration support services.
Project: Biometric solutions delivery;
Task Order Name: Secure Information Management Systems;
Start: October 2007;
Approximate Value: $2.3 million;
Description: Planning, development, and implementation of enumeration
functionality for Unique Identity and the US Customs and Immigration
Service's Inter-Country Adoption Pilot.
Project: Biometric solutions delivery;
Task Order Name: Biometric Solutions Delivery;
Start: February 2008;
Approximate Value: $18 million;
Description: Deployment of solutions – includes installation of scanning
equipment for 10-print collection.
Core Capability: Provide information technology support mission
services:
Project: Operations and maintenance;
Task Order Name: Facilities and infrastructure;
Start: March 2005;
Approximate Value: $6.3 million;
Description: Provisioning of office/facility space, furniture,
workstations, telecommunications, and other infrastructure to support
contractor activities.
Project: Operations and maintenance;
Task Order Name: Operations and maintenance;
Start: August 2006;
Approximate Value: $27.7 million;
Description: Management of operations and maintenance activities for
deployed capabilities.
Project: Information technology services;
Task Order Name: IT services;
Start: September 2007;
Approximate Value: $10.8 million;
Description: Information technology services for implemented
functionality, including security upgrades, system changes, etc.
Core Capability: Enhance program management:
Project: Contractor support/program management;
Task Order Name: Program-level engineering;
Start: September 2004;
Approximate Value: $16 million;
Description: Develop and maintain the standards, guidance,
architectures, performance models, and other engineering processes
necessary to support the development of functionality.
Project: Contractor support/program management;
Task Order Name: Development and support of program planning
activities;
Start: November 2006;
Approximate Value: $1.8 million;
Description: Support the development and maintenance of program
planning artifacts and analyze phases of project execution and
planning, updating, and implementation of the US-VISIT strategic plan.
Source: GAO analysis of DHS data.
[End of table]
Overview of DHS Investment Management Process:
DHS issued a draft Investment Review Process guide in March 2006 that
includes milestone decision points (MDP) linking five life cycle
phases: project initiation (MDP1), concept and technology development
(MDP2), capability development and demonstration (MDP3), production and
deployment (MDP4), and operations and support (MDP5).Under the draft
guide, a program sends an investment review request prior to the
initial milestone date. The program is then to be reviewed by the DHS
Enterprise Architecture Board (EAB), Joint Requirements Council and/or
Investment Review Board, depending on such factors as the program's
cost and significance. According to the official from DHS's Program
Analysis and Evaluation Directorate who is responsible for overseeing
program adherence to the investment control process, the draft guide is
being used for all DHS programs, including US-VISIT. This official also
stated that milestone reviews can be performed concurrently with an
expenditure plan review.
In December 2006, the DHS Investment Review Board held an MDP1 review
of US-VISIT. Since then, the EAB held an MDP2 review in April 2007, and
the EAB is currently performing an MDP3 review. Neither the Joint
Requirements Council nor the Investment Review Board has reviewed
US-VISIT since MDP1.
Overview of DHS Notice of Proposed Rule Making (NPRM) for Air/Sea Exit:
On April 24, 2008, DHS published its NPRM for establishing a biometric
exit capability at commercial air and sea ports. At the same time, it
published an Air/Sea Biometric Exit Regulatory Impact Analysis
providing information on the projected costs and benefits of several
alternatives discussed in the proposed rule. Key aspects of the NPRM
are summarized here.
* The proposed rule would require aliens who are subject to US-VISIT
biometric requirements on entry at POEs to provide biometric
information to commercial carriers before departing air and sea POEs.
The rule also proposed that the biometric information collected be
submitted to DHS within 24 hours of securing the airplane doors for air
travel or departing the seaport. According to the NPRM, these
requirements would not apply to persons departing on certain private or
small carriers.
* The proposed rule discussed nine exit alternatives for collecting
biometrics: (1) at the check-in counter by air and vessel carriers, (2)
at the check-in counter by DHS, (3) at the security checkpoint by DHS,
(4) at the departure gate by air and vessel carriers, (5) at the
departure gate by DHS, (6) at the check-in counter by air and vessel
carriers with verification at the departure gate, (7) at the check-in
counter by DHS with verification at the departure gate, (8) at the
security checkpoint by DHS with verification at the departure gate, and
(9) within the sterile area (after passing through the Transportation
Security Administration checkpoint) by DHS.
The following five alternatives were subject to further analysis of
costs and benefits.
* Proposed Alternative: Air and vessel carriers implement and manage
the collection of biometric data at location(s) of their choice.
* Alternative 1: Air and vessel carriers implement and manage the
collection of biometric data at their check-in counter.
* Alternative 2: DHS implements and manages the collection of biometric
data at the TSA Security checkpoint.[Footnote 16]
* Alternative 3: DHS implements and manages the collection of biometric
data at location(s) of the air or vessel carrier's choice.
* Alternative 4: DHS implements and manages the collection of biometric
data at kiosks placed in various locations.
DHS provided a 60-day comment period for the NPRM. A total of 91
organizations provided 117 comments and supporting documents. These
included: 12 air industry associations, 44 air carriers (9 domestic and
35 foreign), 4 vessel industry associations, 1 vessel carrier, 9
commerce associations, 1 congressional committee, 5 foreign
governments, and 2 local governments.
[End of Background section]
Objective 1: Legislative Conditions:
Of the 12 legislative conditions pertaining to DHS's fiscal year 2008
expenditure plan for US-VISIT, the plan partially satisfies 8 and does
not satisfy 3 of them. Our review has satisfied the remaining
condition.
Given that the act's conditions are designed to help ensure that the
program is effectively managed and that congressional oversight of the
program can occur, a partially or a not satisfied condition should be
viewed as introducing risk to the program. Each of the conditions is
addressed in detail on the following slides.
Condition 1:
Condition 1: The plan partially satisfies the legislative condition to
include a detailed accounting of the program's progress to date
relative to system capabilities or services, system performance levels,
mission benefits and outcomes, milestones, cost targets, and program
management capabilities.
As we previously reported,[Footnote 17] describing how well DHS is
progressing relative to US-VISIT program commitments (e.g., cost,
schedule, capabilities, and benefits commitments) that it has made in
previous expenditure plans is essential to permitting meaningful
program oversight and promoting accountability for results.
System Capabilities and Services: The current plan provides information
on some US-VISIT capabilities and services that have been completed or
delivered. For example, the fiscal year 2007 plan stated that US-VISIT
would make IDENT modifications to support the transition to 10-print
capability. The fiscal year 2008 plan identifies the modifications that
were implemented, such as consolidating several IDENT databases,
deploying a watch list demotion capability, introducing improved
fingerprint-matching algorithms, and developing new requirements for an
enhanced Candidate Verification Tool. However, the information
presented is not always sufficient to measure progress. For example,
* The fiscal year 2007 plan stated that US-VISIT would begin 10-print
pilot deployment in late 2007 to ten air locations, but the fiscal year
2008 plan only states that DHS selected a number of pilot locations and
evaluated the performance and operational impacts at those locations.
According to program officials, although the plan does not state the
number of locations for the pilot, it was in fact deployed to ten
locations, and this information has been previously provided to the
Congress.
System Performance Levels:
The fiscal year 2008 plan describes progress in achieving some, but not
all, system performance levels. For example, the fiscal year 2007 plan
cited a target of 1,850 biometric watch list hits for travelers
processed at POEs, and the latest plan reports that the number of these
hits was 11,838. However, many of the target measures included in the
fiscal year 2007 plan are not described in the current plan. For
example,
* The fiscal year 2007 plan cited a target of having biometric
information on file for 49 percent of foreign nationals prior to their
entering the United States (also referred to as the "Unique Identity
baseline"). However, this measure is not discussed in the fiscal year
2008 plan.
* The fiscal year 2007 plan cited a target of 26 days for resolving
requests by visitors to correct their baseline data. However, this
measure is not discussed in the fiscal year 2008 plan.
* The fiscal year 2007 plan stated that US-VISIT would establish a
baseline of the number of individuals who were biometrically verified
based on 10-print enrollment. However, this baseline measure is not
discussed in the fiscal year 2008 plan.
According to program officials, although these measures are not
mentioned in the expenditure plan, performance data relative to each is
in fact collected and monitored.
Cost Targets:
The fiscal year 2008 plan identifies estimated costs (i.e., funding
levels) for each of the four broad capability areas. In some cases, the
broad areas are decomposed and meaningful detail is provided to
understand how the funds will be used. However, in many cases,
capabilities and costs are not decomposed to a level that permits such
understanding and oversight. For example,
* The fiscal year 2008 plan states that $7.9 million will be used for
the Biometric Support Center. However, allocations for specific support
center capabilities and services are not provided.
* The fiscal year 2008 plan states that $72.6 million will be used to
update DHS border and process technology in support of 10-print and
IDENT/IAFIS interoperability. However, the funds are not allocated
between the two activities or to major tasks, products, and services
under each activity, such as the completion of initial operating
capability for IDENT/IAFIS integration.
* The fiscal year 2008 plan states that $6.4 million will be used for
data integrity efforts. However, the funds are not allocated among
specific data integrity activities described in the plan, such as
upgrading the integrity of the system and data to meet stakeholder
needs.
Furthermore, the fiscal year 2007 and 2008 plans use different
terminology to describe categories of spending under the broad
capability areas. For example,
* The fiscal year 2008 plan shows $5.0 million in fiscal year 2007
funds allocated to "Information Technology" under the "Comprehensive
Biometric Exit Solution – Air and Sea" project, but the 2007 plan does
not identify an "Information Technology" component to this project, but
rather shows $5.0 million being allocated to "Planning and Design."
* The fiscal year 2008 plan shows $1.4 million in fiscal year 2007
funds allocated to "Law Enforcement and Intelligence" under Biometric
Support Services, but the fiscal year 2007 plan does not identify a Law
Enforcement and Intelligence component, but instead shows $1.4 million
being allocated to "Management."
Benefits/Outcomes:
The fiscal year 2008 plan cites benefits associated with each of the
four broad capability areas and in some cases, provides specific and
measurable benefits that are linked to specific capabilities. For
example, the plan states that 10-print capability would provide several
benefits, including facilitating travel by reducing the number of
travelers sent to secondary inspection. More specifically, the plan
states that the IDENT False Accept Rate fell from 0.093 percent to
0.0034 percent in fiscal year 2007 through the implementation of
improved fingerprint matching algorithms, and estimates that this
improvement provided operational benefits by reducing the number of
individuals sent to secondary processing due to erroneous
identification by approximately 25,000 travelers. However, in other
cases, the benefits are not specific and measurable and are not linked
to specific capabilities and services committed to in the prior plan.
For example,
* The plan cites the following benefits relative to the Comprehensive
Biometric Exit Solution – Air and Sea project: "Provides greater
accuracy in recording identity of persons leaving the country, enables
improved assessment by DHS of travelers' compliance with immigration
laws, and enables DHS to more easily match records across multiple
identities or travel documents."
However, since these benefits/outcomes are not linked to a baseline
measure, and the amount of the expected improvement is not specified,
the proposed benefits are not meaningful.
* The plan cites benefits from sharing biometric data globally,
including enabling countries to redirect the course of an immigration
claims or enforcement activity, improving the accuracy of records
through vetting and validation, identifying patterns of legal and
illegal migration, achieving efficiency savings, establishing the
identities of individuals who sought benefits among partner agencies
and governments, and helping to prevent fraud through identity
verification of individuals seeking benefits. However, it does not link
any of these benefits to specific baseline measures.
Milestones:
The fiscal year 2008 plan cites high-level milestones that are
traceable to the prior plan. However, neither of the plans provides
enough specificity to measure progress. For example:
* The fiscal year 2007 plan stated that the first phase of IDENT/IAFIS
interoperability was implemented via the iDSM prototype in 2006. It
also identified high-level activities to design, build, and deploy the
initial operating capability for IDENT/IAFIS interoperability, such as
advancing the data sharing architecture and enabling the assignment of
a unique number to each individual. While the fiscal year 2008 plan
states that some of these efforts were completed, neither plan provided
specific milestones to measure progress.
* The fiscal year 2007 plan stated that efforts to deploy a biometric
exit solution for air and sea environments would be launched. While the
fiscal year 2008 plan states that US-VISIT developed a Comprehensive
Biometric Exit strategy and began planning to address the air and sea
environments, neither plan provided specific milestones to measure
progress.
Program Management:
The fiscal year 2008 plan discusses several initiatives to enhance and
leverage key program management capabilities, such as continuing
efforts to improve the program's use of earned value management, the
maturity of software acquisition/development processes, and the quality
of internal governance. In some cases, the plan cites program
management efforts that can be traced to the fiscal year 2007 plan. For
example, the fiscal year 2007 plan stated that an assessment of the
prime contractor's earned value management system was to be conducted
during fiscal year 2007. According to the fiscal year 2008 plan, an
assessment was completed in June 2007 that identified a number of
weaknesses, a plan of action and milestones was developed to address
the weaknesses, and this plan is to be executed in 2008. (These
weaknesses are discussed in detail later in this briefing.)
However, the fiscal year 2008 plan also identifies program management
capability improvements that are not traceable to prior plan
commitments. For example, the fiscal year 2008 plan states that a
Planning, Programming, Budgeting, and Execution process was developed
during fiscal year 2007. However, this effort was not mentioned in the
prior plan as a commitment and thus as a basis for measuring progress.
Condition 2:
Condition 2: The plan does not satisfy the condition that it include an
explicit plan of action defining how all funds are to be obligated to
meet future program commitments, with the planned expenditure of funds
linked to the milestone-based delivery of specific capabilities,
services, performance levels, mission benefits and outcomes, and
program management capabilities.
As we have previously reported,[Footnote 18] the purpose of the
expenditure plan is to provide Congress with sufficient information to
exercise effective oversight of US-VISIT and to hold DHS accountable
for results. As such, the plan should specify planned system
capabilities, schedules, costs, and expected benefits for each of its
projects and for its program management activities. While the fiscal
year 2008 plan links funding to four broad core capability areas and
associated projects, it does not link this planned use of funds to
milestones and it does not consistently decompose projects into
specific mission capabilities, services, performance levels, benefits
and outcomes, or program management capabilities.
To illustrate, the expenditure plan allocates funding among the
program's four broad core capability areas. For one of these capability
areas, the plan identifies major projects, such as Unique Identity and
Comprehensive Biometric Exit Solution – Air and Sea. These projects are
then decomposed into general functional activities (e.g., project
integration and analysis, and acquisition and procurement), which are
then associated with fiscal year 2007 and 2008 funding. However, these
functional activities do not constitute specific capabilities,
services, performance levels, or benefits. Rather, they represent
functions to be performed that presumably will produce such
capabilities, services, performance levels, or benefits.
Similarly, the remaining three core capability areas are also divided
into general functional activities (e.g., biometric support, data
integrity, program staffing, data center operations) that do not
constitute capabilities, services, performance levels, or benefits.
Moreover, the funding associated with the broad core capability areas,
projects, or functional activities is not linked to any milestones. For
example, the plan states that $72.6 million of fiscal year 2008 funds
will be used to update DHS border and process technology for 10-print
transition and IDENT/IAFIS, but does not state what updates will be
accomplished or by when. The plan also states that $45.1 million will
be used to operate and maintain applications, but does not state what
maintenance activities will be performed and when they will be
performed.
Condition 3:
Condition 3: The plan, including related program documentation and
program officials' statements, partially satisfies the condition that it
include a listing of all open GAO and OIG recommendations related to
the program and the status of DHS actions to address them, including
milestones.
We reported in August 2007[Footnote 19] that US-VISIT's progress in
implementing our prior recommendations had been slow, as indicated by
the 4-year-old recommendations that were less than fully implemented.
Given that our recommendations focus on fundamental limitations in the
management of US-VISIT, they are integral to DHS's ability to execute
its expenditure plans, and thus should be addressed in the plans.
Since 2003, GAO has made 44 recommendations to the US-VISIT program.
The fiscal year 2008 plan provides a listing and status of our
recommendations. However, the plan does not provide milestones for
addressing these recommendations. The table on the next slide
summarizes our analysis of the status of our recommendations.
Table: Status of Recommendations:
Status: Implemented;
Number of recommendations: 26.
Status: Partially Implemented;
Number of recommendations: 9.
Status: Not Implemented;
Number of recommendations: 9.
Source: GAO analysis of DHS data.
[End of table]
In addition, the plan does not include two OIG recommendations.
According to program officials, this is because these two
recommendations were made the same month that the plan was sent to the
appropriations committee. (See attachment 4 for more detailed
information on the status of our recommendations.)
Condition 4:
Condition 4: The plan partially satisfies the condition that it include
a certification by the DHS CPO that (1) the program has been reviewed
and approved in accordance with the department's investment management
process and (2) the process fulfills all capital planning and
investment control requirements and reviews established by the Office
of Management and Budget (OMB), including Circular A-11, part 7.
[Footnote 20]
As we have previously reported,[Footnote 21] it is important for
organizations such as DHS, which rely heavily on IT to support
strategic outcomes and meet mission needs, to adopt and employ an
effective institutional approach to IT investment management. Such an
approach provides agency management with the information needed to
ensure that IT investments cost-effectively meet strategic mission
needs and that projects are meeting cost, schedule, and performance
expectations. We have also reported[Footnote 22] that the capital
investment control requirements and reviews outlined in the OMB
Circular A-11, part 7, are important because they are intended to
minimize a program's exposure to risk, permit performance measurement
and oversight, and promote accountability.
On March 14, 2008, the DHS CPO certified that (1) US-VISIT was reviewed
and approved in accordance with the department's investment management
process and (2) this process fulfills all capital planning and
investment control requirements and reviews established by OMB,
including Circular A-11, part 7.
In support of certifying the first aspect of the condition, the CPO
stated that OMB scored US-VISIT's fiscal year 2009 budget submission
(i.e., budget exhibit 300) a 35 out of a possible 50 in November 2007.
According to OMB, this score means that the submission has "very few
points...but still needs strengthening." In addition, the CPO stated
that the program had been reviewed by the DHS Investment Review Board
in December 2006, and that the board had issued a decision memorandum
in April 2007 stating that the fiscal year 2007 expenditure plan met,
among other things, OMB capital planning and investment review
requirements and satisfied that aspect of the DHS investment management
process that requires investments to comply with DHS's enterprise
architecture.
However, this support is not sufficient to fully satisfy the first
aspect of the legislative condition because this condition applies to
the fiscal year 2008 expenditure plan, and the support that the CPO
cites does not relate to either the fiscal year 2008 budget submission
or to the fiscal year 2008 expenditure plan. Rather, it pertains to the
following year's budget submission and the prior year's plan.
In support of certifying the second aspect of the condition, the CPO
again cites the fiscal year 2009 budget submission, which DHS documents
show underwent a series of reviews and revisions before being sent to
OMB that raised the department's scoring of the submission from a 29 to
a 37. According to OMB, a score of 29 means, among other things, that
"much work remains to solidify and quantify" the submission. In
certifying to this aspect, the CPO also stated that his office will
continue to oversee US-VISIT through the department's emerging
investment management process.
However, the cited support is not sufficient to satisfy the legislative
condition for two reasons.
* As previously noted, the cited budget submission is for fiscal year
2009 rather than fiscal year 2008.
* DHS's investment management process is not sufficiently mature. As we
reported in April 2007,[Footnote 23] this process does not satisfy the
key practices outlined in the Information Technology Investment
Management Framework,[Footnote 24] which is a maturity framework based
on corporate investment management best practices employed by leading
public and private sector organizations and is consistent with OMB
capital planning and investment control requirements. In particular, we
reported that:
- DHS's process (policies and procedures) for project-level management
does not include all key elements, such as specific criteria or steps for
prioritizing and selecting new investments.
- DHS has not fully implemented the practices needed to control
investments, at the project level or at the portfolio level, including
regular project-level reviews by the DHS Investment Review Board.
- DHS's process does not identify a methodology with explicit
decision-making criteria to determine an investment's alignment with the DHS
enterprise architecture.
In its comments on a draft of this report, DHS disagreed that its
investment management process is not sufficiently mature, stating that
on November 7, 2008 it issued an interim operational policy for
investment control that addresses the limitations that we reported in
April 2007. However, because DHS's comments only provided the memo that
issued the interim policy, and not the policy itself, we have yet to
review it to determine whether it addresses the above limitations.
Also, the memo describes the interim policy as a "resulting draft" that
is the product of an "informal staffing process" and that changes will
be made to "the policy prior to completing this process." Moreover,
implementation of the policy, including training on its implementation,
still needs to occur. Therefore, we continue to view DHS's investment
management process as not sufficiently mature.
Condition 5:
Condition 5: The plan partially satisfies the condition that it include
a certification by the DHS CIO that an independent verification and
validation (IV&V) agent is currently under contract.
As we have previously reported,[Footnote 25] IV&V is a recognized best
practice for large and complex system development and acquisition
programs, like US-VISIT, as it provides management with objective
insight into the program's processes and associated work products.
On February 25, 2008, the former DHS Acting CIO conditionally certified
that the program has an IV&V agent under contract. However, this
certification was qualified to recognize that the contract only
provided for IV&V services relative to testing system applications
(i.e., it did not extend to other key program activities). Accordingly,
the certification was made conditional on the program office providing
an update on its efforts to award a contract for program-level IV&V by
April 15, 2008. According to program officials, they are in the process
of evaluating a program-wide IV&V contract proposal and plan to award a
contract in September 2008.
Condition 6:
Condition 6: The plan partially satisfies the condition that it include
a certification by the DHS CIO that the program's system architecture
is sufficiently aligned with the department's enterprise architecture
(EA), including a description of all aspects of the architectures that
were and were not assessed in making the alignment determination, the
date of the alignment determination, and any known areas of
misalignment, along with the associated risks and corrective actions to
address any such areas.
According to federal guidelines[Footnote 26] and best practices,
[Footnote 27] investment compliance with an EA is essential for
ensuring that new and existing systems are defined, designed, and
implemented in a way that promotes integration and interoperability and
minimizes overlap and redundancy, thus optimizing enterprisewide
efficiency and effectiveness. A compliance determination is not a
one-time event that occurs when an investment begins, but rather occurs
throughout an investment's life cycle as changes to both the EA and the
investment's architecture are made. Within DHS, the EAB, supported by
the Enterprise Architecture Center of Excellence, is responsible for
ensuring that system investments demonstrate adequate technical and
strategic compliance with the department's EA.
In early 2008, the DHS Acting CIO certified that the US-VISIT system
architecture was aligned with the DHS EA based on an assessment of the
program's alignment to the 2007 version of DHS's EA, which was
conducted by the EAB in support of the program's MDP2 review.
Consistent with the legislative condition, the fiscal year 2008
expenditure plan includes the former Acting CIO's certification, the
date of the board's conditional approval of architectural alignment for
MDP2 (September 27, 2007) and the date of the certification (February
25, 2008). It also includes areas of misalignment and corrective
actions to address the identified areas. Specifically, it identifies
such areas of misalignment as:
* US-VISIT requirements and products to support 10-print solution not
having been defined and included in the 2007 EA technical reference
model, and;
* US-VISIT data standards not having been vetted with the DHS
Enterprise Data Management Office for compliance.
It states that corrective actions to address these areas were completed
in September 2007, and that no outstanding MDP2 conditions
remain.However, the certification does not fully satisfy the
legislative conditions for three reasons.
First, the basis for the certification is an assessment against the
2007 EA, which is a version that we recently reported to be missing
important US-VISIT architectural content.[Footnote 28] Further, while
DHS recently issued a 2008 version of its EA, it does not address these
content shortfalls. The following are examples of the missing
architecture content:
* US-VISIT's representation in this version's business model (which
associates the department's business functions with the organizations
that support and/or implement them) does not align US-VISIT with certain
business functions (e.g., verify identity and establish identity) that
the program office has identified as a critical part of its mission.
* US-VISIT business rules and requirements are not included in this
version's business model. Business rules are important because they
explicitly translate business policies and procedures into specific,
unambiguous rules that govern what can and cannot be done. As such,
they facilitate the consistent implementation of policies and
procedures.
* US-VISIT's baseline and target performance goals (e.g., for
transaction volume) are not reflected in this version.
* US-VISIT-owned and managed component systems are not all accurately
captured in the 2007 EA. For example, it erroneously identifies two
US-VISIT component systems as being owned by two other DHS entities.
* All US-VISIT system interfaces are not included in the 2007 EA's
system reference model. For example, it does not identify key
interfaces between the IDENT, Advance Passenger Information System
(APIS), Arrival and Departure Information System (ADIS), and Treasury
Enforcement Communications System. Additionally, it does not identify
the interface between IDENT and the Global Enrollment System, even
though US-VISIT officials confirmed that the interface exists and is
operating.
Second, the department lacks a defined methodology for determining an
investment's compliance with its EA, including explicit steps and
criteria. According to federal guidance,[Footnote 29] such a
methodology is important because the benefits of using an EA cannot be
fully realized unless individual investments are defined, designed, and
developed in a way that avoids duplication and promotes
interoperability. However, we reported in April 2007 that DHS does not
have such a methodology.[Footnote 30] Without this methodology and
verifiable documentation demonstrating its use in making compliance
determinations, the basis for concluding that a program sufficiently
complies with any version of the 2007 EA will be limited.
Third, the certification attachment includes a description of what was
assessed to provide the basis for the compliance certification. For
example, the attachment states that the board "evaluated the program's
ability to support the Department's line of business and strategic
goals; their alignment to a DHS Office of the CIO portfolio; the data,
data objects, and data entity that encompass the investment; the
technology leveraged to deliver capabilities and functions by the
program; and compliance with information security, Section 508, and
screening coordination." However, the descriptions do not link directly
to key 2007 EA artifacts. For example, it aligns US-VISIT's data
entities (e.g., Watch List and Warrants) to the data object "Record".
The 2007 EA, however, does not define that data object. Moreover, those
aspects of the architectures that were not assessed are not identified,
such as the business rules and enterprise security architecture.
Condition 7:
Condition 7: The plan partially satisfies the condition that it include
a certification by the DHS CPO that the plans for the program comply
with federal acquisition rules, requirements, guidelines and practices,
and a description of the actions being taken to address any areas of
noncompliance, the risks associated with them, along with any plans for
addressing these risks, and the status of their implementation.
As we have previously reported,[Footnote 31] federal IT acquisition
requirements, guidelines, and management practices provide an
acquisition management framework that is based on the use of rigorous
and disciplined processes for planning, managing, and controlling the
acquisition of IT resources. If implemented effectively, these
processes can greatly increase the chances of acquiring
software-intensive systems that provide promised capabilities on time and within
budget.
On March 14, 2008, the DHS CPO certified that US-VISIT complied with
federal acquisition rules, requirements, guidelines, and practices. In
support of this certification, the CPO stated that the program was
reviewed by the DHS Investment Review Board in December 2006, and that
the board issued a decision memorandum in April 2007 that stated that
the fiscal year 2007 expenditure plan met, among other things, federal
acquisition rules, requirements, guidelines, and system acquisition
management practices. In addition, the CPO stated that DHS's Office of
Procurement Operations had conducted self-assessments of
US-VISIT-related contracts in fiscal years 2006 and 2007, and that these
assessments had not identified any areas of non-compliance that
required risk mitigation.
However, the cited support is not sufficient
to fully satisfy the legislative condition because the condition
applies to the fiscal year 2008 expenditure plan, while the support
that is cited pertains to the fiscal year 2007 expenditure plan and
assessments that were completed in fiscal years 2006 and 2007.
Condition 8:
Condition 8: The plan partially satisfies the condition that it include
(1) a certification by the DHS CIO that the program has a risk
management process that regularly identifies, evaluates, mitigates, and
monitors risks throughout the system life cycle and communicates
high-risk conditions to department investment decision makers, as well as
(2) a listing of all the program's high risks and the status of efforts
to address them.
As we have previously reported,[Footnote 32] proactively managing
program risks is a key acquisition management control, and if defined
and implemented properly, it can increase the chances of programs
delivering promised capabilities and benefits on time and within
budget.
On February 25, 2008, the former DHS Acting CIO certified that US-VISIT
had a sufficient risk management process in place, adding that this
process satisfied all process-related aspects of the legislative
condition. In doing so, the then Acting CIO relied on an assessment of
a range of US-VISIT risk management documents, including a policy,
plan, periodic listings of high risks and related status reports, and
communications with department decision makers.
However, the certification does not fully satisfy the legislative
condition. Our analysis of the same risk management documents that the
certification is based on revealed key weaknesses:
* The US-VISIT risk management plan is not being effectively
implemented, which is also a weakness that we reported in February
2006.[Footnote 33] For example, of the 33 high risks identified as
being in or past the handling phase of the risk management process
[Footnote 34] in the February 6, 2008 risk inventory, 8 (about 24
percent) did not have a mitigation plan, and 19 (about 58 percent) did
not have a contingency plan. Moreover, considerable time has passed
without such plans being developed, in some cases more than 3 years.
According to the risk management plan, mitigation and contingency plans
should be developed for all high and medium risks once they have
reached the handling phase of the risk management process. (This
weakness is discussed in greater detail later in this briefing.)
* The US-VISIT process for managing risk does not contain thresholds
for elevating risks beyond the program office. Moreover, program
officials told us that an update to this process that is currently in
draft does not include such thresholds. Without thresholds, it is
unlikely that senior DHS officials will become aware of those risks
requiring their attention. In this regard, we reported in February 2006
[Footnote 35] that the thresholds for elevating risks to department
executives that were in place were not being applied. In August 2007,
[Footnote 36] we reported that these thresholds had been eliminated and
that no risks had been elevated to department executives since December
2005. During the following 32 months, only one risk was elevated beyond
the program office.
Condition 9:
Condition 9: The plan does not satisfy the condition that it include a
certification by the DHS Chief Human Capital Officer that the human
capital needs of the program are being strategically and proactively
managed, and that current human capital capabilities are sufficient to
execute the plans discussed in the report.
As we have previously reported,[Footnote 37] strategic management of
human capital is both a best practice and a provision in federal
guidance. Among other things, it involves proactive efforts to
understand an entity's future workforce needs, existing workforce
capabilities, and the gap between the two and charting a course of
action to define how this gap will be continuously addressed. By doing
so, agencies and programs can better ensure that they have the
requisite human capital capacity to execute agency and program plans.
On March 6, 2008, the DHS Chief Human Capital Officer certified that
the US-VISIT human capital strategic plan provides specific initiatives
to address the hiring, development, and retention of program employees,
and that a strategy exists to develop indicators to measure the
progress and results of these initiatives.
However, this certification
does not satisfy the legislative condition for two reasons.
* The certification does not address the strategic plan's
implementation, which is important because just having a human capital
strategic plan does not constitute strategic and proactive management
of the program's human capital.
* The certification does not address whether the current human capital
capabilities are sufficient to execute the expenditure plan. For
example, it does not recognize that US-VISIT is understaffed. We
reported in August 2007[Footnote 38] that the program office had 21
vacancies and had taken the interim step to address this shortfall by
temporarily assigning other staff to cover the vacant positions, and
planned to fill all the positions through aggressive recruitment. As of
July 2008, the program office reported having 23 vacancies, including
vacancies in leadership positions, such as the program's deputy
director. Since then, the program office reports that it has filled
nine of these vacancies.
Condition 10:
Condition 10: The plan does not satisfy the condition that it include a
complete schedule for the full implementation of a biometric exit
program or a certification that such a program is not possible within 5
years.
As we stated in our June 2007 testimony,[Footnote 39] a complete
schedule for the full deployment of an exit capability would specify,
at a minimum, what work will be done, by what entities, and at what
cost to define, acquire, deliver, deploy, and operate expected system
capabilities. A complete schedule is essential to ensuring that the
solution is developed and implemented effectively and efficiently.
The fiscal year 2008 plan does not contain either a complete schedule
for fully implementing biometric exit capabilities at air, sea, and
land POEs, or a statement that this cannot be completed within a 5-year
time frame. Rather, the plan contains a very high-level schedule that
only identifies five broadly-defined tasks, and a date by which each is
to be completed, as shown in the table on the following slide.
Table: Air/Sea/Land Biometric Exit Schedule-High Level:
Activity: Pilot closeout activities;
Date: September 28, 2007.
Activity: Air/Sea Exit outreach;
Date: December 31, 2008.
Activity: Air/Sea Exit planning;
Date: April 24, 2008.
Activity: Air/Sea Exit design;
Date: December 31, 2008.
Activity: Land border planning document;
Date: December 31, 2008.
Source: DHS data.
[End of table]
Such high-level milestones do not constitute a "complete schedule for
the full implementation of a biometric exit program," as requested by
the act, because they are not supported by the kind of verifiable
analysis and documentation that we have previously reported as
necessary for a reliable program schedule.[Footnote 40] For example,
these milestones do not include (1) decomposition of the program into a
work breakdown structure; (2) sequencing, integration, and resourcing
of each work element in the work breakdown structure; and (3)
identification of the critical path through the schedule of linked work
elements.
Condition 11:
Condition 11: The plan partially satisfies the condition that it
include a detailed accounting of operation and maintenance, contractor
services, and program management costs associated with the program.
[Footnote 41]
As we have previously reported,[Footnote 42] the purpose of the
expenditure plan is to provide Congress with sufficient information to
exercise effective oversight of US-VISIT and to hold DHS accountable
for results. To accomplish this, the act sought specific information
relative to planned US-VISIT spending for operations and maintenance,
contractor services, and program management.
Operations and Maintenance:
The fiscal year 2008 plan provides a decomposition of program
operations and maintenance costs according to functional areas of
activity, such as operations and maintenance of system applications,
data center operations, network/data communications, and IT services.
While this decomposition does satisfy the condition, it nevertheless
could be more informative if the costs were associated with specific
capabilities, systems, and services, such as the cost to operate and
maintain ADIS, IDENT, and iDSM.
Contractor Services:
The fiscal year 2008 plan does not separately identify the program's
costs for contractor services. According to program officials, such
services are embedded in other cost categories, such as Program
Staffing (which is a combination of government and contractor staff),
Prime Integrator, and Project Integration and Analysis. The one
exception is for the Provide Identity Management and Screening Services
broad core capability area, which identifies $15.8 million in
contractor services.
Program Management Costs:
The fiscal year 2008 plan states that program management costs will
total $115.2 million, and allocates them to items such as program
staffing ($46.2 million), planning and logistics ($14.3 million), prime
integrator ($33.5 million), and working capital and management reserve
($21.2 million). It also describes a number of program management
related initiatives, such as maturing program monitoring and control
processes, developing strategic plans and related policies, conducting
public information dissemination and outreach, and strengthening human
capital management and stakeholder training.
However, it does not allocate the $115.2 million to these initiatives.
For example, the plan does not describe what portion of the $115.2
million will be used to develop criteria for estimating life cycle
costs, which is one effort within the maturing program processes
initiative, or to properly align program management staffing to tasks
and rewrite position descriptions, which are efforts within
strengthening human capital management. In addition, the $115.2 million
does not include $11.6 million in contractor program management support
provided to specific projects, such as Air and Sea Exit. As a result,
total cost allocated to program management in fiscal year 2008 is
$126.8 million, which is similar to the program management costs we
reported in the fiscal year 2006 and 2007 expenditure plans. As we
previously reported,[Footnote 43] these levels of program management
costs represented a sizeable portion of the US-VISIT planned spending,
but were not adequately justified.
Condition 12:
Condition 12: We have reviewed the plan, thus satisfying the condition.
Our review was completed on September 15, 2008.
[End of Legislative Conditions section]
Objective 2: Observations:
Observation 1: Reliability of DHS Air and Sea Exit cost estimates is
not clear:
In developing its Air and Sea Exit NPRM, DHS is required to prepare a
written assessment of the costs, benefits, and other effects of its
proposal and a reasonable number of alternatives, and to adopt the
least costly, most cost-effective, or least burdensome among them. To
accomplish this, it is important that DHS have reliable cost estimates
for its proposed and alternative solutions.
However, the reliability of the estimates that DHS developed is not
clear because (1) DHS documents characterize the estimates as being by
definition rough and imprecise, but DHS officials that were responsible
for developing the estimates stated that this characterization is not
accurate, (2) our analysis of the estimates' satisfaction of estimating
best practices shows that while DHS satisfied some key practices, it
either did not fully satisfy others or it has yet to provide us with
documentation to determine whether still other practices were met, and
(3) data on certain variables pertaining to airline costs were not
available for inclusion in the estimates, and airlines report that
these costs were understated in the estimates.
DHS Documents and Program Officials Statements Characterizing the
Nature of the Estimates Are Not Consistent:
As noted earlier in this briefing, the NPRM and regulatory impact
analysis cite the estimated costs of each of the five alternatives that
were analyzed. For example, the impact analysis states that the
estimated cost of the proposed solution is $3.6 billion. Moreover, this
analysis states that each of the cost estimates are "rough order of
magnitude" estimates, meaning that they are by definition rough and
imprecise, to the point of being potentially understated by as much as
100 percent, and overstated by as much as 50 percent. Restated, this
means that the estimated cost of the proposed solution could be
anywhere from $1.8 billion to $7.2 billion.
According to DHS's analysis, these broad cost risk ranges were used to
reflect the degree to which Air and Sea Exit has been defined,
including the assumptions that had to be made about airline solution
configurations in the absence of airline data. According to GAO's Cost
Estimating Guide, rough order of magnitude estimates are used when few
details are available about the alternatives, and they should not be
considered budget-quality cost estimates. Accordingly, they should not
be viewed as sufficiently credible, accurate, or comprehensive to be
considered reliable for making informed choices among competing
investment options.
Notwithstanding the regulatory impact analysis' characterization of the
cost estimates as rough order of magnitude estimates, program officials
responsible for deriving the estimates stated that the estimates were
"mislabeled" in the analysis, and thus the risk ranges for the
estimates are overstated. They added that the estimates should have
been characterized as parametric and partial engineering estimates,
which would have produced much smaller risk ranges.
Available Documentation Shows Some Estimating Best Practices Were Met,
While Others Were Not:
GAO's Cost Estimating Guide identifies four characteristics of reliable
cost estimates and associates a number of estimating best practices
with each characteristic. The four characteristics of reliable cost
estimates are that they are well-documented, credible, comprehensive,
and accurate.
The cost estimates for the Air and Sea Exit alternatives satisfied a
number of the best practices in GAO's Cost Estimating Guide. For
example, the estimate's purpose and scope are clearly defined, the cost
team included experienced cost analysts, and the cost estimate included
a description of the cost estimation process, data sources, and
methods.
However, these cost estimates did not satisfy other best practices in
our guide. For example, the cost estimate was not compared to an
independent estimate and a technical baseline was not developed to
provide the underlying basis for this estimate. These are important
because the technical baseline provides a detailed technical, program,
and schedule description of the system to be developed, and thus is the
basis for the program and independent cost estimates. Additionally, an
independent estimate provides an unbiased check on the reliability of
the program's estimate.
Moreover, we have yet to receive documentation from DHS relative to
other best practices cited in the guide. For example, the guide
recognizes the importance of performing risk analyses that allow for
risks to be examined across the work breakdown structure so that the
uncertainties associated with individual work elements can be
determined, and risk levels can be assigned to each. According to the
regulatory impact analysis, a standard level 5 risk range (50 percent
below to 100 percent above) was used with the cost estimates because a
comprehensive risk analysis had not been done. Program officials told
us, however, that a risk analysis was performed, but we have yet to
receive it. Further, we have yet to receive evidence showing that all
relevant costs were addressed, such as the cost of spare, refreshed,
and updated equipment and technology.
Estimates May Not Include Major Cost Elements:
The regulatory impact analysis states that data on several variables
were not available for inclusion in the analysis, including estimates
for burden to carriers and travelers. Of the 56 airlines and airline
associations that provided comments on the NPRM, 21 commented that
DHS's cost estimate for its proposed solution was understated because
it did not adequately reflect the burden to carriers. In particular,
the International Air Transport Association commented that the proposed
solution could cost the air carriers as much as $12.3 billion over 10
years. According to this association, its estimate was developed in
collaboration with airlines, network service providers, and hardware
manufacturers. The association attributed the understatement of DHS's
estimate to its omission of relevant costs for data transmission,
secure networks, and secure data warehouses. Specifically, it stated
that:
* transmission requirements for biometric data would be between 350 and
800 times greater than what the airlines currently use for the
transmission of biographic and manifest text data (between 31 and 128
megabytes of information for each international flight versus about 100
kilobytes currently transferred);
* secure networks required for transmission of biometric data would
need to be installed between the airports and the airlines' departure
control systems because they currently do not exist (estimated to cost
about $150 million over 10 years); and
* secure data warehouses for biometric data storage would need to be
installed to store the data prior to transmission to DHS (estimated to
cost about $1 billion to operate over 10 years).
In addition, United Airlines commented that its start-up costs would be
about $21.8 million. It also commented that DHS's cost estimate does
not include the cost of additional traveler burden, which they
estimated to be about $30 per hour. According to United Airlines,
passenger time is potentially the highest cost element with as many as
50 million persons being affected by queuing, congested space, and
flight delays. DHS's regulatory impact analysis acknowledges the
omission of the cost of additional travel burden and the impact on the
cost to each carrier's business processes.
Further, Air Canada Jazz, a regional airline, commented that because
the requirement for airline personnel to collect biometric data is
beyond the scope of duties outlined in current collective agreements,
it would have to renegotiate its agreements to add these duties.
Observation 2: DHS reports that proposed solution would provide less
security and privacy than other alternatives:
Adequate security and privacy controls are needed to assure that
personally identifiable information is secured against unauthorized
access, use, disclosure, or retention. Such controls are especially
needed for government agencies, where maintaining public trust is
essential. In the case of US-VISIT, one of its stated goals is to
protect the security and privacy of U.S. citizens and visitors.
However, DHS's proposed solution would have more privacy and security
risks than alternative solutions. According to the NPRM, having
carriers collect the biometric information is less secure than
alternatives where DHS collects the information, regardless of the
information collection point. Moreover, it states that information that
is in the sole custody of one entity (e.g., DHS) is less likely to be
compromised than information passed from private carriers to DHS.
Similarly, the NPRM states that the degree of confidence in compliance
with privacy requirements is lower when DHS does not maintain full
custody of personally identifiable information.
Further, the privacy impact assessment that DHS prepared for Air and
Sea Exit states that carrier custody of personally identifiable
information introduces vulnerabilities, including inadequate
information security and data integrity, and it concludes that this
could impact travelers in several ways, such as travel inconveniences,
subsequent denial of admission to the United States based on faulty
data, or misuse of personally identifiable information. In fact, the
privacy impact assessment rated misuse of personally identifiable
information as a high risk under the proposed solution due to the
serious impact that misuse of personally identifiable information would
have on both the individual traveler and the integrity of US-VISIT.
According to the NPRM, these privacy and security risks will be
addressed in two ways. First, DHS will require carriers to ensure that
their systems and transmission methods of biometric data meet DHS
technical, security and privacy requirements to be established in
guidance and issued in conjunction with the final rule. However, it is
unclear how DHS will ensure that the guidance is effectively
implemented. Second, when the data are received by DHS, the NPRM states
that it will be protected in accordance with a robust privacy and
security program. However, we recently reported[Footnote 44] that the
systems supporting US-VISIT have significant information security
weaknesses that place sensitive and personally identifiable information
at increased risk of unauthorized and possibly undetected disclosure
and modification, misuse, and destruction.
Observation 3: Public comments on the NPRM raise a range of additional
concerns:
As noted earlier, 91 entities, including the airline, trade, and travel
industries, and federal, state, and foreign governments, commented on
the Air and Sea Exit proposal. In addition to the comments discussed
earlier relative to the reliability of the cost estimates and the
security and privacy implications of a carrier-implemented solution, a
number of other comments were provided that raise further concerns and
questions about the proposed solution. Specifically, the entities
provided the following comments:
* According to some carriers, DHS has yet to provide technical
requirements for the carriers to meet in delivering their respective
parts of the proposed solution. In particular, the NPRM stated that
carriers will be required to comply with the DHS Consolidated User's
Guide. However, they stated that this guide does not define, for
example, how biometric images are to be incorporated into the existing
message format used for APIS transmissions. Similarly, the NPRM states
that all biometric data transmissions would be bound by existing
regulations, including the FBI's Criminal Justice Information Services
Electronic Transmission Specifications. However, carriers stated that
these specifications had not been made available.
* According to some of the carriers, DHS's proposed solution conflicts
with air and vessel carrier passenger processing improvements.
Requiring passenger-agent contact goes against recent simplifications
to carriers' business models in which new technologies are being
introduced to eliminate time-consuming passenger-agent interactions.
For example, most airlines and cruise ships allow passengers to confirm
arrival and check-in online prior to entering the airport or sea
terminal, or to check in and print a boarding pass at a kiosk. These
carriers commented that the passenger-agent contact required under the
NPRM is at odds with this evolution in business processes and will slow
down the travel process, delay flights, and make air and sea ports more
crowded. According to one carrier's estimates, the proposed solution
will add 1 to 2 minutes processing time per passenger, which will
collectively add an estimated 3 to 5 hours per flight. While the
regulatory impact analysis projected flight delays to be less lengthy,
it nevertheless acknowledged that most travelers would be delayed by
about 50 minutes. A number of entities said that such significant
delays will cause foreign travelers to vacation elsewhere.
* According to several airlines and airline associations, DHS's
proposed solution is not fully integrated with other border screening
programs involving air carriers. DHS has recently issued proposed or
final rules for four DHS programs,[Footnote 45] and each of these
require or propose requiring carriers to collect and transmit
additional data in 2008 and 2009. As such, these organizations viewed
the four as duplicative (require very similar data) and inefficient
(use different transmission methods), and claimed that DHS's sequential
introduction of these programs will require carriers to undertake
separate and repeated system development and employee training efforts
that will impact their operations.
* According to several carriers, DHS did not involve the stakeholders
in this rulemaking process as it had in previous rulemaking efforts.
Carriers stated that for US-VISIT entry and the Advance Passenger
Information System-Quick Query, which is about to be deployed, they
were involved in developing a solution, but for US-VISIT exit, they
were not.
Observation 4: US-VISIT risk management database shows that some risks
have not been effectively managed:
Proactively managing program risks is a key acquisition management
control and, if defined and implemented properly, it can increase the
chances of programs delivering promised capabilities and benefits on
time and within budget. To its credit, the program office has defined a
risk management plan and related process that is consistent with
relevant guidance. However, its own risk database shows that not all
risks have been proactively mitigated. As we have previously reported,
[Footnote 46] not proactively mitigating risks increases the chances
that risks become actual cost, schedule, and performance problems.
Federal guidance and related best practices[Footnote 47] advocate
identifying facts and circumstances that can increase the probability
of a program failing to meet cost, schedule, and performance
commitments and then taking steps to reduce the probability of their
occurrence and impact. Among other things, effective risk management
includes (1) establishing a written plan for managing risks; (2)
designating responsibility for risk management activities; (3) defining
and implementing a process that provides for identifying, analyzing,
and mitigating risks; and (4) periodically examining the status of
identified risks and their mitigation. The US-VISIT Risk Management
Plan defines a five-step process for managing program risks, as
illustrated in the figure.
Figure: Five-step process for managing program risks:
[Refer to PDF for image]
1) Prepare for risk management;
2) Risk identification;
3) Risk analysis;
4) Risk handling;
5) Risk monitoring and control.
[End of figure]
Within each of these steps, the plan defines a number of activities
that are consistent with federal guidance and related best practices.
For example,
* In the preparation phase, each project office is to develop a
strategy for managing risk that includes, among other things, the scope
of the project risks to be addressed and the risk management tools to
be used.
* In the risk identification phase, risks are to be identified in as
much detail as possible and a risk owner is to be designated.
* In the risk analysis phase, the estimated probability of occurrence
and impact on the program or project of each risk is to be determined
and used to assign a priority (high, medium, or low).
* In the risk handling phase, detailed mitigation and contingency plans
are to be prepared for all medium-and-high priority risks as early as
possible.
* In the risk monitoring phase, the status of risk mitigation and
contingency plans is to be tracked, and decisions are to be reached as
to whether to close a risk or to designate it as a realized issue
(i.e., actual problem).
However, the program office's own data show that it is not following
its Risk Management Plan. Specifically, of the list of 39 high-priority
risks provided to the DHS CIO to support the earlier described risk
management-related expenditure plan certification, the program office
reported that 6 were in the analysis phase, 9 were in the handling
phase, 13 were in the monitoring phase, and 11 were now realized and
became program issues. Our analysis shows that of the 13 risks in the
monitoring phase, 6 did not have contingency plans and 1 did not have a
mitigation plan, even though both plans were to have been developed in
the prior phase. Further, of the 11 risks that had been realized, none
were included in the list of program issues provided to the DHS CIO.
Further, many of these risks had not had mitigation and/or contingency
plans developed in a time frame that can be considered either "as early
as possible" or timely. In fact, some risks had been open for over 3
years without having such plans. For example, of the six risks in the
monitoring phase without at least one of the two required plans, one
risk had been open for 1212 days (about 3 years and 3 months) without a
mitigation plan, and the median number of days that risks in this phase
had gone without one or both of these plans was 178 (about 6 months).
The chance of risks becoming actual problems and impacting the program
is increased by not having mitigation and contingency plans. This is
evident by the fact that of the 11 high risks that the program office
reported at the time as having become realized issues (actual
problems), all were missing mitigation and/or contingency plans, and
the median number of days these 11 had gone without these plans was 299
(see table below).
Table: Risks without mitigation and/or contingency plans:
Management step: Handle (6 risks);
Days the risk has been open (as of February 6, 2008), Minimum: 22;
Days the risk has been open (as of February 6, 2008), Maximum: 652;
Days the risk has been open (as of February 6, 2008), Median: 230.
Management step: Monitor (6 risks);
Days the risk has been open (as of February 6, 2008), Minimum: 2;
Days the risk has been open (as of February 6, 2008), Maximum: 1212;
Days the risk has been open (as of February 6, 2008), Median: 178.
Management step: Realized (11 risks);
Days the risk has been open (as of February 6, 2008), Minimum: 19;
Days the risk has been open (as of February 6, 2008), Maximum: 1204;
Days the risk has been open (as of February 6, 2008), Median: 299.
[End of table]
Our analysis of a more recent risk listing confirmed that this pattern
has continued. Specifically, the July 3, 2008, risk listing contained
34 high-priority risks, of which none were in the analysis phase, 10
were in the handling phase, 12 were in the monitoring phase, and 12
were now realized and became program issues. However, 6 of the 12 risks
in the monitoring phase, for example, did not have contingency plans
and 3 of these 6 did not have mitigation plans. Moreover, some of the
risks in either the monitoring phase or the realized phase have not had
mitigation and/or contingency plans for more than 3½ years (see table
below).
Table: Risks without mitigation and/or contingency plans:
Management step: Handle (7 risks);
Days the risk has been open (as of February 6, 2008), Minimum: 114;
Days the risk has been open (as of February 6, 2008), Maximum: 800;
Days the risk has been open (as of February 6, 2008), Median: 260.
Management step: Monitor (6 risks);
Days the risk has been open (as of February 6, 2008), Minimum: 4;
Days the risk has been open (as of February 6, 2008), Maximum: 1360;
Days the risk has been open (as of February 6, 2008), Median: 78.5.
Management step: Realized (11 risks);
Days the risk has been open (as of February 6, 2008), Minimum: 77;
Days the risk has been open (as of February 6, 2008), Maximum: 1352;
Days the risk has been open (as of February 6, 2008), Median: 821.
Source: GAO analysis of DHS data.
[End of table]
The absence of timely risk mitigation and contingency planning is
exacerbated by the fact that these are high risks which, according to
the Risk Management Plan, means that there is at least a 41 percent
chance they will significantly affect critical cost, schedule, and
performance baselines. By not effectively managing key program risks,
the program office is unnecessarily increasing its chances of
experiencing actual cost, schedule, and performance problems, and will
be less likely to be able to deliver system capabilities on time and
within budget.
Observation 5: Significance of task order 7 schedule variances has
been minimized by frequent rebaselining:
According to the GAO Cost Assessment Guide,[Footnote 48] rebaselining
should occur very rarely, as infrequently as once in the life of a
program or project and only when a schedule variance is significant
enough to limit its utility as a predictor of future schedule
performance.
For task order 7, the largest task order,[Footnote 49] which provides
for development and deployment of new capabilities (e.g., Unique
Identity and Biometric Solutions Delivery), the program office has
rebaselined its schedule twice in the last 2 years: first in October
2006, when the task order had a negative schedule variance of $958,216,
and then in October 2007, when the negative schedule variance for
Unique Identity and Biometric Solutions was $4.1 million. Since this
last rebaselining, the program office reports a negative variance
through May 2008 of $3.5 million. Without the rebaselinings, this would
have amounted to a $7.2 million schedule variance. The graphic on the
next slide shows the cumulative schedule variance with and without the
rebaselining.
Figure: Cumulative Schedule Variance, TO7 (Biometric Solutions + Unique
ID):
[Refer to PDF for image]
This figure is a multiple line graph depicting the Cumulative Schedule
Variance. The vertical axis of the graph represents Schedule variance
in millions of dollars. The horizontal axis of the graph represents a
series of dates from July 2006 to June 2008.
Date: September 2006;
Rebaseline: -$.958;
Cumulative Schedule Variance without rebaseline: -$.958.
Date: October 2006;
Rebaseline: 0.0;
Cumulative Schedule Variance without rebaseline: -$.958.
Date: November 2006;
Rebaseline: -$0.227;
Cumulative Schedule Variance without rebaseline: -$1.185.
Date: December 2006;
Rebaseline: -$0.332;
Cumulative Schedule Variance without rebaseline: -$1.290.
Date: January 2007;
Rebaseline: -$0.369;
Cumulative Schedule Variance without rebaseline: -$1.327.
Date: February 2007;
Rebaseline: -$0.384;
Cumulative Schedule Variance without rebaseline: -$1.343.
Date: March 2007;
Rebaseline: -$0.170;
Cumulative Schedule Variance without rebaseline: -$1.128.
Date: April 2007;
Rebaseline: -$0.220;
Cumulative Schedule Variance without rebaseline: -$1.179.
Date: May 2007;
Rebaseline: -$0.825;
Cumulative Schedule Variance without rebaseline: -$1.783.
Date: June 2007;
Rebaseline: -$1.674;
Cumulative Schedule Variance without rebaseline: -$2.632.
Date: July 2007;
Rebaseline: -$3.052;
Cumulative Schedule Variance without rebaseline: -$4.010.
Date: August 2007;
Rebaseline: -$3.675;
Cumulative Schedule Variance without rebaseline: -$4.634.
Date: September 2007;
Rebaseline: -$4.128;
Cumulative Schedule Variance without rebaseline: -$5.086.
Date: October 2007;
Rebaseline: -$1.390;
Cumulative Schedule Variance without rebaseline: -$5.086.
Date: November 2007;
Rebaseline: -$1.679;
Cumulative Schedule Variance without rebaseline: -$5.375.
Date: December 2007;
Rebaseline: -$1.304;
Cumulative Schedule Variance without rebaseline: -$5.001.
Date: January 2008;
Rebaseline: -$2.081;
Cumulative Schedule Variance without rebaseline: -$5.778.
Date: February 2008;
Rebaseline: -$3.128;
Cumulative Schedule Variance without rebaseline: -$6.824.
Date: March 2008;
Rebaseline: -$3.168;
Cumulative Schedule Variance without rebaseline: -$6.865.
Date: April 2008;
Rebaseline: -$3.554;
Cumulative Schedule Variance without rebaseline: -$7.251.
Date: May 2008;
Rebaseline: -$3.500;
Cumulative Schedule Variance without rebaseline: -$7.197.
[End of figure]
As the graphic shows, frequent rebaselining does not adequately
disclose the potential extent of the shortfall in meeting the baseline.
Given that EVM reporting is to alert management to magnitude and
significance of potential problems sooner rather than later, this
practice does not adequately support informed program decision making.
Moreover, it is an indicator of the limitations in the baselines being
set. According to program officials, these schedule variances are due
to (1) increases in scope of the work, such as the addition of new
requirements and (2) underestimating the complexity and difficulty of
the work to be completed (i.e., limitations in the schedule baseline).
[End of Observations section]
Conclusions:
DHS has not adequately met the conditions associated with its
legislatively mandated fiscal year 2008 US-VISIT expenditure plan. The
plan does not fully satisfy any of the conditions that apply to DHS,
either because it does not address key aspects of the condition or
because what it does address is not adequately supported or is
otherwise not reflective of known program weaknesses. Given that the
legislative conditions are intended to promote the delivery of promised
system capabilities and value, on time and within budget, and to
provide Congress with an oversight and accountability tool, these
expenditure plan limitations are significant.
Beyond the expenditure plan, other program planning and execution
limitations and weaknesses also confront DHS in its quest to deliver
US-VISIT capabilities and value in a timely and cost-effective manner.
Most notably, DHS has proposed a solution for a long-awaited exit
capability, but it is not clear if the cost estimates used to justify
it are sufficiently reliable to do so. DHS itself has reported that the
proposed solution provides less security and privacy than other
alternatives analyzed, and the proposed solution is being challenged by
those responsible for implementing it. Further, DHS's ability to
measure program performance and progress, and thus be positioned to
address cost and schedule shortfalls in a timely manner, is hampered by
weaknesses in the prime contractor's implementation of EVM. Each of
these program planning and execution limitations and weaknesses
introduces risk to the program.
In addition, DHS is not effectively managing the program's risks, as
evidenced by the program office's risk database showing that known
risks are being allowed to go years without risk mitigation and
contingency plans. Overall, while DHS has taken steps to implement a
significant percentage of our prior recommendations aimed at improving
management of US-VISIT, additional management improvements are needed
to effectively define, justify, and deliver a system solution that
meets program goals, reflects stakeholder input, minimizes exposure to
risk, and provides Congress with the means by which to oversee program
execution. Until these steps are taken, US-VISIT program performance,
transparency, and accountability will suffer.
[End of conclusions section]
Recommendations for Executive Action:
To assist DHS in planning and executing US-VISIT, we recommend that the
Secretary of Homeland Security direct the department's Investment
Review Board to immediately hold a review of the US-VISIT program that,
at a minimum, addresses:
* The reasons for the fiscal year 2008 expenditure plan not fully
addressing each of the legislative conditions and corrective action to
ensure that this does not occur for future expenditure plans;
* The adequacy of the basis for any future Air and Sea Exit solution,
including the reliability of cost estimates, implication of privacy and
security issues, and addressing key concerns raised in comments to the
proposed rule;
* The weaknesses in the program's implementation of risk management; and
* The weaknesses in the prime contractor's implementation of earned
value management, including the limitations in the quality of the
schedule baselines and the schedule variance measurements.
We further recommend that the Secretary of Homeland Security report the
results of this Investment Review Board review to Congress.
[End of Recommendations for Executive Action section]
Agency Comments and Our Evaluation:
We provided a draft of this briefing to DHS officials, including the
Director of US-VISIT. In their oral comments on the draft, these
officials did not state whether they agreed or not with our findings,
conclusions, or recommendations. They did, however, provide a range of
technical comments, which we have incorporated in the briefing, as
appropriate. They also sought clarification on our scope and
methodology, which we have also incorporated in the briefing.
[End of Agency Comments and Our Evaluation]
Attachment 1: Objectives, Scope and Methodology:
Our objectives were to (1) determine whether the plan satisfies the
legislative conditions specified in the fiscal year 2008 Consolidated
Appropriations Act, and (2) provide observations about the expenditure
plan and management of US-VISIT. Information on scope and methodology
for each objective follows:
To accomplish conditions 1, 2, 3, 10 and 11 of our first objective, we
determined whether the plan[Footnote 50] satisfies, partially
satisfies, or does not satisfy the conditions based on the extent to
which the plan addresses all aspects of the applicable condition, as
specified in the act. Specifically,
* For condition 1, we compared information in the fiscal year 2008
expenditure plan to previous expenditure plans to determine whether the
current plan provided a detailed accounting of the program's progress
to date related to systems capabilities or services, system performance
levels, mission benefits and outcomes, milestones, cost targets, and
program management capabilities;
* For condition 2, we reviewed the fiscal year 2008 expenditure plan to
determine whether it contained an explicit plan of action defining how
all funds were to be obligated to meet future commitments, with funds
linked to the milestone-based delivery of specific capabilities,
services, system performance levels, mission benefits and outcomes, and
program management capabilities;
* For condition 3, we reviewed and analyzed information in the fiscal
year 2008 expenditure plan, US-VISIT's most recent status reports on
the implementation of our open recommendations, and related key
documents (e.g., the program's product test plans, capacity management
plan, configuration management plan, and cost estimation process),
augmented as appropriate by interviews with program officials to
determine whether the expenditure plan contained a listing of all open
GAO and OIG recommendations and the status of DHS actions to address
them, including milestones;
* For condition 10, we reviewed the fiscal year 2008 expenditure plan
to determine whether it contained a schedule for the full
implementation of a biometric exit capability that fully defines, at a
minimum, what work will be done, by what entities, and at what cost to
define, acquire, deliver, deploy, and operate expected system
capabilities; and
* For condition 11, we reviewed the fiscal year 2008 expenditure plan
to determine whether it contained a detailed accounting of all
operation and maintenance, contractor services, and program management
costs associated with management of the program. For this condition, we
obtained clarification from staff from the House and Senate
Appropriations Subcommittees on Homeland Security to ensure that our
assessment met their intent. As a result, we have modified the wording
slightly from what was in the Act.
To accomplish conditions 4, 5, 6, 7, 8, and 9 of objective 1, we
determined whether the plan satisfies, partially satisfies, or does not
satisfy the conditions based on the extent to which the applicable
certification letter contained in the plan (a) addresses all aspects of
each condition, as specified in the act, (b) is sufficiently supported
by documented and verifiable analysis, (c) contains significant
qualifications, and (d) is otherwise consistent with our related
findings.
* For condition 4, we reviewed the DHS certification and supporting
documentation for US-VISIT's capital planning and investment controls,
including US-VISIT's most recent OMB submission and documents related
to the milestone decision point 1 and 2 approvals, to determine whether
a sufficient basis existed for the certification;
* For condition 5, we reviewed the DHS certification for the
independent verification and validation agent and analyzed supporting
documentation, such as DHS's assessment of US-VISIT's independent
verification and validation efforts, to determine whether a sufficient
basis existed for the certification;
* For condition 6, we reviewed the DHS certification that the US-VISIT
architecture is sufficiently aligned with the DHS EA, and assessed
supporting documentation, including US-VISIT program documents against
the DHS EA 2007, and criteria in DHS's Investment Review Process and
DHS's EA Governance Process Guide to determine whether a sufficient
basis existed for the certification;
* For condition 7, we reviewed the DHS certification that the plans for
the US-VISIT program comply with federal acquisition rules, guidelines,
and practices, and analyzed supporting documentation, such as DHS's
assessment of US-VISIT's contracts, to determine whether there was a
sufficient basis for the certification;
* For condition 8, we reviewed the DHS certification that US-VISIT has
a risk management process that identifies, evaluates, mitigates, and
monitors risks throughout the life cycle, and communicates high risks
to the appropriate managers at the US-VISIT program and DHS levels. We
also analyzed the most current US-VISIT risk management plan, risk
lists, and risk meeting minutes, to determine whether there was a
sufficient basis for the certification; and
* For condition 9, we reviewed the DHS certification that the human
capital needs of the US-VISIT program were being strategically and
proactively managed, and analyzed supporting documentation, such as
US-VISIT's Human Capital Strategic Plan, to determine whether there was a
sufficient basis for the certification.
To accomplish our second objective, we reviewed the fiscal year 2008
plan and other available program documentation related to US-VISIT's
plans for deploying a biometric exit capability, US-VISIT's use of
earned value management, and US-VISIT's implementation of risk
management. In doing so, we examined planned and completed actions and
steps, including program officials' stated commitments to perform them.
For earned value management, we reported data provided by the
contractor to US-VISIT that is verified by US-VISIT. To assess its
reliability, we reviewed relevant documentation and interviewed the
system owner for the earned value data. More specifically, we addressed
US-VISIT efforts to:
* define and implement an exit strategy for air, sea, and land by
reviewing and analyzing information provided as part of the expenditure
plan; the notice of proposed rulemaking for air and sea exit; the
regulatory impact analysis and privacy impact assessment for air and
sea exit; and comments made to the notice of proposed rule for air and
sea exit;[Footnote 51]
* track and manage cost and schedule commitments by applying
established earned value analysis techniques to baseline and actual
performance data from cost performance reports;[Footnote 52] and
* define and implement a risk management process that addresses the
identification, analysis, evaluation, and monitoring of risks by
reviewing the risk management policy, risk management plan, active and
high risk lists, risk meeting minutes, and a risk elevation memorandum.
Additionally, in February 2007, we reported[Footnote 53] that the
system that US-VISIT uses to manage its finances (U.S. Immigration and
Customs Enforcement's Federal Financial Management System) has
reliability issues. In light of these issues, the US-VISIT Budget
Office tracks program obligations and expenditures separately using a
spreadsheet and comparing this spreadsheet to the information in
Federal Financial Management System. Based on a review of this
spreadsheet, there is reasonable assurance that the US-VISIT budget
numbers being reported by Federal Financial Management System are
accurate.
For DHS-provided data that our reporting commitments did not permit us
to substantiate, we have made appropriate attribution indicating the
data's source.
[End of Attachment 1]
Attachment 2: Related GAO Products List:
Homeland Security: Strategic Solution for US-VISIT Program Needs to Be
Better Defined, Justified, and Coordinated. [hyperlink,
http://www.gao.gov/products/GAO-08-361]. Washington, D.C.: February 29,
2008.
Homeland Security: U.S. Visitor and Immigrant Status Program's
Long-standing Lack of Strategic Direction and Management Controls Needs to
be Addressed. [hyperlink, http://www.gao.gov/products/GAO-07-1065].
Washington, D.C.: August 31, 2007.
Homeland Security: DHS Enterprise Architecture Continues to Evolve But
Improvements Needed. [hyperlink,
http://www.gao.gov/products/GAO-07-564]. Washington, D.C.: May 9, 2007.
Homeland Security: US-VISIT Program Faces Operational, Technological,
and Management Challenges. [hyperlink,
http://www.gao.gov/products/GAO-07-632T]. Washington D.C.: March 20,
2007.
Homeland Security: US-VISIT Has Not Fully Met Expectations and
Longstanding Program Management Challenges Need to Be Addressed.
[hyperlink, http://www.gao.gov/products/GAO-07-499T]. Washington, D.C.:
February 16, 2007.
Homeland Security: Planned Expenditures for U.S. Visitor and Immigrant
Status Program Need to Be Adequately Defined and Justified. [hyperlink,
http://www.gao.gov/products/GAO-07-278]. Washington, D.C.: February 14,
2007.
Border Security: US-VISIT Program Faces Strategic, Operational, and
Technological Challenges at Land Ports of Entry. [hyperlink,
http://www.gao.gov/products/GAO-07-378T]. Washington, D.C.: January 31,
2007.
Border Security: US-VISIT Program Faces Strategic, Operational, and
Technological Challenges at Land Ports of Entry. [hyperlink,
http://www.gao.gov/products/GAO-07-248]. Washington, D.C.: December 6,
2006.
Homeland Security: Contract Management and Oversight for Visitor and
Immigrant Status Program Need to Be Strengthened. [hyperlink,
http://www.gao.gov/products/GAO-06-404]. Washington, D.C.: June 9,
2006.
Homeland Security: Progress Continues, but Challenges Remain on
Department's Management of Information Technology. [hyperlink,
http://www.gao.gov/products/GAO-06-598T]. Washington, D.C.: March 29,
2006.
Homeland Security: Recommendations to Improve Management of Key Border
Security Program Need to Be Implemented. [hyperlink,
http://www.gao.gov/products/GAO-06-296]. Washington, D.C.: February 14,
2006.
Homeland Security: Visitor and Immigrant Status Program Operating, but
Management Improvements Are Still Needed. [hyperlink,
http://www.gao.gov/products/GAO-06-318T]. Washington, D.C.: January 25,
2006.
Information Security: Department of Homeland Security Needs to Fully
Implement Its Security Program. [hyperlink,
http://www.gao.gov/products/GAO-05-700]. Washington, D.C.: June 17,
2005.
Information Technology: Customs Automated Commercial Environment
Program Progressing, but Need for Management Improvements Continues.
[hyperlink, http://www.gao.gov/products/GAO-05-267]. Washington, D.C.:
March 14, 2005.
Homeland Security: Some Progress Made, but Many Challenges Remain on
U.S. Visitor and Immigrant Status Indicator Technology Program.
[hyperlink, http://www.gao.gov/products/GAO-05-202]. Washington, D.C.:
February 23, 2005.
Border Security: State Department Rollout of Biometric Visas on
Schedule, but Guidance Is Lagging. [hyperlink,
http://www.gao.gov/products/GAO-04-1001]. Washington, D.C.: September
9, 2004.
Border Security: Joint, Coordinated Actions by State and DHS Needed to
Guide Biometric Visas and Related Programs. [hyperlink,
http://www.gao.gov/products/GAO-04-1080T]. Washington, D.C.: September
9, 2004.
Homeland Security: First Phase of Visitor and Immigration Status
Program Operating, but Improvements Needed. [hyperlink,
http://www.gao.gov/products/GAO-04-586]. Washington, D.C.: May 11,
2004.
Homeland Security: Risks Facing Key Border and Transportation Security
Program Need to Be Addressed. [hyperlink,
http://www.gao.gov/products/GAO-04-569T]. Washington, D.C.: March 18,
2004.
Homeland Security: Risks Facing Key Border and Transportation Security
Program Need to Be Addressed. [hyperlink,
http://www.gao.gov/products/GAO-03-1083]. Washington, D.C.: September
19, 2003.
Information Technology: Homeland Security Needs to Improve Entry Exit
System Expenditure Planning. [hyperlink,
http://www.gao.gov/products/GAO-03-563]. Washington, D.C.: June 9,
2003.
[End of Attachment 2]
Attachment 3: Detailed Description of Increments and Component Systems:
Description of the processes underlying each increment and the systems
that provide information to US-VISIT.
Increment 1 processes: Increment 1 includes the following five processes
at air and sea ports of entry (POE): pre-entry, entry, status
management, exit, and analysis, which are depicted in the graphic
below.
Figure: Increment 1 processes:
The following information is illustrated:
Pre-entry: occurs at Embassy or consulate;
Entry: via air, sea, automobile, or on foot;
Status: monitored throughout the nation;
Exit: via air, sea, automobile, or on foot;
Analysis: occurs throughout the entire process.
Source: GAO analysis of US-VISIT data, Nova Development Corp.
(clipart).
[End of figure]
Pre-entry process:
Pre-entry processing begins with initial petitions for visas, grants of
visa status, or the issuance of travel documentation. When a foreign
national applies for a visa at a U.S. consulate, biographic and
biometric data are collected and shared with border management
agencies. The biometric data[Footnote 54] are transmitted from the
Department of State (State) to the Department of Homeland Security
(DHS), where the fingerprints are run against the Automated Biometric
Identification System (IDENT) to verify identity and to run a check
against the biometric watch list. The results of the biometric check
are transmitted back to State. A "hit" response prevents State's system
from printing a visa for the applicant until the information is cleared
by a consular officer.
Pre-entry also includes transmission by
commercial air and sea carriers of crew and passenger manifests before
arriving in the United States.[Footnote 55] These manifests are
transmitted through the Advance Passenger Information System (APIS).
The APIS lists are run against the biographic lookout system and
identify those arrivals who have biometric data available. In addition,
POEs review the APIS list in order to identify foreign nationals who
need to be scrutinized more closely.
Entry process:
When the foreign national arrives at a primary POE inspection booth,
the inspector, using a document reader, scans the machine-readable
travel documents. APIS returns any existing records on the foreign
national to the CBP primary inspection workstation screen, including
manifest data matches and biographic lookout hits. When a match is
found in the manifest data, the foreign national's name is highlighted
and outlined on the manifest data portion of the screen.
Biographic
information, such as name and date of birth, is displayed on the bottom
of the computer screen,[Footnote 56] as well as the photograph from
State's Consular Consolidated Database. The inspector at the booth
scans the foreign national's fingerprints and takes a digital
photograph. This information is forwarded to the IDENT database, where
it is checked against stored fingerprints in the IDENT lookout
database.
If no prints are currently found in IDENT, the foreign national is
enrolled in US-VISIT (i.e., biographic and biometric data are entered).
If the foreign national's fingerprints are already in IDENT, the system
performs a match (a comparison of the fingerprints captured during the
primary inspection to the ones on file) to verify that the person
submitting the fingerprints is the person on file. If the system finds
a mismatch of fingerprints or a watch list hit, the foreign national is
sent to an inspection booth for further screening or processing.
While the system is checking the fingerprints, the inspector questions
the foreign national about the purpose of his or her travel and length
of stay. The inspector adds the class of admission and duration of stay
information into the Treasury Enforcement Communications System (TECS),
and stamps the "admit until" date on the Form I-94. If the foreign
national is ultimately determined to be inadmissible, the person is
detained, lookouts are posted in the databases, and appropriate actions
are taken.
Within 2 hours after a flight lands and all passengers have been
processed, TECS is to send the Arrival and Departure Information System
(ADIS) the records showing the class of admission and the "admit until"
dates that were modified by the inspector.
Status management process:
The status management process manages the foreign national's temporary
presence in the United States, including the adjudication of benefits
applications and investigations into possible violations of immigration
regulations.
Commercial air and sea carriers transmit departure manifests
electronically for each departing passenger. These manifests are
transmitted through APIS and shared with ADIS. ADIS matches entry and
exit manifest data to ensure that each record showing a foreign
national entering the United States is matched with a record showing
the foreign national exiting the United States. ADIS maintains a status
indicator for each traveler and computes the number of overstay days a
visitor remains beyond their original entry duration.
ADIS also provides the ability to run queries on foreign nationals who
have entry information but no corresponding exit information.
ADIS receives status information from the Computer Linked Application
Information Management System and the Student and Exchange Visitor
Information System on foreign nationals.
Exit process:
The exit process includes the carriers' electronic submission of
departure manifest data to APIS. This biographic information is passed
to ADIS, where it is matched against entry information.
Analysis:
An ongoing analysis capability is to provide for the continuous
screening against watch lists of individuals enrolled in US-VISIT for
appropriate reporting and action. As more entry and exit information
becomes available, it is to be used to analyze traffic volume and
patterns as well as to perform risk assessments. The analysis is to be
used to support resource and staffing projections across the POEs,
strategic planning for integrated border management analysis performed
by the intelligence community, and determination of travel use levels
and expedited traveler programs.
Increment 2B and Increment 3 processes:
Increments 2B and 3 deployed US-VISIT entry processing capabilities to
land POEs. These two increments are similar to Increment 1 (air and sea
POEs), with several noteworthy differences.
* No advance passenger information is available to the inspector before
the traveler arrives for inspection.
* Travelers subject to US-VISIT are processed at secondary inspection,
rather than at primary inspection.
* Inspectors' workstations use a single screen, which eliminates the
need to switch between the TECS and IDENT screens.
* Form I-94 data are captured electronically. The form is populated by
data obtained when the machine-readable zone of the travel document is
swiped. If visa information about the traveler exists in the Datashare
database,[Footnote 57] it is used to populate the form. Fields that
cannot be populated electronically are manually entered. A copy of the
completed form is printed and given to the traveler for use upon exit.
* No electronic exit information is captured.
Component systems:
US-VISIT Increments 1 through 3 include the interfacing and integration
of existing systems and, with Increment 2C, the creation of a new
system. The three main existing systems are as follows:
Arrival and Departure Information System (ADIS) stores:
* non-citizen traveler arrival and departure data received from air and
sea carrier manifests,
* arrival data captured by CBP officers at air and sea POEs,
* Form I-94 issuance data captured by CBP officers at Increment 2B land
POEs,
* Form I-94 data captured at air and sea ports of entry, and
* status update information provided by the Student and Exchange
Visitor Information System (SEVIS) and the Computer Linked Application
Information Management System (CLAIMS 3) (described on the next slide).
ADIS provides biographic identity record matching, query, and reporting
functions.
The passenger processing component of the Treasury Enforcement
Communications System (TECS) includes two systems:
* Advance Passenger Information System (APIS) captures arrival and
departure manifest information provided by air and sea carriers; and
* Interagency Border Inspection System (IBIS) maintains lookout data
and interfaces with other agencies' databases.
CBP officers use these data as part of the admission process. The
results of the admission decision are recorded in TECS and ADIS.
The Automated Biometric Identification System (IDENT) collects and
stores biometric data on foreign visitors, including data such as:
* Federal Bureau of Investigation information[Footnote 58] on all known
and suspected terrorists, all active wanted persons and warrants, and
previous criminal histories for visitors from high-risk countries;
* DHS Immigration and Customs Enforcement information on deported
felons and sex offender registrants; and
* DHS information on previous criminal histories and previous IDENT
enrollments.
US-VISIT also exchanges biographic information with other DHS systems,
including SEVIS and CLAIMS 3:
* SEVIS is a system that contains information on foreign students; and
* CLAIMS 3 is a system that contains information on foreign nationals
who request benefits, such as change of status or extension of stay.
Some of the systems involved in US-VISIT, such as IDENT and ADIS, are
managed by the program office, while some systems are managed by other
organizational entities within DHS. For example:
* TECS is managed by CBP,
* SEVIS is managed by Immigration and Customs Enforcement, and
* CLAIMS 3 is under United States Citizenship and Immigration Services.
US-VISIT also interfaces with other, non-DHS systems for relevant
purposes, including watch list[Footnote 59] (i.e. lookout) updates and
checks to determine whether a visa applicant has previously applied for
a visa or currently has a valid U.S. visa. In particular, US-VISIT
receives biographic and biometric information from State's Consular
Consolidated Database as part of the visa application process, and
returns finger scan information and watch list changes. IDENT also
receives data from FBI's IAFIS fingerprint system.
[End of Attachment 3]
Attachment 4: Status of Prior GAO Recommendations:
Recommendation: 1. Develop and approve complete test plans before
testing begins. These plans, at a minimum, should (1) specify the test
environment, including test equipment, software, material, and
necessary training; (2) describe each test to be performed, including
test controls, inputs, and expected outputs; (3) define the test
procedures to be followed in conducting the tests; and (4) provide
traceability between test cases and the requirements to be verified by
the testing. (GAO-04-586);
Included in plan: Yes;
Status: Partially Implemented: The program office has developed and
approved test plans for various system components, such as the US-
VISIT/IDENT Product Integration and the Unified IDENT Release 2
Component/Assembly. Our analysis of these plans shows that they (1)
specified the test environment, including test equipment, software,
material, and necessary training; (2) described each test to be
performed, including test controls, inputs, and expected outputs; (3)
defined test procedures to be followed in conducting tests; and (4)
provided traceability between test cases and the requirements to be
verified by the testing. However, we were unable to verify that these
plans were approved prior to testing.
Recommendation: 2. Implement effective configuration management
practices, including establishing a US-VISIT change control board to
manage and oversee system changes. (GAO-04-586);
Included in plan: Yes;
Status: Implemented: The program office has developed a configuration
control board that is responsible for, among other things, managing
and overseeing system changes. The office has also developed a
configuration management plan and begun implementing practices
specified in the plan. For example, a project level configuration
management plan was developed for Unique Identity and a change control
request submitted and approved by the board.
Recommendation: 3. Develop a plan, including explicit tasks and
milestones, for implementing all of our open recommendations, including
those provided in this report. The plan should provide for periodic
reporting to the Secretary and Under Secretary on progress in
implementing this plan. The Secretary should report this progress,
including reasons for delays, in all future US-VISIT expenditure
plans. (GAO-04-586);
Included in plan: Yes;
Status: Partially Implemented: US-VISIT audit coordination and
resolution is governed by formal audit guidance and coordinated through
an Integrated Project Team. The team has developed a plan that includes
tasks and milestones for implementing GAO recommendations. The plan
also provides for the periodic reporting to the Secretary and Under
Secretary. Further, the status of efforts to address a number of GAO
recommendations has been included in recent US-VISIT expenditure plans,
although reasons for delays in implementing them have not.
Recommendation: 4. Fully and explicitly disclose in all future
expenditure plans how well DHS is progressing against the commitments
that it made in prior expenditure plans. (GAO-05-202);
Included in plan: No;
Status: Partially Implemented: As discussed earlier in this briefing,
while the fiscal year 2008 expenditure plan provides some information
on how well DHS is progressing against commitments made in the fiscal
year 2007 expenditure plan, it does not fully and explicitly disclose
how well it is progressing against all previous commitments, and it
describes progress in areas not committed to in the prior year's plan.
Recommendation: 5. Reassess its plans for deploying an exit capability
to ensure that the scope of the exit pilot provides for adequate
evaluation of alternative solutions and better ensures that the exit
solution selected is in the best interest of the program. (GAO-05-202);
Included in plan: Yes;
Status: Implemented: The program office has reassessed its plans for
deploying an exit capability. As a result of that assessment, the
program office discontinued the US-VISIT exit pilots in May 2007.
Recommendation: 6. Develop and implement processes for managing the
capacity of the US-VISIT system. (GAO-05-202);
Included in plan: Yes;
Status: Implemented: The program has developed a capacity management
handbook that provides guidance for managing system capacity and has
incorporated the activities to be performed into its Universal Delivery
Method. Further, the program office has begun implementing this
guidance. For example, it has developed US-VISIT/IDENT business and
service capacity baselines.
Recommendation: 7. Follow effective practices for estimating the costs
of future increments. (GAO-05-202);
Included in plan: Yes;
Status: Partially Implemented: According to the program office, they
have (1) established a Cost Process Action Team, (2) defined cost
estimation and analysis practices and processes, (3) developed
processes for developing both program life cycle cost estimates and
Independent Government Cost Estimates, and (4) conducted a
self-assessment of the program's cost estimating practices against
guidelines from the Software Engineering Institute. However, the
program office has yet to provide documentation demonstrating that it
is implementing its defined cost estimation practices.
Recommendation: 8. Make understanding the relationships and
dependencies between the US-VISIT and ACE programs a priority matter,
and report periodically to the Under Secretary on progress in doing so.
(GAO-05-202);
Included in plan: Yes;
Status: Implemented: The program office has been working with the DHS
Screening and Coordination Office to, among other priorities, develop a
greater understanding between US-VISIT and other programs, including
ACE. Further, because the program is no longer organizationally within
the Office of the Under Secretary, reporting on progress to the Under
Secretary is no longer warranted. Instead, the Screening and
Coordination Office, which reports directly to the Secretary and Deputy
Secretary, is aware of progress in this area.
Recommendation: 9. Explore alternative means of obtaining an
understanding of the full impact of US-VISIT at all land POEs,
including its impact on workforce levels and facilities; these
alternatives should include surveying the sites that were not part of
the previous assessment. (GAO-06-296);
Included in plan: Yes;
Status: Implemented: The program office reassessed its plans for
deploying an exit capability to land POEs, and as a result,
discontinued the demonstration project in November 2006.
Recommendation: 10. For each US-VISIT contract action that the program
manages directly, establish and maintain a plan for performing the
contractor oversight process, as appropriate. (GAO-06-404);
Included in plan: Yes;
Status: Implemented: For contract actions that the program manages
directly, and where it is appropriate for the program office to oversee
contractor activities, the program office has established and maintains
an oversight plan. For example, the program office has developed
individual oversight plans for 10-Print, Unique Identity, Interim Data
Sharing Model, and Independent Test and Support Evaluation Services.
Each individual oversight plan describes the roles, responsibilities,
and authorities involved in conducting contract administration and
oversight of the contract action.
Recommendation: 11. Develop and implement practices for overseeing
contractor work managed by other agencies on the program office's
behalf, including (1) clearly defining roles and responsibilities for
both the program office and all agencies managing US-VISIT-related
contracts; (2) having current, reliable, and timely information on the
full scope of contract actions and activities; and (3) defining and
implementing steps to verify that deliverables meet requirements. (GAO-
06-404);
Included in plan: Yes;
Status: Implemented: The program office has developed and implemented
practices for overseeing contractor work managed by other agencies on
the program office's behalf. Specifically, it has developed a
contractor administration management plan that includes (1) clearly
defining roles and responsibilities for both the program office and all
agencies managing US-VISIT-related contracts; (2) having current,
reliable, and timely information on the full scope of contract actions
and activities; and (3) defining and implementing steps to verify that
deliverables meet requirements.
Recommendation: 12. Require, through agreements, that agencies managing
contract actions on the program office's behalf implement effective
contract management practices consistent with acquisition guidance for
all US-VISIT contract actions, including at a minimum, (1) establishing
and maintaining a plan for performing contract management activities;
(2) assigning responsibility and authority for performing contract
oversight; (3) training the people performing contract oversight; (4)
documenting the contract; (5) verifying that deliverables satisfy
requirements; (6) monitoring contractor-related risk; and (7)
monitoring contractor performance to ensure that the contractor is
meeting schedule, effort, cost, and technical performance requirements.
(GAO-06-404);
Included in plan: Yes;
Status: Implemented: The program office has amended the language used
in its interagency agreements (IAA) to require agencies that manage
contract actions on the program's behalf to implement certain practices
designed to strengthen contract management and oversight. These
requirements are specified in the May 2007 US-VISIT Contracts
Administration Management Plan and have been included in each of the
IAAs. Specifically, each IAA specifies that the agent agency is to (1)
establish and maintain a plan for performing contract management
activities; (2) designate a contracting officer and contracting
officer's technical representative to manage all contractual actions;
(3) train the people performing contract oversight; (4) document the
contract; (5) verify that deliverables satisfy requirements; (6)
monitor contractor-related risk; and (7) monitor contractor performance
to ensure that the contractor is meeting schedule, effort, cost, and
technical performance requirements.
Recommendation: 13. Require DHS and non-DHS agencies that manage
contracts on behalf of US-VISIT to (1) clearly define and delineate the
US-VISIT work from non-US-VISIT work as performed by contractors; (2)
record, at the contract level, amounts being billed and expended on US-
VISIT-related work so that these can be tracked and reported separately
from amounts not for US-VISIT purposes; and (3) determine if they have
received reimbursement from the program for payments not related to US-
VISIT work by contractors, and, if so, refund to the program any amount
received in error. (GAO-06-404);
Included in plan: Yes;
Status: Partially Implemented: The program office reports that it has
begun efforts to establish the processes that are to (1) ensure that
both DHS and non-DHS agencies that manage contracts on behalf of the
program clearly define and delineate the US-VISIT work from non-US-
VISIT work performed by contractors, (2) record, at the contract level,
amounts being billed and expended on US-VISIT-related work so that
these can be tracked and reported separately from amounts not for US-
VISIT purposes; and (3) determine if they have received reimbursement
from the program for payments not related to US-VISIT work by
contractors, and, if so, refund to the program any amount received in
error; however, they have yet to demonstrate that these processes are
in place and being used by all DHS and non-DHS agencies.
Recommendation: 14. Ensure that payments to contractors are timely and
in accordance with the Prompt Payment Act. (GAO-06-404);
Included in plan: Yes;
Status: Partially Implemented: The program office reports that it has
begun efforts to establish the controls needed to ensure that payments
to contractors are made timely and in accordance with the Prompt
Payment Act.
Recommendation: 15. Improve existing management controls for
identifying and reporting computer processing and other operational
problems as they arise at land POEs and ensure that these controls are
consistently administered. (GAO-07-248);
Included in plan: Yes;
Status: Not Implemented: DHS has yet to implement improved management
controls for identifying and reporting computer processing and other
operational problems as they arise at land POEs or to implement a
method for ensuring that these controls are consistently administered.
Recommendation: 16. Develop performance measures for assessing the
impact of US-VISIT operations specifically at land POEs. (GAO-07-248);
Included in plan: Yes;
Status: Not Implemented: DHS has yet to develop performance measures
for assessing the impact of US-VISIT operations at land POEs.
Recommendation: 17. As DHS finalizes the statutorily mandated report
describing a comprehensive biometric entry and exit system for US-
VISIT, that it include, among other things, information on the costs,
benefits, and feasibility of deploying biometric and nonbiometric exit
capabilities at land POEs. (GAO-07-248);
Included in plan: No;
Status: Not Implemented: DHS reports that it has recently begun to
develop the statutorily mandated report, and department officials said
that they expect to issue it in early 2009. DHS officials stated that
they expect it to include information on costs, benefits, and
feasibility of biometric and nonbiometric exit capabilities at land
POEs.
Recommendation: 18. As DHS finalizes the statutorily mandated report
describing a comprehensive biometric entry and exit system for US-
VISIT, that it include, among other things, a discussion of how DHS
intends to move from a nonbiometric exit capability, such as the
technology currently being tested, to a reliable biometric exit
capability that meets statutory requirements. (GAO-07-248);
Included in plan: No;
Status: Not Implemented: DHS has recently begun to develop the
statutorily mandated report, and department officials stated that it is
to be issued in early 2009. DHS officials stated that they expect it to
include a discussion on how it intends to move to a biometric exit
capability at land ports of entry.
Recommendation: 19. As DHS finalizes the statutorily mandated report
describing a comprehensive biometric entry and exit system for US-
VISIT, that it include, among other things, a description of how DHS
expects to align emerging land border security initiatives with US-
VISIT and what facility or facility modifications would be needed to
ensure that technology and processes work in harmony. (GAO-07-248);
Included in plan: No;
Status: Not Implemented: DHS has recently begun to develop the
statutorily mandated report, and department officials stated that it is
to be issued in early 2009. DHS officials stated that they expect it to
show how US-VISIT is to align with emerging land border initiatives as
well as what facility modifications would be needed to ensure that
technology and processes work in harmony.
Recommendation: 20. Report regularly to the Secretary and to the DHS
authorization and appropriations committees on the range of program
risks associated with not having fully satisfied all expenditure plan
legislative conditions, reasons why they were not satisfied, and steps
being taken to mitigate these risks. (GAO-07-278);
Included in plan: Yes;
Status: Not Implemented: Program officials stated that they
periodically brief authorization and appropriations committees on a
range of program risks, including those associated with not having
fully satisfied all expenditure plan legislative conditions, reasons
why they were not satisfied, and steps being taken to mitigate these
risks. However, they did not provide any verifiable evidence that these
matters were discussed, and staff with the House and Senate
appropriations committees that focus on US-VISIT told us that they are
not aware of such briefings in which these matters were discussed.
Recommendation: 21. Limit planned expenditures for exit pilots and
demonstration projects until such investments are economically
justified and until each investment has a well-defined evaluation plan.
The projects should be justified on the basis of costs, benefits, and
risks, and the evaluation plans should define what is to be achieved
and should include a plan of action and milestones and measures for
demonstrating achievement of pilot and project goals and desired
outcomes. (GAO-07-278);
Included in plan: Yes;
Status: Implemented: The program office has limited planned
expenditures in exit pilots and demonstration projects by reassessing
its plans and discontinuing the exit pilots in May 2007 and the
demonstration project in November 2006.
Recommendation: 22. Work with the DHS Enterprise Architecture Board to
identify and mitigate program risks associated with investing in new US-
VISIT capabilities in the absence of a DHS-wide operational and
technological context for the program. These risks should reflect the
absence of fully defined relationships and dependencies with related
border security and immigration enforcement programs. (GAO-07-278);
Included in plan: Yes;
Status: Not Implemented: The program office provided DHS Enterprise
Architecture Board meeting minutes. However, none of the meeting
minutes provided contained information on identifying and mitigating
program risks associated with investing in new US-VISIT capabilities in
the absence of a DHS-wide technological context for the program.
Recommendation: 23. Limit planned expenditures for program management-
related activities until such investments are economically justified
and have well-defined plans detailing what is to be achieved, a plan of
action and milestones, and measures for demonstrating progress and
achievement of desired outcomes. (GAO-07-278);
Included in plan: Yes;
Status: Not Implemented: The program office has yet to provide either
an economic justification or well-defined plans for its program
management-related activities detailing what is to be achieved and
including a plan of action and milestones and measures for
demonstrating progress and achievement of desired outcomes. Moreover,
the amount of funding for program management in FY2008 remains at the
level mentioned in the FY2006 expenditure plan, which was the basis for
this recommendation.
Recommendation: 24. The Secretary of DHS report to the department's
authorization and appropriations committees on its reasons for not
fully addressing its expenditure plan legislative conditions and our
prior recommendations. (GAO-07-1065);
Included in plan: Yes;
Status: Not Implemented: Program officials stated that they
periodically brief authorization and appropriations committees on
program-related issues, including reasons for not having fully
satisfied all expenditure plan legislative conditions and GAO
recommendations. However, they did not provide any verifiable evidence
that these matters were discussed, and staff with the House and Senate
appropriations committees that focus on US-VISIT told us that they are
not aware of such briefings in which these matters were discussed.
Recommendation: 25. Develop a plan for a comprehensive exit capability,
which includes, at a minimum, a description of the capability to be
deployed, the cost of developing, deploying and operating the
capability, identification of key stakeholders and their respective
roles and responsibilities, key milestones, and measurable performance
indicators. (GAO-08-361);
Included in plan: No;
Status: Partially Implemented: DHS recently issued a notice of proposed
rulemaking for implementing an exit capability at air and sea POEs.
This notice provides a high-level description of a proposed Air and Sea
Exit solution, and an estimate of the cost to develop, deploy, and
operate the solution. Further, it describes the roles and
responsibilities of key stakeholders, such as air and sea carriers, and
sets some performance indicators, such as when passenger biometrics are
to be transmitted to DHS. However, as discussed in this briefing, this
proposed solution raises a number of questions that need to be
resolved.
Recommendation: 26. Develop an analysis of costs, benefits, and risks
for proposed exit solutions before large sums of money are committed on
those solutions, and use the analysis in selecting the final solution.
(GAO-08-361);
Included in plan: No;
Status: Partially Implemented: As noted earlier in this briefing, DHS's
Air and Sea Exit regulatory impact analysis analyzed the costs and
benefits of the proposed solution and four alternatives, and DHS used
this analysis in proposing its exit solution. However, the cost
estimates that were used in this analysis were not sufficiently
reliable to justify the proposed solution.
Recommendation: 27. Direct the appropriate DHS parties involved in
defining, managing, and coordinating relationships across the
department's border and immigration management programs to address the
program collaboration shortcomings identified in this report, such as
fully defining the relationships between US-VISIT and other immigration
and border management programs and, in doing so, to employ the
collaboration practices discussed in this report. (GAO-08-361);
Included in plan: No;
Status: Partially Implemented: DHS has yet to direct all of the
appropriate parties involved in defining, managing, and coordinating
relationships across the department's border and immigration management
programs to address the program collaboration shortcomings identified
in this report and, in doing so, to employ the collaboration practices
discussed in this report. Specifically, while US-VISIT has begun to
coordinate with specific border and immigration management programs
such as the Secure Border Initiative and Western Hemisphere Travel
Initiative.
[End of Attachment 4]
[End of Appendix I]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
November 19, 2008:
Randolph C. Hite:
Director, Information Technology Architecture and Systems:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Hite:
The Department of Homeland Security (DHS) is submitting this written
response regarding the Government Accountability Office (GAO)
recommendation contained in its report, U.S. Visitor and Immigrant
Status Indicator Technology Program Planning and Execution Improvements
Needed, 09-96.
GAO Recommendation:
To assist DHS in planning and executing US-VISIT, we recommend that the
Secretary of Homeland Security direct the department's Investment
Review Board to immediately hold a review of the US-VISIT program that,
at a minimum, addresses:
* The reasons for the fiscal year 2008 expenditure plan not fully
addressing each of the legislative conditions and corrective action to
ensure that this does not occur for future expenditure plans;
* The adequacy of the basis for any future Air and Sea Exit solution,
including the reliability of cost estimates, implication of privacy and
security issues, and addressing key concerns raised in comments to the
proposed rule;
* The weaknesses in the program's implementation of risk management;
and;
* The weaknesses in the prime contractor's implementation of its earned
value management, including the limitations in the quality of the
schedule baselines and the schedule variance measurements.
Response:
DHS concurs with this recommendation. The DHS Investment Review Board
will convene on November 17, 2008, for the purpose of reviewing the US-
VISIT program. The objectives of this review are to address the
recommendation made in GAO-09-96. US-VISIT is prepared to discuss the
following:
* How the FY09 Spend Plan will address GAO concerns raised in the audit
of the FY08 Spend Plan;
* How the Air/Sea Exit solution will address GAO concerns regarding
cost estimates, security and privacy of the solution and the level of
detail for the solution;
* How US-VISIT's improvements in risk management will address GAO
concerns regarding the currency of the information in the risk
management database, risk management plan and the elevation of risks;
and;
* How US-VISIT will continue its oversight and the Defense Contract
Management Agency (DCMA) will perform periodic assessments of the
contractor's progress toward compliance of the 32 published standards
for earned value management.
Additionally, GAO writes that Legislative Condition 4, regarding DHS
investment management and OMB capital planning and investment control
certification by the CPO, is only partially satisfied:
DHS's investment management process is not sufficiently mature. As we
reported in April 2007, this process does not satisfy the key practices
outlined in the Information Technology Investment Management Framework,
which is a maturity framework based on corporate investment management
best practices employed by leading public and private sector
organizations and is consistent with OMB capital planning and
investment control requirements. In particular, we reported that:
* DHS's process (policies and procedures) for project level management
do not include all key elements, such as specific criteria or steps for
prioritizing and selecting new investments.
* DHS has not fully implemented the practices needed to control
investments - at the project level or at the portfolio level, including
regular project-level reviews by the DHS Investment Review Board.
* DHS's process does not identify a methodology with explicit decision-
making criteria to determine an investment's alignment with the DHS
enterprise architecture.
DHS nonconcurs with this finding. On November 7, 2008, the DHS Under
Secretary for Management signed out the interim operational policy for
the investment control requirements. This policy provides for the
following:
* A DHS process (including policies and procedures) for project level
management that includes all key elements, including specific criteria
and steps for prioritizing and selecting new investments;
* A set of practices to control investments at the project and
portfolio level, including regular project-level reviews by the DHS
Investment Review Board; and;
* Identification of a methodology with explicit decision-making
criteria to determine an investment's alignment with the DHS enterprise
architecture.
Lessons learned from the FY08 expenditure plan have prompted the
Department to make adjustments in developing the FY09 spend plan. For
example, greater visibility will be provided into operations and
maintenance and program management planned expenditures; milestones
will be provided and quantitative performance targets will be
incorporated into planned accomplishments; mitigation plans for open
GAO recommendations will also include milestones and the Department
will make every effort to close out GAO's previous recommendations; and
FY08 results will be reported for all planned accomplishments from the
FY 08 plan. When fully executed it is our aim to fully satisfy the
legislative conditions in accordance with the Consolidated
Appropriations Act, 2008, Public Law No. 110-161.
Sincerely,
Signed by:
Jerald E. Levine:
Director:
Departmental Audit Liaison Office:
Attachment:
U.S. Department of Homeland Security:
Washington, DC 20528:
November 7, 2008:
Memorandum For: Distribution List
From: [Signed by] Elaine C. Duke:
Under Secretary for Management:
Subject: Departmental Acquisition Management:
As you know, I tasked the Acquisition Program Management Division
(APMD) of the Office of the Chief Procurement Officer to re-engineer
the Department's Investment Review Process (Management Directive (MD)
1400). This re-engineering had, as its objective, improvement in
acquisition management and oversight across the Department of Homeland
Security (DHS) enterprise. APMD, in collaboration with Departmental and
Component stakeholders, has developed and informally staffed the
attached Directive (102-01). Because of the extensive coordination to
date, this Directive is authorized as an interim policy effective
today. In parallel with this interim authorization, Directive 102-01
will be formally staffed through the Department's executive
correspondence process. Changes resulting from this formal review
(along with changes proposed by users as a result of initial
implementation) will be incorporated in the policy prior to its
completing this process.
I appreciate the tremendous collaboration and inputs provided by your
organizations throughout the development and informal staffing
process - this resulting draft marks another critical milestone toward
the integration of DHS.
This Directive's overarching goal is to establish an acquisition
management system that effectively provides required capability to DHS
users in support of DHS missions. The Directive leverages proven
management, governance, and oversight practices within the Department,
streamlines the acquisition process, and addresses the issues and
problems with the previous MD 1400. Specifically, it:
* Creates a common acquisition policy across the Department;
* Creates the Acquisition Decision Authority position as a single point
of accountability;
* Establishes a single, but tailorable life cycle framework for all
acquisitions; and;
* Delegates acquisition decision authority to Components wherever
feasible.
This Directive supersedes all versions of MD 1400; consequently, all
previous versions of MD 1400 are hereby revoked. The Department is
required to commence implementing the Directive's policies and align
internal policies accordingly. Individual programs should transition to
this policy at their next formal decision point, but not later than six
months from the date of this memorandum. APMD will work with each
Component or Headquarters contingent to establish a collaborative
transition schedule for each acquisition portfolio.
Training on this policy will be provided by cadres of individuals
(trained by APMD) within each Component/Headquarters contingent.
"Train-the-Trainers" training began on November 5, and will continue until all
who need instruction have attended.
For further information, please contact John Higbee, Director, APMD at
(202) 447-5398 or by e-mail at john.higbee@adhs.gov, or Page Glennie at
(202) 447-5492 or by e-mail at page.glennie@dhs.gov.
Attachment:
Distribution List:
Under Secretary, Science & Technology:
Under Secretary, National Protection & Programs:
Under Secretary, Intelligence & Analysis:
Assistant Secretary, Policy:
Assistant Secretary, Legislative Affairs:
Assistant Secretary, Public Affairs:
Assistant Secretary, Health Affairs/Chief Medical Officer:
Assistant Secretary, Transportation Security Administration:
Assistant Secretary, United States Immigration & Customs Enforcement:
Commissioner, Customs and Border Protection:
Commandant, United States Coast Guard:
Administrator, Federal Emergency Management Agency:
Director, Operations Coordination:
Director, Counternarcotics Enforcement:
Director, Federal Law Enforcement Training Center:
Director, Domestic Nuclear Detection Office:
Director, United States Citizenship & Immigration Services:
Director, United States Secret Service:
Ombudsman Citizenship & Immigration Services:
Officer for Civil Rights & Civil Liberties:
General Counsel (Acting):
Inspector General:
Military Advisor's Officer:
Gulf Coast Region Office:
Chief Financial Officer:
Chief Information Officer:
Chief Administrative Officer:
Chief Procurement Officer:
Chief Human Capital Officer:
Chief Privacy Officer:
Chief Security Officer:
Director, Screening Coordination Office:
Director, U.S. Visitor and Immigrant Status Indicator Technology:
Director, Acquisition & Program Management Support Division,
Transportation Security Administration:
Director, Investment Management, Office of Finance, Customs and Border
Protection:
Chief Acquisition Support Office, United States Coast Guard:
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Randolph C. Hite, (202) 512-3439, or hiter@gao.gov:
Staff Acknowledgments:
In addition to the individual named above, Tonia Johnson (Assistant
Director), Bradley Becker, Season Dietrich, Neil Doherty, Jennifer
Echard, Elena Epps, Nancy Glover, Rebecca LaPaze, Anjalique Lawrence,
Anh Le, Emily Longcore, Lee McCracken, Freda Paintsil, Karl Seifert,
and Jeanne Sung made key contributions to this report.
[End of section]
Footnotes:
[1] Pub L. No. 110-161, 121 Stat. 1844, 2059-60 (Dec. 26, 2007).
[2] The briefing document includes a few minor editorial changes to
clarify certain points.
[3] The twelfth legislative condition--that the plan be reviewed by
us--was satisfied.
[4] GAO, Homeland Security: Strategic Solution for US-VISIT Program
Needs to Be Better Defined, Justified, and Coordinated, [hyperlink,
http://www.gao.gov/products/GAO-08-361] (Washington, D.C.: Feb. 29,
2008).
[5] GAO, Cost Assessment Guide: Best Practices for Estimating and
Managing Program Costs, Exposure Draft, [hyperlink,
http://www.gao.gov/products/GAO-07-1134SP] (Washington, D.C.: July
2007), at p. 251.
[6] Task order 7 provides for development and deployment of new
capabilities.
[7] Pub. L. No. 110-161 (Dec. 26, 2007).
[8] Since fiscal year 2002, $2.22 billion has been appropriated for US-
VISIT.
[9] This is the seventh legislatively-mandated US-VISIT expenditure
plan.
[10] As discussed in the scope and methodology section of this briefing
(attachment 1), we sought clarification from staff with the House and
Senate Appropriations Committees, Subcommittees on Homeland Security,
on this condition. As a result, the wording of this condition has been
modified slightly from that in the act.
[11] For details on the processes underlying each increment and systems
supplying information on US-VISIT, see attachment 3.
[12] Radio frequency technology relies on proximity cards and card
readers. Radio frequency devices read the information contained on the
card when the card is passed near the device. The information can
contain personal information of the cardholder.
[13] An indefinite delivery/indefinite quantity contract provides for
an indefinite quantity, within stated limits, of supplies or services
during a fixed period of time. The government schedules deliveries or
performance by placing orders with the contractor.
[14] Accenture's partners in this contract include, among others,
Raytheon Company, the Titan Corporation, and SRA International, Inc.
[15] Total value is the reported budget at completion as of May 2008.
[16] This solution would not be applicable to vessel carriers because
there are no TSA checkpoints at seaports.
[17] GAO, Information Technology: Homeland Security Needs to Improve
Entry Exit System Expenditure Planning, [hyperlink,
http://www.gao.gov/products/GAO-03-563] (Washington, D.C.: June 9,
2003) and Homeland Security: Some Progress Made, but Many Challenges
Remain on U.S. Visitor and Immigrant Status Indicator Technology
Program, [hyperlink, http://www.gao.gov/products/GAO-05-202]
(Washington, D.C.: Feb. 23, 2005).
[18] GAO, Homeland Security: U.S. Visitor and Immigrant Status
Program's Long-standing Lack of Strategic Direction and Management
Controls Needs to Be Addressed, [hyperlink,
http://www.gao.gov/products/GAO-07-1065] (Washington, D.C.: Aug. 31,
2007).
[19] [hyperlink, http://www.gao.gov/products/GAO-07-1065].
[20] Office of Management and Budget Circular A-11, Part 7 establishes
policy for planning, budgeting, acquisition, and management of federal
capital assets.
[21] GAO, Information Technology: DHS Needs to Fully Define and
Implement Policies and Procedures for Effectively Managing Investments,
[hyperlink, http://www.gao.gov/products/GAO-07-424] (Washington, D.C.:
April 27, 2007).
[22] [hyperlink, http://www.gao.gov/products/GAO-07-1065].
[23] [hyperlink, http://www.gao.gov/products/GAO-07-424].
[24] GAO, Information Technology Investment: A Framework for Assessing
and Improving Process Maturity, [hyperlink,
http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March
2004).
[25] GAO, Homeland Security: First Phase of Visitor and Immigration
Status Program Operating, but Improvements Needed, [hyperlink,
http://www.gao.gov/products/GAO-04-586] (Washington, D.C.: May 11,
2004).
[26] Chief Information Officer Council, A Practical Guide to Federal
Enterprise Architecture, Version 1.0, February 2001.
[27] GAO, Information Technology: A Framework for Assessing and
Improving Enterprise Architecture Management (version 1.1), [hyperlink,
http://www.gao.gov/products/GAO-03-584G] (Washington, D.C.: April
2003).
[28] GAO, Homeland Security: Strategic Solution for US-VISIT Program
Needs to Be Better Defined, Justified, and Coordinated, [hyperlink,
http://www.gao.gov/products/GAO-08-361] (Washington, D.C.: Feb. 29,
2008).
[29] [hyperlink, http://www.gao.gov/products/GAO-03-584G].
[30] [hyperlink, http://www.gao.gov/products/GAO-07-424].
[31] [hyperlink, http://www.gao.gov/products/GAO-07-1065].
[32] GAO, DOD Business Systems Modernization: Key Marine Corps System
Acquisition Needs to Be Better Justified, Defined, and Managed,
[hyperlink, http://www.gao.gov/products/GAO-08-22] (Washington, D.C.:
July 28, 2008).
[33] GAO, Homeland Security: Recommendations to Improve Management of
Key Border Security Program Needs to Be Implemented, [hyperlink,
http://www.gao.gov/products/GAO-06-296] (Washington, D.C.: Feb. 14,
2006).
[34] The US-VISIT Risk Management Plan separates the risk management
process into five steps. The fourth step--risk handling--is the process
of selecting and implementing responses to identified and prioritized
risks.
[35] [hyperlink, http://www.gao.gov/products/GAO-06-296].
[36] [hyperlink, http://www.gao.gov/products/GAO-07-1065].
[37] [hyperlink, http://www.gao.gov/products/GAO-07-1065].
[38] [hyperlink, http://www.gao.gov/products/GAO-07-1065].
[39] GAO, Homeland Security: Prospects for Biometric US-VISIT Exit
Capability Remains Unclear, [hyperlink,
http://www.gao.gov/products/GAO-07-1044T] (Washington, D.C.: June 28, 2007).
[40] [hyperlink, http://www.gao.gov/products/GAO-08-361].
[41] As discussed in the scope and methodology section of this briefing
(attachment 1), we sought clarification from staff with the House and
Senate Appropriations Committees, Subcommittees on Homeland Security,
on this condition. As a result, the wording of this condition has been
modified slightly from that in the act.
[42] [hyperlink, http://www.gao.gov/products/GAO-07-1065].
[43] GAO, Homeland Security: Planned Expenditures for U.S. Visitor and
Immigrant Status Program Need to be Adequately Defined and Justified,
[hyperlink, http://www.gao.gov/products/GAO-07-278] (Washington, D.C.:
Feb. 14, 2007).
[44] GAO, Information Security: Homeland Security Needs to Immediately
Address Significant Weaknesses in Systems Supporting the US-VISIT
Program, [hyperlink, http://www.gao.gov/products/GAO-07-870]
(Washington, D.C.: July 13, 2007).
[45] These are the Air/Sea Exit, Secure Flight, the Electronic Travel
Authorization System, and the Advance Passenger Information System-
Quick Query.
[46] [hyperlink, http://www.gao.gov/products/GAO-06-296].
[47] OMB, Circular No. A-11, Part 7 Supplement - Capital Programming
Guide, 2006, [hyperlink,
http://www.whitehouse.gov/omb/circulars/a11/current_year/a_11_2006.pdf]
(accessed June 16, 2008) and Software Engineering Institute, CMMI for
Acquisition, Version 1.2, CMU/SEI-2007-TR-017 (Pittsburgh, PA; November
2007).
[48] GAO, Cost Assessment Guide: Best Practices for Estimating and
Managing Program Costs, Exposure Draft, [hyperlink,
http://www.gao.gov/products/GAO-07-1134SP] (Washington, D.C.: July
2007).
[49] Task order 7 has an approximate value of $141 million.
[50] As agreed, our scope of work focused on the plan delivered to the
House and Senate Appropriations Committees.
[51] We did not attempt to validate the comments.
[52] For observation 6, we used the Unique ID and Biometric Solutions
Delivery subtasks of task order 7. These tasks covered 98 percent of
the total value of task order 7 and the remaining 2 percent were
related to subtasks issued in fiscal year 2008.
[53] [hyperlink, http://www.gao.gov/products/GAO-07-278].
[54] US-VISIT is currently transitioning from scanning only the right
and left index fingers to scanning all 10 fingers.
[55] 8 U.S.C. § 1221(a).
[56] The new 10-print process will also integrate this information with
manifest data so that it is all represented on one screen.
[57] Datashare includes a data extract from State's Consular
Consolidated Database system and includes the visa photograph,
biographical data, and the fingerprint identification number assigned
when a nonimmigrant applies for a visa.
[58] Information from the Federal Bureau of Investigation includes
fingerprints from the Integrated Automated Fingerprint Identification
System.
[59] Watch list data sources include DHS's Customs and Border
Protection and Immigration and Customs Enforcement; the Federal Bureau
of Investigation; legacy DHS systems; the U.S. Secret Service; the U.S.
Coast Guard; the Internal Revenue Service; the Drug Enforcement Agency;
the Bureau of Alcohol, Tobacco, & Firearms; the U.S. Marshals Service;
the U.S. Office of Foreign Asset Control; the National Guard; the
Treasury Inspector General; the U.S. Department of Agriculture; the
Department of Defense Inspector General; the Royal Canadian Mounted
Police; the U.S. State Department; Interpol; the Food and Drug
Administration; the Financial Crimes Enforcement Network; the Bureau of
Engraving and Printing; and the Department of Justice Office of Special
Investigations.
[End of section]