This is the accessible text file for GAO report number GAO-04-586 entitled 'Homeland Security: First Phase of Visitor and Immigration Status Program Operating, but Improvements Needed' which was released on May 11, 2004. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. 
Report to Congressional Committees:
May 2004:
HOMELAND SECURITY: First Phase of Visitor and Immigration Status Program Operating, but Improvements Needed:
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-586]
GAO Highlights:
Highlights of GAO-04-586, a report to the Subcommittees on Homeland Security, Senate and House Committees on Appropriations
Why GAO Did This Study:
The Department of Homeland Security (DHS) has established a program—the United States Visitor and Immigrant Status Indicator Technology (US-VISIT)—to collect, maintain, and share information, including biometric identifiers, on selected foreign nationals who travel to the United States. By congressional mandate, DHS is to develop and submit for approval an expenditure plan for US-VISIT that satisfies certain conditions, including being reviewed by GAO. Among other things, GAO was asked to determine whether the plan satisfied these conditions, and to provide observations on the plan and DHS’s program management.
What GAO Found:
DHS’s fiscal year 2004 US-VISIT expenditure plan and related documentation at least partially satisfies all conditions imposed by the Congress, including meeting the capital planning and investment control review requirements of the Office of Management and Budget (OMB). For example, DHS developed a draft risk management plan and a process to implement and manage risks. However, DHS does not have a current life cycle cost estimate or a cost/benefit analysis for US-VISIT.
The US-VISIT program merges four components into one integrated whole to carry out its mission (see figure).
US-VISIT Integrates People, Process, Technology, and Facilities:
[See PDF for image]
[End of figure]
GAO also developed a number of observations about the expenditure plan and DHS’s management of the program. These generally recognize accomplishments to date and address the need for rigorous and disciplined program practices.
For example, US-VISIT largely met its commitments for implementing an initial operating capability, known as Increment 1, in early January 2004, including the deployment of entry capability to 115 air and 14 sea ports of entry. However, DHS has not employed rigorous, disciplined management controls typically associated with successful programs, such as test management, and its plans for implementing other controls, such as independent verification and validation, may not prove effective. More specifically, testing of the initial phase of the implemented system was not well managed and was completed after the system became operational. In addition, multiple test plans were developed during testing, and only the final test plan, completed after testing, included all required content, such as describing tests to be performed. Such controls, while significant for the initial phases of US-VISIT, are even more critical for the later phases, as the size and complexity of the program will only increase. Finally, DHS’s plans for future US-VISIT resource needs at the land ports of entry, such as staff and facilities, are based on questionable assumptions, making future resource needs uncertain.
What GAO Recommends:
To better ensure that the US-VISIT program is worthy of investment, GAO is reiterating its previous recommendations aimed at establishing effective program management capabilities. Additionally, GAO is making several new recommendations designed to encourage stronger management of the initial phases of the US-VISIT program, including implementing effective test management practices and assessing the full impact of future US-VISIT deployment on land port of entry workforce levels and facilities. DHS agreed with all of GAO’s recommendations and most of its observations.
www.gao.gov/cgi-bin/getrpt?GAO-04-586. To view the full product, including the scope and methodology, click on the link above. For more information, contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov.
[End of section]
Contents:
Letter:
Compliance with Legislative Conditions:
Status of Open Recommendations:
Observations on the Expenditure Plan:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Briefing to the Staffs of the Subcommittees on Homeland Security, Senate and House Committees on Appropriations:
Appendix II: Comments from the Department of Homeland Security:
GAO Comments:
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Staff Acknowledgments:
Abbreviations:
ADIS: Arrival Departure Information System
APIS: Advance Passenger Information System
CBP: U.S. Customs and Border Protection
CCD: Consular Consolidated Database
CIO: Chief Information Officer
CIS: U.S. Citizenship and Immigration Services
CLAIMS 3: Computer Linked Application Information Management System 3
DHS: Department of Homeland Security
FFRDC: Federally Funded Research and Development Center
IBIS: Interagency Border Inspection System
ICE: U.S. Immigration and Customs Enforcement
IDENT: Automated Biometric Identification System
INS: Immigration and Naturalization Service
IRB: Investment Review Board
IV&V: independent verification and validation
OMB: Office of Management and Budget
POE: port of entry
RF: radio frequency
RFP: request for proposal
SA-CMM: Software Acquisition Capability Maturity Model
SAT: system acceptance test
SEI: Software Engineering Institute
SER: security evaluation report
SEVIS: Student Exchange Visitor Information System
US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology
Letter
May 11, 2004:
The Honorable Thad Cochran:
Chairman:
The Honorable Robert C. Byrd:
Ranking Minority Member:
Subcommittee on Homeland Security:
Committee on Appropriations:
United States Senate:
The Honorable Harold Rogers:
Chairman:
The Honorable Martin Olav Sabo:
Ranking Minority Member:
Subcommittee on Homeland Security:
Committee on Appropriations:
House of Representatives:
Pursuant to the Department of Homeland Security Appropriations Act, 2004,[Footnote 1] the Department of Homeland Security (DHS) submitted to the Congress in January 2004 its fiscal year 2004 expenditure plan for the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program. US-VISIT is a governmentwide program to collect, maintain, and share information on foreign nationals.[Footnote 2] The program's goals are to enhance national security, facilitate legitimate trade and travel, contribute to the integrity of the U.S. immigration system, and adhere to U.S. privacy laws and policies.
On January 5, 2004, DHS began operating the first stage of its planned US-VISIT operational capability, known as Increment 1, at 115 air and 14 sea ports of entry (POE).
As required by the appropriations act, we reviewed US-VISIT's fiscal year 2004 expenditure plan. Our objectives were to (1) determine whether the expenditure plan satisfies the legislative conditions specified in the act,[Footnote 3] (2) determine the status of our US-VISIT open recommendations,[Footnote 4] and (3) provide any other observations about the expenditure plan and DHS's management of US-VISIT.
On March 2, 2004, we provided your offices with a written briefing detailing the results of our review. This report summarizes and transmits this briefing; the full briefing, including our scope and methodology, is reprinted as appendix I. The purpose of this report is to provide the published briefing slides to you and to officially transmit our recommendations to the Secretary of Homeland Security.
Compliance with Legislative Conditions:
DHS satisfied or partially satisfied each of the applicable legislative conditions specified in the act. In particular, the plan, including related program documentation and program officials' statements, satisfied or provided for satisfying all key aspects of (1) compliance with the DHS enterprise architecture;[Footnote 5] (2) federal acquisition rules, requirements, guidelines, and systems acquisition management practices; and (3) review and approval by DHS and the Office of Management and Budget (OMB). Additionally, the plan, including program documentation and program officials' statements, satisfied or provided for satisfying many, but not all, key aspects of OMB's capital planning and investment review requirements. For example, DHS fulfilled the OMB requirement that it justify and describe its acquisition strategy. However, DHS does not have current life cycle costs or a current cost/benefit analysis for US-VISIT.
Status of Open Recommendations:
DHS has implemented one recommendation and has either partially implemented or initiated action to implement most of the remaining recommendations contained in our reports on the fiscal year 2002 and fiscal year 2003 expenditure plans. Each recommendation, along with its current status, is summarized below:
* Develop a system security plan and privacy impact assessment. The department has partially implemented this recommendation. As to the first part of this recommendation, the program office does not have a system security plan for US-VISIT. However, the US-VISIT Chief Information Officer (CIO) accredited Increment 1 based upon security certifications[Footnote 6] for each of Increment 1's component systems and a review of each component's security-related documentation. Second, although the program office has conducted a privacy impact assessment for Increment 1, the assessment does not satisfy all aspects of OMB guidance for conducting an assessment.
For example, the assessment does not discuss alternatives to the methods of information collection, and the system documentation does not address privacy issues.
* Develop and implement a plan for satisfying key acquisition management controls, including acquisition planning, solicitation, requirements management, program management, contract tracking and oversight, evaluation, and transition to support, and implement the controls in accordance with the Software Engineering Institute's (SEI) guidance.[Footnote 7] The department plans to implement this recommendation. The US-VISIT program office has assigned responsibility for implementing the recommended controls. However, it has not yet developed explicit plans or time frames for defining and implementing them.
* Ensure that future expenditure plans are provided to the department's House and Senate Appropriations Subcommittees in advance of US-VISIT funds being obligated. With respect to the fiscal year 2004 expenditure plan, DHS implemented this recommendation by providing the plan to the Senate and House subcommittees on January 27, 2004. According to the program director, as of February 2004 no funds had been obligated to US-VISIT.
* Ensure that future expenditure plans fully disclose US-VISIT capabilities, schedule, cost, and benefits. The department has partially implemented this recommendation. Specifically, the plan describes high-level capabilities, high-level schedule estimates, categories of expenditures by increment, and general benefits. However, the plan does not describe planned capabilities by increment and provides only general information on how money will be spent in each increment. Moreover, the plan does not identify all expected benefits in tangible, measurable, and meaningful terms, nor does it associate any benefits with increments.
* Establish and charter an executive body composed of senior-level representatives from DHS and each US-VISIT stakeholder organization to guide and direct the program. The department has implemented this recommendation by establishing a three-entity governance structure. The entities are (1) the Homeland Security Council, (2) the DHS Investment Review Board, and (3) the US-VISIT Federal Stakeholders Advisory Board. The purpose of the Homeland Security Council is to ensure the coordination of all homeland security-related activities among executive departments and agencies, and the Investment Review Board is expected to monitor US-VISIT's achievement of cost, schedule, and performance goals. The advisory board is chartered to provide recommendations for overseeing program management and performance activities, including providing advice on the overarching US-VISIT vision; recommending changes to the vision and strategic direction; and providing a communications link for aligning strategic direction, priorities, and resources with stakeholder operations.
* Ensure that human capital and financial resources are provided to establish a fully functional and effective program office. The department is in the process of implementing this recommendation. DHS has determined that US-VISIT will require 115 government personnel and has filled 41 of these, including 12 key management positions. However, 74 positions have yet to be filled, and all filled positions are staffed by detailees from other organizational units within the department.
* Clarify the operational context in which US-VISIT is to operate. The department is in the process of implementing this recommendation. DHS released Version 1 of its enterprise architecture in October 2003,[Footnote 8] and it plans to issue Version 2 in September 2004.
* Determine whether proposed US-VISIT increments will produce mission value commensurate with cost and risks. The department plans to implement this recommendation.
The fiscal year 2004 expenditure plan identifies high-level benefits to be delivered, but the benefits are not associated with specific increments. Additionally, the plan does not identify the total cost of Increment 2. Program officials expected to finalize a cost-benefit analysis this past March and a US-VISIT life cycle cost estimate this past April.
* Define program office positions, roles, and responsibilities. The department is in the process of implementing this recommendation. Program officials are currently working with the Office of Personnel Management to define program position descriptions, including roles and responsibilities. The program office has partially completed defining the competencies for all 12 key management areas. These competencies are to be used in defining the position descriptions.
* Develop and implement a human capital strategy for the program office. The department plans to implement this recommendation in conjunction with DHS's ongoing workforce planning, but program officials stated that they have yet to develop a human capital strategy. According to these officials, DHS's departmental workforce plan is scheduled for completion during fiscal year 2004.
* Develop a risk management plan and report all high-risk areas and their status to the program's governing body on a regular basis. The department has partially implemented this recommendation. The program has completed a draft risk management plan and is currently defining risk management processes. The program is creating a risk management team to operate in lieu of formal processes until these are completed, and also maintains a risk-tracking database that is used to manage risks.
* Define performance standards for each program increment that are measurable and reflect the limitations imposed by relying on existing systems. The department is in the process of implementing this recommendation.
The program office has defined limited performance standards, but not all standards are being defined in a way that reflects the performance limitations of existing systems.
Observations on the Expenditure Plan:
Our observations recognize accomplishments to date and address the need for rigorous and disciplined program management practices relating to system testing, independent verification and validation, and system change control. An overview of specific observations follows:
* Increment 1 commitments were largely met. An initial operating capability for entry (including biographic and biometric data collection) was deployed to 115 air and 14 sea ports of entry on January 5, 2004, with additional capabilities deployed on February 11, 2004. Exit capability (including biometric capture) was deployed to one air and one sea port of entry.
* Increment 1 testing was not managed effectively and was completed after the system became operational. The Increment 1 system acceptance test plan[Footnote 9] was developed largely during and after test execution. The department developed multiple plans, and only the final plan, which was done after testing was completed, included all required content, such as tests to be performed and test procedures. None of the test plan versions, including the final version, were concurred with by the system owner or approved by the IT project manager, as required. By not having a complete test plan before testing began, the US-VISIT program office unnecessarily increased the risk that the testing performed would not adequately address Increment 1 requirements and failed to have adequate assurance that the system was being fully tested. Further, by not fully testing Increment 1 before the system became operational, the program office assumed the risk of introducing errors into the deployed system.
In fact, post-deployment problems surfaced with the Student and Exchange Visitor Information System (SEVIS) interface as a result of this approach, and manual work-arounds had to be implemented.
* The independent verification and validation contractor's roles may be in conflict.[Footnote 10] The US-VISIT program plans to use its contractor to review some of the processes and products that the contractor may be responsible for defining or executing. Depending on the products and processes in question, this approach potentially impedes the contractor's independence, and thus its effectiveness.
* A program-level change control board has not been established.[Footnote 11] Changes related to Increment 1 were controlled primarily through daily coordination meetings (i.e., oral discussions) among representatives from Increment 1 component systems teams and program officials, and the various boards already in place for the component systems. Without a structured and disciplined approach to change control, program officials do not have adequate assurance that changes made to the component systems for non-US-VISIT purposes do not interfere with US-VISIT functionality.
* The fiscal year 2004 expenditure plan does not disclose management reserve funding.[Footnote 12] Program officials, including the program director, stated that reserve funding is embedded within the expenditure plan's various areas of proposed spending. However, the plan does not specifically disclose these embedded reserve amounts. By not creating, earmarking, and disclosing a specific management reserve fund in the plan, DHS is limiting its flexibility in addressing unexpected problems that could arise in the program's various areas of proposed spending, and it is limiting the ability of the Congress to exercise effective oversight of this funding.
* Plans for future US-VISIT increments do not call for additional staff or facilities at land ports of entry.
However, these plans are based on various assumptions that potential policy changes could invalidate. These changes could significantly increase the number of foreign nationals who would require processing through US-VISIT. Additionally, the Data Management Improvement Act Task Force's 2003 Second Annual Report to Congress[Footnote 13] has noted that existing land port of entry facilities do not adequately support even the current entry and exit processes. Thus, future US-VISIT staffing and facility needs are uncertain.
Conclusions:
The fiscal year 2004 US-VISIT expenditure plan (with related program office documentation and representations) at least partially satisfies the legislative conditions imposed by the Congress. Further, steps are planned, under way, or completed to address most of our open recommendations. However, overall progress on all of our recommendations has been slow, and considerable work remains to fully address them. The majority of these recommendations are aimed at correcting fundamental limitations in the program office's ability to manage US-VISIT in a way that reasonably ensures the delivery of mission value commensurate with costs and provides for the delivery of promised capabilities on time and within budget. Given this background, it is important for DHS to implement the recommendations quickly and completely through active planning and continuous monitoring and reporting. Until this occurs, the program will continue to be at high risk of not meeting expectations.
To the US-VISIT program office's credit, the first phase of the program has been deployed and is operating, and the commitments that DHS made regarding this initial operating capability were largely met. However, this was not accomplished in a manner that warrants repeating.
In particular, the program office did not employ the kind of rigorous and disciplined management controls that are typically associated with successful programs, such as effective test management and configuration management practices. Moreover, the second phase of US-VISIT is already under way, and these controls are still not established. These controls, while significant for the initial phases of US-VISIT, are even more critical for the later phases, because the size and complexity of the program will only increase, and the later that problems are found, the harder and more costly they are to fix.
Also important at this juncture in the program's life are the still open questions surrounding whether the initial phases of US-VISIT will return value to the nation commensurate with their costs. Such questions warrant answers sooner rather than later, because of the program's size, complexity, cost, and mission significance.
It is imperative that DHS move swiftly to address the US-VISIT program management weaknesses that we previously identified, by implementing our remaining open recommendations. It is equally essential that the department quickly correct the additional weaknesses that we have identified. Doing less will only increase the risk associated with US-VISIT.
Recommendations for Executive Action:
To better ensure that the US-VISIT program is worthy of investment and is managed effectively, we are reiterating our prior recommendations, and we further recommend that the Secretary of Homeland Security direct the Under Secretary for Border and Transportation Security to ensure that the US-VISIT program director takes the following actions:
* Develop and approve complete test plans before testing begins.
These plans, at a minimum, should (1) specify the test environment, including test equipment, software, material, and necessary training; (2) describe each test to be performed, including test controls, inputs, and expected outputs; (3) define the test procedures to be followed in conducting the tests; and (4) provide traceability between test cases and the requirements to be verified by the testing.
* Establish processes for ensuring the independence of the IV&V contractor.
* Implement effective configuration management practices, including establishing a US-VISIT change control board to manage and oversee system changes.
* Identify and disclose to the Appropriations Committees management reserve funding embedded in the fiscal year 2004 expenditure plan.
* Ensure that all future US-VISIT expenditure plans identify and disclose management reserve funding.
* Assess the full impact of a key future US-VISIT increment on land port of entry workforce levels and facilities, including performing appropriate modeling exercises.
To ensure that our recommendations addressing fundamental program management weaknesses are addressed quickly and completely, we further recommend that the Secretary direct the Under Secretary to have the program director develop a plan, including explicit tasks and milestones, for implementing all of our open recommendations, including those provided in this report. We further recommend that this plan provide for periodic reporting to the Secretary and Under Secretary on progress in implementing this plan. Lastly, we recommend that the Secretary report this progress, including reasons for delays, in all future US-VISIT expenditure plans.
Agency Comments and Our Evaluation:
In written comments on a draft of this report signed by the US-VISIT Director (reprinted in app. II, along with our responses), DHS agreed with our recommendations and most of our observations.
It also stated that it appreciated the guidance that the report provided and described actions that it is taking or plans to take in response to our recommendations. However, DHS stated that it did not fully agree with all of our findings, specifically offering comments on our characterization of the status of one open recommendation and two observations.
First, it did not agree with our position that it had not developed a security plan and completed a privacy impact assessment. According to DHS, it has completed both. We acknowledge DHS's activity on both of these issues, but disagree that completion of an adequate security plan and privacy impact assessment has occurred. As we state in the report, the department's security plan for US-VISIT, titled Security and Privacy: Requirements & Guidelines Version 1.0, is a draft document, and it does not include information consistent with relevant guidance for a security plan, such as a risk assessment methodology and specific controls for meeting security requirements.[Footnote 14] Moreover, much of the document discusses guidelines for developing a security plan, rather than specific contents of a plan. Also, as we state in the report, the Privacy Impact Assessment was published but is not complete because it does not satisfy important parts of OMB guidance governing the content of these assessments, such as discussing alternatives to the designed methods of information collection and handling.
Second, DHS stated that it did not fully agree with our observation that the Increment 1 system test plan was developed largely during and after testing, citing several steps that it took as part of Increment 1 requirements definition, test preparation, and test execution.
However, none of the steps cited address our observations that DHS did not have a system acceptance test plan developed, approved, and available in time to use as the basis for conducting system acceptance testing and that only the version of the test plan modified on January 16, 2004 (after testing was completed) contained all of the required test plan content. Moreover, DHS's comments acknowledge that the four versions of its Increment 1 test plan were developed during the course of test execution, and that the test schedule did not permit sufficient time for all stakeholders to review, and thus approve, the plans.
Third, DHS commented on the roles and responsibilities of its various support contractors, and stated that we cited the wrong operative documentation governing the role of its independent verification and validation contractor. While we do not question the information provided in DHS's comments concerning contractor roles, we would add that its comments omitted certain roles and responsibilities contained in the statement of work for one of its contractors. This omitted information is important because it is the basis for our observation that the program office planned to task the same contractor that was responsible for program management activities with performing independent verification and validation activities. Under these circumstances, the contractor could not be independent. In addition, we disagree with DHS's comment that we cited the wrong operative documentation, and note that the document DHS said we should have used relates to a different support contractor than the one tasked with both performing program activities and performing independent verification and validation activities.
The department also provided additional technical comments, which we have incorporated as appropriate into the report.
We are sending copies of this report to the Chairmen and Ranking Minority Members of other Senate and House committees and subcommittees that have authorization and oversight responsibilities for homeland security. We are also sending copies to the Secretary of State and the Director of OMB. Copies of this report will also be available at no charge on our Web site at [Hyperlink, http://www.gao.gov].
Should you or your offices have any questions on matters discussed in this report, please contact me at (202) 512-3439 or at [Hyperlink, hiter@gao.gov]. Another contact and key contributors to this report are listed in appendix III.
Signed by:
Randolph C. Hite, Director, Information Technology Architecture and Systems Issues:
[End of section]
Appendixes:
Appendix I: Briefing to the Staffs of the Subcommittees on Homeland Security, Senate and House Committees on Appropriations:
[See PDF for image]
[End of figure]
[End of section]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security
Washington, DC 20528:
27 April 2004:
Randolph C. Hite:
Director, Information Technology Architecture And Systems Issues:
U.S. General Accounting Office
Washington, DC 20548:
Dear Mr. Hite:
Thank you for the opportunity to review the draft report, Homeland Security: First Phase of Visitor and Immigration Status Program Operating, but Improvements Needed (GAO-04-586). The Department of Homeland Security largely agrees with GAO on the majority of the findings. However, there are some findings with which we cannot agree, and we have provided appropriate comments in the enclosure. You will also note that we have concurred with, and addressed, the new recommendations generated by this review.
As you know, US-VISIT represents the greatest advancement in border technology in three decades.
The Department of Homeland Security established US-VISIT to achieve the following goals:
* Enhance the safety of our citizens and visitors;
* Facilitate legitimate travel and trade;
* Ensure the integrity of our immigration system; and
* Protect the privacy of travelers to the United States.
The first increment of US-VISIT was deployed on time and within budget, and has exceeded the mandate established by Congress as it includes biometrics ahead of schedule. On January 5, 2004, US-VISIT entry procedures were operational at 115 airports and 14 seaports and by the end of this year US-VISIT will be in operation at our 50 busiest land ports of entry. In addition, we began pilot testing biometric exit procedures at one airport and one seaport and will be expanding to additional pilot locations later this summer.
As of April 20, 2004, more than three million foreign visitors have been processed through the US-VISIT entry procedures - without any increase in wait times. On average, US-VISIT procedures take less than 15 seconds during the inspection process. US-VISIT has already matched over 300 persons against criminal databases and prevented more than 100 known or suspected criminals from entering the country. Over 200 were matched while applying for a visa at a State Department post overseas. Through the US-VISIT biometric process, the Departments of Homeland Security and State have identified many individuals who are the subjects of lookout records. These included rapists, drug traffickers, convicted criminals, and those who have committed immigration offenses or visa fraud.
US-VISIT is critical to our national security as well as our economic security, and its implementation is already making a significant contribution to the efforts of the Department to provide a safer and more secure America. We recognize that we have a long way still to go.
We will build upon the initial framework and solid foundation to ensure that we continue to meet our goals of enhancing the security of our citizens and visitors while facilitating travel for the millions of visitors we welcome each year. For all the successes of US-VISIT, the Department realizes, and your report supports the fact, that we need to improve the management of the program. We have already established a great deal of the foundation for meeting future challenges and will continue to improve the necessary disciplines for excellent program management. We realize that much needs to be done, and we appreciate the guidance that reports such as this provide.
Sincerely,
Signed by: James A. Williams:
Enclosure:
Enclosure: Proposed Changes, Clarifications, and Responses to Recommendations for Draft Report GAO-04-586:
Letter to Sen. Cochran and Rep. Rogers:
Page 3, Status of Open Recommendations:
1. Develop a system security plan and privacy impact assessment. The US-VISIT program does have an existing security plan. In addition, as GAO notes in the explanation of this action item, US-VISIT did complete a Privacy Impact Assessment for Increment 1. As US-VISIT proceeds with future increments, these documents will be updated to reflect changes in the program.
Pages 3-6, Status of Open Recommendations 2 through 12: With respect to recommendations 2 through 12, we recognize that GAO acknowledges that US-VISIT has implemented, partially implemented, or plans to implement them. While we could offer minor clarifications to the status of these issues, we agree in general with the recommendations and therefore provide no further comment.
Page 6, Observations on the Expenditure Plan: A management reserve fund has been identified in the amount of $33 million in fiscal year 2004. However, this was not specifically detailed in the FY 2004 Expenditure Plan.
While we concur with the concept for such a reserve, our concern lies with any potential restrictions and/or new approval processes that may accompany such a set-aside.
Page 10, Recommendations for Executive Action:
1. Develop and approve complete test plans before testing begins. These plans, at a minimum, should (1) specify the test environment, including test equipment, software, material, and necessary training; (2) describe each test to be performed, including test controls, inputs, and expected outputs; (3) define the test procedures to be followed in conducting the tests; and (4) provide traceability between test cases and the requirements to be verified by the testing. We concur. Complete test plans will be developed and approved before future testing begins. Corrective action completed.
2. Establish processes for ensuring the independence of the IV&V contractor. We concur. US-VISIT is aggressively researching IV&V resources that will be utilized to independently evaluate any future development work to be performed by the US-VISIT prime integrator and future increments. Corrective action completed.
3. Implement effective configuration management practices, including establishing a US-VISIT change control board to manage and oversee system changes. We concur. Effective configuration management practices for US-VISIT will be implemented. Corrective action in progress.
4. Identify and disclose management reserve funding embedded in the fiscal year 2004 expenditure plan to the Appropriations Committees. We concur. The FY 2004 Expenditure Plan has been revised to identify a $33 million management reserve, separate from incremental spending. Corrective action completed.
5. Ensure that all future US-VISIT expenditure plans identify and disclose management reserve funding. We concur. All future expenditure plans will identify and disclose management reserve funding. Corrective action completed.
6. Assess the full impact of a key future US-VISIT increment [2B] on land port of entry workforce levels and facilities, including performing appropriate modeling exercises. We concur. A full reassessment of the impact of Increment 2B will be performed with the new prime contractor, pending award of the contract in May 2004. Corrective action in progress.
Slides:
Slide 58: The listing of membership for the US-VISIT Advisory Board needs correction. The "Associate Director of Operations, Customs and Immigration Services" needs to be changed to "...Citizenship and Immigration Services." In addition, the "Assistant Commissioner, Office of Field Operations, Customs and Border Protection" needs to be added.
Slide 70, Observation 2: The system test (SAT) plan was developed largely during and after testing (and Recommendations, Slide 103). US-VISIT does not fully concur with the observation that the systems test plan was developed largely during and after testing. A comprehensive test strategy outlining the work pattern to be followed for independent end-to-end testing was developed in a structured and disciplined fashion and was approved by the US-VISIT Chief Information Officer in May 2003. This document outlined the environment and interfaces to be tested, as well as assumptions and constraints. Coordination between the US-VISIT IV&V contractor and the component development teams (CBP/ICE/TSA/CIS) took place from July through September 2003 to ensure that Use Cases were documented from the US-VISIT Functional Requirements Document and that technical requirements regarding the environment were resolved prior to the commencement of testing in September 2003. These Use Cases were the basis for the development of the Draft Test Plan that was delivered on September 19, 2003.
Furthermore, since US-VISIT Increment 1 leveraged established systems, test cases were available in previous test plans and were established in the test cases repository of Test Director (the software toolset/application utilized by the independent testers). Additional versions of the Test Plan were developed throughout the Systems Assurance Testing period due to corrections or inclusion of clarifying data provided by the component development teams. Throughout this iterative process the overarching Use Cases were never modified. US-VISIT does agree with GAO's observation that the compressed timeline did not allow ample time for all US-VISIT stakeholders to review the draft Test Plan, although daily status reports were provided as a basis for validating that all Use Cases were fully tested, as documented in the Test Analysis Report.
Slides 90-91: The US-VISIT program office was established in July 2003 and acquired two contractors, PEC (Program Office Support) and the MITRE Corporation (FFRDC), to initially help with the implementation of the program office (PO), acquisition of a prime contractor, and establishment of SA-CMM compliant processes and procedures to guide and manage the US-VISIT program acquisition. During the initiation phase, PEC is responsible for helping the PO with the establishment of plans, processes, and procedures for program planning and program/project management and control. Once these processes are established, PEC will assist in executing these processes, under PO direction. MITRE is responsible for assisting with strategic planning for the program and PO. MITRE is also responsible for assisting the PO in the acquisition and source selection of the prime contractor, and for working with PEC to ensure that the program planning, management, and control processes being developed are SA-CMM compliant and that an effective process improvement program is being put in place.
As the program moves to the execution phase, PEC will continue to provide program management planning and process execution support. MITRE will focus on providing oversight of the prime contractor and PO support contractor to ensure that:
* SA-CMM compliant processes are being followed;
* The plans, designs, and products being developed by the prime contractor address the program requirements, conform to the DHS enterprise architecture, and are cost-effective for the government;
* The program risks are being identified and managed;
* The performance of the program (US-VISIT mission goals and program management controls) is being measured and validated.
Slide 90, Observation 5: Independent verification and validation (IV&V) contractor's roles may be conflicting. The US-VISIT program office endorses the concept of Independent Validation and Verification (IV&V) as a mechanism to provide an independent review of system processes and work products. Furthermore, US-VISIT recognizes the need for the IV&V to be independent of the processes and products that are being developed. US-VISIT utilized an existing IV&V vehicle for Increment 1 that was available through the Bureau of Immigration and Customs Enforcement (ICE) and identified by DHS as a center of excellence. Unit testing was performed by component system owners and their respective application development contractors under distinctly separate task orders, while end-to-end, security, and performance testing was completed by SAIC. The technology IV&V work completed under this contract vehicle was provided by SAIC under Task Order 02-SM/I-IRM-417, dated September 25, 2003. GAO incorrectly cited the July 18, 2003, statement of work for other general program and project management support. The scope of the September 25, 2003, task order specifically addressed the provision for technical governance, systems assurance standards and direction, as well as independent end-to-end testing.
Slide 92, Observation 6: Program-level change control board has not been established (and Recommendations, Slide 103). The US-VISIT program office endorses a structured and disciplined approach to change control and is actively building a process to establish and maintain the integrity of work products with its stakeholders. While the principles of software configuration management were followed based on the ICE Enterprise Systems Assurance Plan (i.e., the establishment of a Functional Baseline [FB] and Allocated Baseline [AB], versioned naming conventions for software, and recording all documentation to an Enterprise Library), a formal Change Control Board was not established prior to the implementation of Increment 1. It is the intention of the US-VISIT Program Office to institute a CM process that will define policy for any modifications or System Change Requests for any future releases of software.
The following are GAO's comments on the Department of Homeland Security's letter dated April 27, 2004.
GAO Comments:
1. We do not agree that the US-VISIT program has a security plan. In response to our request for the US-VISIT security plan, DHS provided a draft document entitled Security and Privacy: Requirements & Guidelines Version 1.0. However, as we state in the report, this document does not include information consistent with relevant guidance for a security plan.[Footnote 15] For example, this guidance states that a system security plan should (1) provide an overview of the system security requirements, (2) include a description of the controls in place or planned for meeting the requirements, (3) delineate roles and responsibilities of all individuals who have access to the system, (4) describe the risk assessment methodology to be used, and (5) address security awareness and training. The document provided by DHS addressed two of these requirements: security requirements and training and awareness.
As we state in the report, the document does not (1) describe specific controls to satisfy the security requirements, (2) describe the risk assessment methodology, and (3) identify roles and responsibilities of individuals with system access. Further, much of the document discusses guidelines for developing a security plan, rather than providing the specific content expected of a plan.
2. Although DHS has completed a Privacy Impact Assessment for Increment 1, the assessment is not consistent with the Office of Management and Budget guidance.[Footnote 16] This guidance says that a Privacy Impact Assessment should, among other things, (1) identify appropriate measures for mitigating identified risks, (2) discuss the rationale for the final design or business process choice, (3) discuss alternatives to the designed information collection and handling, and (4) address whether privacy is provided for in system development and documentation. While the Privacy Impact Assessment for US-VISIT Increment 1 discusses mitigation strategies for identified risks and briefly discusses the rationale for design choices, it does not discuss alternatives to the designed information collection and handling. Further, Increment 1 system documentation does not address privacy.
3. DHS's comments did not include a copy of its revised fiscal year 2004 expenditure plan because, according to an agency official, OMB has not yet approved the revised plan for release, and thus we cannot substantiate its comments concerning either the amount or the disclosure of management reserve funding. Further, we are not aware of any unduly burdensome restrictions and/or approval processes for using such a reserve. We have modified our report to reflect DHS's statement that it supports establishing a management reserve and the status of revisions to its expenditure plan.
4. We have modified the report as appropriate to reflect these comments and subsequent oral comments concerning the membership of the US-VISIT Advisory Board.
5. We do not believe that DHS's comments provide any evidence to counter our observation that the system acceptance test plan was developed largely during and after testing. In general, these comments concern the Increment 1 test strategy, test contractor and component system development team coordination, Increment 1 use cases, and pre-existing component system test cases, none of which are related to our point about the completeness of the four versions of the test plan. More specifically, our observation does not address whether or not an Increment 1 test strategy was developed and approved, although we would note that the version of the strategy that the program office provided to us was incomplete, was undated, and did not indicate any level of approval. Further, our observation does not address whether some unspecified level of coordination occurred between the test contractor and the component system development teams; it does not concern the development, modification, and use of Increment 1 "overarching" use cases, although we acknowledge that such use cases are important in developing test cases; and it does not address the pre-existence of component system test cases and their residence in a test case repository, although we note that when we previously asked for additional information on this repository, none was provided. Rather, our observation concerns whether a sufficiently defined US-VISIT Increment 1 system acceptance test plan was developed, approved, and available in time to be used as the basis for conducting system acceptance testing. As we state in the report, to be sufficient such a plan should, among other things, define the full complement of test cases, including inputs and outputs, and the procedures for executing these test cases.
Moreover, these test cases should be traceable to system requirements. However, as we state in our report, this content was added to the Increment 1 test plan during the course of testing, and only the version of the test plan modified January 16, 2004, contained all of this content. Moreover, DHS's comments recognize that these test plan versions were developed during the course of test execution and that the test schedule did not permit sufficient time for all stakeholders to review the versions.
6. We do not disagree with DHS's comments describing the roles and responsibilities of its program office support contractor and its Federally Funded Research and Development Center (FFRDC) contractor. However, DHS's description of the FFRDC contractor's roles and responsibilities does not cover all of the taskings envisioned for this contractor. Specifically, DHS's comments state that the FFRDC contractor is to execute such program and project management activities as strategic planning, contractor source selection, acquisition management, risk management, and performance management. These roles and responsibilities are consistent with the FFRDC contractor's statement of work that was provided by DHS. However, DHS's comments omit other roles and responsibilities specified in this statement of work. In particular, the comments do not cite that this contractor is also to conduct audits and evaluations in the form of independent verification and validation activities. It is this audit and evaluation role, particularly the independence element, which is the basis for our concern and observation. As we note above and state in the report, US-VISIT program plans and the contractor's statement of work provide for using the same contractor both to perform program and project management activities, including creation of related products, and to assess those activities and products.
Under these circumstances, the contractor could not be sufficiently independent to effectively discharge the audit and evaluation tasks.
7. We do not agree with DHS's comment that we cited the wrong operative documentation pertaining to US-VISIT independent verification and validation plans. As discussed in our comment No. 6, the statement of work that we cite in the report relates to DHS plans to use the FFRDC contractor to both perform program and project management activities and develop related products and to audit and evaluate those activities and products. The testing contractor and testing activities discussed in DHS comments are separate and distinct from our observation about DHS plans for using the FFRDC contractor. Accordingly, our report does not make any observation regarding the independence of the testing contractor.
8. We agree that US-VISIT lacks a change control board and support DHS's stated commitment to establish a structured and disciplined change control process that would include such a board.
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact: Deborah Davis, (202) 512-6261:
Staff Acknowledgments: In addition to the individual named above, Barbara Collier, Gary Delaney, Neil Doherty, Tamra Goldstein, David Hinchman, Thomas Keightley, John Mortin, Debra Picozzi, Karl Seifert, and Jessica Waselkow made key contributions to this report.
(310277):
FOOTNOTES
[1] Pub. L. 108-90 (Oct. 1, 2003).
[2] The US-VISIT program has a large number of government stakeholders, including the Departments of State, Transportation, Commerce, Justice, and the General Services Administration. State will play a significant role in creating a coordinated and interlocking network of border security by gathering biographic and biometric data during the application process for visas, grants of visa status, and the issuance of travel documentation.
DHS inspectors will use this information at ports of entry to verify the identity of the foreign national.
[3] The legislative conditions are that the plan (1) meet the capital planning and investment control review requirements established by the Office of Management and Budget (OMB), including those in OMB Circular A-11, part 3 (capital investment and control requirements are now found in part 7, rather than part 3); (2) comply with DHS's enterprise architecture; (3) comply with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government; (4) be reviewed and approved by DHS and OMB; and (5) be reviewed by GAO.
[4] Our previous recommendations regarding US-VISIT's expenditure plans were published in U.S. General Accounting Office, Information Technology: Homeland Security Needs to Improve Entry Exit System Expenditure Planning, GAO-03-563 (Washington, D.C.: June 9, 2003) and Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed, GAO-03-1083 (Washington, D.C.: Sept. 19, 2003).
[5] Enterprise architectures are blueprints, or models, simplifying the complexity of how agencies operate today, how they want to operate in the future, and how they will get there.
[6] Accreditation is the authorization and approval granted to a system to process sensitive data in an operational environment; this is made on the basis of a compliance certification by designated technical personnel of the extent to which design and implementation of the system meet defined technical requirements for achieving data security. Certification is the evaluation of the extent to which a system meets a set of security requirements.
[7] Carnegie Mellon University Software Engineering Institute, Software Acquisition Capability Maturity Model, Version 1.03 (March 2002) defines acquisition process management controls for planning, managing, and controlling software-intensive system acquisitions.
[8] Department of Homeland Security Enterprise Architecture Compendium Version 1.0 and Transitional Strategy.
[9] The purpose of system acceptance testing is to verify that the complete system satisfies functional, performance, and security requirements and is acceptable to end users.
[10] The purpose of independent verification and validation (IV&V) is to provide an independent review of system processes and products. To be effective, the IV&V function must be performed by an entity that is independent of the processes and products that are being reviewed.
[11] The purpose of configuration management is to establish and maintain the integrity of work products (e.g., hardware, software, and documentation). A key ingredient to effectively controlling configuration change is the functioning of a change control board.
[12] The creation and use of a management reserve fund to earmark resources for addressing the many uncertainties that are inherent in large-scale systems acquisition programs is an established practice and a prudent management approach.
[13] Data Management Improvement Act Task Force, Second Annual Report to Congress (Washington, D.C., December 2003).
[14] Office of Management and Budget Circular Number A-130, Revised (Transmittal Memorandum No. 4), Appendix III, "Security of Federal Automated Information Resources" (Nov. 28, 2000) and National Institute of Standards and Technology, Guide for Developing Security Plans for Information Systems, NIST Special Publication 800-18 (December 1998).
[15] Office of Management and Budget Circular Number A-130, Revised (Transmittal Memorandum No. 4), Appendix III, "Security of Federal Automated Information Resources" (Nov. 28, 2000) and National Institute of Standards and Technology, Guide for Developing Security Plans for Information Systems, NIST Special Publication 800-18 (December 1998).
[16] OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, OMB M-03-22 (Sept. 26, 2003).
GAO's Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site (www.gao.gov) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading.
Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office, 441 G Street NW, Room LM, Washington, D.C. 20548:
To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149, Washington, D.C. 20548: