Border Security:

DHS's Efforts to Modernize Key Enforcement Systems Could be Strengthened

GAO-14-62: Published: Dec 5, 2013. Publicly Released: Jan 6, 2014.

Additional Materials:

Contact:

David A. Powner
(202) 512-9286
pownerd@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Customs and Border Protection (CBP) has defined the scope for its TECS (not an acronym) modernization (TECS Mod) program, but its schedule and cost continue to change; while Immigration and Customs Enforcement (ICE) is overhauling the scope, schedule, and cost of its program after discovering that its initial solution is not technically viable. CBP's $724 million program intends to modernize the functionality, data, and aging infrastructure of legacy TECS and move it to DHS's data centers. CBP plans to develop, deploy, and implement these capabilities between 2008 and 2015. To date, CBP has deployed functionality to improve its secondary inspection processes to air and sea ports of entry and, more recently, to land ports of entry in 2013. However, CBP is in the process of revising its schedule baseline for the second time in under a year. Further, portions of CBP's schedule remain undefined and the program does not have a fully developed master schedule. These factors increase the risk of CBP not delivering TECS Mod by its 2015 deadline. Regarding ICE's $818 million TECS Mod program, it is redesigning and replanning its program, having determined in June 2013 that its initial solution was not viable and could not support ICE's needs. As a result, ICE halted development and is now assessing design alternatives and will revise its schedule and cost estimates. Program officials stated the revisions will be complete in December 2013. Until ICE completes the replanning effort, it is unclear what functionality it will deliver, when it will deliver it, or what it will cost to do so, thus putting it in jeopardy of not completing the modernization by its 2015 deadline.

CBP and ICE have managed many risks in accordance with some leading practices, but they have had mixed results in managing requirements for their programs. In particular, neither program identified all known risks and escalated them for timely management review. Further, CBP's guidance defines key practices associated with effectively managing requirements, but important requirements development activities were underway before these practices were established. ICE, meanwhile, operated without requirements management guidance for years, and its requirements activities were mismanaged as a result. For example, ICE did not complete work on 2,600 requirements in its initial release, which caused testing failures and the deferral and deletion of about 70 percent of its original requirements. ICE issued requirements guidance in March 2013 that is consistent with leading practices, but it has not yet been implemented.

The Department of Homeland Security's (DHS) governance bodies have taken actions to oversee the two TECS Mod programs that are generally aligned with leading practices. Specifically, DHS's governance bodies have monitored TECS Mod performance and progress and have ensured that corrective actions have been identified and tracked. However, the governance bodies' oversight has been based on sometimes incomplete or inaccurate data, and therefore the effectiveness of these efforts is limited. For example, one oversight body rated CBP's program as moderately low risk, based partially on the program's use of earned value management, even though program officials stated that neither they nor their contractor had this capability. Until these governance bodies base their performance reviews on timely, complete, and accurate data, they will be constrained in their ability to effectively provide oversight.

Why GAO Did This Study

DHS's border enforcement system, known as TECS, is the primary system available for determining admissibility of persons to the United States. It is used to prevent terrorism, and provide border security and law enforcement, case management, and intelligence functions for multiple federal, state, and local agencies. It has become increasingly difficult and expensive to maintain because of technology obsolescence and its inability to support new mission requirements. Accordingly, in 2008, DHS began an effort to modernize the system. It is being managed as two separate programs working in parallel by CBP and ICE.

GAO's objectives were to (1) determine the scope and status of the two TECS Mod programs, (2) assess selected CBP and ICE program management practices for TECS Mod, and (3) assess the extent to which DHS is executing effective executive oversight and governance of the two TECS Mod programs.

To do so, GAO reviewed requirements documents and cost and schedule estimates, and determined the current scope, completion dates, and life cycle expenditures. GAO also reviewed risk management and requirements management plans, as well as governance bodies' meeting minutes.

What GAO Recommends

GAO is recommending DHS improve its efforts to manage requirement and risk, as well as its governance of the TECS Mod programs. DHS agreed with all but one of GAO's eight recommendations, and described actions planned and underway to address them.

For more information, contact David A. Powner at (202) 512-9286 or pownerd@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: The Department of Homeland Security (DHS) reports it has taken steps to address this recommendation. In August 2015, U.S. Customs and Border Patrol (CBP) described steps taken to link the TECS Mod master schedule files with the program's system architecture tool. According to CBP, this is intended to provide the program manager with the ability to monitor the status of the program, project and integration tasks, but did not demonstrate how these tools show work activity sequencing and dependencies between tasks. In August 2016, CBP provided additional information about how the program's master schedule and system architecture tool are integrated by showing how each displayed the timing of project tasks. However, CBP officials still could not show how task sequencing and dependency are managed. We will continue to monitor agency progress and provide updated information.

    Recommendation: To improve DHS's efforts to develop and implement its TECS Mod programs, the Secretary of Homeland Security should direct the CBP Commissioner to ensure that the appropriate individuals develop an integrated master schedule that accurately reflects all of the program's work activities, as well as the timing, sequencing, and dependencies between them.

    Agency Affected: Department of Homeland Security

  2. Status: Open

    Comments: The Department of Homeland Security (DHS) agreed with and has begun steps to address this recommendation. In July 2015, U.S. Customs and Border Protection (CBP) officials provided an example from their TECS Mod risk register and two management briefings on the program's status. While these items show that risks are being identified, tracked, and briefed to management, they do not address integrated master schedule and earned value management (EVM) risks that we identified in our report. In August 2016, CBP officials stated that the program had established a new contract to implement EVM and was making progress in implementing it on three TECS Mod projects: Lookout Record Data and Services, Manifest Processing, and Primary Inspection Processes. Further, officials stated that the program has been monitoring cost and schedule performance to ensure alignment of the program life cycle cost estimate and integrated master schedule with the approved program baseline. However, the agency had not yet updated the program's risk register to include risks related to the integrated master schedule or the use of EVM, as we recommended. We will continue to monitor agency actions on this recommendation.

    Recommendation: To improve DHS's efforts to develop and implement its TECS Mod programs, the Secretary of Homeland Security should direct the CBP Commissioner to ensure that the appropriate individuals ensure that all significant risks associated with the TECS Mod acquisition are documented in the program's risk and issue inventory inventory--including acquisition risks mentioned in this report report-- and are briefed to senior management, as appropriate.

    Agency Affected: Department of Homeland Security

  3. Status: Closed - Implemented

    Comments: The Department of Homeland Security (DHS) agreed with, and has taken action to address, this recommendation. Specifically, in January 2014, U.S. Customs and Border Protection (CBP) updated its TECS Mod Program Risk Management Plan to include thresholds for when risks should be escalated. For example, the risk management plan states that all risks with a high impact rating will be escalated to the Passenger Systems Program Directorate (PSPD) Executive Director for awareness and decision making in implementing the associated issue action plan. Further, the plans establishes criteria regarding when the PSPD Executive Director and TECS Mod Program Manager will escalate high severity risks to senior leadership at 1) Program Management Reviews, 2) Executive Steering Committee meetings, and 3) the DHS Chief Information Officer Joint Program Review with CBP and Immigration and Customs Enforcement. For example, high severity risks are escalated to the Executive Steering Committee if the program costs increase greater than 10 percent of baseline threshold costs. CBP also provided examples of Executive Steering Committee briefings between April 2015 and April 2016 where the committee was briefed on critical risks and issues, including status updates regarding the TECS Mod program's efforts to mitigate the risks and resolve the issues. As a result, CBP has increased assurance that key decision makers are fully informed regarding critical program risks and better positioned to mitigate them and minimize their impact on program commitments.

    Recommendation: To improve DHS's efforts to develop and implement its TECS Mod programs, the Secretary of Homeland Security should direct the CBP Commissioner to ensure that the appropriate individuals revise and implement the TECS Mod program's risk management strategy and guidance to include clear thresholds for when to escalate risks to senior management, and implement as appropriate.

    Agency Affected: Department of Homeland Security

  4. Status: Closed - Implemented

    Comments: The Department of Homeland Security (DHS) agreed with and has implemented this recommendation. Customs and Border Protection (CBP) officials provided an updated version of its requirements management plan (dated Nov. 23, 2013) that includes specific criteria requiring each requirement to be unique, unambiguous and testable. By revising its plan, CBP should have greater assurance that TECS Mod will perform as intended in the user environments and has reduced the risk of deployment delays as a result.

    Recommendation: To improve DHS's efforts to develop and implement its TECS Mod programs, the Secretary of Homeland Security should direct the CBP Commissioner to ensure that the appropriate individuals revise and implement the TECS Mod program's requirements management guidance to include the validation of requirements to ensure that each is unique, unambiguous, and testable.

    Agency Affected: Department of Homeland Security

  5. Status: Open

    Comments: The Department of Homeland Security (DHS) agreed with and has begun steps to address this recommendation. In February 2014, the department stated in written correspondence that the U.S. Immigration and Customs Enforcement (ICE) TECS Mod program office had created a program-level acquisition risk and added it to its risk inventory. In December 2015, the department provided an IT program health assessment for the ICE TECS Mod program that identifies the assigned risk level for the acquisition and discusses mitigation strategies. A DHS Management and Program analyst from the Enterprise Business Management Office stated that the program's acquisition risk is one of the factors the CIO considers before rating an investment, and noted that the document includes the DHS chief information officer's rating for the program at the end of the assessment. However, as of September 2016, ICE had not yet provided evidence that acquisition risks had been briefed to senior management, as we recommended. We will continue to monitor agency actions on this recommendation.

    Recommendation: The Secretary of Homeland Security should direct the Acting Director of ICE to ensure that the appropriate individuals ensure that all significant risks associated with the TECS Mod acquisition are documented in the program's risk and issue inventory--including the acquisition risks mentioned in this report-- and briefed to senior management, as appropriate.

    Agency Affected: Department of Homeland Security

  6. Status: Open

    Comments: The Department of Homeland Security (DHS) agreed with and has begun steps to address this recommendation. In February 2014, the department stated in written correspondence that the U.S. Immigration and Customs Enforcement (ICE) TECS Mod program office had refined its criteria for escalating risks and identified 3 risk events that could trigger an escalated status for a given risk. Specifically, if a risk has a score that exceeds a certain threshold, if a risk meets a trigger date/event, or if the Risk Advisory Board exercises its discretion to escalate a given risk. However, as of September 2016, ICE has not provided evidence that existing risks have been evaluated and escalated. We will continue to monitor agency actions to address this recommendation.

    Recommendation: The Secretary of Homeland Security should direct the Acting Director of ICE to ensure that the appropriate individuals revise and implement the TECS Mod program's risk management strategy and guidance to include clear thresholds for when to escalate risks to senior management, and implement as appropriate.

    Agency Affected: Department of Homeland Security

  7. Status: Open

    Comments: The Department of Homeland Security (DHS) agreed with and has begun steps to address this recommendation. In February 2014, the department stated in written correspondence that the U.S. Immigration and Customs Enforcement (ICE) TECS Mod program office had updated its requirements management plan, revised its requirements baseline, and approved a change control package that are intended to address this recommendation. However, as of September 2016, ICE had not provided any documentation to verify the actions taken by DHS to address this recommendation. We will continue to monitor agency actions on this recommendation.

    Recommendation: The Secretary of Homeland Security should direct the Acting Director of ICE to ensure that the appropriate individuals ensure that the newly developed requirements management guidance and recently revised guidance for controlling changes to requirements are fully implemented.

    Agency Affected: Department of Homeland Security

  8. Status: Closed - Implemented

    Comments: The Department of Homeland Security (DHS) agreed with and has taken steps to address this recommendation. For example, the department directed use of a decision-making support tool intended to improve governance decisions. It also discussed information available via the Information Technology Dashboard and how that information could be used to support decision-making activities. In April 2015, DHS further described efforts to implement this recommendation for 3 programs. In addition, in December 2015, DHS officials provided examples of how information in the investment tool is used to support decision-making for the program. For example, they provided an investment summary page from the DHS IT investment management system INVEST, which is used to support investment decision-making. The summary page shows links to information about investment reviews, project milestones, and other program management areas such as risk management. The summary page also shows the date of the last update. A DHS Management and Program analyst from the Enterprise Business Management Office explained that the data is updated in real time as changes occur, for example, as a result of program status meetings and decision milestones. Further, in March 2016, CBP's Component Acquisition Executive & Assistant Commissioner, Office of Acquisition, certified the TECS Mod data in the INVEST system As a result, DHS has increased assurance that the information used by the department's oversight bodies to assess TECS Mod progress and performance is complete , timely, and accurate.

    Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Management and acting Chief Information Officer to ensure that data used by the department's governance and oversight bodies to assess the progress and performance of major information technology program acquisition programs are complete, timely, and accurate.

    Agency Affected: Department of Homeland Security

 

Explore the full database of GAO's Open Recommendations »

Nov 30, 2016

Nov 14, 2016

Oct 24, 2016

Oct 19, 2016

Oct 17, 2016

Sep 22, 2016

Sep 15, 2016

Sep 14, 2016

Looking for more? Browse all our products here