This is the accessible text file for GAO report number GAO-06-296 
entitled 'Homeland Security: Recommendations to Improve Management of 
Key Border Security Program Need to Be Implemented' which was released 
on February 14, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

February 2006: 

Homeland Security: 

Recommendations to Improve Management of Key Border Security Program 
Need to Be Implemented: 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-296]: 

GAO Highlights: 

Highlights of GAO-06-296, a report to congressional requesters: 

Why GAO Did This Study: 

The Department of Homeland Security (DHS) has established a program—the 
U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT)—to 
collect, maintain, and share information, including biometric 
identifiers, on selected foreign nationals entering and exiting the 
United States. US-VISIT uses these identifiers (digital fingerscans and 
photographs) to screen persons against watch lists and to verify that a 
visitor is the person who was issued a visa or other travel document. 
Visitors are also to confirm their departure by having their visas or 
passports scanned and undergoing fingerscanning at selected air and sea 
ports of entry (POE). GAO has made many recommendations to improve the 
program, all of which DHS has agreed to implement. GAO was asked to 
report on DHS’s progress in responding to 18 of these recommendations. 

What GAO Found: 

The current status of DHS’s implementation of the 18 recommendations is 
mixed, but progress in critical areas has been slow. DHS has 
implemented 2 of the recommendations: it defined program staff 
positions, roles, and responsibilities, and it hired an independent 
verification and validation contractor. It has also taken steps to 
implement the other recommendations, partially completing 11 and 
beginning to implement another 5.

* In September 2003, GAO reported that the program had not assessed the 
costs and benefits of Increment 1 (which provides entry capabilities to 
air and sea POEs) and recommended that the program determine whether 
proposed increments will produce mission value commensurate with cost. 
In the latest cost-benefit analysis, dated June 23, 2005, the program 
identified potential costs and benefits for three alternatives for an 
air and sea exit solution. However, the analysis does not meet key 
Office of Management and Budget criteria; for example, it does not 
include a complete uncertainty analysis, which helps to provide 
decision makers with perspective on the potential variability of the 
cost and benefit estimates should circumstances change.

* GAO reported in May 2004 and February 2005 that system testing was 
not based on well-defined test plans and recommended that before 
testing begins, the program develop and approve test plans meeting 
certain criteria. However, although the latest test plan did cover many 
required areas (such as the tests to be performed), it did not 
adequately trace between test cases and the requirements to be verified 
by testing. Without complete and traceable test plans, the risk is 
increased that the deployed system will not perform as intended.

* In May 2004, GAO reported that the program had not assessed its 
workforce and facility needs for Increment 2B (which extends entry 
capabilities to the 50 busiest land POEs) and recommended that it do 
so. Since then, the program evaluated the processing times to issue and 
process entry/exit forms at 3 of the 50 busiest POEs and concluded that 
the results showed that no additional staff and only minor facilities 
modifications were required. However, the scope of the evaluation was 
limited. Since then, DHS has deployed and implemented Increment 2B 
capabilities to these 50 POEs, making the collection of predeployment 
baseline data for these sites impractical. Nonetheless, other 
alternatives, such as surveying site officials about the increment’s 
impacts, have yet to be explored. Until they are, the program may not 
be able to accurately project resource needs or make any needed 
modifications to achieve its goals of minimizing US-VISIT’s impact on 
POE operations, which was the impetus for GAO’s recommendation.

DHS attributed the pace of progress to competing demands on time and 
resources. The longer that US-VISIT takes to implement the 
recommendations, the greater the risk that the program will not meet 
its stated goals on time and within budget.

What GAO Recommends: 

GAO is closing its existing recommendation related to DHS’s assessment 
of Increment 2B and recommending that DHS explore alternative means to 
fully assess the impact of US-VISIT entry capabilities on land POEs. In 
its comments on a draft of this report, DHS stated that it agreed with 
many areas of the report and disagreed with others. It also concurred 
with the need to quickly implement GAO’s open recommendations. 

www.gao.gov/cgi-bin/getrpt?GAO-06-296. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Randolph C. Hite at (202) 
512-3439 or hiter@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

The Status of DHS's Implementation of Our Recommendations Is Mixed: 

Conclusions: 

Recommendation for Executive Action: 

Agency Comments and Our Evaluation: 

Appendixes: 

Appendix I: Objective, Scope, and Methodology: 

Appendix II: Comments from the Department of Homeland Security: 

Appendix III: Description of US-VISIT Processes: 

Pre-entry Process: 

Entry Process: 

Status Management Process: 

Exit Process: 

Analysis Process: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: US-VISIT Satisfaction of OMB Economic Analysis Criteria: 

Table 2: Reduction in Reported Processing Times for Increment 2B Pilot 
and Full Deployment: 

Table 3: Satisfaction of SEI's 13 Cost-Estimating Criteria: 

Figures: 

Figure 1: US-VISIT Program Office Structure: 

Figure 2: DHS's Progress toward Implementing GAO's 18 Recommendations: 

Figure 3: Summary of Program Office Structure, Functions, and Filled 
and Vacant Positions: 

Figure 4: US-VISIT Process Overview: 

Abbreviations: 

ACE: Automated Commercial Environment: 

ADIS: Arrival Departure Information System: 

AIDMS: Automated Identification Management System: 

APIS: Advance Passenger Information System: 

APMO: Acquisition and Program Management Office: 

CBA: cost-benefit analysis: 

CBP: Customs and Border Protection: 

CLAIMS 3: Computer Linked Application Information Management System: 

CMMI: Capability Maturity Model-Integration: 

DHS: Department of Homeland Security: 

ICE: Immigration and Customs Enforcement: 

IDENT: Automated Biometric Identification System: 

IV&V: independent verification and validation: 

NIST: National Institute of Standards and Technology: 

NSEERS: National Security Entry Exit Registration System: 

OMB: Office of Management and Budget: 

OPM: Office of Personnel Management: 

POE: port of entry: 

RF: radio frequency: 

SEI: Software Engineering Institute: 

SEVIS: Student Exchange Visitor Information System: 

TECS: Treasury Enforcement Communications Systems: 

US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology: 

Letter February 14, 2006: 

Congressional Requesters: 

The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) 
is a multibillion-dollar program of the Department of Homeland Security 
(DHS) that is intended to record the entry into and exit from the 
United States of selected individuals, verify their identity, and 
confirm their compliance with the terms of their admission into and 
stay in the United States. The goals of the program are to (1) enhance 
the security of our citizens and visitors, (2) facilitate legitimate 
travel and trade, (3) ensure the integrity of the U.S. immigration 
system, and (4) protect the privacy of our visitors. 

Since fiscal year 2002, DHS has been legislatively directed to submit 
annual expenditure plans for the program, and we have been directed to 
review these plans and issue reports. These reports have, among other 
things, identified risks that face the department in delivering 
promised program capabilities and benefits on time and within 
cost.[Footnote 1] For example, we reported that the program office did 
not have the human capital and acquisition process discipline needed to 
effectively manage the program. Because of the number and severity of 
program management challenges that we identified, we concluded that the 
program was risky. 

To address program risks, our reports have included 18 recommendations 
in such areas as system acquisition process controls, economic 
justification, human capital management, cost estimating, and test 
management, all of which DHS has agreed to implement.[Footnote 2] 
Because of your continued interest in ensuring that DHS is taking the 
necessary actions to successfully implement US-VISIT, you asked us to 
determine the progress being made in implementing these 
recommendations. To achieve this objective, we analyzed program plans, 
reports, and system documentation relative to the intent of each of our 
recommendations, and we interviewed appropriate DHS and program 
officials. (Further details on our objective, scope, and methodology 
are provided in app. I.) Our work was performed from August 2005 
through December 2005 in accordance with generally accepted government 
auditing standards. 

Results in Brief: 

The current status of DHS's implementation of the 18 recommendations is 
mixed, but progress in critical areas has been slow. DHS has 
implemented 2 of the recommendations: it defined program staff 
positions, roles, and responsibilities, and it hired an independent 
verification and validation contractor. It has also taken steps to 
implement the other recommendations, partially completing 11 and 
beginning to implement another 5. However, although considerable time 
has passed since the recommendations were made, key actions have not 
yet been taken in such critical areas as (1) assessing security risks 
and planning for cost-effective controls to address the risks, (2) 
determining--before US-VISIT increments are deployed--whether each 
increment will produce mission value commensurate with cost and risk, 
and (3) ensuring that each increment is adequately tested. Of the 11 
recommendations that are partially implemented, 7 are about 2 years 
old, and 4 are about 10 to 19 months old. Of the 5 that are in 
progress, 3 are about 10 months old.[Footnote 3] According to the 
Program Director, the pace of progress is attributable to competing 
demands on time and resources. The longer that US-VISIT takes to 
implement the recommendations, the greater the risk that the program 
will not meet its stated goals on time and within budget. 

DHS provided written comments on a draft of this report. In its 
comments, the department stated that it agreed with many areas of the 
report and that our recommendations had made US-VISIT a stronger 
program. Further, the department stated that while it disagreed with 
certain areas of the report, it nevertheless concurred with the need to 
implement our open recommendations with all due speed and diligence. 
One area of disagreement was regarding the program's ability to 
thoroughly assess the impact of US-VISIT entry capabilities on the 50 
busiest land port of entry (POE) facilities and staffing levels, an 
assessment that we called for in our recommendation. In particular, DHS 
stated that since US-VISIT was operational at these POEs, the 
collection of predeployment baseline performance data was no longer 
practical. In light of these comments, we are making a new 
recommendation to the Secretary of DHS that recognizes these facts and 
circumstances and that replaces the open recommendation discussed in 
this report. This recommendation provides for the department to explore 
alternative means of assessing the impact of US-VISIT entry 
capabilities on land POE facilities and staffing levels. All of DHS's 
comments, along with our responses, are discussed in detail in the 
Agency Comments and Our Evaluation section of this report. The comments 
are also reprinted in their entirety in appendix II. 

Background: 

US-VISIT is a governmentwide program intended to enhance the security 
of U.S. citizens and visitors, facilitate legitimate travel and trade, 
ensure the integrity of the U.S. immigration system, and protect the 
privacy of our visitors. Its scope includes the pre-entry, entry, 
status, and exit of hundreds of millions of foreign national travelers 
who enter and leave the United States at over 300 air, sea, and land 
POEs, and the provision of new analytical capabilities across the 
overall process. 

To achieve its goals, US-VISIT uses biometric information (digital 
fingerscans and photographs) to verify identity.[Footnote 4] In many 
cases, the US-VISIT process begins overseas at U.S. consular offices, 
which collect biometric information from applicants for visas and check 
this information against a database of known criminals and suspected 
terrorists. When a visitor arrives at a POE, the biometric information 
is used to verify that the visitor is the person who was issued the 
visa. In addition, at certain sites, visitors are required to confirm 
their departure by undergoing US-VISIT exit procedures--that is, having 
their visas or passports scanned and undergoing fingerscanning. The 
exit confirmation is added to the visitor's travel records to 
demonstrate compliance with the terms of admission to the United 
States. (App. III provides a detailed description of the pre-entry, 
entry, status, exit, and analysis processes.) 

Key US-VISIT functions include: 

* collecting, maintaining, and sharing information on certain foreign 
nationals who enter and exit the United States; 

* identifying foreign nationals who (1) have overstayed or violated the 
terms of their admission; (2) may be eligible to receive, extend, or 
adjust their immigration status; or (3) should be apprehended or 
detained by law enforcement officials; 

* detecting fraudulent travel documents, verifying traveler identity, 
and determining traveler admissibility through the use of biometrics; 
and

* facilitating information sharing and coordination within the 
immigration and border management community. 

In July 2003, DHS established a program office with responsibility for 
managing the acquisition, deployment, operation, and sustainment of the 
US-VISIT system and its associated supporting people (e.g., Customs and 
Border Protection (CBP) officers), processes (e.g., entry/exit policies 
and procedures), and facilities (e.g., inspection booths and lanes), in 
coordination with its stakeholders (CBP and the Department of State). 

As of October 2005, about $1.4 billion has been appropriated for the 
program, and, according to program officials, about $962 million has 
been obligated. 

Acquisition and Implementation Strategy: A Brief Description: 

DHS plans to deliver US-VISIT capability in four increments, with 
Increments 1 through 3 being interim, or temporary, solutions that 
fulfill legislative mandates to deploy an entry/exit system, and 
Increment 4 being the implementation of a long-term vision that is to 
incorporate improved business processes, new technology, and 
information sharing to create an integrated border management system 
for the future. In Increments 1 through 3, the program is building 
interfaces among existing ("legacy") systems; enhancing the 
capabilities of these systems; and deploying these capabilities to air, 
sea, and land POEs. These increments are to be largely acquired and 
implemented through existing system contracts and task orders. 

In May 2004, DHS awarded an indefinite-delivery/indefinite-quantity[Footnote 5] 
prime contract to Accenture and its partners. 
According to the contract, the prime contractor will help support the 
integration and consolidation of processes, functionality, and data, 
and it will develop a strategy to build on the technology and 
capabilities already available to produce the strategic solution, while 
also assisting the program office in leveraging existing systems and 
contractors in deploying the interim solutions. 

US-VISIT Is Being Implemented in Four Increments: 

Increment 1 concentrates on establishing capabilities at air and sea 
POEs. It is divided into two parts--1 and 1B. 

* Increment 1 (air and sea entry) includes the electronic capture and 
matching of biographic and biometric information (two digital index 
fingerscans and a digital photograph) for selected foreign nationals, 
including those from visa waiver countries.[Footnote 6] Increment 1 was 
deployed on January 5, 2004, for individuals requiring a nonimmigrant 
visa to enter the United States, through the modification of 
pre-existing systems.[Footnote 7] These modifications accommodated the 
collection and maintenance of additional data fields and established 
interfaces required to share data among DHS systems in support of entry 
processing at 115 airports and 14 seaports. 

* Increment 1B (air and sea exit) involves the testing of exit devices 
to collect biometric exit data for select foreign nationals at 11 
airports and seaports. Three exit alternatives were pilot tested: 

* Kiosk--A self-service device (which includes a touch-screen 
interface, document scanner, finger scanner, digital camera, and 
receipt printer) that captures a digital photograph and fingerprint and 
prints out an encoded receipt. 

* Mobile device--A hand-held device that is operated by a workstation 
attendant;[Footnote 8] it includes a document scanner, finger scanner, 
digital camera, and receipt printer and is used to capture a digital 
photograph and fingerprint. 

* Validator--A hand-held device that is used to capture a digital 
photograph and fingerprint, which are then matched to the photograph 
and fingerprint captured via the kiosk and encoded in the receipt. 

Increment 2 focuses primarily on extending US-VISIT to land POEs. It is 
divided into three parts--2A, 2B, and 2C. 

* Increment 2A (air, sea, and land) includes the capability to 
biometrically compare and authenticate valid machine-readable visas and 
other travel and entry documents issued by State and DHS to foreign 
nationals at all POEs. Increment 2A was deployed on October 23, 2005, 
according to program officials. It also includes the deployment by 
October 26, 2006, of technology to read biometrically enabled passports 
from visa waiver countries. 

* Increment 2B (land entry) redesigns the Increment 1 entry solution 
and expands it to the 50 busiest land POEs. The process for issuing 
Form I-94[Footnote 9] was redesigned to enable the electronic capture 
of biographic, biometric (unless the traveler is exempt), and related 
travel documentation for arriving travelers. This increment was 
deployed to the busiest 50 U.S. land border POEs as of December 29, 
2004. Before Increment 2B, all information on the Form I-94s was 
handwritten. The redesigned systems electronically capture the 
biographic data included in the travel document. In some cases, the 
form is completed by CBP officers, who enter the data electronically 
and then print the form. 

* Increment 2C is to provide the capability to automatically, 
passively, and remotely record the entry and exit of covered 
individuals using radio frequency (RF) technology tags at primary 
inspection and exit lanes.[Footnote 10] An RF tag that includes a 
unique ID number is to be embedded in each Form I-94, thus associating 
a unique number with a record in the US-VISIT system for the person 
holding that Form I-94. In August 2005, the program office deployed the 
technology to five border crossings (three POEs) to verify the 
feasibility of using passive RF technology to record traveler entries 
and exits via a unique ID number embedded in the CBP Form I-94. The 
results of this demonstration are to be reported in February 2006. 

Increment 3 extended Increment 2B (land entry) capabilities to 104 land 
POEs; this increment was essentially completed as of December 19, 
2005.[Footnote 11] 

Increment 4 is the strategic US-VISIT program capability, which program 
officials stated will likely consist of a further series of incremental 
releases or mission capability enhancements that will support business 
outcomes. The program reports that it has worked with its prime 
contractor and partners to develop this overall vision for the 
immigration and border management enterprise. 

Increments 1 through 3 include the interfacing and integration of 
existing systems and, with Increment 2C, the creation of a new system, 
the Automated Identification Management System (AIDMS). The three main 
existing systems are as follows: 

* The Arrival Departure Information System (ADIS) stores: 

* noncitizen traveler arrival and departure data received from air and 
sea carrier manifests, 

* arrival data captured by CBP officers at air and sea POEs, 

* Form I-94 issuance data captured by CBP officers at Increment 2B land 
POEs, 

* departure information captured at US-VISIT biometric departure pilot 
(air and sea) locations, 

* pedestrian arrival information and pedestrian and vehicle departure 
information captured at Increment 2C POE locations, and

* status update information provided by the Student and Exchange 
Visitor Information System (SEVIS) and the Computer Linked Application 
Information Management System (CLAIMS 3) (described below). 

ADIS provides record matching, query, and reporting functions. 

* The passenger processing component of the Treasury Enforcement 
Communications System (TECS) includes two systems: Advance Passenger 
Information System (APIS), a system that captures arrival and departure 
manifest information provided by air and sea carriers, and the 
Interagency Border Inspection System, a system that maintains lookout 
data and interfaces with other agencies' databases. CBP officers use 
these data as part of the admission process. The results of the 
admission decision are recorded in TECS and ADIS. 

* The Automated Biometric Identification System (IDENT) collects and 
stores biometric data on foreign visitors. 

US-VISIT also exchanges biographic information with other DHS systems, 
including SEVIS and CLAIMS 3. These two systems contain information on 
foreign students and foreign nationals who request benefits, such as a 
change of status or extension of stay. 

Some of the systems previously described, such as IDENT and the new 
AIDMS, are managed by the program office, while some systems are 
managed by other organizational entities within DHS. For example, TECS 
is managed by CBP, SEVIS is managed by Immigration and Customs 
Enforcement, CLAIMS 3 is under United States Citizenship and 
Immigration Services, and ADIS is jointly managed by CBP and US-VISIT. 

US-VISIT also interfaces with other, non-DHS systems for relevant 
purposes, including watch list updates and checks to determine whether 
a visa applicant has previously applied for a visa or currently has a 
valid U.S. visa. In particular, US-VISIT receives biographic and 
biometric information from State's Consular Consolidated Database as 
part of the visa application process, and returns fingerscan 
information and watch list changes. 

Program Management Roles and Responsibilities: 

The US-VISIT program office structure includes nine component offices. 
Each of the program offices includes a director and subordinate 
organizational units, as established by the director. The 
responsibilities for each office are stated below. Figure 1 shows the 
program office structure, including its nine offices. 

Figure 1: US-VISIT Program Office Structure: 

[See PDF for image] 

[End of figure] 

The roles and responsibilities for each of the nine offices include the 
following: 

* Chief Strategist is responsible for developing and maintaining the 
strategic vision, strategic documentation, transition plan, and 
business case. 

* Budget and Financial Management is responsible for establishing the 
program's cost estimates; analysis; and expenditure management 
policies, processes, and procedures that are required to implement and 
support the program by ensuring proper fiscal planning and execution of 
the budget and expenditures. 

* Mission Operations Management is responsible for developing business 
and operational requirements based on strategic direction provided by 
the Office of the Chief Strategist. 

* Outreach Management is responsible for enhancing awareness of 
US-VISIT requirements among foreign nationals, key domestic audiences, and 
internal stakeholders by coordinating outreach to media, third parties, 
key influencers, Members of Congress, and the traveling public. 

* Information Technology Management is responsible for developing 
technical requirements based on strategic direction provided by the 
Office of the Chief Strategist and business requirements developed by 
the Office of Mission Operations Management. 

* Implementation Management is responsible for developing accurate, 
measurable schedules and cost estimates for the delivery of mission 
systems and capabilities. 

* Acquisition and Program Management is responsible for establishing 
and managing the execution of program acquisition and management 
policies, plans, processes, and procedures. 

* Administration and Training is responsible for developing and 
administering a human capital plan that includes recruiting, hiring, 
training, and retaining a diverse workforce with the competencies 
necessary to accomplish the mission. 

* Facilities and Engineering Management is responsible for establishing 
facilities and environmental policies, procedures, processes, and 
guidance required to implement and support the program office. 

Our Prior Work Has Resulted in Several Recommendations: 

In response to legislative mandate, we have issued four reports on 
DHS's annual expenditure plans for US-VISIT.[Footnote 12] Our reports 
have, among other things, assessed whether the plans satisfied the 
legislative conditions and provided observations on the plans and DHS's 
program management. As a result of our assessments, we made 24 
recommendations aimed at improving both plans and program management, 
all of which DHS has agreed to implement. Of these 24 recommendations, 
18 address risks stemming from program management.[Footnote 13] 

The Status of DHS's Implementation of Our Recommendations Is Mixed: 

The current status of DHS's implementation of our 18 recommendations on 
program risks is mixed, but progress in critical areas has been slow. 
For example, over 2 years have passed, and the program office has yet 
to develop a security plan consistent with federal guidance or to 
economically justify its investment in system increments. According to 
the Program Director, the pace of progress is attributable to competing 
demands on time and resources. 

DHS agreed to implement all 18 recommendations. Of these 18, DHS has 
completely implemented 2, has partially implemented 11, and is in the 
process of implementing another 5. Of the 11 that are partially 
implemented, 7 are about 2 years old, and 4 are about 10 to 19 months 
old. Of the 5 that are in progress, 3 are about 10 months old. 

These 18 recommendations are aimed at strengthening the program's 
management effectiveness. The longer that the program takes to 
implement the recommendations, the greater the risk that the program 
will not meet its goals on time and within budget. 

Figure 2 provides an overview of the extent to which each 
recommendation has been implemented. The figure is followed by sections 
providing details on each recommendation and our assessment of its 
implementation status. 

Figure 2: DHS's Progress toward Implementing GAO's 18 Recommendations: 

[See PDF for image] 

[A] A recommendation is completely implemented when documentation 
demonstrated that it had been fully addressed. 

[B] A recommendation is partially implemented when documentation 
indicated that actions were under way to implement it. 

[C] A recommendation is in progress when documentation indicated that 
actions had been initiated to implement it. 

[D] Carnegie Mellon University Software Engineering Institute, Software 
Acquisition Capability Maturity Model, Version 1.03 (March 2002). 

[E] Automated Commercial Environment is a new trade processing system 
planned to support the movement of legitimate imports and exports and 
to strengthen border security. 

[End of figure] 

Development and Implementation of a Security Plan and Performance of a 
Privacy Impact Assessment Are Partially Complete: 

In June 2003,[Footnote 14] we reported that the Immigration and 
Naturalization Service[Footnote 15] had not developed a security plan 
and performed a privacy impact assessment for the entry exit program 
(as US-VISIT was then known). A security plan and privacy impact 
assessment are important to understanding system requirements and 
ensuring that the proper safeguards are in place to protect system data 
and resources. System acquisition best practices and federal guidance 
advocate understanding and defining security and privacy requirements 
both early and continuously in a system's life cycle, and effectively 
planning for their satisfaction. Accordingly, we recommended that DHS 
do the following: 

Develop and begin implementing a system security plan, and perform a 
privacy impact assessment and use the results of the analysis in 
near-term and subsequent system acquisition decision making. 

Security Plan: 

Since we made the system security plan recommendation about 2½ years 
ago, its implementation has been slow. For example, we reported in 
September 2003 and again in May 2004 that the program office had not 
developed a security plan. In February 2005, we reported that the 
program office had developed a security plan, dated September 2004, and 
that this plan was generally consistent with federal guidance.[Footnote 16] 
That is, the plan provided an overview of system security 
requirements, described the controls in place or planned for meeting 
those requirements, referred to the applicable documents that prescribe 
the roles and responsibilities for managing the US-VISIT component 
systems, and addressed security awareness and training. However, the 
program office had not conducted a risk assessment or included in the 
plan when an assessment would be completed. According to guidance from 
the Office of Management and Budget (OMB), the security plan should 
describe the methodology that is used to identify system threats and 
vulnerabilities and to assess risks, and it should include the date the 
risk assessment was completed. 

According to program officials, they completed a programwide risk 
assessment in December 2005, but have yet to provide a copy of the 
assessment to us. Therefore, we cannot confirm that the assessment has 
been done, and done properly. The absence of a risk assessment and a 
security plan that reflects this assessment is a significant program 
weakness. Risk assessments are critical to establishing effective 
security controls because they provide the basis for establishing 
appropriate policies and selecting cost-effective controls to implement 
these policies. Without such an assessment, US-VISIT does not have 
adequate assurance that it knows the risks associated with the program 
and thus whether it has implemented effective controls to address them. 

Notwithstanding these limitations in the security plan, the program 
office has begun to implement aspects of its September 2004 security 
plan. For example, the Information Systems Security Manager told us 
that a security awareness program is established and key personnel have 
attended security training. 

Privacy Impact Assessment: 

Since June 2003, US-VISIT has also developed and periodically updated a 
privacy impact assessment. An initial impact assessment was issued in 
January 2004, and a revised assessment was issued in September 
2004.[Footnote 17] A more recent assessment, dated July 2005, reflects 
changes related to Increments 1B and 2C. Each of these assessments is 
generally consistent with OMB guidance.[Footnote 18] That is, each of 
the assessments addressed most OMB requirements, including the impact 
that the system will have on individual privacy, the privacy 
consequences of collecting the information, and alternatives considered 
to collect and handle information. The most recent impact assessment, 
for example, states that three alternatives were considered for 
Increment 1B--the kiosk, the mobile device, and the validator (a 
combination of the two)--and discusses proposals to mitigate the 
privacy risks of all three, such as by limiting the duration of data 
retention on the exit devices and using encryption. 

However, OMB guidance also requires that privacy impact assessments 
developed for systems under development address privacy in relevant 
system documentation, including statements of need, functional 
requirements documents, and cost-benefit analyses. As we reported about 
previous privacy impact assessments, privacy is only partially 
addressed in system documentation. For example, the Increment 1B 
cost-benefit analysis assesses the privacy risk associated with each exit 
alternative, and the Increment 2C business requirements state that all 
solutions are to be compliant with privacy laws and regulations and 
adhere to US-VISIT privacy policy. However, we did not find privacy in 
the Increment 1B business requirements or the Increment 2C functional 
requirements. Program officials, including the US-VISIT Privacy 
Officer, acknowledged that privacy is not included in the system 
documentation, but stated that privacy is considered in the development 
of the documentation and that the privacy office reviews key system 
documentation at relevant times during the system development life 
cycle. Nevertheless, we did not find evidence of privacy being 
addressed in the system documentation, and program officials 
acknowledged that it was not included. 

Until the program performs a risk assessment and fully implements a 
security plan that reflects this assessment, it cannot adequately 
ensure that US-VISIT is cost-effectively safeguarding assets and data. 
Moreover, without reflecting privacy in system documentation, it cannot 
adequately ensure that privacy needs are being fully addressed. 

Development and Implementation of Key Acquisition Controls Are 
Partially Complete: 

We reported in September 2003[Footnote 19] that the program office had 
not defined key acquisition management controls to support the 
acquisition of US-VISIT, and therefore its efforts to acquire, deploy, 
operate, and maintain system capabilities were at risk of not 
satisfying system requirements and of not meeting benefit expectations 
on time and within budget. 

The Capability Maturity Model-Integration® (CMMI) developed by Carnegie 
Mellon University's Software Engineering Institute (SEI) explicitly 
defines process management controls that are recognized hallmarks of 
successful organizations and that, if implemented effectively, can 
greatly increase the chances of successfully acquiring 
software-intensive systems.[Footnote 20] SEI's CMMI model uses capability levels 
to assess process maturity.[Footnote 21] Because establishing the basic 
acquisition process capabilities, according to SEI, can take on average 
about 19 months, we recognized the importance of starting early to 
build effective acquisition management capabilities by recommending 
that DHS do the following: 

Develop and implement a plan for satisfying key acquisition management 
controls, including acquisition planning, solicitation, requirements 
management, program management, contract tracking and oversight, 
evaluation, and transition to support, and implement the controls in 
accordance with SEI guidance. 

The program office has recently taken foundational steps to establish 
key acquisition management controls. For example, it has developed a 
process improvement plan, dated May 16, 2005 (about 20 months after our 
recommendation), to define and implement these controls. As part of its 
improvement program, the program office is implementing a governance 
structure for overseeing improvement activities, consisting of three 
groups: a Management Steering Group, an Enterprise Process Group, and 
Process Action Teams. Specific roles for each of these groups are 
described below. 

* The Management Steering Group is to provide policy and procedural 
guidance and to oversee the entire improvement program. The steering 
group is chaired by the US-VISIT Director, with the Deputy Director and 
the functional office directors serving as core members. 

* The Enterprise Process Group is to provide planning, management, and 
operational guidance in day-to-day process improvement activities. The 
group is chaired by the process improvement leader and is composed of 
individuals from each functional office. 

* Process Action Teams are to provide specific process documentation 
and to provide implementation support and training services. These 
teams are to be active as long as a particular process improvement 
initiative is under way. To date, the program office has chartered five 
process teams--configuration management, cost analysis, process 
development, communications, and policy. 

In addition, the program office has recently completed a 
self-assessment of its acquisition process maturity, and it plans to use the 
assessment results to establish a baseline of its acquisition process 
maturity for improvement. According to program officials, the 
assessment included 13 key process areas that are generally consistent 
with the process areas cited in our recommendation. The program has 
ranked these 13 process areas according to their priority, and, for 
initial implementation, it plans to focus on the following 6:[Footnote 
22] 

* Configuration management. Establishing and maintaining the integrity 
of the products throughout their life cycle. 

* Process and product quality assurance. Taking actions to provide 
management with objective insight into the quality of products and 
processes. 

* Project monitoring and control. Tracking the project's progress so 
that appropriate corrective actions can be taken when performance 
deviates significantly from plans. 

* Project planning. Establishing and maintaining plans for work 
activities. 

* Requirements management. Managing the requirements and ensuring a 
common understanding of the requirements between the customer and the 
product developers. 

* Risk management. Identifying potential problems before they occur so 
that they can be mitigated to minimize any adverse impact. 

The improvement plan is currently being updated to reflect the results 
of the baseline assessment and to include a detailed work breakdown 
structure, process prioritization, and resource estimates. According to 
the Director, Acquisition and Program Management Office (APMO), the 
goal is to conduct a formal SEI appraisal to assess the capability 
level of some or all of the six processes by October 2006. 

Notwithstanding the recent steps to begin addressing our 
recommendation, much work remains to fully implement key acquisition 
management controls. Moreover, effectively implementing these controls 
takes considerable time. Therefore, it is important that these 
improvement efforts stay on track. Until these processes are 
effectively implemented, US-VISIT will be at risk of not delivering 
promised capabilities on time and within budget. 

Determination and Disclosure of Whether Increments Produce Mission 
Value Commensurate with Costs and Risks Are Partially Complete: 

In September 2003, we reported that the program had not assessed the 
costs and benefits of Increment 1, which is extremely important because 
the decision to invest in any capability should be based on reliable 
analyses of return on investment. Further, according to OMB guidance, 
individual increments of major systems are to be individually supported 
by analyses of benefits, cost, and risk.[Footnote 23] Without reliable 
analyses, an organization cannot adequately know that a proposed 
investment is a prudent and justified use of limited resources. 
Accordingly, we recommended that DHS do the following: 

Determine whether proposed US-VISIT increments will produce mission 
value commensurate with cost and risks and disclose to the Congress 
planned actions. 

As we reported in September 2003 and again in February 2005,[Footnote 
24] the program office did not justify its planned investment in 
Increments 1 and 2B, respectively, based on expected return on 
investment. Since then, the program has developed a cost-benefit 
analysis for Increment 1B. 

OMB has issued guidance concerning the analysis needed to justify 
investments.[Footnote 25] According to this guidance, such analyses 
should meet certain criteria to be considered reasonable. These 
criteria include, among other things, comparing alternatives on the 
basis of net present value and conducting uncertainty analyses of costs 
and benefits. DHS has also issued guidance on such economic analyses 
that is consistent with that of OMB.[Footnote 26] 

The latest cost-benefit analysis for Increment 1B (dated June 23, 2005) 
identifies potential costs and benefits for three exit solutions at air 
and sea POEs and provides a general rationale for the viability of the 
three alternatives described. This latest analysis meets four of eight 
OMB economic analysis criteria. However, it does not, for example, 
include a complete uncertainty analysis (i.e., both a sensitivity 
analysis and a Monte Carlo simulation[Footnote 27]) for the three exit 
alternatives evaluated. That is, the cost-benefit analysis does include 
a Monte Carlo simulation, but it does not include a sensitivity 
analysis for the three alternatives. An analysis of uncertainty is 
important because it provides decision makers with a perspective on the 
potential variability of the cost and benefit estimates should the 
facts, circumstances, and assumptions change. 

Table 1 summarizes our analysis of the extent to which US-VISIT's June 
23, 2005, cost-benefit analysis for Increment 1B satisfies eight OMB 
criteria. 

Table 1: US-VISIT Satisfaction of OMB Economic Analysis Criteria: 

Criterion: 1. The cost-benefit analysis clearly explained why the 
investment was needed; 
Explanation: The analysis should clearly explain the reason why the 
investment is needed, that is, why the status quo is unacceptable; 
Criterion met? Yes; 
GAO analysis: The analysis identifies the need for the investment and 
identifies eight key business objectives of the Increment 1B exit 
solution. 

Criterion: 2. At least two alternatives to the status quo were 
considered; 
Explanation: At least two meaningful alternatives to the status quo 
should be examined to help ensure that the alternative chosen was not 
preselected; 
Criterion met? Yes; 
GAO analysis: The analysis considers three alternatives for the 
Increment 1B exit solution: kiosk, mobile, and validator. 

Criterion: 3. The general rationale for the cost-benefit analysis, 
including each alternative, was discussed; 
Explanation: The general rationale for the inclusion of each 
alternative considered should be discussed to enable reviewers of the 
analysis to gain an understanding of the context for the selection of 
one alternative over the others; 
Criterion met? Yes; 
GAO analysis: The assessment includes the rationale for the judgment 
that the three exit alternatives were viable options. 

Criterion: 4. The quality of the cost estimate for each alternative was 
reasonable; 
Explanation: The quality of the cost estimate for each alternative 
should be complete and reasonable for a net present value to be 
accurate; 
Criterion met? No; 
GAO analysis: The cost estimates are not complete or reliably derived. 
(See later section of this report for detailed analysis.) 

Criterion: 5. The quality of the benefits to be realized from each 
alternative was reasonable; 
Explanation: The quality of the benefit estimate for each alternative 
should be complete and reasonable for a net present value to be 
calculable and accurate. According to OMB Circular A-94,[A] year-by-
year estimates should be reported to promote independent analysis and 
review of those estimates; 
Criterion met? No; 
GAO analysis: Year-by-year benefit estimates were not reported. 

Criterion: 6. Alternatives were compared on the basis of net present 
value; 
Explanation: The net present value should be calculated because it 
consistently allows for the selection of the alternative with the 
greatest benefit net of cost; 
Criterion met? Yes; 
GAO analysis: Net present values were calculated for the three 
alternatives. However, the preferred alternative could not be selected 
on this basis, in part because the estimated net present value for all 
alternatives was negative. OMB guidance presumes that at least one will 
be positive, and that the selected alternative will have the greatest 
total benefit net of total cost. The alternative with the more 
favorable cost-benefit was identified on the basis of its lower labor 
intensity (resulting in lower operating and maintenance costs) and 
lower risk that personally identifiable information would be 
compromised. 

Criterion: 7. The proper discount rate for calculating each 
alternative's net present value should be used; 
Explanation: OMB Circular A-94 provides specific guidance on the choice 
of discount rate for evaluating projects whose benefits and costs will 
be distributed over time; 
Criterion met? No; 
GAO analysis: The analysis does not explicitly state the numerical 
value of the discount rate used for computing the alternatives' net 
present values. 

Criterion: 8. A complete uncertainty analysis of cost and benefit was 
included; 
Explanation: Estimates of costs and benefits are typically uncertain 
because of imprecision in both underlying data and modeling 
assumptions. Because such uncertainty is basic to virtually any 
cost-benefit analysis, its effects should be analyzed and reported. OMB 
guidance recommends both Monte Carlo simulation and sensitivity 
analysis as uncertainty analysis techniques; 
Criterion met? No; 
GAO analysis: Although the cost-benefit analysis did include Monte 
Carlo simulation results for the three exit alternatives, no 
sensitivity analysis was conducted for those alternatives. Instead, the 
cost-benefit analysis reports sensitivity analysis results for the 
five deployment scenarios. 

Source: GAO. 

[A] OMB's Circular A-94 is the general guidance for conducting 
cost-benefit analyses for the federal government. 

[End of table] 

It is important that the program adhere to relevant guidance in 
developing its incremental cost-benefit analyses. If this is not done, 
the reliability of the analyses is diminished, and an adequate basis 
for prudent investment decision making does not exist. Moreover, if the 
mission value of a proposed investment is not commensurate with costs, 
it is vital that this information be fully disclosed to DHS and 
congressional decision makers. The underlying intent of our 
recommendation is that this information be available to inform such 
decisions. 

Definition of the Operational Context for US-VISIT Is in Progress: 

In September 2003, we reported that key aspects of the larger homeland 
security environment in which US-VISIT would need to operate had not 
been defined. For example, we stated that certain policy and standards 
decisions had not been made (e.g., whether official travel documents 
will be required for all persons who enter and exit the country, 
including U.S. and Canadian citizens, and how many fingerprints are to 
be collected). In the absence of this operational context, program 
officials were making assumptions and decisions that, if they proved 
inconsistent with subsequent policy or standards decisions, would 
require US-VISIT rework. To minimize the impact of these changes, we 
recommended that DHS do the following: 

Clarify the operational context in which US-VISIT is to operate. 

After about 27 months, defining this operational context remains a work 
in progress. According to the Chief Strategist, an immigration and 
border management strategic plan was drafted in March 2005 that shows 
how US-VISIT is aligned with DHS's organizational mission and defines 
an overall vision for immigration and border management. This official 
stated that this vision provides for an immigration and border 
management enterprise that unifies multiple internal departmental and 
other external stakeholders with common objectives, strategies, 
processes, and infrastructures. 

Since the plan was drafted, DHS has reported that other relevant 
initiatives have been undertaken, such as the Security and Prosperity 
Partnership of North America and the Secure Border Initiative. The 
Security and Prosperity Partnership is to, among other things, 
establish a common approach to securing the countries of North 
America--the United States, Canada, and Mexico--by, for example, implementing a 
border facilitation strategy to build capacity and improve the 
legitimate flow of people and cargo at our shared borders. The Secure 
Border Initiative is to implement a comprehensive approach to securing 
our borders and reducing illegal immigration. According to the Chief 
Strategist, while portions of the strategic plan are being incorporated 
into these initiatives, these initiatives and their relationship with 
US-VISIT are still being defined. We have yet to receive the US-VISIT 
strategic plan because, according to program officials, it had not yet 
been approved by DHS management. 

Until US-VISIT's operational context is fully defined, DHS is 
increasing its risk of defining, establishing, and implementing a 
program that is duplicative of other programs and not interoperable 
with them. This in turn will require rework to address these areas. 
While this issue was significant 27 months ago, when we made the 
recommendation, it is still more significant now. 

Provision of Program Office Resources Is Partially Complete: 

We reported in September 2003 that the program had not fully staffed 
its program office. Our prior experience with major acquisitions like 
US-VISIT shows that to be successful, they need, among other things, to 
have adequate resources. Accordingly, we recommended that DHS do the 
following: 

Ensure that human capital and financial resources are provided to 
establish a fully functional and effective program office. 

About 2 years later, US-VISIT had filled 102 of its 115 planned 
government positions and all of its planned 117 contractor positions. 
For the remaining 13 government positions, 5 positions had been 
selected (pending completion of security clearances), and recruitment 
action was in process for filling the remaining 8 vacancies. According 
to the Office of Administration and Training Manager, funding is 
available to complete the hiring of all 115 government employees. 

Notwithstanding this progress, in February 2005, US-VISIT completed a 
workforce analysis and requested additional positions based on the 
results. According to program officials, a revised analysis was 
submitted in the summer of 2005, but the request has not yet been 
approved. Figure 3 shows the program office organization structure and 
functions and how many of the 115 positions needed have been filled. 

Figure 3: Summary of Program Office Structure, Functions, and Filled 
and Vacant Positions: 

[See PDF for image] 

[End of figure] 

Securing necessary resources will be a continuing challenge and an 
essential ingredient to the program's ability to acquire, deploy, 
operate, and maintain system capabilities on time and within budget. 

Definition of Program Office Roles and Responsibilities Has Been 
Completed: 

We reported in September 2003 that the program had not defined specific 
roles and responsibilities for its staff. Our prior experience and 
leading practices show that for major acquisitions like US-VISIT to be 
successful, program staff need, among other things, to understand what 
they are to do, how they relate to each other, and how they fit in 
their organization. Accordingly, we recommended that DHS do the 
following: 

Define program office positions, roles, and responsibilities. 

The program office has developed charters for its nine component 
offices that include roles and responsibilities for each. For example, 
the Acquisition and Program Management Office is responsible, among 
other things, for establishing acquisition and program management 
policies; coordinating development of configuration management plans 
and project schedules, including the integrated milestone schedule; and 
developing policies and procedures for guidance and oversight of 
systems development and implementation activities. The program has also 
defined a set of core competencies (knowledge, skills, and abilities) 
for each position. For example, it has defined critical competencies 
for program and management analysts that include, among others, 
flexibility, interpersonal skills, organizational awareness, oral 
communication, problem solving, and teamwork. 

These efforts to define positions, roles, and responsibilities should 
help in managing the program effectively. 

Development and Implementation of a Human Capital Strategy Are 
Partially Complete: 

As previously stated, we reported in September 2003 that US-VISIT had 
not fully staffed its program office or defined roles and 
responsibilities for its program staff. We observed that prior research 
and evaluations of organizations showed that effective human capital 
management can help agencies establish and maintain the workforce they 
need to accomplish their missions. Accordingly, we recommended that DHS 
do the following: 

Develop and implement a human capital strategy for the program office 
that provides for staffing positions with individuals who have the 
appropriate knowledge, skills, and abilities. 

In February 2005, we reported that the program office, in conjunction 
with the Office of Personnel Management (OPM), developed a draft human 
capital plan that employed widely accepted human capital planning tools 
and principles. The draft plan included, for example, an action plan 
that identified activities, proposed completion dates, and the office 
(OPM or the program office) responsible for the action. We also 
reported that the program office had completed some of the activities, 
such as designating a liaison responsible for ensuring alignment 
between departmental and program human capital policies. 

Since then, the program office has finalized the human capital plan and 
completed more activities. For example, program officials told us that 
they have: 

* analyzed the program office's workforce to determine diversity 
trends, retirement and attrition rates, and mission-critical and 
leadership competency gaps; 

* updated the program's core competency requirements to ensure 
alignment between the program's human capital and business needs; 

* developed an orientation program for new employees; and 

* administered competency assessments to incoming employees. 

Program officials also told us that they have plans to complete other 
activities, such as: 

* developing a staffing forecast to inform succession planning; 

* analyzing workforce data to maintain strategic focus on preserving 
the skills, knowledge, and leadership abilities required for the 
US-VISIT program's success; and 

* developing organizational leadership competency models for the 
program's senior executive, managerial, and supervisory levels. 

In addition, the officials said that several activities in the plan 
have not been completed, such as assessing the extent of any current 
employees' competency gaps and developing a competency-based listing of 
training courses. These officials said that the reason these activities 
have not been completed is that they are related to the department's 
new human capital initiative, MAXHR, which is to provide greater 
flexibility and accountability in the way employees are paid, 
developed, evaluated, afforded due process, and represented by labor 
organizations. MAXHR is to include the development of departmentwide 
competencies. Because of this, the officials told us that it could 
potentially impact the program's ongoing competency-related activities. 
As a result, these officials said that they are coordinating these 
activities closely with the department as it develops and implements 
this new initiative, which is currently being reviewed by the DHS 
Deputy Secretary for approval. 

Until US-VISIT fully implements a comprehensive human capital strategy, 
it will continue to risk not having staff with the right skills and 
abilities to successfully execute the program. 

Defining Performance Standards for US-VISIT Increments Is Partially 
Complete: 

We reported in September 2003 that the operational performance of 
initial system increments was largely dependent on the performance of 
existing systems that were to be interfaced to create these increments. 
For example, we said that the performance of an increment will be 
constrained by the availability and downtime of the existing systems 
that it includes. Accordingly, we recommended that DHS do the 
following: 

Define performance standards for each increment that are measurable and 
reflect the limitations imposed by relying on existing systems. 

In February 2005 (17 months later), we reported that several technical 
performance standards for Increments 1 and 2B had been defined, but 
that it was not clear that these standards reflected the limitations 
imposed by the reliance on existing systems. Since then, for the 
Increment 2C Proof of Concept (Phase 1), the program office has defined 
certain other performance standards. For example, the functional 
requirements document for Increment 2C (Phase 1) defines several 
technical performance standards, including reliability, recoverability, 
and availability. For each, the document states that the performance 
standard is largely dependent on those of Increment 2B. More 
specifically, the document states that Phase 1 system availability is 
largely dependent upon the individual and collective availability of 
the current systems. The document also states that the Increment 2C 
components shall have an aggregated availability greater than or equal 
to 97.5 percent. However, the document does not contain sufficient 
information to determine whether these performance standards actually 
reflect the limitations imposed by reliance on existing systems. 
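
The following is an added example, not part of the GAO report or of any US-VISIT document. It shows one way to check whether an aggregate availability standard such as the 97.5 percent figure reflects the limits imposed by existing systems. It assumes a serial dependency chain with independent failures; all availability figures are constructed, and the redundancy case goes beyond what the report describes.

```python
from math import prod

HOURS_PER_YEAR = 8760.0


def _validate(availabilities):
    """Reject empty input and values outside the 0..1 range."""
    values = list(availabilities)
    if not values:
        raise ValueError("at least one availability figure is required")
    for a in values:
        if not 0.0 <= a <= 1.0:
            raise ValueError(f"availability must be between 0 and 1, got {a}")
    return values


def serial_availability(availabilities):
    """Availability of a chain in which every element must be up.

    Assumption: failures are independent, so the figures multiply.
    """
    return prod(_validate(availabilities))


def parallel_availability(availabilities):
    """Availability of a redundant group that is up if any member is up."""
    return 1.0 - prod(1.0 - a for a in _validate(availabilities))


def downtime_hours_per_year(availability):
    """Annual downtime implied by an availability figure."""
    return (1.0 - availability) * HOURS_PER_YEAR


def assess_standard(target, existing):
    """Test an aggregate availability target against existing dependencies.

    target   -- required aggregate availability (0.975 for 97.5 percent)
    existing -- measured availability of each existing system in the chain

    Returns the ceiling set by the existing systems, whether the target is
    attainable at all, and the availability the new components must reach
    so that the whole chain still meets the target.
    """
    ceiling = serial_availability(existing)
    attainable = ceiling >= target
    return {
        "ceiling": ceiling,
        "attainable": attainable,
        # None means no new component, however reliable, can close the gap.
        "required_new": (target / ceiling) if attainable else None,
        "shortfall": 0.0 if attainable else target - ceiling,
        "downtime_budget_hours": downtime_hours_per_year(target),
    }


if __name__ == "__main__":
    TARGET = 0.975  # the aggregate standard quoted in the report

    # Constructed figures for three existing systems (not from the report).
    cases = {
        "existing systems leave headroom": [0.995, 0.990, 0.998],
        "existing systems already below target": [0.99, 0.99, 0.98],
        # Same chain, with the weakest system duplicated for redundancy.
        "weakest system made redundant": [
            0.99, 0.99, parallel_availability([0.98, 0.98])
        ],
    }
    for label, existing in cases.items():
        result = assess_standard(TARGET, existing)
        print(label)
        print(f"  ceiling from existing systems: {result['ceiling']:.4%}")
        if result["attainable"]:
            print(f"  new components must reach:     {result['required_new']:.4%}")
        else:
            print(f"  target unattainable, shortfall: {result['shortfall']:.4%}")
        print(f"  downtime budget: {result['downtime_budget_hours']:.0f} h/year")
```

A standard that documents the inputs to this kind of calculation is what lets a reviewer confirm that the target accounts for the systems it depends on.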

To further develop performance standards, the program office has 
prepared a Performance Engineering Plan, dated March 31, 2005, that 
links US-VISIT performance engineering activities to its System 
Development Life Cycle. Further, the plan (1) provides a framework to 
be used to align its business, application, and infrastructure 
performance goals and measures; (2) describes an approach to translate 
business goals into operational measures, and then to quantitative 
metrics; and (3) identifies system performance measurement areas 
(effectiveness, efficiency, reliability, and availability). According 
to program officials, they intend to establish a group to develop 
action plans for implementing the engineering plan, but did not have a 
time frame for doing so. 

Without defining performance standards that reflect the limitations of 
the existing systems upon which US-VISIT relies, the program lacks the 
ability to identify and effectively address performance shortfalls. 

Development and Implementation of a Risk Management Plan Are Partially 
Complete: 

In September 2003, we reported that US-VISIT was a risky undertaking 
because of several factors inherent to the program, such as its large 
scope and complexity, as well as because of various program management 
weaknesses. We concluded that these risks, if not effectively managed, 
would likely cause program cost, schedule, and performance problems. 

Risk management is a continuous, forward-looking process that is 
intended either to prevent such problems from occurring or to minimize 
their impact if they occur by proactively identifying risks, 
implementing risk mitigation strategies, and measuring and disclosing 
progress in doing so. Because of the importance of effectively managing 
program risks, we recommended that DHS do the following: 

Develop and implement a risk management plan and ensure that all high 
risks and their status are reported regularly to the executive body. 

About 2 years later, the program office has developed and has begun 
implementing a risk management plan. The plan, which was approved in 
September 2005, includes, among other things, a process for 
identifying, analyzing, handling, and monitoring risk. It also defines 
the governance structure to be used in overseeing and managing the 
process. The program also maintains a risk database, which includes, 
among other things, a description of the risk, its priority (e.g., 
high, medium, or low), and its mitigation strategy. According to 
program officials, the database is currently available to program 
management and staff. 

The program has also begun implementing its risk management plan. For 
example, it has established a Risk Review Board, Risk Review Council, 
and Risk Owners to govern its risk activities. The roles and 
responsibilities are described below. 

* The Risk Review Board directs all risk governance within the program 
and provides the mechanism to escalate/transfer the consideration of 
risks to program governing boards and to organizations external to the 
program. 

* The Risk Review Council oversees and manages program-related risks 
that are significant, controversial, or cross-project or that may 
require escalation to the Risk Review Board. 

* Risk Owners analyze, handle, and monitor risks. 

However, full implementation of the risk management plan has yet to 
occur. As part of its CMMI process maturity baseline self-assessment 
(previously discussed), the program office found that the risk 
management process detailed in its plan was not being consistently 
applied across the program. In response, according to program 
officials, they have developed risk management training and began 
conducting training sessions in November 2005. These officials also 
stated that the Risk Review Board, where risks are reviewed with 
program executives, has been meeting monthly since September 2005. 

With respect to regular risk reports to program executives, the plan 
includes thresholds for escalating risks within the risk governance 
structure and to DHS governance entities. For example, risks are to be 
elevated to the Risk Review Board when the cost of the project exceeds 
more than 5 percent of the project baseline cost, the schedule slippage 
exceeds more than 5 percent of the baseline schedule, major areas of 
scope are affected, or quality reduction requires approval. However, 
program officials stated that these thresholds are not currently being 
applied. They further stated that although the plan allows for 
escalation of risks to officials outside the program office, doing so 
is at the discretion of the Program Director; in addition, according to 
these officials, although high risks are not routinely escalated 
outside the program, selected high risks have been disclosed to the 
Assistant Secretary for Policy in weekly program status reports. As of 
December 5, 2005, the Program Director proposed submitting monthly 
reports of high-priority risks and issues through the Assistant 
Secretary for Policy to the Deputy Secretary. 

Until US-VISIT fully implements its risk management plan and process, 
it cannot be assured that all program risks are being identified and 
managed in order to effectively mitigate any negative impact on the 
program's ability to deliver promised capabilities on time and within 
budget. 

Development of Test Plans Is Partially Complete: 

We reported in May 2004, and again in February 2005, that system 
testing was not based on well-defined test plans, and thus the quality 
of testing being performed was at risk.[Footnote 28] The purpose of 
system testing is to identify and correct system defects (i.e., unmet 
system functional, performance, and interface requirements) and thereby 
obtain reasonable assurance that the system performs as specified 
before it is deployed and operationally used. To be effective, testing 
activities should be planned and implemented in a structured and 
disciplined fashion. Among other things, this includes developing 
effective test plans to guide the testing activities and ensuring that 
test plans are developed and approved before test execution. According 
to relevant systems development guidance, an effective test plan (1) 
specifies the test environment; (2) describes each test to be 
performed, including test controls, inputs, and expected outputs; (3) 
defines the test procedures to be followed in conducting the tests; and 
(4) provides traceability between the test cases and the requirements 
to be verified by the testing. Because these criteria were not being 
met, we recommended that DHS do the following: 

Develop and approve test plans before testing begins that (1) specify 
the test environment; (2) describe each test to be performed, including 
test controls, inputs, and expected outputs; (3) define the test 
procedures to be followed in conducting the tests; and (4) provide 
traceability between test cases and the requirements to be verified by 
the testing. 

About 19 months later, the quality of the system test plans, and thus 
system testing, is still problematic. To the program's credit, the test 
plans for the Increment 2C Proof of Concept (Phase 1), dated June 28, 
2005, satisfied part of our recommendation. Specifically, the test plan 
for this increment was approved on June 30, 2005, and, according to 
program officials, testing began on July 5, 2005. Further, the test 
plan described, for example, the scope, complexity, and completeness of 
the test environment, and it described the tests to be performed, 
including a high-level description of controls, inputs, and outputs, 
and it identified test procedures to be performed. 

However, the test plan did not adequately trace between test cases and 
the requirements to be verified by testing. For example, 300 of the 438 
functional requirements, or about 70 percent of the requirements that 
we analyzed, did not have specific references to test cases. 

In addition, we identified traceability inconsistencies, including the 
following: 

* One requirement was mapped to over 50 test cases, but none of the 50 
cases referenced the requirement. 

* One requirement was mapped to a group of test cases in the 
traceability matrix, but several of the test cases to which the 
requirement was mapped did not reference the requirement, and several 
test cases referenced the requirement and were not included in the 
traceability matrix. 

* One requirement was mapped to all but one of the test cases within a 
particular group of test cases, but that test case did refer to the 
requirement. 
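
The three inconsistencies listed above are all failures of bidirectional traceability: the matrix and the test cases disagree about which tests verify which requirement. The following Python check is an added example, not part of the GAO report or of any US-VISIT tooling; the requirement and test case identifiers and the data layout are constructed assumptions.

```python
"""Bidirectional traceability check (added example).

Compares a requirements-to-test traceability matrix against the requirement
references carried inside the test cases themselves. All identifiers and
sample data are constructed for illustration.
"""
from collections import defaultdict


def check_traceability(requirements, matrix, test_case_refs):
    """Cross-check the two directions of traceability.

    requirements   -- iterable of baseline requirement ids
    matrix         -- dict: requirement id -> test case ids (the matrix)
    test_case_refs -- dict: test case id -> requirement ids the case cites
    """
    reqs = set(requirements)

    # Invert the test cases' own references: requirement -> citing test cases.
    cited_by = defaultdict(set)
    for tc, refs in test_case_refs.items():
        for req in refs:
            cited_by[req].add(tc)

    report = {
        "untraced": [],              # no link in either direction
        "confirmed": {},             # matrix and test case agree
        "matrix_only": {},           # matrix maps it, test case does not cite it
        "test_only": {},             # test case cites it, matrix omits it
        "unknown_requirements": {},  # id used somewhere but not in the baseline
    }

    for req in sorted(reqs):
        mapped = set(matrix.get(req, ()))
        cited = cited_by.get(req, set())
        if not mapped and not cited:
            report["untraced"].append(req)
            continue
        if mapped & cited:
            report["confirmed"][req] = sorted(mapped & cited)
        # A matrix entry naming a test case that does not exist also lands
        # here, because a nonexistent test case cites nothing.
        if mapped - cited:
            report["matrix_only"][req] = sorted(mapped - cited)
        if cited - mapped:
            report["test_only"][req] = sorted(cited - mapped)

    # Requirement ids that appear in the matrix or in test cases but are not
    # part of the requirements baseline.
    for req in sorted((set(cited_by) | set(matrix)) - reqs):
        users = cited_by.get(req, set()) | set(matrix.get(req, ()))
        report["unknown_requirements"][req] = sorted(users)

    # Share of baseline requirements with at least one link that both the
    # matrix and the test case confirm.
    report["confirmed_coverage"] = (
        len(report["confirmed"]) / len(reqs) if reqs else 0.0
    )
    return report


# Constructed sample data reproducing the kinds of inconsistency listed above.
SAMPLE_REQUIREMENTS = ["REQ-001", "REQ-002", "REQ-003", "REQ-004", "REQ-005"]

SAMPLE_MATRIX = {
    "REQ-001": {"TC-01", "TC-02"},  # consistent in both directions
    "REQ-002": {"TC-03", "TC-04"},  # mapped, but no mapped case cites it
    "REQ-003": {"TC-03"},           # mapped to a case that does not cite it
    "REQ-004": {"TC-01"},           # matrix omits TC-06, which cites it
}                                   # REQ-005 has no mapping at all

SAMPLE_TEST_CASE_REFS = {
    "TC-01": {"REQ-001", "REQ-004"},
    "TC-02": {"REQ-001"},
    "TC-03": set(),
    "TC-04": set(),
    "TC-05": {"REQ-003"},             # cites REQ-003 but is not in the matrix
    "TC-06": {"REQ-004", "REQ-999"},  # REQ-999 is not a baseline requirement
}


if __name__ == "__main__":
    result = check_traceability(
        SAMPLE_REQUIREMENTS, SAMPLE_MATRIX, SAMPLE_TEST_CASE_REFS
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

A requirement counts toward confirmed coverage only when at least one link is confirmed from both sides, so a matrix row alone does not count as evidence that the requirement is tested.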

Time and resources were identified as the reasons that test plans have 
not been complete. Specifically, program officials stated that 
milestones do not permit existing testing/quality personnel the time 
required to adequately review testing documents.[Footnote 29] According 
to these officials, even when the start of testing activities is 
delayed because, for example, requirements definition or product 
development takes longer than anticipated, testing milestones are not 
extended. 

Without complete test plans, the program does not have adequate 
assurance that the system is being fully tested, and thus unnecessarily 
assumes the risk that system defects will not be detected and addressed 
before the system is deployed. This means that the system may not 
perform as intended when deployed, and defects will not be addressed 
until late in the systems development cycle, when they are more 
difficult and time-consuming to fix. As we previously reported, this 
has happened: postdeployment system interface problems surfaced for 
Increment 1, and manual work-arounds had to be implemented after the 
system was deployed. 

Assessment of the Impact of Increment 2B on Workforce Levels and 
Facilities Is Partially Complete: 

We reported in May 2004 that the program had not assessed its workforce 
and facility needs for Increment 2B. Because of this, we questioned the 
validity of the program's workforce and facility assumptions used to 
develop its workforce and facility plans, noting that the program 
lacked a basis for determining whether its assumptions and thus its 
plans were adequate. Accordingly, we recommended that DHS do the 
following: 

Assess the full impact of Increment 2B on land POE workforce levels and 
facilities, including performing appropriate modeling exercises. 

Seven months later, the program office evaluated Increment 2B 
operational performance. The purpose of the evaluation was to determine 
the effectiveness of Increment 2B performance at the 50 busiest land 
POEs. To assist in the evaluation, the program office established a 
baseline for comparing the average Form I-94 or Form I-94W[Footnote 30] 
issuance processing times at 3 of the 50 POEs where processing times 
were to be evaluated.[Footnote 31] The program office then conducted 
two evaluations of the processing times at the 3 POEs following 
Increment 2B deployment. The first was in December 2004, after 
Increment 2B was deployed to these sites as a pilot, and the second was 
in February 2005, after Increment 2B was deployed to all 50 POEs. The 
evaluation results showed that the average processing times decreased 
for all 3 sites. Table 2 compares the results of the two evaluations 
and the baseline. 

Table 2: Reduction in Reported Processing Times for Increment 2B Pilot 
and Full Deployment: 

Pilot site: Douglas, Arizona; 
Baseline (October 2004): 4 minutes, 16 seconds; 
Pilot: Decrease in time from baseline (December 2004): -47 seconds; 
Full deployment: Change in time from pilot (February 2005): -17 seconds. 

Pilot site: Laredo, Texas; 
Baseline (October 2004): 12 minutes, 10 seconds; 
Pilot: Decrease in time from baseline (December 2004): -9 minutes, 37 
seconds; 
Full deployment: Change in time from pilot (February 2005): -15 
seconds. 

Pilot site: Port Huron, Michigan; 
Baseline (October 2004): 11 minutes, 42 seconds; 
Pilot: Decrease in time from baseline (December 2004): -1 minute, 51 
seconds; 
Full deployment: Change in time from pilot (February 2005): +7 seconds. 

Source: GAO analysis of DHS data. 

[End of table] 

According to program officials, these evaluations supported the 
workforce and facilities planning assumption that no additional staff 
were required to support deployment of Increment 2B, and that minimal 
modifications to interior workspace were required to accommodate 
biometric capture devices and printers and to install electrical 
circuits. These officials stated that modifications to existing officer 
training and interior space were the only changes needed. 

However, the scope of the evaluation was too limited to satisfy the 
evaluation's stated purpose or our recommendation for assessing the 
full impact of Increment 2B. Specifically, program officials stated 
that the evaluation focused on the time to process Form I-94s and not 
on operational effectiveness, including workforce impacts and traveler 
waiting time. Second, the 3 sites were selected, according to program 
officials, on the basis of a number of factors, including whether the 
sites already had sufficient staff to support the pilot. Selecting 
sites on the basis of this factor could affect the results and 
presupposes that not all POEs have the staff needed to support 
Increment 2B. Third, evaluation conditions were not always held 
constant. For example, fewer workstations were used to process 
travelers in establishing the baseline processing times at 2 of the 
POEs--Port Huron (9 versus 14) and Douglas (4 versus 6)--than were used 
during the pilot evaluations. 

Moreover, CBP officials from 1 POE, which was not an evaluation site, 
told us that US-VISIT has actually lengthened processing times. (San 
Ysidro processes the highest volume of travelers of all land POEs.) 
While these officials did not provide specific data to support this 
statement, it nevertheless raises questions about the potential impact 
of Increment 2B on the 47 sites that were not evaluated. 

It is important that the impact of Increment 2B on workforce and 
facilities be fully assessed. Since we made our recommendation, 
Increment 2B deployment and operational facts and circumstances have 
materially changed, making the implementation of our recommendation 
using predeployment baseline data for the other 47 sites impractical. 
Nevertheless, other alternatives, such as surveying officials at these 
sites to better understand the increment's impact on workforce levels 
and facilities, have yet to be explored. Until they are, the program 
may not be able to accurately project resource needs or make required 
modifications to achieve its goals of minimizing US-VISIT's impact on 
POE processing times. 

Implementation of Configuration Management Practices Is in Progress: 

We reported in May 2004 that US-VISIT had not established effective 
configuration management practices. Configuration management 
establishes and maintains the integrity of system components and items 
(e.g., hardware, software, and documentation). A key ingredient is a 
change control board to evaluate and approve proposed configuration 
changes. Accordingly, we concluded that the program did not have 
adequate assurance that approved system changes were actually made, and 
that changes made to the component systems (for non-US-VISIT purposes) 
did not interfere with US-VISIT functionality. Accordingly, we 
recommended that DHS do the following: 

Implement effective configuration management practices, including 
establishing a US-VISIT change control board to manage and oversee 
system changes. 

After 19 months, US-VISIT has begun implementing configuration 
management practices. To its credit, the program recently issued a 
configuration management policy (September 2005) and prepared a draft 
configuration management plan (August 2005). The policy contains 
guiding principles, direction, and expectations for planning and 
performing configuration management, and includes activities, 
authorities, and responsibilities. The draft plan describes the 
configuration management governance structure, including organizational 
entities and their responsibilities, the processes and procedures to be 
applied, and how controls are to be applied to products. The governance 
structure includes the Executive Configuration Control Board and the 
Configuration Management Impact Review Team. According to its charter, 
the configuration control board is responsible for determining the 
status of requested configuration changes and resolving any conflicts 
related to those changes for US-VISIT-managed systems (i.e., not for 
US-VISIT component systems managed by other DHS organizations). The Impact 
Review Team, which reports to the board, is responsible for reviewing 
requests for system changes and submitting a recommendation to the 
appropriate change review authority (i.e., either the US-VISIT control 
board or the control board in the DHS organization that manages the 
component system). According to program officials, for 
US-VISIT-managed systems, the review authority is the Executive Configuration 
Control Board. For other systems, such as TECS (which CBP manages), the 
US-VISIT review team may submit a recommendation to the appropriate 
control board (in this case, the CBP Control Board). 

The APMO director stated that the planned configuration management 
program is intended to complement rather than replace the configuration 
management programs for the legacy systems. That is, change requests 
approved by the US-VISIT Executive Configuration Control Board that 
require changes to a legacy system will be coordinated with the board 
having responsibility for that system. This means, however, that 
changes to component systems (e.g., IDENT, ADIS, and TECS) that are 
initiated and approved by another DHS organization, and that could 
affect US-VISIT performance, are not subject to US-VISIT configuration 
management processes and are not also being examined and approved by 
the US-VISIT control board. This lack of US-VISIT control was the 
impetus for our recommendation. 

Although US-VISIT has recently taken steps to begin addressing our 
recommendation, the program still does not adequately control changes 
to the component systems upon which US-VISIT performance depends. Until 
programwide configuration management practices are implemented, the 
program does not have an effective means for ensuring that approved 
system changes are actually made and that changes made to the component 
systems for non-US-VISIT purposes do not compromise US-VISIT 
functionality and performance. 

Efforts to Ensure the Independence of the Verification and Validation 
Contractor Are Complete: 

We reported in May 2004 that the program office's independent 
verification and validation (IV&V) contractor was not independent of 
the products and processes that it was verifying and validating. The 
purpose of IV&V is to provide management with objective insight into 
the program's processes and associated work products. Its use is a 
recognized best practice for large and complex system development and 
acquisition projects like US-VISIT. To be effective, the verification 
and validation function is to be performed by an entity that is 
independent of the processes and products that are being reviewed. 
Accordingly, we recommended that DHS do the following: 

Ensure the independence of the IV&V contractor. 

In July 2005, the program office issued a new contract for IV&V 
services. To ensure the contractor's independence, the program office 
(1) required that IV&V contract bidders be independent of the 
development and integration contractors; (2) reviewed each of the 
bidder's affiliations with the prime contract; (3) included provisions 
in the contract that prohibit the contractor from soliciting, 
proposing, or being awarded work (other than IV&V services) for the 
program; (4) required all contractor personnel to certify that they do 
not have any conflicts of interest; and (5) ensured that the 
contractor's management plan (Oct. 17, 2005) describes how the 
contractor will ensure technical, managerial, and financial 
independence. 

Such steps, if effectively enforced, should adequately ensure that 
verification and validation activities are performed in an objective 
manner and, thus, should provide valuable assistance to program 
managers and decision makers. 

Development of a Plan to Address Open Recommendations Is Partially 
Complete: 

We reported in May 2004 that US-VISIT's overall progress on 
implementing our recommendations had been slow, and considerable work 
remained to fully address them. As we also noted, given that most of 
our recommendations focused on fundamental limitations in US-VISIT's 
ability to manage the program, it was important to implement the 
recommendations quickly and completely. Accordingly, we recommended 
that DHS do the following: 

Develop a plan, including explicit tasks and milestones, for 
implementing all of our open recommendations and periodically report to 
the DHS Secretary and Under Secretary on progress in implementing this 
plan; and report this progress, including reasons for delays, in all 
future expenditure plans. 

About 19 months after our recommendation, the program assigned 
responsibility to specific individuals for preparing a plan, including 
specific actions and milestones, to address each recommendation. In 
addition, it developed a report that identifies the responsible person 
for each recommendation and summarizes progress made in implementing 
each. The program office provided this report for the first time to the 
DHS Deputy Secretary on October 3, 2005, and plans to forward 
subsequent reports every 6 months. 

However, the report's description of progress on 4 recommendations is 
inconsistent with our assessment, as discussed below: 

* First, the report states that the program completed a privacy impact 
assessment that is in full compliance with OMB guidance. As previously 
discussed, an assessment has been developed, but OMB guidance requires 
that these assessments for systems under development (such as Increment 
2C) address privacy in the system's documentation. Increment 2C systems 
documentation does not address privacy and therefore is not fully 
compliant with OMB guidance. 

* Second, the report states that a human capital strategy has been 
completed. However, as previously discussed, several of the activities 
in the human capital plan have yet to be implemented. For example, the 
program has not developed a staffing forecast to inform succession 
planning. 

* Third, the report states that the impact of Increment 2B on land POE 
workforce levels and facilities has been fully assessed. However, as we 
previously stated, the scope of the evaluations was not sufficient to 
satisfy our recommendation. For example, program officials stated that 
the evaluation focused on the time to process Form I-94s and not on 
operational effectiveness, including workforce impacts and traveler 
waiting time. Moreover, officials at the largest land POE told us that 
the effect of Increment 2B was the opposite of that reported in the 
pilot results. 

* Fourth, the report states that the program has partially completed 
implementing configuration management practices. However, as previously 
discussed, the program office has yet to implement practices or 
establish a configuration control board with authority over all changes 
affecting US-VISIT functionality and performance, including those made 
to component systems for non-US-VISIT purposes, which was the intent of 
our recommendation. 

In addition, the report does not specifically describe progress against 
11 of our other recommendations, so that we could not determine whether 
the program's assessment is consistent with ours (described in this 
report). For example, we recommended that the program reassess plans 
for deploying an exit capability to ensure that the scope of the exit 
pilot provides for adequate evaluation of alternative solutions. The 
report states that the program office has completed exit testing and 
has forwarded the exit evaluation report to the Deputy Secretary for a 
decision. However, it does not state whether the program office had 
expanded the scope or time frames of the pilot. 

Fully understanding and disclosing progress against our recommendations 
are essential to building the capability needed to effectively manage 
the program, and to ensuring that key decision makers have the 
information needed to make well-informed choices among competing 
investment options. 

Establishment of Effective Cost-Estimating Practices Is in Progress: 

We reported in February 2005 that US-VISIT had not followed effective 
practices to develop cost estimates for its system increments, and thus 
the reliability of its cost estimates was questionable.[Footnote 32] 
Such cost-estimating practices are embedded in the 13 criteria in SEI's 
checklist for determining the reliability of cost estimates.[Footnote 
33] Of these 13 criteria, we reported in February 2005 that the 
program's cost estimate met 2, partially met 6, and did not meet 5. 
Accordingly, we recommended that DHS do the following: 

Follow effective practices for estimating the costs of future 
increments. 

The latest US-VISIT-related cost estimate is for Increment 1B. This 
estimate is in the June 2005 cost-benefit analysis for Increment 1B and 
establishes the costs associated with three exit solutions for air and 
sea POEs. As was the case for the estimate described in our February 
2005 report, this latest estimate also did not meet all 13 criteria, 
meeting 3 and partially meeting another 5.[Footnote 34] For example, 
these estimates did not include a detailed work breakdown structure and 
omitted important cost elements, such as system testing. A work 
breakdown structure serves to organize and define the work to be 
performed, so that associated costs can be identified and estimated. 
Thus, it provides a reliable basis for ensuring that the estimates 
include all relevant costs. In addition, the uncertainties associated 
with the Increment 1B cost estimate were not identified. An uncertainty 
analysis provides the basis for adjusting these estimates to reflect 
unknown facts and circumstances that could affect costs and identifies 
the risk associated with the cost estimate. Table 3 summarizes our 
analysis of the extent to which US-VISIT's Increment 1B cost estimates 
satisfy SEI's 13 criteria. 

Table 3: Satisfaction of SEI's 13 Cost-Estimating Criteria: 

Criterion: 1. The objectives of the program are stated in writing; 
Explanation: The objectives of the program should be clearly and 
concisely stated for the cost estimator to use; 
Criterion met[A]? Yes; 
GAO analysis: The objectives of the program were clearly stated. 
Specifically, the objectives are to provide a more complete traveler 
history and to capture travelers' biometric and biographic data. 

Criterion: 2. The life cycle to which the estimate applies is clearly 
defined; 
Explanation: The life cycle should be clearly defined to ensure that 
the full cost of the program is captured--that is, all direct and 
indirect costs for planning, procurement, operations and maintenance, 
and disposal; 
Criterion met[A]? Partially; 
GAO analysis: The life cycle was not clearly defined to ensure that the 
full cost of the program was included. For example, the analysis did 
not include evidence that software maintenance costs were included in 
the cost estimate. 

Criterion: 3. The task has been appropriately sized; 
Explanation: An appropriate sizing metric should be used in the 
development of the estimate, such as the amount of software to be 
developed and the amount of software to be revised; 
Criterion met[A]? No; 
GAO analysis: The program office provided no evidence to demonstrate 
that an appropriate sizing mechanism was used, and program officials 
stated that they had not collected these data. 

Criterion: 4. The estimated cost and schedule are consistent with 
demonstrated accomplishments on other projects; 
Explanation: Estimates should be validated by being related back to 
demonstrated and documented performance on completed projects; 
Criterion met[A]? Partially; 
GAO analysis: Officials stated that pilot data were used to develop the 
estimate. They stated they extrapolated pilot data to estimate costs 
for all Increment 1B sites; however, they further stated that there 
were no previous projects with which to compare the results to see if 
they were consistent. 

Criterion: 5. A written summary of parameter values and their 
rationales accompanies the estimate; 
Explanation: If a parametric equation was used to generate the 
estimate, the parameters that feed the equation should be provided, 
along with an explanation of why they were chosen; 
Criterion met[A]? Partially; 
GAO analysis: High-level cost categories, such as labor, information 
technology, facilities, and other costs, were identified, but detailed 
parameters used to develop the estimate, such as number of software 
lines of code, which would be relevant to software maintenance costs, 
were not provided in the analysis. 

Criterion: 6. Assumptions have been identified and explained; 
Explanation: Assumptions regarding issues such as schedule, quantity, 
technology, development processes, manufacturing techniques, software 
language, etc., should be understood and documented; 
Criterion met[A]? Yes; 
GAO analysis: General cost assumptions are identified and explained, as 
well as assumptions for workforce, information technology, training, 
and facilities. 

Criterion: 7. A structured process, such as a template or format, has 
been used to ensure that key factors have not been overlooked; 
Explanation: A work breakdown structure or similar structure that 
organizes, defines, and graphically displays the individual work units 
to be performed should be used. The structure should be revised over 
time as more information becomes known about the work to be performed; 
Criterion met[A]? Partially; 
GAO analysis: The analysis included four high-level cost categories 
(labor, facilities, operations and maintenance, and information 
technology), but it did not include a detailed work breakdown structure 
and omitted important cost elements, such as system testing. 

Criterion: 8. Uncertainties in parameter values have been identified 
and quantified; 
Explanation: For all major cost drivers, an uncertainty analysis should 
be performed to recognize and reflect the risk associated with the cost 
estimate; 
Criterion met[A]? Partially; 
GAO analysis: A risk analysis was performed, but this analysis did not 
identify detailed parameter values. 

Criterion: 9. If a dictated schedule has been imposed, an estimate of 
the normal schedule has been compared to the additional expenditures 
required to meet the dictated schedule; 
Explanation: Managers should be informed of all potential cost savings 
associated with alternative schedules; 
Criterion met[A]? N/A; 
GAO analysis: Program officials stated that the Increment 1B schedule 
was not dictated. 

Criterion: 10. If more than one cost model or estimating approach has 
been used, any differences in results have been analyzed and explained; 
Explanation: The primary methodology or cost model results should be 
compared with any secondary methodology (e.g., cross checks) to ensure 
consistency; 
Criterion met[A]? No; 
GAO analysis: No evidence of a secondary cost model was included in the 
analysis, and program officials stated that they did not use a second 
model. 

Criterion: 11. Estimators independent of the performing organization 
concurred with the reasonableness of the parameter values and 
estimating methodology; 
Explanation: The purpose of an independent estimate is to determine the 
reasonableness of the parameter values based on an unbiased 
perspective. This approach usually results in a more accurate estimate 
because it allows for better insight into program risks; 
Criterion met[A]? No; 
GAO analysis: Program officials stated that the estimate was not 
independently reviewed. 

Criterion: 12. Estimates are current; 
Explanation: Estimates are updated whenever changes to requirements 
affect cost or schedule, constraints, and resources, or when priorities 
change; 
Criterion met[A]? Yes; 
GAO analysis: Estimates reflected current conditions. 

Criterion: 13. The results of the estimate have been integrated with 
project planning and tracking; 
Explanation: Plans are reviewed and updated whenever estimates change, 
and estimates used for project planning are also used as baselines for 
project tracking; 
Criterion met[A]? No; 
GAO analysis: Program officials stated that the results of the estimate 
have not been incorporated with project planning. 

Source: GAO. 

[A] We assessed each of the criteria as satisfied (US-VISIT provided 
substantiating evidence for the criterion), partially satisfied 
(US-VISIT provided partial evidence, including testimonial evidence, for 
the criterion), or not satisfied (no evidence was found for the 
criterion). 

[End of table] 

Program officials stated that they recognize the importance of 
developing reliable cost estimates and have initiated actions to more 
reliably estimate the costs of future increments. For example, as part 
of its process improvement program, the program has chartered a 
cost-analysis process action team, which is to develop, document, and 
implement a cost-analysis policy, process, and plan for the program. 
Program officials also stated that they have hired additional 
contracting staff with cost-estimating experience. 

Strengthening the program's cost-estimating capability is extremely 
important. The absence of reliable cost estimates, among other things, 
prevents the development of reliable economic justification for program 
decisions and impedes effective performance measurement. 

Reassessment of Plans for Deploying the Exit Capability Is Partially 
Complete: 

In February 2005, we reported that US-VISIT had not adequately planned 
for evaluating the Increment 1B exit alternative because its exit pilot 
evaluation's scope and timeline were compressed. Accordingly, we 
recommended that DHS do the following: 

Reassess plans for deploying an exit capability to ensure that the 
scope of the exit pilot provides for adequate evaluation of alternative 
solutions and better ensures that the exit solution selected is in the 
best interest of the program. 

Over the last 10 months, the program office has taken actions to expand 
the scope and time frames of the pilot. For example, it extended the 
pilot from 5 to 11 POEs--9 airports and 2 seaports.[Footnote 35] It 
also extended the time frame for data collection and evaluation to 
April 2005, which is about 7 months beyond the date for which all exit 
pilot evaluation tasks were to be completed. Further, according to 
program officials, they achieved the target sample sizes necessary to 
have a 95 percent confidence level. 

Notwithstanding the expanded scope of the pilot, questions remain about 
whether the exit alternatives have been evaluated sufficiently to 
permit selection of the best exit solution for national deployment. For 
example, each of the three exit alternatives was evaluated against 
three criteria, including compliance with the US-VISIT exit process 
(i.e., foreign travelers providing information as they exit the United 
States).[Footnote 36] However, across the three alternatives, the 
average compliance with this process was only 24 percent, which raises 
questions as to the effectiveness of the three alternatives.[Footnote 
37] The evaluation report cites several reasons for the low compliance 
rate, including that compliance during the pilot was voluntary. The 
report further concludes that national deployment of the exit solution 
will not have the desired compliance rate unless the exit process 
incorporates an enforcement mechanism, such as not allowing persons to 
reenter the United States if they do not comply with the exit process. 
Although an enforcement mechanism might indeed improve compliance, 
program officials stated that no formal evaluation has been conducted 
of enforcement mechanisms or their effect on compliance. The program 
director stated that he agrees that additional evaluation is needed to 
assess the impact of implementing potential enforcement mechanisms and 
plans to do so. 

Until the program office adequately evaluates the exit alternatives and 
knows whether the alternative to be selected will be effective, the 
program office will not be in a position to select the exit solution 
that is in the best interest of the program. This is very important 
because without an effective exit capability, the benefits and the 
mission value of US-VISIT are greatly diminished. 

Development and Implementation of Capacity Management Processes Are in 
Progress: 

We reported in February 2005 that the overall capacity of the system 
was not being effectively managed. At that time, US-VISIT, which 
comprises several legacy systems, was relying on the capacity 
management activities of these systems. It was not focused on the 
capacity requirements and performance of the collective systems that 
make up US-VISIT. This approach increases the risk that the system may 
not be properly designed and configured for efficient performance, and 
that it has insufficient processing and storage capacity for current, 
future, and unpredictable workload requirements. Accordingly, we 
recommended that DHS do the following: 

Develop and implement processes for managing the capacity of the 
US-VISIT system. 

According to program officials, they have initiated efforts to develop 
a capacity management process, including a high-level description of 
the necessary steps, such as identifying tools needed to implement the 
process. However, a plan, including specific tasks and milestones for 
developing and implementing capacity management processes, has not yet 
been developed. 

Until the program office develops a programwide capacity management 
program, it increases the risk that US-VISIT may not be able to 
adequately support program mission needs. 

Identification of ACE and US-VISIT Relationships and Dependencies Is in 
Progress: 

We reported in February 2005 that the program office recognized that 
US-VISIT and the Automated Commercial Environment (ACE)[Footnote 38] 
have related missions and operational environments. In addition, US-VISIT 
and ACE could potentially develop, deploy, and use common information 
technology infrastructures and services. We also reported that managing 
this relationship has not been a priority. Accordingly, we recommended 
that DHS do the following: 

Make understanding the relationships and dependencies between the 
US-VISIT and ACE programs a priority matter, and report periodically to 
the Under Secretary on progress in doing so. 

US-VISIT and ACE managers met in February 2004, to identify potential 
areas for collaboration between the two programs and to clarify how the 
programs could best support the DHS mission and provide officers with 
the information and tools they need. According to program officials, 
they have established a US-VISIT/ACE integrated project team to, among 
other things, ensure that the two programs are programmatically and 
technically aligned. The team has discussed potential areas of focus 
and agreed to three areas: RF technology, program control, and data 
governance. However, it does not have an approved charter, and it has 
not developed explicit plans or milestone dates for identifying the 
dependencies and relationships between the two programs. Program 
officials stated that the team has met three times and plans to meet on 
a quarterly basis going forward. 

It is important that the relationships and dependencies between these 
two programs be managed effectively. The longer it takes for the 
programs to understand and exploit their relationships, the more rework 
will be needed at a later date to do so. 

Conclusions: 

Over the last 3 years, we have made recommendations aimed at correcting 
fundamental limitations in US-VISIT's program management ability and 
thereby better ensuring the delivery of mission capability and value on 
time and commensurate with costs. While progress on the implementation 
of the recommendations is mixed, progress in critical areas has been 
slow. As with any program, introducing and institutionalizing the 
program management and accountability discipline at which our 
recommendations are aimed require investing time and resources while 
continuing to meet other program demands. In making such investment 
choices, it is important to remember that institutionalizing such 
program discipline in the near term will produce long-term payback in a 
program's ability to meet these other demands. Accordingly, the longer 
that US-VISIT takes to implement our recommendations, the greater the 
risk that the program will not meet its stated goals and commitments. 

Our open recommendations are all aimed at strengthening US-VISIT 
program management and improving DHS's ability to make informed 
US-VISIT investment decisions. With the exception of one, these 
recommendations are still relevant and applicable. Since we made our 
recommendation, facts and circumstances surrounding Increment 2B 
deployment and operational status have materially changed, making the 
collection of Increment 2B predeployment impractical. Nevertheless, the 
need remains to better understand the impact of US-VISIT entry 
capabilities on all land POEs. Until this understanding exists, the 
department will be challenged in its ability to accurately estimate and 
provide facilities and staff resource needs. 

Recommendation for Executive Action: 

To recognize both the need to fully assess the impact of US-VISIT entry 
capabilities on staffing levels and facilities at land POEs, as well as 
the current operational status of Increment 2B, we are closing our 
existing recommendation related to assessing the impact of Increment 
2B. We recommend that the DHS Secretary direct the US-VISIT Program 
Director to explore alternative means of obtaining an understanding of 
the full impact of US-VISIT at all land POEs, including its impact on 
workforce levels and facilities; these alternatives should include 
surveying the sites that were not part of the previous assessment. 

Agency Comments and Our Evaluation: 

In its written comments on a draft of this report, signed by the 
Director, Departmental GAO/OIG Liaison Office, and reprinted in 
appendix II, DHS stated that it agreed with many areas of the report 
and that our recommendations had made US-VISIT a stronger program. 
Further, the department stated that while it disagreed with certain 
areas of the report, it nevertheless concurred with the need to 
implement our open recommendations with all due speed and diligence. 

DHS commented specifically on 11 of the 18 recommendations discussed in 
the report. The recommendations, the department's comments, and our 
responses follow: 

1. Recommendation: Develop and begin implementing a system security 
plan, and perform a privacy impact assessment and use the results of 
the analysis in near-term and subsequent system acquisition decision 
making. 

DHS stated that this recommendation has been fully implemented. In 
support, it said that it has completed a US-VISIT security plan that is 
consistent with National Institute of Standards and Technology (NIST) 
guidance, and that it provided the plan to us in September 2004. It 
also stated that the security risk assessment aspect of this 
recommendation was established in February 2005, 20 months after we 
made the recommendation, and thus the age of the recommendation should 
be shown as 10 months rather than the 30 months cited in the report. 

The department also commented that there is no US-VISIT system, but 
rather a US-VISIT program with capabilities delivered by existing 
interconnected systems. According to the department, these component 
systems have been certified and accredited, consistent with NIST 
guidance, and as part of their certification and accreditation, 
security plans and risk assessments, as well as risk mitigation 
strategies, have been developed for each system. The department stated 
that it provided us with these system-level risk assessments, as well 
as system-specific action plans and milestones for implementing the 
mitigation strategies. In addition, the department noted that it 
completed a programwide risk assessment in December 2005 that 
specifically addresses information security issues that might not be 
captured in the system-specific documentation used to certify and 
accredit each system. In light of its system-specific certification and 
accreditation efforts, existing system-level risk assessments, and the 
program-level risk management process (see response 4 for discussion of 
the risk management process), DHS commented that it is inaccurate to 
state that US-VISIT officials are not in a position to know program 
risks, and the recommendation should be closed. 

While we agree that we received a copy of the US-VISIT security plan, 
dated September 2004, we do not agree that the plan satisfied all 
relevant federal guidance and that DHS has fully implemented our 
recommendation. In particular, it has not provided us with evidence 
that a programwide risk assessment has been done and that a security 
plan reflective of such an assessment exists. According to relevant 
guidance,[Footnote 39] a security plan should describe, among other 
things, the methodology that is to be used to identify system threats 
and vulnerabilities and to assess risks, and it should include the date 
the risk assessment was completed because the assessment is a necessary 
driver of the security controls described in the plan. As we reported 
in February 2005 and state in this report, the US-VISIT security plan 
did not include this information; further, although DHS stated in its 
comments that it completed this risk assessment in December 2005, this 
statement is contradicted by a statement elsewhere in its comments that 
it is still in the process of doing the assessment. In addition to this 
contradiction, DHS's comments did not include any evidence to 
demonstrate that it has developed a complete risk assessment, such as a 
copy of the assessment. 

With regard to the age of the recommendation, we do not agree with 
DHS's position that we established a new finding regarding the lack of 
a programwide risk assessment in our February 2005 report. Rather, as 
part of our analysis of actions to implement our prior recommendation 
to develop a security plan, which is to include information about the 
related security risk assessment, we observed that the plan did not 
indicate a date for completing a risk assessment in accordance with 
federal guidelines. Therefore, our position that about 30 months had 
passed from the time of our initial recommendation (June 2003) is 
accurate. 

With regard to the individual system-level risk assessments, we agree 
that we have received them. However, we do not agree that we have 
received the action plans and milestones cited in the comments. 
Regardless, we do not believe that system-level assessments are a 
sufficient substitute for a programwide assessment. Accordingly, our 
recommendation focused on the need for an integrated US-VISIT system 
risk assessment as part of security planning. While the system-level 
plans and risk assessments are relevant and useful, they neither 
individually nor collectively address the threats and vulnerabilities 
imposed as a result of these systems' integration. By stating in its 
comments its commitment to having a programwide risk assessment that 
identifies and proposes mitigations for security risks that arise as a 
result of the interface and integration of the legacy systems, DHS is 
agreeing with our position. Moreover, without evidence that the program 
has completely assessed its risks, we continue to find no basis for how 
program officials would know the full range and degree of US-VISIT 
security risks. Our position in this regard has been reinforced by a 
recent DHS Inspector General report that identified a number of 
US-VISIT security risks.[Footnote 40] 

To further support its position that this recommendation has been fully 
implemented, DHS also commented that it has completed numerous privacy 
impact assessments and continues to update them to reflect system 
changes. In particular, it said that it updated the privacy impact 
assessment in December 2005 to reflect all increments and that it 
considers the assessment to be part of US-VISIT system documentation. 
It further commented that we appear to be unaware of privacy staff 
activities to review system documents and perform privacy risk 
assessments throughout the system life cycle. Nevertheless, the 
department acknowledged that its privacy work was not always noted 
within US-VISIT system documentation. Accordingly, DHS stated that it 
plans to appropriately reference all privacy requirements and privacy 
risk assessments in the program's system documentation in the future. 

We agree that US-VISIT has developed and updated its privacy impact 
assessment and would note that our report states this fact. We do not 
agree, however, with the comment that we are not aware that the privacy 
staff review system documents and perform privacy risk assessments. In 
fact, it is because we were aware of these facts that we were careful 
to ensure that they were reflected in our report. The point that we are 
making is that privacy is not addressed in all relevant systems 
documentation, which DHS acknowledged in its comments. With regard to 
this point of agreement, we support the department's stated plans to 
reference all privacy requirements and any privacy risk assessments in 
all relevant system documentation in the future. 

2. Recommendation: Develop and implement a plan for satisfying key 
acquisition management controls, including acquisition planning, 
solicitation, requirements management, program management, contract 
tracking and oversight, evaluation, and transition to support, and 
implement the controls in accordance with SEI guidance. 

DHS commented that the report should reflect that US-VISIT had 
initially adopted Carnegie Mellon University's Software Engineering 
Institute (SEI) Software Acquisition Capability Maturity Model® to guide 
its software-related process improvement efforts and that, in December 
2004, it transitioned to SEI's Capability Maturity Model-Integration 
(CMMI®). As a result, it said that the program's process improvement 
strategy and plans, process development, and process appraisals are now 
aligned to the most applicable CMMI process areas. 

We agree that US-VISIT has transitioned to CMMI. We state in our report 
that US-VISIT has done so and that the key process areas it is 
addressing in its process improvement strategy and plan are consistent 
with those cited in our recommendation. We do not believe that this 
transition materially affects our recommendation, however, because even 
though the names of the key processes in these two models may in some 
cases differ, the processes and respective practices are fundamentally 
consistent. 

3. Recommendation: Clarify the operational context in which US-VISIT is 
to operate. 

Consistent with our report, DHS commented that the operational context 
in which US-VISIT operates is in progress, meaning that it has yet to 
be fully established. For example, it said that the mission of DHS, and 
therefore the scope of US-VISIT activities to meet the mission, is 
continually expanding. Further, it acknowledged that more certainty in 
the operational context is desirable. In mitigation of the risks 
associated with not having a more stable operational context, DHS made 
several statements. For example, it said that the principal role of 
US-VISIT is to integrate information and immigration and border management 
systems across DHS and the State Department, and to facilitate agencies 
working toward a common environment that will eliminate redundancies. 
It also said that elements of its draft immigration and border 
management strategic plan are being used in current US-VISIT 
operations. In addition, the department said that mechanisms to 
mitigate the risks that we cited have been developed and are being 
implemented. 

We support DHS's acknowledgment of the importance of having a 
well-defined operational context within which to define and implement 
US-VISIT and related border security programs. However, we do not believe 
that DHS's comments provided any evidence showing that sufficient steps 
and activities to mitigate the associated risks have been taken or are 
planned. 

4. Recommendation: Determine whether proposed US-VISIT increments will 
produce mission value commensurate with cost and risks and disclose to 
the Congress planned actions. 

DHS commented that its cost-benefit analysis (CBA) for Increment 1B 
conforms to relevant federal guidance, and noted that our expectations 
as to the scope and level of detail of analysis that should be included 
in the CBA document are inconsistent with its understanding of OMB 
Circular A-94 and DHS's CBA workbook,[Footnote 41] which were used to 
guide the development of the CBA analysis. As an example, the 
department took exception with our statement that year-by-year benefit 
estimates were not reported by noting that the net present value was 
based on an estimate of annual benefits and costs, and that net present 
value could not be estimated without a year-by-year benefit analysis. 

The department further commented that a comprehensive uncertainty 
analysis was conducted because it completed a risk analysis, which is 
more comprehensive, rigorous, and appropriate than conducting a 
sensitivity analysis. In this regard, it added that the results of the 
risk analysis provided an indication of Increment 1B's worthiness in 
light of existing uncertainty, rather than information on a specific 
CBA variable or another. The department further noted that it had 
provided some of these supporting analyses to us. 

DHS also stated that any investment that has a 5-year life cycle and is 
considered interim in nature will face considerable challenge in 
providing economic benefits commensurate with cost. 

We do not agree that the CBA fully conforms to relevant federal 
guidance. As our report states, for example, the analysis does not 
explicitly state the numerical value of the discount rate used for 
calculating each alternative's net present value, and hence does not 
conform to OMB guidance. In addition, the cost estimates used in the 
analysis were not complete and reliably derived. In deriving the 
estimate, for example, the department did not clearly define the 
project's life cycle to ensure that key factors were not overlooked and 
that the full cost of the program was included. (See response 10 below 
for more information on this point.) Last, while we agree that a 
year-by-year benefit analysis is a necessary component of a net present 
value determination, OMB nevertheless requires that the year-by-year 
benefit estimates be reported in the analysis to promote independent 
review of the estimates. 

Also, we do not agree that DHS performed a complete uncertainty 
analysis. According to OMB and DHS guidance, a complete uncertainty 
analysis should include both a risk analysis and a sensitivity 
analysis. However, the latter was not done. Thus, our point is not, as 
DHS comments suggest, that US-VISIT should have performed a sensitivity 
analysis instead of a risk analysis, but rather, that both types of 
analyses are necessary to completely examine investment uncertainty. 

5. Recommendation: Develop and implement a risk management plan and 
ensure that all high risks and their status are reported regularly to 
the executive body. 

DHS commented that US-VISIT began the development and implementation of 
its risk management plan in 2004 immediately after we made our 
recommendation. It further commented that, as part of a CMMI maturity 
internal appraisal that it completed in July 2005, it found that the 
risk management process had not been consistently applied across the 
program. To address this, the department cited actions that it has 
taken to fully implement risk management, such as approving the risk 
management plan in September 2005; defining a risk governance 
structure; establishing and maintaining a risk database; and developing 
risk management training and providing this training to program 
personnel and contractors beginning in November 2005. 

We support the recent actions that the program cited as having been 
taken to strengthen risk management. However, the actions cited do not 
demonstrate that the risk management process is being consistently 
applied. Until US-VISIT fully implements its risk management plan and 
process, it cannot be assured that all program risks are being 
identified and managed in order to effectively mitigate any negative 
impact on the program's ability to deliver promised capabilities on 
time and within budget. 

6. Recommendation: Develop and approve test plans before testing begins 
that (1) specify the test environment; (2) describe each test to be 
performed, including test controls, inputs, and expected outputs; (3) 
define the test procedures to be followed in conducting the tests; and 
(4) provide traceability between test cases and the requirements to be 
verified by the testing. 

DHS stated that our report does not accurately reflect the status of 
the Increment 2C Phase 1 testing. In particular, it said that the 
issues associated with the traceability of requirements to test cases 
were minor and that the extent of the discrepancies is far less than 
what our report presents. It further stated that the discrepancies in 
our report are based on old traceability documentation and do not 
reflect revised documentation provided to us on November 9, 2005. 

We agree that DHS provided us with revised traceability matrixes after 
we had shared with them our analysis of the test plans and traceability 
matrixes, dated June 28, 2005, and June 27, 2005, respectively. 
However, the revised documentation referenced in DHS's comments was 
provided in November 2005, about 4 months after testing began. This 
means that the test plans and traceability matrixes available at the 
time of testing--which are what we reviewed because they governed the 
scope and nature of actual testing performed--did not adequately trace 
between test cases and the requirements to be verified. Specifically, 
300 of the 438 Increment 2C requirements, or about 70 percent, did not 
have specific references to test cases. 

7. Recommendation: Implement effective configuration management 
practices, including establishing a US-VISIT change control board to 
manage and oversee system changes. 

DHS commented that a US-VISIT representative attends all configuration 
control board meetings for all applicable legacy component systems, and 
that any proposed change request from a legacy component control board 
that could affect US-VISIT functionality is brought to the attention of 
the US-VISIT Executive Configuration Control Board for consideration. 

We do not question these statements. However, we do not believe that 
they demonstrate that US-VISIT has adequate control over system changes 
that could affect the program. That is, they do not ensure that changes 
to the component systems that are initiated and approved by another DHS 
organization and that could affect US-VISIT performance are subject to 
US-VISIT configuration management and approval processes. US-VISIT 
could establish explicit and enforceable control over changes to the 
legacy systems through such mechanisms as defined and enforced 
memorandums of understanding among the affected DHS organizations. It 
was the lack of such control that prompted our recommendation. 

8. Recommendation: Assess the full impact of Increment 2B on land POE 
workforce levels and facilities, including performing appropriate 
modeling exercises. 

The department stated that, given the imperative to meet the 
legislatively mandated time frames, the scope of Increment 2B was 
limited to only one part of POE operations--incorporating the 
collection of a biometric into the previously manual Form I-94 issuance 
process. It also stated that wait times are affected by various 
factors, including traffic volume, staffing levels, and availability of 
officers. Therefore, DHS focused the Increment 2B evaluation on just 
the change to this process. 

The department further commented that given the events since the 
evaluation--namely, Increment 2B full operations--it is not practical 
to collect and model baseline data for the 47 sites that were not part 
of the initial evaluation. 

Regarding the 3 pilot sites included in the assessment, the department 
stated that the sites were selected based on criteria developed from 
input from US-VISIT, as well as CBP operational constraints. The 
department further commented that the 3 sites provided a reasonable mix 
of travelers and they did not have other constraints that directly 
impacted the collection of performance data specific to Form I-94 
issuance. DHS also stated that the I-94 processing times vary by POE, 
and therefore they are not easily generalized from one port to another. 
Further, the department commented that the number of workstations and 
officers available to operate those workstations to process applicants 
for a Form I-94 do not impact the time it takes to issue a Form I-94. 

We agree that the scope of the Increment 2B evaluation was limited to 
the I-94 issuance process, and that it did not address the increment's 
impact on the POEs' ability to meet other performance parameters. Our 
point is that the limited nature of the evaluation does not satisfy 
either the intent of our recommendation or DHS's own stated purpose for 
the evaluation, which was to determine the effectiveness of Increment 
2B performance at the 50 busiest land POEs. We also agree that the I-94 
processing times vary by POE and cannot be easily generalized. It is 
for this reason, among others, that we questioned whether the 3 sites 
selected for the assessment were sufficiently representative to satisfy 
both our recommendation and the evaluation's stated purpose. 

In addition, while we also agree that collecting pre-Increment 2B 
baseline data is not practical at this time, the fact remains that the 
operational impact of Increment 2B on workforce levels and facilities 
has not been adequately assessed, as evidenced by officials at 1 large 
POE telling us that processing times have increased and DHS's 
recognition that each POE is somewhat different. In light of these new 
facts and circumstances, we are closing our existing recommendation and 
making a new recommendation to recognize the need for DHS to explore 
alternative means to assess the impact of US-VISIT entry capabilities 
at land POEs. This new recommendation will be shown as an open 
recommendation, and the original recommendation will be closed. 

9. Recommendation: Develop a plan, including explicit tasks and 
milestones, for implementing all of our open recommendations and 
periodically report to the DHS Secretary and Under Secretary on 
progress in implementing this plan; and report this progress, including 
reasons for delays, in all future expenditure plans. 

DHS stated that it is untrue that 19 months had elapsed from the time 
we made this recommendation to the time that it assigned 
responsibilities to program officials for addressing each of our 
recommendations. In support, it commented that it issued its first plan 
to address our recommendations on August 18, 2003, and subsequent 
reports have been issued periodically that update progress in doing so. 

We agree that DHS has assigned responsibilities to specific individuals 
for addressing each recommendation. However, we have yet to be provided 
any evidence to support its statement that it issued the first report 
addressing our recommendations on August 18, 2003. Similarly, we have 
not received evidence showing that it has prepared a plan, including 
specific actions and milestones, for implementing all of our open 
recommendations, which is a focus of this recommendation. We would also 
observe that we made this recommendation in May 2004, and at that time 
the department stated that it agreed with the recommendation but did 
not indicate that it had taken any steps to address it, such as 
commenting that a report was issued on August 18, 2003. 

10. Recommendation: Follow effective practices for estimating the costs 
of future increments. 

DHS either tacitly or explicitly agreed with our findings relative to 
its satisfaction of 8 of the 13 cost-estimating criteria presented in 
table 4 (now table 3) of our draft report. For example, it agreed that 
it did not clearly define the life cycle to which the cost estimate 
applies. It also agreed that it did not include a work breakdown 
structure, noting that it used the available project implementation 
schedule as a proxy for the activities related to the deployment of the 
exit alternatives. 

Regarding our five findings concerning its satisfaction of 
cost-estimating with which DHS disagreed, the department's primary area of 
disagreement was with the intended purpose of the Increment 1B CBA that 
used the cost estimate, which it said in its comments was to inform 
decision makers about the relative worthiness of each of the three exit 
alternatives considered for deployment. Hence, DHS stated that the 
purpose of the CBA was to analyze only the costs associated with 
deploying an operational solution, not to analyze the costs and 
benefits of both developing and deploying alternative solutions. DHS 
further stated that the CBA thus includes only those costs to be 
incurred in deploying a selected alternative, and it does not include 
costs already incurred in developing system alternatives (i.e., sunk 
costs). It further commented that DHS guidance states that sunk costs 
are not relevant to the current investment analysis because "only 
current decisions can affect the future consequences of investment 
alternatives." 

DHS also disagreed that the cost estimate in the CBA should have 
included nonrecurring development costs, and commented that it did 
appropriately size the task described in the cost estimates for each 
alternative exit solution, noting that sizing metrics related to 
software development were not relevant to deployment of the 
alternatives because development activities had already occurred and 
therefore are sunk costs. The department added that those sizing 
metrics that are relevant to the cost estimate are discussed in the 
CBA, as are the cost estimating parameters (i.e., those associated with 
deployment and not those associated with development and testing). 

In addition, DHS disagreed that its cost estimate excluded important 
cost categories, such as system testing, and stated that the estimate 
addresses labor, facilities, operations and maintenance, information 
technology, travel, and training costs. Once again, DHS emphasized that 
since the focus of the CBA was on operational deployment and not system 
design and development, system testing costs were not included because 
they were not considered relevant. DHS also reiterated its earlier point 
that the uncertainty analysis that it conducted was comprehensive. 

We agree that actual sunk costs should not be included in a CBA cost 
estimate. However, we disagree that the cost categories that DHS cited 
as not relevant are only costs that are associated with predeployment 
activities. Testing, for example, is an activity that is normally 
performed before, during, and following deployment, and thus the 
associated costs would be relevant to the stated purpose of the 
Increment 1B CBA. However, a testing cost category was missing from the 
CBA cost estimate, as was a cost category for software maintenance. 

Regarding DHS's statement that it conducted a complete uncertainty 
analysis, we reiterate our previous point that a complete uncertainty 
analysis should include both a risk analysis and a sensitivity 
analysis, and the CBA did not include the latter. 

11. Recommendation: Reassess plans for deploying an exit capability to 
ensure that the scope of the exit pilot provides for adequate 
evaluation of alternative solutions and better ensures that the exit 
solution selected is in the best interest of the program. 

Concerning the questions we raised about the adequacy of the exit 
pilots in light of the 24 percent compliance rate, DHS commented that 
we failed to consider the compliance rate of the previous exit pilot 
program, the National Security Entry Exit Registration System (NSEERS), 
which, according to DHS, had a 75 percent compliance rate. DHS added 
that NSEERS achieved this compliance rate with a very limited number of 
exit locations, and therefore, any of the three US-VISIT exit 
alternatives would have at least a 75 percent compliance rate once 
national deployment was completed. 

Further, the department commented that Immigration and Customs 
Enforcement (ICE) had recently conducted enforcement operations at the 
Denver International Airport, and that the compliance rate during these 
operations increased from 30 percent to over 90 percent. It then 
concluded that the combined results of the exit pilot evaluation, the 
NSEERS pilot, and the ICE enforcement activities at the Denver 
International Airport lead it to believe that the US-VISIT exit 
alternatives have been adequately evaluated. 

We do not agree with this conclusion because it is based on unsupported 
assumptions. Specifically, DHS did not provide any evidence to support 
its claim that US-VISIT would achieve a comparable compliance rate 
to the NSEERS program. Moreover, even if DHS could achieve a 75 percent 
compliance rate for US-VISIT exit, that still means that 25 percent of 
eligible persons would not be complying with the US-VISIT exit process. 

Further, DHS did not provide any information about the recent 
enforcement actions conducted by ICE, nor did it provide any evidence 
that this is a practical and viable option for the US-VISIT exit 
solution. While we agree that enforcement actions may indeed increase 
the exit compliance rate, DHS has not yet assessed the impact of such a 
solution on the US-VISIT exit process. Further, the US-VISIT program 
director acknowledged the need to evaluate the impact of implementing 
potential enforcement actions on US-VISIT exit and planned to do so. 

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of the Senate and House Appropriations Committees, as 
well as to the Chairmen and Ranking Minority Members of other Senate 
and House committees that have authorization and oversight 
responsibilities for homeland security. We are also sending copies to 
the Secretary of Homeland Security, Secretary of State, and the 
Director of OMB. Copies of this report will also be available at no 
charge on our Web site at [Hyperlink, http://www.gao.gov]. 

Should you or your offices have any questions on matters discussed in 
this report, please contact me at (202) 512-3439 or at [Hyperlink, 
hiter@gao.gov]. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. Key contributors to this report are listed in appendix IV. 

Signed by: 

Randolph C. Hite: 
Director, Information Technology Architecture and Systems Issues: 

List of Requesters: 

The Honorable Peter T. King: 
Chairman: 
The Honorable Bennie G. Thompson: 
Ranking Minority Member: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable Bob Filner: 
House of Representatives: 

The Honorable Raul M. Grijalva: 
House of Representatives: 

The Honorable Ruben Hinojosa: 
House of Representatives: 

The Honorable Solomon Ortiz: 
House of Representatives: 

The Honorable Silvestre Reyes: 
House of Representatives: 

[End of section] 

Appendixes: 

Appendix I: Objective, Scope, and Methodology: 

Our objective was to determine the progress of the Department of 
Homeland Security (DHS) in implementing 18 of our recommendations 
pertaining to the U.S. Visitor and Immigrant Status Indicator 
Technology (US-VISIT) program. To accomplish this objective, we 
reviewed and analyzed US-VISIT's most recent status reports on the 
implementation of our open recommendations and related key documents, 
augmented as appropriate by interviews with program officials. More 
specifically, we analyzed relevant systems acquisition documentation, 
including the program's process improvement plan, risk management plan, 
and configuration management plan. We also analyzed the US-VISIT 
security plan, privacy impact assessment, cost-benefit analysis, cost 
estimates, test plans, human capital plans, and related evaluations and 
assessments. In performing our analyses, we compared available 
documentation and program officials' statements with relevant federal 
guidance and associated best practices.[Footnote 42] A more detailed 
description of our scope and methodology relative to the cost-benefit 
analysis, cost estimates, and test plans follows: 

* Our analysis of the cost-benefit analysis focused on Increment 1B 
because this was the latest cost-benefit analysis and cost estimate 
prepared. In doing this analysis, we compared the US-VISIT cost-benefit 
analysis to eight criteria in Office of Management and Budget (OMB) 
guidance.[Footnote 43] 

* Our analysis of the cost estimate also focused on Increment 1B for 
the same reason previously cited. In doing this analysis, we compared 
the estimate to 13 criteria from the Software Engineering 
Institute[Footnote 44] that we have previously reported to be the 
minimum set of actions needed to develop a reliable cost estimate. We 
then determined whether the criteria were satisfied, partially 
satisfied, or not satisfied using the definitions given below. 

* Our analysis of the test plans focused on Increment 2C because it is 
the most recently tested increment. This analysis included determining 
the extent to which the test plans for this increment met 4 key 
criteria that we have previously reported as essential to effective 
test plans. In doing this analysis, we examined Increment 2C systems 
documentation, including business and functional requirements and 
traceability matrixes. We also independently traced 58 business 
requirements and 438 functional requirements to the test cases in the 
test plan. Further, we independently traced all test cases to the 
requirements to determine consistency. 

In performing our work, we used the following categories and 
definitions in deciding the extent to which each recommendation had 
been implemented. Specifically, we considered a recommendation: 

* completely implemented when documentation demonstrated that it had 
been fully addressed, 

* partially implemented when documentation indicated that actions were 
under way to implement it, and 

* in progress when documentation indicated that action had been 
initiated to implement it. 

These categories and definitions are consistent with those used in our 
prior US-VISIT reports. 

In determining the amount of time it has taken to implement actions on 
our recommendations, we calculated the time from the date the report 
was issued through December 2005. 

We conducted our audit work at the US-VISIT program office in Rosslyn, 
Virginia, from August 2005 through December 2005, in accordance with 
generally accepted government auditing standards. 

[End of section] 

Appendix II: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

January 13, 2006: 

Randolph C. Hite:
Director, Information Technology Architecture and Systems Issues: 
U.S. Government Accountability Office: 
Washington, D.C. 20548: 

Dear Mr. Hite: 

Thank you for the opportunity to review the draft report, Homeland 
Security: Recommendations to Improve Management of Key Border Security 
Program Need to Be Implemented (GAO-06-296). As with prior reports that 
your office has issued regarding US-VISIT, there are many areas with 
which we agree, and the recommendations have made US-VISIT a stronger 
program. However, as with those past reports, the Department of 
Homeland Security (DHS) has certain areas of disagreement. They appear 
in our comments, which begin on page 2 of this letter. 

All of the issues covered by this report need to be viewed in the 
larger framework of one simple fact: US-VISIT is working as Congress 
intended. 

Thanks to the hard work and dedication of the US-VISIT team, all three 
congressionally mandated phases of implementation were completed ahead 
of schedule and under budget. US-VISIT is now in place at our nation's 
airports, seaports, and land border ports of entry. As you know, this 
program has a significant effect on our national security, economic 
prosperity, and international relationships around the world. Through 
biometric authentication, US-VISIT makes entering the U.S. easier for 
legitimate tourists, students, and business travelers, while making it 
more difficult to illegally enter and stay in our country. 

US-VISIT-working in partnership with stakeholders within DHS, the 
federal government, the private sector, and other countries-has 
exceeded the goals set by Congress and DHS for this program. In the 
final report of the 9/11 Commission, which issued grades to U.S. 
government responses to the recommendations outlined in its 2004 
report, the 9/11 Commission awarded a "B" to "Biometric entry-exit 
screening system," one of the highest grades achieved by any government 
agency. The Commission recognized US-VISIT's successful screening 
operations at our ports of entry, and found that the program has 
collaborated well with Interpol. 

In the two and a half years since its inception, US-VISIT has processed 
more than 45 million visitors at ports of entry, linking together 
systems from DHS and the Departments of State and Justice. In FY 2005, 
US-VISIT was successfully deployed at the 154 land border ports of 
entry (POEs), with the majority of ports reporting improved process 
times. US-VISIT also worked closely with the Department of State to 
implement the same capability at its 211 visa issuing posts around the 
world. US-VISIT has now intercepted nearly 1,000 prior or suspected 
criminals and immigration violators-including murderers, rapists, 
pedophiles, and drug traffickers-from entering the country, and enabled 
the Department of State to identify criminals and immigration violators 
who applied for visas. During this same period, DHS has provided 14,700 
matches against the biometric watchlist to the Department of State 
through its BioVisa program, which is fully integrated with US-VISIT. 
Use of biometrics has allowed the United States to deprive potential 
terrorists of one of the tools they use to threaten our nation and 
other countries around the world: the ability to cross our borders 
using fraudulent documents and violate our immigration laws without 
detection. 

Even with US-VISIT's increased security checks, travelers have not been 
inconvenienced; in fact, wait times at land border ports of entry have 
actually gone slightly down, and surveys from travelers show that the 
vast majority do not object to US-VISIT's biometric procedures. By 
working closely with federal, state, and local governments; conducting 
a thorough, concentrated, and continuing global outreach campaign; and 
through a commitment to respect for the privacy of those who would be 
enrolled in the system, US-VISIT has gained worldwide acceptance. US- 
VISIT's success inspired the European Union to adopt the inclusion of 
fingerprints into its biometric passports; and the government of Japan 
has indicated that it will model its own biometric border management 
system after US-VISIT. 

The GAO draft report is organized by discussion of progress on the 
implementation of prior open recommendations. US-VISIT comments on 
GAO's assessments are also provided by recommendation: 

Recommendation: 

Develop and begin implementing a system security plan, and perform a 
privacy impact assessment and use the results of the analysis in near- 
term and subsequent system acquisition decision. 

Response: 

While US-VISIT has completed a security plan and is in the process of 
completing a risk assessment, the relationship of these documents to 
system security must be clearly understood. As the GAO report details, 
US-VISIT is being implemented incrementally. Increments 1 through 3 
fulfilled legislative mandates through the introduction of interfaces 
and enhancements to existing "legacy" systems. As such, there is no US- 
VISIT system, but rather a US-VISIT program with capabilities delivered 
by these interconnected systems. Consistent with both National 
Institute of Standards (NIST) guidance and the DHS inventory, these 
systems have undergone extensive security evaluation leading to the 
certification and accreditation of each component system. The 
accreditation status of these systems is shown below: 

[See PDF for image] 

[End of table] 

As an integral part of certification and accreditation, security plans 
and risk assessments are developed for each system. Additionally, risk 
mitigations are proposed and tracked in a DHS tool for each system. To 
posit that US-VISIT does not understand system requirements or did not 
ensure that "proper safeguards are in place to protect system data and 
resources" fails to acknowledge the extensive security procedures in 
place at the system level. 

As stated in the draft report, US-VISIT was preparing an enterprise- 
wide risk assessment. This document was completed in December 2005, and 
it identifies and proposes mitigations for security risks that arise 
from the complex interplay of the interconnected systems cited above. 
This document specifically addresses information security issues that 
might not be captured in the system-level documentation prepared for 
legacy system certification and accreditation. It also complements the 
security strategy document under development that supersedes the 
existing US-VISIT security plan. 

GAO properly notes that program management-as opposed to system 
security management-is the mechanism to address programmatic risks. US- 
VISIT coordinates issues derived from security reviews with a Risk 
Review Board to ensure that security issues are elevated when they 
impact overall program risk. 

In regard to the performance of privacy impact assessments, as GAO has 
noted, US-VISIT has completed numerous Privacy Impact Assessments 
(PIAs) and continues to update them to reflect changes in US-VISIT 
systems. The US-VISIT PIA is regarded throughout the privacy community 
as a model document. However, GAO appears to be unaware that the 
privacy program staff fully participates in US-VISIT integrated project 
teams and has effectively integrated privacy activities into the system 
development lifecycle by reviewing all system documents and performing 
privacy risk assessments for both specific issues as well as for 
overall increment planning and implementation. In this manner, US-VISIT 
believes that it has implemented the GAO recommendation to fully 
address privacy issues in the relevant system documentation, but 
understands that the privacy work completed was not always noted within 
each individual system document. To ensure that GAO has full visibility 
into the privacy work completed by US-VISIT in the future, all relevant 
system documents will be annotated to specifically reference the 
privacy requirements and reference any privacy risk assessments that 
were completed. 

There are specific areas of the draft report's assessment of progress 
on this recommendation that need clarification: 

In the Executive Summary on page 17, first bullet, Security Plan: 

The US-VISIT Security Plan provided to GAO was composed in accordance 
with DHS requirements and NIST SP 800-18. The security plan devotes an 
entire section (section 4.1) to Risk Assessment and Management. In 
February 2005, GAO established another finding to develop a program- 
wide risk assessment, which was completed at the end of calendar year 
2005. This finding was only open for less than 10 months, not "about 
30" as it appears in the chart. In addition to the program-wide risk 
assessment, US-VISIT certifies and accredits all of its systems in 
accordance with DHS policies and NIST 800-37 guidance. Systems that 
operate to achieve the US-VISIT mission have individual system-level 
risk assessments completed, evaluated, and updated throughout the 
lifecycle to ensure that risk is known and managed by US-VISIT program 
officials. These risk assessments have been provided to GAO. Plans of 
Actions and Milestones (POA&Ms) exist for each US-VISIT system-also 
provided to GAO-that establish an implementation schedule for 
mitigation strategies to reduce the overall risk to the systems. In 
addition to the system-level risk assessments and POA&Ms, risks 
determined to be significant to US-VISIT are elevated to the US-VISIT 
Risk Management Team. Based on all of the certification and 
accreditation efforts, existing system security risk assessments, and 
the program level risk management process, it is inaccurate to state 
that US-VISIT officials "are not in a position to know the risks 
associated with their program." 

In regard to Table 1, the length of time that GAO asserts that this 
recommendation has been open is inaccurate. The initial recommendation 
was to complete a US-VISIT Program Security Plan. The Security Plan was 
written in accordance with the format prescribed by NIST SP 800-18. It 
was delivered in September 2004, which should have closed the 
recommendation. A second follow-on recommendation from GAO to complete 
a program-level security risk assessment was issued in February 2005. 
US-VISIT is in the process of finalizing this document. 

In regard to the Privacy Impact Assessment, page 18: 

US-VISIT has completed numerous Privacy Impact Assessments (PIAs) and 
continues to update them to reflect changes in US-VISIT systems. The 
July 2005 PIA was found to be consistent with federal guidance, as 
stated in the draft report. That PIA was updated in December 2005 based 
on the same guidelines. Numerous privacy risk assessments are also 
conducted to ensure that privacy is thoroughly accounted for throughout 
the entire US-VISIT program. The PIA has been updated to reflect all 
increments, and is considered to be part of system documentation. In 
addition, privacy is built into the US-VISIT lifecycle and is 
considered throughout the development of a system. GAO reports that 
privacy is not included in functional requirements documentation. A 
"functional privacy requirement" falls under the security controls and 
requirements which are included in both business and functional 
requirements documents. Security documentation specifically reflects 
that "Privacy Act Information" is processed by the systems comprising 
US-VISIT. A FIPS 199 Security Categorization was performed for each 
system to determine that adequate security controls are in place or 
planned to protect this Privacy Act information. System Security Plans 
outline the specific controls in place to protect the data. 

Recommendation: 

Develop and implement a plan for satisfying key acquisition management 
controls, including acquisition planning, solicitation, requirements 
development and management, project management, contract tracking and 
oversight, evaluation, and transition to support, and implement the 
controls in accordance with the Software Engineering Institute's (SEI) 
guidance. 

Response: 

In regard to the discussion of the Capability Maturity Model-Integrated 
(CMMI): 

The draft report should reflect that, initially, US-VISIT adopted 
Carnegie Mellon University's Software Engineering Institute (SEI) 
Software Acquisition Capability Maturity Model® (SA-CMM®) to guide its 
management process implementation. US-VISIT transitioned from the SA- 
CMM to the Capability Maturity Model-Integration (CMMI®) in December 
2004 based on recommendations from the SEI, MITRE, and the newly hired 
US-VISIT Process Improvement Lead. The CMMI® is a more robust model and 
is now the "best practice" standard in use at hundreds of commercial 
and government organizations. Additionally, SEI expects to retire the 
SA-CMM® very soon. SEI developed a guidance document-the CMMI®-Acquisition 
Module-to assist acquisition organizations such as US-VISIT 
in applying the CMMI®. As a result, the US-VISIT process improvement 
strategy and plans, process development, and appraisals are now 
realigned to the selected CMMI® process areas most applicable to US- 
VISIT. 

Recommendation: 

Clarify the operational context in which US-VISIT is to operate. 

Response: 

As noted in the draft report, "...an immigration and border management 
strategic plan was drafted in March 2005 that shows how US-VISIT is 
aligned with DHS' organizational mission and defines an overall vision 
for immigration and border management." GAO further noted that, "Since 
the plan was drafted, DHS has reported that other relevant initiatives 
have been undertaken, such as the Security and Prosperity Partnership 
of North America and the Secure Border Initiative." And the draft 
report concluded that, "Until US-VISIT's operational context is fully 
defined, DHS is increasing its risk of defining, establishing, and 
implementing a program that is duplicative of other programs and not 
interoperable with them." 

The mission of DHS is continually expanding and, as a result, the scope 
of US-VISIT's activities in providing for capabilities to meet that 
mission is constantly evolving. US-VISIT agrees that the operational 
context in which it operates is, in a sense, "in progress" in that it 
continues to evolve in compliance with new legislative, administrative, 
and Departmental mandates and priorities. However, the principal role 
of US-VISIT is to integrate information and make interoperable 
immigration and border management systems across the Departments of 
Homeland Security and State and, as such, US-VISIT will be an enabler 
of other programs. A significant part of US-VISIT's role is to 
establish an environment that will ensure agencies work toward a common 
environment that will eliminate redundancies. The immigration and 
border management strategic plan, as well as the first MCE derived 
from that plan, are being used in current operations. Elements of this 
plan are being incorporated into the planning and operational context 
for the projects noted by GAO as having potential for redundancy. 
Although US-VISIT concurs that more certainty would be desirable, 
mechanisms to mitigate the risk noted by GAO have been developed and 
are being implemented. 

Recommendation: 

Determine whether proposed US-VISIT increments will produce mission 
value commensurate with cost and risks and disclose to the Congress 
planned actions. 

Response: 

US-VISIT disagrees with the assertion in the draft report that it did 
not perform a complete uncertainty analysis for the three alternatives. 
A comprehensive uncertainty analysis was conducted throughout the 
study. The Risk Analysis Process, summarized in Appendix F, is a state- 
of-the-art process to account for uncertainty surrounding key benefit 
and cost assumptions used in the analysis. Chapter 6 of the cost 
benefit analysis (CBA) explicitly shows the assumptions used in the 
analysis, expressed in the form of ranges built around the major 
variables. These assumptions are based on observations of historical 
trends, pilot study results, and expert opinion solicited during risk 
analysis sessions that were organized with the participation of various 
stakeholders. Therefore, the process incorporates both objective and 
subjective perspectives. The results of the risk analysis are 
subsequently portrayed as probabilistic distributions in Chapter 7. 
This approach is comprehensive, more rigorous, and more appropriate for 
this study than sensitivity analysis. Sensitivity analysis 
theoretically provides insight into which factors in the decision are 
most important. Risk analysis, on the other hand, allows for the simultaneous 
variation of key assumptions within their assigned boundaries-a better 
reflection of reality-rather than varying one variable at a time. The 
risk analysis outcome is more appropriate for this study as the results 
must provide the decision maker with an indication of the project's 
worthiness given the existing uncertainty, rather than how the outcome 
is sensitive to one specific variable or another. 

US-VISIT was guided by, and adhered to, OMB Circular A-94 and the DHS 
CBA handbook, Capital Planning and Investment Control: Department 
of Homeland Security Cost Benefit Analysis (CBA) Work Book May 2003, in 
developing the Increment 1B CBA. US-VISIT's disagreement fundamentally 
concerns expectations as to the scope and level of detail of analysis 
that should be included with the formal CBA document. The auditors 
apparently believe that all detail should be included within the formal 
CBA document. US-VISIT instead chose to communicate the substance of 
its analysis in the formal CBA, believing the results of the final 
analyses were the more relevant input for DHS decision-makers. US- 
VISIT's reading of Circular A-94 and the DHS CBA Work Book does not 
lead to the conclusion that these documents require the level of detail 
GAO desires. US-VISIT provided GAO with some of the detailed analyses 
supporting the Increment 1B CBA, and is prepared to provide other 
detailed analyses for GAO review. 

US-VISIT also takes exception to GAO's assertions in Table 2: US-VISIT 
Satisfaction of OMB Economic Analysis Criteria. For Criterion 5, "The 
quality of the benefits to be realized from each alternative was 
reasonable," GAO concludes that the criterion was not met based upon 
its analysis that "Year-by-year benefit estimates were not reported." 
It is important to note that the net present value (NPV) estimate was 
based upon an estimation of the stream of benefits and costs annually. 
The NPV cannot be estimated without a year-by-year benefit analysis. 
The detailed annual analysis GAO desires was performed and is available 
for review. Again, the content of the formal CBA was focused on meeting 
the information needs of DHS executives, with detailed supporting 
analyses available upon request. For Criterion 8, "a complete 
uncertainty analysis of cost and benefit was included," GAO concludes 
that the criterion was not met based upon its analysis that "Although 
the cost-benefit analysis did include Monte Carlo simulation results 
for the three exit alternatives, no sensitivity analysis was conducted 
for those alternatives. Instead, the cost-benefit analysis reports 
sensitivity analysis results for the five deployment scenarios." US- 
VISIT disagrees with the assertion that it did not perform a complete 
uncertainty analysis for the three alternatives. A comprehensive 
uncertainty analysis was conducted. 

The draft report also states, "It is important that the program adhere 
to relevant guidance in developing its incremental cost-benefit 
analyses. If this is not done, the reliability of the analyses is 
diminished, and an adequate basis for the prudent investment decision- 
making does not exist. Moreover, if the mission value of a proposed 
investment is not commensurate with costs, it is vital that this 
information be fully disclosed to DHS and congressional decision 
makers. The underlying intent of our recommendation is that this 
information be available to inform such decisions." US-VISIT believes 
that the Increment 1B CBA does conform to relevant guidance and that 
the heart of the disagreement with GAO involves a difference in 
interpretation as to the amount of detail necessary for inclusion 
within the formal CBA, as opposed to having supporting detailed 
analyses available upon request. Further, the NPV of each Increment 1B 
alternative was clearly communicated in the executive summary of the 
CBA in order to provide decision makers with the primary measure of 
each alternative's relative worthiness. As these NPVs indicate, any 
investment with a five-year lifecycle and considered interim in nature 
will face a considerable challenge in providing economic benefits 
commensurate with cost. To quote the CBA, "The full economic benefit of 
this exit solution is not realized during the initial five years of 
operation, but is harvested over an adequate life cycle of the 
investment." 

Recommendation: 

Develop and implement a risk management plan and ensure that all high 
risks and their status are reported regularly to the executive body. 

Response: 

In analyzing US-VISIT's efforts at managing risk, it is important to 
consider that US-VISIT began the development and implementation of its 
risk management plan in 2004 immediately after GAO made its initial 
recommendation. As part of its CMMI process maturity baseline internal 
appraisal completed in July 2005, US-VISIT found that the risk 
management process detailed in its plan was not consistently applied 
across the program. In response, positive steps have since been taken. 
The Risk Management Plan was approved in September 2005 and includes, 
among other things, a process for planning, identifying, analyzing, 
handling, and monitoring risk. It also defines the governance structure 
to be used in overseeing and managing the process. US-VISIT also 
maintains a risk management database, which includes among other things 
a description of the risk, its priority (high, medium, or low) and 
impact, and its mitigation strategy. The database is currently 
available to program management and staff. 

US-VISIT established a Risk Review Board, Risk Review Council, and Risk 
Owner to govern its risk activities. The roles and responsibilities are 
described below. 

* The Risk Review Board directs all risk governance within the program 
and provides the mechanism to escalate/transfer the consideration of 
risks to program governing boards and to organizations external to the 
program. 

* The Risk Review Council oversees and manages risks that are 
significant, controversial, or cross-project, or that may require 
escalation to the Risk Review Board. 

* Risk Owners analyze, handle, and monitor risks. 

Risk management training has been developed and training sessions for 
US-VISIT personnel and contractors began in November 2005. The Risk 
Review Board, chartered in September 2004, reviews risks with US-VISIT 
executives and has been meeting periodically since January 2005. 

Recommendation: 

Develop and approve test plans before testing begins that (1) specify 
the test environment; (2) describe each test to be performed, including 
test controls, inputs, and expected outcomes; (3) define the test 
procedures to be followed in conducting the tests; and (4) provide 
Traceability between test cases and the requirements to be verified by 
the testing. 

Response: 

While there were minor issues with the traceability of requirements to 
test cases, the extent of the discrepancies is far less than presented 
by the draft report. The data cited in the report is consistent with 
GAO's initial findings as reported in its document, Topics for 
Discussion and Request for Documentation Regarding Testing of US-VISIT 
Increment 2C Proof of Concept Phase I, received on October 12, 2005, by 
US-VISIT. However, the findings do not accurately reflect the status of 
Increment 2C Phase 1 testing. 

In the October 12, 2005, document, GAO requested the updated version of 
the Requirements Traceability Matrix (RTM) to "...show proof that the 
test cases were actually executed and the outcome(s) achieved." GAO 
also requested the updated RTM to resolve requirements and test case 
mapping issues identified in the GAO report. US-VISIT System Assurance 
provided the current versions of the US-VISIT Increment 2C RTM along 
with current versions of the US-VISIT Increment 2C Test Plan on 
November 9, 2005, to GAO. Documents provided that day included: 

* US-VISIT Increment 2C Requirements Traceability Matrix: 
* US-VISIT Increment 2C Proof of Concept IV&V Test Cases:
* US-VISIT Increment 2C Proof of Concept IV&V Test Cases Appendix A - H 
* US-VISIT System Engineering Plan:
* US-VISIT Task Order 4 Option Year 1: 

These documents resolved the issues that GAO identified with earlier 
versions of the documents, namely test case traceability to 
requirements and testing results. 

Recommendation: 

Implement effective configuration practices, including establishing a 
US-VISIT change control board to manage and oversee system changes. 

Response: 

The draft report states that "...changes to component systems that are 
initiated and approved by another DHS organization and that could 
affect US-VISIT performance are not subject to US-VISIT configuration 
management processes and are not also being examined and approved by 
the US-VISIT control board. This lack of US-VISIT control was the 
impetus for our recommendation." A representative from US-VISIT's 
Office of Mission Operations or Office of Information Technology 
attends all CCB meetings for applicable legacy component systems. Any 
proposed change request from a legacy component CCB that could affect 
US-VISIT functionality is brought by the US-VISIT representative to the 
US-VISIT ECCB for consideration. 

Recommendation: 

Assess the full impact of Increment 2B on land POE workforce levels and 
facilities, including performing appropriate modeling exercises. 

Response: 

The draft report asserts that the scope of US-VISIT's evaluation of the 
impact of Increment 2B was too limited. Given the imperative to meet 
the December 31, 2004, legislative mandate, US-VISIT's Increment 2B 
was limited by time, funding, and resources, and as such the 
performance evaluation had to focus on representative sites. Three 
pilot sites were identified by Customs and Border Protection (CBP), and 
the selection criteria were based upon input from US-VISIT as well as 
CBP's own operational constraints. The three locations offered by CBP 
provided a reasonable mix of travelers and did not have other 
constraints that would directly impact the collection of performance 
data specific to the Form I-94 issuance. 

Wait times are a complex function of CBP operations, receipt of 
intelligence, traffic volume, staffing levels, availability of Officers 
to staff lanes/booths, weather, seasonal changes to traffic, holidays, 
and local events. Since Increment 2B incorporated the collection of a 
biometric into the previously manual process of Form I-94 issuance, 
which is only one process in CBP border operations, measurements were 
taken that specifically addressed the delta introduced by Increment 2B. 
[In addition, on page 38, Table 3, concerning the reduction in reported 
processing times, has an incorrect heading for the last column: it 
should read "(February 2005)," not "(February 2004)."] 

Going back to assess the full impact of Increment 2B would require 
baseline data collection that represents operational performance prior 
to the Increment 2B deployment. This is not practicable in the 
production environment that exists at the 47 ports that were not 
evaluated. The alternative approach is to model the baseline 
performance using historical data from the three ports evaluated and 
possibly supplement this data with data from previous studies. However, 
it is very likely that the modeling approach used to reconstruct the 
baseline performance will be subject to question. The detailed 
step-by-step processing times are site specific and not easily generalized from 
one port to another. As a result, any baseline estimates prepared ex 
post will not be as accurate as the actual results reported from the 
three ports. Lacking an acceptable baseline, any conclusions developed 
from such a follow-up study on the remaining 47 ports could be refuted. 

The reference in the draft report to the number of workstations 
(baseline versus evaluation) is confusing. The number of workstations 
available to process applicants for a Form I-94 and/or the number of 
Officers available to operate those workstations are often utilized to 
address the number of applicants (or volume). Such resources do not 
impact the time it takes to issue a Form I-94 to an individual; 
consequently, the time it takes to issue a Form I-94 is the only true 
valid measure. 

The draft report also describes the San Ysidro port of entry (POE) as 
the busiest land POE. This is not entirely accurate; while San Ysidro 
is the largest POE by volume of travelers, the three bridges combined 
for Laredo make it the busiest port that issues Form I-94s. In 2003, 
San Ysidro issued approximately 409,683 I-94s; the combined bridges at 
Laredo issued 432,892 Form I-94s. 

Recommendation: 

Develop a plan, including explicit tasks and milestones, for 
implementing all our open recommendations and periodically report to 
the DHS Secretary and Under Secretary on progress in implementing this 
plan; and report this progress, including reasons for delays, in all 
future expenditure plans. 

Response: 

GAO's assertion that 19 months elapsed from the issuance of this 
recommendation until US-VISIT assigned responsibilities to specific 
individuals for addressing each recommendation is untrue. In fact, the 
first such plan for addressing GAO recommendations was issued on August 
18, 2003--less than a month after former DHS Secretary Ridge officially 
created the US-VISIT program office. Subsequent reports, issued 
periodically and updated with progress on implementation, have included 
all additional recommendations as they appeared in all GAO reports 
affecting US-VISIT. 

Recommendation: 

Follow effective practices for estimating the costs of future 
increments. 

Response: 

US-VISIT disagrees with GAO's evaluation in Table 4 of the Increment 1B 
cost benefit analysis against the 13 SEI criteria for satisfaction of 
cost estimating. 

For Criterion 2, the lifecycle to which the estimate applies is clearly 
defined. GAO concludes that the criterion was partially met based upon 
its analysis that "The lifecycle was not clearly defined to ensure that 
the full cost of the program was included. For example, the analysis 
did not include evidence that nonrecurring development costs were 
included in the cost estimate." US-VISIT does agree that it did not 
clearly identify the lifecycle to which the estimate applies. The crux 
of the disagreement is once again related to the purpose of the CBA 
document, which is to inform DHS decision makers as to the relative 
worthiness of each of the three exit alternatives considered for 
deployment as part of Increment 1B. The analysis supports the decision 
related to the deployment of an operational solution for the project. 
It does not analyze conceptual alternatives early in the investment 
lifecycle that would necessitate the inclusion of planning, analysis, 
design, and development activities in the cost estimates for each 
alternative, as these activities had already occurred and therefore had 
no bearing on the decision to deploy. The general cost assumptions 
listed in Chapter 6 of the CBA include the following lifecycle 
assumption: "Cost estimates represent only the incremental cost 
associated with acquiring and maintaining the interim exit solution to 
be delivered to 76 airports and 12 seaports as part of Increment 1B." 
Within the context of that overall lifecycle assumption, the following 
information technology cost assumption is stated in the CBA: "IT 
systems development, integration, and security costs [are] assumed to 
be sunk historical costs incurred prior to full deployment of exit 
alternatives and therefore not included in cost estimates." In other 
words, the analysis includes only those acquisition costs that will be 
incurred as a result of the decision on which exit alternative to 
deploy, and does not include sunk costs for the plan, analyze, design, 
build, and test stages that have already been incurred and do not 
impact the deployment decision informed by this analysis. Per the DHS 
CBA Work Book, pages 33-34, "Sunk costs are not relevant to the current 
investment analysis because only current decisions can affect the 
future consequences of investment alternatives. The IPT will not 
include sunk costs in any CBA calculations." 

For Criterion 3, "The task has been appropriately sized," GAO concludes 
that the criterion was not met based upon its analysis that "An 
appropriate sizing metric should be used in the development of the 
estimate, such as the amount of software to be developed and the amount 
of software to be revised. The program office provided no evidence that 
an appropriate sizing mechanism was used, and program officials stated 
that they had not collected these data." US-VISIT believes that it 
appropriately sized the task described in the cost estimates for the 
Increment 1B Exit CBA alternatives. As stated above, the alternatives 
considered in the analysis represent operational deployment 
alternatives, not conceptual program initiation phase alternatives. 
Therefore, activities related to the plan, analyze, design, build, and 
test stages were not considered relevant to the scope of the estimates 
and were not included. Sizing metrics related to software development 
were not applicable to the deployment phase because these activities 
had already occurred and were therefore considered sunk costs not to be 
included in the CBA calculations. Sizing metrics relevant to the 
deployment phase were used in the cost estimates and were derived based 
upon the actual costs of deployment experienced during the exit pilot. 
By determining the average cost of deployment for sample airports and a 
seaport based upon size and relative activity, and extrapolating those 
sample deployment cost estimates across their respective operational 
environments, a total cost of deployment was calculated. The deployment 
cost estimate sizing technique described above is clearly communicated 
in the CBA in the general cost assumptions in Chapter 6. 

For Criterion 5, "A written summary of parameter values and their 
rationales accompanies the estimate," GAO concludes that the criterion 
was partially met based upon its analysis that "If a parametric 
equation was used to generate the estimate, the parameters that feed 
the equation should be provided along with an explanation of why they 
were chosen. High-level cost categories, such as labor, information 
technology, facilities, and other costs were identified, but detailed 
parameters used to develop the estimate, such as number of software 
lines of code, were not provided in the analysis." US-VISIT did provide 
the detailed parameters used to develop the cost estimates for the 
Increment 1B Exit CBA alternatives. As stated above, the alternatives 
considered in the analysis represent operational deployment 
alternatives, not conceptual program initiation phase alternatives. 
Therefore activities related to the plan, analyze, design, develop, and 
test stages were not considered relevant to the scope of the estimates 
and were not included. Parameters related to software development, such 
as the number of software lines of code, were not applicable to the 
deployment phase because these activities had already occurred and were 
therefore considered sunk costs not to be included in the CBA 
calculations. Cost estimating parameters relevant to the deployment 
phase were used in the cost estimates and were derived from actual 
costs of deployment experienced during the exit pilot. By determining 
the average cost of deployment for sample airports and a seaport based 
upon size and relative activity, and extrapolating those sample 
deployment cost estimates across their respective operational 
environments, a total cost of deployment was calculated. The deployment 
cost estimating parameters described above are clearly communicated in 
the CBA in the general cost assumptions in Chapter 6. 

For Criterion 7, "A structured process, such as a template or format, 
has been used to ensure that key factors have not been overlooked," GAO 
concluded that the criterion was partially met based upon its analysis 
that "The analysis included four high-level cost categories (labor, 
facilities, operations and maintenance, and information technology), 
but did not include a detailed work breakdown structure and omitted 
important cost elements, such as system testing and training." US-VISIT 
agrees that the estimate was not derived using a work breakdown 
structure, although it did use the available project implementation 
schedule as a proxy for the activities related to the deployment of the 
Increment 1B exit criterion. However, US-VISIT disagrees with GAO's 
assertion that the cost categories did not include important cost 
elements such as system testing and training. The analysis examined the 
costs of labor, facilities, operations and maintenance, information 
technology, travel, and training as stated in Chapter 6 of the CBA. In 
addition, as stated above, the alternatives considered in the analysis 
represent operational deployment alternatives, not conceptual program 
initiation phase alternatives. Therefore, activities related to the 
plan, analyze, design, build, and test stages were not considered 
relevant to the scope of the estimates and were not included. Costs 
related to systems development and testing were not applicable to the 
deployment phase because these activities had already occurred and were 
therefore considered sunk costs not to be included in the CBA 
calculations. 

For Criterion 8, "Uncertainties in parameter values have been 
identified and quantified," GAO concludes that the criterion was 
partially met based upon its analysis that "A sensitivity and risk 
analysis was performed, but this analysis did not identify detailed 
parameter values." As stated previously, US-VISIT did conduct a 
comprehensive uncertainty analysis. 

Recommendation: 

Reassess plans for deploying an exit capability to ensure that the 
scope of the exit pilot provides for adequate evaluation of alternative 
solutions and better ensures that the exit solution selected is in the 
best interest of the program. 

Response: 

The draft report states that "...questions remain about whether the exit 
alternatives have been evaluated sufficiently to permit selection of 
the best exit solution for national deployment." The draft report 
raises questions about the effectiveness of the three alternatives 
since the average compliance rate was only 24 percent for the three 
alternatives. 

The GAO analysis fails to take into account the compliance rate of the 
previous pilot program for exit, the National Security Entry Exit 
Registration System (NSEERS). Since its inception, the NSEERS 
compliance rate is 75 percent. NSEERS has very limited exit 
locations--typically not in the departure areas of airports--for aliens to 
biometrically check out. Therefore, any of the three alternatives 
tested would have at least a minimum 75 percent compliance rate once 
the national deployment was completed. This information was not in the 
evaluation report but was presented in the US-VISIT memorandum to the 
Deputy Secretary with the subject, Direction for the US-VISIT Air/Sea 
Exit Program. 

GAO also states that the effect of the enforcement mechanism to improve 
compliance is unknown and that additional evaluation is warranted. 
However, within the past two months, Immigration and Customs 
Enforcement (ICE) has conducted enforcement operations at the Denver 
International Airport. As a result of these enforcement efforts, the 
compliance rate at Denver International Airport has increased from 30 
percent to over 90 percent. The combined results of the US-VISIT exit 
evaluation, the NSEERS pilot, and the ICE enforcement activities at 
Denver International Airport lead US-VISIT to believe that the exit 
alternatives have been adequately evaluated. 

While we may disagree with some of GAO's assessment of the amount of 
progress on the open recommendations addressed in the draft report, we 
nevertheless concur in the need for their implementation with all due 
speed and diligence. However, in perspective, the discussion of these 
recommendations does not alter the overall assessment of the Department 
and many others--that US-VISIT's continuing success is making a 
valuable contribution to the enhanced security of the United States. 

Sincerely, 

Signed by: 

Steven J. Pecinovsky:
Director, Departmental GAO/IG Liaison Office: 

[End of section] 

Appendix III: Description of US-VISIT Processes: 

US-VISIT involves complex processes governing the stages of a 
traveler's visit to the United States (pre-entry, entry, status, and 
exit) and analysis of hundreds of millions of foreign national 
travelers at over 300 air, sea, and land ports of entry (POE). A 
simplified depiction of these processes is shown in figure 4. 

Figure 4: US-VISIT Process Overview: 

[See PDF for image] 

[End of figure] 

Pre-entry Process: 

Pre-entry processing begins with initial petitions for visas, grants of 
visa status, or the issuance of travel documentation. When a foreign 
national applies for a visa at a U.S. consulate, biographic and 
biometric data are collected and shared with border management 
agencies. The biometric data are transmitted from the Department of 
State to DHS, where the prints are run against the Automated Biometric 
Identification System (IDENT) database[Footnote 45] to verify identity 
and to run a check against the biometric watch list. The results of the 
biometric check are transmitted back to State. A "hit" response 
prevents State's system from printing a visa for the applicant until 
the information is reviewed and cleared by a consular officer. 

Pre-entry also includes transmission by commercial air and sea carriers 
of crew and passenger manifests to appropriate immigration officers 
before these carriers arrive in the United States.[Footnote 46] These 
manifests are transmitted through the Advanced Passenger Information 
System (APIS). The APIS lists are run against the biographic lookout 
system to identify those arrivals for whom biometric data are 
available. In addition, POEs review the APIS list in order to identify 
foreign nationals who need to be scrutinized more closely. 

Entry Process: 

When a foreign national arrives at a POE's primary (air and sea) or 
secondary (land) inspection booth, the inspector, using a document 
reader, scans the machine-readable travel documents. APIS returns any 
existing records on the foreign national to the US-VISIT workstation 
screen, including manifest data matches and biographic lookout hits. 
When a match is found in the manifest data, the foreign national's name 
is highlighted and outlined on the manifest data portion of the screen. 

Biographic information, such as name and date of birth, is displayed on 
the bottom half of the computer screen, along with a photograph 
obtained from State's Consular Consolidated Database.[Footnote 47] The 
inspector at the booth scans the foreign national's fingerprints (left 
and right index fingers) and takes a digital photograph. This 
information is forwarded to the IDENT database, where it is checked 
against stored fingerprints in the IDENT lookout database. If the 
foreign national's fingerprints are already in IDENT, the system 
performs a match (a comparison of the fingerprint taken during the 
primary inspection to the one on file) to confirm that the person 
submitting the fingerprints is the person on file. If no prints are 
currently in IDENT, the foreign national is enrolled in US-VISIT (i.e., 
biographic and biometric data are entered into IDENT). 

During this process, the inspector also questions the foreign national 
about the purpose of his or her travel and length of stay. The 
inspector adds the class of admission and duration of stay information 
into the Treasury Enforcement Communications Systems,[Footnote 48] and 
stamps the "admit until" date on the Form I-94.[Footnote 49] If the 
foreign national is ultimately determined to be inadmissible, the 
person is detained, lookouts are posted in the databases, and 
appropriate actions are taken. 

Status Management Process: 

The status management process manages the foreign national's temporary 
presence in the United States, including the adjudication of benefits 
applications and investigations into possible violations of immigration 
regulations. 

As part of this process, commercial air and sea carriers transmit 
departure manifests electronically for each departing passenger. These 
manifests are transmitted through APIS and shared with the Arrival 
Departure Information System (ADIS).[Footnote 50] ADIS matches entry 
and exit manifest data (i.e., each record showing a foreign national 
entering the United States is matched with a record showing the foreign 
national exiting the United States). ADIS also receives status 
information from the Computer Linked Application Information Management 
System[Footnote 51] and the Student Exchange Visitor Information 
System[Footnote 52] on foreign nationals. 

Exit Process: 

The exit process includes the carriers' submission of electronic 
manifest data to APIS. This biographic information is transmitted to 
ADIS, where it is matched against entry information. At the 11 POEs 
where the exit solution is being implemented, the departure is 
processed by one of three exit methods. Within each port, one or more 
of the exit methods may be used. The three methods are as follows: 

* Kiosk: At the kiosk, the traveler, guided by a workstation attendant 
if needed, scans the machine-readable travel documents, provides 
electronic fingerprints, and has a digital photograph taken. A receipt 
is printed to provide documentation of compliance with the exit process 
and to assist in compliance on the traveler's next attempted entry to 
the country. After the receipt prints, the traveler proceeds to his or 
her departure gate. At the conclusion of the transaction, the collected 
information is transmitted to IDENT. 

* Mobile device: At the departure gate, and just before the traveler 
boards the departure craft, either a workstation attendant or law 
enforcement officer scans the machine-readable travel documents, scans 
the traveler's fingerprints (right and left index fingers), and takes a 
digital photograph. A receipt is printed to provide documentation of 
compliance with the exit process and to assist in compliance on the 
traveler's next attempted entry to the country. The device wirelessly 
transmits the captured data in real time to IDENT via the 
Transportation Security Administration's Data Operations Center. 

If the device is being operated by a workstation attendant, he or she 
provides a printed receipt to the traveler, and the traveler then 
boards the departure craft. If the mobile device is being operated by a 
law enforcement officer, the captured biographic and biometric 
information is checked in near real time against watch lists. Any 
potential match is returned to the device and displayed visually for 
the officer. If no match is found, the traveler is allowed to board the 
departure craft. 

* Validator: Using a kiosk, the traveler, guided by a workstation 
attendant if needed, scans the machine-readable travel documents, 
provides electronic fingerprints, and has a digital photograph taken. 

As with the kiosk, a receipt is printed to provide documentation of 
compliance with the exit process and to assist in compliance on the 
traveler's next attempted entry to the country. However, this receipt 
has biometrics (i.e., the traveler's fingerprints and photograph) 
embedded on the receipt. At the conclusion of the transaction, the 
collected information is transmitted to IDENT. 

The traveler presents his or her receipt to the attendant or law 
enforcement officer at the gate or departure area, who scans the 
receipt using a mobile device. The traveler's identity is verified 
against the biometric data embedded on the receipt. Once the traveler's 
identity is verified, he or she is allowed to board the departure 
craft. The captured data are not transmitted in real time back to 
IDENT. Instead, the data are periodically uploaded through the kiosk to 
IDENT. 

Analysis Process: 

An analysis capability is to provide for the continuous screening 
against watch lists of individuals enrolled in US-VISIT for appropriate 
reporting and action. As more entry and exit information becomes 
available, it is to be used for analysis of traffic volume and patterns 
as well as for risk assessments. The analysis is also to be used to 
support resource and staffing projections across POEs, strategic 
planning for integrated border management analysis performed by the 
intelligence community, and determination of travel use levels and 
expedited traveler programs. 

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Randolph C. Hite, (202) 512-3439 or [Hyperlink, hiter@gao.gov]: 

Staff Acknowledgments: 

In addition to the contact named above, the following people made key 
contributions to this report: Deborah Davis, Assistant Director; Hal 
Brumm; Tonia Brown; Joanna Chan; Barbara Collier; Neil Doherty; 
Jennifer Echard; James Houtz; Scott Pettis; Karen Richey; and Karl 
Seifert. 

(310606): 

FOOTNOTES 

[1] Our previous reports regarding US-VISIT's expenditure plans, which 
include recommendations, were published in GAO, Homeland Security: Some 
Progress Made, but Many Challenges Remain on U.S. Visitor and Immigrant 
Status Indicator Technology Program, GAO-05-202 (Washington, D.C.: Feb. 
23, 2005); Homeland Security: First Phase of Visitor and Immigration 
Status Program Operating, but Improvements Needed, GAO-04-586 
(Washington, D.C.: May 11, 2004); Homeland Security: Risks Facing Key 
Border and Transportation Security Program Need to Be Addressed, 
GAO-03-1083 (Washington, D.C.: Sept. 19, 2003); and Information Technology: 
Homeland Security Needs to Improve Entry Exit System Expenditure 
Planning, GAO-03-563 (Washington, D.C.: June 9, 2003). 

[2] Our reports included 24 recommendations, of which 6 related 
specifically to the contents of the expenditure plan. Those 6 are not 
included in the scope of this report, but they will be included in the 
scope of our fiscal year 2006 expenditure plan review. 

[3] We considered a recommendation (1) completely implemented when 
documentation demonstrated that it had been fully addressed, (2) 
partially implemented when documentation indicated that actions were 
under way to implement it, and (3) in progress when documentation 
indicated that actions had been initiated to implement it. 

[4] Biometric comparison is a means of identifying a person by 
biological features unique to that individual. 

[5] An indefinite-delivery/indefinite-quantity contract provides for an 
indefinite quantity, within stated limits, of supplies or services 
during a fixed period of time. The government schedules deliveries or 
performance by placing orders with the contractor. 

[6] The Visa Waiver Program permits foreign nationals from designated 
countries to apply for admission to the United States for a maximum of 
90 days as nonimmigrant visitors for business or pleasure. 

[7] On September 30, 2004, US-VISIT expanded biometric entry procedures 
to include individuals from visa waiver countries applying for 
admission. 

[8] Workstation attendants assist travelers in using the kiosk. 

[9] Form I-94s are used to record a foreign national's entry into the 
United States. The form has two parts--arrival and departure--and each 
part contains a unique number for the purposes of recording and 
matching the arrival and departure records of nonimmigrants. 

[10] RF technology relies on proximity cards and card readers. RF 
devices read the information contained on the card when the card is 
passed near the device and can also be used to verify the identity of 
the cardholder. 

[11] At one POE, these capabilities were deployed by December 19, 2005, 
but were not fully operational until January 7, 2006, because of a 
telephone company strike that prevented the installation of a T-1 line. 

[12] GAO-05-202, GAO-04-586, GAO-03-1083, and GAO-03-563. 

[13] As previously mentioned, the remaining 6 recommendations related 
specifically to the contents of the expenditure plans and are not 
reported on in this report; their status will be included in the scope 
of our fiscal year 2006 expenditure plan review. 

[14] GAO-03-563. 

[15] In March 2003, the Immigration and Naturalization Service was 
subsumed within DHS, and, in April 2003, the entry exit program became 
known as US-VISIT. 

[16] OMB, Security of Federal Automated Information Resources, Circular 
A-130, Revised (Transmittal Memorandum No. 4), Appendix III 
(Washington, D.C.: Nov. 28, 2000); and National Institute of Standards 
and Technology, Guide for Developing Security Plans for Information 
Technology Systems, Special Publication 800-18 (December 1998). 

[17] The initial assessment was updated in September 2004 to reflect 
the inclusion of Visa Waiver Program travelers in US-VISIT, the 
expansion of US-VISIT to the 50 busiest land border POEs (Increment 
2B), and changes in the business processes used by DHS to share 
information with federal law enforcement agencies. The assessment was 
again updated in June 2005 to include the live test to read 
biometrically enabled travel documents (Increment 2A). 

[18] OMB, Guidance for Implementing the Privacy Provisions of the 
E-Government Act of 2002, OMB M-03-22 (Sept. 26, 2003). 

[19] GAO-03-1083. 

[20] Carnegie Mellon University Software Engineering Institute, 
Capability Maturity Model Integration, Systems Engineering Integrated 
Product and Process Development, Continuous Representation, version 1.1 
(March 2002). 

[21] When we made our original recommendation, we referred to an 
earlier SEI model, the Software Acquisition Capability Maturity Model. 
However, SEI is transitioning to an integrated model, and the program 
office is using the CMMI model for its improvement program. 

[22] The 7 remaining process areas are supplier agreement management, 
measurement and analysis, solicitation and contract monitoring, 
transition to operations and support, organizational training, 
organizational process focus, and organizational process definition. 

[23] OMB, Planning, Budgeting, Acquisition and Management of Capital 
Assets, Circular A-11, Part 7 (Washington, D.C.: June 21, 2005). 

[24] GAO-05-202 and GAO-03-1083. 

[25] OMB, Guidelines and Discount Rates for Benefits-Cost Analysis of 
Federal Programs, Circular A-94 (Washington, D.C.: Oct. 29, 1992). 

[26] Department of Homeland Security, Capital Planning and Investment 
Control: Cost-Benefit Analysis Workbook (Washington, D.C.: May 2003). 

[27] Uncertainty analyses generally include both a sensitivity analysis 
and a Monte Carlo simulation. A sensitivity analysis is a quantitative 
assessment of the effect that a change in an assumption--the numerical 
value of a single parameter (such as unit labor cost)--will have on net 
present value. A Monte Carlo simulation allows all of the model's 
parameters to vary simultaneously according to their associated 
probability distribution. The result is a set of estimated 
probabilities of achieving alternative outcomes (costs, benefits, 
and/or net benefits), given the uncertainty in the underlying 
parameters. 

[28] GAO-05-202 and GAO-04-586. 

[29] The Systems Assurance Manager stated that she has only two staff, 
including herself, for ensuring testing quality of the US-VISIT 
composite system. 

[30] Form I-94W is used for foreign nationals from visa waiver 
countries. 

[31] The sites were Douglas, Arizona; Port Huron, Michigan; and Laredo, 
Texas. 

[32] GAO-05-202. 

[33] Carnegie Mellon University Software Engineering Institute, A 
Manager's Checklist for Validating Software Cost and Schedule 
Estimates, CMU/SEI-95-SR-004 (January 1995). 

[34] One criterion--when a dictated schedule is imposed, an estimate of 
the normal schedule is compared to the additional expenditures required 
to meet the dictated schedule--was not applicable because a schedule 
was not imposed. 

[35] The initial plan was to expand the pilot to 15 sites, but 4 of the 
sites were not fully operational in time to be evaluated. According to 
the Pilot Evaluation Report, this was largely due to the lengthy 
security clearance process for workstation attendants, who assist 
travelers in using one of the exit devices. 

[36] The other two evaluation criteria were conduciveness to travel and 
cost. 

[37] Compliance rate for kiosk was 23 percent; for the mobile device, 
36 percent; and for the validator, 26 percent. 

[38] ACE is a new trade processing system planned to support the 
movement of legitimate imports and exports and strengthen border 
security. 

[39] OMB, Security of Federal Automated Information Resources, Circular 
A-130, Revised (Transmittal Memorandum No. 4), Appendix III 
(Washington, D.C.: Nov. 28, 2000); and National Institute of Standards 
and Technology, Guide for Developing Security Plans for Information 
Technology Systems, Special Publication 800-18 (December 1998). 

[40] Department of Homeland Security, US-VISIT System Security 
Management Needs Strengthening (Redacted), Office of Inspector General, 
OIG-06-16 (Washington, D.C.: December 2005). 

[41] OMB, Guidelines and Discount Rates for Benefits-Cost Analysis of 
Federal Programs, Circular A-94 (Washington, D.C.: Oct. 29, 1992); and 
Department of Homeland Security, Capital Planning and Investment 
Control: Cost-Benefit Analysis Workbook (Washington, D.C.: May 2003). 

[42] See, for example, OMB, Guidance for Implementing the Privacy 
Provisions of the E-Government Act of 2002, OMB M-03-22 (Sept. 26, 
2003); and Planning, Budgeting, Acquisition and Management of Capital 
Assets, Circular A-11, Part 7 (Washington, D.C.: June 21, 2005). 

[43] OMB, Planning, Budgeting, Acquisition and Management of Capital 
Assets, Circular A-11, Part 7 (Washington, D.C.: June 21, 2005) and 
Guidelines and Discount Rates for Benefits-Cost Analysis of Federal 
Programs, Circular A-94 (Washington, D.C.: Oct. 29, 1992). 

[44] Carnegie Mellon University Software Engineering Institute, A 
Manager's Checklist for Validating Software Cost and Schedule 
Estimates, CMU/SEI-95-SR-004 (January 1995). 

[45] IDENT collects and stores biometric data about foreign nationals, 
including Federal Bureau of Investigation information on all known and 
suspected terrorists, selected wanted persons (foreign-born, unknown 
place of birth, previously arrested by DHS), and previous criminal 
histories for high-risk countries; DHS Immigration and Customs 
Enforcement information on deported felons and sexual registrants; and 
DHS information on previous criminal histories and previous IDENT 
enrollments. Information from the FBI includes fingerprints from the 
Integrated Automated Fingerprint Identification System. 

[46] Enhanced Border Security and Visa Entry Reform Act of 2002, Pub. 
L. No. 107-173 (May 14, 2002). 

[47] The Consular Consolidated Database is a system that includes 
information on whether a visa applicant has previously applied for a 
visa or currently has a valid visa. 

[48] Treasury Enforcement Communications Systems maintains lookout data 
and interfaces with other agencies' databases; it is currently used by 
inspectors at POEs to verify traveler information and update traveler 
data. 

[49] The Form I-94 is used to track the arrival and departure of 
nonimmigrants. It is divided into two parts. The first part is an 
arrival portion, which includes, for example, the nonimmigrant's name, 
date of birth, and passport number. The second part is a departure 
portion, which includes the name, date of birth, and country of 
citizenship. 

[50] ADIS is a database that stores traveler arrival and departure data 
and that provides query and reporting functions. 

[51] The Computer Linked Application Information Management System is a 
system that contains information on foreign nationals who request 
benefits, such as change of status or extension of stay. 

[52] The Student Exchange Visitor Information System is a system that 
contains information on foreign students. 
