This is the accessible text file for GAO report number GAO-05-202 
entitled 'Homeland Security: Some Progress Made, but Many Challenges 
Remain on U.S. Visitor and Immigrant Status Indicator Technology 
Program' which was released on February 23, 2005.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to Congressional Committees: 

February 2005: 

Homeland Security: 

Some Progress Made, but Many Challenges Remain on U.S. Visitor and 
Immigrant Status Indicator Technology Program: 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-202] 

GAO Highlights: 

Highlights of GAO-05-202, a report to the Senate and House Committees 
on Appropriations

Why GAO Did This Study: 

The Department of Homeland Security (DHS) has established a program—the 
U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT)—to 
collect, maintain, and share information, including biometric 
identifiers, on selected foreign nationals who travel to the United 
States. By congressional mandate, DHS is to develop and submit for 
approval an expenditure plan for US-VISIT that satisfies certain 
conditions, including being reviewed by GAO. Among other things, GAO 
was asked to determine whether the plan satisfied these conditions and 
to provide observations on the plan and DHS’s program management.

What GAO Found: 

DHS’s fiscal year 2005 expenditure plan and related documentation at 
least partially satisfied all conditions established by the Congress, 
including meeting the capital planning and investment control 
requirements of the Office of Management and Budget (OMB). For example, 
DHS has developed a plan and a process for developing, implementing, 
and institutionalizing a program to manage risk. 

In its observations about the expenditure plan and DHS’s management of 
the program, GAO recognizes accomplishments to date and addresses the 
need for rigorous and disciplined program practices. For example, US-
VISIT has acquired the services of a prime integration contractor to 
augment its ability to complete US-VISIT. However, DHS has not employed 
rigorous, disciplined processes typically associated with successful 
programs, such as tracking progress against commitments. More 
specifically, the fiscal year 2005 plan does not describe progress 
against commitments made in previous plans (e.g., capabilities, 
schedule, cost, and benefits). According to GAO’s analysis, delays have 
occurred in delivering capability to track the entry and exit of 
persons entering the United States at air, land, and sea ports of 
entry; the figure compares original and current commitments in this 
effort, as well as progress in delivering capability. Such information 
is essential for oversight.

DHS Fiscal Year 2003 and 2004 Commitments Compared with Current 
Commitments and Reported Progress in Delivering Capabilities: 

[See PDF for image]

[End of figure]

Additionally, the effort to pilot alternatives for delivering the 
capability to track the departure of persons exiting the United States 
is faced with a compressed time line, missed milestones, and 
potentially reduced scope. In particular, the pilot evaluation period 
has been reduced from 3 to 2 months, and as of early November 2004, the 
alternatives were deployed and operating in only 5 of the 15 ports of 
entry scheduled to be operational by November 1, 2004. According to
US-VISIT officials, this is largely due to delays in DHS granting security
clearances to the civilian employees who would operate the equipment at 
the ports of entry. These changing facts and circumstances surrounding 
the pilot introduce additional risk concerning US-VISIT’s delivery of 
promised capabilities and benefits on time and within budget.

What GAO Recommends: 

To better ensure that the US-VISIT program is worthy of investment and 
is managed effectively, GAO is reiterating its previous recommendations 
and is making several new recommendations, including that DHS fully 
disclose in future expenditure plans its progress against previous 
commitments and that it reassess plans for deploying an exit 
capability. DHS concurred with GAO’s findings and recommendations.

www.gao.gov/cgi-bin/getrpt?GAO-05-202.

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Randolph C. Hite at (202) 
512-3439 or hiter@gao.gov.

[End of section]

Contents: 

Letter: 

Compliance with Legislative Conditions: 

Status of Open Recommendations: 

Observations on the Expenditure Plan: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendixes: 

Appendix I: Briefing to the Staffs of the Subcommittees on Homeland 
Security, Senate and House Committees on Appropriations: 

Appendix II: Comments from the Department of Homeland Security: 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Staff Acknowledgments: 

Abbreviations: 

ACE: Automated Commercial Environment: 

ADIS: Arrival Departure Information System: 

APIS: Advance Passenger Information System: 

APMO: Acquisition and Program Management Office: 

BIF: Biometric Information File: 

CCD: Consular Consolidated Database: 

CLAIMS 3: Computer Linked Application Information Management System: 

DHS: Department of Homeland Security: 

EA: enterprise architecture: 

IDENT: Automated Biometric Identification System: 

NIIS: I-94/Non-Immigrant Information System: 

NIST: National Institute of Standards and Technology: 

OMB: Office of Management and Budget: 

OPM: Office of Personnel Management: 

POE: port of entry: 

SA-CMM: Software Acquisition Capability Maturity Model: 

SEI: Software Engineering Institute: 

SEVIS: Student Exchange Visitor Information System: 

TECS: Treasury Enforcement Communications Systems: 

US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology: 

WSA: Work Station Attendant: 

Letter February 23, 2005: 

The Honorable Thad Cochran: 
Chairman: 
The Honorable Robert C. Byrd: 
Ranking Minority Member: 
Committee on Appropriations: 
United States Senate: 

The Honorable Jerry Lewis: 
Chairman: 
The Honorable David R. Obey: 
Ranking Minority Member: 
Committee on Appropriations: 
House of Representatives: 

Pursuant to the Department of Homeland Security Appropriations Act, 
2005,[Footnote 1] the Department of Homeland Security (DHS) submitted 
to the Congress in October 2004 its fiscal year 2005 expenditure plan 
for the U.S. Visitor and Immigrant Status Indicator Technology
(US-VISIT) program. US-VISIT is a governmentwide program to collect,
maintain, and share information on foreign nationals. The program's 
goals are to enhance the security of U.S. citizens and visitors, 
facilitate legitimate trade and travel, ensure the integrity of the 
U.S. immigration system, and protect the privacy of U.S. visitors. As 
required by the appropriations act, we reviewed US-VISIT's fiscal year 
2005 expenditure plan. Our objectives were to (1) determine whether the 
expenditure plan satisfies certain legislative conditions, (2) 
determine the status of our US-VISIT open recommendations,[Footnote 2] 
and (3) provide any other observations about the expenditure plan and 
DHS's management of US-VISIT.

On November 23, 2004, we briefed the Homeland Security Subcommittee 
staff on the results of our review. This report transmits the results 
of our work. The full briefing, including our scope and methodology, is 
reprinted as appendix I.

Compliance with Legislative Conditions: 

DHS satisfied or partially satisfied each of the applicable legislative 
conditions specified in the appropriations act. In particular, the 
plan, including related program documentation and program officials' 
statements, satisfied or provided for satisfying all key aspects of 
federal acquisition rules, requirements, guidelines, and systems 
acquisition management practices. Additionally, the plan partially 
satisfied the conditions that specified (1) compliance with the capital 
planning and investment review requirements of the Office of Management 
and Budget (OMB), (2) compliance with DHS's enterprise architecture, 
and (3) the plan's review and approval by DHS's Investment Review 
Board, the Secretary of Homeland Security, and OMB.

Status of Open Recommendations: 

DHS has completely implemented, has partially implemented, is in the 
process of implementing, or plans to implement all the remaining 
recommendations contained in our reports on the fiscal years 2002, 
2003, and 2004 expenditure plans. Each recommendation, along with its 
current status, is summarized below: 

* Develop a system security plan and privacy impact assessment.

The department has partially implemented this recommendation. First, 
the US-VISIT program has developed a security plan that provides an 
overview of system security requirements, describes the controls in 
place or planned for meeting those requirements, and refers to the 
applicable documents that prescribe the roles and responsibilities for 
managing the US-VISIT component systems. However, a security risk 
assessment of the program has not been completed, and the plan does not 
include a date for the assessment's completion. Second, the US-VISIT 
program has completed a privacy impact assessment for Increment 2. 
However, the assessment does not satisfy all aspects of OMB guidance 
for such an assessment, such as fully addressing privacy issues in 
relevant system documentation.

* Develop and implement a plan for satisfying key acquisition 
management controls, including acquisition planning, solicitation, 
requirements development and management, project management, contract 
tracking and oversight, evaluation, and transition to support, and 
implement the controls in accordance with the Software Engineering 
Institute's (SEI) guidance.[Footnote 3]

The department is in the process of implementing this recommendation. 
The US-VISIT Acquisition and Program Management Office has initiated a 
process improvement program and drafted a process improvement plan. The 
office has also developed processes or plans, some of which are 
approved and some of which are in draft, for all except one of SEI's 
Software Acquisition Capability Maturity Model (SA-CMM) Level
2[Footnote 4] key process areas.

* Ensure that future expenditure plans are provided to the department's 
House and Senate Appropriations Subcommittees in advance of US-VISIT 
funds being obligated.

With respect to the fiscal year 2005 expenditure plan, DHS implemented 
this recommendation by providing the plan to the Senate and House 
Subcommittees on October 19, 2004.

* Ensure that future expenditure plans fully disclose US-VISIT system 
capabilities, schedule, cost, and benefits to be delivered.

The department has partially implemented this recommendation. The 
expenditure plan identifies high-level capabilities and high-level 
schedule estimates. It also identifies the amounts budgeted for each 
increment for fiscal years 2003 through 2005, but it does not associate 
this funding with specific capabilities and benefits. Further, while 
the plan identifies several benefits and associates these benefits with 
increments, it does not include any information on related metrics or 
on progress against achieving any of the benefits.

* Ensure that future expenditure plans fully disclose how the US-VISIT 
acquisition is being managed.

The department is in the process of implementing this recommendation. 
The fiscal year 2005 plan describes some activities being employed to 
manage the US-VISIT acquisition, such as the governance structure, 
program office organizational structure, and staffing levels. However, 
the department does not describe how other important aspects of the 
program are being managed, such as testing, system capacity, and system 
configuration.

* Ensure that human capital and financial resources are provided to 
establish a fully functional and effective program office.

The department has partially implemented this recommendation. As of 
October 2004, US-VISIT had filled 59 of its 115 government positions, 
with plans to fill about half the vacant positions once security 
clearances have been completed. As of November 2004, the program office 
had filled 88 of a planned 117 contractor positions. The expenditure 
plan indicates that DHS has budgeted $83 million to maintain the
US-VISIT program management structure and baseline operations.

* Clarify the operational context in which US-VISIT is to operate.

The department is in the process of implementing this recommendation. 
In September 2003, DHS released version 1.0 of its enterprise 
architecture. We reviewed version 1.0 and found that it is missing, 
either partially or completely, all the key elements expected in a
well-defined architecture, such as descriptions of business processes,
information flows among these processes, and security rules associated 
with these information flows. Since we reviewed version 1.0 of the 
architecture, DHS has drafted version 2.0. We have not reviewed version 
2.0.

* Determine whether proposed US-VISIT increments will produce mission 
value commensurate with cost and risks.

The department is in the process of implementing this recommendation. 
US-VISIT developed a cost-benefit analysis for Increment
2B,[Footnote 5] but it is unclear whether this increment will produce mission value
commensurate with cost and risk. For example, the analysis addresses 
only government costs and does not address potential nongovernmental 
costs. Further, the analysis identifies three alternatives and 
identifies the third alternative as the preferred choice. However,
US-VISIT is pursuing an alternative more closely aligned with alternative
2, because alternative 3 was considered too ambitious to meet 
statutorily required time lines.

* Define US-VISIT program office positions, roles, and responsibilities.

The department has partially implemented this recommendation. US-VISIT 
has developed descriptions for positions within each office, and 
working with the Office of Personnel Management (OPM), it has drafted a 
set of core competencies that define the knowledge, skills, abilities, 
and other competencies needed for successful employee performance.

* Develop and implement a human capital strategy for the US-VISIT 
program office that provides for staffing positions with individuals 
who have the appropriate knowledge, skills, and abilities.

The department has partially implemented this recommendation. The
US-VISIT program office, in conjunction with OPM, has drafted a Human
Capital Plan. The plan includes an action plan that identifies 
activities, proposed completion dates, and the organization responsible 
for completing these activities. The program office has completed some 
of the activities called for in the plan, including the designation of 
a liaison responsible for ensuring alignment between DHS and US-VISIT 
human capital policies.

* Develop a risk management plan and report all high risks and their 
status to the executive body on a regular basis.

The department has partially implemented this recommendation. The
US-VISIT program office has developed a risk management plan and process
and has established a governance structure involving three primary 
groups--the Risk Review Board, Risk Review Council, and Risk Management 
Team. The Risk Review Board represents the highest level of risk 
management within the program and is composed of senior level staff, 
such as the program director and functional area directors. However,
US-VISIT has not reported high risks beyond this board.

* Define performance standards for each US-VISIT program increment that 
are measurable and reflect the limitations imposed by relying on 
existing systems.

The department is in the process of implementing this recommendation. 
The US-VISIT program office has defined some technical performance 
measures--such as availability, timeliness, and output quantity--for 
Increments 1 and 2B, but it has not defined others, such as 
reliability, resource utilization, and scalability. Additionally,
US-VISIT systems documentation does not contain sufficient information to
determine the limitations imposed by US-VISIT's reliance on existing 
systems that have less demanding performance requirements, such as the 
98.0 percent availability of the Treasury Enforcement Communications 
Systems.[Footnote 6]

* Develop and approve test plans before testing begins. These test 
plans should (1) specify the test environment; (2) describe each test 
to be performed, including test controls, inputs, and expected outputs; 
(3) define the test procedures to be followed in conducting the tests; 
and (4) provide traceability between test cases and the requirements to 
be verified by the testing.

The department is in the process of implementing this recommendation. 
According to the US-VISIT Systems Assurance Director, the Increment 2B 
system acceptance test plan was approved on October 15, 2004. However, 
no documentation was provided that explicitly indicated the approval of 
the plan. Further, the test plan did not fully address the test 
environment, include descriptions of tests to be performed, or provide 
test procedures to be followed in conducting the tests. The plan also 
did not provide traceability between test cases and the requirements to 
be verified by the testing. For example, 15 of the 116 requirements did 
not have test cases, and 2 requirements were labeled "not testable." 

* Ensure the independence of the Independent Verification and 
Validation (IV&V) Contractor.

The department is in the process of implementing this recommendation. 
The US-VISIT Information Technology (IT) Management Office is 
developing high-level requirements for IV&V, including a strategy and 
statement of work for acquiring an IV&V contractor.

* Implement effective configuration management practices, including 
establishing a US-VISIT change control board to manage and oversee 
system changes.

The department plans to implement this recommendation. The US-VISIT 
program office has not yet developed or implemented US-VISIT-level 
configuration management practices or a change control board. The 
office has developed a draft configuration management plan that 
describes key configuration management activities that are to be 
defined and implemented, such as defining and identifying processes and 
products to be controlled and recording and monitoring changes to the 
controlled items. The draft plan also proposes a governance structure, 
including change control boards.

* Identify and disclose management reserve funding embedded in the 
fiscal year 2004 expenditure plan to the Appropriations Subcommittees.

The department has implemented this recommendation. The US-VISIT 
program office reported management reserve funding of $33 million for 
fiscal year 2004 in a briefing to the Subcommittees on Homeland 
Security, Senate and House Committees on Appropriations.

* Ensure that all future US-VISIT expenditure plans identify and 
disclose management reserve funding.

With respect to the fiscal year 2005 expenditure plan, DHS implemented 
this recommendation. The fiscal year 2005 plan specified management 
reserve funding of $23 million.

* Assess the full impact of Increment 2B on land ports of entry 
workforce levels and facilities, including performing appropriate 
modeling exercises.

The department has partially implemented this recommendation. The
US-VISIT program office conducted an analysis to help determine the impact
of Increment 2B on workforce and travelers. According to program 
officials, additional staff will not be needed to implement this 
increment at the land borders. In addition, the US-VISIT program office 
has conducted space utilization surveys at all of the 166 land ports of 
entry and has completed survey reports at 16 of the 50 busiest land 
ports of entry, with the remaining 34 reports planned to have been 
completed in the fall of 2004. Although the survey reports indicated 
that most of the ports reviewed were at or near capacity and that 
facilities had no room for expansion, the program office maintains that 
Increment 2B will not require expansion of any facilities and will only 
require minor modifications.

* Develop a plan, including explicit tasks and milestones for 
implementing all our open recommendations and periodically report to 
the DHS Secretary and Under Secretary on progress in implementing this 
plan; also report this progress, including reasons for delays, in all 
future US-VISIT expenditure plans.

The department is in the process of implementing this recommendation.
The US-VISIT program office has developed a report for tracking the 
status of our open recommendations. This report is shared with the 
program office director but is not shared with the Secretary and Under 
Secretary.

Observations on the Expenditure Plan: 

Our observations recognize accomplishments to date and address the need 
for rigorous and disciplined program management practices relating to 
describing progress against commitments, managing the exit alternatives 
pilot, managing system capacity, and estimating cost, as well as 
collaborating with DHS's Automated Commercial Environment (ACE) 
program.[Footnote 7] An overview of specific observations follows: 

* The program office has acquired the services of a prime integration 
contractor to augment its ability to complete US-VISIT. On May 28, 
2004, and on schedule, DHS awarded a contract for integrating existing 
and new business processes and technologies to a prime contractor and 
its related partners.

* The fiscal year 2005 expenditure plan does not describe progress 
against commitments made in previous plans. Although this is the fourth 
US-VISIT expenditure plan, it does not describe progress against 
commitments made in the previous three plans. For example, the fiscal 
year 2004 plan committed to analyzing, field testing, and initiating 
deployment of alternative approaches for capturing biometrics during 
the exit process at air and sea ports of entry. However, while the 
fiscal year 2005 plan states that US-VISIT was to expand its exit pilot 
sites during the summer and fall of 2004 and deploy the exit solution 
during fiscal year 2005, it does not explain the reason for the change 
or its potential impact. Additionally, the fiscal year 2004 plan stated 
that $45 million in fiscal year 2004 was to be used for exit 
activities. However, the fiscal year 2005 plan states that $73 million 
in fiscal year 2004 funds were to be used for exit activities, but it 
does not highlight this difference or address the reason for the change 
in amounts.

* The exit capability alternatives are faced with a compressed time 
line, missed milestones, and potentially reduced scope. In January 
2004, US-VISIT deployed an initial exit capability as a pilot to two 
ports of entry, while simultaneously developing other exit 
alternatives. The May 2004 Exit Pilot Evaluation Plan stated that all 
exit pilot evaluation tasks were to be completed by September 2004. The 
plan allotted about 3 months to conduct the evaluation and report the 
results. However, an October 2004 schedule indicated that all exit 
pilot evaluation tasks were to be completed between late October 2004 
and December 2004, which is about a 2-month evaluation and reporting 
period. As of early November 2004, exit alternatives were deployed and 
operating in only 5 of the 15 ports of entry that were scheduled to be 
operational by November 1, 2004. According to program implementation 
officials, this was because of delays in DHS granting security 
clearances to the civilian employees who would operate the equipment at 
the ports of entry.

Additionally, the Evaluation Execution Plan describes the sample size 
of outbound passengers required to be evaluated at each port. This 
sample size will produce a specified confidence level in the evaluation 
results. Because of the reduced evaluation time frame, the program 
still plans to collect the desired sample size at each port by adding 
more personnel to the evaluation teams if needed. These changing facts 
and circumstances surrounding the exit pilot introduce additional risk 
concerning US-VISIT's delivery of promised capabilities and benefits on 
time and within budget.

* US-VISIT and ACE collaboration is moving slowly. In February 2003, we 
recognized the relationship between US-VISIT and ACE and recommended 
steps to promote close collaboration between these two programs. Since 
then, US-VISIT and ACE managers have met to identify potential areas 
for collaboration between the two programs and to clarify how the 
programs can best support the DHS mission and provide officers with the 
information and tools they need. However, explicit plans have not been 
developed nor actions taken to understand US-VISIT/ACE dependencies and 
relationships. Because both programs are making decisions on how to 
further define, design, develop, and implement these systems, it is 
important that they exploit their relationships to reduce rework that 
might be needed to integrate the programs.

* US-VISIT system capacity is being managed in a compartmentalized 
manner. Currently, DHS does not have a capacity management 
program.[Footnote 8] Instead, the US-VISIT IT Management Office relies 
on the respective performance management activities of the pre-existing 
systems, such as those managed by U.S. Customs and Border Protection 
and U.S. Immigration and Customs Enforcement. Until US-VISIT has 
developed a comprehensive performance management and capacity planning 
program, the program will continue to be reactive in its efforts to 
ensure that US-VISIT system resources are sufficient to meet current 
workloads, increasing the risk that it may not be able to adequately 
support mission needs.

* The cost estimating process used for Increment 2B did not follow some 
key best practices. The US-VISIT cost estimate did not fully satisfy 
most of the criteria called for in SEI guidance.[Footnote 9] For 
example, costs related to development and integration tasks for
US-VISIT component systems are specified, but information about estimated
software lines of code is not. Additionally, no one outside the
US-VISIT program office reviewed and concurred with the cost estimating
categories and methodology. Without reliable cost estimates, the 
ability to make informed investment decisions and effectively manage 
progress and performance is reduced.

Conclusions: 

The fiscal year 2005 expenditure plan (with related program office 
documentation and representations) either partially satisfies or 
satisfies the legislative conditions imposed by Congress. Further, 
steps are planned, initiated, under way, or completed to address all of 
our open recommendations. However, overall progress in addressing the 
recommendations has been slow, leaving considerable work to be done. 
Given that most of these open recommendations are aimed at correcting 
fundamental limitations in DHS's ability to manage the program in a way 
that ensures the delivery of (1) mission value commensurate with costs 
and (2) promised capabilities on time and within budget, it is 
important that DHS implement the recommendations quickly and completely 
through effective planning and continuous monitoring and reporting. 
Until this occurs, the program will be at high risk of not meeting its 
stated goals on time and within budget.

To its credit, the program office now has its prime contractor on board 
to support both near-term increments and to plan for and deliver the 
yet-to-be-defined US-VISIT strategic solution. However, it is important 
to recognize that this accomplishment is a beginning and not an end. 
The challenge for DHS is now to effectively and efficiently work with 
the prime contractor in achieving desired mission outcomes.

To accomplish this, it is important that DHS move swiftly in building 
its program management capacity, which is not yet in place, as shown by 
the status of our open recommendations and our recent observations 
about (1) economic justification of US-VISIT Increment 2B, (2) 
completion of the exit pilot evaluation, (3) collaboration with a 
closely related import/export processing and border security program, 
(4) system capacity management activities, and (5) cost estimating 
practices. Moreover, it is important that DHS improve its measurement 
and disclosure to its Appropriations Subcommittees of its progress 
against commitments made in prior expenditure plans, so that the 
Subcommittees' ability to effectively oversee US-VISIT's plans and 
progress is not unnecessarily constrained.

Nevertheless, the fact remains that the program continues to invest 
hundreds of millions of dollars for a mission-critical capability under 
circumstances that introduce considerable risk that cost-effective 
mission outcomes will not be realized. At a minimum, it is incumbent 
upon DHS to fully disclose these risks, along with associated 
mitigation steps, to executive and congressional leaders so that timely 
and informed decisions about the program can be made.

Recommendations for Executive Action: 

To better ensure that the US-VISIT program is worthy of investment and 
is managed effectively, we reiterate our prior recommendations and 
further recommend that the Secretary of Homeland Security direct the 
Under Secretary for Border and Transportation Security to ensure that 
the US-VISIT program director takes the following five actions: 

* Fully and explicitly disclose in all future expenditure plans how 
well DHS is progressing against the commitments that it made in prior 
expenditure plans.

* Reassess its plans for deploying an exit capability to ensure that 
the scope of the exit pilot provides for adequate evaluation of 
alternative solutions and better ensures that the exit solution 
selected is in the best interest of the program.

* Develop and implement processes for managing the capacity of the
US-VISIT system.

* Follow effective practices for estimating the costs of future 
increments.

* Make understanding the relationships and dependencies between the
US-VISIT and ACE programs a priority matter, and report periodically to
the Under Secretary on progress in doing so.

Agency Comments: 

In written comments on a draft of this report, signed by the Acting 
Director, Departmental GAO/IG Liaison Office (reprinted in app. II), 
DHS concurred with our findings and recommendations. DHS also stated 
that it appreciated the guidance that the report provides for future 
efforts and described actions taken and progress made in implementing 
the US-VISIT program.

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of other Senate and House committees and subcommittees 
that have authorization and oversight responsibilities for homeland 
security. We are also sending copies to the Secretary of Homeland 
Security, Secretary of State, and the Director of OMB. Copies of this 
report will also be available at no charge on our Web site at 
www.gao.gov.

Should you or your offices have any questions on matters discussed in 
this report, please contact me at (202) 512-3439 or at hiter@gao.gov. 
Another contact and key contributors to this report are listed in 
appendix III. 

Signed by: 

Randolph C. Hite: 
Director, Information Technology Architecture and Systems Issues: 

[End of section]

Appendixes: 

Appendix I: Briefing to the Staffs of the Subcommittees on Homeland 
Security, Senate and House Committees on Appropriations: 

Homeland Security: Some Progress Made, but Many Challenges Remain on 
U.S. Visitor and Immigrant Status Indicator Technology Program:

Briefing to the Staffs of the Subcommittees on Homeland Security: 
Senate and House Committees on Appropriations:

November 23, 2004:

* Introduction: 

* Objectives: 

* Results in Brief: 

* Background: 

* Results:
- Legislative Conditions:
- Status of Open Recommendations: 
- Observations:

* Conclusions:

* Recommendations for Executive Action: 

* Agency Comments:

* Attachment 1. Scope and Methodology:

* Attachment 2. Recent Studies of US-VISIT:

Introduction:

The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) 
program of the Department of Homeland Security (DHS) is a 
governmentwide program to collect, maintain, and share information on 
foreign nationals. The goals of US-VISIT are to:

* enhance the security of U.S. citizens and visitors,

* facilitate legitimate travel and trade,

* ensure the integrity of the U.S. immigration system, and

* protect the privacy of our visitors.

The US-VISIT program involves the interdependent application of people, 
processes, technology, and facilities.

[See PDF for image]

Sources: GAO (analysis), Nova Development Corp. (images).

[End of figure]

The Department of Homeland Security Appropriations Act, 2005, [NOTE 1]  
states that DHS may not obligate $254 of the $340 million appropriated 
for the US-VISIT program until the Senate and House Committees on 
Appropriations receive and approve a plan for expenditure that:

* meets the capital planning and investment control review requirements 
established by the Office of Management and Budget (OMB), including OMB 
Circular A-11, part 7; [NOTE 2]

* complies with DHS's enterprise architecture;

* complies with the acquisition rules, requirements, guidelines, and 
systems acquisition management practices of the federal government;

* is reviewed and approved by the DHS Investment Review Board, the 
Secretary of Homeland Security, and OMB; and

* is reviewed by GAO.

On October 19, 2004, DHS submitted its fiscal year 2005 expenditure 
plan for $340 million to the House and Senate Appropriations 
Subcommittees on Homeland Security.

Objectives:

As agreed, our objectives were to:

1. determine whether the US-VISIT fiscal year 2005 expenditure plan 
satisfies the legislative conditions,

2. determine the status of our US-VISIT open recommendations, and

3. provide any other observations about the expenditure plan and DHS's 
management of US-VISIT.

We conducted our work at US-VISIT offices in Rosslyn, Virginia, from 
June 2004 through November 2004, in accordance with generally accepted 
government auditing standards. Details of our scope and methodology are 
described in attachment 1 of this briefing.

Results in Brief: Objective 1: Legislative Conditions:

Fiscal Year 2005 US-VISIT Expenditure Plan's Satisfaction of 
Legislative Conditions:

Legislative conditions: 1. Meets the capital planning and investment 
control review requirements established by OMB, including OMB Circular 
A-11, part 7; 
Status: Partially satisfies [A]. 

Legislative conditions: 2. Complies with the DHS enterprise 
architecture; 
Status: Partially satisfies. 

Legislative conditions: 3. Complies with the acquisition rules, 
requirements, guidelines, and systems acquisition management practices 
of the federal government; 
Status: Satisfies [B].

Legislative conditions: 4. Is reviewed and approved by the DHS 
Investment Review Board, the Secretary of Homeland Security, and OMB.
Status: Partially satisfies. 

Legislative conditions: 5. Is reviewed by GAO.
Status: Satisfies. 

Source: GAO.

[A] Satisfies or provides for satisfying many, but not all, key aspects 
of the condition that we reviewed. 

[B] Satisfies or provides for satisfying every aspect of the condition 
that we reviewed.

[End of table]

Results in Brief: Objective 2: Open Recommendations:

Status of Actions to Implement Our 19 Open Recommendations:

Open Recommendation: 1. Develop a system security plan and privacy 
impact assessment; 
Status: Partially complete [C]. 

Open Recommendation: 2. Develop and implement a plan for satisfying key 
acquisition management controls, including acquisition planning, 
solicitation, requirements development and management, project 
management, contract tracking and oversight, evaluation, and transition 
to support, and implement the controls in accordance with SEI [E] 
guidance; 
Status: In progress [B].

Open Recommendation: 3. Ensure that future expenditure plans are 
provided to the department's House and Senate Appropriations 
Subcommittees on Homeland Security in advance of US-VISIT funds being 
obligated; 
Status: Complete [D,F]. 

Open Recommendation: 4. Ensure that future expenditure plans fully 
disclose US-VISIT system capabilities, schedule, cost, and benefits to 
be delivered; 
Status: Partially complete [C,F]. 

Open Recommendation: 5. Ensure that future expenditure plans fully 
disclose how the US-VISIT acquisition is being managed; 
Status: In progress [B,F].

Open Recommendation: 6. Ensure that human capital and financial 
resources are provided to establish a fully functional and effective 
program office; 
Status: Partially complete [C].

Open Recommendation: 7. Clarify the operational context in which US-
VISIT is to operate; 
Status: In progress [B].

Open Recommendation: 8. Determine whether proposed US-VISIT increments 
will produce mission value commensurate with cost and risks; 
Status: In progress [B].

Open Recommendation: 9. Define US-VISIT program office positions, 
roles, and responsibilities; 
Status: Partially complete [C].

Open Recommendation: 10. Develop and implement a human capital strategy 
for the US-VISIT program office that provides for staffing positions 
with individuals who have the appropriate knowledge, skills, and 
abilities; 
Status: Partially complete [C].

Open Recommendation: 11. Develop a risk management plan and report all 
high risks and their status to the executive body on a regular basis; 
Status: Partially complete [C].

Open Recommendation: 12. Define performance standards for each US-VISIT 
increment that are measurable and reflect the limitations imposed by 
relying on existing systems; 
Status: In progress [B]. 

Open Recommendation: 13. Develop and approve test plans before testing 
begins. These test plans should (1) specify the test environment; (2) 
describe each test to be performed, including test controls, inputs, 
and expected outputs; (3) define the test procedures to be followed in 
conducting the tests; and (4) provide traceability between test cases 
and the requirements to be verified by the testing; 
Status: In progress [B].

Open Recommendation: 14. Ensure the independence of the independent 
verification and validation contractor.[G]; 
Status: In progress [B].

Open Recommendation: 15. Implement effective configuration management 
practices, including establishing a US-VISIT change control board to 
manage and oversee system changes.
Status: Planned [A]. 

Open Recommendation: 16. Identify and disclose management reserve 
funding embedded in the fiscal year 2004 expenditure plan to the 
Appropriations Subcommittees; 
Status: Complete [D].

Open Recommendation: 17. Ensure that all future US-VISIT expenditure 
plans identify and disclose management reserve funding; 
Status: Complete [D,F].

Open Recommendation: 18. Assess the full impact of Increment 2B on 
land ports of entry workforce levels and facilities, including 
performing appropriate modeling exercises; 
Status: Partially complete [C].

Open Recommendation: 19. Develop a plan, including explicit tasks and 
milestones, for implementing all our open recommendations and 
periodically report to the DHS Secretary and Under Secretary on 
progress in implementing this plan, and report on this progress, 
including reasons for delays, in all future US-VISIT expenditure plans; 
Status: In progress [B].

Source: GAO.

[A] Actions are planned to implement the recommendation. 

[B] Actions have been initiated to implement the recommendation. 

[C] Actions are under way to implement the recommendation. 

[D] Actions have been taken that fully implement the recommendation.

[E] The Software Acquisition Capability Maturity Model (SA-CMM®) 
developed by Carnegie Mellon University's Software Engineering 
Institute (SEI) defines acquisition process management controls for 
planning, managing, and controlling software-intensive system 
acquisitions.

[F] With respect to the fiscal year 2005 expenditure plan.

[G] The purpose of independent verification and validation is to 
provide an independent review of processes and products throughout the 
acquisition and deployment phase.

[End of table]

Results in Brief: Objective 3: 
Observations:

Summary of GAO Observations:

* The program office has acquired the services of a prime integration 
contractor to augment its ability to complete US-VISIT.

* The fiscal year 2005 Expenditure Plan does not describe progress 
against commitments (e.g., capabilities, schedule, cost, and benefits) 
made in previous plans.

* The exit capability alternatives evaluation is faced with a 
compressed time line, missed milestones, and potentially reduced scope.

* US-VISIT and Automated Commercial Environment (ACE)[NOTE 3] 
collaboration is moving slowly.

* US-VISIT system capacity is being managed in a compartmentalized 
manner.

* The cost estimating process used for Increment 213 did not follow 
some key best practices.

To assist DHS in managing US-VISIT, we are making five recommendations 
to the Secretary of DHS.

In their comments on a draft of this briefing, US-VISIT program 
officials stated that they generally agreed with our findings, 
conclusions, and recommendations.

Background: 
US-VISIT Overview:

The US-VISIT program is a governmentwide endeavor intended to enhance 
the security of U.S. citizens and visitors, facilitate legitimate 
travel and trade, ensure the integrity of the U.S. immigration system, 
and protect the privacy of our visitors. US-VISIT is to accomplish 
these things by:

* collecting, maintaining, and sharing information on certain foreign 
nationals who enter and exit the United States;

* identifying foreign nationals who (1) have overstayed or violated the 
terms of their visit; (2) can receive, extend, or adjust their 
immigration status; or (3) should be apprehended or detained by law 
enforcement officials;

* detecting fraudulent travel documents, verifying traveler identity, 
and determining traveler admissibility through the use of biometrics; 
and

* facilitating information sharing and coordination within the border 
management community.

Background: 
US-VISIT Program Office:

US-VISIT Program Office Structure:

[See PDF for image]

Source: US-VISIT.

[End of figure]

Background:

Acquisition Strategy:

DHS plans to deliver US-VISIT capability incrementally. Currently, DHS 
has decided that there will be four increments, with Increments 1 
through 3 being interim, or temporary, solutions, and Increment 4 being 
the yet-to-be-defined future vision for US-VISIT. Increments 1 through 
3 include the interfacing and enhancement of existing system 
capabilities and the deployment of these capabilities to air, sea, and 
land ports of entry (POE). These increments are to be largely acquired 
through the implementation of existing contracts and task orders.

In May 2004, DHS awarded an indefinite-delivery/indefinite-quantity 
[NOTE 4] prime contract to Accenture and its partners. [NOTE 5] This 
collection of contractors is known as the Smart Border Alliance.

According to the contract, the prime contractor will support the 
integration and consolidation of processes, functionality, and data, 
and will develop a strategy to build on the technology and capabilities 
already available to fully support the US-VISIT vision. Meanwhile, the 
US-VISIT program will continue to leverage existing contractors in 
deploying the interim solution using the prime contractor to assist.

Overview of Increments:

Increment 1 Status:

Increment 1 (air and sea) includes the electronic collection and 
matching of biographic and biometric information at all major air and 
some sea POEs for selected foreign travelers with visas. [NOTE 6] As of 
September 30, 2004, Increment 1 was expanded to include foreign 
nationals from visa waiver countries.

On January 5, 2004, Increment 1 capability was deployed to 115 airports 
and 14 seaports for entry and as a pilot to 2 POEs for exit. [NOTE 7] 
US-VISIT is evaluating three additional exit alternatives and has 
recently deployed these alternatives to three additional POEs. [NOTE 8] 

The three alternatives are as follows:

* The enhanced kiosk captures a digital photograph and prints out a 
receipt.

* The mobile device includes a handheld wireless unit at the gates to 
capture electronic fingerprints and photographs.

* The hybrid combines the enhanced kiosk, which is used to generate a 
receipt, with the mobile device, which scans the receipt and the 
electronic fingerprint of the traveler at the gate to verify exit.

As of November 18, 2004, US-VISIT had processed about 13 million 
foreign nationals, including about 2 million from visa waiver 
countries. According to US-VISIT, it had positively matched over 1,500 
persons against watch list databases.

Increment 2 Plans:

Increment 2 is divided into three increments: 2A, 2B, and 2C.

* Increment 2A (air, sea, and land) is to provide all POEs the capability 
to process machine-readable visas and other travel and entry documents 
that use biometric identifiers; it is to be implemented by October 26, 
2005. [NOTE 9]

* Increment 2B (land) is to expand the Increment 1 solution for entry to 
secondary inspection [NOTE 10] at the 50 highest volume land POEs by 
December 31, 2004. [NOTE 11] According to the US-VISIT Increment 2B 
Manager, US-VISIT deployed Increment 2B as a pilot to three sites on 
November 15, 2004. [NOTE 12]

* Increment 2C (border technology and infrastructure) is to deliver a 
solution that captures both entry and exit information using 
technologies such as radio frequency technology [NOTE 13] at primary 
inspection and exit lanes. US-VISIT plans to deploy this technology to 
one or more POEs by June 2005.

Increment 3 Plans:

* Increment 3 (land) is to expand Increment 2B system capability to 
the remaining 115 land POEs. It is to be implemented by December 31, 
2005. [NOTE 14]

Increment 4 Plans:

Increment 4 (long-term strategy) is the yet-to-be-defined future vision 
of US-VISIT program capability, which US-VISIT officials have stated 
will likely consist of a series of releases. The program is currently 
working with its prime contractor and partners to develop an overall 
vision for immigration and border management operations.

Facilities and Staffing:

For facilities, US-VISIT is installing the infrastructure, such as new 
computer workstations, printers, peripherals (fingerprint scanning 
machines/camera), modifications to the counters, and printer stands, 
and ensuring adequate power availability for the collection of 
biometric and biographical information in secondary inspection areas 
for Increment 2B. DHS is working with the Federal Highway 
Administration, state transportation departments, and the U.S. General 
Services Administration on a "proof of concept" for the new RF 
technology associated with Increment 2C, which is still in the 
preliminary stages.

For human capital, DHS does not anticipate the need for additional 
inspection staff for Increment 2B.

Component Systems:

US-VISIT (Increments 1 through 4) will potentially include the 
interfacing of over 19 existing systems. Examples of systems included 
in Increments 1 and 2B are as follows:

* Treasury Enforcement Communications Systems (TECS) is a system that 
maintains lookout (i.e., watch list) data, [NOTE 15] interfaces with 
other agencies' databases, and is currently used by inspectors at POEs 
to verify traveler information and update traveler data. Within TECS 
are several databases, including the following:

- Advance Passenger Information System (APIS) includes arrival and 
departure manifest information provided by air and sea carriers.

- Crossing History includes information about individuals' crossing 
histories.

* Biographic Watchlist includes biographic information on individuals 
of interest.

* Secondary includes the results of prior secondary inspections 
performed on an individual, including if the person was admitted or 
denied entry.

* US-VISIT Biometric Information File (BIF) includes keys or links to 
other databases in TECS, IDENT, and ADIS and includes such information 
as fingerprint identification numbers, name, and date of birth.

* Addresses includes addresses of individuals.

* I-94/Non-Immigrant Information System (NIIS) includes information 
from I-94 forms.

* US-Visa (Datashare) includes Department of State records of visa 
applications, such as photographs, biographic information, and 
fingerprint identification number.

* Arrival Departure Information System (ADIS) is a database that stores 
traveler arrival and departure data and that provides query and 
reporting functions.

* Automated Biometric Identification System (IDENT) is a system that 
collects and stores biometric data about foreign visitors. [NOTE 16] 

* Student Exchange Visitor Information System (SEVIS) is a system that 
contains information on foreign students.

* Computer Linked Application Information Management System (CLAIMS 3) 
is a system that contains information on foreign nationals who request 
benefits, such as change of status or extension of stay.

* Consular Consolidated Database (CCD) is a system that includes 
information on whether a visa applicant has previously applied for a 
visa or currently has a valid U.S. visa.

Background: 

Increment 1 Process:

Increment 1 Processes:

According to DHS, Increment 1 includes the following five processes: 
pre-entry, entry, status management, exit, and analysis, which are 
depicted in the graphic below.

[See PDF for image]

Sources: US-VISIT, GAO (analysis), Nova Development Corp. (images).

[End of figure]

Pre-entry Process:

Pre-entry processing begins with initial petitions for visas, grants of 
visa status, or the issuance of travel documentation. When a foreign 
national applies for a visa at a U.S. consulate, biographic and 
biometric data are collected. The biometric data (i.e., fingerprint 
scan of the right and left index fingers) are transmitted from State to 
DHS, where the fingerprints are run against IDENT to verify identity. 
The results of the biometric check are transmitted back to State. A 
"hit" response prevents State's system from printing a visa for the 
applicant until the information is reviewed and cleared by a consular 
officer.

Commercial air and sea carriers are required by law to transmit crew 
and passenger manifests before arriving in the United States. [NOTE 17] 
These manifests are transmitted through APIS. The APIS lists are run 
against the biographic lookout system and identify those arrivals who 
have biometric data available.

In addition, POEs review the APIS list for a variety of factors that 
would target arriving crew and passengers for additional processing.

Entry Process:

When the foreign national arrives at a primary POE inspection booth, 
the inspector, using a document reader, scans the machine-readable 
travel documents. APIS returns any existing records on the foreign 
national, including manifest data matches and biographic lookout hits. 
When a match is found in the manifest data, the foreign national's name 
is highlighted and outlined on the manifest data portion of the screen.

Biographic information, such as name and date of birth, is displayed on 
the bottom half of the screen, as well as the photograph from State's 
CCD. TECS also returns information about whether there are, within 
IDENT, existing fingerprints for the foreign national.

The inspector switches to another screen and scans the foreign 
national's fingerprints (left and right index fingers) and takes a 
photograph. The system accepts the best fingerprints available within 
the 5-second scanning period. This information is forwarded to IDENT, 
where it is checked against stored fingerprints in the IDENT lookout 
database.

If no prints are currently in IDENT, the foreign national is enrolled 
in US-VISIT (i.e., biographic and biometric data are entered). If the 
foreign national's fingerprints are already in IDENT, the system 
performs a 1:1 match (a comparison of the fingerprint taken during the 
primary inspection to the one on file) to confirm that the person 
submitting the fingerprints is the person on file. If the system finds 
a mismatch of fingerprints or a watch list hit, the foreign national is 
sent to secondary inspection for further screening or processing.

While the system is checking the fingerprints, the inspector questions 
the foreign national about the purpose of his or her travel and length 
of stay. The inspector adds the class of admission and duration of stay 
information into TECS, and stamps the "admit until" date on the I-94 
form. [NOTE 18]

If the foreign national is ultimately determined to be inadmissible, 
the person is detained, lookouts are posted in the databases, and 
appropriate actions are taken.

Within 2 hours after a flight lands and all passengers have been 
processed, TECS is to send ADIS the records showing the class of 
admission and the "admit until" dates that were modified by the 
inspector.

Status Management Process:

The status management process manages the foreign national's temporary 
presence in the United States, including the adjudication of benefits 
applications and investigations into possible violations of immigration 
regulations.

Commercial air and sea carriers are required by law to transmit 
departure manifests electronically for each passenger. [NOTE 19] These 
manifests are transmitted through APIS and shared with ADIS. ADIS 
matches entry and exit manifest data to ensure that each record showing 
a foreign national entering the United States is matched with a record 
showing the foreign national exiting the United States. ADIS also 
provides the ability to run queries on foreign nationals who have entry 
information but no corresponding exit information. ADIS receives status 
information from CLAIMS 3 and SEVIS on foreign nationals.

Exit Process:

The exit process includes the carriers' electronic submission of 
departure manifest data to APIS. This biographic information is passed 
to ADIS, where it is matched against entry information. As we have 
previously discussed, when the foreign national departs the country 
through a pilot location, the departure is processed by one of three 
alternative pilot methods. The alternative used is dependent on the 
departure port. Within each port, one or more alternatives will be 
deployed. Not all alternatives are deployed to every pilot port. All 
three alternatives are generally operated by a Work Station Attendant 
(WSA), although the mobile device can sometimes be operated by a law 
enforcement officer. Foreign nationals are informed of the requirement 
to process through exit upon departure.

The three alternatives are as follows.

* Enhanced kiosk: The traveler approaches the kiosk for departure 
processing. At the kiosk, the traveler, guided by a WSA if needed, 
scans the machine-readable travel documents, provides electronic 
fingerprints, and has a digital photograph taken. A receipt is printed 
to provide documentation of compliance with the exit process and to 
assist in compliance on the traveler's next attempted entry to the 
country. After the receipt prints, the traveler proceeds to his/her 
departure gate. At the conclusion of the transaction, the collected 
information is transmitted to IDENT.

* Mobile device: At the departure gate, and just before the traveler 
boards the departure craft, either a WSA or law enforcement officer 
scans the machine-readable travel documents, scans the traveler's 
fingerprints (right and left index fingers), and takes a digital 
photograph. A receipt is printed to provide documentation of compliance 
with the exit process and to assist in compliance on the traveler's 
next attempted entry to the country. The device wirelessly transmits 
the captured data in real time to IDENT via the Transportation Security 
Administration's Data Operations Center.

If the device is being operated by a WSA, the WSA provides a printed 
receipt to the traveler, and the traveler then boards the departure 
craft. If the mobile device is being operated by a law enforcement 
officer, the captured biographic and biometric information is checked 
in near real time against watch lists. Any potential match is returned 
to the device and displayed visually for the officer. If no match is 
found, the traveler boards the departure craft.

* Hybrid: Using an enhanced kiosk, the traveler, guided by a WSA if 
needed, scans the machine-readable travel documents, provides 
electronic fingerprints, and has a digital photograph taken.

As with the enhanced kiosk alternative, a receipt is printed to provide 
documentation of compliance with the exit process and to assist in 
compliance on the traveler's next attempted entry to the country. 
However, this receipt has biometrics (i.e., the traveler's fingerprints 
and photograph) embedded on the receipt. At the conclusion of the 
transaction, the collected information is transmitted to IDENT.

The traveler presents his or her receipt to the WSA or law enforcement 
officer at the gate or departure area, who scans the receipt using a 
mobile device. The traveler's identity is verified against the 
biometric data embedded on the receipt. Once the traveler's identity is 
verified, he/she is allowed to board the departure craft. The captured 
information is not transmitted in real time back to IDENT. Data 
collected on the mobile device are periodically uploaded through the 
kiosk to IDENT.

Analysis:

An ongoing analysis capability is to provide for the continuous 
screening against watch lists of individuals enrolled in US-VISIT for 
appropriate reporting and action. As more entry and exit information 
becomes available, it can be used to analyze traffic volume and 
patterns as well as to perform risk assessments. The analysis is to be 
used to support resource and staffing projections across the POEs, 
strategic planning for integrated border management analysis performed 
by the intelligence community, and determination of travel use levels 
and expedited traveler programs.

Background: 

Increment 2B Process:

Increment 2B Processes:

As mentioned previously, US-VISIT has recently deployed Increment 2B 
(which is focused on land POEs) as a pilot and plans to fully deploy 
the increment by December 31, 2004. Increment 2B is similar to 
Increment 1, with several noteworthy differences.

* No advance passenger information is to be available to the inspector 
before the traveler arrives for inspection.

* Travelers subject to US-VISIT are to be processed at secondary 
inspection, rather than at primary inspection.

* Inspectors' workstations are to use a single screen, which eliminates 
the need to switch between the TECS and IDENT screens.

* Form I-94 data are to be captured electronically. The form is 
populated by data obtained when the machine-readable zone of the travel 
document is swiped. If visa information about the traveler exists in 
the Datashare database, [NOTE 20] it is used to populate the form. 
Fields that cannot be populated electronically are manually entered. A 
copy of the completed form is printed and given to the traveler for use 
upon exit.

* No electronic exit information is to be captured.

Background:

Increments 1 and 2B Overview:

Simplified Diagram of US-VISIT Increment 1 and 2B Systems:

[See PDF for image]

Sources: US-VISIT, GAO (analysis), Nova Development Corp. (images). 

[End of figure]

Background:

Chronology of Expenditure Plans:

Chronology of US-VISIT Expenditure Plans:

Since November 2002, four US-VISIT expenditure plans have been 
submitted.

* On November 15, 2002, the Immigration and Naturalization Service 
(INS) [NOTE 21] submitted to its appropriations subcommittees its first 
expenditure plan, which outlined $13.3 million in expenditures for 
contract activities; design, development, and deployment of the Visa 
Waiver Support System; facilities assessments; biometric standards 
development; prototyping; IBIS support activities; travel; program 
office operations; and fingerprint scanner procurements.

* On June 5, 2003, the second expenditure plan outlined $375 million in 
expenditures for system enhancements and infrastructure upgrades, POE 
information technology (IT) and communication upgrades, facilities 
planning analysis and design, program management support, proof of 
concept demonstrations, operations and system sustainment, and training.

* On January 27, 2004, the third expenditure plan outlined $330 million 
in expenditures for exit pilots; capability to read biometrically 
enabled travel documents; land infrastructure upgrades; system 
development and testing; radio frequency technology deployment to the 
50 busiest land POEs; technical infrastructure planning and 
development; program management; and operations and maintenance.

* The current and fourth expenditure plan, submitted on October 19, 
2004, outlines $340 million in expenditures (see table, next slide).

Background:

Review of Current Expenditure Plan:

Fiscal Year 2005 Expenditure Plan Summary (see next slides for 
descriptions):

Area of expenditure: Increment 1-Air and Sea; 
Amount: $32,000,000. 

Area of expenditure: Increment 2A-Air, Sea, and Land; 
Amount: $15,000,000. 

Area of expenditure: Increment 2B-Land; 
Amount: $0. 

Area of expenditure: Increment 2C-Border Technology and Infrastructure; 
Amount: $55,000,000. 

Area of expenditure: Increment 3-Land; 
Amount: $25,000,000. 

Area of expenditure: Increment 4-Long-Term Strategy; 
Amount: $21,000,000. 

Area of expenditure: Program Management; 
Amount: $83,000,000. 

Area of expenditure: Operations and Maintenance; 
Amount: $86,000,000. 

Area of expenditure: Management Reserve; 
Amount: $23,000,000. 

Total; 
Amount: $340,000,000. 

Source: DHS.

[End of table]

Background:

Current Expenditure Plan:

Increment 1-Air and Sea: Includes deploying an exit capability to 
capture departure information and acquiring lease space for exit at air 
and sea POEs.

Increment 2A-Air, Sea, and Land: Includes continued work on developing 
and testing the US-VISIT equipment and software necessary to 
biometrically compare and authenticate travel documents.

Increment 2C-Border Technology and Infrastructure: Includes testing, 
modeling, and deploying technology to provide the capability to view 
previously collected biographic and biometric data of enrolled 
travelers and integrating Border Crossing Card biometric data with 
IDENT.

Increment 3-Land: Includes extending the Increment 2B capability to 
collect biometric data and verify identity at the 115 remaining land 
POEs.

Increment 4-Long-Term Strategy: Includes developing the long-term 
strategy; integrating the strategy with the interim system, legacy 
systems, and the DHS enterprise architecture; and planning for 
facilities compliance.

Program Management: Includes maintaining the program management 
structure and baseline operations.

Operations and Maintenance: Includes operations and maintenance of 
existing information systems and support costs for ongoing software 
configuration and maintenance.

Objective 1: Legislative Conditions: 

Condition 1:

The US-VISIT expenditure plan satisfies or partially satisfies each of 
the legislative conditions.

Condition 1. The plan, including related program documentation and 
program officials' statements, partially satisfies the capital planning 
and investment control review requirements established by OMB, 
including OMB Circular A-11, part 7, which establishes policy for 
planning, budgeting, acquisition, and management of federal capital 
assets.

The table that follows provides examples of the results of our analysis.

Examples of A-11 conditions: Provide justification and describe 
acquisition strategy; 
Results of our analysis: US-VISIT has completed an Acquisition Plan, 
dated November 2003. The plan provides a high-level justification and 
description of the acquisition strategy for the system.

Examples of A-11 conditions: Summarize life-cycle costs and 
cost/benefit analysis, including the return on investment; 
Results of our analysis: US-VISIT completed a cost/benefit analysis for 
Increment 2B on June 11, 2004.

Examples of A-11 conditions: Provide performance goals and measures; 
Results of our analysis: The plan includes benefits, but does not 
identify corresponding metrics. The plan states that performance 
measures are under development.

Examples of A-11 conditions: Address security and privacy; 
Results of our analysis: US-VISIT has developed a security plan that 
partially satisfies OMB and the National Institute of Standards and 
Technology security guidance. US-VISIT has not yet conducted a security 
risk assessment on the overall US-VISIT program. While the plan states 
the intention to do the assessment, it does not specify when it will be 
completed. The US-VISIT program published a privacy policy and privacy 
impact assessment for Increment 2.

Examples of A-11 conditions: Provide risk inventory and assessment; 
Results of our analysis: US-VISIT has developed a risk management plan 
and process for developing, implementing, and institutionalizing a risk 
management program. Risks are currently tracked using a risk-tracking 
database.

Source: GAO.

Objective 1: Legislative Conditions: 

Condition 2:

Condition 2. The plan, including related program documentation and 
program officials' statements, partially satisfies the condition that 
it provide for compliance with DHS's enterprise architecture (EA).

DHS released version 1.0 of the architecture in September 2003. [NOTE 
22] We reviewed the initial version of the architecture and found that 
it was missing, either partially or completely, all the key elements 
expected in a well-defined architecture, such as a description of 
business processes, information flows among these processes, and 
security rules associated with these information flows. [NOTE 23] Since 
we reviewed version 1.0, DHS has drafted version 2.0 of its EA. We have 
not reviewed this draft.

According to officials from the Office of the Chief Strategist, 
concurrent with the development of the strategic vision, the US-VISIT 
program office has been working with the DHS EA program office in 
developing version 2.0 to ensure that US-VISIT is aligned with DHS's 
evolving EA. According to these officials, US-VISIT representatives 
participate in both the DHS EA Center of Excellence and the DHS 
Enterprise Architecture Board. [NOTE 24]

In July 2004, the Center of Excellence reviewed US-VISIT's submission 
for architectural alignment with some EA components, but not all. 
Specifically, the submission included information intended to show 
compliance with business and data components, but not, for example, the 
application and technology components. According to the head of DHS's 
EA Center of Excellence, the application and technical components were 
addressed by this center, which found that US-VISIT was in compliance.

Based on its review, the DHS Enterprise Architecture Board recommended 
that the US-VISIT program be given conditional approval to proceed for 
investment, provided that the program resubmit its documentation upon 
completion of its strategic plan, which is anticipated in January 2005. 
DHS has not yet provided us with sufficient documentation to allow us 
to understand DHS architecture compliance methodology and criteria, or 
verifiable analysis justifying the conditional approval.

Objective 1: Legislative Conditions: 

Condition 3:

Condition 3. The plan, including related program documentation and 
program officials' statements, satisfies the condition that it comply 
with the acquisition rules, requirements, guidelines, and systems 
acquisition management practices of the federal government.

The plan provides for satisfying this condition, in part, by describing 
efforts to develop Software Engineering Institute (SEI) Software 
Acquisition Capability Maturity Model (SA-CMM®) key process areas, such 
as requirements development and management and contract tracking and 
oversight. The plan also states that the program intends to achieve 
SA-CMM Level 2 [NOTE 25] by establishing a process improvement program 
based on SEI-identified industry best practices. As part of 
establishing this program, US-VISIT has developed a draft process 
improvement plan that specifies process improvement goals, objectives, 
assumptions, and risks, and which describes a process improvement time 
line and phase methodology.

If these processes are implemented effectively, they will help US-VISIT 
meet federal acquisition rules, requirements, and guidelines and comply 
with systems acquisition management practices.

Objective 1: Legislative Conditions: 

Condition 4:

Condition 4. The plan, including related program documentation and 
program officials' statements, partially satisfies the requirement that 
it be reviewed and approved by the DHS Investment Review Board (IRB), 
the Secretary of Homeland Security, and OMB.

The DHS Under Secretary for Management [NOTE 26] reviewed and approved 
the fiscal year 2005 expenditure plan on October 14, 2004, and OMB 
approved the plan on October 15, 2004.

According to the US-VISIT Budget and Finance Director, the IRB reviewed 
the fiscal year 2005 expenditure plan but did not approve it because 
DHS management determined that review of the expenditure plan was not 
in the scope of the IRB review process.

Objective 1: Legislative Conditions: 

Condition 5:

Condition 5. The plan satisfies the requirement that it be reviewed by 
GAO. Our review was completed on November 23, 2004.

Objective 2: Open Recommendations: 

Recommendation 1:

Open Recommendation 1: Develop a system security plan and privacy 
impact assessment.

Status: Partially complete:

Security Plan. US-VISIT has developed a security plan. [NOTE 27]

OMB and the National Institute of Standards and Technology (NIST) have 
issued security planning guidance [NOTE 28] requiring, in part, the 
completion of system security plans that (1) provide an overview of the 
system security requirements, (2) include a description of the controls 
in place or planned for meeting the security requirements, and (3) 
delineate roles and responsibilities of all individuals who access the 
system.

According to the guidance, the plan should also describe the 
methodology used to identify system threats and vulnerabilities and to 
assess risks, and it should include the date the assessment was 
conducted. If no system risk assessment has been completed, the plan is 
to include a milestone date for completion.

The US-VISIT security plan provides an overview of the system security 
requirements, describes the controls in place or planned for meeting 
those requirements, and references the applicable documents that 
contain roles and responsibilities for the US-VISIT component systems.

However, the plan states that although a security risk assessment on 
the US-VISIT program will be completed in accordance with NIST 
guidelines, it has not yet been completed, and the plan does not 
indicate a date for doing so.

Privacy Impact Assessment. The US-VISIT program has conducted a privacy 
impact assessment for Increment 2, and according to the US-VISIT 
Privacy Officer, a privacy impact assessment will be completed for the 
exit portion of Increment 1 in early 2005. According to OMB guidance, 
[NOTE 29] the depth and content of such an assessment should be 
appropriate for the nature of the information to be collected and the 
size and complexity of the system involved.

The assessment should also, among other things, (1) be updated when a 
system change creates new privacy risk, (2) ensure that privacy is 
addressed in the documentation related to system development, (3) 
address the impact the system will have on an individual's privacy, (4) 
analyze the consequences of collection and flow of information, and (5) 
analyze alternatives to collection and handling as designed.

The Increment 2 assessment satisfies some, but not all, of the above 
OMB guidance areas. To DHS's credit, the assessment, which was 
completed in September 2004, states that the DHS Chief Privacy Officer 
directed that the assessment be updated as necessary to reflect future 
changes to Increment 2. The assessment also discusses the impact that 
Increment 2 will have on an individual's privacy and analyzes the 
consequences of collection and flow of information.

However, privacy is only partially addressed in the Increment 2 system 
documentation. For example, privacy is used in the Increment 2B 
cost-benefit analysis to evaluate the weighted risk of Increment 2B 
alternative solutions. Additionally, the ADIS functional requirements 
specify that access to information contained in the system, which is 
protected by the Privacy Act, [NOTE 30] must be limited to authorized 
users. However, the IDENT Server 2.0 requirements do not consider 
privacy at all. Additionally, the assessment's only discussion of 
design is a statement that a major choice for US-VISIT was whether to 
develop an entirely new system, develop a largely new system, or build 
upon existing systems. The assessment does not analyze these options.

The timing of the planned privacy impact assessment for the exit 
portion of Increment 1 is consistent with plans for completing the exit 
pilots.

Objective 2: Open Recommendations: 

Recommendation 2:

Open Recommendation 2: Develop and implement a plan for satisfying key 
acquisition management controls (including acquisition planning, 
solicitation, requirements development and management, project 
management, contract tracking and oversight, evaluation, and transition 
to support) and implement the controls in accordance with SEI guidance.

Status: In progress:

The US-VISIT program plans to achieve SEI SA-CMM Level 2 status in 
October 2006. According to SEI, a process improvement effort should 
involve building a process infrastructure, establishing current levels 
of process maturity, and completing an action plan. The plan should 
include, among other things, process improvement assumptions and risks, 
goals, objectives, and criteria for success. The US-VISIT Acquisition 
and Program Management Office (APMO) has initiated a process 
improvement program and drafted a process improvement plan.

The draft US-VISIT plan discusses assumptions, such as the improvement 
program being sponsored and supported by senior US-VISIT management, 
and risks, such as not meeting the process improvement time line if the 
process improvement effort is not fully staffed.

The plan also lists both process improvement goals and short- and 
long-term objectives. However, the goals and objectives are generally not 
defined in measurable terms. For example, the plan identifies the 
following goal and objective:

* Goal: ensure that US-VISIT is in compliance with federal mandates, 
making future funding more likely.

* Objective: define a strategy for attaining SEI SA-CMM Level 2 as soon 
as possible within the existing constraints (limited contractor and 
government staff resources and centralized facility).

The plan also does not address criteria for success.

APMO has developed processes or plans, some of which are approved and 
some of which are in draft, for all key process areas except 
"transition to support." [NOTE 31] The Director of APMO could not say 
when APMO plans to develop the documentation for this key process area, 
but noted that US-VISIT is considering a transition from the SA-CMM to 
SEI's Capability Maturity Model Integration (CMMI) model. [NOTE 32] No 
time line was provided as to when this decision might be made. The 
Director of APMO acknowledges that a transition to the CMMI will likely 
change the previously mentioned time line for CMM certification.

Objective 2: Open Recommendations: 

Recommendation 3:

Open Recommendation 3: Ensure that future expenditure plans are 
provided to the DHS's House and Senate Appropriations Subcommittees on 
Homeland Security in advance of US-VISIT funds being obligated.

Status: Complete:

On October 18, 2004, the President signed the Department of Homeland 
Security Appropriations Act, 2005, which included $340 million in 
fiscal year 2005 funds for the US-VISIT program. [NOTE 33] The act 
states that $254 million of the $340 million is subject to the 
expenditure plan requirement.

On October 19, 2004, DHS provided its fiscal year 2005 expenditure plan 
to the Senate and House Appropriations Subcommittees on Homeland 
Security.

Objective 2: Open Recommendations: 

Recommendation 4:

Open Recommendation 4: Ensure that future expenditure plans fully 
disclose US-VISIT system capabilities, schedule, cost, and benefits to 
be delivered.

Status: Partially complete:

Capabilities:

The expenditure plan identifies high-level capabilities by increments. 
However, the capabilities are not consistently presented. For example, 
in one section of the plan, Increment 2B capabilities are identified as:

* collect biometric data and verify identity at the 50 busiest land 
POEs,

* develop global enrollment system capability, and

* support facilities delivery.

However, later in the plan, Increment 2B capabilities are identified 
as: 
 
* Increment 1 functionality at the top 50 land POEs,

* biometric data collection, and

* infrastructure upgrades.

Further, some of the capabilities are described in vague and ambiguous 
terms. For example, the plan describes such Increment 2C capabilities 
as:

* integration of Border Crossing Cards with US-VISIT,

* test, model, and deploy technology to preposition biographic and 
biometric data of enrolled travelers, and

* desktop upgrades.

Schedule:

The plan identifies specific milestones for some increments, but not 
for others. For example, it states that Increment 2B is to be 
implemented by December 31, 2004, and Increment 3 by December 31, 2005. 
However, it states that Increment 1 exit and Increment 2C are to be 
implemented in fiscal year 2005.

Costs:

The plan identifies the amounts budgeted for each increment for fiscal 
years 2003 through 2005. For example, the plan states that US-VISIT 
plans to obligate $55 million in fiscal year 2005 funds for Increment 
2C. However, the plan does not associate the $55 million with specific 
Increment 2C capabilities and benefits. Rather, it states that this 
amount will be used to support Increment 2C by funding the installation 
of technology in entry and exit lanes at land borders and supporting 
facility delivery.

Further, the plan does not identify any estimated nongovernmental 
costs, such as the social costs associated with any potential economic 
impact at the border.

Benefits:

The plan identifies several benefits and associates these benefits with 
increments. For example, for Increment 1, the plan identifies such 
benefits as:

* prevention of entry of high-threat or inadmissible individuals 
through improved and/or advanced access to data before the foreign 
national's arrival,

* improved enforcement of immigration laws through improved data 
accuracy and completeness,

* reduction in foreign nationals remaining in the country under 
unauthorized circumstances, and

* reduced threat of terrorist attack and illegal immigration through 
improved identification of national security threats and inadmissible 
individuals.

As we previously reported, [NOTE 34] these benefits were identified in 
the fiscal year 2004 expenditure plan, although they were not 
associated with Increment 1.

Further, the fiscal year 2004 plan included planned metrics for the 
first two benefits identified above and stated that US-VISIT was 
developing metrics for measuring the projected benefits, including 
baselines by which progress can be assessed. However, the fiscal year 
2005 plan does not include any information on these metrics or on 
progress against any of the benefits. The fiscal year 2005 plan again 
states that performance measures are still under development.

While the plan does not associate any measures with the defined 
benefits, it does identify several measures and links them to the 
US-VISIT processes (pre-entry, entry, status management, exit, and 
analysis).

The plan also identifies examples of how US-VISIT is addressing its 
four stated goals. The examples, however, largely describe US-VISIT 
functions rather than measures of goal achievement. For example, in 
support of the stated goal of ensuring the integrity of our immigration 
system, the plan states that through US-VISIT, officers at primary 
inspection are able to instantly search databases of known criminals 
and known and suspected terrorists. It does not, however, identify how 
this ensures immigration system integrity.

Objective 2: Open Recommendations: 

Recommendation 5:

Open Recommendation 5: Ensure that future expenditure plans fully 
disclose how the US-VISIT acquisition is being managed.

Status: In progress:

The expenditure plan describes some activities being employed to manage 
the US-VISIT acquisition. For example, the plan describes the US-VISIT 
governance structure, as well as the program office organizational 
structure and staffing levels. The plan also describes certain 
management processes currently being used. For example, the plan states 
that US-VISIT program officials hold formal weekly meetings to discuss 
program risks/issues, schedule items, and critical path items. In 
addition, it states that formal points of contact for risk issues have 
been designated across the Increment Integrated Project teams and the 
US-VISIT program organization, and that US-VISIT is establishing a 
formal risk review board to review and manage risk.

However, the plan does not describe how other important aspects of the 
program are being managed, several of which are discussed in this 
briefing. For example, it does not describe how testing, system 
capacity, and systems configuration are being managed.

Objective 2: Open Recommendations: 

Recommendation 6:

Open Recommendation 6: Ensure that human capital and financial 
resources are provided to establish a fully functional and effective 
program office.

Status: Partially complete:

DHS established the US-VISIT program office in July 2003 and determined 
the office's staffing needs to be 115 government and 117 contractor 
personnel.

As of October 2004, DHS had filled 59 of the 115 government positions. 
Of those positions that have not been filled, 5 have reassignments in 
progress and 51 have competitive announcements pending. According to US-
VISIT, about half of these positions are to be filled when security 
clearances are completed.

In addition, US-VISIT has changed its organizational structure, and 
some positions were moved to other offices within US-VISIT. For 
example, the number of positions in the Office of Mission Operations 
Management decreased from 23 to 18, and the number of positions in the 
Office of Chief Strategist increased from 10 to 14. Also, the number of 
positions in the Office of Administration and Management (now called the 
Office of Administration and Training) increased from 10 to 11.

The graphic on the next page shows the US-VISIT program office 
organization structure and functions, the number of positions needed by 
each office, and the number of positions filled. This graphic reflects 
the recent changes to the US-VISIT organizational structure.

US-VISIT Program Organizational Structure, Functions, and Filled and 
Vacant Positions:

[See PDF for image]

Source: US-VISIT. 

[End of figure]

In addition to the 115 government staff that were anticipated, the 
program anticipated 117 contractor support staff. As of November 2004, 
program officials told us they had filled 88 of these 117 positions.

The expenditure plan also states that DHS has budgeted $83 million to 
maintain the program management structure and baseline operations, 
including, among other things, salaries and benefits for government 
full-time equivalents, personnel relocation costs, rent, and supplies.

Objective 2: Open Recommendations: 

Recommendation 7:

Open Recommendation 7: Clarify the operational context in which 
US-VISIT is to operate.

Status: In progress:

DHS is in the process of defining the operational context in which 
US-VISIT is to operate. In September 2003, DHS released version 1.0 of its 
enterprise architecture. [NOTE 35] We reviewed the initial version of 
the architecture and found that this architecture was missing, either 
partially or completely, all the key elements expected in a 
well-defined architecture, such as descriptions of business processes, 
information flows among these processes, and security rules associated 
with these information flows. [NOTE 36] Since we reviewed version 1.0, 
DHS has drafted version 2.0 of its architecture. We have not reviewed 
the draft, but DHS EA program officials told us this version focuses on 
departmental operations, and that later versions will incrementally 
focus on the national homeland security picture. This is important to 
the US-VISIT operational context because US-VISIT is a governmentwide 
program, including entities outside DHS, such as the Departments of 
State and Justice.

Objective 2: Open Recommendations: 

Recommendation 8:

Open Recommendation 8: Determine whether proposed US-VISIT increments 
will produce mission value commensurate with cost and risks.

Status: In progress:

US-VISIT developed a cost-benefit analysis (CBA) for Increment 2B, 
dated June 11, 2004. However, the CBA's treatment of both benefits and 
costs raises several issues, making it unclear whether Increment 2B 
will produce mission value commensurate with cost and risks.

First, the CBA primarily addresses government costs and is silent on 
some potential nongovernmental costs. For example, the CBA does not 
consider potential social costs like the economic impact on border 
communities.

Second, the CBA identifies two categories of quantifiable benefits, but 
it does not provide any quantitative or monetary estimates for those 
benefits. Instead, the CBA focuses on two categories of nonquantifiable 
benefits:

* strategic alignment benefits, such as the improvement of national 
security and the promotion of legitimate trade and travel, and

* operational performance benefits, such as improvement of traveler 
identification and validation of traveler documentation.

Moreover, the CBA does not explain why these benefits cannot be 
quantified. Also, the CBA states that none of the proposed alternatives 
result in a positive net present value or return on investment, which 
it attributes to the limited scope of Increment 2B.

Third, the CBA includes three alternatives and identifies alternative 3 
as the preferred alternative. However, US-VISIT is not pursuing 
alternative 3, but rather is pursuing an alternative more aligned with 
alternative 2. According to the Program Director, this is because 
alternative 3 was considered too ambitious to meet the statutory 
requirement that US-VISIT be implemented at the 50 busiest land POEs by 
December 31, 2004.

Objective 2: Open Recommendations: 

Recommendation 9:

Open Recommendation 9: Define US-VISIT program office positions, roles, 
and responsibilities.

Status: Partially complete:

US-VISIT has developed descriptions for positions within each office. 
In addition, US-VISIT has worked with the Office of Personnel 
Management (OPM) to draft a set of core competencies that define the 
knowledge, skills, abilities, and other characteristics (competencies) 
needed for successful employee performance. According to US-VISIT's 
draft Human Capital Plan, these core competencies will form the 
foundation for recruitment and selection, training and development, and 
employee performance evaluations. Currently, US-VISIT is using some of 
these draft core competencies in its employee performance appraisal 
process.

Objective 2: Open Recommendations: 

Recommendation 10:

Open Recommendation 10: Develop and implement a human capital strategy 
for the US-VISIT program office that provides for staffing positions 
with individuals who have the appropriate knowledge, skills, and 
abilities.

Status: Partially complete:

The US-VISIT program office awarded a contract to OPM to develop a 
draft Human Capital Plan. Our review of the draft plan showed that OPM 
developed a plan for US-VISIT that employed widely accepted human 
capital planning tools and principles.

OPM's recommendations to US-VISIT include the following:

* Develop and adopt a competency-based system and a corresponding human 
capital planning model that illustrate the alignment of US-VISIT's 
mission with individual and organizational performance.

* Conduct a comprehensive workforce analysis to determine diversity 
trends, retirement and attrition rates, and mission-critical and 
leadership competency gaps.

* Develop a leadership competency model and establish a formal 
leadership development program to ensure continuity of leadership.

* Link the competency-based human capital management system to all 
aspects of human resources, including recruitment, assessment, training 
and development, and performance.

The draft human capital plan includes an action plan that identifies 
activities, proposed completion dates, and the office (OPM or US-VISIT) 
responsible for completing these activities. According to OPM, it has 
completed its work under the draft plan. As of October 2004, US-VISIT 
had completed some of the activities called for in the draft plan. For 
example, US-VISIT's Office of Administration and Training has 
designated a liaison responsible for ensuring alignment between DHS and 
US-VISIT human capital policies.

However, it remains to be seen how full implementation of the plan will 
impact the US-VISIT program office. For example, the workforce analysis 
called for in the draft plan could result in a change in the number and 
competencies of the staff needed to implement US-VISIT.

Objective 2: Open Recommendations: 

Recommendation 11:

Open Recommendation 11: Develop a risk management plan and report all 
high risks and their status to the executive body on a regular basis.

Status: Partially complete:

The US-VISIT program office has developed a risk management plan (dated 
June 2, 2004) and process (dated June 9, 2004). The plan addresses, 
among other things, the process for identifying, analyzing, mitigating, 
tracking, and controlling risks. As part of its process, US-VISIT has 
developed a risk management database. The database includes, among 
other things, a description of the risk, its priority (e.g., high, 
medium, low), and mitigation strategy.

US-VISIT has also established the governance structure for managing 
risks. The governance structure includes three primary groups: the Risk 
Review Board, Risk Review Council, and Risk Management Team.

* The Risk Review Board provides overall decision making, communication, 
and coordination in regard to risk activities. The board is composed of 
senior-level staff, such as the program director and functional area 
directors.

* The Risk Review Council reviews initially reported risks, validates 
their categorizations, and ensures that a mitigation approach has been 
developed. It also serves as a filter for the Board by deciding which 
risks can be mitigated without being elevated to the Board.

* The Risk Management Team provides risk management expertise and 
institutional knowledge. This group is staffed by APMO.

According to the Director, APMO, US-VISIT has not reported high risks 
beyond the Review Board.

Objective 2: Open Recommendations: 

Recommendation 12:

Open Recommendation 12: Define performance standards for each US-VISIT 
increment that are measurable and reflect the limitations imposed by 
relying on existing systems.

Status: In progress:

Available documentation shows that some technical performance measures 
for Increments 1 and 2B have been defined. For example:

* Availability. [NOTE 37] The system will be available 99.5 percent of 
the time.

* Timeliness. [NOTE 38] Login, visa query, and TECS/NCIC default query 
will be less than 5 seconds; TECS optional queries will be less than 60 
seconds; and IDENT watch list queries will be less than 10 seconds 
(matcher time only).

* Output quantity. [NOTE 39] 70,000 primary inspection transactions per 
user, per day, with a maximum of 105,000 transactions during peak times.

However, other measures, such as reliability, [NOTE 40] resource 
utilization, [NOTE 41] and scalability, [NOTE 42] are not defined in 
the documentation. Further, the documentation does not contain 
sufficient information to determine the limitations imposed by US-
VISIT's reliance on existing systems that have less demanding 
performance requirements, such as TECS availability of 98.0 percent. 
Such information would include, for example, the processing sequencing 
and dependencies among the existing systems.

Objective 2: Open Recommendations: 

Recommendation 13:

Open Recommendation 13: Develop and approve test plans before testing 
begins. These test plans should (1) specify the test environment; (2) 
describe each test to be performed, including test controls, inputs, 
and expected outputs; (3) define the test procedures to be followed in 
conducting the tests; and (4) provide traceability between test cases 
and the requirements to be verified by the testing.

Status: In progress:

According to the US-VISIT Systems Assurance Director, the Increment 2B 
system acceptance test (SAT) plan was approved during an October 15, 
2004, test readiness review (TRR). However, no documentation was 
provided that explicitly indicated the approval of the plan, and the 
results of the TRR were not approved until October 28, 2004, which is 
11 days after the date we were told that acceptance testing began.

Further:

* The test plan does not fully address the test environment. For 
example, the plan does not describe the scope, complexity, and 
completeness of the test environment or identify necessary training. 
The plan does include generic descriptions of testing hardware, such as 
printers and card readers.

* The plan does not include descriptions of tests to be performed. 
However, officials from the IT Management Office provided us with other 
documentation describing the tests to be performed that included 
expected outputs, but it did not include inputs or controls.

* The plan does not provide test procedures to be followed in 
conducting the tests.

* The plan does not provide traceability between test cases and the 
requirements to be verified by the testing. Our analysis of the 116 
requirements identified in the consolidated requirements document 
showed that:

- 39 requirements mapped to test cases that lacked sufficient detail to 
determine whether the test cases are testable,

- 15 requirements did not have test cases,

- 2 requirements were labeled "not testable," and

- 1 requirement was identified as "TBD," but was mapped to an actual 
test case.

Objective 2: Open Recommendations: 

Recommendation 14:

Open Recommendation 14: Ensure the independence of the Independent 
Verification and Validation (IV&V) contractor.

Status: In progress:

According to the US-VISIT Program Director, the US-VISIT IT Management 
Office is developing high-level requirements for IV&V. In particular, 
it is developing a strategy and statement of work for acquiring an IV&V 
contractor.

Objective 2: Open Recommendations: 

Recommendation 15:

Open Recommendation 15: Implement effective configuration management 
practices, including establishing a US-VISIT change control board to 
manage and oversee system changes.

Status: Planned:

According to US-VISIT's draft configuration management (CM) plan, dated 
July 2004, and US-VISIT officials, US-VISIT has not yet developed or 
implemented US-VISIT-level configuration management practices or a 
change control board. In the interim, for Increments 1, 2A and 213, US- 
VISIT continues to follow relevant IDENT, ADIS, and TECS configuration 
management procedures, including applicable change control boards and 
system change databases. According to the US-VISIT System Assurance 
Director, for Increment 213, US-VISIT is using the TECS change requests 
database for US-VISIT change requests, including those for IDENT and 
ADIS.

The draft configuration management plan describes key configuration 
activities that are to be defined and implemented, including (1) 
defining and identifying processes and products to be controlled; (2) 
evaluating, coordinating, and approving/rejecting changes to controlled 
items; (3) recording and monitoring changes to the controlled items; 
and (4) verifying that the controlled items meet their requirements and 
are accurately documented.

The draft plan also proposes a governance structure, including change 
control boards. The proposed governance structure includes the 
following:

* A US-VISIT CM team is responsible for implementing, controlling, 
operating, and maintaining all aspects of configuration management and 
administration for US-VISIT. The team is to be composed of a CM 
manager, CM team staff, DHS system CM liaisons, prime integrator CM 
liaison, and testers and users.

* A change control board is to serve as the ultimate authority on 
changes to any US-VISIT system baseline, decide the content of system 
releases, and approve the schedule of releases.

Objective 2: Open Recommendations: 

Recommendation 16:

Open Recommendation 16: Identify and disclose management reserve 
funding embedded in the fiscal year 2004 expenditure plan to the 
Appropriations Subcommittees.

Status: Complete:

The US-VISIT program office reported the management reserve funding of 
$33 million for fiscal year 2004 to the Appropriations Subcommittees. 
According to the Deputy Program Manager, US-VISIT provided this 
information in a briefing to the Subcommittee staff.

Objective 2: Open Recommendations: 

Recommendation 17:

Open Recommendation 17: Ensure that all future US-VISIT expenditure 
plans identify and disclose management reserve funding.

Status: Complete:

The fiscal year 2005 expenditure plan specified management reserve 
funding of $23 million.

Objective 2: Open Recommendations: 

Recommendation 18:

Open Recommendation 18: Assess the full impact of Increment 2B on land 
POE workforce levels and facilities, including performing appropriate 
modeling exercises.

Status: Partially complete:

US-VISIT conducted an Increment 2B baseline analysis to help determine 
the impact of Increment 2B on workforce and travelers. The analyses 
included three sites and addressed the Form I-94 issuance process and 
the Form I-94W [NOTE 43] process in secondary inspection. According to 
program officials, additional staff will not be needed to implement 2B 
at the border. Instead, US-VISIT has developed a plan to train existing 
Customs and Border Protection officers on the collection of traveler 
entry data, has completed the "train the trainer" classes at the 
training academy, and has begun training at three land POEs.

In addition, US-VISIT has conducted space utilization surveys at all of 
the 166 land POEs and completed survey reports at 16 of the 50 busiest 
land POEs. US-VISIT expects to have completed survey reports for the 
remaining 34 busiest land POEs during the fall of 2004. According to 
the 16 completed survey reports, existing traffic at most of these 
facilities was at or near capacity and the facilities had no room for 
expansion. However, US-VISIT officials said that Increment 2B will not 
require expansion at any facilities; rather, it will require mostly 
minor modifications, such as the installation of new or updated 
countertops and electrical power outlets to accommodate new equipment.

Objective 2: Open Recommendations: 

Recommendation 19:

Open Recommendation 19: Develop a plan, including explicit tasks and 
milestones, for implementing all our open recommendations and 
periodically report to the DHS Secretary and Under Secretary on 
progress in implementing this plan; also report this progress, 
including reasons for delays, in all future US-VISIT expenditure plans.

Status: In progress:

The US-VISIT program office has developed a report for tracking the 
status of our open recommendations. This report is shared with the 
program office director, but according to the Deputy Program Director, 
it is not shared with the Secretary and Under Secretary. In addition, 
he stated that the program office meets weekly with the Under 
Secretary, but the status of our recommendations is not discussed.

The fiscal year 2005 expenditure plan summarizes our recommendations, 
but it does not identify tasks and milestones for implementing them or 
discuss progress in implementing them.

Objective 3: Observations: 

Contract:

Observation 1: The program office has acquired the services of a prime 
integration contractor to augment its ability to complete US-VISIT.

DHS reported in its fiscal year 2004 US-VISIT expenditure plan that it 
had intended to award a contract by the end of May 2004 to a prime 
contractor for integrating existing and new business processes and 
technologies. US-VISIT awarded the contract on time. Specifically, on 
May 28, 2004, DHS awarded its prime contract to Accenture LLP and its 
related partners.

Objective 3: Observations: 

Progress:

Observation 2: The fiscal year 2005 Expenditure Plan does not describe 
progress against commitments (e.g., capabilities, schedule, cost, and 
benefits) made in previous plans.

Given the immense importance of the US-VISIT program to the security of 
our nation's borders and the need to acquire and implement it 
efficiently and effectively, the Congress has placed limitations on the 
use of appropriations for the US-VISIT program until DHS submits 
periodic expenditure plans.

As we had previously reported, [NOTE 44] to permit meaningful 
congressional oversight, it is important that expenditure plans 
describe how well DHS is progressing against the commitments made in 
prior expenditure plans.

The fiscal year 2005 expenditure plan does not describe progress 
against commitments made in prior expenditure plans. For example, in 
its fiscal year 2004 expenditure plan, US-VISIT committed to, among 
other things,

* analyzing, field testing, and initiating deployment of alternative 
approaches for capturing biometrics during the exit process at air and 
sea POEs and

* implementing entry and exit capabilities at the 50 busiest land POEs 
by December 31, 2004, including delivering the capability to read radio 
frequency enabled documents at the 50 busiest land POEs for both entry 
and exit processes.

The fiscal year 2005 plan does not address progress against these 
commitments. For example, the plan does not describe the status of the 
exit pilot testing or deployment, such as whether it has met its target 
schedule or whether the schedule has slipped. While the plan does state 
that US-VISIT will expand its pilot sites during the summer and fall of 
2004 and deploy the exit solution during fiscal year 2005, it does not 
explain the reason for the change or its potential impact.

The following graphic provides our analysis of the commitments made in 
the fiscal year 2003 and 2004 plans, compared with currently reported 
and planned progress.

Time Line Comparing Commitments Made in the US-VISIT Fiscal Year 2003 
and 2004 Plans with Current Commitments and Reported Progress:

[See PDF for image]

Source: US-VISIT, GAO (analysis).

[End of figure]

Further, the fiscal year 2004 plan states that $45 million in fiscal 
year 2004 funds were to be used for exit activities. However, the 
fiscal year 2005 plan states that $73 million in fiscal year 2004 funds 
were to be used for exit activities, but does not highlight this 
difference or address the reason for the change in budget amounts.

Also, the fiscal year 2005 expenditure plan includes benefits stated in 
the fiscal year 2004 plan, but it does not provide progress in 
addressing those benefits, despite the fact that, in the fiscal year 
2004 plan, US-VISIT stated that it was developing metrics for measuring 
the projected benefits, including baselines by which progress could be 
assessed. The fiscal year 2005 plan again states that performance 
measures are under development.

This information is needed to allow meaningful congressional oversight 
of plans and progress.

Objective 3: Observations: 

Exit Deployment:

Observation 3: The exit capability alternatives are faced with a 
compressed time line, missed milestones, and potentially reduced scope.

On January 5, 2004, US-VISIT deployed an initial exit capability in 
pilot status to two POEs. At that time, the Program Director stated 
that US-VISIT was developing other exit alternatives, along with 
criteria for evaluating and selecting one or more of the alternatives 
by December 31, 2004.

Planned evaluation time line compressed:

In May 2004, US-VISIT issued an Exit Pilot Evaluation Execution Plan. 
This plan states that three alternative exit solutions are to be 
evaluated while deployed to a total of 15 air and sea POEs. The plan 
allotted about 3 months to conduct the evaluation and report the 
results. Specifically, the deployment was to be completed by August 1, 
2004, and all exit pilot evaluation tasks were to be completed by 
September 30, 2004, with an evaluation report finished by October 28, 
2004.

However, according to the exit master schedule provided to us on 
October 26, 2004, the three alternatives were scheduled to be fully 
deployed by October 29, 2004, and all evaluation tasks are to be 
completed on December 6, 2004, with delivery of the evaluation report 
on December 30, 2004, which is about a 2-month evaluation and reporting 
period.

The following graphic illustrates how the exit pilot schedule has been 
shortened from the originally planned 3 months to the currently planned 
2 months and compares the original plan with the current plan.

Changes in Planned Exit Pilot Evaluation Period:

[See PDF for image] 

Source: US-VISIT, GAO (analysis).

[End of figure]

Objective 3: Observations: 

Exit Deployment:

Pilot deployment delayed:

As of November 8, 2004, the three alternatives were deployed and 
operational in only 5 of the 15 POEs that were to be operational by 
November 1.

According to the Exit Implementation Manager, all ports had received 
and installed the exit equipment. However, the requisite number of 
contract employees (WSAs) is not yet available to make all 15 POEs 
operational because of delays in DHS granting security clearances to 
the attendants. The manager stated that a recent meeting with DHS 
security officials has helped to improve the pace of finalized security 
clearances, but the manager did not know when the remaining 10 ports 
would become operational.

Potentially reduced evaluation scope:

The Evaluation Execution Plan describes the evaluation methodology that 
is to be employed for the three alternatives. An important element of 
that methodology is the targeted sample size per port. For each port, a 
targeted number of outbound passengers will be processed by the three 
alternatives and data gathered on these encounters. The plan's 
specified sample sizes are described as sufficient to achieve a 95 
percent confidence level with a margin of error of 5 percent. According 
to the Exit Implementation Manager, the desired sample size will be 
collected at each port, despite the compressed time frame for 
conducting the evaluations, by adding additional personnel to the 
evaluation teams if needed.

These changing facts and circumstances surrounding the exit pilot 
introduce additional risk concerning US-VISIT's delivery of promised 
capabilities and benefits on time and within budget.

On November 12, 2004, US-VISIT issued a revised draft Exit Pilot 
Evaluation Plan. However, the plan does not address any of the concerns 
cited, in part because it does not include a planned completion date. 
Instead, the plan states that the evaluation period is planned for 
October 31, 2004, until completion. Without a planned completion date, 
it is not possible to determine the length of the evaluation period or 
any impact that the length of the evaluation may have on the 
evaluation's scope.

Objective 3: Observations: 

Collaboration:

Observation 4: US-VISIT and Automated Commercial Environment (ACE) 
collaboration is moving slowly.

The US-VISIT EA alignment analysis document describes a port of 
entry/exit management conceptual project that is to establish uniform 
processes at POEs and the capability to inspect and categorize people 
and goods and act upon the information collected. The document 
recognizes that both US-VISIT and ACE [NOTE 45] support this project 
because they have related missions and a planned presence at the 
borders, including the development and deployment of infrastructure and 
technology.

We recognized the relationships between these two programs in February 
2003, [NOTE 46] when we recommended that future ACE expenditure plans 
specifically address any proposals or plans, whether tentative or 
approved, for extending and using ACE infrastructure to support other 
homeland security applications.

In February 2004, US-VISIT and ACE managers met to identify potential 
areas for collaboration between the two programs and to clarify how the 
programs could best support the DHS mission and provide officers with 
the information and tools they need. During the meeting, US-VISIT and 
ACE managers recognized that the system infrastructure built to support 
the two programs was likely to become the infrastructure for future 
border security processes and system applications. Further, they 
identified four areas of collaboration: business cases; program 
management; inventory; and people, processes, and technology. These 
areas were later refined to be:

* program management and business case coordination, which includes 
such activities as creating a high-level integrated master schedule for 
both programs; sharing acquisition strategies, plans, and practices; 
and coordinating business case activities, such as OMB budget 
submissions and acquisition management baselines;

* inventory, which includes identifying connections among legacy 
systems and establishing a technical requirements and architecture team 
to review, among other things, system interfaces, data formats, and 
system architectures; and

* people, processes, and technology, which includes establishing a team 
to review deployment schedules and establishing a team and process to 
review and normalize business requirements.

In August 2004, the US-VISIT and ACE programs tasked their respective 
contractors to form collaboration teams to address the three areas. 
Nine teams have been formed:

* investment management; 
* business;
* organizational change management; 
* facilities;
* information and data; 
* technology;
* privacy and security;
* deployment, operations, and maintenance; and 
* program management.

The teams met in September 2004 to develop team charters, identify 
specific collaboration opportunities, and develop time lines and next 
steps. In October 2004, US-VISIT and ACE contractors met US-VISIT and 
ACE management to present their preliminary results. According to a 
US-VISIT official, the team charters have not yet been formally approved.

Since we recommended steps to promote close collaboration between these 
two programs, about 20 months have passed, and explicit plans have not 
been developed nor actions taken to understand US-VISIT/ACE 
dependencies and relationships so that these can be exploited to 
optimize border operations. During this time and in the near future, 
the management of both programs have been and will be making and acting 
on decisions to further define, design, develop, and implement their 
respective programs. The longer it takes for the programs to exploit 
their relationships, the more rework will be needed at a later date to 
integrate the two programs. According to the US-VISIT Program Director, 
the pace of collaboration activities has been affected by scheduling 
and priority conflicts, as well as staff availability.

Objective 3: Observations: 

Capacity Management:

Observation 5: US-VISIT system capacity is being managed in a 
compartmentalized manner.

Capacity management is intended to ensure that systems are properly 
designed and configured for efficient performance and have sufficient 
processing and storage capacity for current, future, and unpredictable 
workload requirements. Capacity management includes (1) demand 
forecasting, (2) capacity planning, and (3) performance management. 
Demand forecasting ensures that the future business requirement 
workloads are considered and planned. Capacity planning involves 
determining current and future resource requirements and ensuring that 
they are acquired and implemented in a timely and cost-effective 
manner. Performance management involves monitoring the performance of 
system resources to ensure required service levels are met.

The US-VISIT system, as noted earlier, is actually a system made up of 
various pre-existing (or legacy) systems that are operated by different 
DHS organizational components and that have been enhanced and 
interfaced.

Currently, DHS does not have a capacity management program. Instead, 
the US-VISIT IT Management Office relies on the performance management 
activities of the respective pre-existing DHS systems. For example:

* A quarterly report provided by the Customs and Border Protection 
Systems Engineering Branch Performance Engineering Team tracks such 
system measures as transaction volume, central processing unit 
utilization, and workload growth.

* Immigration and Customs Enforcement tracks such system measures as 
hourly and daily transaction rates and response times.

According to the program office, the system-of-systems nature of 
US-VISIT does not lend itself to easily tracking systemwide performance. 
Nevertheless, program officials told us that the US-VISIT program has 
tasked two of its contractors with developing a comprehensive 
performance management and capacity planning effort. Until this is 
developed, the program will continue to rely on component system 
performance management activities to ensure that US-VISIT system 
resources are sufficient to meet current US-VISIT workloads, which 
increases the risk that they may not be able to adequately support 
US-VISIT mission needs.

Objective 3: Observations: 

Cost Estimate:

Observation 6: The cost estimating process used for Increment 2B did 
not follow some key best practices.

SEI recognizes the need for reliable cost-estimating processes in 
managing software-intensive system acquisitions. To this end, SEI has 
issued a checklist [NOTE 47] to help determine the reliability of cost 
estimates. Our analysis found that US-VISIT did not fully satisfy most 
of the criteria on SEI's checklist.

The US-VISIT Increment 2B estimate met two of the checklist items that 
we evaluated, partially met six, and did not meet five. For example, US-
VISIT provided no evidence that Increment 2B was appropriately sized. 
Specifically, costs related to development and integration tasks for 
the TECS, IDENT, and ADIS systems are specified, but estimated software 
lines of code to be reused, modified, added, or deleted are not. As 
another example, no one outside the US-VISIT program office reviewed 
and concurred with the cost estimating categories and methodology.

The table on the following slides summarizes our analysis of the extent 
to which US-VISIT's cost-estimating process for Increment 2B met SEI's 
criteria.

Summary of US-VISIT Satisfaction of SEI Criteria:

Criterion: 1. The objectives of the estimate are stated in writing; 
Satisfies: Yes[A]. 

Criterion: 2. The life cycle to which the estimate applies is clearly 
defined; 
Satisfies: Partially[B]. 

Criterion: 3. The task has been appropriately sized (e.g., software 
lines of code); 
Satisfies: No[C].

Criterion: 4. The estimated cost and schedule are consistent with 
demonstrated accomplishments on other projects; 
Satisfies: Partially. 

Criterion: 5. A written summary of parameter values[D] and their 
rationales accompanies the estimate; 
Satisfies: Partially. 

Criterion: 6. Assumptions have been identified and explained; 
Satisfies: Yes. 

Criterion: 7. A structured process such as a template or format has 
been used to ensure that key factors have not been overlooked; 
Satisfies: Partially. 

Criterion: 8. Uncertainties in parameter values have been identified 
and quantified; 
Satisfies: Partially. 

Criterion: 9. If a dictated schedule has been imposed, an estimate of 
the normal schedule has been compared to the additional expenditures 
required to meet the dictated schedule; 
Satisfies: No.

Criterion: 10. If more than one cost model or estimating approach has 
been used, any differences in results have been analyzed and explained; 
Satisfies: No. 

Criterion: 11. Estimators independent of the performing organization 
concurred with the reasonableness of the parameter values and 
estimating methodology; 
Satisfies: No. 

Criterion: 12. Estimates are current; 
Satisfies: Partially. 

Criterion: 13. The results of the estimate have been integrated with 
project planning and tracking; 
Satisfies: No. 

Source: GAO.

[A] US-VISIT provided substantiating evidence for the criterion.

[B] US-VISIT provided partial evidence, including testimonial evidence, 
for the criterion. 

[C] No evidence was found for the criterion.

[D] Parameter values are the lowest level of the cost categories used 
to develop the cost estimate.

[End of table]

Without reliable cost estimates, the ability to make informed 
investment decisions and effectively measure progress and performance 
is reduced.

Conclusions:

The fiscal year 2005 expenditure plan (with related program office 
documentation and representations) either partially satisfies or 
satisfies the legislative conditions imposed by Congress. Further, 
steps are planned, initiated, under way, or completed to address all of 
our open recommendations. However, overall progress in addressing the 
recommendations has been slow, leaving considerable work to be done. 
Given that most of these open recommendations are aimed at correcting 
fundamental limitations in DHS's ability to manage the program in a way 
that ensures the delivery of (1) mission value commensurate with costs 
and (2) promised capabilities on time and within budget, it is 
important that DHS implement the recommendations quickly and completely 
through effective planning and continuous monitoring and reporting. 
Until this occurs, the program will be at high risk of not meeting its 
stated goals on time and within budget.

To its credit, the program office now has its prime contractor on board 
to support both near-term increments and to plan for and deliver the 
yet-to-be-defined US-VISIT strategic solution. However, it is important 
to recognize that this accomplishment is a beginning and not an end. 
The challenge for DHS is now to effectively and efficiently work with 
the prime contractor in achieving desired mission outcomes.

To accomplish this, it is important that DHS move swiftly in building 
its program management capacity, which is not yet in place, as shown by 
the status of our open recommendations and our recent observations 
about (1) economic justification of US-VISIT Increment 2B, (2) 
completion of the exit pilot evaluation, (3) collaboration with a 
closely related import/export processing and border security program, 
(4) system capacity management activities, and (5) cost-estimating 
practices. Moreover, it is important that DHS improve its measurement 
and disclosure to its Appropriations Subcommittees of its progress 
against commitments made in prior expenditure plans, so that the 
Subcommittees' ability to effectively oversee US-VISIT's plans and 
progress is not unnecessarily constrained.

Nevertheless, the fact remains that the program continues to invest 
hundreds of millions of dollars for a mission-critical capability under 
circumstances that introduce considerable risk that cost-effective 
mission outcomes will not be realized. At a minimum, it is incumbent 
upon DHS to fully disclose these risks, along with associated 
mitigation steps, to executive and congressional leaders so that timely 
and informed decisions about the program can be made.

Recommendations for Executive Action:

To better ensure that the US-VISIT program is worthy of investment and 
is managed effectively, we reiterate our prior recommendations and 
further recommend that the Secretary of DHS direct the Under Secretary 
for Border and Transportation Security to ensure that the US-VISIT 
program director takes the following actions:

* Fully and explicitly disclose in all future expenditure plans how 
well DHS is progressing against the commitments that it made in prior 
expenditure plans.

* Reassess its plans for deploying an exit capability to ensure that 
the scope of the exit pilot provides for adequate evaluation of 
alternative solutions, and better ensures that the exit solution 
selected is in the best interest of the program.

* Develop and implement processes for managing the capacity of the 
US-VISIT system.

* Follow effective practices for estimating the costs of future 
increments.

* Make understanding the relationships and dependencies between the 
US-VISIT and ACE programs a priority matter, and report periodically to 
the Under Secretary on progress in doing so.

Agency Comments:

We provided this briefing to, and discussed its contents with, US-VISIT 
program officials, including the Program Director. These officials 
stated that they generally agreed with our findings, conclusions, and 
recommendations. They also provided technical comments on the briefing, 
which we have incorporated into the briefing, as appropriate.

With respect to the program accomplishments during fiscal year 2004, 
the Program Director also stated that US-VISIT has continued to operate 
as intended every day at air and sea POEs, and it has produced such 
accomplishments as making the country more secure while expanding its 
coverage to include visitors from visa waiver countries. The director 
further stated that while the program's management capability is not 
yet mature and has much to accomplish, progress to date has been 
limited by a shortage of staff.

Attachment 1: 

Scope and Methodology:

To accomplish our objectives, we performed the following tasks:

* We analyzed the expenditure plan against legislative conditions and 
other relevant federal requirements, guidance, and best practices to 
determine the extent to which the conditions were met.

* We analyzed key acquisition management controls documentation and 
interviewed program officials to determine the status of our open 
recommendations.

* We analyzed supporting documentation and interviewed DHS and US-VISIT 
program officials to determine capabilities in key program management 
areas, such as enterprise architecture and capacity management.

* We analyzed Increment 2B systems and software testing documentation 
and compared them with relevant guidance to determine completeness.

* We attended program working group meetings.

* We assessed the reliability of US-VISIT's Increment 2B cost estimate 
by selecting 13 criteria from the SEI checklist [NOTE 48] that, in our 
professional judgment, represent the minimum set of criteria necessary 
to develop a reliable cost estimate. We analyzed the Increment 2B 
cost-benefit analysis and supporting documentation and interviewed program 
officials to determine how the estimate was derived. We then assessed 
each of the criteria as satisfied (US-VISIT provided substantiating 
evidence for the criterion), partially satisfied (US-VISIT provided 
partial evidence, including testimonial evidence, for the criterion), 
and not satisfied (no evidence was found for the criterion).

* We did not review the State Department's implementation of 
machine-readable, tamper-resistant visas that use biometrics.

For DHS-provided data that our reporting commitments did not permit us 
to substantiate, we have made appropriate attribution indicating the 
data's source.

We conducted our work at US-VISIT program offices in Rosslyn, Virginia, 
from June 2004 through November 2004, in accordance with generally 
accepted government auditing standards.

Attachment 2: 

Recent US-VISIT Studies:

Recent Studies of US-VISIT:

Border Security. State Department Rollout of Biometric Visas on 
Schedule, but Guidance Is Lagging. GAO-04-1001. Washington, D.C.: 
September 9, 2004.

Border Security. Joint, Coordinated Actions by State and DHS Needed to 
Guide Biometric Visas and Related Programs. GAO-04-1080T. Washington, 
D.C.: September 9, 2004.

Homeland Security: First Phase of Visitor and Immigration Status 
Program Operating, but Improvements Needed. GAO-04-586. Washington, 
D.C.: May 11, 2004.

DHS Office of Inspector General. An Evaluation of the Security 
Implications of the Visa Waiver Program. OIG-04-26. Washington, D.C.: 
April 2004.

Homeland Security: Risks Facing Key Border and Transportation Security 
Program Need to Be Addressed. GAO-04-569T. Washington, D.C.: March 18, 
2004.

Homeland Security: Risks Facing Key Border and Transportation Security 
Program Need to Be Addressed. GAO-03-1083. Washington, D.C.: September 
19, 2003.

Information Technology. Homeland Security Needs to Improve Entry Exit 
System Expenditure Planning. GAO-03-563. Washington, D.C.: June 9, 2003.

NOTES: 

[1] Pub. L. 108-334 (Oct. 18, 2004).

[2] OMB Circular A-11 establishes policy for planning, budgeting, 
acquisition, and management of federal capital assets.

[3] ACE is a new trade processing system planned to support the 
movement of legitimate imports and exports and strengthen border 
security.

[4] An indefinite-delivery/indefinite-quantity contract provides for an 
indefinite quantity, within stated limits, of supplies or services 
during a fixed period of time. The government schedules deliveries or 
performance by placing orders with the contractor. 

[5] Accenture's partners include, among others, Raytheon Company, the 
Titan Corporation, and SRA International, Inc.

[6] 8 C.F.R. 235.1(d)(1)(iv) and 215.8(a)(2) state that classes of 
travelers that are not subject to US-VISIT are foreign nationals 
admitted on A-1, A-2, C-3 (except for attendants, servants, or personal 
employees of accredited officials), G-1, G-2, G-3, G-4, NATO-1, NATO-2, 
NATO-3, NATO-4, NATO-5, or NATO-6 visas; certain Taiwan officials who 
hold E-1 visas and members of their immediate families who hold E-1 
visas, unless the Secretary of State and the Secretary of Homeland 
Security jointly determine that a class of such aliens should be 
subject to the rule; children under the age of 14; persons over the age 
of 79; classes of aliens to whom the Secretary of Homeland Security and 
the Secretary of State jointly determine it shall not apply; and an 
individual alien to whom the Secretary of Homeland Security, the 
Secretary of State, or the Director of Central Intelligence determines 
shall not be subject to the rule.

[7] At that time, the pilot employed a self-serve kiosk to capture 
biographic information and biometric data (two index fingerprints). The 
pilots are deployed to Miami Royal Caribbean seaport and the 
Baltimore/Washington International Airport. 

[8] Chicago O'Hare International Airport, Denver International Airport, 
and Dallas/Ft. Worth International Airport.

[9] Pub. L. 108-299 (Aug. 9, 2004) extended the deadline from October 
26, 2004, to October 26, 2005.

[10] Secondary inspection is used for more detailed inspections that 
may include checking more databases, conducting more intensive 
interviews, or both.

[11] As required by the Immigration and Naturalization Service Data 
Management Improvement Act of 2000, 8 U.S.C. 1365a(d)(2).

[12] The three sites are Laredo, Texas; Port Huron, Michigan; and 
Douglas, Arizona.

[13] Radio frequency (RF) technology relies on proximity cards and card 
readers. RF devices read the information contained on the card when the 
card is passed near the device and can also be used to verify the 
identity of the cardholder.

[14] As required by the Immigration and Naturalization Service Data 
Management Improvement Act of 2000, 8 U.S.C. 1365a(d)(3).

[15] Lookout data sources include DHS's Customs and Border Protection 
and Immigration and Customs Enforcement; the Federal Bureau of 
Investigation (FBI); legacy DHS systems; the U.S. Secret Service; the 
U.S. Coast Guard; the Internal Revenue Service; the Drug Enforcement 
Agency; the Bureau of Alcohol, Tobacco, & Firearms; the U.S. Marshals 
Service; the U.S. Office of Foreign Asset Control; the National Guard; 
the Treasury Inspector General; the U.S. Department of Agriculture; the 
Department of Defense Inspector General; the Royal Canadian Mounted 
Police; the U.S. State Department; Interpol; the Food and Drug 
Administration; the Financial Crimes Enforcement Network; the Bureau of 
Engraving and Printing; and the Department of Justice Office of Special 
Investigations.

[16] Includes data such as FBI information on all known and suspected 
terrorists, selected wanted persons (foreign-born, unknown place of 
birth, previously arrested by DHS), and previous criminal histories for 
high-risk countries; DHS Immigration and Customs Enforcement 
information on deported felons and sexual registrants; and DHS 
information on previous criminal histories and previous IDENT 
enrollments. Information from the FBI includes fingerprints from the 
Integrated Automated Fingerprint Identification System.

[17] 8 U.S.C. 1221(a).

[18] The I-94 form is used to track the arrival and departure of 
nonimmigrants. It is divided into two parts. The first part is an 
arrival portion, which includes, for example, the nonimmigrant's name, 
date of birth, and passport number. The second part is a departure 
portion, which includes the name, date of birth, and country of 
citizenship.

[19] 8 U.S.C. 1221(b).

[20] Datashare includes a data extract from State's CCD system and 
includes the visa photograph, biographical data, and the fingerprint 
identification number assigned when a nonimmigrant applies for a visa.

[21] Effective March 1, 2003, INS became part of DHS.

[22] Department of Homeland Security Enterprise Architecture Compendium 
Version 1.0 and Transitional Strategy.

[23] GAO, Homeland Security. Efforts Under Way to Develop Enterprise 
Architecture, but Much Work Remains, GAO-04-777 (Washington, D.C.: Aug. 
6, 2004).

[24] The Center of Excellence supports the Enterprise Architecture 
Board in reviewing component documentation. The purpose of the Board is 
to ensure that investments are aligned with the DHS EA.

[25] The SA-CMM ranks organizational maturity according to five levels. 
Maturity levels 2 through 5 require verifiable existence and use of 
certain key process areas.

[26] According to DHS Delegation Number 0201.1, the Secretary of 
Homeland Security delegated authority to the Under Secretary for 
Management for, among other things, the budget, appropriations, and 
expenditure of funds.

[27] US-VISIT Program, Security Plan for US-VISIT Program Version 1.1 
(Sept. 13, 2004).

[28] OMB Circular A-130, Revised (Transmittal Memorandum No. 4), 
Appendix III, Security of Federal Automated Information Resources (Nov. 
28, 2000) and NIST, Guide for Developing Security Plans for Information 
Technology Systems, NIST Special Publication 800-18 (December 1998).

[29] OMB, Guidance for Implementing the Privacy Provisions of the 
E-Government Act of 2002, OMB M-03-22 (Sept. 26, 2003).

[30] 5 U.S.C. 552(a).

[31] The purpose of transition to support is to provide for the 
effective and efficient "handing off" of the acquired software products 
to the support organization responsible for software maintenance.

[32] CMU/SEI-2004-TR-001 (February 2004).

[33] Department of Homeland Security Appropriations Act, 2005, Pub. L. 
108-334 (Oct. 18, 2004).

[34] GAO, Homeland Security. First Phase of Visitor and Immigration 
Status Program Operating, but Improvements Needed, GAO-04-586 
(Washington, D.C.: May 11, 2004).

[35] Department of Homeland Security Enterprise Architecture Compendium 
Version 1.0 and Transitional Strategy.

[36] GAO, Homeland Security. Efforts Under Way to Develop Enterprise 
Architecture, but Much Work Remains, GAO-04-777 (Washington, D.C.: Aug. 
6, 2004).

[37] The time the system is operating satisfactorily, expressed as a 
percentage of time that the system is required to be operational.

[38] The time needed to perform a unit of work correctly and on time. 

[39] The number of transactions processed.

[40] The probability that a system, including all hardware, firmware, 
and software, will satisfactorily perform the task for which it was 
designed.

[41] A ratio representing the amount of time a system or component is 
busy divided by the time it is available. 

[42] Ability of a system to function well when it is changed in size or 
volume.

[43] I-94W is used for foreign nationals from visa waiver countries.

[44] GAO, Information Technology. Homeland Security Needs to Improve 
Entry Exit System Expenditure Planning, GAO-03-563 (Washington, D.C.: 
June 9, 2003).

[45] ACE is a new trade processing system planned to support the 
movement of legitimate imports and exports and strengthen border 
security.

[46] GAO, Customs Service Modernization: Automated Commercial 
Environment Progressing, but Further Acquisition Management 
Improvements Needed, GAO-03-406 (Washington, D.C.: Feb. 28, 2003).

[47] Carnegie Mellon University Software Engineering Institute, A 
Manager's Checklist for Validating Software Cost and Schedule 
Estimates, CMU/SEI-95-SR-004 (January 1995).

[48] Carnegie Mellon University Software Engineering Institute, A 
Manager's Checklist for Validating Software Cost and Schedule 
Estimates, CMU/SEI-95-SR-004 (January 1995).

[End of slide presentation]

[End of section]

Appendix II: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington DC 20528:

January 28, 2005:

Randolph C. Hite:
Director, Information Technology Architecture and Systems Issues:
U.S. Government Accountability Office: 
Washington, DC 20548:

Dear Mr. Hite:

Thank you for the opportunity to review the draft report, Homeland 
Security: Some Progress Made, but Many Challenges Remain on U.S. 
Visitor and Immigrant Status Indicator Technology Program (GAO-05-202). 
The Department of Homeland Security concurs with GAO's findings and 
recommendations.

I believe it is important to note for the record that US-VISIT has been 
extremely successful in fulfilling its mission. As you know, US-VISIT 
represents the greatest advancement in border technology in three 
decades.

Since its start on January 5, 2004, the US-VISIT program has 
demonstrated solid accomplishments against its four stated goals: 
Enhancing the security of our citizens and visitors; facilitating 
legitimate travel and trade; ensuring the integrity of our immigration 
system; and protecting the privacy of our visitors.

Our efforts to enhance the security of our citizens and visitors have 
produced tangible results. We have taken adverse action against more 
than 400 wanted criminals, smugglers, violent felons, immigration 
violators, and escaped prisoners attempting to enter the United States. 
With the use of biometric identifiers - specifically digital 
fingerscans and photographs - we are protecting our visitors by making 
it virtually impossible for anyone else to claim their identity should 
their travel documents be stolen or duplicated. And U.S. Customs and 
Border Protection Officers at inspection areas instantly search 
biographical and biometric databases of known criminals and known and 
suspected terrorists.

To facilitate legitimate travel and trade, we have so far enrolled over 
16.9 million foreign visitors in US-VISIT. Visa Waiver Program 
travelers began participating in US-VISIT on September 30, 2004. The 
Visa Waiver Program allows foreign visitors from 27 countries to visit 
the United States for a temporary period not to exceed 90 days without 
having to first obtain a tourist or visitor visa. In FY 2003, over 13 
million visitors to the United States entered using the Visa Waiver 
Program.

The implementation of US-VISIT at the 50 busiest land ports of entry 
was completed on December 29, 2004, two days ahead of schedule. Initial 
feedback from the land ports of entry is that US-VISIT deployment is, 
in almost every case, expediting processing times for those visitors 
who are subject to US-VISIT procedures. Travelers have not been 
inconvenienced and, in fact, wait times have actually gone slightly 
down; and surveys from travelers show the vast majority do not mind 
this biometric procedure. US-VISIT has gained worldwide acceptance and 
has inspired the European Union to recently announce the inclusion of 
fingerprints into its biometric passport and visa issuance processes.

Our work has also enhanced the integrity of the United States' 
immigration system. US-VISIT compares arrival and departure 
biographical manifest data provided by the airlines and cruise lines to 
know when someone entered and exited the country. Pilot exit testing 
programs are now ongoing at international airports in Chicago, 
Baltimore-Washington, Dallas-Ft. Worth, and Denver, as well as the 
Miami seaport, with plans to expand pilots to 10 more sites. We will 
use the lessons learned during these pilots to deploy an exit solution 
to 80 airports by late 2005. We are also looking at incorporating 
biometrics into an international registered traveler program in the 
future.

Protecting the privacy of our visitors is a priority for US-VISIT. We 
ensured that travel data is securely stored and is made available only 
to authorized officials and selected law enforcement agencies on a 
need-to-know basis. Travel data will only be stored as long as 
necessary for law enforcement purposes. We published a Privacy Impact 
Assessment (PIA) and are now applying aspects of the Privacy Act to 
non-immigrants. The DHS Chief Privacy Officer and the US-VISIT Privacy 
Officer have met with numerous advocacy, privacy, and immigration 
groups to solicit input and hear concerns, which have been taken into 
account in the development of the program. The US-VISIT PIA has been 
hailed by many in the privacy community as an excellent model of 
transparency, including detailed information about the program, the 
technology, and the privacy protections. In addition, a US-VISIT 
privacy officer is always available to answer questions or resolve 
concerns. Through a successful US-VISIT outreach program reflecting the 
transparent privacy policies and principles of the US-VISIT system, we 
have received almost no serious privacy complaints raised with regard 
to US-VISIT.

In the course of this review, the GAO auditors demonstrated a sense of 
professionalism and fairness that should be recognized. We developed a 
positive relationship that, I believe, resulted in better understanding 
and a shared commitment to making US-VISIT the best it can be. 
Consequently, I appreciate the guidance that this report provides for 
our future efforts.

Sincerely,

Signed by: 

Steven J. Pecinovsky:

Acting Director, Departmental 
GAO/IG Liaison Office: 

[End of section]

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Deborah Davis, (202) 512-6261: 

Staff Acknowledgments: 

In addition to the individual named above, Barbara Collier, Neil 
Doherty, David Hinchman, James Houtz, Carolyn Ikeda, Anh Le, John 
Mortin, David Noone, Karen Richey, Karl Seifert, and Randolph Tekeley 
made key contributions to this report.

(310296): 

 

FOOTNOTES

[1] Pub. L. 108-334 (Oct. 18, 2004).

[2] Our previous recommendations regarding US-VISIT's expenditure plans 
were published in GAO, Information Technology: Homeland Security Needs 
to Improve Entry Exit System Expenditure Planning, GAO-03-563 
(Washington, D.C.: June 9, 2003); Homeland Security: Risks Facing Key 
Border and Transportation Security Program Need to Be Addressed, 
GAO-03-1083 (Washington, D.C.: Sept. 19, 2003); and Homeland Security: 
First Phase of Visitor and Immigration Status System Operating, but 
Improvements Needed, GAO-04-586 (Washington, D.C.: May 11, 2004).

[3] Carnegie Mellon University SEI, Software Acquisition Capability 
Maturity Model®, Version 1.03 (March 2002), defines acquisition process 
management controls for planning, managing, and controlling 
software-intensive system acquisitions.

[4] The SA-CMM ranks organizational maturity according to five levels. 
Levels 2 through 5 require verifiable existence and use of certain key 
processes.

[5] Increment 2B includes the electronic collection and matching of 
biographic and biometric information for foreign nationals entering the 
United States at the 50 busiest land ports of entry. DHS had planned to 
deploy this increment by December 2004. 

[6] The Treasury Enforcement Communications Systems is a system that 
maintains lookout (i.e., watch list) data, interfaces with other 
agencies' databases, and is currently used by inspectors at ports of 
entry to verify traveler information and update traveler data.

[7] ACE is a new trade processing system planned to support the 
movement of legitimate imports and exports and strengthen border 
security.

[8] Capacity management is intended to ensure that systems are properly 
designed and configured for efficient performance and have sufficient 
processing and storage capacity for current, future, and unpredictable 
workload requirements.

[9] Carnegie Mellon University SEI, A Manager's Checklist for 
Validating Software Cost and Schedule Estimates, CMU/SEI-95-SR-004 
(January 1995).
