Information Technology: Homeland Security Needs to Improve Entry Exit System Expenditure Planning
Highlights
Pursuant to legislative direction, the Immigration and Naturalization Service (INS), now part of the Department of Homeland Security, plans to acquire and deploy an entry exit system to assist in monitoring the flow of foreign nationals in and out of the United States. By separate legislative direction, INS must submit to the Senate and House Committees on Appropriations a plan for this system that meets certain conditions, including being reviewed by GAO, before funds can be obligated. This report satisfies GAO's mandated review obligation by (1) addressing whether the plan submitted by INS, along with related INS documentation and plans, meets required conditions and (2) providing observations about the plan and INS's management of the system.
INS's initial expenditure plan and associated system acquisition documentation and plans for the entry exit system partially meet the legislative conditions imposed by the Congress. That is, INS has implemented or has defined plans for implementing most of the legislatively mandated requirements for the plan's content, which include such areas as capital planning and investment control, acquisition, and systems acquisition management. However, key issues related to understanding and implementing system requirements, such as developing a system security plan and assessing system impact on the privacy of individuals, remain to be addressed. Moreover, INS reported that it had obligated some entry exit funding before it submitted the plan to the Appropriations Committees. Since then, INS officials told GAO that they have de-obligated and reclassified these obligations to other available funding sources. GAO observed that INS has preliminary plans showing that it intends to acquire and deploy a system that has functional and performance capabilities that satisfy the general scope of capabilities required under various laws. These include the capability to (1) collect and match alien arrival and departure data electronically; (2) be accessible to the border management community (including consular officers, federal inspection agents, and law enforcement and intelligence agencies responsible for identifying and investigating foreign nationals); and (3) support machine-readable, tamper-resistant documents with biometric identifiers at ports of entry. Each of these capabilities is integral to supporting our nation's border security process. However, GAO also observed that the initial plan does not provide sufficient information about INS commitments for the system, such as what specific system capabilities and benefits will be delivered, by when, and at what cost, and how INS intends to manage the acquisition to provide reasonable assurance that it will meet these commitments. Without sufficiently detailed information on system plans and progress, the Congress will be impeded in its efforts to oversee the system.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Management Directorate | To help ensure the effective management and acquisition of the entry exit system, the Secretary of Homeland Security should, through whatever entry exit program governance structure is established, direct the entry exit program manager to ensure that planned investment and acquisition management controls, including the development of a business case, are fully implemented in accordance with recognized best practices and relevant federal requirements and guidance. |
Closed – Implemented
The program office has continued to take actions that are consistent with our recommendation, and more activities are underway or planned. For example, US-VISIT has improved its cost estimating capabilities by establishing a Cost Process Action Team to refine the program's cost analysis policies and procedures, defining a cost estimation and analysis process, and acquiring professional services in the areas of life cycle cost modeling and independent cost analysis. Further, it has recently completed business cases for new program elements, such as Unique Identity. In addition, it plans to further strengthen the methodologies and tools for developing business cases. As a result, we are closing this recommendation as having been largely implemented.
|
| Management Directorate | At a minimum, the Secretary of Homeland Security's direction should include having the entry exit program manager immediately develop and begin implementing a system security plan. At the same time, the Secretary should have the program manager perform a privacy impact analysis and use the results of this analysis in near-term and subsequent system acquisition decision-making. |
Closed – Implemented
The program office has continued to take actions that are consistent with our recommendation, and more activities are underway or planned. Most recently, in December 2006, the program office developed a US-VISIT security strategy and has begun implementing it. For example, it is conducting security evaluations of commercial off-the-shelf software products before adding them to the program's technical baseline. The program office has also developed and is periodically updating its privacy impact assessment. Further, program officials are taking steps to ensure that the impact assessment's results are used in deciding and documenting the content of US-VISIT projects as evidenced by the fact that recently issued system documentation shows that privacy concerns are being addressed. As a result, we are closing this recommendation as being largely implemented.
|
| Management Directorate | In light of INS's recent transition to the new department and potential changes to system investment and acquisition controls provided for in the first plan, we recommend that controls in the areas of acquisition planning, solicitation, requirements management, project management, contract tracking and oversight, and evaluation should be implemented in accordance with Software Engineering Institute guidance. |
Closed – Implemented
The program office has continued to take actions that are consistent with our recommendation, and more activities are underway or planned. In May 2005, the program office developed a plan for satisfying SEI acquisition management guidance and began implementing it. In April 2006, the program office updated its plan to focus on six key process areas: acquisition project planning, requirements management, project monitoring and control, risk management, configuration management, and product and process quality assurance. In March 2007, the program office reported that it has made progress in implementing the 113 practices associated with these six key process areas; 83 percent of key practices are now either fully or largely implemented, up from 26 percent in August 2005. Further, the 2007 CMMI implementation plan provides a road map for continuing to improve the above areas as well as addressing additional areas, such as solicitation and transition to support. Also, contract tracking and oversight improvements are underway, such as instituting use of oversight plans for each task order and developing requirements for reimbursable contracts. As a result, we are closing this recommendation as having been largely implemented.
|
| Management Directorate | The Secretary of Homeland Security should ensure that future expenditure plans be provided to the department's Senate and House Appropriations Subcommittees in advance of entry exit system funds being obligated. |
Closed – Implemented
In May 2004, we reported that the program office implemented this recommendation when it submitted its fiscal year 2004 expenditure plan to the Senate and House Subcommittees on January 27, 2004, in advance of funds being obligated. In February 2005, we reported that the program office again implemented this recommendation when it submitted its fiscal year 2005 expenditure plan to the Senate and House Subcommittees on October 19, 2004. In February 2007, we again reported that the program office implemented this recommendation when it submitted its fiscal year 2006 expenditure plan to the Senate and House Subcommittees on August 10, 2006. Because the program office has established a pattern of following this recommendation, we are closing it as implemented.
|
| Management Directorate | The Secretary of Homeland Security should ensure that future expenditure plans fully disclose what entry exit system capabilities and benefits are to be delivered, by when, and at what cost, and how it intends to manage the acquisition to provide reasonable assurance that these system capability, benefit, schedule, and cost commitments will be met. |
Closed – Implemented
The program office has continued to take actions that are consistent with our recommendation, and more activities are underway or planned. For example, the fiscal year 2007 expenditure plan discloses planned system capabilities, expected benefits, and estimated schedules and costs. More specifically, the expenditure plan identifies capabilities for various US-VISIT projects, such as the capability to receive and store 10-Print finger scans that are captured by U.S. consulates for Unique Identity and the capability to make alterations to passports more apparent for e-Passport. Additionally, the expenditure plan identifies benefits associated with these capabilities. Benefits of Unique Identity that are cited include reduced information gaps and enhanced immigration and border enforcement; benefits of e-Passport include reduced fraud and improved security and document integrity. Furthermore, the expenditure plan provides timeframes, such as the deployment of the 10-print pilot to 10 air locations in late 2007 and the Initial Operating Capability functionality targeted for September 2008, which are both for Unique Identity. Moreover, the expenditure plan provides meaningful cost information for some of its projects, such as costs associated with updating DHS border and process technology and acquisition and procurement for Unique Identity. The plan also describes a range of key acquisition management activities and control areas, such as requirements development and management, configuration management, and data governance. Finally, the program office told us that the fiscal year 2008 expenditure plan will further improve the program's discussion of capabilities, benefits, costs, and schedule. As a result, we are closing this recommendation as having been largely implemented.
|