Information Technology: DHS Needs to Fully Define and Implement Policies and Procedures for Effectively Managing Investments
GAO-07-424
Published: Apr 27, 2007. Publicly Released: Apr 27, 2007.
Skip to Highlights
Highlights
The Department of Homeland Security (DHS) relies extensively on information technology (IT) to carry out its mission. For fiscal year 2008, DHS requested about $4 billion--the third largest planned IT expenditure among federal departments. Given the size and significance of DHS's IT investments, GAO's objectives were to determine whether DHS (1) has established the management structure and associated policies and procedures needed to effectively manage these investments and (2) is implementing key practices needed to effectively control them. GAO used its IT Investment Management (ITIM) framework and associated methodology to address these objectives, focusing on the framework's stages related to the investment management provisions of the Clinger-Cohen Act.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Homeland Security | To strengthen DHS's investment management capability and address the weaknesses discussed in this report, the Secretary of Homeland Security should direct the Undersecretary for Management, in collaboration with the Chief Financial Officer (CFO) and Chief Information Officer (CIO), to devote the appropriate attention to development and implementation of effective investment management processes. At a minimum, this should include fully defining and documenting project-and portfolio-level policies and procedures that address selecting new investments, including specifying the criteria and steps for prioritizing and selecting these proposals. |
Closed – Not Implemented
In September 2011, DHS officials stated that the selection of new project proposals is a function of the Office of the Chief Financial Officer's Program Analysis and Evaluation group and directed us to the department's Financial Management Policy Manual for related procedures, including the criteria and steps for prioritizing and selecting proposals. We reviewed the manual; however it did not include these procedures. Given the amount of time elapsed since we made this recommendation, we are closing it as not implemented.
|
| Department of Homeland Security | To strengthen DHS's investment management capability and address the weaknesses discussed in this report, the Secretary of Homeland Security should direct the Undersecretary for Management, in collaboration with the CFO and CIO, to devote the appropriate attention to development and implementation of effective investment management processes. At a minimum, this should include fully defining and documenting project-and portfolio-level policies and procedures that address reselecting ongoing IT investments, including specifying the criteria and steps for prioritizing and reselecting these investments. |
Closed – Not Implemented
In September 2011, DHS officials stated that the reselection of ongoing projects is a function of the Office of the Chief Financial Officer's Program Analysis and Evaluation group and directed us to the department's Financial Management Policy Manual for related procedures, including the criteria and steps for prioritizing and reselecting proposals. We reviewed the manual; however it did not include these procedures. Given the amount of time elapsed since we made this recommendation, we are closing it as not implemented.
|
| Department of Homeland Security | To strengthen DHS's investment management capability and address the weaknesses discussed in this report, the Secretary of Homeland Security should direct the Undersecretary for Management, in collaboration with the CFO and CIO, to devote the appropriate attention to development and implementation of effective investment management processes. At a minimum, this should include fully defining and documenting project-and portfolio-level policies and procedures that address overseeing (i.e., controlling) IT projects and systems, including specifying the procedural rules for the investment boards' operations and decision making during project oversight. |
Closed – Implemented
The January 2010 revision of DHS's Acquisition Management Directive (MD 102-01) and the August 2010 update of the Capital Planning and Investment Control Guide include policies and procedures for the Acquisition Review Board's operations and decision-making during project oversight.
|
| Department of Homeland Security | To strengthen DHS's investment management capability and address the weaknesses discussed in this report, the Secretary of Homeland Security should direct the Undersecretary for Management, in collaboration with the CFO and CIO, to devote the appropriate attention to development and implementation of effective investment management processes. At a minimum, this should include fully defining and documenting project-and portfolio-level policies and procedures that address identifying and collecting information about investments, including assigning responsibility for the process and ownership of the information and defining the locations for information storage. |
Closed – Implemented
In October 2008 DHS updated the manual for its Next Generation Periodic Reporting System (nPRS) to, among other things, provide guidance for collecting information on investments, including assigning responsibility for the process and ownership of the information, and defining the location for storing the information. The manual also specifies the type of information that should be collected and the frequency of data collection. In September 2011, DHS officials also noted that the department has several efforts underway to improve the quality of the data needed to inform investment management decisions, including the creation of a decision support tool.
|
| Department of Homeland Security | To strengthen DHS's investment management capability and address the weaknesses discussed in this report, the Secretary of Homeland Security should direct the Undersecretary for Management, in collaboration with the CFO and CIO, to devote the appropriate attention to development and implementation of effective investment management processes. At a minimum, this should include fully defining and documenting project-and portfolio-level policies and procedures that address creating and modifying IT portfolio selection criteria. |
Closed – Not Implemented
In September 2011, DHS officials stated that the creation of portfolio selection criteria is primarily a function of the enterprise architecture group. We followed up with this group to obtain the related policies and procedures, but as of September 30, 2011, had not received the requested documentation. Given the amount of time elapsed since we made this recommendation, we are closing it as not implemented.
|
| Department of Homeland Security | To strengthen DHS's investment management capability and address the weaknesses discussed in this report, the Secretary of Homeland Security should direct the Undersecretary for Management, in collaboration with the CFO and CIO, to devote the appropriate attention to development and implementation of effective investment management processes. At a minimum, this should include fully defining and documenting project-and portfolio-level policies and procedures that address analyzing, selecting, and maintaining the investment portfolios. |
Closed – Not Implemented
In September 2011, DHS officials stated that analyzing, selecting, maintaining portfolios is primarily a function of the enterprise architecture group. We followed up with this group to obtain the related policies and procedures, but as of September 30, 2011, had not received the requested documentation. Given the amount of time elapsed since we made this recommendation, we are closing it as not implemented.
|
| Department of Homeland Security | To strengthen DHS's investment management capability and address the weaknesses discussed in this report, the Secretary of Homeland Security should direct the Undersecretary for Management, in collaboration with the CFO and CIO, to devote the appropriate attention to development and implementation of effective investment management processes. At a minimum, this should include fully defining and documenting project-and portfolio-level policies and procedures that address assessing portfolio performance at regular intervals to reflect current performance expectations. |
Closed – Implemented
DHS has developed high-level procedures, including a template, for the Office of the Chief Information Officer's (OCIO) annual reviews of the department's portfolios. According to the OCIO's Executive Director for the Enterprise Business Management Office, more specific procedures are to be documented in a concept of operations for portfolio management which is expected to be finalized by the end of 2011.
|
| Department of Homeland Security | To strengthen DHS's investment management capability and address the weaknesses discussed in this report, the Secretary of Homeland Security should direct the Undersecretary for Management, in collaboration with the CFO and CIO, to devote the appropriate attention to development and implementation of effective investment management processes. At a minimum, this should include fully defining and documenting project-and portfolio-level policies and procedures that address conducting post-implementation reviews of IT investments, including defining roles and responsibilities for doing so, and specifying how conclusions, lesson learned, and recommended management actions are to be shared with executives and others. |
Closed – Implemented
The August 2010 update of DHS's Capital Planning and Investment Control Guide includes procedures that address conducting post-implementation reviews of IT investments, including defining roles and responsibilities for doing so, and specifying how conclusions, lesson learned, and recommended management actions are to be shared with executives and others.
|
| Department of Homeland Security | In addition, the Department of Homeland Security should implement key investment control processes. At a minimum, this should include providing adequate resources, including people, funding, and tools, for IT project oversight. |
Closed – Implemented
According to DHS, the Acquisition Program Management Division and the Enterprise Business Management Office, who have primarily responsibility for supporting the review of DHS's projects, the department has adequate resources (both in numbers and skills) to perform their oversight activities. For example, within the Enterprise Business Management Office there are currently 31 federal employees and approximately 20 contractors. This contrasts with the six staff (with only one of them being full-time) that we reported the department had to support departmentwide investment management activities in 2007. According to the Chief Information Officer, the department expects to continue to augment its information technology staff, including those for investment management functions, through the end of fiscal year 2012.
|
| Department of Homeland Security | In addition, the Department of Homeland Security should implement key investment control processes. At a minimum, this should include having IT projects and systems, including those in steady state (operations and maintenance), maintain approved project management plans that include expected cost and schedule milestones and measurable benefit and risk expectations. |
Closed – Implemented
All major programs are required to develop and maintain an acquisition program baseline which, among other things, include expected cost and schedule milestones and measurable benefit and risk expectations. The Acquisition Review Board has been reviewing and approving these program baselines on a more consistent basis than in the past. DHS officials also stated that the development of a new decision support tool and other tools is expected improve the department's ability to monitor the status and review of acquisition program baselines.
|
| Department of Homeland Security | In addition, the Department of Homeland Security should implement key investment control processes. At a minimum, this should include providing data on actual performance (including cost, schedule, benefit, and risk performance) to the appropriate IT investment board. |
Closed – Implemented
Data on actual project performance (including cost, schedule, benefit, and risk performance) are provided to the Acquisition Review Board for its review. According to officials, the department also has efforts underway, including the development of a new decision support tool, to improve the quality of the data.
|
| Department of Homeland Security | In addition, the Department of Homeland Security should implement key investment control processes. At a minimum, this should include having each investment board use verified data to regularly review the performance of IT projects and systems against stated expectations. |
Closed – Implemented
The Acquisition Review Board reviews the performance of IT projects and systems against expectations at key milestone decision points and is also informed of the results of portfolio reviews and the Techstat reviews of projects needing special attention. While, according to officials, the cost and schedule data are verified by the Program Analysis and Evaluation group, the quality of the data used for the board reviews is expected to improve as a result of efforts to create a new decision support tool and other tools.
|
| Department of Homeland Security | In addition, the Department of Homeland Security should implement key investment control processes. At a minimum, this should include taking appropriate actions to correct or terminate each underperforming IT project or system in accordance with defined criteria and the documented policies and procedures for management oversight. |
Closed – Implemented
The results of Acquisition Review Board project review are summarized in Acquisition Decision Memos which capture all action items. The Acquisition Program Management Division tracks the status of these action items until completion in accordance with the Acquisition Review Board's documented procedures.
|
| Department of Homeland Security | In addition, the Department of Homeland Security should implement key investment control processes. At a minimum, this should include having the investment board regularly track the implementation of corrective actions for each underperforming project until the actions are completed. |
Closed – Implemented
The Acquisition Program Management Division is responsible for tracking the status of corrective actions for underperforming projects until completion.
|
| Department of Homeland Security | In addition, the Department of Homeland Security should implement key investment control processes. It should also include portfolio-level practices such as providing adequate resources, including people, funding, and tools, for reviewing the investment portfolios and their projects. |
Closed – Implemented
According to DHS, the Acquisition Program Management Division and the Enterprise Business Management Office, who have primarily responsibility for supporting the review of DHS's investment portfolios, the department has adequate resources (both in numbers and skills) to perform their oversight activities. For example, within the Enterprise Business Management Office there are currently 31 federal employees and approximately 20 contractors. This contrasts with the six staff (with only one of them being full-time) that we reported the department had to support departmentwide investment management activities in 2007. According to the Chief Information Officer, the department expects to continue to augment its information technology staff, including those for investment management functions, through the end of fiscal year 2012.
|
| Department of Homeland Security | In addition, the Department of Homeland Security should implement key investment control processes. It should also include portfolio-level practices such as making board members familiar with the process for evaluating and improving the portfolio's performance. |
Closed – Implemented
While, according to DHS officials, including the Executive Director for the Enterprise Business Management Office, there is no formal mechanism for making the Acquisition Review Board members familiar with the process for evaluating and improving the portfolio's performance, these members recently received training in the use the decision support tool that will soon be implemented to support investment management decisions.
|
| Department of Homeland Security | In addition, the Department of Homeland Security should implement key investment control processes. It should also include portfolio-level practices such as providing results of relevant Providing Investment Oversight reviews from Stage 2 to the investment boards. |
Closed – Implemented
The Acquisition Review Board reviews investments at key milestones, which is the focus of the stage 2 providing investment oversight critical process. The Acquisition Review Board is also informed of, and in some cases, participates in--other relevant oversight reviews, including portfolio reviews and Techstat reviews.
|
| Department of Homeland Security | In addition, the Department of Homeland Security should implement key investment control processes. It should also include portfolio-level practices such as developing, reviewing, and modifying criteria for assessing portfolio performance at regular intervals to reflect current performance expectations. |
Closed – Implemented
DHS has developed criteria to assess the performance of its portfolios to reflect current performance expectations. They include a combination of mission-specific, acquisition health, and cross-cutting criteria which are examined to determine recommendations for next steps.
|
| Department of Homeland Security | In addition, the Department of Homeland Security should implement key investment control processes. It should also include portfolio-level practices such as defining and collecting IT portfolio performance measurement data that are consistent with portfolio performance criteria. |
Closed – Implemented
DHS collects data on the performance of its portfolios that are consistent with the assessment criteria that have been defined.
|
| Department of Homeland Security | In addition, the Department of Homeland Security should implement key investment control processes. It should also include portfolio-level practices such as executing adjustments to the IT investment portfolios in response to actual portfolio performance. |
Closed – Implemented
DHS has begun performing portfolio reviews in which the department makes recommendations to adjust the portfolios based on the results of its performance. We obtained two examples of cases in which adjustments had been made as a result of portfolio reviews.
|
Full Report
Office of Public Affairs
Topics
Best practicesEnterprise architectureHomeland securityInformation systems investmentsInformation technologyInternal controlsIT investment managementStrategic planningSystems analysisSystems designSystems evaluationPolicies and procedures