Information Technology
Homeland Security Needs to Improve Entry Exit System Expenditure Planning Gao ID: GAO-03-563 June 9, 2003Pursuant to legislative direction, the Immigration and Naturalization Service (INS), now part of the Department of Homeland Security, plans to acquire and deploy an entry exit system to assist in monitoring the flow of foreign nationals in and out of the United States. By separate legislative direction, INS must submit to the Senate and House Committees on Appropriations a plan for this system that meets certain conditions, including being reviewed by GAO, before funds can be obligated. This report satisfies GAO's mandated review obligation by (1) addressing whether the plan submitted by INS, along with related INS documentation and plans, meets required conditions and (2) providing observations about the plan and INS's management of the system.
INS's initial expenditure plan and associated system acquisition documentation and plans for the entry exit system partially meet the legislative conditions imposed by the Congress. That is, INS has implemented or has defined plans for implementing most of the legislatively mandated requirements for the plan's content, which include such areas as capital planning and investment control, acquisition, and systems acquisition management. However, key issues related to understanding and implementing system requirements, such as developing a system security plan and assessing system impact on the privacy of individuals, remain to be addressed. Moreover, INS reported that it had obligated some entry exit funding before it submitted the plan to the Appropriations Committees. Since then, INS officials told GAO that they have de-obligated and reclassified these obligations to other available funding sources. GAO observed that INS has preliminary plans showing that it intends to acquire and deploy a system that has functional and performance capabilities that satisfy the general scope of capabilities required under various laws. These include the capability to (1) collect and match alien arrival and departure data electronically; (2) be accessible to the border management community (including consular officers, federal inspection agents, and law enforcement and intelligence agencies responsible for identifying and investigating foreign nationals); and (3) support machine-readable, tamper-resistant documents with biometric identifiers at ports of entry. Each of these capabilities is integral to supporting our nation's border security process. However, GAO also observed that the initial plan does not provide sufficient information about INS commitments for the system, such as what specific system capabilities and benefits will be delivered, by when, and at what cost, and how INS intends to manage the acquisition to provide reasonable assurance that it will meet these commitments. Without sufficiently detailed information on system plans and progress, the Congress will be impeded in its efforts to oversee the system.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-03-563, Information Technology: Homeland Security Needs to Improve Entry Exit System Expenditure Planning
This is the accessible text file for GAO report number GAO-03-563
entitled 'Information Technology: Homeland Security Needs to Improve
Entry Exit System Expenditure Planning' which was released on June 09,
2003.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
United States General Accounting Office:
GAO:
June 2003:
Information Technology:
Homeland Security Needs to Improve Entry Exit System Expenditure
Planning:
GAO-03-563:
GAO Highlights:
Highlights of GAO-03-563, a report to the Senate and House
Subcommittees on Homeland Security, Committees on Appropriations
Why GAO Did This Study:
Pursuant to legislative direction, the Immigration and Naturalization
Service (INS), now part of the Department of Homeland Security, plans
to acquire and deploy an entry exit system to assist in monitoring the
flow of foreign nationals in and out of the United States. By separate
legislative direction, INS must submit to the Senate and House
Committees on Appropriations a plan for this system that meets certain
conditions, including being reviewed by GAO, before funds can be
obligated. This report satisfies GAO‘s mandated review obligation by
(1) addressing whether the plan submitted by INS, along with related
INS documentation and plans, meets required conditions and (2)
providing observations about the plan and INS‘s management of the
system.
What GAO Found:
INS‘s initial expenditure plan and associated system acquisition
documentation and plans for the entry exit system partially meet the
legislative conditions imposed by the Congress. That is, INS has
implemented or has defined plans for implementing most of the
legislatively mandated requirements for the plan‘s content, which
include such areas as capital planning and investment control,
acquisition, and systems acquisition management. However, key issues
related to understanding and implementing system requirements, such as
developing a system security plan and assessing system impact on the
privacy of individuals, remain to be addressed. Moreover, INS reported
that it had obligated some entry exit funding before it submitted the
plan to the Appropriations Committees. Since then, INS officials told
GAO that they have de-obligated and reclassified these obligations to
other available funding sources.
GAO observed that INS has preliminary plans showing that it intends to
acquire and deploy a system that has functional and performance
capabilities that satisfy the general scope of capabilities required
under various laws. These include the capability to (1) collect and
match alien arrival and departure data electronically; (2) be
accessible to the border management community (including consular
officers, federal inspection agents, and law enforcement and
intelligence agencies responsible for identifying and investigating
foreign nationals); and (3) support machine-readable, tamper-resistant
documents with biometric identifiers at ports of entry. Each of these
capabilities is integral to supporting our nation‘s border security
process (see figure).
However, GAO also observed that the initial plan does not provide
sufficient information about INS commitments for the system, such as
what specific system capabilities and benefits will be delivered, by
when, and at what cost, and how INS intends to manage the acquisition
to provide reasonable assurance that it will meet these commitments.
Without sufficiently detailed information on system plans and
progress, the Congress will be impeded in its efforts to oversee the
system.
What GAO Recommends:
GAO recommends that the Secretary of Homeland Security (1) plan for
and implement system investment and acquisition management controls
and (2) ensure that future expenditure plans provide sufficient
details to permit an understanding of (a) system capabilities,
benefits, cost, and delivery date and (b) how the acquisition will be
managed to meet these commitments. The department did not explicitly
agree or disagree with GAO‘s conclusions and recommendations, but
described actions it plans to take that are consistent with these
recommendations.
www.gao.gov/cgi-bin/getrpt?GAO-03-563.
To view the full report, including the scope
and methodology, click on the link above.
For more information, contact Randolph C. Hite at (202) 512-3439 or
hiter@gao.gov.
[End of table]
Contents:
Letter:
Results in Brief:
Background:
Fiscal Year 2002 Expenditure Plan Partially Satisfied Legislative
Mandate:
Other Observations: Planned Entry Exit Capabilities Are Aligned with
Legislation, but Future Expenditure Plans Need to Be Improved:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Department of Homeland Security:
GAO Comments:
Appendix III: Summary of Entry Exit Related Systems:
Visa Waiver Permanent Program Act Support System:
National Security Entry Exit Registration System:
Appendix IV: Summary of Legislation Regarding Entry Exit System
Capabilities:
Appendix V: GAO Contacts and Staff Acknowledgments:
GAO Contact:
Staff Acknowledgments:
Tables:
Table 1: Primary Inspections by U.S. Ports of Entry (Fiscal Year 2002):
Table 2: Foreign Nationals Admitted through Primary and Secondary
Inspections (Fiscal Year 2002):
Table 3: Summary of INS's Fiscal Year 2002 Entry Exit System
Expenditure Plan:
Table 4. Planned Operational Requirements for Entry Exit System:
Table 5: Key System Capabilities Specified by Legislation Compared with
INS's Planned Operational Requirements:
Table 6: Verbatim Text of INS Entry Exit System Expenditure Plan as
Submitted to the Congress:
Figures:
Figure 1: Simplified Diagram of the Border Security Process:
Figure 2: Simplified Diagram of the Visa Issuance Process:
Figure 3: Simplified Diagram of the Entry Control Process:
Figure 4: Simplified Diagram of the Stay Management Process:
Figure 5: Simplified Diagram of the Exit Control Process:
Figure 6: Partial DHS Organization Chart Identifying the Border and
Transportation Security Directorate:
Abbreviations:
ADIS: Arrival Departure Information System
APIS: Advance Passenger Information System
CCD: Consular Consolidated Database
CLASS: Consular Lookout and Support System
DHS: Department of Homeland Security
DMIA: Data Management Improvement Act
FAR: Federal Acquisition Regulation
IBIS: Interagency Border Inspection System
IIRIRA: Illegal Immigration Reform and Immigrant Responsibility
Act of 1996
INS: Immigration and Naturalization Service
IT: information technology
ITIM: Information Technology Investment Management
NCIC: National Crime Information Center
NIIS: Non-Immigrant Information System
NIST: National Institute of Standards and Technology
NSEERS: National Security Entry Exit Registration System
OMB: Office of Management and Budget
SA-CMM: Software Acquisition Capability Maturity Model
SEI: Software Engineering Institute
TSA: Transportation Security Administration
USA PATRIOT: Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and Obstruct Terrorism
US VISIT: U.S. Visitor and Immigrant Status Indication Technology
System
VWPPA: Visa Waiver Permanent Program Act:
United States General Accounting Office:
Washington, DC 20548:
June 9, 2003:
The Honorable Thad Cochran Chairman The Honorable Robert C. Byrd
Ranking Minority Member Subcommittee on Homeland Security Committee on
Appropriations United States Senate:
The Honorable Harold Rogers Chairman The Honorable Martin Olav Sabo
Ranking Minority Member Subcommittee on Homeland Security Committee on
Appropriations House of Representatives:
The Congress has long recognized the need for a border security system
that collects information about foreign nationals entering and exiting
the United States and identifies those who have overstayed their
visits. Seven years ago, the Congress passed legislation that directed
the Immigration and Naturalization Service (INS)[Footnote 1] to develop
such an entry exit system.[Footnote 2] More recently, the Congress has
passed additional entry exit legislation,[Footnote 3] requiring, for
example, that the system be integrated with other law enforcement
databases and that it use biometric technologies[Footnote 4] to better
identify persons entering and exiting the United States.
To exercise close oversight over the entry exit system,[Footnote 5] the
Congress also prohibited the INS from obligating funds for the system
that were made available in fiscal year 2002 supplemental
appropriations until the agency submitted to the Senate and House
Committees on Appropriations an expenditure plan (1) that meets the
capital planning and investment control review requirements established
by the Office of Management and Budget (OMB), including Circular A-11,
part 3; (2) that complies with the acquisition rules, requirements, and
guidelines and systems acquisition management practices of the federal
government; and (3) that is reviewed by GAO.[Footnote 6]
This report responds to our legislative mandate to review INS's fiscal
year 2002 entry exit system expenditure plan. On November 15, 2002, INS
provided this plan to the Appropriations Committees, and on December
19, 2002, we received a copy of the plan. As agreed with your offices,
our review objectives were to (1) determine whether the plan satisfied
the legislative conditions and (2) provide observations about the
expenditure plan and INS's management of the entry exit system. As
agreed with your offices, our review focused not only on the plan, but
also on related system documentation and plans. Our objectives, scope,
and methodology are presented in detail in appendix I.
Results in Brief:
INS's fiscal year 2002 expenditure plan, supplemented by related entry
exit system acquisition documentation and plans, partially satisfied
relevant legislative conditions governing INS's obligation of fiscal
year 2002 funding. In particular, INS has either implemented or plans
to implement most of OMB's capital planning and investment control
review requirements, including those established by Circular A-11, part
3, but has not yet satisfied two OMB requirements--having a system
security plan and assessing the system's impact on the privacy of
individuals--both of which are critical to understanding system
requirements and ensuring that acquired system capabilities satisfy
these requirements. INS's plans and actions to date also are generally
consistent with important federal acquisition rules, requirements, and
guidelines and system acquisition management practices, as defined in
such documents as INS's life cycle management and investment management
guidance and the Federal Acquisition Regulation. However, before
submitting an expenditure plan to the Appropriations Committees, INS
obligated for the system approximately $9.8 million in fiscal year 2002
supplemental appropriations. Since then, INS officials told us that
they have de-obligated over $6.6 million that they had obligated after
August 2, 2002,[Footnote 7] and reclassified those obligations to other
available sources.
In addition, we observed that INS's preliminary plans for the entry
exit system show that it intends for the system to have functional and
performance capabilities that the Congress specified in law. These
capabilities include being able to collect and match alien arrival and
departure data electronically, being accessible to the border
management community, and being able to read tamper-resistant documents
with biometric identifiers. However, we also observed that this first
expenditure plan does not adequately disclose material information
about the system, such as what system capabilities and benefits are to
be delivered, by when, and at what cost. Without sufficiently detailed
information on system plans and progress, the Congress will be impeded
in its oversight efforts for the system.
To improve the content and utility of future entry exit system
expenditure plans, we are making recommendations to the Secretary of
Homeland Security (1) to plan for and implement important system
investment and acquisition management controls and (2) to ensure that
the plans provide sufficient detail about what system capabilities and
benefits can be delivered, what these capabilities will cost, when they
will be delivered, and how the acquisition will be managed to meet
these commitments.
In written comments on a draft of our report signed by the department's
Assistant Secretary, Bureau of Immigration and Customs Enforcement
(reprinted in app. II, along with our responses), the department did
not explicitly agree or disagree with our conclusions and
recommendations. However, it described several actions that it plans to
take that are consistent with our recommendations.
The department also provided other principal comments. Specifically, it
stated that (1) we failed to consider that the expenditure plan's lack
of specific detail is attributable to a number of pending policy
decisions and that until these decisions are made it is impossible to
provide a detailed plan; (2) the entry exit system security plan and
privacy impact assessment are addressed in a draft document entitled
Technical Architecture and Security Requirements; (3) we concluded that
the entry exit program office is in compliance with INS's Information
Technology Investment Management (ITIM) process, and therefore the
entry exit system is in compliance with OMB requirements; and (4) we
failed to consider and incorporate information regarding INS's
obligation of supplemental appropriations.
We support the department's planned actions. However, we do not agree
with the four other comments. First, as we state in our report,
effective congressional oversight and informed decision-making require
that the plan disclose a sufficient level and scope of information for
the Congress to understand what system capabilities and benefits are to
be delivered, by when, and at what cost. They also require that the
plan address how these system capability, benefit, schedule, and cost
commitments will be met. If this information was not known because of
pending policy issues, this uncertainty should have been in the plan,
along with a timetable for addressing it. Further, notwithstanding
these undecided policy matters, the plan could still have provided more
detailed information, such as addressing how the acquisition was to be
managed. Second, the draft document that the department provided to us
with its comments does not include either a security plan or a privacy
impact assessment. Third, our report does not conclude that the entry
exit program office is in full compliance with ITIM, and that therefore
the entry exit system is in compliance with OMB requirements. Rather,
it concludes that it is important for INS to focus on implementing the
investment management controls provided for its plan and related
documentation. Accordingly, we recommend in our report that the
department fully implement planned investment management controls in
accordance with relevant federal requirements and guidance. Fourth, we
did not include information in our draft report regarding the
department's obligation of the supplemental appropriations because this
information was contained in a letter to us dated April 7, 2003, which
was 4 days after we provided the department with our draft report. We
have since modified this report, as appropriate, to incorporate the
information in the April 7, 2003, letter.
The department also provided additional technical comments, which we
have incorporated as appropriate in our report.
Background:
Securing our nation's borders is a formidable task. The United States
shares over 7,500 miles of land border with Canada and Mexico, and it
has approximately 95,000 miles of shoreline and navigable waterways to
protect. All people and goods that legally enter the United States must
come through one of about 300 land, air, or sea ports of entry and must
undergo what is referred to as "primary inspection." In fiscal year
2002, INS reported that over 440 million persons passed through primary
inspections; approximately 81 percent of these inspections were at land
ports of entry (see table 1).
Table 1: Primary Inspections by U.S. Ports of Entry (Fiscal Year 2002):
Type of port: Sea; Inspections[A]: Number: 12,369,035;
Inspections[A]: Percent: 3; Number of foreign national inspections:
4,994,879.
Type of port: Air; Inspections[A]: Number: 69,679,190;
Inspections[A]: Percent: 16; Number of foreign national inspections:
36,678,082.
Type of port: Land; Inspections[A]: Number: 358,373,569;
Inspections[A]: Percent: 81; Number of foreign national inspections:
237,693,265.
Type of port: Total; Inspections[A]: Number: 440,421,794;
Inspections[A]: Percent: 100; Number of foreign national inspections:
279,366,226.
Source: INS.
Note: GAO analysis of INS data.
[A] Includes U.S. citizens.
[End of table]
Following primary inspection, some persons seeking admission into the
United States go through a more detailed, secondary inspection before
they can be admitted. In fiscal year 2002, INS reported that about 8
million of the approximately 279 million foreign nationals entering the
United States were admitted through secondary inspections (see table
2). INS reported that 738,396 were denied admission.
Table 2: Foreign Nationals Admitted through Primary and Secondary
Inspections (Fiscal Year 2002):
Type of inspection: Primary; Foreign nationals admitted:
Number: 270,371,310; Foreign nationals admitted: Percent: 97.
Type of inspection: Secondary; Foreign nationals admitted:
Number: 8,256,520; Foreign nationals admitted: Percent: 3.
Type of inspection: Total; Foreign nationals admitted: Number:
278,627,830; Foreign nationals admitted: Percent: 100.
Source: INS.
Note: GAO analysis of INS data.
[End of table]
Overview of the Border Security Process:
As we previously reported,[Footnote 8] our nation's current border
security process for controlling the entry and exit of individuals
generally consists of four primary functions: (1) issuing visas,
(2) controlling entry, (3) managing stays, and (4) controlling exit.
Figure 1 depicts these functions, each of which is described below.
Figure 1: Simplified Diagram of the Border Security Process:
[See PDF for image]
[End of figure]
Issuing Visas:
The visa issuance process begins with the Department of State, which
issues immigrant and nonimmigrant visas[Footnote 9] to foreign
nationals at more than 200 diplomatic consular posts in approximately
180 countries. Officials at these consular posts review visa
applications, sometimes interviewing applicants, before issuing a visa.
As part of their review of visa applications, the officials run the
applicant's name through one of the State Department's watch
lists,[Footnote 10] the Consular Lookout and Support System
(CLASS),[Footnote 11] and its Consular Consolidated Database
(CCD).[Footnote 12] If an application is approved, a visa is issued; if
an application is rejected, the rejection is recorded in CLASS, and the
person's name is electronically forwarded to the Interagency Border
Inspection System (IBIS).[Footnote 13] The State Department reports
that the majority of visa applications are for nonimmigrant travel.
Canadian citizens and citizens of countries participating in the Visa
Waiver Program[Footnote 14] who travel to the United States on business
or pleasure for a period of 90 days or less[Footnote 15] are examples
of two classes of noncitizens that are exempt from these processing
requirements. Figure 2 depicts the visa issuance process.
Figure 2: Simplified Diagram of the Visa Issuance Process:
[See PDF for image]
[End of figure]
Controlling Entry:
Foreign nationals seeking entry into the United States are screened for
admission by INS or U.S. Customs Service inspectors at official air,
land, or sea ports of entry. Generally, this screening consists of
questioning each traveler regarding his or her identity and purpose of
visit. The inspector is to review the person's travel documents and
query IBIS to determine whether there is a "lookout" for the person or
vehicle. Once the inspector has the necessary information, an admission
decision is made. If additional review is necessary, the person is
referred to secondary inspection, where a more detailed review of the
travel documents, further questioning, and queries of multiple systems
are to occur.[Footnote 16] Travelers who are deemed inadmissible are
detained, and they are subject to enforcement actions as required.
Arriving foreign nationals must also complete a paper Form I-94, which
is an arrival/departure record.[Footnote 17] For each arrival, the
inspector is to review the form for accuracy, and if the foreign
national is deemed admissible, the inspector annotates the admission
classification[Footnote 18] and stamps the "Admit Until" date on the
form. The foreign national is then given the departure portion of the
form for proof of status while in the United States. INS keeps the
arrival portion for entry into the Non-Immigrant Information System
(NIIS) database.[Footnote 19]
The previously described inspection process may vary, depending on
travelers' nationalities. As of October 2002, the National Security
Entry Exit Registration System (NSEERS) program required nonimmigrant
foreign nationals over the age of 16 from certain countries to register
with INS.[Footnote 20] At the port of entry, these persons are to be
fingerprinted, photographed, and interviewed under oath at the time
they apply for entry into the United States. The inspector also
annotates the Form I-94 with a Fingerprint Identification Number to
show that the person has registered. (App. III provides more
information on NSEERS, as well as the Visa Waiver Support System, which
according to INS officials, are recently implemented systems that will
be integrated into the entry exit system.):
The entry control process also varies by type of port of entry. At air
and sea ports of entry, commercial carriers are required to submit
passenger and crew manifests before arrival. Manifest data are
submitted to the Advance Passenger Information System (APIS)[Footnote
21] and include (among other things) the person's full name, date of
birth, nationality, and passport number. Using the manifest data, INS
inspectors conduct a name check through IBIS before the persons arrive,
identifying those who will be subject to secondary inspection.
Land ports of entry differ from air and sea ports of entry in that no
requirements for passenger or crew manifests are imposed on commercial
carriers. Further, the procedures differ for pedestrians and occupants
of vehicles. As a general rule, pedestrians have all travel documents
checked, and if IBIS is available, a name search is conducted.
(Exceptions to this rule are Canadians, who are not required to have a
passport when entering a land port, and Mexicans with a border-crossing
card,[Footnote 22] who are not required to present a Mexican passport
or a U.S. visa.) For vehicles, license plates are checked through IBIS,
and documents and names of the vehicle's occupants are checked randomly
or when an inspector has reason to be suspicious. Figure 3 depicts the
entry control process.
Figure 3: Simplified Diagram of the Entry Control Process:
[See PDF for image]
[End of figure]
Managing Stays:
Until recently, foreign nationals admitted into the United States were
not actively monitored. However, with the implementation of NSEERS,
certain foreign national males over the age of 16 are now required,
within 30 days of arrival, to report to an INS office and register, a
process that includes providing information consistent with their
visas, such as proof of residence and proof of employment. If the
foreign national stays in the United States for more than 1 year, he
must also report to a designated INS location within 10 days of each
registration anniversary. If the foreign national changes his address,
school, or employer, he is required to notify INS by mail within 10
days. Those who violate these rules will have their photographs,
fingerprints, and other information added to the National Crime
Information Center (NCIC) "wants and warrants" list for enforcement
purposes.[Footnote 23] NSEERS violators who are caught by police are
transferred to INS custody for removal or criminal prosecution. Figure
4 depicts the stay management process.
Figure 4: Simplified Diagram of the Stay Management Process:
[See PDF for image]
[End of figure]
Controlling Exit:
At air and sea ports of entry, carriers are responsible for collecting
from exiting foreign nationals the departure portions of the Form I-94
and for forwarding them to INS, which in turn sends them to a data
entry contractor for manual input into the Non-Immigrant Information
System. Carriers are also required to electronically submit to APIS
manifest information of passengers leaving the United States from an
air or sea port of entry. The departure manifest information is
transmitted from APIS to the Arrival Departure Information System
(ADIS), which uses name-matching algorithms to match the arrival and
departure records and identify persons who have overstayed their
authorized visits. At land ports of entry, there is no collection point
for the departure portion of the Form I-94. The foreign national is
responsible for returning the departure portion, although there is no
penalty for not doing so, unless the person is subject to NSEERS
requirements. Persons subject to NSEERS must depart the United States
from an INS-designated port of entry and report to an INS agent for
examination and endorsement of departure. If these persons do not
report their exit, they become ineligible to return to the United
States. The exit control process is depicted in figure 5.
Figure 5: Simplified Diagram of the Exit Control Process:
[See PDF for image]
[End of figure]
Congress Has Specified Entry Exit System Capabilities in Legislation:
Legislation defines the capabilities that the entry exit system is to
have. The "pre-9/11" laws defining these capabilities are the Illegal
Immigration Reform and Immigrant Responsibility Act of 1996
(IIRIRA),[Footnote 24] the Immigration and Naturalization Service Data
Management Improvement Act of 2000,[Footnote 25] and the Visa Waiver
Permanent Program Act.[Footnote 26] The "post-9/11" laws are the USA
PATRIOT Act,[Footnote 27] the Aviation and Transportation Security
Act,[Footnote 28] and the Enhanced Border Security and Visa Entry
Reform Act of 2002.[Footnote 29]
Among other things, Section 110 of IIRIRA directed the Attorney General
to develop an automated entry exit control system to collect records of
departure from every alien leaving the United States and match it with
the alien's record of arrival. It also required that the system provide
on-line searching procedures to identify each lawfully admitted
nonimmigrant who remains in the United States beyond his or her
authorized period.
The Immigration and Naturalization Service Data Management Improvement
Act amended Section 110 of IIRIRA by replacing it in its entirety. This
act, among other things, requires that the entry exit system integrate
arrival and departure information on aliens required under IIRIRA and
contained in Department of Justice (including INS) and State Department
databases. Further, the act specifies that the system be implemented at
all airports and seaports by December 31, 2003; the 50 busiest land
ports by December 31, 2004; and all remaining ports no later than
December 31, 2005.
The Visa Waiver Permanent Program Act, among other things, requires the
Attorney General, no later than October 1, 2001, to develop and
implement at airports and seaports a fully automated system to control
entry and exit of aliens who enter the United States under the Visa
Waiver Program. The act also requires that, by October 1, 2002,
inspectors at the ports of entry have access to any State Department or
INS photograph and information on whether the alien has been determined
to be ineligible to be admitted to the United States or receive a visa.
Further, the act requires that visa waiver applicants be checked
against lookout (i.e., watch list) systems, and that by October 1,
2007, aliens applying for a visa waiver have a machine-readable
passport.
Since September 11, 2001, three additional laws address, among other
things, an alien entry exit control system. The USA PATRIOT Act
mandates that this system be capable of interfacing with other law
enforcement agencies, and that it use biometric technology and tamper-
resistant documents. The Aviation and Transportation Security Act
requires air carriers to electronically transmit manifest information
for all international flight passengers and crew members before landing
at a U.S. airport. The Enhanced Border Security and Visa Entry Reform
Act further requires the use of biometrics in travel documents by
October 26, 2004; it expands the passenger arrival manifest requirement
in the Aviation and Transportation Security Act to sea carriers and to
air and sea departures; and it requires compliance for both no later
than January 1, 2003. Appendix IV provides more information on the
legislatively mandated capabilities for an entry exit system.
Overview of the President's Homeland Security Strategy and Department
of Homeland Security:
In July 2002, the administration issued a national strategy for
homeland security.[Footnote 30] This strategy, among other things,
aligns and focuses homeland security functions into six mission areas,
one of which is border and transportation security.[Footnote 31] To
better address the issues of border and transportation security, the
strategy identifies several initiatives, including:
* creating "smart borders" to provide greater security, including the
development and deployment of the statutorily mandated entry exit
system; and:
* ensuring accountability in border and transportation security by
consolidating the current border and transportation security agencies
under a new department of homeland security.
In November 2002, the Congress passed and the President signed the
Homeland Security Act of 2002,[Footnote 32] which established this new
Department of Homeland Security (DHS) to provide greater accountability
over critical homeland security missions and unity of purpose among the
agencies responsible for them.
The administration's national strategy also proposed having a single
entity to manage who and what enters the United States. Under the new
department, this single entity is the Border and Transportation
Security Directorate. Before this, responsibility and accountability
for border security were vested primarily with INS, which was part of
the Justice Department; the Customs Service, which was part of the
Department of the Treasury; the Transportation Security Administration
(TSA), which was part of the Department of Transportation; and the
Bureau of Consular Affairs, which is part of the State Department.
Effective March 1, 2003, DHS merged within its Border and
Transportation Security Directorate three of these four agencies--INS,
Customs, and TSA. The goal in doing so is to better manage and
coordinate port of entry activities, lead efforts to create a border of
the future, and secure our nation's transportation systems. Also, the
Secretary of Homeland Security has the authority to issue regulations
regarding the issuance of visas. The regulations will be implemented
through the State Department. (See fig. 6 for a partial organization
chart of the Border and Transportation Security Directorate.):
Figure 6: Partial DHS Organization Chart Identifying the Border and
Transportation Security Directorate:
[See PDF for image]
[End of figure]
Brief Description of the Entry Exit Program:
The entry exit program was established to integrate the people,
processes, and technologies needed to satisfy the legislative mandates.
The program includes each of the four border security process
functions: issuing visas, controlling entry, managing stays, and
controlling exit. Additionally, the program is intended to cover the
people responsible for implementing the process, the technology to
support the process, and the physical infrastructure (e.g., vehicle and
pedestrian traffic lanes and facilities) needed to support the process.
For fiscal year 2002, the conference report for the first supplemental
appropriations act[Footnote 33] recommended that INS use $13.3 million
in appropriations for the development of an automated entry exit
system. The Congress prohibited INS from obligating these funds for the
system until the agency submitted to the Appropriations Committees an
expenditure plan (1) that meets the capital planning and investment
control review requirements established by OMB, including Circular A-
11, part 3; (2) that complies with the acquisition rules, requirements,
and guidelines and systems acquisition management practices of the
federal government; and (3) that is reviewed by GAO.
On November 15, 2002, INS submitted to its Senate and House
Appropriations Subcommittees a one-page plan for spending the $13.3
million for the entry exit system. In summary, the plan allocated the
$13.3 million to 10 areas, the largest area being contract support for
program management activities ($5.6 million). Other major areas
included the design, development, and deployment of the Visa Waiver
Permanent Program Act Support System ($2.1 million); the assessment of
facilities at every port of entry along the Mexican and Canadian
borders ($1.4 million); and the development of standards for biometrics
identifiers[Footnote 34] ($2.1 million). Table 3 summarizes INS's entry
exit system expenditure plan.
Table 3: Summary of INS's Fiscal Year 2002 Entry Exit System
Expenditure Plan:
Area of expenditure: 1. Entry exit support contract activities (e.g.,
evaluating the proposals; developing the concept of operations,
business case, and request for proposal); Amount: $5,554,000.
Area of expenditure: 2. Design, development, and deployment of the Visa
Waiver Support System; Amount: 2,050,000.
Area of expenditure: 3. Assessment of the current facilities at every
land border port along the Canadian and Mexican borders; Amount:
1,425,000.
Area of expenditure: 4. Development of biometrics standards and testing
of possible biometric identifiers; Amount: 2,060,000.
Area of expenditure: 5. Prototyping of proposed systems at various
ports of entry; Amount: 863,000.
Area of expenditure: 6. IBIS support activities; Amount: 560,000.
Area of expenditure: 7. Joint TSA/Customs/State/INS/Department of
Agriculture project with United Airlines to develop an expedited
process to inspect returning U.S. citizens; Amount: 400,000.
Area of expenditure: 8. Travel; Amount: 210,800.
Area of expenditure: 9. Entry exit program office operations; Amount:
159,000.
Area of expenditure: 10. Livescan fingerprint units; Amount: 18,200.
Area of expenditure: Total; Amount: $13,300,000.
Source: INS.
Note: GAO analysis of INS data.
[End of table]
In fiscal year 2003, Justice requested $380 million for the entry exit
program--$362 million in new funding and $18 million provided in fiscal
year 2003 base resources.[Footnote 35] According to INS officials, $334
million of this amount will be used for facility improvements. In
conjunction with the Consolidated Appropriations Resolution,
2003,[Footnote 36] the conference report[Footnote 37] recommended $362
million for the entry exit program in fiscal year 2003 funds.
In March 2002, INS chartered an Entry Exit Program Team consisting of
representatives from INS, Customs, TSA, and the Bureau of Consular
Affairs, with INS serving as the program lead; the team reports to an
interagency board comprising senior leadership from these four
agencies.[Footnote 38] The team is responsible for:
* managing program resources (i.e., budgetary planning, formulation,
execution, and control);
* reporting to the Congress and other key stakeholders, as necessary;
and:
* managing the acquisition, including defining and establishing program
management controls, developing program plans and baselines, and
managing all aspects of the entry exit system life cycle.
As currently envisioned, the program will be placed organizationally
within DHS's Bureau of Immigration and Customs Enforcement, which is
part of the department's Border and Transportation Security Directorate
(see fig. 6), previously mentioned. With the transition to the new
department, the program manager also stated that the program's
governance and management structure is undergoing change.
As previously noted, the entry exit system is one of three parts of the
whole entry exit program--the technologies--the other two parts being
people and processes. As planned, the system is to provide automated
support in identifying and preventing unlawful persons from entering
the United States, as well as managing the stay and exit of those
lawfully admitted. To do this, plans indicate that the system is to
share vital border control information so as to alert border officials
of national security threats. It is also to help coordinate the
enforcement of immigration laws for alien overstays.
DHS's Bureau of Immigration and Customs Enforcement plans to acquire
the entry exit system through a two-phase competitive acquisition
process. The first phase is referred to as a pilot demonstration. In
this phase, two or more contractors are to be awarded contracts to
develop and pilot test system solutions. Following an evaluation of
each pilot system, a contract is to be awarded to the winning
contractor for full-scale development and implementation of the entry
exit system. According to the entry exit program manager, INS has
developed costs and milestones for the system acquisition. However, INS
did not respond to our requests for this information, citing the
sensitive nature of the information as its reason.
Fiscal Year 2002 Expenditure Plan Partially Satisfied Legislative
Mandate:
The Congress limited INS's ability to obligate fiscal year 2002
appropriated funds for the entry exit system until INS submitted to the
Appropriations Committees an expenditure plan (1) that meets the
capital planning and investment control review requirements established
by OMB, including Circular A-11, part 3; (2) that complies with the
acquisition rules, requirements, and guidelines and systems acquisition
management practices of the federal government; and (3) that is
reviewed by us.
INS submitted an expenditure plan to its Senate and House
Appropriations Subcommittees on November 15, 2002. This plan and
related documentation partially satisfied the first condition and
generally satisfied the second condition, and we have satisfied the
third with this report. According to the entry exit program manager,
INS's efforts to satisfy the two conditions are a by-product of its
policies and practices for acquiring information technology (IT)
systems, which it is following, and which are aligned with federal
capital planning and acquisition requirements and guidance.
However, INS has obligated at least part of the $13.3 million
recommended for the entry exit system before submitting the plan. Since
then, INS officials told us that they have de-obligated over $6.6
million that they had obligated after August 2, 2002,[Footnote 39] and
reclassified those obligations to other available sources of base
"Enforcement and Border Affairs" fiscal year 2002 funding.
INS Satisfied Most, but Not All, of OMB's Capital Planning and
Investment Control Review Requirements:
OMB's IT capital planning and investment control review policies are
intended to help agencies achieve performance goals and objectives with
minimal risk, lowest life cycle costs, and greatest benefits to the
agency's business.[Footnote 40] OMB requires, among other things, that
agencies establish a process that defines how the agency (1) selects
projects included in its IT portfolio; (2) controls these projects to
achieve the intended cost, schedule, and performance outcomes; and
(3) evaluates IT projects' performance to maintain a positive return on
investment. OMB also requires that agencies (1) develop a system
acquisition strategy; (2) conduct an alternatives analysis that, among
other things, addresses replaced systems savings and a savings recovery
schedule; (3) comply with agencies' enterprise architectures[Footnote
41] in developing and acquiring IT systems; and (4) use a performance-
based management system to monitor progress against established project
performance goals. Additionally, OMB requires that IT projects
(1) ensure that a system security plan is developed and implemented, so
that appropriate controls are defined, established, and continually
assessed for effectiveness, and (2) perform a system privacy impact
assessment, so that relevant privacy issues and needs are understood
and appropriately addressed early and continuously in the system life
cycle.
While the expenditure plan does not explicitly address OMB's
requirements, related INS documents and plans satisfy most, but not
all, of the requirements. For example, INS has established a capital
planning and investment control process that defines how INS selects,
controls, and evaluates its IT projects. This process describes
(1) controls used to create the IT portfolio; (2) procedures for
measuring projects against their costs, schedule, and benefits; and
(3) measures used to determine the IT projects' actual return on
investment. The process also identifies several decision points for
review and approval. For example, approval by INS's Investment Approval
Board[Footnote 42] of the business case (cost/benefit analysis, risk
analysis, and alternatives analysis) is required before the project
team defines system requirements. INS has not yet developed a business
case for the entry exit program.
Further, INS has developed an entry exit system acquisition strategy.
Under this strategy, INS intends to acquire the system in two phases.
In the first phase, it plans to award contracts to multiple vendors to
develop prototype versions of the system and to demonstrate their
capabilities against requirements, on a pilot basis, at a simulated
port of entry. In the second phase, INS plans to award a contract to
develop, integrate, and implement an operational entry exit system.
Additionally, it has developed an alternatives analysis, and, according
to the entry exit program manager, INS's fiscal year 2004 Exhibit
300[Footnote 43] for the entry exit program addresses the potential
savings associated with replacing existing systems and a schedule for
achieving those savings. In addition, preliminary planning documents
indicate that INS plans to comply with its enterprise architecture, and
that it intends to apply earned value management standards and
techniques to monitor and control costs and to measure progress against
established performance goals.
However, INS has yet to develop a security plan and privacy impact
assessment for the entry exit system, both of which are important to
understanding system requirements and ensuring that the proper
safeguards are in place to protect system data and resources. According
to INS officials, the agency has not developed a security plan and
privacy impact assessment because it is too early in the system
development life cycle to do so. This is not consistent with system
acquisition best practices and federal guidance, which advocate
understanding and defining security and privacy requirements both early
and continuously in a system's life cycle. Until these important
requirements are satisfied, the basis for further entry exit system
definition and acquisition will be limited, thereby introducing the
risk that security and privacy will not be effectively and efficiently
addressed.
INS Generally Satisfied Key Federal Acquisition Rules, Requirements,
and Guidelines and Systems Acquisition Management Practices:
Federal acquisition rules, requirements, guidelines, and management
practices provide an acquisition management framework that is based on
the use of rigorous and disciplined processes for planning, managing,
and controlling the acquisition of IT resources.[Footnote 44] These
acquisition management processes are also embodied in published best
practices models, such as the Software Acquisition Capability Maturity
Model® developed by Carnegie Mellon University's Software Engineering
Institute (SEI).[Footnote 45] SEI's model explicitly defines
acquisition process management controls that are recognized hallmarks
of successful organizations and that, if implemented effectively, can
greatly increase the chances of acquiring software-intensive systems
that provide promised capabilities on time and within budget. Key
processes include the following:
* Acquisition planning. Ensures that reasonable planning for the
acquisition is conducted and that all aspects of the total acquisition
effort are included in these plans.
* Solicitation. Ensures that a request for proposal that delineates a
project's requirements is prepared and, consistent with relevant
solicitation laws and regulations, that a contractor is selected that
can most cost-effectively satisfy these requirements.
* Requirements development and management. Establishes and maintains a
common and unambiguous definition of software requirements among the
acquisition team, the system users, and the development contractor.
* Project management. Provides for management of the activities within
the project office and supporting contractors to ensure a timely,
efficient, and cost-effective acquisition.
* Contract tracking and oversight. Ensures that the development
contractor performs according to the terms of the contract; needed
contract changes are identified, negotiated, and incorporated into the
contract; and contractor performance issues are identified early, when
they are easier to address.
* Evaluation. Determines whether the acquired products and services
satisfy contract requirements before acceptance.
Within these key processes, SEI identifies practices that are needed to
effectively execute each process. Among others, these practices include
(1) having a written policy, (2) assigning responsibility for the
acquisition, (3) developing and adhering to a plan, (4) performing
management review activities, and (5) measuring the status of key
activities and using these measurements to make decisions.
INS plans generally satisfy SEI's acquisition processes and practices.
For example, INS's governing acquisition policy and supporting
procedures for acquiring and implementing the entry exit system are
provided by INS's Systems Development Life Cycle,[Footnote 46] its
Information Technology Investment Management process,[Footnote 47] and
the Federal Acquisition Regulation,[Footnote 48] which our analysis
shows are generally consistent with SEI's acquisition model. (See app.
I for a description of our analysis.) Further, responsibility for
acquiring and implementing the entry exit system was assigned to INS
(and now to DHS's Bureau of Immigration and Customs Enforcement). INS
has developed an acquisition plan that outlines its approach and
strategy for acquiring the entry exit system. Additionally, INS has
issued a request for information to solicit input from development
contractors on the capabilities of their respective commercial products
and services to assist in developing system requirements, and it has
developed procedures and criteria for evaluating contractor proposals
and selecting a contractor to develop the entry exit system. Further,
through its Information Technology Investment Management process, INS
plans to measure the status and progress of acquisition activities and
use this information for investment decision-making.
According to the entry exit program manager, INS has made a commitment
to following rigorous and disciplined processes and practices in
acquiring the entry exit system because this is what its governing
policy and procedures require. If implemented effectively, such
processes and practices can minimize the acquisition and deployment
risks associated with the entry exit system.
GAO Reviewed Expenditure Plan:
On December 19, 2002, we received a copy of the initial expenditure
plan that INS submitted to the Congress, and on January 17, 2003, INS
provided us with most of the supporting acquisition management
documentation we requested. We reviewed the plan and documentation, and
the results of our review are provided in this report.
Expenditure Plan Submitted to the Congress after Funds Were Obligated:
In addition to requiring the expenditure plan to satisfy the above
three conditions, the Congress also limited INS's ability to obligate
funds for the entry exit system until INS submitted the plan to the
Appropriations Committees. However, INS obligated entry exit system
funding before submitting the plan. Specifically, as part of a January
6, 2003, briefing on planned fiscal year 2003 entry exit spending, INS
reported to its House Appropriations Subcommittee that, as of September
30, 2002, it had obligated approximately $9.8 million of the $13.3
million recommended for the entry exit system to perform tasks
described in its expenditure plan. Since then, INS officials told us
that they have de-obligated over $6.6 million that they had obligated
after August 2, 2002,[Footnote 49] and reclassified those obligations
to other available sources of base "Enforcement and Border Affairs"
fiscal year 2002 funding.
Other Observations: Planned Entry Exit Capabilities Are Aligned with
Legislation, but Future Expenditure Plans Need to Be Improved:
Recent legislation has defined the capabilities that the entry exit
system is to provide, and INS's preliminary plans show that it intends
for the system to provide these capabilities. However, INS's first
entry exit system expenditure plan does not adequately disclose
material information about the system. Without sufficiently detailed
information on system plans and progress, the Congress will be impeded
in its efforts to oversee the system and constrained in its ability to
provide timely guidance and release of funding.
Preliminary Plans Provide for Implementing System Capabilities Cited in
Legislation:
As discussed in the Background section of this report, various laws
have defined the types of capabilities that the entry exit system is to
provide. (See app. IV for a more detailed summary of the legislation.)
For example, the system must, among other things, (1) collect and match
alien arrival and departure data electronically; (2) be accessible to
the border management community, including consular officers, federal
inspection agents, and law enforcement and intelligence agencies
responsible for the identification and investigation of foreign
nationals; and (3) support machine-readable, tamper-resistant
documents containing biometric identifiers at U.S. ports of entry.
Initial INS plans for the entry exit system are generally aligned with
these legislatively directed system capabilities. For example, the
operational capabilities for the planned system include, among other
things, (1) electronically recording and matching arrivals and
departures for the purpose of identifying visa overstays;
(2) interoperating with other entities involved in border management,
including law enforcement and intelligence agencies; and
(3) implementing a biometric standard on all travel documents issued on
or after October 26, 2004.[Footnote 50] Table 4 provides a list of the
high-level operational requirements defined in preliminary system
plans, and table 5 provides a detailed comparison to the key
legislative requirements.
Table 4: Planned Operational Requirements for Entry Exit System:
Requirement number: 1; Description of requirement: Record pertinent
information before the arrival of persons to the United States, such as
visas and immigration petitions and applications
Requirement number: 2; Description of requirement: Record the arrival
and departure of aliens; record changes in a visitor's status; identify
those persons who have remained in the United States beyond their
authorized period; and enable the reporting of overstay statistics to
Congress
Requirement number: 3; Description of requirement: Facilitate
identification of lawfully admitted non-U.S. citizens
Requirement number: 4; Description of requirement: Enable the biometric
standard selected by the National Institute for Standards and
Technology and consistent with the International Civil Aviation
Organization's standards
Requirement number: 5; Description of requirement: Include the
biometric standard on all travel documents issued on or after October
26, 2004
Requirement number: 6; Description of requirement: Develop a unified
workflow that integrates the activities of all agencies supporting
border management
Requirement number: 7; Description of requirement: Be interoperable
with other entities as appropriate, including law enforcement and
intelligence agencies
Requirement number: 8; Description of requirement: Provide access to,
exchange, and integrate alien arrival and departure information that is
in an electronic format in the databases of the Departments of Justice
and State
Requirement number: 9; Description of requirement: Develop a capability
to exchange information between existing and future systems among
border management agencies (within the requirement of the law)
regardless of what agency owns the system
Requirement number: 10; Description of requirement: Notify appropriate
authorities as required
Requirement number: 11; Description of requirement: Provide improved
decision support to inspectors, adjudicators, consular officers, and
other appropriate personnel, including access to fully integrated
lookout information, comprehensive travel document information
(including immediate access to nonimmigrant visa and immigrant visa
data), and alien overstay alerts
Source: INS.
[End of table]
Table 5: Key System Capabilities Specified by Legislation Compared with
INS's Planned Operational Requirements:
Legislative requirement for entry exit system: The term "integrated
entry and exit data system" means an electronic system that; * provides
access to and integrates alien arrival and departure data that are
(1) authorized or required to be created or collected under law; (2) in
an electronic format; and (3) in a Justice or State Department
database, including those created or used at ports of entry and at
consular offices; * produces a report of arriving and departing aliens
by country of nationality, classification as an immigrant or
nonimmigrant, and date of arrival in and departure from the United
States; * matches an alien's available arrival data with the alien's
available departure data; * identifies lawfully admitted nonimmigrants
who may have remained in the United States beyond the period authorized
by the Attorney General; and; * uses available data to permit the
Attorney General to generate reports, including (1) number of departure
records collected by nationality; (2) number of departure records that
were successfully matched to records of arrival, by nationality and
classification as an immigrant or nonimmigrant; (3) number of aliens
who arrived pursuant to a nonimmigrant visa or the Visa Waiver Program,
for whom no matching departure data have been obtained as of the end of
the alien's authorized period of stay, by nationality and arrival date
in the United States; and (4) number of lawfully admitted nonimmigrants
identified as visa overstays, by nationality; INS operational
requirement in table 4: 2, 3, 8, 11.
Legislative requirement for entry exit system: The entry exit system
will be implemented at airports and seaports by December 31, 2003; at
the 50 busiest land border ports of entry by December 31, 2004; and at
all remaining ports by December 31, 2005; INS operational
requirement in table 4: 2, 11.
Legislative requirement for entry exit system: By October 1, 2001, the
Attorney General shall develop and implement a fully automated entry
exit control system to collect a record of arrival and departure for
every alien who arrives and departs by sea or air at a U.S. port of
entry and is provided a waiver under the Visa Waiver Program;
INS operational requirement in table 4: 2, 3.
Legislative requirement for entry exit system: By October 1, 2002, the
system shall enable immigration officers conducting inspections at
ports of entry to obtain, with respect to aliens seeking a waiver under
the Visa Waiver Program, (1) any photograph of the alien that is
contained in the records of the State Department or INS and
(2) information on whether the alien has ever been determined to be
ineligible to receive a visa or be admitted to the United States;
INS operational requirement in table 4: 1, 8, 11.
Legislative requirement for entry exit system: On or after October 1,
2007, an alien applying for U.S. entrance under the Visa Waiver Program
must have a valid unexpired passport that meets internationally
accepted standards for machine readability; INS operational
requirement in table 4: 3.
Legislative requirement for entry exit system: Countries designated to
participate in the Visa Waiver Program before May 1, 2000, shall issue
machine-readable passports no later than October 1, 2003; INS
operational requirement in table 4: 3.
Legislative requirement for entry exit system: By October 1, 2002, no
visa waiver may be provided to an alien arriving by air or sea at a
port of entry on a carrier unless the carrier is electronically
transmitting passenger data to the entry exit system; INS
operational requirement in table 4: 2, 3.
Legislative requirement for entry exit system: All Visa Waiver Program
applicants must be checked against lookout systems; INS
operational requirement in table 4: 1, 3, 7.
Legislative requirement for entry exit system: Not less than 1 hour
before arrival at port of entry, signatory aircraft transporting Visa
Waiver Program aliens must electronically furnish the passenger data
required by regulations; INS operational requirement in table
4: 2, 3.
Legislative requirement for entry exit system: The system shall contain
sufficient data to permit the Attorney General to calculate, for each
Visa Waiver Program country and each fiscal year, the portion of
nationals of that country who arrive under the program at air and sea
ports of entry but for whom no record of departure exists, expressed as
a percentage of the total number of such visa waiver aliens for the
particular country; INS operational requirement in table 4:
2.
Legislative requirement for entry exit system: System shall maintain,
for a minimum of 10 years, information about each application for
admission made by an alien seeking a waiver under the Visa Waiver
Program; INS operational requirement in table 4: 1, 11.
Legislative requirement for entry exit system: Focus of system
development shall be (1) on the use of biometric technology and (2)
on tamper-resistant documents readable at ports of entry; INS
operational requirement in table 4: 4, 5.
Legislative requirement for entry exit system: System must be
accessible to (1) all consular officers responsible for visa issuance,
(2) all federal inspection agents at all U.S. border inspection points,
and (3) all law enforcement and intelligence responsible for
investigation or identification of aliens; INS operational
requirement in table 4: 1, 6, 7, 9, 10, 11.
Legislative requirement for entry exit system: The entry exit system
must be able to interface with law enforcement databases for use by
federal law enforcement to identify and detain individuals who pose a
threat to the national security of the United States; INS
operational requirement in table 4: 7, 9, 10.
Legislative requirement for entry exit system: No later than October
26, 2004, the Secretary of State and the Attorney General shall issue
to aliens only machine-readable, tamper-resistant visas and other
travel and entry documents that use biometrics; INS
operational requirement in table 4: 4, 5, 8.
Legislative requirement for entry exit system: In addition to the
requirement for biometric identifiers, name-search capacity and support
must also be implemented between 18 months and 4.5 years of enactment;
INS operational requirement in table 4: 2, 11.
Legislative requirement for entry exit system: Not later than October
26, 2004, the Attorney General and the Secretary of State shall install
at all U.S. ports of entry equipment and software to allow biometric
comparison and authentication of all U.S. visas and other travel and
entry documents issued to aliens; INS operational requirement
in table 4: 4, 5, 8.
Legislative requirement for entry exit system: Not later than January
1, 2003, arrival and departure manifests must be electronically
provided for each passenger (including crew members and any other
occupants) for air and sea carriers at port of entry. The manifest
shall include (1) complete name; (2) date of birth; (3) citizenship;
(4) sex; (5) passport number and country of issuance; (6) country of
residence; (7) U.S. visa number, date, and place of issuance, where
applicable; (8) alien registration number, where applicable; (9) U.S.
address while in the United States; and (10) other information the
Attorney General and the Secretaries of State and the Treasury
determine necessary for the identification of persons, for the
enforcement of immigration laws, and to protect safety and national
security; INS operational requirement in table 4: 2, 3, 6,
11.
Legislative requirement for entry exit system: Upon request,
information provided to the Department of Transportation or the U.S.
Customs Service may be shared with other federal agencies for the
purpose of protecting national security; INS operational
requirement in table 4: 6, 7, 8, 9, 10, 11.
Sources: Section 110, Public Law 104-208 (Sept. 30, 1996); Public Law
106-215 (June 15, 2000); Public Law 106-396 (Oct. 30, 2000); Public Law
107-56 (Oct. 26, 2001); Public Law 107-71 (Nov. 19, 2001); and Public
Law 107-173 (May 14, 2002).
Note: GAO analysis of cited legislation and INS entry exit system
operational requirements.
[End of table]
System Acquisition Commitments and Progress Need to Be Addressed in
Future Expenditure Plans:
The legislative requirement to submit an expenditure plan for the entry
exit system to the Appropriations Committees is intended to provide
lawmakers with a sufficient understanding of the system acquisition to
permit effective oversight and to allow for informed decision-making
about the use of appropriated funds. For this to occur, however, our
prior experience in working with the Congress and other agencies in
developing and implementing expenditure plans shows that these plans
need to disclose a sufficient level and scope of information for the
Congress to understand what system capabilities and benefits are to be
delivered, by when, and at what cost, and what progress is being made
against the commitments that were made in prior expenditure plans.
Further, our experience shows that the plans should disclose how the
acquisition will be managed to provide reasonable assurance that system
capability, benefit, schedule, and cost commitments will be met. In
effect, the expenditure plans can be viewed as contractual arrangements
with the committees. Such treatment is consistent with expenditure
planning precedents set with the Internal Revenue Service and the
former U.S. Customs Service on their respective system modernization
programs.[Footnote 51]
INS's first expenditure plan does not contain the level and scope of
information needed for the Congress to understand its plans and
commitments relative to system capabilities, benefits, schedules, and
costs. More specifically, this first plan only identifies general
"areas of expenditure" and associated funding amounts (see table 6 for
the verbatim text of the plan as submitted). According to INS
officials, this is because the expenditure plan was developed on the
basis of Justice Department guidance, which did not require more
detailed information. However, they said that future plans will include
more detailed and complete information on system capabilities,
benefits, schedules, and costs, but they did not provide supporting
documentation or specific details. Without this level of detail, the
Congress will be denied the information needed to allow it to oversee
plans and progress on the system.
Table 6: Verbatim Text of INS Entry Exit System Expenditure Plan as
Submitted to the Congress:
Name: CT Supplemental; Funding: $13,300,000;
Name: Entry Exit Support Contract; Spend plan:
$5,554,000; Description: Entry Exit Support Contract--A
contractor will assist the INS in developing the Request for Proposal
(RFP) for the Entry Exit System. The contractor will also assist INS in
evaluating the proposals, developing the Concept of Operations and the
Business Case, and all requirements under Office of Management and
Budget Circular A-11, Part 7. The contractor will also assist the INS
in overseeing the design and development of the Entry Exit System
Name: Interagency Agreement with the National Institute for Standards
and Technology (NIST); Spend plan: $1,000,000;
Description: Interagency Agreement (IAA) with the National
Institute for Standards and Technology (NIST)--This IAA requires NIST
to test biometrics and to assist the Attorney General and Secretary of
State to develop standards for biometrics identifiers as required by
the PATRIOT Act and the Enhanced Border Security Act
Name: Interagency Agreement with the White House Office of Science and
Technology (Biometrics); Spend plan: $1,060,000;
Description: IAA with the White House Office of Science and
Technology--This IAA is to contract with a biometrics expert to assist
and advise the Entry Exit Office on possible biometrics identifiers
Name: Travel; Spend plan: $210,800;
Description: [Empty].
Name: Facility Port Assessment; Spend plan:
$1,425,000; Description: Port Facility Assessment--This is an
assessment of the current facilities present at every land border port
along the Canadian and Mexican borders
Name: Entry Exit Program Office Operations; Spend
plan: $159,000; Description: [Empty].
Name: Visa Waiver Permanent Program Act (VWPPA) Task;
Spend plan: $2,050,000; Description: Visa Waiver Permanent
Program At (VWPPA) Task--This is the design, development and deployment
of the system that will record the arrival and departure of all Visa
Waiver visitors arriving and departing through air and sea ports-of-
entry
Name: Interagency Agreement with U.S. Customs Service (USCS)--(IBIS);
Spend plan: $560,000; Description: [Empty].
Name: Livescan Fingerprint Units; Spend plan:
$18,200; Description: [Empty].
Name: Entry/Exit System Prototyping; Spend plan:
$863,000; Description: E/E System Prototyping--This is the
prototyping of proposed systems at various ports-of-entry that will
culminate in the award of a vendor to build the entry exit system
Name: Transportation Security Administration (TSA) Prototype test at
Dulles International Airport (IAD); Spend plan:
$400,000; Description: Transportation Security Administration
(TSA) Prototype Test--This is a joint TSA/USCS/Department of State/INS/
Department of Agriculture project with United Airlines to develop an
expedited process to inspect returning US citizens
Name: Total; Funding: $13,300,000; Spend plan: $13,300,000;
Description: [Empty].
Name: The Entry Exit Program Manager states that to the best of his
knowledge INS has complied with all acquisition rules, requirements,
guidelines, and system acquisition management practices of the Federal
Government
Source: INS.
[End of table]
Conclusions:
The immense importance of the entry exit system to the security of our
nation's borders is undeniable, as is the need to acquire and implement
this system effectively and efficiently. This criticality is a major
reason that the Congress placed limitations on the use of entry exit
system funding until the Congress has been assured, through the
submission of a high-quality plan, that the system is being managed
effectively.
INS partially met the legislative conditions that the Congress placed
on its use of fiscal year 2002 entry exit system funding. However, it
is important that DHS promptly address certain capital planning and
investment control issues--security and privacy--and that the Congress
be given the opportunity to exercise its intended level of expenditure
plan oversight before funds are obligated. It is equally important that
future expenditure plans disclose sufficient information to permit
meaningful congressional understanding and oversight of the system.
While this lack of detail is a material limitation in the first plan,
it will become even more problematic in the future: as the magnitude
and complexity of the entry exit system acquisition increases in fiscal
year 2003 and beyond, so will the importance of creating plans with the
appropriate level and scope of information.
Of particular significance going forward will be how effectively DHS
implements the system investment and acquisition controls provided for
in the first plan and related documentation. Therefore, it is important
that future plans disclose project information of sufficient level and
scope about (1) what system capabilities and benefits are to be
delivered, by when, and at what cost; (2) how well DHS is progressing
against the commitments that it made in prior expenditure plans; and
(3) how the acquisition is being managed to provide reasonable
assurance that the system capability, benefit, schedule, and cost
commitments will be met. This approach to expenditure planning for
congressional oversight has worked successfully with other federal
agencies and the Congress.
Recommendations for Executive Action:
To help ensure the effective management and acquisition of the entry
exit system, we recommend that the Secretary of Homeland Security,
through whatever entry exit program governance structure is
established, direct the entry exit program manager to ensure that
planned investment and acquisition management controls, including the
development of a business case, are fully implemented in accordance
with recognized best practices and relevant federal requirements and
guidance. At a minimum, we recommend that the Secretary's direction
include having the entry exit program manager immediately develop and
begin implementing a system security plan. At the same time, we
recommend that the Secretary have the program manager perform a privacy
impact analysis and use the results of this analysis in near-term and
subsequent system acquisition decision-making. Further, in light of
INS's recent transition to the new department and potential changes to
system investment and acquisition controls provided for in the first
plan, we recommend that controls in the areas of acquisition planning,
solicitation, requirements management, project management, contract
tracking and oversight, and evaluation be implemented in accordance
with SEI guidance.
Additionally, we recommend that the Secretary ensure that future
expenditure plans (1) be provided to the department's Senate and House
Appropriations Subcommittees in advance of entry exit system funds
being obligated and (2) fully disclose what entry exit system
capabilities and benefits are to be delivered, by when, and at what
cost, and how it intends to manage the acquisition to provide
reasonable assurance that these system capability, benefit, schedule,
and cost commitments will be met.
Agency Comments and Our Evaluation:
In written comments on a draft of our report signed by DHS's Assistant
Secretary, Bureau of Immigration and Customs Enforcement (reprinted in
app. II, along with our responses), the department did not explicitly
agree or disagree with our conclusions and recommendations. However,
the department described actions that it plans to take that are
consistent with our recommendations, including developing and
implementing a system security plan, developing system management
controls, providing future expenditure plans to the Appropriations
Subcommittees before obligating any funds, and specifying system
capabilities and benefits in future plans. We support these planned
actions.
The department provided other principal comments. First, it stated that
we failed to consider that the lack of specific detail in the fiscal
year 2002 expenditure plan is attributable to a number of pending
policy decisions. Second, it stated that it had addressed the
development of a system security plan and privacy impact assessment and
provided a draft document entitled Technical Architecture and Security
Requirements that it said addressed these issues. Third, it commented
that we concluded that the entry exit program office is in compliance
with INS's ITIM, and therefore the entry exit system is in compliance
with OMB requirements. Fourth, it said we failed to consider and
incorporate information regarding its obligation of supplemental
appropriations.
We do not agree with these four comments. First, as we state in this
report, the legislative requirement to develop an expenditure plan is
intended to provide lawmakers with a sufficient understanding of the
system acquisition to permit effective oversight and informed decision-
making about the use of appropriated funds. For this to occur, the plan
needs to disclose a sufficient level and scope of information for the
Congress to understand what system capabilities and benefits are to be
delivered, by when, and at what cost. The plan also needs to disclose
what progress is being made against the commitments that were made in
prior expenditure plans, as well as how the acquisition will be managed
to provide reasonable assurance that system capability, benefit,
schedule, and cost commitments will be met. To the extent that this
information was not known because of pending policy issues, these
issues should have been explained and a timetable for addressing them
included in the plan. Notwithstanding these undecided policy matters,
the plan could have provided more detailed information. For example, it
could have addressed how the acquisition was to be managed.
Second, the draft document that the department provided with its
comments does not satisfy relevant federal guidance governing a
security plan and a privacy impact assessment.[Footnote 52] While the
document acknowledges the need to develop the plan and conduct the
assessment, and the document describes high-level security
requirements, it does not include, for example, rules of behavior for
individuals who access the system and the consequences for violating
those rules; methods for identifying, appropriately limiting, and
controlling interconnections with other systems; and procedures for
periodically reviewing the effectiveness of security controls.
Similarly, the document does not include an assessment of the privacy
implications of personal information to be collected and maintained by
the system.
Third, while we state in this report that INS's ITIM process generally
satisfies OMB's requirement to establish a process that defines how the
agency selects, controls, and evaluates its IT projects, we do not
state that the program office is in full compliance with the ITIM
process, and that therefore the entry exit system is in compliance with
OMB requirements. Rather, we conclude that, in going forward, it is
important that INS focus on implementing the investment management
controls provided for the plan and related documentation. Accordingly,
we recommend that DHS fully implement planned investment management
controls in accordance with relevant federal requirements and guidance.
Fourth, we did not include in our draft report the information that the
department provided regarding its obligation of the supplemental
appropriations because the department provided this information to us
in a letter dated April 7, 2003. We sent our draft report to the
department for comment on April 3, 2003, before we received the
department's letter. We have since modified this report, as
appropriate, to incorporate the information in the April 7, 2003,
letter.
The department also provided additional technical comments, which we
have incorporated as appropriate into this report.
We are sending copies of this report to interested congressional
committees. We are also sending copies to the Secretary of Homeland
Security, the Director of the Office of Management and Budget, and the
Secretary of State. We will also send copies to others upon request. In
addition, copies will be available at no charge on our Web site at
www.gao.gov.
Should you or your offices have questions on matters discussed in this
report, please contact me at (202) 512-3439. I can also be reached by
E-mail at hiter@gao.gov. An additional GAO contact and staff
acknowledgments are listed in appendix V.
Randolph C. Hite
Director, Information Technology Architecture and Systems Issues:
Signed by Randolph C. Hite:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
The Congress limited the ability of the Immigration and Naturalization
Service (INS) to obligate funds for the entry exit system until INS
submitted an expenditure plan (1) that meets the capital planning and
investment control review requirements established by the Office of
Management and Budget (OMB), including Circular A-11, part 3; (2) that
complies with the acquisition rules, requirements, and guidelines and
systems acquisition management practices of the federal government; and
(3) that is reviewed by us.[Footnote 53] To satisfy our legislative
mandate, our objectives were to review INS's expenditure plan to
(1) determine whether the plan satisfied the legislative conditions and
(2) provide observations about the expenditure plan and INS's
management of the entry exit system. Our review focused not only on the
plan, but also on related system documentation and plans.
To determine whether INS's expenditure plan satisfied the legislative
conditions, we first identified and analyzed relevant federal guidance,
such as OMB's investment control review requirements and
guidelines[Footnote 54] and the Federal Acquisition Regulation (FAR).
We then reviewed INS's expenditure plan and related documentation, such
as entry exit planning documents (i.e., concept paper, concept of
operations, business case, cost-effectiveness study, and feasibility
study); visa waiver support system functional requirements, system
design, and interface control documents; and the concept of operations
for the National Security Entry Exit Registration System (NSEERS). We
also interviewed the entry exit program team program manager and other
INS and Department of Justice officials to determine what INS is doing
to satisfy the legislative conditions. To specifically address the
legislative conditions, we did the following:
* To determine whether INS's expenditure plan met OMB's capital
planning and investment control review requirements, we reviewed entry
exit planning documents and INS's procedures for managing information
technology (IT) investments.[Footnote 55] We then compared the planning
documents with OMB requirements to identify whether any variances
existed. We discussed reasons for variances with the entry exit program
manager.
* To determine whether INS's plan complies with federal acquisition
rules, requirements, and guidelines and systems acquisition management
practices, we reviewed INS's policies and procedures for governing
system acquisition efforts, such as its System Development Life
Cycle[Footnote 56] and IT investment management guidelines. We then
identified and reviewed the acquisition management best practices
model[Footnote 57] developed by the Software Engineering Institute
(SEI), which many federal agencies have adopted as a benchmarking tool
for acquiring software-intensive systems in a manner that comports with
federal acquisition rules, requirements, and guidelines. Next, we
compared the primary components of INS's System Development Life Cycle
and its investment management procedures with the components of SEI's
model to determine whether any variances existed. The components
addressed in SEI's model were acquisition planning, solicitation,
requirements development and management, project management, contract
tracking and oversight, and evaluation. Because the entry exit program
manager stated that INS was following the requirements of the FAR in
acquiring the entry exit system, we also compared selected sections of
the FAR[Footnote 58] (e.g., acquisition planning, and contract
negotiation and administration) with SEI's model. Our comparative
analysis focused on whether key components of the SEI model were
provided for in the policies and procedures that INS was following or
intended to follow; it did not include evaluating the quality of INS's
policies and procedures.
To identify observations about the expenditure plan and INS's
management of the entry exit system, we first identified system
capabilities mandated in the applicable legislation.[Footnote 59] Next,
we identified and reviewed the entry exit system's planned operational
requirements and mapped the planned requirements to the legislatively
mandated system capabilities to identify any variances. We also
compared INS's expenditure plan with those of two other agencies that
have been required to submit expenditure plans to the Congress (the
Internal Revenue Service and the U.S. Customs Service). We interviewed
INS officials about plans for providing information regarding the
system's benefits, schedules, and costs in future expenditure plans.
The scope of our work was based on INS's policies and procedures before
the transition to the Department of Homeland Security.
We conducted our work at INS headquarters in Washington, D.C., from
September 2002 through March 2003 in accordance with generally accepted
government auditing standards.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
Note: GAO comments supplementing those in the report text appear at the
end of this appendix.
U.S. Department of Homeland Security:
Bureau of Immigration and Customs Enforcement:
HQOIA 110/8.2-C:
Office of the Assistant Secretary
425 I Street NW Washington, DC 20536:
MAY 07 2003:
Randolph C. Hite:
Director, Information Technology Architecture and Systems Issues:
U.S. General Accounting Office 441 G Street, N.W. Washington, D.C.
20548:
Dear Mr. Hite:
On April 3, 2003 the General Accounting Office (GAO) presented the
Bureau of Immigration and Customs Enforcement (ICE) with its draft
report GAO-03-563, entitled Information Technology: Homeland Security
Needs to Improve Entry Exit System Expenditure Planning. As of April
29, 2003, the Entry Exit System was renamed U.S. Visitor and Immigrant
Status Indication Technology system (U.S. VISIT), as such this letter
will refer to the former Entry Exit System by its current name U.S.
VISIT. ICE appreciates the opportunity to comment on the draft report:
In a joint effort with the Department of State, the Department of
Transportation, and the Department of the Treasury, the Department of
Homeland Security is vigorously pursuing the implementation of the U.S.
VISIT. The U.S. VISIT was designed to assist in monitoring the arrivals
and departures of foreign nationals to the United States. Our efforts
in establishing a U.S. VISIT program are an important element of
controlling our borders and collecting information on the movement of
aliens in, through, and out of the United States. ICE has discussed
these efforts at length with the GAO representatives.
This letter serves as ICE's response to certain contextual, technical,
historical, and conceptual issues that were portrayed inaccurately in
the draft report. The comments are as follows:
During the course of the GAO review, the Department of Homeland
Security (DHS), formerly the Immigration and Naturalization Service
(INS) under the Department of Justice, was in the planning stages of
developing a business case, concept of operations, risk assessment, and
other necessary requirements for the capital investment planning
related to U.S. VISIT. According to the GAO draft report, the INS has
not satisfied two Office of Management and Budget (OMB) requirements:
(1) having a system security plan for U.S. VISIT, and (2) assessing
the system's impact on the privacy of individuals. The development of a
system security plan, along with assessing the privacy impact of the
system, are significant matters to DHS. Consequently, the U.S. VISIT
program office has prepared a draft document entitled Technical
Architecture and Security Requirements, addressing those specific
issues. (see attachment):
ICE will complete a system security plan for U.S. VISIT in accordance
with the requirements for capital investment planning. The USA PATRIOT
Act, Pub L. 107-56 (2001), states that "[t]he entry exit system must be
able to interface with law enforcement databases to be used by federal
law enforcement ... ." To meet this statutory requirement, the program
office plans to integrate several existing databases within DHS. Since
all of these existing databases have been operational for several
years, each one has a system security plan already in place. In framing
the system security plan for U.S. VISIT, the program office intends to
integrate these various existing system security plans. The program
office recognizes that the development of the system security plan for
U.S. VISIT not only involves integrating these existing systems, but
also includes making certain modifications to ensure that the system's
requirements and capabilities are met.
In addition to developing and implementing a system security plan,
controls in the areas of acquisition planning, project management,
contract oversight, and evaluation will follow the Software Acquisition
Capability Maturity Mode (SA-CMMI). The program office will provide the
appropriate House and Senate appropriation subcommittees with U.S.
VISIT capabilities and benefits that are anticipated to be delivered by
the system. The program office will also ensure that expenditure plans
are furnished to these subcommittees in advance of obligating entry
exit funds.
According to the GAO draft report, the INS' first U.S. VISIT
expenditure plan does not adequately describe detailed material
information about the system, which consequently will impede
Congressional efforts to oversee the system, provide timely guidance,
and release funding for the project. In reaching this conclusion, the
draft report fails to consider that the lack of specific detail is
attributable to a number of policy decisions that are pending, all of
which directly impact the features of the system. Some of these pending
issues include whether biometrics will be captured and used for all
persons entering and exiting the United States; whether official travel
or identity documents will be required for all persons who enter and
exit the country, including citizens of Canada and the United States;
and whether exit control will consist of law enforcement queries and
capturing biographic data, or rather consist of biometrics and direct
observation to confirm that the individual physically departs the
United States. Until these policy decisions are made, it is not
possible to provide a specifically detailed expenditure plan. Once
these decisions have been made, the expenditure plan will contain the
necessary specific material information.
The GAO draft report states that INS has either implemented or plans to
implement most of the OMB capital planning and investment control
review requirements. This finding is based on the reasoning that the
former INS' Information Technology Investment Management (ITIM)
process meets OMB requirements, and since the program office is in
compliance with ITIM process, U.S. VISIT must be in conformity with OMB
requirements. The ITIM process is managed by Strategic Information and
Technology Development (SITD). The SITD office provides guidance and
development for the Exhibit 300, business case, and other ITIM
requirements. While SITD staff members have provided input and guidance
on the development of the Exhibit 300 and business case, an entry exit
business case has not been submitted to the Investment Approval Board
(IAB) for consideration. The Exhibit 300 that the program office
submitted for OMB review does not constitute an ITIM business case.
Thus, at the present time, the entry exit business case has not been
submitted through the ITIM process. Once the entry exit business case
and other relevant documents are finalized, the program office will
submit these documents through the ITIM process.
The ITIM records do reflect that documentation pertaining to the two
related systems initiatives referenced in the draft report, the Visa
Waiver Permanent Program Act Support System and the National Security
Entry Exit Registration System, were submitted to the LAB and received
various approvals through the ITIM expedited counter-terrorism process.
The GAO draft report contains inaccurate information relating to the
legislation impacting U.S. VISIT. According to the GAO draft report,
DHS is required to meet the legislative mandates contained in the
original version of section 110 of Illegal Immigration Reform and
Immigrant Responsibility Act (IIRIRA), Pub. L. 104-208 (1996).
Specifically, section 110 required an automated entry exit system that
recorded the arrival and departure of "every alien." This version of
section 110 is no longer valid law. The Data Management Improvement Act
(DMIA) of 2000, Pub. L. 106-215 (2000), replaced section 110 in its
entirety. DMIA focuses principally on the requirement to integrate all
existing alien arrival and departure data that is maintained in
Department of Justice and Department of State systems. The requirement
that every alien's arrival and departure must be recorded is no longer
applicable. As a matter of policy, DHS is examining the possibility and
manner in which additional alien arrival and departure data can be
collected.
Additionally, the draft report fails to consider and incorporate the
information in the DHS/ICE letter to GAO counsel dated April 7, 2003,
regarding the obligation of appropriations from the first Counter-
Terrorism (CT) Supplemental Appropriations Act, Pub. L. 107-117. As
drafted, the report states different figures for the total amounts
obligated than described in the letter to GAO. The report also
indicates that all of the CT obligations were de-obligated. This
information is inaccurate. As explained in the April 7, 2003 letter,
only approximately $6.6 million was de-obligated and reclassified. This
is the amount of funds that were obligated or expended after August 2,
2002, the date that the legislative conditions on the Entry Exit CT
funding became effective in Pub. L. 107-8206 (2002).
Thank you again for the opportunity to respond to the draft report.
Should you have any questions, please contact Kathleen Stanley, Audit
Liaison, at (202) 514-8800.
Sincerely,
Michael Garcia
Assistant Secretary
Bureau of Immigration and Customs Enforcement:
Signed by Michael Garcia:
See comment 1.
See comment 3.
See comment 2.
See comment 7.
See comment 6.
See comment 5.
See comment 4.
The following are GAO's comments on the Department of Homeland
Security's letter dated May 7, 2003.
GAO Comments:
1. We agree that the development of a system security plan and privacy
impact assessment of the system is a significant matter. We also
acknowledge that on May 6, 2003, the department provided us with a
draft document entitled Technical Architecture and Security
Requirements. However, we reviewed the document and found that it does
not include information consistent with a security plan and privacy
impact assessment. The Office of Management and Budget (OMB) and the
National Institute of Standards and Technology (NIST) have issued
security planning guidance.[Footnote 60] In general, this guidance
calls for developing risk-based security plans that (1) provide an
overview of system security requirements, (2) describe the controls in
place or planned for meeting requirements, and (3) define
responsibilities and expected behavior for all individuals who access
the system. The draft document provided by the department acknowledges
the need to address but does not include many of these security plan
elements, such as rules of behavior for individuals who access the
system and the consequences for violating those rules; methods for
identifying, appropriately limiting, and controlling interconnections
with other systems; and procedures for periodically reviewing the
effectiveness of security controls. In addition, it does not, for
example, describe the specific controls in place or planned to address
requirements or delineate responsibilities and the expected behavior of
individuals who access the system. Similarly, the document does not
include an assessment of the privacy implications of personal
information to be collected and maintained by the entry exit system.
2. We disagree that we failed to consider that the lack of specific
detail in the fiscal year 2002 expenditure plan is attributable to a
number of policy decisions that are pending. As we state in this
report, the legislative requirement to develop an expenditure plan is
intended to provide lawmakers with a sufficient understanding of the
system acquisition to permit effective oversight and to allow for
informed decision-making about the use of appropriated funds. For this
to occur, the plan needs to disclose a sufficient level and scope of
information for the Congress to understand what system capabilities and
benefits are to be delivered, by when, and at what cost, and what
progress is being made against the commitments that were made in prior
expenditure plans. Further, the plan should disclose how the
acquisition will be managed to provide reasonable assurance that system
capability, benefit, schedule, and cost commitments will be met.
Consequently, pending policy decisions that affect plans for the entry
exit program are precisely the kind of detail missing in this
expenditure plan that should be disclosed. To the extent that detailed
planning information is not known, this should be explained and a
timetable for obtaining this information included in the plan.
3. We agree that we concluded in this report that INS's Information
Technology Investment Management (ITIM) process generally satisfies
OMB's requirement to establish a process that defines how the agency
(1) selects projects included in its information technology portfolio;
(2) controls these projects to achieve the intended cost, schedule, and
performance outcomes; and (3) evaluates information technology
projects' performance to maintain a positive return on investment. We
do not, however, state that the program office is in full compliance
with the ITIM process, and therefore the entry exit system is in
compliance with OMB requirements. Further, we concluded that of
particular significance going forward will be how effectively the
department implements the investment management controls provided for
its plan and related documentation. Accordingly, we recommended that
the department fully implement planned investment management controls
in accordance with relevant federal requirements and guidance.
4. We have modified this report to recognize that an entry exit system
business case has yet to be developed, and we have added a
recommendation that the department develop a business case as part of
implementing planned investment management controls.
5. We do not question the department's statement, because this was not
within the scope of our review.
6. We agree and have modified this report.
7. We sent our draft report to the department on April 3, 2003, which
was 4 days before we received the department's letter dated April 7,
2003. We have since modified this report to reflect the information in
the April 7 letter.
[End of section]
Appendix III: Summary of Entry Exit Related Systems:
Over the last year, INS has implemented two systems that are intended
to provide certain near-term border security capabilities until the
entry exit system is acquired and implemented. These two systems are
the Visa Waiver Permanent Program Act Support System and the National
Security Entry Exit Registration System (NSEERS). According to the
entry exit program manager, both systems will be integrated into the
entry exit system.
Visa Waiver Permanent Program Act Support System:
On October 1, 2002, INS implemented the Visa Waiver Permanent Program
Act Support System. This system electronically collects arrival and
departure information for all passengers and crew members who are
provided a waiver and who arrive and depart U.S. airports and seaports.
It modifies two existing systems--Customs' Advance Passenger
Information System (APIS) and INS's Arrival Departure Information
System (ADIS)[Footnote 61]--in collecting information.
* Arrival: Before entering an air or sea port of entry, commercial
carriers must electronically submit manifest information (e.g., for
each passenger and crew member, the person's name, address, country of
residence, and passport number) to APIS. This information is queried
against several databases, including the Interagency Border Inspection
System (IBIS) Consolidated Lookout Database and the Datashare Immigrant
Visa database.[Footnote 62] Receiving the manifest data before carriers
arrive allows INS to review the data beforehand and identify passengers
who will require referral to secondary inspection. The inspector also
inputs the "Admit Until" date into IBIS, which establishes the foreign
national's length of stay. Both the manifest data and the approved
length of stay are transmitted to ADIS.
* Departure: Carriers are also required to electronically submit to
APIS manifest information of passengers leaving the United States from
an air or sea port. The departure manifest information is transmitted
from APIS to ADIS, which uses name-matching algorithms to match the
arrival and departure records. The matching results are used to
identify persons who have overstayed their authorized visits.
According to the entry exit program manager, INS has been able to match
98 percent of received departure records to arrival records. The
program manager also estimated that there are currently 16 million
outstanding (i.e., unmatched) arrival records. He also estimated that
INS receives about 350,000 arrival records per day.
National Security Entry Exit Registration System:
On June 5, 2002, the Attorney General established the NSEERS program to
capture information about certain foreign nationals entering, staying
in, and exiting the United States. In brief, NSEERS consists of (1) a
modified version of an existing INS system used to collect and record
enforcement data, the Enforcement Case Tracking System;[Footnote 63]
(2) more deployments of an existing INS biometric capture/analysis
system, the Automated Biometric Identification System;[Footnote 64] and
(3) updated business processes/rules covering the registration of
certain nonimmigrants.[Footnote 65] Under the updated business
processes/rules, existing registration requirements[Footnote 66] were
changed to require certain nonimmigrant aliens to report to INS upon
arrival; approximately 30 days after arrival; every 12 months after
arrival; upon certain events (e.g., change of address, employment, or
school); and at the time of departure from the United States.
Registration requirements also now include photographing and
fingerprinting the alien and matching both against criminal and
terrorist watch lists. According to INS, NSEERS was deployed to a
limited number of sites on September 11, 2002, and became fully
operational at 238 INS locations on October 1, 2002.
[End of section]
Appendix IV: Summary of Legislation Regarding Entry Exit System
Capabilities:
Legislation: Illegal Immigration Reform and Immigrant Responsibility
Act of 1996; Public Law 104-208; September 30, 1996; Provisions: By
September 30, 1998, the Attorney General shall develop an automated
entry exit control system that: (1) collects a record of departure
for every alien departing the United States and matches it with the
corresponding arrival record and; (2) identifies, through on-line
searching procedures, lawfully admitted aliens who overstay their
visas; Overstay information identified through the system shall be
integrated into appropriate databases of the Immigration and
Naturalization Service (INS) and the Department of State, including
those used at ports of entry and at consular offices; Notwithstanding
any other provision of federal, state, or local law, a federal, state,
or local government entity or official may not prohibit or in any way
restrict any government entity or official from sending to or receiving
from INS information regarding the citizenship or immigration status,
lawful or unlawful, of any individual
Legislation: INS Data Management Improvement Act of 2000; Public Law
106-215; June 15, 2000; Provisions: For the purposes of this section,
the term "integrated entry and exit data system" means an electronic
system that--; (1) provides access to, and integrates, alien arrival
and departure data that are (a) authorized or required to be created or
collected under law; (b) in an electronic format; and (c) in a database
of the Department of Justice or the Department of State, including
those created or used at ports of entry and at consular offices; (2)
uses available data described above to produce a report of arriving and
departing aliens by country of nationality, classification as an
immigrant or nonimmigrant, and date of arrival in and departure from
the United States; (3) matches an alien's available arrival data with
the alien's available departure data; (4) identifies, through on-line
searching procedures, lawfully admitted nonimmigrants who may have
remained in the United States beyond the period authorized by the
Attorney General; and; (5) otherwise uses available alien arrival and
departure data described in paragraph (1) above to permit the Attorney
General to make the reports required under 8 U.S.C. section 1365a(e):;
* Number of departure records collected, with an accounting by
nationality; * Number of departure records that were successfully
matched to records of arrival, with an accounting by nationality and
classification as an immigrant or nonimmigrant; * Number of aliens who
arrived pursuant to a nonimmigrant visa, or the Visa Waiver Program,
for whom no matching departure data have been obtained through the
system or by other means as of the end of the alien's authorized period
of stay, with an accounting by nationality and arrival date in the
United States; * Number of lawfully admitted nonimmigrants identified
as visa overstays, with an accounting by nationality; The Attorney
General shall implement the integrated entry exit system at airports
and seaports by December 31, 2003. System requirements:; * include
available arrival/departure data,; * ensure that the arrival/departure
data, when collected or created by an immigration officer, are entered
into the system and can be accessed by other officers at other air/
seaports; The Attorney General must implement the system at the 50
busiest land border ports of entry by December 31, 2004. System
requirements:; * Same as specified above; * Arrival/departure data on
aliens shall be accessible at other high-traffic land border ports of
entry; The system shall be fully implemented at all remaining ports of
entry by December 31, 2005
Legislation: Visa Waiver Permanent Program Act; Public Law 106-396;
October 30, 2000; Provisions: Not later than October 1, 2001, the
Attorney General shall develop and implement a fully automated entry
exit control system that will collect a record of arrival and departure
for every alien who arrives and departs by sea or air at a port of
entry in the United States and is provided a waiver; Not later than
October 1, 2002, the system shall enable immigration officers
conducting inspections at ports of entry to obtain from the system,
with respect to aliens seeking a waiver, (1) any photograph of the
alien that may be contained in the records of the State Department or
INS; and (2) information on whether the alien has ever been determined
to be ineligible to receive a visa or be admitted to the United
States; The system shall maintain, for a minimum of 10 years,
information about each application for admission made by an alien
seeking a waiver; On and after October 1, 2007, the alien at the time
of application for admission must have a valid unexpired machine-
readable passport that satisfies the internationally accepted standard
for machine readability; Countries designated to participate before
May 1, 2000, shall issue machine-readable passports no later than
October 1, 2003; All Visa Waiver Program (VWP) applicants are to be
checked against lookout systems; By October 1, 2002, no waiver may be
provided to an alien arriving by air or sea at a port of entry on a
carrier unless the carrier is electronically transmitting passenger
data to the entry exit system; Not less than 1 hour before arrival at
port of entry, signatory aircraft transporting VWP aliens must
electronically furnish the passenger data required by the Attorney
General in regulations; The system shall contain sufficient data to
permit the Attorney General to calculate, for each program country and
each fiscal year, the portion of nationals of that country who arrive
under VWP at air and sea ports of entry but for whom no record of
departure exists, expressed as a percentage of the total number of such
VWP aliens for the particular country
Legislation: USA PATRIOT Act; Public Law 107-56; October 26, 2001;
Provisions: Focus of system development shall be on (a) utilization of
biometric technology and (b) tamper-resistant documents readable at
ports of entry; The system must be accessible to (a) all consular
officers responsible for visa issuance, (b) all federal inspection
agents at all U.S. border inspection points, and (c) all law
enforcement and intelligence responsible for investigation or
identification of aliens; The entry exit system must be able to
interface with law enforcement databases to be used by federal law
enforcement to identify and detain individuals who pose a threat to the
national security of the United States
Legislation: Aviation and Transportation Security Act; Public Law 107-
71; November 19, 2001; Provisions: (1) Not later than 60 days after the
date of enactment, each air carrier and foreign air carrier operating a
passenger flight in foreign air transportation to the United States
shall provide to the Commissioner of Customs by electronic transmission
a passenger and crew manifest containing the following information:; *
The full name of each passenger and crew member; * The date of birth
and citizenship of each passenger and crew member; * The sex of each
passenger and crew member; * The passport number and country of
issuance of each passenger and crew member if required for travel; *
The U.S. visa number or resident alien card number of each passenger
and crew member, as applicable; * Such other information as the Under
Secretary of Transportation for Security, in consultation with the
Commissioner of Customs, determines is reasonably necessary to ensure
aviation safety; Carriers may use the advanced passenger information
system established under section 431 of the Tariff Act of 1930 (19
U.S.C. 1431) to provide the information required by the preceding
sentence; (2) Passenger name records--The carriers shall make
passenger name record information available to the Customs Service upon
request; (3) Transmission of manifest--a passenger and crew manifest
required for a flight under paragraph (1) above shall be transmitted to
the Customs Service in advance of the aircraft landing in the United
States in such manner, time, and form as the Customs Service
prescribes; (4) Transmission of manifests to other federal agencies--
Upon request, information provided to the Under Secretary or the
Customs Service under this subsection may be shared with other federal
agencies for the purpose of protecting national security
Legislation: Enhanced Border Security and Visa Entry Reform Act of
2002; Public Law 107-173; May 14, 2002; Provisions: No later than
October 26, 2004, the Secretary of State and the Attorney General shall
issue to aliens only machine-readable, tamper-resistant visas and other
travel and entry documents that use biometrics; In addition to the
requirement for biometric identifiers, name-search capacity and support
must also be implemented between 18 months and 4.5 years after the date
of enactment; Not later than October 26, 2004, the Attorney General
and Secretary of State shall install at all U.S. ports of entry
equipment and software to allow biometric comparison and authentication
of all U.S. visas and other travel and entry documents issued to
aliens; Not later than January 1, 2003, arrival and departure
manifests must be electronically provided to appropriate immigration
officers for each passenger (including crew members and any other
occupants) of air and sea carriers at port of entry; The information
to be provided with respect to each person listed on a manifest shall
include (1) complete name; (2) date of birth; (3) citizenship; (4) sex;
(5) passport number and country of issuance; (6) country of residence;
(7) U.S. visa number, date, and place of issuance, where applicable;
(8) alien registration number, where applicable; (9) U.S. address while
in the United States; and (10) such other information that the Attorney
General, in consultation with the Secretaries of State and the
Treasury, determines as being necessary for the identification of the
persons transported and for the enforcement of the immigration laws and
to protect safety and national security
Sources: Cited legislation.
[End of table]
[End of section]
Appendix V: GAO Contacts and Staff Acknowledgments:
GAO Contact:
Deborah Davis, (202) 512-6261:
Staff Acknowledgments:
In addition to the person named above, other key contributors were
Carol Cha, Barbara Collier, Neil Doherty, Ashfaq Huda, Richard Hung,
Franklin Jackson, Tammi Nguyen, and Jamelyn Smith.
FOOTNOTES
[1] INS is no longer a distinct federal agency. Effective March 1,
2003, INS became part of at least three Department of Homeland Security
component organizations. However, for purposes of this report, we
continue to refer to INS, as appropriate, because INS is the focus of
the legislative language that this report addresses.
[2] Section 110 of the Illegal Immigration Reform and Immigrant
Responsibility Act of 1996, Public Law 104-208 (Sept. 30, 1996).
[3] Immigration and Naturalization Service Data Management Improvement
Act of 2000, Public Law 106-215 (June 15, 2000); Visa Waiver Permanent
Program Act, Public Law 106-396 (Oct. 30, 2000); Uniting and
Strengthening America by Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism (USA PATRIOT Act) Act of 2001, Public
Law 107-56 (Oct. 26, 2001); and Enhanced Border Security and Visa Entry
Reform Act of 2002, Public Law 107-173 (May 14, 2002).
[4] Biometric technologies measure and analyze human physiological and
behavioral characteristics for the purposes of personal identification.
Biometric technologies include fingerprint recognition; hand geometry;
and facial, retina, and iris recognition.
[5] On April 29, 2003, the Secretary of the Department of Homeland
Security renamed the entry exit system the U.S. Visitor and Immigrant
Status Indication Technology System (US VISIT). Because this name
change does not affect the content of this report, we have not modified
the text to change entry exit system to US VISIT.
[6] 2002 Supplemental Appropriations Act for Further Recovery From and
Response to Terrorist Attacks on the United States, Public Law 107-206
(Aug. 2, 2002).
[7] On August 2, 2002, the Congress passed the supplemental
appropriations law (P.L. 107-206), which prohibited INS from obligating
funds for the entry exit system until the agency submitted an
expenditure plan to the Appropriations Committees that satisfied the
conditions under the law mentioned previously.
[8] U.S. General Accounting Office, Information Technology: Terrorist
Watch Lists Should Be Consolidated to Promote Better Integration and
Sharing, GAO-03-322 (Washington, D.C.: Apr. 15, 2003).
[9] A nonimmigrant visa authorizes a foreign national to apply for
admission to the United States for a specific purpose and time period.
Nonimmigrant visas are valid for 3 months to 10 years, depending on the
applicant's citizenship and other factors.
[10] Watch lists, sometimes referred to as lookout, target, or tip-off
systems, are databases that are supported by certain analytical
capabilities. The databases contain a wide variety of data; most
contain biographical data, such as name and date of birth, and a few
contain biometric data, such as fingerprints.
[11] CLASS is a name check system that contains records of people who
may be ineligible to receive a passport or visa. It is populated from a
variety of sources, including intelligence, immigration, and child
support enforcement data. CLASS also includes information on passports
and visas reported lost or stolen.
[12] The Consular Consolidated Database determines whether the
applicant has previously applied for a visa or currently has a valid
U.S. visa. This database stores information about visa applications,
issuances, and refusals. It obtains information about visa cases every
5 to 10 minutes from each consular post and contains about 58 million
visa records.
[13] IBIS is a multiagency database of lookout information that alerts
inspectors of conditions that may make travelers inadmissible to the
United States. It contains data from law enforcement and other agencies
with inspection responsibilities at ports of entry, including the Drug
Enforcement Administration and the Federal Bureau of Investigation.
[14] The Visa Waiver Program permits foreign nationals from designated
countries to apply for admission to the United States for a maximum of
90 days as nonimmigrant visitors for business or pleasure without first
obtaining a nonimmigrant visa. Participating countries are Andorra,
Australia, Austria, Belgium, Brunei, Denmark, Finland, France, Germany,
Iceland, Ireland, Italy, Japan, Liechtenstein, Luxembourg, Monaco, the
Netherlands, New Zealand, Norway, Portugal, San Marino, Singapore,
Slovenia, Spain, Sweden, Switzerland, and the United Kingdom.
[15] Other classes of nonimmigrant aliens who are exempt from visa
processing requirements can be found in 8 CFR 212.1.
[16] Additional queries may include the following systems: the Non-
Immigrant Information System; the Central Index System; the Computer
Linked Application Information Management System; the National
Automated Immigration Lookout System; the National Crime Information
Center; the Treasury Enforcement Communications System; and the
Automated Biometric Identification System, among others.
[17] The Form I-94 is divided into two parts. The first is an arrival
portion, which includes, for example, the nonimmigrant's name, date of
birth, passport number, airline and flight number (if applicable),
country of citizenship, and address while in the United States. The
second is a departure portion, which includes the name, date of birth,
and country of citizenship. Each form contains a unique number printed
on both portions of the form for the purposes of recording and matching
the arrival and departure records of nonimmigrants.
[18] Classifications include passengers under the Visa Waiver Program,
passengers in transit, and passengers on a nonimmigrant visa.
[19] The Non-Immigrant Information System collects arrival and
departure Form I-94 data and reports information on confirmed
overstays.
[20] Temporary foreign visitors (nonimmigrant aliens) who come from
certain countries or who meet a combination of intelligence-based
criteria are fingerprinted and photographed when they enter the United
States and are required to report periodically to INS if their stay
exceeds 30 days. Countries currently included under the NSEERS program
are Afghanistan, Algeria, Bahrain, Bangladesh, Egypt, Eritrea,
Indonesia, Iran, Iraq, Jordan, Kuwait, Lebanon, Libya, Morocco, North
Korea, Oman, Pakistan, Qatar, Saudi Arabia, Somalia, Sudan, Syria,
Tunisia, United Arab Emirates, and Yemen.
[21] APIS is designed to electronically collect arrival and departure
manifests from commercial carriers.
[22] A border-crossing card permits the holder to enter for business or
pleasure, stay in the United States for 72 hours or less, and go no
farther than 25 miles from the border.
[23] The National Crime Information Center provides information on
wanted persons and criminal histories. Law enforcement officers
throughout the United States check this database regularly in the
course of traffic stops and routine encounters.
[24] Public Law 104-208 (Sept. 30, 1996).
[25] Public Law 106-215 (June 15, 2000).
[26] Public Law 106-396 (Oct. 30, 2000).
[27] Public Law 107-56 (Oct. 26, 2001).
[28] Public Law 107-71 (Nov. 19, 2001).
[29] Public Law 107-173 (May 14, 2002).
[30] Office of Homeland Security, National Strategy for Homeland
Security (Washington, D.C.: July 2002).
[31] The other critical mission areas are intelligence and warning,
domestic counterterrorism, protecting critical infrastructure,
defending against catastrophic terrorism, and emergency preparedness
and response.
[32] Homeland Security Act of 2002, Public Law 107-296 (Nov. 25, 2002).
[33] H.R. Conf. Rep. No. 107-350, at 416 (2001).
[34] The National Institute of Standards and Technology (NIST) is to
test biometrics and assist in developing standards for biometric
identifiers, as required by legislation. The Office of Science and
Technology Policy is to assist and advise INS on possible biometric
identifiers.
[35] According to Justice and OMB officials, the $18 million requested
in base resources reflects prior year funding to INS for several
smaller initiatives related to the entry exit system.
[36] Public Law 108-7 (Feb. 20, 2003).
[37] H.R. Conf. Rep. No. 108-10, at 623 (2003).
[38] According to the entry exit program manager, the Homeland Security
Council's Principals and Deputies Committees make up the external
governing body for the entry exit program. The Principals Committee is
made up of the major department secretaries, while the deputy
secretaries of the departments make up the Deputies Committee.
[39] On August 2, 2002, the Congress passed the supplemental
appropriations law (P.L. 107-206), which prohibited INS from obligating
funds for the entry exit system until the agency submitted an
expenditure plan to the Appropriations Committees that satisfied the
conditions under the law mentioned previously.
[40] OMB Circular A-130, Management of Federal Information Resources
(Washington, D.C.: Nov. 28, 2000); OMB Circular A-11, part 3, Planning,
Budgeting, and Acquisition of Capital Assets (Washington, D.C.: July
2000).
[41] An enterprise architecture is an essential tool for effectively
and efficiently engineering business processes and for implementing and
evolving their supporting systems. It consists of systematically
derived and captured descriptions--in useful models, diagrams, and
narrative--of the mode of operation for a given enterprise. The
architecture describes the enterprise's operations in both (1) logical
terms, such as interrelated business processes and business rules,
information needs and flows, and work locations and users; and
(2) technical terms, such as hardware, software, data, communications,
and security attributes and performance standards. It provides these
perspectives both for the enterprise's current or "as is" environment
and for its target or "to be" environment, as well as a transition plan
for moving from the "as is" to the "to be" environment. See U.S.
General Accounting Office, Information Technology: Enterprise
Architecture Use Across the Federal Government Can Be Improved,
GAO-02-6 (Washington, D.C.: Feb. 19, 2002).
[42] The board serves as the decision-making authority for all
investment decision points, serves as the review authority for
projects, and oversees the implementation of and adherence to the INS
investment process.
[43] Exhibit 300 is designed to assist OMB during budget review. It
includes information that demonstrates compliance with capital planning
and investment control policies, and it justifies new or continued
funding for major acquisitions by demonstrating, among other things,
acquisition planning, risk mitigation and management planning, and
measurable benefits.
[44] See, for example, the Clinger-Cohen Act of 1996 (P.L. 104-106),
OMB Circular A-130, and the Federal Acquisition Regulation.
[45] Carnegie Mellon Software Engineering Institute, Software
Acquisition Capability Maturity Model (SA-CMM®), Version 1.03 (March
2002).
[46] The Systems Development Life Cycle specifies development
activities to be performed, the products to be generated, and the
decision points to determine whether the project is ready for the next
phase.
[47] The Information Technology Investment Management process specifies
the process and activities for management oversight of IT projects,
including decision points for measuring and monitoring progress on IT
projects to ensure that they are meeting cost, schedule, and
performance goals.
[48] The Federal Acquisition Regulation specifies acquisition
activities to be performed and products to be generated.
[49] On August 2, 2002, the Congress passed the supplemental
appropriations law (P.L. 107-206), which prohibited INS from obligating
funds for the entry exit system until the agency submitted an
expenditure plan to the Appropriations Committees that satisfied the
conditions under the law mentioned previously.
[50] The biometric standard will be selected by NIST. The USA PATRIOT
Act, as amended by the Enhanced Border Security and Visa Entry Reform
Act of 2002, Public Law 107-173 (May 14, 2002), requires NIST to
develop and certify a technology standard that can be used to verify
the identity of persons applying for a U.S. visa or using a visa to
enter the United States.
[51] See, for example, U.S. General Accounting Office, Customs Service
Modernization: Third Expenditure Plan Meets Legislative Conditions, but
Cost Estimating Improvements Needed, GAO-02-908 (Washington, D.C.: Aug.
9, 2002) and Business Systems Modernization: IRS Needs to Better
Balance Management Capacity with Systems Acquisition Workload,
GAO-02-356 (Washington, D.C.: Feb. 28, 2002).
[52] OMB Circular A-130, Revised (Transmittal Memorandum No. 4),
Appendix III, "Security of Federal Automated Information Resources"
(Nov. 28, 2000); National Institute of Standards and Technology, Guide
for Developing Security Plans for Information Technology Systems, NIST
Special Publication 800-18 (December 1998); OMB Circular A-11, part 3,
Planning, Budgeting and Acquisition of Capital Assets (Washington,
D.C.: July 2000).
[53] 2002 Supplemental Appropriations Act for Further Recovery from and
Response to Terrorist Attacks on the United States, Public Law 107-206
(Aug. 2, 2002).
[54] OMB Circular A-130, Management of Federal Information Resources
(Washington, D.C.: Nov. 28, 2000) and OMB Circular A-11, part 3,
Planning, Budgeting, and Acquisition of Capital Assets (Washington,
D.C.: July 2000).
[55] INS, Information Technology Investment Management Process and
Procedure Guide, Version 1.0 (December 2001).
[56] INS, Systems Development Life Cycle Manual, Version 6.0 (Apr. 5,
2002).
[57] Carnegie Mellon Software Engineering Institute, Software
Acquisition Capability Maturity Model (SA-CMM®), Version 1.03 (March
2002).
[58] Specifically, we reviewed Part 1 (Federal Acquisition Regulations
System), Part 7 (Acquisition Planning), Part 11 (Describing Agency
Needs), Part 15 (Contracting by Negotiation), and Part 42 (Contract
Administration and Audit Services).
[59] Section 110 of the Illegal Immigration Reform and Immigrant
Responsibility Act of 1996, Public Law 104-208 (Sept. 30, 1996);
Immigration and Naturalization Service Data Management Improvement Act
of 2000, Public Law 106-215 (June 15, 2000); Visa Waiver Permanent
Program Act, Public Law 106-396 (Oct. 30, 2000); Uniting and
Strengthening America by Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism (USA PATRIOT Act) Act of 2001, Public
Law 107-56 (Oct. 26, 2001); Aviation and Transportation Security Act,
Public Law 107-71 (Nov. 19, 2001); and Enhanced Border Security and
Visa Entry Reform Act of 2002, Public Law 107-173 (May 14, 2002).
[60] Office of Management and Budget Circular Number A-130, Revised
(Transmittal Memorandum No. 4), Appendix III, "Security of Federal
Automated Information Resources" (Nov. 28, 2000); National Institute of
Standards and Technology, Guide for Developing Security Plans for
Information Technology Systems, NIST Special Publication 800-18
(December 1998).
[61] The ADIS system was originally developed as part of the Automated
Form I-94 system. The Automated Form I-94 system was developed to
electronically collect Form I-94 arrival and departure data. However,
INS determined that the electronic system was not meeting its mission
needs and retired the system in February 2002. The Form I-94 data
continue to be collected manually.
[62] Through the DataShare Program, information on nonimmigrant visa
applications is passed electronically between the Department of State
and INS. The National Visa Center receives INS petition data
electronically and, in turn, electronically transfers cases to U.S.
embassies and consulates.
[63] The Enforcement Case Tracking System is a case management system,
which supports INS's apprehension and booking process for illegal
aliens. Capabilities include interfacing with systems external to INS
(e.g., Customs Service inspection lookout systems, state prison
information systems, and State Department information systems).
[64] The Automated Biometric Identification System is an INS database
of more than 4.5 million foreign visitors' fingerprints. The system
includes a two-print biometric identification functionality that
collects fingerprints and photos.
[65] 8 CFR 214.1(f) and 264.1(f), published in the Federal Register,
Volume 67, No. 155 (Aug. 12, 2002)--Registration and monitoring of
certain nonimmigrants, which include nationals from Iran, Iraq, Libya,
and Sudan. Justice has subsequently identified other countries to be
subject to the special registration requirements; making these
identifications is now the responsibility of the Department of Homeland
Security. As of March 2003, the department reported that 25 countries
are subject to these special registration requirements.
[66] Section 263 of the Immigration and Nationality Act (ch. 477,66
stat. 163, 224 (1952)) authorizes the Attorney General, at his
discretion, to prescribe special registration requirements for certain
nonimmigrants admitted to the United States. Existing regulations
require INS to register nonimmigrants using Form I-94 (Arrival-
Departure Record), but contain general provisions waiving the
fingerprinting requirement for many nonimmigrants (8 CFR 264.1(e)).
Section 262 of the act gives the Attorney General additional general
registration authority.
GAO's Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to daily E-mail alert for newly
released products" under the GAO Reports heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office
441 G Street NW,
Room LM Washington,
D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.
General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.
20548:
