This is the accessible text file for GAO report number GAO-09-96 
entitled 'Homeland Security: U.S. Visitor and Immigrant Status 
Indicator Technology Program Planning and Execution Improvements 
Needed' which was released on December 12, 2008.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Committees: 

United States Government Accountability Office: 
GAO: 

December 2008: 

Homeland Security: 

U.S. Visitor and Immigrant Status Indicator Technology Program Planning 
and Execution Improvements Needed: 

GAO-09-96: 

GAO Highlights: 

Highlights of GAO-09-96, a report to congressional committees. 

Why GAO Did This Study: 

The Department of Homeland Security (DHS) has established a program 
known as U.S. Visitor and Immigrant Status Indicator Technology 
(US-VISIT) to collect, maintain, and share information, including biometric 
identifiers, on certain foreign nationals who travel to and from the 
United States. By congressional mandate, DHS is to develop and submit 
an expenditure plan for US-VISIT that satisfies certain conditions, 
including being reviewed by GAO. GAO’s objectives were to (1) determine 
if the plan satisfies the twelve legislative conditions and (2) provide 
observations about the plan and management of the program. To 
accomplish this, GAO assessed the plan and related DHS certification 
letters against each aspect of each legislative condition and assessed 
program documentation against federal guidelines and industry 
standards. 

What GAO Found: 

The fiscal year 2008 US-VISIT expenditure plan does not fully satisfy 
any of the eleven conditions required of DHS by the Consolidated 
Appropriations Act, 2008, either because the plan does not address key 
aspects of the condition or because what it does address is not 
adequately supported or is otherwise not reflective of known program 
weaknesses. More specifically, of the eleven conditions, the plan 
partially satisfies eight. For example, while the plan includes a 
listing of GAO recommendations, it does not provide milestones for 
addressing these recommendations, as required by the act. Further, 
although the plan includes a certification by the DHS Chief Procurement 
Officer that the program has been reviewed and approved in accordance 
with the department’s investment management process, and that this 
process fulfills all capital planning and investment control 
requirements and reviews established by the Office of Management and 
Budget, the certification is based on information that pertains to the 
fiscal year 2007 expenditure plan and fiscal year 2009 budget 
submission, rather than to the fiscal year 2008 expenditure plan. 
Moreover, even though the plan provides an accounting of operations and 
maintenance and program management costs, the plan does not separately 
identify the program’s contractor services costs, as required by the 
act. With regard to the remaining three legislative conditions, the 
plan does not satisfy any of them. For example, the plan does not 
include a certification by the DHS Chief Human Capital Officer that the 
program’s human capital needs are being strategically and proactively 
managed and that the program has sufficient human capital capacity to 
execute the expenditure plan. Further, the plan does not include a 
detailed schedule for implementing an exit capability or a 
certification that a biometric exit capability is not possible within 5 
years. The twelfth legislative condition was satisfied by our review of 
the expenditure plan. 

Beyond the expenditure plan, GAO observed that other program planning 
and execution limitations and weaknesses also confront DHS in its quest 
to deliver US-VISIT capabilities and value in a timely and 
cost-effective manner. Concerning DHS’s proposed biometric air and sea exit 
solution, for example, the reliability of the cost estimates used to 
justify the proposed solution is not clear, the proposed solution would 
provide less security and privacy than other alternatives, and public 
comments on the proposed solution raise additional concerns, including 
the impact the solution would have on the industry’s efforts to improve 
passenger processing and travel. Moreover, the program’s risk 
management database shows that key risks are not being managed. 
Finally, frequent rebaselining of one of the program’s task orders has 
minimized the significance of schedule variances. Collectively, this 
means that additional management improvements are needed to effectively 
define, justify, and deliver a US-VISIT system solution that meets 
program goals, reflects stakeholder input, minimizes exposure to risk, 
and provides Congress with the means by which to oversee program 
execution. Until these steps are taken, US-VISIT program performance, 
transparency, and accountability will suffer. 

What GAO Recommends: 

GAO is recommending that the Secretary direct the department’s 
Investment Review Board to immediately review the program relative to 
the findings and observations in this report and report the results to 
Congress. In written comments on a draft of this letter, DHS officials 
said that they agreed with GAO’s recommendations. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-09-96]. For more 
information, contact Randolph C. Hite at (202) 512-3439 or 
hiter@gao.gov. 

[End of section] 

Contents: 

Letter: 

Compliance with Legislative Conditions: 

Observations on US-VISIT: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Briefing for Staff Members of the Subcommittees on Homeland 
Security, Senate and House Committees on Appropriations: 

Appendix II: Comments from the Department of Homeland Security: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Abbreviations: 

ADIS: Arrival and Departure Information System: 

APIS: Advance Passenger Information System: 

CHCO: chief human capital officer: 

CIO: chief information officer: 

CPO: chief procurement officer: 

CLAIMS 3: Computer Linked Application Information Management System: 

DHS: Department of Homeland Security: 

DCMA: Defense Contract Management Agency: 

EA: enterprise architecture: 

EAB: enterprise architecture board: 

ELCM: enterprise life cycle methodology: 

EVM: earned value management: 

FBI: Federal Bureau of Investigation: 

IAFIS: Integrated Automated Fingerprint Identification System: 

IV&V: independent verification and validation: 

IBIS: Interagency Border Inspection System: 

IDENT: Automated Biometric Identification System: 

iDSM: Interim Data Sharing Model: 

MDP: milestone decision point: 

NPRM: Notice of Proposed Rule Making: 

OMB: Office of Management and Budget: 

OIG: Office of Inspector General: 

POE: ports of entry: 

SEVIS: Student and Exchange Visitor Information System: 

TECS: Treasury Enforcement Communications System: 

UDM: US-VISIT Delivery Methodology: 

US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

December 12, 2008: 

The Honorable Robert C. Byrd: 
Chairman: 
The Honorable Thad Cochran: 
Ranking Member: 
Subcommittee on Homeland Security: 
Committee on Appropriations: 
United States Senate: 

The Honorable David E. Price: 
Chairman: 
The Honorable Harold Rogers: 
Ranking Member: 
Subcommittee on Homeland Security: 
Committee on Appropriations: 
House of Representatives: 

The Department of Homeland Security (DHS) submitted to Congress on June 
12, 2008, its fiscal year 2008 expenditure plan for the U.S. Visitor 
and Immigrant Status Indicator Technology (US-VISIT) program pursuant 
to the Consolidated Appropriations Act, 2008.[Footnote 1] US-VISIT is a 
governmentwide program to collect, maintain, and share information on 
foreign nationals who enter and exit the United States. The program's 
goals are to enhance the security of U.S. citizens and visitors, 
facilitate legitimate trade and travel, ensure the integrity of the 
U.S. immigration system, and protect the privacy of visitors to the 
United States. Currently, US-VISIT entry capabilities are operating at 
over 300 land, sea, and air ports of entry; however, exit capabilities 
are not yet operating. DHS near-term plans call for enhancing existing 
biometric collection, identification, and sharing capabilities, as well 
as introducing an exit capability at airports and seaports. 

As required by the appropriations act, we reviewed US-VISIT's fiscal 
year 2008 expenditure plan. Our objectives were to (1) determine 
whether the plan satisfies the legislative conditions and (2) provide 
observations about the plan and management of the program. 

On September 15, 2008, we briefed the staffs of the Senate and House 
Appropriations Subcommittees on Homeland Security on the results of our 
review. This letter summarizes and transmits these results, with the 
exception of information that DHS deemed contractor sensitive. A 
redacted version of the briefing, including our scope and methodology, 
is reprinted in appendix I.[Footnote 2] In a separate report designated 
"For Official Use Only," we summarize and transmit the full briefing. 

We performed this audit from June 2008 to September 2008 in accordance 
with generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. 

Compliance with Legislative Conditions: 

The US-VISIT expenditure plan partially satisfies 8 of the 11 
legislative conditions required of DHS.[Footnote 3] For example, the 
plan partially satisfies the legislative conditions that it: 

* contain a listing of all open GAO and DHS Office of Inspector General 
recommendations. Specifically, while the plan did include a listing and 
status of our recommendations, it did not provide milestones for 
addressing any of the recommendations, as required by the act. 

* include a certification by the DHS Chief Procurement Officer that the 
program was reviewed and approved in accordance with the department's 
investment management process and that this process fulfilled all 
capital planning and investment control requirements and reviews 
established by the Office of Management and Budget (OMB). While the 
plan did include such a certification, it was based on information that 
pertains to the fiscal year 2007 expenditure plan and the fiscal year 
2009 budget submission, rather than on the fiscal year 2008 expenditure 
plan, as required by the act. 

* include an architectural compliance certification by the Chief 
Information Officer that the system architecture of the program is 
sufficiently aligned with the information system enterprise 
architecture of DHS. Specifically, while the plan did include such a 
certification, the basis for the certification was an assessment 
against the 2007 DHS enterprise architecture, which is a version that 
we recently reported to be missing important US-VISIT architectural 
content.[Footnote 4] 

* provide a detailed accounting of operations and maintenance, 
contractor services, and program management costs. While the plan did 
provide an accounting of operations and maintenance, and program 
management costs, it did not separately identify the program's 
contractor costs, as required by the act. 

The plan does not satisfy the remaining three conditions that apply to 
DHS. Specifically: 

* The expenditure plan did not explicitly define how funds are to be 
obligated to meet future program commitments, including linking the 
planned expenditure of funds to milestone-based delivery of specific 
capabilities and services. While the plan linked funding to four broad 
core capability areas and associated projects, it did not link this 
planned use of funds to milestones, and it did not consistently 
decompose projects into specific mission capabilities, services, 
performance levels, benefits and outcomes, or program management 
capabilities. 

* The expenditure plan did not include a certification by the DHS Chief 
Human Capital Officer that the program's human capital needs are being 
strategically and proactively managed and that the program has 
sufficient human capital capacity to execute the expenditure plan. 
While the plan contained a certification, it only addressed that the 
human capital plan reviewed by the Chief Human Capital Officer 
contained specific initiatives to address the hiring, development, and 
retention of program employees and that a strategy existed to develop 
indicators to measure the progress and results of these initiatives. It 
did not address the implementation of this plan or whether the current 
human capital capabilities were sufficient to execute the expenditure 
plan. 

* The expenditure plan did not include a complete schedule for the full 
implementation of a biometric exit program or certification that a 
biometric exit program is not possible within 5 years. While the plan 
contains a very high-level schedule that identifies five broadly 
defined tasks and high-level milestones, the schedule did not include, 
among other things, decomposition of the program into a work breakdown 
structure or sequencing, integrating, or resourcing each work element 
in the work breakdown structure. 

Observations on US-VISIT: 

We are making five observations about US-VISIT relative to its proposed 
exit solution, its management of program risks, and its use of earned 
value management. These observations are summarized here. 

* Reliability of cost estimates for air and sea exit alternatives is 
not clear. 

In developing its air and sea exit Notice of Proposed Rule Making 
(NPRM), DHS is required to prepare a written assessment of the costs, 
benefits, and other effects of its proposal and a reasonable number of 
alternatives and to adopt the least costly, most cost-effective, or 
least burdensome among them. To accomplish this, it is important that 
DHS have reliable cost estimates for its proposed and alternative 
solutions. 

However, the reliability of the estimates that DHS developed is not 
clear because (1) DHS documents characterize the estimates as being, by 
definition, rough and imprecise, but DHS officials responsible for 
developing the estimates stated that this characterization is not 
accurate; (2) our analysis of the estimates' satisfaction of cost 
estimating best practices shows that while DHS satisfied some key 
practices, it did not fully satisfy others or the documentation 
provided was not sufficient for us to determine whether still other 
practices were met; and (3) data on certain variables pertaining to 
airline costs were not available for inclusion in the estimates, and 
airlines report that these costs were understated in the estimates. 

* DHS reports that the proposed air and sea exit solution provides less 
security and privacy than other alternatives. 

Adequate security and privacy controls are needed to assure that 
personally identifiable information is secured against unauthorized 
access, use, disclosure, or retention. Such controls are especially 
needed for government agencies, where maintaining public trust is 
essential. In the case of US-VISIT, one of its stated goals is to 
protect the security and privacy of U.S. citizens and visitors. 

DHS's proposed air and sea exit solution would require air and vessel 
carriers to implement and manage the collection of biometric data at 
the location(s) of their choice. However, the NPRM states that having 
carriers collect the biometric information is less secure than 
alternatives where DHS collects the information, regardless of the 
information collection point. Similarly, the NPRM states that the 
degree of confidence in compliance with privacy requirements is lower 
when DHS does not maintain full custody of personally identifiable 
information. 

* Public comments on the proposed air and sea exit solution raise a 
range of additional concerns. 

Ninety-one entities--including the airline, trade, and travel 
industries, as well as federal, state, and foreign governments-- 
commented on the air and sea exit proposal. The comments that were 
provided raised a number of concerns and questions about the proposed 
solution. For example, comments stated that (1) technical requirements 
the carriers must meet in delivering their respective parts of the 
proposed solution had yet to be provided; (2) the proposed solution 
conflicts with air and vessel carrier passenger processing 
improvements; (3) the proposed solution is not fully integrated with 
other border screening programs involving air carriers; and (4) 
stakeholders were not involved in this rulemaking process as they had 
been in previous rulemaking efforts. 

* Risk management database shows that some program risks have not been 
effectively managed. 

Proactively managing program risks is a key acquisition management 
control and, if defined and implemented properly, it can increase the 
chances of programs delivering promised capabilities and benefits on 
time and within budget. To its credit, the US-VISIT program office has 
defined a risk management plan and related process that is consistent 
with relevant guidance. However, its own risk database shows that all 
risks have not been proactively mitigated. As we have previously 
reported, not proactively mitigating risks increases the chances that 
risks become actual cost, schedule, and performance problems. 

* Significance of a task order's schedule variances has been minimized 
by frequent rebaselining. 

According to the GAO Cost Assessment Guide,[Footnote 5] rebaselining 
should occur rarely, as infrequently as once in the life of a program 
or project. Schedule rebaselining should occur only when a schedule 
variance is significant enough to limit its utility as a predictor of 
future schedule performance. For task order 7, the prime contractor's 
largest task order,[Footnote 6] the program office has rebaselined its 
schedule twice in the last 2 years--first in October 2006 and again in 
October 2007. This rebaselining has resulted in the task order showing 
a $3.5 million variance, rather than a $7.2 million variance that would 
exist without either of the rebaselinings. 

Conclusions: 

DHS has not adequately met the conditions associated with its 
legislatively mandated fiscal year 2008 US-VISIT expenditure plan. The 
plan does not fully satisfy any of the conditions that apply to DHS, 
either because it does not address key aspects of the condition or 
because what it does address is not adequately supported or is 
otherwise not reflective of known program weaknesses. Given that the 
legislative conditions are intended to promote the delivery of promised 
system capabilities and value, on time and within budget, and to 
provide Congress with an oversight and accountability tool, these 
expenditure plan limitations are significant. 

Beyond the expenditure plan, other program planning and execution 
limitations and weaknesses also confront DHS in its quest to deliver 
US-VISIT capabilities and value in a timely and cost-effective manner. 
Most notably, DHS has proposed a solution for a long-awaited exit 
capability, but it is not clear if the cost estimates used to justify 
it are sufficiently reliable to do so. Also, DHS has reported that the 
proposed solution provides less security and privacy than other 
alternatives analyzed, and the proposed solution is being challenged by 
those who would be responsible for implementing it. Further, DHS's 
ability to measure program performance and progress, and thus be 
positioned to address cost and schedule shortfalls in a timely manner, 
is hampered by weaknesses in the prime contractor's implementation of 
earned value management. Each of these program planning and execution 
limitations and weaknesses introduces risk to the program. 

In addition, DHS is not effectively managing the program's risks, as 
evidenced by the program office's risk database showing that known 
risks are being allowed to go years without risk mitigation and 
contingency plans. Overall, while DHS has taken steps to implement a 
significant percentage of our prior recommendations aimed at improving 
management of US-VISIT, additional management improvements are needed 
to effectively define, justify, and deliver a system solution that 
meets program goals, reflects stakeholder input, minimizes exposure to 
risk, and provides Congress with the means by which to oversee program 
execution. Until these steps are taken, US-VISIT program performance, 
transparency, and accountability will suffer. 

Recommendations for Executive Action: 

To assist DHS in planning and executing US-VISIT, we recommend that the 
Secretary of Homeland Security direct the department's Investment 
Review Board to review the reasons for the plan's limitations and 
address the challenges and weaknesses raised by our observations about 
the proposed air and sea exit solution, risk management, and the 
implementation of earned value management, and to report the results to 
Congress. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, signed by the Director, 
Departmental Audit Liaison Office, and reprinted in appendix II, DHS 
concurred with our recommendations and stated that the department's 
Investment Review Board would meet for the purpose of reviewing 
US-VISIT and addressing our findings and recommendations. Moreover, DHS 
commented that our report has prompted the department to modify the 
fiscal year 2009 US-VISIT expenditure plan to provide greater 
visibility into operations and maintenance and program management 
expenditures, and to include milestones and performance targets for 
planned accomplishments, mitigation plans, milestones for closing open 
recommendations, and results relative to prior year commitments. DHS 
also commented that after it received our report for comment, it issued 
an interim policy for managing investments, such as US-VISIT, and thus 
it disagreed with one of our findings relative to one of the 
legislative conditions--namely that DHS's investment management process 
is not sufficiently mature. However, DHS did not provide the policy 
itself, thus we were not able to determine whether it addressed our 
concerns. Further, the memo states that the policy is draft and that 
implementation of the policy, including training, still needs to occur. 
Thus, while we have modified our briefing document to reflect the 
policy's issuance, we have not modified our conclusion that DHS's 
investment management process is not sufficiently mature. 

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of other Senate and House committees and subcommittees 
that have authorization and oversight responsibilities for homeland 
security. We are also sending copies to the Secretary of Homeland 
Security, Secretary of State, and the Director of OMB. Copies of this 
report will also be available at no charge on our Web site at 
[hyperlink, http://www.gao.gov]. 

If you or your staffs have any questions on matters discussed in this 
report, please contact me at (202) 512-3439 or at hiter@gao.gov. 
Contact points for our Offices of Congressional Relations and Public 
Affairs may be found on the last page of this report. GAO staff who 
have made significant contributions to this report are listed in 
appendix III. 

Signed by: 

Randolph C. Hite: 
Director, Information Technology Architecture and Systems Issues: 

[End of section] 

Appendix I: Briefing for Staff Members of the Subcommittees on Homeland 
Security, Senate and House Committees on Appropriations: 

Homeland Security: U.S. Visitor and Immigrant Status Indicator 
Technology Program Planning and Execution Improvements Needed: 

Briefing for staff members of the Subcommittees on Homeland Security 
Senate and House Committees on Appropriations: 

September 15, 2008*: 

* This briefing has been amended on page 44 to address DHS comments. 

Briefing Overview: 

Introduction: 

Objectives: 

Scope and Methodology: 

Results in Brief: 

Background: 

Results: 
* Legislative Conditions; 
* Observations: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Attachment 1: Objectives, Scope, and Methodology: 

Attachment 2: Related Projects List: 

Attachment 3: Detailed Description of Increments and Component Systems: 

Attachment 4: Status of Prior GAO Recommendations: 

[End of Briefing Overview section] 

Introduction: 

U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) is a 
Department of Homeland Security (DHS) program for collecting, 
maintaining, and sharing information on foreign nationals who enter and 
exit the United States. The goals of US-VISIT are to: 

* enhance the security of U.S. citizens and visitors, 

* facilitate legitimate travel and trade, 

* ensure the integrity of the U.S. immigration system, and 

* protect the privacy of our visitors. 

Currently, US-VISIT entry capabilities are operating at over 300 land, 
sea, and air ports of entry; however, exit capabilities are not yet 
operating. DHS near-term plans call for enhancing existing biometric 
collection, identification, and sharing capabilities, as well as 
introducing an exit capability at airports and seaports. 

[End of Introduction section] 

Objectives: 

The Consolidated Appropriations Act, 2008,[Footnote 7] states that DHS 
may not obligate $125 million of the $475 million appropriated[Footnote 
8] for US-VISIT until the Senate and House Committees on Appropriations 
receive a plan for expenditure[Footnote 9] that includes the following: 

* a detailed accounting of the program’s progress to date relative to 
system capabilities or services, system performance levels, mission 
benefits and outcomes, milestones, cost targets, and program management 
capabilities; 

* an explicit plan of action defining how all funds are to be obligated 
to meet future program commitments, with the planned expenditure of 
funds linked to the milestone-based delivery of specific capabilities, 
services, performance levels, mission benefits and outcomes, and 
program management capabilities; 

* a listing of all open GAO and DHS Office of the Inspector General 
(OIG) recommendations related to the program and the status of DHS 
actions to address the recommendations, including milestones for fully 
addressing them; 

* a certification by the DHS Chief Procurement Officer (CPO) that the 
program has been reviewed and approved in accordance with the 
department’s investment management process, and that this process 
fulfills all capital planning and investment control requirements and 
reviews established by the Office of Management and Budget (OMB), 
including Circular A-11, part 7; 

* a certification by the DHS Chief Information Officer (CIO) that an 
independent verification and validation agent is currently under 
contract for the project; 

* a certification by the DHS CIO that the system architecture of the 
program is sufficiently aligned with the department’s information 
systems enterprise architecture to minimize future rework, including a 
description of all aspects of the architectures that were and were not 
assessed in making the alignment determination, the date of the 
alignment determination, and any known areas of misalignment, along 
with the associated risks and corrective actions to address any such 
areas; 

* a certification by the DHS CPO that the plans for the program comply 
with federal acquisition rules, requirements, guidelines, and 
practices, and a description of the actions being taken to address any 
areas of noncompliance, the risks associated with them, along with any 
plans for addressing these risks and the status of their 
implementation; 

* a certification by the DHS CIO that the program has a risk management 
process that regularly identifies, evaluates, mitigates, and monitors 
risks throughout the system life cycle, and communicates high-risk 
conditions to agency and DHS investment decision makers, as well as a 
listing of all the program’s high risks, and a status of efforts to 
address them; 

* a certification by the DHS Chief Human Capital Officer (CHCO) that 
the human capital needs of the program are being strategically and 
proactively managed, and that current human capital capabilities are 
sufficient to execute the plans discussed in the report; 

* a complete schedule for the full implementation of a biometric exit 
program or a certification that such a program is not possible within 5 
years; 

* a detailed accounting of operations and maintenance, contractor 
services, and program management costs associated with the 
program.[Footnote 10] 

The act also requires that we review this plan. DHS submitted its 
fiscal year 2008 US-VISIT expenditure plan to the House and Senate 
Appropriations Subcommittees on Homeland Security on June 12, 2008. As 
agreed, our objectives were to (1) determine whether the plan satisfies 
the legislative conditions and (2) provide observations about the plan 
and management of the program. 

[End of Objectives section] 

Scope and Methodology: 

To accomplish the first objective, we compared the information provided 
in the plan with each aspect of the eleven conditions. Further, for 
those conditions requiring a DHS certification, we analyzed 
documentation, interviewed cognizant officials, and leveraged our 
recent work to determine the basis for each certification. We then 
determined whether the plan satisfies, partially satisfies, or does not 
satisfy the conditions based on the extent to which (1) the plan 
addresses all aspects of the applicable condition, as specified in the
act or (2) the applicable certification letter contained in the plan 
(a) addresses all aspects of each condition, as specified in the act, 
(b) is sufficiently supported by documented and verifiable analysis, 
(c) contains significant qualifications, and (d) is otherwise consistent
with our related findings. 

To accomplish the second objective, we analyzed DHS’s Notice of 
Proposed Rule Making (NPRM) for Air/Sea Exit, the Regulatory Impact 
Analysis, Privacy Impact Assessment, and US-VISIT’s Exit Pilot Report. 
We also compared available information on the US-VISIT prime 
contractor’s implementation of earned value management and the program
office’s implementation of risk management to relevant guidance. (See 
attachment 1 for more detailed information on our scope and 
methodology.) We conducted this performance audit at US-VISIT offices 
in Arlington, Virginia, and DHS offices in Washington, D.C. from June 
2008 to September 2008 in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objectives. 

[End of Scope and Methodology section] 

Results in Brief: Legislative Conditions: 

Table: Expenditure Plan’s Satisfaction of Legislative Conditions: 

Legislative condition: Detailed accounting of the program’s progress to 
date relative to system capabilities; 
Expenditure Plan’s Satisfaction of Legislative Conditions: Partially 
satisfies. 

Legislative condition: Explicit plan defining how funds are to be 
obligated to meet future program commitments, linked to the milestone-
based delivery of specific capabilities and services; 
Expenditure Plan’s Satisfaction of Legislative Conditions: Does not 
satisfy. 

Legislative condition: Listing of all open GAO and OIG recommendations; 
Expenditure Plan’s Satisfaction of Legislative Conditions: Partially 
satisfies. 

Legislative condition: DHS investment management and OMB capital 
planning and investment control certification by the CPO; 
Expenditure Plan’s Satisfaction of Legislative Conditions: Partially 
satisfies. 

Legislative condition: Independent verification and validation 
certification by the CIO; 
Expenditure Plan’s Satisfaction of Legislative Conditions: Partially 
satisfies. 

Legislative condition: Architecture certification by the CIO; 
Expenditure Plan’s Satisfaction of Legislative Conditions: Partially 
satisfies. 

Legislative condition: Acquisition certification by the CPO; 
Expenditure Plan’s Satisfaction of Legislative Conditions: Partially 
satisfies. 

Legislative condition: Risk management certification by the CIO; 
Expenditure Plan’s Satisfaction of Legislative Conditions: Partially 
satisfies. 

Legislative condition: Human Capital certification by the CHCO; 
Expenditure Plan’s Satisfaction of Legislative Conditions: Does not 
satisfy. 

Legislative condition: Exit implementation schedule or certification 
that not possible within 5 years; 
Expenditure Plan’s Satisfaction of Legislative Conditions: Does not 
satisfy. 

Legislative condition: Detailed accounting of operations and 
maintenance, contractor services, program management costs; 
Expenditure Plan’s Satisfaction of Legislative Conditions: Partially 
satisfies. 

Legislative condition: Reviewed by GAO; 
Expenditure Plan’s Satisfaction of Legislative Conditions: Satisfies. 

Source: GAO analysis based on DHS data. 

[End of table] 

Results in Brief: Observations: 

* The reliability of DHS Air and Sea Exit cost estimates is not clear 
for various reasons, including program officials’ statements that 
contradict how the department characterized the estimates in the public 
documents and supporting documentation about the estimates’ derivation 
that we have yet to receive. 

* The proposed Air and Sea Exit solution, according to DHS, would 
provide less security and privacy than other alternatives, because it 
relies on private carriers to collect, store, and transmit passenger 
data. 

* Comments on the Proposed Air and Sea Exit solution, provided by 
airlines and others, raised a number of additional stakeholder 
concerns, such as conflicts with air carrier business models and impact 
on trade and travel. 

* The program office’s risk database shows that risk mitigation and 
contingency plans have not been developed and implemented in a timely 
fashion for a number of risks, which increases the chances that known 
risks will become actual problems. 

* Significant schedule variances are being minimized by frequent 
redefinition of baselines, thus limiting the use of earned value 
management as a performance management tool. 

Results in Brief: Recommendation and Agency Comments: 

We are recommending that DHS’s Investment Review Board review the 
reasons for the plan’s limitations; address the challenges and 
weaknesses raised by our observations about the proposed Air and Sea 
Exit solution and the implementation of earned value management and 
risk management; and report the results to the Congress. 

We provided a draft of this briefing to DHS officials, including the 
Director of US-VISIT. While these officials did not state whether they 
agreed or not with our findings, conclusions, or recommendations, they 
did provide a range of technical comments, which we have incorporated 
into the briefing, as appropriate. They also sought clarification on 
our scope and methodology, which we have also incorporated into the 
briefing. 

[End of Results in Brief section] 

Background: US-VISIT Strategic Goals: 

The strategic goals of US-VISIT are to enhance the security of U.S. 
citizens and visitors, facilitate legitimate travel and trade, ensure 
the integrity of the U.S. immigration system, and protect the privacy 
of our visitors. It is to accomplish these things by: 

* collecting, maintaining, and sharing biometric and other information 
on certain foreign nationals who enter and exit the United States; 

* identifying foreign nationals who (1) have overstayed or violated the 
terms of their admission; (2) can receive, extend, or adjust their 
immigration status; or (3) should be apprehended or detained by law 
enforcement officials; 

* detecting fraudulent travel documents, verifying traveler identity, 
and determining traveler admissibility through the use of biometrics; 
and 

* facilitating information sharing and coordination within the 
immigration and border management community. 

Background: History/Status: 

Overview of History and Status of US-VISIT Increments: 

As defined in expenditure plans prior to fiscal year 2006, US-VISIT 
biometric entry and exit capabilities were to be delivered in four 
increments. 

* Increments 1 through 3 were to be interim, or temporary, solutions 
that would focus on building interfaces among existing (legacy) 
systems; enhancing the capabilities of these systems; and deploying 
these systems to air, sea, and land ports of entry (POEs). 

* Increment 4 was to be a series of yet-to-be-defined releases, or 
mission capability enhancements, that were to deliver long-term 
strategic capabilities for meeting program goals. 

* Increments 1 through 3 have produced an entry capability that began 
operating at over 300 POEs by 2006. (See the system diagram on the next 
slide for an overview of this entry capability; attachment 3 provides 
further details on each of the systems.) 

Figure: Systems Diagram of Entry Capability Operating at Points of 
Entry[Footnote 11]: 

[Refer to PDF for image] 

This figure is a detailed diagram of Entry Capability Operating at 
Points of Entry. Included in the diagram are systems/applications which 
are: 
* Common to all increments; 
* Increment 1 only; 
* Increment 2B and 3 only. 

Source: GAO analysis of US-VISIT data. 

[End of figure] 

Increment 4 has continued to evolve. 

* The fiscal year 2006 expenditure plan described increment 4 as the 
combination of two projects: (1) Transition to 10 fingerprints in the 
Automated Biometric Identification System (IDENT) and (2) 
interoperability between IDENT and the Federal Bureau of 
Investigation’s (FBI) Integrated Automated Fingerprint Identification 
System (IAFIS). 

* The fiscal year 2007 expenditure plan combines these two projects 
with a third project called Enumeration (developing a single identifier 
for each individual) into a larger project referred to as Unique 
Identity. During fiscal year 2007, the following Unique Identity 
efforts were completed. 

- The Interim Data Sharing Model (iDSM) was deployed. It allows sharing 
of certain biometric information between US-VISIT and the FBI, as well 
as with the Office of Personnel Management and police departments in 
Houston, Dallas, and Boston. The next phase of IDENT/IAFIS 
interoperability (referred to as Initial Operating Capability) is to be 
deployed in October 2008. 

- The 10-print scanners were deployed to 10 air locations for pilot 
testing. Deployment of the scanners to 292 POEs is to begin during 
fiscal year 2008 and is to be completed by December 2008. 

* Also in fiscal year 2007, steps were taken relative to a biometric 
exit solution. Specifically, 

- Exit pilot projects were halted at 12 airports and 2 seaports in May 
2007. 

- Exit radio frequency identification[Footnote 12] proof-of-concept 
projects were discontinued at selected land ports in November 2006. 

- Planning for an air and sea exit solution based on lessons learned 
from the pilot projects was begun, to include studying the costs, 
impacts, and privacy concerns of alternative solutions. 

The fiscal year 2008 expenditure plan provides additional information 
on these and other projects in the context of the program’s four core 
mission capabilities: (1) providing identity management and screening 
services, (2) developing and enhancing biometric identity collection 
and data sharing, (3) providing information technology support for 
mission services, and (4) enhancing program management. For example, 
under developing and enhancing biometric capabilities, the plan 
allocates $228 million for further development and deployment of Unique 
Identity and $13 million for development of an Air and Sea Exit 
solution. (See table on next slide). 

Table: Summary of Fiscal Year 2008 Expenditure Plan Budget: 

Core Mission Areas: Provide identity management and screening services: 

Project: Biometric support; 
Fiscal Year 2008 Total: $7.9 million. 

Project: Data integrity; 
Fiscal Year 2008 Total: $6.4 million. 

Project: Law enforcement and intelligence; 
Fiscal Year 2008 Total: $1.5 million. 

Core Mission Areas: Develop and enhance biometric identity collection 
and data sharing: 

Project: Unique Identity; 
Fiscal Year 2008 Total: $228.0 million. 

Project: Comprehensive Biometric Exit – Air/Sea; 
Fiscal Year 2008 Total: $13.0 million. 

Core Mission Areas: Provide information technology support to mission 
service: 

Project: Operations and maintenance; 
Fiscal Year 2008 Total: $103.0 million. 

Core Mission Areas: Enhance Program Management: 

Project: Mission support; 
Fiscal Year 2008 Total: $109.2 million. 

Project: Management reserve; 
Fiscal Year 2008 Total: $6.0 million. 

Core Mission Areas/Projects: Total; 
Fiscal Year 2008 Total: $475.0 million. 

Source: DHS Fiscal Year 2008 Expenditure Plan. 

[End of table] 

Background: Projects’ Approach and Status: 

Life Cycle Approach for and Status of US-VISIT Projects: 

US-VISIT projects are subject to the program’s Enterprise Life Cycle 
Methodology (ELCM). Within ELCM is a component methodology for managing 
software-based system projects, such as Unique Identity and Air/Sea 
Exit, known as the US-VISIT Delivery Methodology (UDM). According to 
version 4.3 of UDM (April 2007), it: 

* applies to both new development and operational projects; 

* specifies the documentation and reviews that should take place within 
each of the methodology’s six phases: plan, analyze, design, build, 
test, and deploy; and 

* allows for tailoring to meet the needs and requirements of individual 
projects, in which specific activities, deliverables, and milestone 
reviews that are appropriate for the scope, risk, and context of the 
project can be set for each phase of the project. 

The chart on the following page shows the status of each US-VISIT 
project within the life cycle methodology as of August 2008. 

Table: Project Status: 

Project: Comprehensive Exit Land; 		
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Empty]; 
ELCM Gate Review, Design: [Empty]; 
ELCM Gate Review, Build: [Empty]; 
ELCM Gate Review, Test: [Empty]; 
ELCM Gate Review, Deploy: [Empty]; 
ELCM Gate Review, Operational: [Empty]. 

Project: Comprehensive Exit Air/Sea Release 1[A]; 	
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Check]; 
ELCM Gate Review, Design: [Check]; 
ELCM Gate Review, Build: [Check]; 
ELCM Gate Review, Test: [Check]; 
ELCM Gate Review, Deploy: [Empty]; 
ELCM Gate Review, Operational: [Empty]. 

Project: Comprehensive Exit Air/Sea Release 2[B]; 
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Empty]; 
ELCM Gate Review, Design: [Empty]; 
ELCM Gate Review, Build: [Empty]; 
ELCM Gate Review, Test: [Empty]; 
ELCM Gate Review, Deploy: [Empty]; 
ELCM Gate Review, Operational: [Empty]. 

Project: Unique Identity 10-Print Initial Deployment; 
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Check]; 
ELCM Gate Review, Design: [Check]; 
ELCM Gate Review, Build: [Check]; 
ELCM Gate Review, Test: [Check]; 
ELCM Gate Review, Deploy: [Check]; 
ELCM Gate Review, Operational: [Check]. 

Project: Unique Identity 10-Print National Deployment; 
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Check]; 
ELCM Gate Review, Design: [Check]; 
ELCM Gate Review, Build: [Check]; 
ELCM Gate Review, Test: [Check]; 
ELCM Gate Review, Deploy: [Check]; 
ELCM Gate Review, Operational: [Empty]. 

Project: Increment 1 Air/Sea Entry; 
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Check]; 
ELCM Gate Review, Design: [Check]; 
ELCM Gate Review, Build: [Check]; 
ELCM Gate Review, Test: [Check]; 
ELCM Gate Review, Deploy: [Check]; 
ELCM Gate Review, Operational: [Check]. 

Project: Increment 2 Land Entry Top 50; 
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Check]; 
ELCM Gate Review, Design: [Check]; 
ELCM Gate Review, Build: [Check]; 
ELCM Gate Review, Test: [Check]; 
ELCM Gate Review, Deploy: [Check]; 
ELCM Gate Review, Operational: [Check]. 

Project: Increment 3 Remaining Land; 
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Check]; 
ELCM Gate Review, Design: [Check]; 
ELCM Gate Review, Build: [Check]; 
ELCM Gate Review, Test: [Check]; 
ELCM Gate Review, Deploy: [Check]; 
ELCM Gate Review, Operational: [Check]. 

Project: IDENT/IAFIS iDSM; 		
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Check]; 
ELCM Gate Review, Design: [Check]; 
ELCM Gate Review, Build: [Check]; 
ELCM Gate Review, Test: [Check]; 
ELCM Gate Review, Deploy: [Check]; 
ELCM Gate Review, Operational: [Check]. 

Project: Unique Identity Interoperability IOC; 
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Check]; 
ELCM Gate Review, Design: [Check]; 
ELCM Gate Review, Build: [Check]; 
ELCM Gate Review, Test: [Empty]; 
ELCM Gate Review, Deploy: [Empty]; 
ELCM Gate Review, Operational: [Empty]. 

Project: Unique Identity Interoperability FOC; 
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Empty]; 
ELCM Gate Review, Design: [Empty]; 
ELCM Gate Review, Build: [Empty]; 
ELCM Gate Review, Test: [Empty]; 
ELCM Gate Review, Deploy: [Empty]; 
ELCM Gate Review, Operational: [Empty]. 

Project: Enumeration Services; 
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Check]; 
ELCM Gate Review, Design: [Check]; 
ELCM Gate Review, Build: [Check]; 
ELCM Gate Review, Test: [Check]; 
ELCM Gate Review, Deploy: [Check]; 
ELCM Gate Review, Operational: [Check]. 

Project: Mobile Biometrics at Sea; 
ELCM Gate Review, Plan: [Check]; 
ELCM Gate Review, Analyze: [Check]; 
ELCM Gate Review, Design: [Check]; 
ELCM Gate Review, Build: [Check]; 
ELCM Gate Review, Test: [Check]; 
ELCM Gate Review, Deploy: [Check]; 
ELCM Gate Review, Operational: [Check]. 

[A] Release 1 deploys backend capabilities to receive and process the 
biometric exit data captured and transmitted in compliance with the 
Final Rule. 

[B] Release 2 focuses on exit reporting capabilities. 

Source: GAO based on agency data. 

[End of table] 

Contract and Task Order Overview and Status: 

In May 2004, DHS awarded an indefinite-delivery/indefinite-quantity 
[Footnote 13] prime contract to Accenture and its partners[Footnote 14] 
for delivering US-VISIT products and services. Thus far, 

* 20 task orders have been issued against this contract, and their 
total value[Footnote 15] is about $501 million. 

* 11 of these task orders are ongoing, and their total value is about 
$331 million. 

The table on the following slides provides additional information about 
the ongoing task orders organized by the four core mission capabilities 
and projects. 

Table: Contract and Task Order Overview and Status: 

Core Capability: Provide identity management and screening services: 

Project: Data integrity and biometric support; 
Task Order Name: Data management support; 
Start: August 2004; 
Approximate Value: $3 million; 
Description: Support Program Office Data Management Branch to identify 
errors, omissions, and trends in data; recommend corrective actions; 
provide refined data to other offices (e.g., U.S. Immigration and 
Customs Enforcement) to support criminal investigations, lookout 
creation, and informed managerial/operational decision making. 

Core Capability: Develop and enhance biometric identity collection and 
data sharing capabilities: 

Project: Biometric solutions delivery; 
Task Order Name: Unique Identity; 
Start: October 2004; 
Approximate Value: $82.5 million; 
Description: Planning, development, and implementation of Unique 
Identity (IDENT/IAFIS integration and IDENT 10-print). 

Project: Biometric solutions delivery; 
Task Order Name: Integration support to the Unique Identity ID Project 
Office; 
Start: November 2006; 
Approximate Value: $1.6 million; 
Description: Program and technical integration support services. 

Project: Biometric solutions delivery; 
Task Order Name: Secure Information Management Systems; 
Start: October 2007; 
Approximate Value: $2.3 million; 
Description: Planning, development, and implementation of enumeration 
functionality for Unique Identity and the US Customs and Immigration 
Service’s Inter-Country Adoption Pilot. 

Project: Biometric solutions delivery; 
Task Order Name: Biometric Solutions Delivery; 
Start: February 2008; 
Approximate Value: $18 million; 
Description: Deployment of solutions—includes installation of scanning 
equipment for 10-print collection. 

Core Capability: Provide information technology support mission 
services: 

Project: Operations and maintenance; 
Task Order Name: Facilities and infrastructure; 
Start: March 2005; 
Approximate Value: $6.3 million; 
Description: Provisioning of office/facility space, furniture, 
workstations, telecommunications, and other infrastructure to support 
contractor activities. 

Project: Operations and maintenance; 
Task Order Name: Operations and maintenance; 
Start: August 2006; 
Approximate Value: $27.7 million; 
Description: Management of operations and maintenance activities for 
deployed capabilities. 

Project: Information technology services; 
Task Order Name: IT services; 
Start: September 2007; 
Approximate Value: $10.8 million; 
Description: Information technology services for implemented 
functionality, including security upgrades, system changes, etc. 

Core Capability: Enhance program management: 

Project: Contractor support/program management; 
Task Order Name: Program-level engineering; 
Start: September 2004; 
Approximate Value: $16 million; 
Description: Develop and maintain the standards, guidance, 
architectures, performance models, and other engineering processes 
necessary to support the development of functionality. 

Project: Contractor support/program management; 
Task Order Name: Development and support of program planning 
activities; 
Start: November 2006; 
Approximate Value: $1.8 million; 
Description: Support the development and maintenance of program 
planning artifacts and analyze phases of project execution and 
planning, updating, and implementation of the US-VISIT strategic plan. 

Source: GAO analysis of DHS data. 

[End of table] 

Overview of DHS Investment Management Process: 

DHS issued a draft Investment Review Process guide in March 2006 that 
includes milestone decision points (MDP) linking five life cycle 
phases: project initiation (MDP1), concept and technology development 
(MDP2), capability development and demonstration (MDP3), production and 
deployment (MDP4), and operations and support (MDP5). Under the draft 
guide, a program sends an investment review request prior to the 
initial milestone date. The program is then to be reviewed by the DHS 
Enterprise Architecture Board (EAB), Joint Requirements Council and/or 
Investment Review Board, depending on such factors as the program’s 
cost and significance. According to the official from DHS’s Program 
Analysis and Evaluation Directorate who is responsible for overseeing 
program adherence to the investment control process, the draft guide is 
being used for all DHS programs, including US-VISIT. This official also 
stated that milestone reviews can be performed concurrently with an 
expenditure plan review. 

In December 2006, the DHS Investment Review Board held an MDP1 review 
of US-VISIT. Since then, the EAB held an MDP2 review in April 2007, and 
the EAB is currently performing an MDP3 review. Neither the Joint 
Requirements Council nor the Investment Review Board has reviewed 
US-VISIT since MDP1. 

Overview of DHS Notice of Proposed Rule Making (NPRM) for Air/Sea Exit: 

On April 24, 2008, DHS published its NPRM for establishing a biometric 
exit capability at commercial air and sea ports. At the same time, it 
published an Air/Sea Biometric Exit Regulatory Impact Analysis 
providing information on the projected costs and benefits of several 
alternatives discussed in the proposed rule. Key aspects of the NPRM 
are summarized here. 

* The proposed rule would require aliens who are subject to US-VISIT 
biometric requirements on entry at POEs to provide biometric 
information to commercial carriers before departing air and sea POEs. 
The rule also proposed that the biometric information collected be 
submitted to DHS within 24 hours of securing the airplane doors for air 
travel or departing the seaport. According to the NPRM, these 
requirements would not apply to persons departing on certain private or 
small carriers. 

* The proposed rule discussed nine exit alternatives for collecting 
biometrics: (1) at the check-in counter by air and vessel carriers, (2) 
at the check-in counter by DHS, (3) at the security checkpoint by DHS, 
(4) at the departure gate by air and vessel carriers, (5) at the 
departure gate by DHS, (6) at the check-in counter by air and vessel 
carriers with verification at the departure gate, (7) at the check-in 
counter by DHS with verification at the departure gate, (8) at the 
security checkpoint by DHS with verification at the departure gate, and 
(9) within the sterile area (after passing through the Transportation 
Security Administration checkpoint) by DHS. 

The following five alternatives were subject to further analysis of 
costs and benefits. 

* Proposed Alternative: Air and vessel carriers implement and manage 
the collection of biometric data at location(s) of their choice. 

* Alternative 1: Air and vessel carriers implement and manage the 
collection of biometric data at their check-in counter. 

* Alternative 2: DHS implements and manages the collection of biometric 
data at the TSA Security checkpoint.[Footnote 16] 

* Alternative 3: DHS implements and manages the collection of biometric 
data at location(s) of the air or vessel carrier’s choice. 

* Alternative 4: DHS implements and manages the collection of biometric 
data at kiosks placed in various locations. 

DHS provided a 60-day comment period for the NPRM. A total of 91 
organizations provided 117 comments and supporting documents. These 
included: 12 air industry associations, 44 air carriers (9 domestic and 
35 foreign), 4 vessel industry associations, 1 vessel carrier, 9 
commerce associations, 1 congressional committee, 5 foreign 
governments, and 2 local governments. 

[End of Background section] 

Objective 1: Legislative Conditions: 

Of the 12 legislative conditions pertaining to DHS’s fiscal year 2008 
expenditure plan for US-VISIT, the plan partially satisfies 8 and does 
not satisfy 3 of them. Our review has satisfied the remaining 
condition. 

Given that the act’s conditions are designed to help ensure that the 
program is effectively managed and that congressional oversight of the 
program can occur, a condition that is partially satisfied or not 
satisfied should be viewed as introducing risk to the program. Each of 
the conditions is addressed in detail on the following slides. 

Condition 1: 

Condition 1: The plan partially satisfies the legislative condition to 
include a detailed accounting of the program’s progress to date 
relative to system capabilities or services, system performance levels, 
mission benefits and outcomes, milestones, cost targets, and program 
management capabilities. 

As we previously reported,[Footnote 17] describing how well DHS is 
progressing relative to US-VISIT program commitments (e.g., cost, 
schedule, capabilities, and benefits commitments) that it has made in 
previous expenditure plans is essential to permitting meaningful 
program oversight and promoting accountability for results. 

System Capabilities and Services: The current plan provides information 
on some US-VISIT capabilities and services that have been completed or 
delivered. For example, the fiscal year 2007 plan stated that US-VISIT 
would make IDENT modifications to support the transition to 10-print 
capability. The fiscal year 2008 plan identifies the modifications that 
were implemented, such as consolidating several IDENT databases, 
deploying a watch list demotion capability, introducing improved 
fingerprint-matching algorithms, and developing new requirements for an 
enhanced Candidate Verification Tool. However, the information 
presented is not always sufficient to measure progress. For example, 

* The fiscal year 2007 plan stated that US-VISIT would begin 10-print 
pilot deployment in late 2007 to ten air locations, but the fiscal year 
2008 plan only states that DHS selected a number of pilot locations and 
evaluated the performance and operational impacts at those locations. 
According to program officials, although the plan does not state the 
number of locations for the pilot, it was in fact deployed to ten 
locations, and this information has been previously provided to the 
Congress. 

System Performance Levels: 

The fiscal year 2008 plan describes progress in achieving some, but not 
all, system performance levels. For example, the fiscal year 2007 plan 
cited a target of 1,850 biometric watch list hits for travelers 
processed at POEs, and the latest plan reports that the number of these 
hits was 11,838. However, many of the target measures included in the 
fiscal year 2007 plan are not described in the current plan. For 
example, 

* The fiscal year 2007 plan cited a target of having biometric 
information on file for 49 percent of foreign nationals prior to their 
entering the United States (also referred to as the “Unique Identity 
baseline”). However, this measure is not discussed in the fiscal year 
2008 plan. 

* The fiscal year 2007 plan cited a target of 26 days for resolving 
requests by visitors to correct their baseline data. However, this 
measure is not discussed in the fiscal year 2008 plan. 

* The fiscal year 2007 plan stated that US-VISIT would establish a 
baseline of the number of individuals who were biometrically verified 
based on 10-print enrollment. However, this baseline measure is not 
discussed in the fiscal year 2008 plan. 

According to program officials, although these measures are not 
mentioned in the expenditure plan, performance data relative to each is 
in fact collected and monitored. 

Cost Targets: 

The fiscal year 2008 plan identifies estimated costs (i.e., funding 
levels) for each of the four broad capability areas. In some cases, the 
broad areas are decomposed and meaningful detail is provided to 
understand how the funds will be used. However, in many cases, 
capabilities and costs are not decomposed to a level that permits such 
understanding and oversight. For example, 

* The fiscal year 2008 plan states that $7.9 million will be used for 
the Biometric Support Center. However, allocations for specific support 
center capabilities and services are not provided. 

* The fiscal year 2008 plan states that $72.6 million will be used to 
update DHS border and process technology in support of 10-print and 
IDENT/IAFIS interoperability. However, the funds are not allocated 
between the two activities or to major tasks, products, and services 
under each activity, such as the completion of initial operating 
capability for IDENT/IAFIS integration. 

* The fiscal year 2008 plan states that $6.4 million will be used for 
data integrity efforts. However, the funds are not allocated among 
specific data integrity activities described in the plan, such as 
upgrading the integrity of the system and data to meet stakeholder 
needs. 

Furthermore, the fiscal year 2007 and 2008 plans use different 
terminology to describe categories of spending under the broad 
capability areas. For example, 

* The fiscal year 2008 plan shows $5.0 million in fiscal year 2007 
funds allocated to “Information Technology” under the “Comprehensive 
Biometric Exit Solution—Air and Sea” project. The 2007 plan, however, 
does not identify an “Information Technology” component to this 
project; it instead shows $5.0 million being allocated to “Planning 
and Design.” 

* The fiscal year 2008 plan shows $1.4 million in fiscal year 2007 
funds allocated to “Law Enforcement and Intelligence” under Biometric 
Support Services. The fiscal year 2007 plan, however, does not identify 
a Law Enforcement and Intelligence component; it instead shows $1.4 
million being allocated to “Management.” 

Benefits/Outcomes: 

The fiscal year 2008 plan cites benefits associated with each of the 
four broad capability areas and in some cases, provides specific and 
measurable benefits that are linked to specific capabilities. For 
example, the plan states that 10-print capability would provide several 
benefits, including facilitating travel by reducing the number of 
travelers sent to secondary inspection. More specifically, the plan 
states that the IDENT False Accept Rate fell from 0.093 percent to 
0.0034 percent in fiscal year 2007 through the implementation of 
improved fingerprint matching algorithms, and estimates that this 
improvement provided operational benefits by reducing the number of 
individuals sent to secondary processing due to erroneous 
identification by approximately 25,000 travelers. However, in other 
cases, the benefits are not specific and measurable and are not linked 
to specific capabilities and services committed to in the prior plan. 
For example, 

* The plan cites the following benefits relative to the Comprehensive 
Biometric Exit Solution – Air and Sea project: “Provides greater 
accuracy in recording identity of persons leaving the country, enables 
improved assessment by DHS of travelers’ compliance with immigration 
laws, and enables DHS to more easily match records across multiple 
identities or travel documents.” 

However, since these benefits/outcomes are not linked to a baseline 
measure, and the amount of the expected improvement is not specified, 
the proposed benefits are not meaningful. 

* The plan cites benefits from sharing biometric data globally, 
including enabling countries to redirect the course of an immigration 
claims or enforcement activity, improving the accuracy of records 
through vetting and validation, identifying patterns of legal and 
illegal migration, achieving efficiency savings, establishing the 
identities of individuals who sought benefits among partner agencies 
and governments, and helping to prevent fraud through identity 
verification of individuals seeking benefits. However, it does not link 
any of these benefits to specific baseline measures. 

Milestones: 

The fiscal year 2008 plan cites high-level milestones that are 
traceable to the prior plan. However, neither of the plans provides 
enough specificity to measure progress. For example: 

* The fiscal year 2007 plan stated that the first phase of IDENT/IAFIS 
interoperability was implemented via the iDSM prototype in 2006. It 
also identified high-level activities to design, build, and deploy the 
initial operating capability for IDENT/IAFIS interoperability, such as 
advancing the data sharing architecture and enabling the assignment of 
a unique number to each individual. While the fiscal year 2008 plan 
states that some of these efforts were completed, neither plan provided 
specific milestones to measure progress. 

* The fiscal year 2007 plan stated that efforts to deploy a biometric 
exit solution for air and sea environments would be launched. While the 
fiscal year 2008 plan states that US-VISIT developed a Comprehensive 
Biometric Exit strategy and began planning to address the air and sea 
environments, neither plan provided specific milestones to measure 
progress. 

Program Management: 

The fiscal year 2008 plan discusses several initiatives to enhance and 
leverage key program management capabilities, such as continuing 
efforts to improve the program’s use of earned value management, the 
maturity of software acquisition/development processes, and the quality 
of internal governance. In some cases, the plan cites program 
management efforts that can be traced to the fiscal year 2007 plan. For 
example, the fiscal year 2007 plan stated that an assessment of the 
prime contractor’s earned value management system was to be conducted 
during fiscal year 2007. According to the fiscal year 2008 plan, an 
assessment was completed in June 2007 that identified a number of 
weaknesses, a plan of action and milestones was developed to address 
the weaknesses, and this plan is to be executed in 2008. (These 
weaknesses are discussed in detail later in this briefing.) 

However, the fiscal year 2008 plan also identifies program management 
capability improvements that are not traceable to prior plan 
commitments. For example, the fiscal year 2008 plan states that a 
Planning, Programming, Budgeting, and Execution process was developed 
during fiscal year 2007. However, this effort was not mentioned in the 
prior plan as a commitment and thus as a basis for measuring progress. 

Condition 2: 

Condition 2: The plan does not satisfy the condition that it include an 
explicit plan of action defining how all funds are to be obligated to 
meet future program commitments, with the planned expenditure of funds 
linked to the milestone-based delivery of specific capabilities, 
services, performance levels, mission benefits and outcomes, and 
program management capabilities. 

As we have previously reported,[Footnote 18] the purpose of the 
expenditure plan is to provide Congress with sufficient information to 
exercise effective oversight of US-VISIT and to hold DHS accountable 
for results. As such, the plan should specify planned system 
capabilities, schedules, costs, and expected benefits for each of its 
projects and for its program management activities. While the fiscal 
year 2008 plan links funding to four broad core capability areas and 
associated projects, it does not link this planned use of funds to 
milestones and it does not consistently decompose projects into 
specific mission capabilities, services, performance levels, benefits 
and outcomes, or program management capabilities. 

To illustrate, the expenditure plan allocates funding among the 
program’s four broad core capability areas. For one of these capability 
areas, the plan identifies major projects, such as Unique Identity and 
Comprehensive Biometric Exit Solution—Air and Sea. These projects are 
then decomposed into general functional activities (e.g., project 
integration and analysis, and acquisition and procurement), which are 
then associated with fiscal year 2007 and 2008 funding. However, these 
functional activities do not constitute specific capabilities, 
services, performance levels, or benefits. Rather, they represent 
functions to be performed that presumably will produce such 
capabilities, services, performance levels, or benefits. 

Similarly, the remaining three core capability areas are also divided 
into general functional activities (e.g., biometric support, data 
integrity, program staffing, data center operations) that do not 
constitute capabilities, services, performance levels, or benefits. 

Moreover, the funding associated with the broad core capability areas, 
projects, or functional activities is not linked to any milestones. For 
example, the plan states that $72.6 million of fiscal year 2008 funds 
will be used to update DHS border and process technology for 10-print 
transition and IDENT/IAFIS, but does not state what updates will be 
accomplished or by when. The plan also states that $45.1 million will 
be used to operate and maintain applications, but does not state what 
maintenance activities will be performed and when they will be 
performed. 

Condition 3: 

Condition 3: The plan, including related program documentation and 
program officials’ statements, partially satisfies the condition that it 
include a listing of all open GAO and OIG recommendations related to 
the program and the status of DHS actions to address them, including 
milestones. 

We reported in August 2007[Footnote 19] that US-VISIT’s progress in 
implementing our prior recommendations had been slow, as indicated by 
the 4-year-old recommendations that were less than fully implemented. 
Given that our recommendations focus on fundamental limitations in the 
management of US-VISIT, they are integral to DHS’s ability to execute 
its expenditure plans, and thus should be addressed in the plans. 

Since 2003, GAO has made 44 recommendations to the US-VISIT program. 
The fiscal year 2008 plan provides a listing and status of our 
recommendations. However, the plan does not provide milestones for 
addressing these recommendations. The table on the next slide 
summarizes our analysis of the status of our recommendations. 

Table: Status of Recommendations: 

Status: Implemented; 
Number of recommendations: 26. 

Status: Partially Implemented; 
Number of recommendations: 9. 

Status: Not Implemented; 
Number of recommendations: 9. 

Source: GAO analysis of DHS data. 

[End of table] 

In addition, the plan does not include two OIG recommendations. 
According to program officials, this is because these two 
recommendations were made the same month that the plan was sent to the 
appropriations committee. (See attachment 4 for more detailed 
information on the status of our recommendations.) 

Condition 4: 

Condition 4: The plan partially satisfies the condition that it include 
a certification by the DHS CPO that (1) the program has been reviewed 
and approved in accordance with the department’s investment management 
process and (2) the process fulfills all capital planning and 
investment control requirements and reviews established by the Office 
of Management and Budget (OMB), including Circular A-11, part 7. 
[Footnote 20] 

As we have previously reported,[Footnote 21] it is important for 
organizations such as DHS, which rely heavily on IT to support 
strategic outcomes and meet mission needs, to adopt and employ an 
effective institutional approach to IT investment management. Such an 
approach provides agency management with the information needed to 
ensure that IT investments cost-effectively meet strategic mission 
needs and that projects are meeting cost, schedule, and performance 
expectations. We have also reported[Footnote 22] that the capital 
investment control requirements and reviews outlined in the OMB 
Circular A-11, part 7, are important because they are intended to 
minimize a program’s exposure to risk, permit performance measurement 
and oversight, and promote accountability. 

On March 14, 2008, the DHS CPO certified that (1) US-VISIT was reviewed 
and approved in accordance with the department’s investment management 
process and (2) this process fulfills all capital planning and 
investment control requirements and reviews established by OMB, 
including Circular A-11, part 7. 

In support of certifying the first aspect of the condition, the CPO 
stated that OMB scored US-VISIT’s fiscal year 2009 budget submission 
(i.e., budget exhibit 300) a 35 out of a possible 50 in November 2007. 
According to OMB, this score means that the submission has “very few 
points...but still needs strengthening.” In addition, the CPO stated 
that the program had been reviewed by the DHS Investment Review Board 
in December 2006, and that the board had issued a decision memorandum 
in April 2007 stating that the fiscal year 2007 expenditure plan met, 
among other things, OMB capital planning and investment review 
requirements and satisfied that aspect of the DHS investment management 
process that requires investments to comply with DHS’s enterprise 
architecture. 

However, this support is not sufficient to fully satisfy the first 
aspect of the legislative condition because this condition applies to 
the fiscal year 2008 expenditure plan, and the support that the CPO 
cites does not relate to either the fiscal year 2008 budget submission 
or to the fiscal year 2008 expenditure plan. Rather, it pertains to the 
following year’s budget submission and the prior year’s plan. 

In support of certifying the second aspect of the condition, the CPO 
again cites the fiscal year 2009 budget submission, which DHS documents 
show underwent a series of reviews and revisions before being sent to 
OMB that raised the department’s scoring of the submission from a 29 to 
a 37. According to OMB, a score of 29 means, among other things, that 
“much work remains to solidify and quantify” the submission. In 
certifying to this aspect, the CPO also stated that his office will 
continue to oversee US-VISIT through the department’s emerging 
investment management process. 

However, the cited support is not sufficient to satisfy the legislative 
condition for two reasons. 

* As previously noted, the cited budget submission is for fiscal year 
2009 rather than fiscal year 2008. 

* DHS’s investment management process is not sufficiently mature. As we 
reported in April 2007,[Footnote 23] this process does not satisfy the 
key practices outlined in the Information Technology Investment 
Management Framework,[Footnote 24] which is a maturity framework based 
on corporate investment management best practices employed by leading 
public and private sector organizations and is consistent with OMB 
capital planning and investment control requirements. In particular, we 
reported that: 

- DHS’s process (policies and procedures) for project-level management 
does not include all key elements, such as specific criteria or steps for 
prioritizing and selecting new investments. 

- DHS has not fully implemented the practices needed to control 
investments—at the project level or at the portfolio level, including 
regular project-level reviews by the DHS Investment Review Board. 

- DHS’s process does not identify a methodology with explicit decision-
making criteria to determine an investment’s alignment with the DHS 
enterprise architecture. 

In its comments on a draft of this report, DHS disagreed that its 
investment management process is not sufficiently mature, stating that 
on November 7, 2008 it issued an interim operational policy for 
investment control that addresses the limitations that we reported in 
April 2007. However, because DHS’s comments only provided the memo that 
issued the interim policy, and not the policy itself, we have yet to 
review it to determine whether it addresses the above limitations. 
Also, the memo describes the interim policy as a “resulting draft” that 
is the product of an “informal staffing process” and that changes will 
be made to “the policy prior to completing this process.” Moreover, 
implementation of the policy, including training on its implementation, 
still needs to occur. Therefore, we continue to view DHS’s investment 
management process as not sufficiently mature. 

Condition 5: 

Condition 5: The plan partially satisfies the condition that it include 
a certification by the DHS CIO that an independent verification and 
validation (IV&V) agent is currently under contract. 

As we have previously reported,[Footnote 25] IV&V is a recognized best 
practice for large and complex system development and acquisition 
programs, like US-VISIT, as it provides management with objective 
insight into the program’s processes and associated work products. 

On February 25, 2008, the former DHS Acting CIO conditionally certified 
that the program has an IV&V agent under contract. However, this 
certification was qualified to recognize that the contract only 
provided for IV&V services relative to testing system applications 
(i.e., it did not extend to other key program activities). Accordingly, 
the certification was made conditional on the program office providing 
an update on its efforts to award a contract for program-level IV&V by 
April 15, 2008. According to program officials, they are in the process 
of evaluating a program-wide IV&V contract proposal and plan to award a 
contract in September 2008. 

Condition 6: 

Condition 6: The plan partially satisfies the condition that it include 
a certification by the DHS CIO that the program’s system architecture 
is sufficiently aligned with the department’s enterprise architecture 
(EA), including a description of all aspects of the architectures that 
were and were not assessed in making the alignment determination, the 
date of the alignment determination, and any known areas of 
misalignment, along with the associated risks and corrective actions to 
address any such areas. 

According to federal guidelines[Footnote 26] and best practices, 
[Footnote 27] investment compliance with an EA is essential for 
ensuring that new and existing systems are defined, designed, and 
implemented in a way that promotes integration and interoperability and 
minimizes overlap and redundancy, thus optimizing enterprisewide 
efficiency and effectiveness. A compliance determination is not a one-
time event that occurs when an investment begins, but rather occurs 
throughout an investment’s life cycle as changes to both the EA and the 
investment’s architecture are made. Within DHS, the EAB, supported by 
the Enterprise Architecture Center of Excellence, is responsible for 
ensuring that system investments demonstrate adequate technical and 
strategic compliance with the department’s EA. 

In early 2008, the DHS Acting CIO certified that the US-VISIT system 
architecture was aligned with the DHS EA based on an assessment of the 
program’s alignment to the 2007 version of DHS’s EA, which was 
conducted by the EAB in support of the program’s MDP2 review. 

Consistent with the legislative condition, the fiscal year 2008 
expenditure plan includes the former Acting CIO’s certification, the 
date of the board’s conditional approval of architectural alignment for 
MDP2 (September 27, 2007) and the date of the certification (February 
25, 2008). It also includes areas of misalignment and corrective 
actions to address the identified areas. Specifically, it identifies 
such areas of misalignment as: 

* US-VISIT requirements and products to support 10-print solution not 
having been defined and included in the 2007 EA technical reference 
model, and; 

* US-VISIT data standards not having been vetted with the DHS 
Enterprise Data Management Office for compliance. 

It states that corrective actions to address these areas were completed 
in September 2007, and that no outstanding MDP2 conditions remain. 

However, the certification does not fully satisfy the legislative 
conditions for three reasons. 

First, the basis for the certification is an assessment against the 
2007 EA, which is a version that we recently reported to be missing 
important US-VISIT architectural content.[Footnote 28] Further, while 
DHS recently issued a 2008 version of its EA, it does not address these 
content shortfalls. The following are examples of the missing 
architecture content: 

* US-VISIT’s representation in this version’s business model—which 
associates the department’s business functions with the organizations 
that support and/or implement them—does not align US-VISIT with certain 
business functions (e.g., verify identity and establish identity) that 
the program office has identified as a critical part of its mission. 

* US-VISIT business rules and requirements are not included in this 
version’s business model. Business rules are important because they 
explicitly translate business policies and procedures into specific, 
unambiguous rules that govern what can and cannot be done. As such, 
they facilitate the consistent implementation of policies and 
procedures. 

* US-VISIT’s baseline and target performance goals (e.g., for 
transaction volume) are not reflected in this version. 

* US-VISIT-owned and managed component systems are not all accurately 
captured in the 2007 EA. For example, it erroneously identifies two US-
VISIT component systems as being owned by two other DHS entities. 

* All US-VISIT system interfaces are not included in the 2007 EA’s 
system reference model. For example, it does not identify key 
interfaces between the IDENT, Advance Passenger Information System 
(APIS), Arrival and Departure Information System (ADIS), and Treasury 
Enforcement Communications System. Additionally, it does not identify 
the interface between IDENT and the Global Enrollment System, even 
though US-VISIT officials confirmed that the interface exists and is 
operating. 

Second, the department lacks a defined methodology for determining an 
investment’s compliance with its EA, including explicit steps and 
criteria. According to federal guidance,[Footnote 29] such a 
methodology is important because the benefits of using an EA cannot be 
fully realized unless individual investments are defined, designed, and 
developed in a way that avoids duplication and promotes 
interoperability. However, we reported in April 2007 that DHS does not 
have such a methodology.[Footnote 30] Without this methodology and 
verifiable documentation demonstrating its use in making compliance 
determinations, the basis for concluding that a program sufficiently 
complies with any version of the 2007 EA will be limited. 

Third, the certification attachment includes a description of what was 
assessed to provide the basis for the compliance certification. For 
example, the attachment states that the board “evaluated the program’s 
ability to support the Department’s line of business and strategic 
goals; their alignment to a DHS Office of the CIO portfolio; the data, 
data objects, and data entity that encompass the investment; the 
technology leveraged to deliver capabilities and functions by the 
program; and compliance with information security, Section 508, and 
screening coordination.” However, the descriptions do not link directly 
to key 2007 EA artifacts. For example, it aligns US-VISIT’s data 
entities (e.g., Watch List and Warrants) to the data object “Record”. 
The 2007 EA, however, does not define that data object. Moreover, those 
aspects of the architectures that were not assessed are not identified, 
such as the business rules and enterprise security architecture. 

Condition 7: 

Condition 7: The plan partially satisfies the condition that it include 
a certification by the DHS CPO that the plans for the program comply 
with federal acquisition rules, requirements, guidelines and practices, 
and a description of the actions being taken to address any areas of 
noncompliance, the risks associated with them, along with any plans for 
addressing these risks, and the status of their implementation. 

As we have previously reported,[Footnote 31] federal IT acquisition 
requirements, guidelines, and management practices provide an 
acquisition management framework that is based on the use of rigorous 
and disciplined processes for planning, managing, and controlling the 
acquisition of IT resources. If implemented effectively, these 
processes can greatly increase the chances of acquiring software-
intensive systems that provide promised capabilities on time and within 
budget. 

On March 14, 2008, the DHS CPO certified that US-VISIT complied with 
federal acquisition rules, requirements, guidelines, and practices. In 
support of this certification, the CPO stated that the program was 
reviewed by the DHS Investment Review Board in December 2006, and that 
the board issued a decision memorandum in April 2007 that stated that 
the fiscal year 2007 expenditure plan met, among other things, federal 
acquisition rules, requirements, guidelines, and system acquisition 
management practices. In addition, the CPO stated that DHS's Office of 
Procurement Operations had conducted self-assessments of US-VISIT-
related contracts in fiscal years 2006 and 2007, and that these 
assessments had not identified any areas of non-compliance that 
required risk mitigation. 

However, the cited support is not sufficient to fully satisfy the 
legislative condition because the condition applies to the fiscal year 
2008 expenditure plan, while the support that is cited pertains to the 
fiscal year 2007 expenditure plan and assessments that were completed 
in fiscal years 2006 and 2007. 

Condition 8: 

Condition 8: The plan partially satisfies the condition that it include 
(1) a certification by the DHS CIO that the program has a risk 
management process that regularly identifies, evaluates, mitigates, and 
monitors risks throughout the system life cycle and communicates high-
risk conditions to department investment decision makers, as well as 
(2) a listing of all the program’s high risks and the status of efforts 
to address them. 

As we have previously reported,[Footnote 32] proactively managing 
program risks is a key acquisition management control, and if defined 
and implemented properly, it can increase the chances of programs 
delivering promised capabilities and benefits on time and within 
budget. 

On February 25, 2008, the former DHS Acting CIO certified that US-VISIT 
had a sufficient risk management process in place, adding that this 
process satisfied all process-related aspects of the legislative 
condition. In doing so, the then Acting CIO relied on an assessment of 
a range of US-VISIT risk management documents, including a policy, 
plan, periodic listings of high risks and related status reports, and 
communications with department decision makers. 

However, the certification does not fully satisfy the legislative 
condition. Our analysis of the same risk management documents that the 
certification is based on revealed key weaknesses: 

* The US-VISIT risk management plan is not being effectively 
implemented, which is also a weakness that we reported in February 
2006.[Footnote 33] For example, of the 33 high risks identified as 
being in or past the handling phase of the risk management process 
[Footnote 34] in the February 6, 2008 risk inventory, 8 (about 24 
percent) did not have a mitigation plan, and 19 (about 58 percent) did 
not have a contingency plan. Moreover, considerable time has passed 
without such plans being developed, in some cases more than 3 years. 
According to the risk management plan, mitigation and contingency plans 
should be developed for all high and medium risks once they have 
reached the handling phase of the risk management process. (This 
weakness is discussed in greater detail later in this briefing.) 

* The US-VISIT process for managing risk does not contain thresholds 
for elevating risks beyond the program office. Moreover, program 
officials told us that an update to this process that is currently in 
draft does not include such thresholds. Without thresholds, it is 
unlikely that senior DHS officials will become aware of those risks 
requiring their attention. In this regard, we reported in February 2006 
[Footnote 35] that the thresholds for elevating risks to department 
executives that were in place were not being applied. In August 2007, 
[Footnote 36] we reported that these thresholds had been eliminated and 
that no risks had been elevated to department executives since December 
2005. During the following 32 months, only one risk was elevated beyond 
the program office. 

Condition 9: 

Condition 9: The plan does not satisfy the condition that it include a 
certification by the DHS Chief Human Capital Officer that the human 
capital needs of the program are being strategically and proactively 
managed, and that current human capital capabilities are sufficient to 
execute the plans discussed in the report. 

As we have previously reported,[Footnote 37] strategic management of 
human capital is both a best practice and a provision in federal 
guidance. Among other things, it involves proactive efforts to 
understand an entity’s future workforce needs, existing workforce 
capabilities, and the gap between the two and charting a course of 
action to define how this gap will be continuously addressed. By doing 
so, agencies and programs can better ensure that they have the 
requisite human capital capacity to execute agency and program plans. 

On March 6, 2008, the DHS Chief Human Capital Officer certified that 
the US-VISIT human capital strategic plan provides specific initiatives 
to address the hiring, development, and retention of program employees, 
and that a strategy exists to develop indicators to measure the 
progress and results of these initiatives. 

However, this certification does not satisfy the legislative condition 
for two reasons. 

* The certification does not address the strategic plan’s 
implementation, which is important because just having a human capital 
strategic plan does not constitute strategic and proactive management 
of the program’s human capital. 

* The certification does not address whether the current human capital 
capabilities are sufficient to execute the expenditure plan. For 
example, it does not recognize that US-VISIT is understaffed. We 
reported in August 2007[Footnote 38] that the program office had 21 
vacancies and had taken the interim step to address this shortfall by 
temporarily assigning other staff to cover the vacant positions, and 
planned to fill all the positions through aggressive recruitment. As of 
July 2008, the program office reported having 23 vacancies, including 
vacancies in leadership positions, such as the program’s deputy 
director. Since then, the program office reports that it has filled 
nine of these vacancies. 

Condition 10: 

Condition 10: The plan does not satisfy the condition that it include a 
complete schedule for the full implementation of a biometric exit 
program or a certification that such a program is not possible within 5 
years. 

As we stated in our June 2007 testimony,[Footnote 39] a complete 
schedule for the full deployment of an exit capability would specify, 
at a minimum, what work will be done, by what entities, and at what 
cost to define, acquire, deliver, deploy, and operate expected system 
capabilities. A complete schedule is essential to ensuring that the 
solution is developed and implemented effectively and efficiently. 

The fiscal year 2008 plan does not contain either a complete schedule 
for fully implementing biometric exit capabilities at air, sea, and 
land POEs, or a statement that this cannot be completed within a 5-year 
time frame. Rather, the plan contains a very high-level schedule that 
only identifies five broadly-defined tasks, and a date by which each is 
to be completed, as shown in the table on the following slide. 

Table: Air/Sea/Land Biometric Exit Schedule-High Level: 

Activity: Pilot closeout activities; 
Date: September 28, 2007. 

Activity: Air/Sea Exit outreach; 
Date: December 31, 2008. 

Activity: Air/Sea Exit planning; 
Date: April 24, 2008. 

Activity: Air/Sea Exit design; 
Date: December 31, 2008. 

Activity: Land border planning document; 
Date: December 31, 2008. 

Source: DHS data. 

[End of table] 

Such high-level milestones do not constitute a “complete schedule for 
the full implementation of a biometric exit program,” as requested by 
the act, because they are not supported by the kind of verifiable 
analysis and documentation that we have previously reported as 
necessary for a reliable program schedule.[Footnote 40] For example, 
these milestones do not include (1) decomposition of the program into a 
work breakdown structure; (2) sequencing, integration, and resourcing 
of each work element in the work breakdown structure; and (3) 
identification of the critical path through the schedule of linked work 
elements. 

Condition 11: 

Condition 11: The plan partially satisfies the condition that it 
include a detailed accounting of operation and maintenance, contractor 
services, and program management costs associated with the program. 
[Footnote 41] 

As we have previously reported,[Footnote 42] the purpose of the 
expenditure plan is to provide Congress with sufficient information to 
exercise effective oversight of US-VISIT and to hold DHS accountable 
for results. To accomplish this, the act sought specific information 
relative to planned US-VISIT spending for operations and maintenance, 
contractor services, and program management. 

Operations and Maintenance: 

The fiscal year 2008 plan provides a decomposition of program 
operations and maintenance costs according to functional areas of 
activity, such as operations and maintenance of system applications, 
data center operations, network/data communications, and IT services. 
While this decomposition does satisfy the condition, it nevertheless 
could be more informative if the costs were associated with specific 
capabilities, systems, and services, such as the cost to operate and 
maintain ADIS, IDENT, and iDSM. 

Contractor Services: 

The fiscal year 2008 plan does not separately identify the program’s 
costs for contractor services. According to program officials, such 
services are embedded in other cost categories, such as Program 
Staffing (which is a combination of government and contractor staff), 
Prime Integrator, and Project Integration and Analysis. The one 
exception is for the Provide Identity Management and Screening Services 
broad core capability area, which identifies $15.8 million in 
contractor services. 

Program Management Costs: 

The fiscal year 2008 plan states that program management costs will 
total $115.2 million, and allocates them to items such as program 
staffing ($46.2 million), planning and logistics ($14.3 million), prime 
integrator ($33.5 million), and working capital and management reserve 
($21.2 million). It also describes a number of program management 
related initiatives, such as maturing program monitoring and control 
processes, developing strategic plans and related policies, conducting 
public information dissemination and outreach, and strengthening human 
capital management and stakeholder training. 

However, it does not allocate the $115.2 million to these initiatives. 
For example, the plan does not describe what portion of the $115.2 
million will be used to develop criteria for estimating life cycle 
costs, which is one effort within the maturing program processes 
initiative, or to properly align program management staffing to tasks 
and rewrite position descriptions, which are efforts within 
strengthening human capital management. In addition, the $115.2 million 
does not include $11.6 million in contractor program management support 
provided to specific projects, such as Air and Sea Exit. As a result, 
total cost allocated to program management in fiscal year 2008 is 
$126.8 million, which is similar to the program management costs we 
reported in the fiscal year 2006 and 2007 expenditure plans. As we 
previously reported,[Footnote 43] these levels of program management 
costs represented a sizeable portion of the US-VISIT planned spending, 
but were not adequately justified. 

Condition 12: 

Condition 12: We have reviewed the plan, thus satisfying the condition. 
Our review was completed on September 15, 2008. 

[End of Legislative Conditions section] 

Objective 2: Observations: 

Observation 1: Reliability of DHS Air and Sea Exit cost estimates is 
not clear: 

In developing its Air and Sea Exit NPRM, DHS is required to prepare a 
written assessment of the costs, benefits, and other effects of its 
proposal and a reasonable number of alternatives, and to adopt the 
least costly, most cost-effective, or least burdensome among them. To 
accomplish this, it is important that DHS have reliable cost estimates 
for its proposed and alternative solutions. 

However, the reliability of the estimates that DHS developed is not 
clear because (1) DHS documents characterize the estimates as being by 
definition rough and imprecise, but DHS officials that were responsible 
for developing the estimates stated that this characterization is not 
accurate, (2) our analysis of the estimates’ satisfaction of estimating 
best practices shows that while DHS satisfied some key practices, it 
either did not fully satisfy others or it has yet to provide us with 
documentation to determine whether still other practices were met, and 
(3) data on certain variables pertaining to airline costs were not 
available for inclusion in the estimates, and airlines report that 
these costs were understated in the estimates. 

DHS Documents and Program Officials Statements Characterizing the 
Nature of the Estimates Are Not Consistent: 

As noted earlier in this briefing, the NPRM and regulatory impact 
analysis cite the estimated costs of each of the five alternatives that 
were analyzed. For example, the impact analysis states that the 
estimated cost of the proposed solution is $3.6 billion. Moreover, this 
analysis states that each of the cost estimates are “rough order of 
magnitude” estimates, meaning that they are by definition rough and 
imprecise, to the point of being potentially understated by as much as 
100 percent, and overstated by as much as 50 percent. Restated, this 
means that the estimated cost of the proposed solution could be 
anywhere from $1.8 billion to $7.2 billion. 

According to DHS’s analysis, these broad cost risk ranges were used to 
reflect the degree to which Air and Sea Exit has been defined, 
including the assumptions that had to be made about airline solution 
configurations in the absence of airline data. According to GAO’s Cost 
Estimating Guide, rough order of magnitude estimates are used when few 
details are available about the alternatives, and they should not be 
considered budget-quality cost estimates. Accordingly, they should not 
be viewed as sufficiently credible, accurate, or comprehensive to be 
considered reliable for making informed choices among competing 
investment options. 

Notwithstanding the regulatory impact analysis’ characterization of the 
cost estimates as rough order of magnitude estimates, program officials 
responsible for deriving the estimates stated that the estimates were 
“mislabeled” in the analysis, and thus the risk ranges for the 
estimates are overstated. They added that the estimates should have 
been characterized as parametric and partial engineering estimates, 
which would have produced much smaller risk ranges. 

Available Documentation Shows Some Estimating Best Practices Were Met, 
While Others Were Not: 

GAO’s Cost Estimating Guide identifies four characteristics of reliable 
cost estimates and associates a number of estimating best practices 
with each characteristic. The four characteristics of reliable cost 
estimates are that they are well-documented, credible, comprehensive, 
and accurate. 

The cost estimates for the Air and Sea Exit alternatives satisfied a 
number of the best practices in GAO’s Cost Estimating Guide. For 
example, the estimate’s purpose and scope are clearly defined, the cost 
team included experienced cost analysts, and the cost estimate included 
a description of the cost estimation process, data sources, and 
methods. 

However, these cost estimates did not satisfy other best practices in 
our guide. For example, the cost estimate was not compared to an 
independent estimate and a technical baseline was not developed to 
provide the underlying basis for this estimate. These are important 
because the technical baseline provides a detailed technical, program, 
and schedule description of the system to be developed, and thus is the 
basis for the program and independent cost estimates. Additionally, an 
independent estimate provides an unbiased check on the reliability of 
the program’s estimate. 

Moreover, we have yet to receive documentation from DHS relative to 
other best practices cited in the guide. For example, the guide 
recognizes the importance of performing risk analyses that allow for 
risks to be examined across the work breakdown structure so that the 
uncertainties associated with individual work elements can be 
determined, and risk levels can be assigned to each. According to the 
regulatory impact analysis, a standard level 5 risk range (50 percent 
below to 100 percent above) was used with the cost estimates because a 
comprehensive risk analysis had not been done. Program officials told 
us, however, that a risk analysis was performed, but we have yet to 
receive it. Further, we have yet to receive evidence showing that all 
relevant costs were addressed, such as the cost of spare, refreshed, 
and updated equipment and technology. 

Estimates May Not Include Major Cost Elements: 

The regulatory impact analysis states that data on several variables 
were not available for inclusion in the analysis, including estimates 
for burden to carriers and travelers. Of the 56 airlines and airline 
associations that provided comments on the NPRM, 21 commented that 
DHS’s cost estimate for its proposed solution was understated because 
it did not adequately reflect the burden to carriers. In particular, 
the International Air Transport Association commented that the proposed 
solution could cost the air carriers as much as $12.3 billion over 10 
years. According to this association, its estimate was developed in 
collaboration with airlines, network service providers, and hardware 
manufacturers. The association attributed the understatement of DHS’s 
estimate to its omission of relevant costs for data transmission, 
secure networks, and secure data warehouses. Specifically, it stated 
that: 

* transmission requirements for biometric data would be between 350 and 
800 times greater than what the airlines currently use for the 
transmission of biographic and manifest text data (between 31 and 128 
megabytes of information for each international flight versus about 100 
kilobytes currently transferred); 

* secure networks required for transmission of biometric data would 
need to be installed between the airports and the airlines’ departure 
control systems because they currently do not exist (estimated to cost 
about $150 million over 10 years); and 

* secure data warehouses for biometric data storage would need to be 
installed to store the data prior to transmission to DHS (estimated to 
cost about $1 billion to operate over 10 years). 

In addition, United Airlines commented that its start-up costs would be 
about $21.8 million. It also commented that DHS’s cost estimate does 
not include the cost of additional traveler burden, which they 
estimated to be about $30 per hour. According to United Airlines, 
passenger time is potentially the highest cost element with as many as 
50 million persons being affected by queuing, congested space, and 
flight delays. DHS’s regulatory impact analysis acknowledges the 
omission of the cost of additional travel burden and the impact on the 
cost to each carrier’s business processes. 

Further, Air Canada Jazz, a regional airline, commented that because 
the requirement for airline personnel to collect biometric data is 
beyond the scope of duties outlined in current collective agreements, 
it would have to renegotiate its agreements to add these duties. 

Observation 2: DHS reports that proposed solution would provide less 
security and privacy than other alternatives: 

Adequate security and privacy controls are needed to assure that 
personally identifiable information is secured against unauthorized 
access, use, disclosure, or retention. Such controls are especially 
needed for government agencies, where maintaining public trust is 
essential. In the case of US-VISIT, one of its stated goals is to 
protect the security and privacy of U.S. citizens and visitors. 

However, DHS's proposed solution would have more privacy and security 
risks than alternative solutions. According to the NPRM, having 
carriers collect the biometric information is less secure than 
alternatives where DHS collects the information, regardless of the 
information collection point. Moreover, it states that information that 
is in the sole custody of one entity (e.g., DHS) is less likely to be 
compromised than information passed from private carriers to DHS. 
Similarly, the NPRM states that the degree of confidence in compliance 
with privacy requirements is lower when DHS does not maintain full 
custody of personally identifiable information. 

Further, the privacy impact assessment that DHS prepared for Air and 
Sea Exit states that carrier custody of personally identifiable 
information introduces vulnerabilities, including inadequate 
information security and data integrity, and it concludes that this 
could impact travelers in several ways, such as travel inconveniences, 
subsequent denial of admission to the United States based on faulty 
data, or misuse of personally identifiable information. In fact, the 
privacy impact assessment rated misuse of personally identifiable 
information as a high risk under the proposed solution due to the 
serious impact that misuse of personally identifiable information would 
have on both the individual traveler and the integrity of US-VISIT. 

According to the NPRM, these privacy and security risks will be 
addressed in two ways. First, DHS will require carriers to ensure that 
their systems and transmission methods of biometric data meet DHS 
technical, security and privacy requirements to be established in 
guidance and issued in conjunction with the final rule. However, it is 
unclear how DHS will ensure that the guidance is effectively 
implemented. Second, when the data are received by DHS, the NPRM states 
that it will be protected in accordance with a robust privacy and 
security program. However, we recently reported[Footnote 44] that the 
systems supporting US-VISIT have significant information security 
weaknesses that place sensitive and personally identifiable information 
at increased risk of unauthorized and possibly undetected disclosure 
and modification, misuse, and destruction. 

Observation 3: Public comments on the NPRM raise a range of additional 
concerns: 

As noted earlier, 91 entities, including the airline, trade, and travel 
industries, and federal, state, and foreign governments, commented on 
the Air and Sea Exit proposal. In addition to the comments discussed 
earlier relative to the reliability of the cost estimates and the 
security and privacy implications of a carrier-implemented solution, a 
number of other comments were provided that raise further concerns and 
questions about the proposed solution. Specifically, the entities 
provided the following comments: 

* According to some carriers, DHS has yet to provide technical 
requirements for the carriers to meet in delivering their respective 
parts of the proposed solution. In particular, the NPRM stated that 
carriers will be required to comply with the DHS Consolidated User’s 
Guide. However, they stated that this guide does not define, for 
example, how biometric images are to be incorporated into the existing 
message format used for APIS transmissions. Similarly, the NPRM states 
that all biometric data transmissions would be bound by existing 
regulations, including the FBI’s Criminal Justice Information Services 
Electronic Transmission Specifications. However, carriers stated that 
these specifications had not been made available. 

* According to some of the carriers, DHS’s proposed solution conflicts 
with air and vessel carrier passenger processing improvements. 
Requiring passenger-agent contact goes against recent simplifications 
to carriers’ business models in which new technologies are being 
introduced to eliminate time-consuming passenger-agent interactions. 
For example, most airlines and cruise ships allow passengers to confirm 
arrival and check-in online prior to entering the airport or sea 
terminal, or to check in and print a boarding pass at a kiosk. These 
carriers commented that the passenger-agent contact required under the 
NPRM is at odds with this evolution in business processes and will slow 
down the travel process, delay flights, and make air and sea ports more 
crowded. According to one carrier’s estimates, the proposed solution 
will add 1 to 2 minutes processing time per passenger, which will 
collectively add an estimated 3 to 5 hours per flight. While the 
regulatory impact analysis projected flight delays to be less lengthy, 
it nevertheless acknowledged that most travelers would be delayed by 
about 50 minutes. A number of entities said that such significant 
delays will cause foreign travelers to vacation elsewhere. 

* According to several airlines and airline associations, DHS’s 
proposed solution is not fully integrated with other border screening 
programs involving air carriers. DHS has recently issued proposed or 
final rules for four DHS programs,[Footnote 45] and each of these 
require or propose requiring carriers to collect and transmit 
additional data in 2008 and 2009. As such, these organizations viewed 
the four as duplicative (require very similar data) and inefficient 
(use different transmission methods), and claimed that DHS’ sequential 
introduction of these programs will require carriers to undertake 
separate and repeated system development and employee training efforts 
that will impact their operations. 

* According to several carriers, DHS did not involve the stakeholders 
in this rulemaking process as it had in previous rulemaking efforts. 
Carriers stated that for US-VISIT entry and the Advance Passenger 
Information System-Quick Query, which is about to be deployed, they 
were involved in developing a solution, but for US-VISIT exit, they 
were not. 

Observation 4: US-VISIT risk management database shows that some risks 
have not been effectively managed: 

Proactively managing program risks is a key acquisition management 
control and, if defined and implemented properly, it can increase the 
chances of programs delivering promised capabilities and benefits on 
time and within budget. To its credit, the program office has defined a 
risk management plan and related process that is consistent with 
relevant guidance. However, its own risk database shows that not all 
risks have been proactively mitigated. As we have previously reported, 
[Footnote 46] not proactively mitigating risks increases the chances 
that risks become actual cost, schedule, and performance problems. 

Federal guidance and related best practices[Footnote 47] advocate 
identifying facts and circumstances that can increase the probability 
of a program failing to meet cost, schedule, and performance 
commitments and then taking steps to reduce the probability of their 
occurrence and impact. Among other things, effective risk management 
includes (1) establishing a written plan for managing risks; (2) 
designating responsibility for risk management activities; (3) defining 
and implementing a process that provides for identifying, analyzing, 
and mitigating risks; and (4) periodically examining the status of 
identified risks and their mitigation. The US-VISIT Risk Management 
Plan defines a five-step process for managing program risks, as 
illustrated in the figure. 

Figure: Five-step process for managing program risks: 

[Refer to PDF for image] 

1) Prepare for risk management; 

2) Risk identification; 

3) Risk analysis; 

4) Risk handling; 

5) Risk monitoring and control. 

[End of figure] 

Within each of these steps, the plan defines a number of activities 
that are consistent with federal guidance and related best practices. 
For example, 

* In the preparation phase, each project office is to develop a 
strategy for managing risk that includes, among other things, the scope 
of the project risks to be addressed and the risk management tools to 
be used. 

* In the risk identification phase, risks are to be identified in as 
much detail as possible and a risk owner is to be designated. 

* In the risk analysis phase, the estimated probability of occurrence 
and impact on the program or project of each risk is to be determined 
and used to assign a priority (high, medium, or low). 

* In the risk handling phase, detailed mitigation and contingency plans 
are to be prepared for all medium- and high-priority risks as early as 
possible. 

* In the risk monitoring phase, the status of risk mitigation and 
contingency plans is to be tracked, and decisions are to be reached as 
to whether to close a risk or to designate it as a realized issue 
(i.e., actual problem). 

However, the program office’s own data show that it is not following 
its Risk Management Plan. Specifically, of the list of 39 high-priority 
risks provided to the DHS CIO to support the earlier described risk 
management-related expenditure plan certification, the program office 
reported that 6 were in the analysis phase, 9 were in the handling 
phase, 13 were in the monitoring phase, and 11 were now realized and 
became program issues. Our analysis shows that of the 13 risks in the 
monitoring phase, 6 did not have contingency plans and 1 did not have a 
mitigation plan, even though both plans were to have been developed in 
the prior phase. Further, of the 11 risks that had been realized, none 
were included in the list of program issues provided to the DHS CIO. 

Further, many of these risks had not had mitigation and/or contingency 
plans developed in a time frame that can be considered either “as early 
as possible” or timely. In fact, some risks had been open for over 3 
years without having such plans. For example, of the six risks in the 
monitoring phase without at least one of the two required plans, one 
risk had been open for 1212 days (about 3 years and 3 months) without a 
mitigation plan, and the median number of days that risks in this phase 
had gone without one or both of these plans was 178 (about 6 months). 
The chance of risks becoming actual problems and impacting the program 
is increased by not having mitigation and contingency plans. This is 
evidenced by the fact that of the 11 high risks that the program office 
reported at the time as having become realized issues (actual 
problems), all were missing mitigation and/or contingency plans, and 
the median number of days these 11 had gone without these plans was 299 
(see table below). 

Table: Risks without mitigation and/or contingency plans: 

Management step: Handle (6 risks); 
Days the risk has been open (as of February 6, 2008), Minimum: 22; 
Days the risk has been open (as of February 6, 2008), Maximum: 652; 
Days the risk has been open (as of February 6, 2008), Median: 230. 

Management step: Monitor (6 risks); 
Days the risk has been open (as of February 6, 2008), Minimum: 2; 
Days the risk has been open (as of February 6, 2008), Maximum: 1212; 
Days the risk has been open (as of February 6, 2008), Median: 178. 

Management step: Realized (11 risks); 
Days the risk has been open (as of February 6, 2008), Minimum: 19; 
Days the risk has been open (as of February 6, 2008), Maximum: 1204; 
Days the risk has been open (as of February 6, 2008), Median: 299. 

[End of table] 

Our analysis of a more recent risk listing confirmed that this pattern 
has continued. Specifically, the July 3, 2008, risk listing contained 
34 high-priority risks, of which none were in the analysis phase, 10 
were in the handling phase, 12 were in the monitoring phase, and 12 
were now realized and became program issues. However, 6 of the 12 risks 
in the monitoring phase, for example, did not have contingency plans 
and 3 of these 6 did not have mitigation plans. Moreover, some of the 
risks in either the monitoring phase or the realized phase have not had 
mitigation and/or contingency plans for more than 3½ years (see table 
below). 

Table: Risks without mitigation and/or contingency plans: 

Management step: Handle (7 risks); 
Days the risk has been open (as of February 6, 2008), Minimum: 114; 
Days the risk has been open (as of February 6, 2008), Maximum: 800; 
Days the risk has been open (as of February 6, 2008), Median: 260. 

Management step: Monitor (6 risks); 
Days the risk has been open (as of February 6, 2008), Minimum: 4; 
Days the risk has been open (as of February 6, 2008), Maximum: 1360; 
Days the risk has been open (as of February 6, 2008), Median: 78.5. 

Management step: Realized (11 risks); 
Days the risk has been open (as of February 6, 2008), Minimum: 77; 
Days the risk has been open (as of February 6, 2008), Maximum: 1352; 
Days the risk has been open (as of February 6, 2008), Median: 821. 

Source: GAO analysis of DHS data. 

[End of table] 

The absence of timely risk mitigation and contingency planning is 
exacerbated by the fact that these are high risks which, according to 
the Risk Management Plan, means that there is at least a 41 percent 
chance they will significantly affect critical cost, schedule, and 
performance baselines. By not effectively managing key program risks, 
the program office is unnecessarily increasing its chances of 
experiencing actual cost, schedule, and performance problems, and will 
be less likely to be able to deliver system capabilities on time and 
within budget. 

Observation 5: Significance of task order 7 schedule variances has 
been minimized by frequent rebaselining: 

According to the GAO Cost Assessment Guide,[Footnote 48] rebaselining 
should occur very rarely, as infrequently as once in the life of a 
program or project and only when a schedule variance is significant 
enough to limit its utility as a predictor of future schedule 
performance. 

For task order 7, the largest task order,[Footnote 49] which provides 
for development and deployment of new capabilities (e.g., Unique 
Identity and Biometric Solutions Delivery) the program office has 
rebaselined its schedule twice in the last 2 years—first in October 
2006, when the task order had a negative schedule variance of $958,216, 
and then in October 2007, when the negative schedule variance for 
Unique Identity and Biometric Solutions was $4.1 million. Since this 
last rebaselining, the program office reports a negative variance 
through May 2008 of $3.5 million. Without the rebaselinings, this would 
have amounted to a $7.2 million schedule variance. The graphic on the 
next slide shows the cumulative schedule variance with and without the 
rebaselining. 

Figure: Cumulative Schedule Variance, TO7 (Biometric Solutions + Unique 
ID): 

[Refer to PDF for image] 

This figure is a multiple line graph depicting the Cumulative Schedule 
Variance. The vertical axis of the graph represents Schedule variance 
in millions of dollars. The horizontal axis of the graph represents a 
series of dates from July 2006 to June 2008. 

Date: September 2006; 
Rebaseline: -$0.958; 
Cumulative Schedule Variance without rebaseline: -$0.958. 

Date: October 2006; 
Rebaseline: 0.0; 
Cumulative Schedule Variance without rebaseline: -$0.958. 

Date: November 2006; 
Rebaseline: -$0.227; 
Cumulative Schedule Variance without rebaseline: -$1.185. 

Date: December 2006; 
Rebaseline: -$0.332; 
Cumulative Schedule Variance without rebaseline: -$1.290. 

Date: January 2007; 
Rebaseline: -$0.369; 
Cumulative Schedule Variance without rebaseline: -$1.327. 

Date: February 2007; 
Rebaseline: -$0.384; 
Cumulative Schedule Variance without rebaseline: -$1.343. 

Date: March 2007; 
Rebaseline: -$0.170; 
Cumulative Schedule Variance without rebaseline: -$1.128. 

Date: April 2007; 
Rebaseline: -$0.220; 
Cumulative Schedule Variance without rebaseline: -$1.179. 

Date: May 2007; 
Rebaseline: -$0.825; 
Cumulative Schedule Variance without rebaseline: -$1.783. 

Date: June 2007; 
Rebaseline: -$1.674; 
Cumulative Schedule Variance without rebaseline: -$2.632. 

Date: July 2007; 
Rebaseline: -$3.052; 
Cumulative Schedule Variance without rebaseline: -$4.010. 

Date: August 2007; 
Rebaseline: -$3.675; 
Cumulative Schedule Variance without rebaseline: -$4.634. 

Date: September 2007; 
Rebaseline: -$4.128; 
Cumulative Schedule Variance without rebaseline: -$5.086. 

Date: October 2007; 
Rebaseline: -$1.390; 
Cumulative Schedule Variance without rebaseline: -$5.086. 

Date: November 2007; 
Rebaseline: -$1.679; 
Cumulative Schedule Variance without rebaseline: -$5.375. 

Date: December 2007; 
Rebaseline: -$1.304; 
Cumulative Schedule Variance without rebaseline: -$5.001. 

Date: January 2008; 
Rebaseline: -$2.081; 
Cumulative Schedule Variance without rebaseline: -$5.778. 

Date: February 2008; 
Rebaseline: -$3.128; 
Cumulative Schedule Variance without rebaseline: -$6.824. 

Date: March 2008; 
Rebaseline: -$3.168; 
Cumulative Schedule Variance without rebaseline: -$6.865. 

Date: April 2008; 
Rebaseline: -$3.554; 
Cumulative Schedule Variance without rebaseline: -$7.251. 

Date: May 2008; 
Rebaseline: -$3.500; 
Cumulative Schedule Variance without rebaseline: -$7.197. 

[End of figure] 

As the graphic shows, frequent rebaselining does not adequately 
disclose the potential extent of the shortfall in meeting the baseline. 
Given that EVM reporting is to alert management to the magnitude and 
significance of potential problems sooner rather than later, this 
practice does not adequately support informed program decision making. 
Moreover, it is an indicator of the limitations in the baselines being 
set. According to program officials, these schedule variances are due 
to (1) increases in scope of the work, such as the addition of new 
requirements and (2) underestimating the complexity and difficulty of 
the work to be completed (i.e., limitations in the schedule baseline). 

[End of Observations section] 

Conclusions: 

DHS has not adequately met the conditions associated with its 
legislatively mandated fiscal year 2008 US-VISIT expenditure plan. The 
plan does not fully satisfy any of the conditions that apply to DHS, 
either because it does not address key aspects of the condition or 
because what it does address is not adequately supported or is 
otherwise not reflective of known program weaknesses. Given that the 
legislative conditions are intended to promote the delivery of promised 
system capabilities and value, on time and within budget, and to 
provide Congress with an oversight and accountability tool, these 
expenditure plan limitations are significant. 

Beyond the expenditure plan, other program planning and execution 
limitations and weaknesses also confront DHS in its quest to deliver 
US-VISIT capabilities and value in a timely and cost-effective manner. 
Most notably, DHS has proposed a solution for a long-awaited exit 
capability, but it is not clear if the cost estimates used to justify 
it are sufficiently reliable to do so. DHS itself has reported that the 
proposed solution provides less security and privacy than other 
alternatives analyzed, and the proposed solution is being challenged by 
those responsible for implementing it. Further, DHS’s ability to 
measure program performance and progress, and thus be positioned to 
address cost and schedule shortfalls in a timely manner, is hampered by 
weaknesses in the prime contractor’s implementation of EVM. Each of 
these program planning and execution limitations and weaknesses 
introduces risk to the program. 

In addition, DHS is not effectively managing the program’s risks, as 
evidenced by the program office’s risk database showing that known 
risks are being allowed to go years without risk mitigation and 
contingency plans. Overall, while DHS has taken steps to implement a 
significant percentage of our prior recommendations aimed at improving 
management of US-VISIT, additional management improvements are needed 
to effectively define, justify, and deliver a system solution that 
meets program goals, reflects stakeholder input, minimizes exposure to 
risk, and provides Congress with the means by which to oversee program 
execution. Until these steps are taken, US-VISIT program performance, 
transparency, and accountability will suffer. 

[End of conclusions section] 

Recommendations for Executive Action: 

To assist DHS in planning and executing US-VISIT, we recommend that the 
Secretary of Homeland Security direct the department’s Investment 
Review Board to immediately hold a review of the US-VISIT program that, 
at a minimum, addresses: 

* The reasons for the fiscal year 2008 expenditure plan not fully 
addressing each of the legislative conditions and corrective action to 
ensure that this does not occur for future expenditure plans; 

* The adequacy of the basis for any future Air and Sea Exit solution, 
including the reliability of cost estimates, implication of privacy and 
security issues, and addressing key concerns raised in comments to the 
proposed rule; 

* The weaknesses in the program’s implementation of risk management; 
and 

* The weaknesses in the prime contractor’s implementation of earned 
value management, including the limitations in the quality of the 
schedule baselines and the schedule variance measurements. 

We further recommend that the Secretary of Homeland Security report the 
results of this Investment Review Board review to Congress. 

[End of Recommendations for Executive Action section] 

Agency Comments and Our Evaluation: 

We provided a draft of this briefing to DHS officials, including the 
Director of US-VISIT. In their oral comments on the draft, these 
officials did not state whether they agreed or not with our findings, 
conclusions, or recommendations. They did, however, provide a range of 
technical comments, which we have incorporated in the briefing, as 
appropriate. They also sought clarification on our scope and 
methodology, which we have also incorporated in the briefing. 

[End of Agency Comments and Our Evaluation] 

Attachment 1: Objectives, Scope and Methodology: 

Our objectives were to (1) determine whether the plan satisfies the 
legislative conditions specified in the fiscal year 2008 Consolidated 
Appropriations Act, and (2) provide observations about the expenditure 
plan and management of US-VISIT. Information on scope and methodology 
for each objective follows: 

To accomplish conditions 1, 2, 3, 10 and 11 of our first objective, we 
determined whether the plan[Footnote 50] satisfies, partially 
satisfies, or does not satisfy the conditions based on the extent to 
which the plan addresses all aspects of the applicable condition, as 
specified in the act. Specifically, 

* For condition 1, we compared information in the fiscal year 2008 
expenditure plan to previous expenditure plans to determine whether the 
current plan provided a detailed accounting of the program’s progress 
to date related to systems capabilities or services, system performance 
levels, mission benefits and outcomes, milestones, cost targets, and 
program management capabilities; 

* For condition 2, we reviewed the fiscal year 2008 expenditure plan to 
determine whether it contained an explicit plan of action defining how 
all funds were to be obligated to meet future commitments, with funds 
linked to the milestone-based delivery of specific capabilities, 
services, system performance levels, mission benefits and outcomes, and 
program management capabilities; 

* For condition 3, we reviewed and analyzed information in the fiscal 
year 2008 expenditure plan, US-VISIT's most recent status reports on 
the implementation of our open recommendations, and related key 
documents (e.g., the program's product test plans, capacity management 
plan, configuration management plan, and cost estimation process), 
augmented as appropriate by interviews with program officials to 
determine whether the expenditure plan contained a listing of all open 
GAO and OIG recommendations and the status of DHS actions to address 
them, including milestones; 

* For condition 10, we reviewed the fiscal year 2008 expenditure plan 
to determine whether it contained a schedule for the full 
implementation of a biometric exit capability that fully defines, at a 
minimum, what work will be done, by what entities, and at what cost to 
define, acquire, deliver, deploy, and operate expected system 
capabilities; and 

* For condition 11, we reviewed the fiscal year 2008 expenditure plan 
to determine whether it contained a detailed accounting of all 
operation and maintenance, contractor services, and program management 
costs associated with management of the program. For this condition, we 
obtained clarification from staff from the House and Senate 
Appropriations Subcommittees on Homeland Security to ensure that our 
assessment met their intent. As a result, we have modified the wording 
slightly from what was in the Act. 

To accomplish conditions 4, 5, 6, 7, 8, and 9 of objective 1 we 
determined whether the plan satisfies, partially satisfies, or does not 
satisfy the conditions based on the extent to which the applicable 
certification letter contained in the plan (a) addresses all aspects of 
each condition, as specified in the act, (b) is sufficiently supported 
by documented and verifiable analysis, (c) contains significant 
qualifications, and (d) is otherwise consistent with our related 
findings. 

* For condition 4, we reviewed the DHS certification and supporting 
documentation for US-VISIT’s capital planning and investment controls, 
including US-VISIT’s most recent OMB submission and documents related 
to the milestone decision point 1 and 2 approvals, to determine whether 
a sufficient basis existed for the certification; 

* For condition 5, we reviewed the DHS certification for the 
independent verification and validation agent and analyzed supporting 
documentation, such as DHS’s assessment of US-VISIT’s independent 
verification and validation efforts, to determine whether a sufficient 
basis existed for the certification; 

* For condition 6, we reviewed the DHS certification that the US-VISIT 
architecture is sufficiently aligned with the DHS EA, and assessed 
supporting documentation, including US-VISIT program documents against 
the DHS EA 2007, and criteria in DHS’s Investment Review Process and 
DHS’s EA Governance Process Guide to determine whether a sufficient 
basis existed for the certification; 

* For condition 7, we reviewed the DHS certification that the plans for 
the US-VISIT program comply with federal acquisition rules, guidelines, 
and practices, and analyzed supporting documentation, such as DHS’s 
assessment of US-VISIT’s contracts, to determine whether there was a 
sufficient basis for the certification; 

* For condition 8, we reviewed the DHS certification that US-VISIT has 
a risk management process that identifies, evaluates, mitigates, and 
monitors risks throughout the life cycle, and communicates high risks 
to the appropriate managers at the US-VISIT program and DHS levels. We 
also analyzed the most current US-VISIT risk management plan, risk 
lists, and risk meeting minutes, to determine whether there was a 
sufficient basis for the certification; and 

* For condition 9, we reviewed the DHS certification that the human 
capital needs of the US-VISIT program were being strategically and 
proactively managed, and analyzed supporting documentation, such as US-
VISIT’s Human Capital Strategic Plan, to determine whether there was a 
sufficient basis for the certification. 

To accomplish our second objective, we reviewed the fiscal year 2008 
plan and other available program documentation related to US-VISIT’s 
plans for deploying a biometric exit capability, US-VISIT’s use of 
earned value management, and US-VISIT’s implementation of risk 
management. In doing so, we examined planned and completed actions and 
steps, including program officials' stated commitments to perform them. 
For earned value management, we reported data provided by the 
contractor to US-VISIT that is verified by US-VISIT. To assess its 
reliability, we reviewed relevant documentation and interviewed the 
system owner for the earned value data. More specifically, we addressed 
US-VISIT efforts to: 

* define and implement an exit strategy for air, sea, and land by 
reviewing and analyzing information provided as part of the expenditure 
plan; the notice of proposed rulemaking for air and sea exit; the 
regulatory impact analysis and privacy impact assessment for air and 
sea exit; and comments made to the notice of proposed rule for air and 
sea exit;[Footnote 51] 

* track and manage cost and schedule commitments by applying 
established earned value analysis techniques to baseline and actual 
performance data from cost performance reports;[Footnote 52] and 

* define and implement a risk management process that addresses the 
identification, analysis, evaluation, and monitoring of risks by 
reviewing the risk management policy, risk management plan, active and 
high risk lists, risk meeting minutes, and a risk elevation memorandum. 

Additionally, in February 2007, we reported[Footnote 53] that the 
system that US-VISIT uses to manage its finances (U.S. Immigration and 
Customs Enforcement’s Federal Financial Management System) has 
reliability issues. In light of these issues, the US-VISIT Budget 
Office tracks program obligations and expenditures separately using a 
spreadsheet and comparing this spreadsheet to the information in 
Federal Financial Management System. Based on a review of this 
spreadsheet, there is reasonable assurance that the US-VISIT budget 
numbers being reported by Federal Financial Management System are 
accurate. 

For DHS-provided data that our reporting commitments did not permit us 
to substantiate, we have made appropriate attribution indicating the 
data’s source. 

[End of Attachment 1] 

Attachment 2: Related GAO Products List: 

Homeland Security: Strategic Solution for US-VISIT Program Needs to Be 
Better Defined, Justified, and Coordinated. [hyperlink, 
http://www.gao.gov/products/GAO-08-361]. Washington, D.C.: February 29, 
2008. 

Homeland Security: U.S. Visitor and Immigrant Status Program’s Long-
standing Lack of Strategic Direction and Management Controls Needs to 
be Addressed. [hyperlink, http://www.gao.gov/products/GAO-07-1065]. 
Washington, D.C.: August 31, 2007. 

Homeland Security: DHS Enterprise Architecture Continues to Evolve But 
Improvements Needed. [hyperlink, 
http://www.gao.gov/products/GAO-07-564]. Washington, D.C.: May 9, 2007. 

Homeland Security: US-VISIT Program Faces Operational, Technological, 
and Management Challenges. [hyperlink, 
http://www.gao.gov/products/GAO-07-632T]. Washington, D.C.: March 20, 
2007. 

Homeland Security: US-VISIT Has Not Fully Met Expectations and 
Longstanding Program Management Challenges Need to Be Addressed. 
[hyperlink, http://www.gao.gov/products/GAO-07-499T]. Washington, D.C.: 
February 16, 2007. 

Homeland Security: Planned Expenditures for U.S. Visitor and Immigrant 
Status Program Need to Be Adequately Defined and Justified. [hyperlink, 
http://www.gao.gov/products/GAO-07-278]. Washington, D.C.: February 14, 
2007. 

Border Security: US-VISIT Program Faces Strategic, Operational, and 
Technological Challenges at Land Ports of Entry. [hyperlink, 
http://www.gao.gov/products/GAO-07-378T]. Washington, D.C.: January 31, 
2007. 

Border Security: US-VISIT Program Faces Strategic, Operational, and 
Technological Challenges at Land Ports of Entry. [hyperlink, 
http://www.gao.gov/products/GAO-07-248]. Washington, D.C.: December 6, 
2006. 

Homeland Security: Contract Management and Oversight for Visitor and 
Immigrant Status Program Need to Be Strengthened. [hyperlink, 
http://www.gao.gov/products/GAO-06-404]. Washington, D.C.: June 9, 
2006. 

Homeland Security: Progress Continues, but Challenges Remain on 
Department’s Management of Information Technology. [hyperlink, 
http://www.gao.gov/products/GAO-06-598T]. Washington, D.C.: March 29, 
2006. 

Homeland Security: Recommendations to Improve Management of Key Border 
Security Program Need to Be Implemented. [hyperlink, 
http://www.gao.gov/products/GAO-06-296]. Washington, D.C.: February 14, 
2006. 

Homeland Security: Visitor and Immigrant Status Program Operating, but 
Management Improvements Are Still Needed. [hyperlink, 
http://www.gao.gov/products/GAO-06-318T]. Washington, D.C.: January 25, 
2006. 

Information Security: Department of Homeland Security Needs to Fully 
Implement Its Security Program. [hyperlink, 
http://www.gao.gov/products/GAO-05-700]. Washington, D.C.: June 17, 
2005. 

Information Technology: Customs Automated Commercial Environment 
Program Progressing, but Need for Management Improvements Continues. 
[hyperlink, http://www.gao.gov/products/GAO-05-267]. Washington, D.C.: 
March 14, 2005. 

Homeland Security: Some Progress Made, but Many Challenges Remain on 
U.S. Visitor and Immigrant Status Indicator Technology Program. 
[hyperlink, http://www.gao.gov/products/GAO-05-202]. Washington, D.C.: 
February 23, 2005. 

Border Security: State Department Rollout of Biometric Visas on 
Schedule, but Guidance Is Lagging. [hyperlink, 
http://www.gao.gov/products/GAO-04-1001]. Washington, D.C.: September 
9, 2004. 

Border Security: Joint, Coordinated Actions by State and DHS Needed to 
Guide Biometric Visas and Related Programs. [hyperlink, 
http://www.gao.gov/products/GAO-04-1080T]. Washington, D.C.: September 
9, 2004. 

Homeland Security: First Phase of Visitor and Immigration Status 
Program Operating, but Improvements Needed. [hyperlink, 
http://www.gao.gov/products/GAO-04-586]. Washington, D.C.: May 11, 
2004. 

Homeland Security: Risks Facing Key Border and Transportation Security 
Program Need to Be Addressed. [hyperlink, 
http://www.gao.gov/products/GAO-04-569T]. Washington, D.C.: March 18, 
2004. 

Homeland Security: Risks Facing Key Border and Transportation Security 
Program Need to Be Addressed. [hyperlink, 
http://www.gao.gov/products/GAO-03-1083]. Washington, D.C.: September 
19, 2003. 

Information Technology: Homeland Security Needs to Improve Entry Exit 
System Expenditure Planning. [hyperlink, 
http://www.gao.gov/products/GAO-03-563]. Washington, D.C.: June 9, 
2003. 

[End of Attachment 2] 

Attachment 3: Detailed Description of Increments and Component Systems: 

Description of the processes underlying each increment and the systems 
that provide information to US-VISIT. 

Increment 1 processes—Increment 1 includes the following five processes 
at air and sea ports of entry (POE): pre-entry, entry, status 
management, exit, and analysis, which are depicted in the graphic 
below. 

Figure: Increment 1 processes: 

[Refer to PDF for image] 

The following information is illustrated: 

Pre-entry: occurs at Embassy or consulate; 
Entry: via air, sea, automobile, or on foot; 
Status: monitored throughout the nation; 
Exit: via air, sea, automobile, or on foot; 
Analysis: occurs throughout the entire process. 

Source: GAO analysis of US-VISIT data, Nova Development Corp. 
(clipart). 

[End of figure] 

Pre-entry process: 

Pre-entry processing begins with initial petitions for visas, grants of 
visa status, or the issuance of travel documentation. When a foreign 
national applies for a visa at a U.S. consulate, biographic and 
biometric data are collected and shared with border management 
agencies. The biometric data[Footnote 54] are transmitted from the 
Department of State (State) to the Department of Homeland Security 
(DHS), where the fingerprints are run against the Automated Biometric 
Identification System (IDENT) to verify identity and to run a check 
against the biometric watch list. The results of the biometric check 
are transmitted back to State. A “hit” response prevents State’s system 
from printing a visa for the applicant until the information is cleared 
by a consular officer. 

Pre-entry also includes transmission by 
commercial air and sea carriers of crew and passenger manifests before 
arriving in the United States.[Footnote 55] These manifests are 
transmitted through the Advance Passenger Information System (APIS). 
The APIS lists are run against the biographic lookout system and 
identify those arrivals who have biometric data available. In addition, 
POEs review the APIS list in order to identify foreign nationals who 
need to be scrutinized more closely. 

Entry process: 

When the foreign national arrives at a primary POE inspection booth, 
the inspector, using a document reader, scans the machine-readable 
travel documents. APIS returns any existing records on the foreign 
national to the CBP primary inspection workstation screen, including 
manifest data matches and biographic lookout hits. When a match is 
found in the manifest data, the foreign national’s name is highlighted 
and outlined on the manifest data portion of the screen. 

Biographic 
information, such as name and date of birth, is displayed on the bottom 
of the computer screen,[Footnote 56] as well as the photograph from 
State’s Consular Consolidated Database. The inspector at the booth 
scans the foreign national’s fingerprints and takes a digital 
photograph. This information is forwarded to the IDENT database, where 
it is checked against stored fingerprints in the IDENT lookout 
database. 

If no prints are currently found in IDENT, the foreign national is 
enrolled in US-VISIT (i.e., biographic and biometric data are entered). 
If the foreign national’s fingerprints are already in IDENT, the system 
performs a match (a comparison of the fingerprints captured during the 
primary inspection to the ones on file) to verify that the person 
submitting the fingerprints is the person on file. If the system finds 
a mismatch of fingerprints or a watch list hit, the foreign national is 
sent to an inspection booth for further screening or processing. 

While the system is checking the fingerprints, the inspector questions 
the foreign national about the purpose of his or her travel and length 
of stay. The inspector adds the class of admission and duration of stay 
information into the Treasury Enforcement Communications System (TECS), 
and stamps the “admit until” date on the Form I-94. If the foreign 
national is ultimately determined to be inadmissible, the person is 
detained, lookouts are posted in the databases, and appropriate actions 
are taken. 

Within 2 hours after a flight lands and all passengers have been 
processed, TECS is to send the Arrival and Departure Information System 
(ADIS) the records showing the class of admission and the “admit until” 
dates that were modified by the inspector. 

Status management process: 

The status management process manages the foreign national’s temporary 
presence in the United States, including the adjudication of benefits 
applications and investigations into possible violations of immigration 
regulations. 

Commercial air and sea carriers transmit departure manifests 
electronically for each departing passenger. These manifests are 
transmitted through APIS and shared with ADIS. ADIS matches entry and 
exit manifest data to ensure that each record showing a foreign 
national entering the United States is matched with a record showing 
the foreign national exiting the United States. ADIS maintains a status 
indicator for each traveler and computes the number of overstay days a 
visitor remains beyond their original entry duration. 

ADIS also provides the ability to run queries on foreign nationals who 
have entry information but no corresponding exit information. 
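
The matching, status indicator, overstay count, and entry-without-exit 
query described above can be sketched as follows. This is an added 
illustration, not ADIS code or part of the GAO report; the record 
fields, the biographic match key (document number, surname, date of 
birth), the status names, and all sample records are constructed 
assumptions. 

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Arrival:
    doc_number: str
    surname: str
    birth_date: date
    arrived: date
    admit_until: date  # "admit until" date set at inspection


@dataclass(frozen=True)
class Departure:
    doc_number: str
    surname: str
    birth_date: date
    departed: date


@dataclass(frozen=True)
class TravelerStatus:
    arrival: Arrival
    departed: Optional[date]
    status: str          # DEPARTED, DEPARTED_LATE, IN_COUNTRY or OVERSTAY
    overstay_days: int


def match_key(rec):
    # Assumed biographic key; carrier data varies in case and padding.
    return (rec.doc_number.strip().upper(), rec.surname.strip().upper(), rec.birth_date)


def reconcile(arrivals, departures, as_of):
    """Return (statuses, unmatched_departures) as of the given date."""
    open_arrivals = defaultdict(list)
    for arr in sorted(arrivals, key=lambda a: a.arrived):
        open_arrivals[match_key(arr)].append(arr)

    paired, unmatched = [], []
    for dep in sorted(departures, key=lambda d: d.departed):
        queue = open_arrivals.get(match_key(dep), [])
        earlier = [a for a in queue if a.arrived <= dep.departed]
        if not earlier:
            unmatched.append(dep)      # exit record with no entry on file
            continue
        arr = earlier[-1]              # latest arrival preceding this exit
        queue.remove(arr)
        paired.append((arr, dep.departed))

    # Arrivals still open have no exit record (true overstay or lost manifest).
    paired += [(a, None) for q in open_arrivals.values() for a in q]

    statuses = []
    for arr, departed in sorted(paired, key=lambda p: p[0].arrived):
        end = departed or as_of
        overstay = max(0, (end - arr.admit_until).days)
        if departed:
            status = "DEPARTED_LATE" if overstay else "DEPARTED"
        else:
            status = "OVERSTAY" if overstay else "IN_COUNTRY"
        statuses.append(TravelerStatus(arr, departed, status, overstay))
    return statuses, unmatched


def entries_without_exit(statuses):
    """Query: travelers with entry information but no matching exit."""
    return [s for s in statuses if s.departed is None]


# Constructed sample records (not real travelers or real data).
DOB = date(1980, 1, 1)
SAMPLE_ARRIVALS = [
    Arrival("P0000001", "ALPHA", DOB, date(2008, 1, 10), date(2008, 4, 10)),
    Arrival("P0000002", "BRAVO", DOB, date(2008, 1, 15), date(2008, 2, 15)),
    Arrival("P0000003", "CHARLIE", DOB, date(2008, 2, 1), date(2008, 3, 1)),
    Arrival("P0000004", "DELTA", DOB, date(2007, 11, 1), date(2007, 12, 1)),
    Arrival("P0000004", "DELTA", DOB, date(2008, 2, 10), date(2008, 5, 10)),
    Arrival("P0000005", "ECHO", DOB, date(2008, 3, 20), date(2008, 6, 20)),
]
SAMPLE_DEPARTURES = [
    Departure("P0000001", "ALPHA", DOB, date(2008, 3, 1)),
    Departure(" p0000002", "Bravo", DOB, date(2008, 2, 20)),   # unnormalised
    Departure("P0000004", "DELTA", DOB, date(2008, 2, 25)),
    Departure("P0000009", "FOXTROT", DOB, date(2008, 3, 5)),   # no entry
]
AS_OF = date(2008, 3, 31)
```

In the sample, the earlier DELTA arrival stays open even though the 
traveler later re-entered and departed, which shows how a missing 
departure manifest surfaces as an apparent overstay in this kind of 
matching. 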

ADIS receives status information from the Computer Linked Application 
Information Management System and the Student and Exchange Visitor 
Information System on foreign nationals. 

Exit process: 

The exit process includes the carriers’ electronic submission of 
departure manifest data to APIS. This biographic information is passed 
to ADIS, where it is matched against entry information. 

Analysis: 

An ongoing analysis capability is to provide for the continuous 
screening against watch lists of individuals enrolled in US-VISIT for 
appropriate reporting and action. As more entry and exit information 
becomes available, it is to be used to analyze traffic volume and 
patterns as well as to perform risk assessments. The analysis is to be 
used to support resource and staffing projections across the POEs, 
strategic planning for integrated border management analysis performed 
by the intelligence community, and determination of travel use levels 
and expedited traveler programs. 

Increment 2B and Increment 3 processes: 

Increments 2B and 3 deployed US-VISIT entry processing capabilities to 
land POEs. These two increments are similar to Increment 1 (air and sea 
POEs), with several noteworthy differences. 

* No advance passenger information is available to the inspector before 
the traveler arrives for inspection. 

* Travelers subject to US-VISIT are processed at secondary inspection, 
rather than at primary inspection. 

* Inspectors’ workstations use a single screen, which eliminates the 
need to switch between the TECS and IDENT screens. 

* Form I-94 data are captured electronically. The form is populated by 
data obtained when the machine-readable zone of the travel document is 
swiped. If visa information about the traveler exists in the Datashare 
database,[Footnote 57] it is used to populate the form. Fields that 
cannot be populated electronically are manually entered. A copy of the 
completed form is printed and given to the traveler for use upon exit. 

* No electronic exit information is captured. 

Component systems: 

US-VISIT Increments 1 through 3 include the interfacing and integration 
of existing systems and, with Increment 2C, the creation of a new 
system. The three main existing systems are as follows: 

Arrival and Departure Information System (ADIS) stores: 

* non-citizen traveler arrival and departure data received from air and 
sea carrier manifests, 

* arrival data captured by CBP officers at air and sea POEs, 

* Form I-94 issuance data captured by CBP officers at Increment 2B land 
POEs, 

* Form I-94 data captured at air and sea ports of entry, and 

* status update information provided by the Student and Exchange 
Visitor Information System (SEVIS) and the Computer Linked Application 
Information Management System (CLAIMS 3) (described below). 

ADIS provides biographic identity record matching, query, and reporting 
functions. 

The passenger processing component of the Treasury Enforcement 
Communications System (TECS) includes two systems: 

* Advance Passenger Information System (APIS) captures arrival and 
departure manifest information provided by air and sea carriers; and 

* Interagency Border Inspection System (IBIS) maintains lookout data 
and interfaces with other agencies’ databases. 

CBP officers use these data as part of the admission process. The 
results of the admission decision are recorded in TECS and ADIS. 

The Automated Biometric Identification System (IDENT) collects and 
stores biometric data on foreign visitors, including data such as: 

* Federal Bureau of Investigation information[Footnote 58] on all known 
and suspected terrorists, all active wanted persons and warrants, and 
previous criminal histories for visitors from high-risk countries; 

* DHS Immigration and Customs Enforcement information on deported 
felons and sex offender registrants; and 

* DHS information on previous criminal histories and previous IDENT 
enrollments. 

US-VISIT also exchanges biographic information with other DHS systems, 
including SEVIS and CLAIMS 3: 

* SEVIS is a system that contains information on foreign students; and 

* CLAIMS 3 is a system that contains information on foreign nationals 
who request benefits, such as change of status or extension of stay. 

Some of the systems involved in US-VISIT, such as IDENT and ADIS, are 
managed by the program office, while some systems are managed by other 
organizational entities within DHS. For example: 

* TECS is managed by CBP, 

* SEVIS is managed by Immigration and Customs Enforcement, and 

* CLAIMS 3 is under United States Citizenship and Immigration Services. 

US-VISIT also interfaces with other, non-DHS systems for relevant 
purposes, including watch list[Footnote 59] (i.e., lookout) updates and 
checks to determine whether a visa applicant has previously applied for 
a visa or currently has a valid U.S. visa. In particular, US-VISIT 
receives biographic and biometric information from State’s Consular 
Consolidated Database as part of the visa application process, and 
returns finger scan information and watch list changes. IDENT also 
receives data from FBI’s IAFIS fingerprint system. 

[End of Attachment 3] 

Attachment 4: Status of Prior GAO Recommendations: 

Recommendation: 1. Develop and approve complete test plans before 
testing begins. These plans, at a minimum, should (1) specify the test 
environment, including test equipment, software, material, and 
necessary training; (2) describe each test to be performed, including 
test controls, inputs, and expected outputs; (3) define the test 
procedures to be followed in conducting the tests; and (4) provide 
traceability between test cases and the requirements to be verified by 
the testing. (GAO-04-586); 
Included in plan: Yes; 
Status: Partially Implemented: The program office has developed and 
approved test plans for various system components, such as the US-
VISIT/IDENT Product Integration and the Unified IDENT Release 2 
Component/Assembly. Our analysis of these plans shows that they (1) 
specified the test environment, including test equipment, software, 
material, and necessary training; (2) described each test to be 
performed, including test controls, inputs, and expected outputs; (3) 
defined test procedures to be followed in conducting tests; and (4) 
provided traceability between test cases and the requirements to be 
verified by the testing. However, we were unable to verify that these 
plans were approved prior to testing. 

Recommendation: 2. Implement effective configuration management 
practices, including establishing a US-VISIT change control board to 
manage and oversee system changes. (GAO-04-586); 
Included in plan: Yes; 
Status: Implemented: The program office has developed a configuration 
control board that is responsible for, among other things, managing 
and overseeing system changes. The office has also developed a 
configuration management plan and begun implementing practices 
specified in the plan. For example, a project level configuration 
management plan was developed for Unique Identity and a change control 
request submitted and approved by the board. 

Recommendation: 3. Develop a plan, including explicit tasks and 
milestones, for implementing all of our open recommendations, including 
those provided in this report. The plan should provide for periodic 
reporting to the Secretary and Under Secretary on progress in 
implementing this plan. The Secretary should report this progress, 
including reasons for delays, in all future US-VISIT expenditure 
plans. (GAO-04-586); 
Included in plan: Yes; 
Status: Partially Implemented: US-VISIT audit coordination and 
resolution is governed by formal audit guidance and coordinated through 
an Integrated Project Team. The team has developed a plan that includes 
tasks and milestones for implementing GAO recommendations. The plan 
also provides for the periodic reporting to the Secretary and Under 
Secretary. Further, the status of efforts to address a number of GAO 
recommendations has been included in recent US-VISIT expenditure plans, 
although reasons for delays in implementing them have not. 

Recommendation: 4. Fully and explicitly disclose in all future 
expenditure plans how well DHS is progressing against the commitments 
that it made in prior expenditure plans. (GAO-05-202); 
Included in plan: No; 
Status: Partially Implemented: As discussed earlier in this briefing, 
while the fiscal year 2008 expenditure plan provides some information 
on how well DHS is progressing against commitments made in the fiscal 
year 2007 expenditure plan, it does not fully and explicitly disclose 
how well it is progressing against all previous commitments, and it 
describes progress in areas not committed to in the prior year’s plan. 

Recommendation: 5. Reassess its plans for deploying an exit capability 
to ensure that the scope of the exit pilot provides for adequate 
evaluation of alternative solutions and better ensures that the exit 
solution selected is in the best interest of the program. (GAO-05-202); 
Included in plan: Yes; 
Status: Implemented: The program office has reassessed its plans for 
deploying an exit capability. As a result of that assessment, the 
program office discontinued the US-VISIT exit pilots in May 2007. 

Recommendation: 6. Develop and implement processes for managing the 
capacity of the US-VISIT system. (GAO-05-202); 
Included in plan: Yes; 
Status: Implemented: The program has developed a capacity management 
handbook that provides guidance for managing system capacity and has 
incorporated the activities to be performed into its Universal Delivery 
Method. Further, the program office has begun implementing this 
guidance. For example, it has developed US-VISIT/IDENT business and 
service capacity baselines. 

Recommendation: 7. Follow effective practices for estimating the costs 
of future increments. (GAO-05-202); 
Included in plan: Yes; 
Status: Partially Implemented: According to the program office, they 
have (1) established a Cost Process Action Team, (2) defined cost 
estimation and analysis practices and processes, (3) developed 
processes for developing both program life cycle cost estimates and 
Independent Government Cost Estimates, and (4) conducted a self-
assessment of the program’s cost estimating practices against 
guidelines from the Software Engineering Institute. However, the 
program office has yet to provide documentation demonstrating that it 
is implementing its defined cost estimation practices. 

Recommendation: 8. Make understanding the relationships and 
dependencies between the US-VISIT and ACE programs a priority matter, 
and report periodically to the Under Secretary on progress in doing so. 
(GAO-05-202); 
Included in plan: Yes; 
Status: Implemented: The program office has been working with the DHS 
Screening and Coordination Office to, among other priorities, develop a 
greater understanding between US-VISIT and other programs, including 
ACE. Further, because the program is no longer organizationally within 
the Office of the Under Secretary, reporting on progress to the Under 
Secretary is no longer warranted. Instead, the Screening and 
Coordination Office, which reports directly to the Secretary and Deputy 
Secretary, is aware of progress in this area. 

Recommendation: 9. Explore alternative means of obtaining an 
understanding of the full impact of US-VISIT at all land POEs, 
including its impact on workforce levels and facilities; these 
alternatives should include surveying the sites that were not part of 
the previous assessment. (GAO-06-296); 
Included in plan: Yes; 
Status: Implemented: The program office reassessed its plans for 
deploying an exit capability to land POEs, and as a result, 
discontinued the demonstration project in November 2006. 

Recommendation: 10. For each US-VISIT contract action that the program 
manages directly, establish and maintain a plan for performing the 
contractor oversight process, as appropriate. (GAO-06-404); 
Included in plan: Yes; 
Status: Implemented: For contract actions that the program manages 
directly, and where it is appropriate for the program office to oversee 
contractor activities, the program office has established and maintains 
an oversight plan. For example, the program office has developed 
individual oversight plans for 10-Print, Unique Identity, Interim Data 
Sharing Model, and Independent Test and Support Evaluation Services. 
Each individual oversight plan describes the roles, responsibilities, 
and authorities involved in conducting contract administration and 
oversight of the contract action. 

Recommendation: 11. Develop and implement practices for overseeing 
contractor work managed by other agencies on the program office’s 
behalf, including (1) clearly defining roles and responsibilities for 
both the program office and all agencies managing US-VISIT-related 
contracts; (2) having current, reliable, and timely information on the 
full scope of contract actions and activities; and (3) defining and 
implementing steps to verify that deliverables meet requirements. (GAO-
06-404); 
Included in plan: Yes; 
Status: Implemented: The program office has developed and implemented 
practices for overseeing contractor work managed by other agencies on 
the program office’s behalf. Specifically, it has developed a 
contractor administration management plan that includes (1) clearly 
defining roles and responsibilities for both the program office and all 
agencies managing US-VISIT-related contracts; (2) having current, 
reliable, and timely information on the full scope of contract actions 
and activities; and (3) defining and implementing steps to verify that 
deliverables meet requirements. 

Recommendation: 12. Require, through agreements, that agencies managing 
contract actions on the program office’s behalf implement effective 
contract management practices consistent with acquisition guidance for 
all US-VISIT contract actions, including at a minimum, (1) establishing 
and maintaining a plan for performing contract management activities; 
(2) assigning responsibility and authority for performing contract 
oversight; (3) training the people performing contract oversight; (4) 
documenting the contract; (5) verifying that deliverables satisfy 
requirements; (6) monitoring contractor-related risk; and (7) 
monitoring contractor performance to ensure that the contractor is 
meeting schedule, effort, cost, and technical performance requirements. 
(GAO-06-404); 
Included in plan: Yes; 
Status: Implemented: The program office has amended the language used 
in its interagency agreements (IAA) to require agencies that manage 
contract actions on the program’s behalf to implement certain practices 
designed to strengthen contract management and oversight. These 
requirements are specified in the May 2007 US-VISIT Contracts 
Administration Management Plan and have been included in each of the 
IAAs. Specifically, each IAA specifies that the agent agency is to (1) 
establish and maintain a plan for performing contract management 
activities; (2) designate a contracting officer and contracting 
officer’s technical representative to manage all contractual actions; 
(3) train the people performing contract oversight; (4) document the 
contract; (5) verify that deliverables satisfy requirements; (6) 
monitor contractor-related risk; and (7) monitor contractor performance 
to ensure that the contractor is meeting schedule, effort, cost, and 
technical performance requirements. 

Recommendation: 13. Require DHS and non-DHS agencies that manage 
contracts on behalf of US-VISIT to (1) clearly define and delineate the 
US-VISIT work from non-US-VISIT work as performed by contractors; (2) 
record, at the contract level, amounts being billed and expended on US-
VISIT-related work so that these can be tracked and reported separately 
from amounts not for US-VISIT purposes; and (3) determine if they have 
received reimbursement from the program for payments not related to US-
VISIT work by contractors, and, if so, refund to the program any amount 
received in error. (GAO-06-404); 
Included in plan: Yes; 
Status: Partially Implemented: The program office reports that it has 
begun efforts to establish the processes that are to (1) ensure that 
both DHS and non-DHS agencies that manage contracts on behalf of the 
program clearly define and delineate the US-VISIT work from non-US-
VISIT work performed by contractors, (2) record, at the contract level, 
amounts being billed and expended on US-VISIT-related work so that 
these can be tracked and reported separately from amounts not for US-
VISIT purposes; and (3) determine if they have received reimbursement 
from the program for payments not related to US-VISIT work by 
contractors, and, if so, refund to the program any amount received in 
error; however, they have yet to demonstrate that these processes are 
in place and being used by all DHS and non-DHS agencies. 

Recommendation: 14. Ensure that payments to contractors are timely and 
in accordance with the Prompt Payment Act. (GAO-06-404); 
Included in plan: Yes; 
Status: Partially Implemented: The program office reports that it has 
begun efforts to establish the controls needed to ensure that payments 
to contractors are made timely and in accordance with the Prompt 
Payment Act. 

Recommendation: 15. Improve existing management controls for 
identifying and reporting computer processing and other operational 
problems as they arise at land POEs and ensure that these controls are 
consistently administered. (GAO-07-248); 
Included in plan: Yes; 
Status: Not Implemented: DHS has yet to implement improved management 
controls for identifying and reporting computer processing and other 
operational problems as they arise at land POEs or to implement a 
method for ensuring that these controls are consistently administered. 

Recommendation: 16. Develop performance measures for assessing the 
impact of US-VISIT operations specifically at land POEs. (GAO-07-248); 
Included in plan: Yes; 
Status: Not Implemented: DHS has yet to develop performance measures 
for assessing the impact of US-VISIT operations at land POEs. 

Recommendation: 17. As DHS finalizes the statutorily mandated report 
describing a comprehensive biometric entry and exit system for US-
VISIT, that it include, among other things, information on the costs, 
benefits, and feasibility of deploying biometric and nonbiometric exit 
capabilities at land POEs. (GAO-07-248); 
Included in plan: No; 
Status: Not Implemented: DHS reports that it has recently begun to 
develop the statutorily mandated report, and department officials said 
that they expect to issue it in early 2009. DHS officials stated that 
they expect it to include information on costs, benefits, and 
feasibility of biometric and nonbiometric exit capabilities at land 
POEs. 

Recommendation: 18. As DHS finalizes the statutorily mandated report 
describing a comprehensive biometric entry and exit system for US-
VISIT, that it include, among other things, a discussion of how DHS 
intends to move from a nonbiometric exit capability, such as the 
technology currently being tested, to a reliable biometric exit 
capability that meets statutory requirements. (GAO-07-248); 
Included in plan: No; 
Status: Not Implemented: DHS has recently begun to develop the 
statutorily mandated report, and department officials stated that it is 
to be issued in early 2009. DHS officials stated that they expect it to 
include a discussion on how it intends to move to a biometric exit 
capability at land ports of entry. 

Recommendation: 19. As DHS finalizes the statutorily mandated report 
describing a comprehensive biometric entry and exit system for US-
VISIT, that it include, among other things, a description of how DHS 
expects to align emerging land border security initiatives with US-
VISIT and what facility or facility modifications would be needed to 
ensure that technology and processes work in harmony. (GAO-07-248); 
Included in plan: No; 
Status: Not Implemented: DHS has recently begun to develop the 
statutorily mandated report, and department officials stated that it is 
to be issued in early 2009. DHS officials stated that they expect it to 
show how US-VISIT is to align with emerging land border initiatives as 
well as what facility modifications would be needed to ensure that 
technology and processes work in harmony. 

Recommendation: 20. Report regularly to the Secretary and to the DHS 
authorization and appropriations committees on the range of program 
risks associated with not having fully satisfied all expenditure plan 
legislative conditions, reasons why they were not satisfied, and steps 
being taken to mitigate these risks. (GAO-07-278); 
Included in plan: Yes; 
Status: Not Implemented: Program officials stated that they 
periodically brief authorization and appropriations committees on a 
range of program risks, including those associated with not having 
fully satisfied all expenditure plan legislative conditions, reasons 
why they were not satisfied, and steps being taken to mitigate these 
risks. However, they did not provide any verifiable evidence that these 
matters were discussed, and staff with the House and Senate 
appropriations committees that focus on US-VISIT told us that they are 
not aware of such briefings in which these matters were discussed. 

Recommendation: 21. Limit planned expenditures for exit pilots and 
demonstration projects until such investments are economically 
justified and until each investment has a well-defined evaluation plan. 
The projects should be justified on the basis of costs, benefits, and 
risks, and the evaluation plans should define what is to be achieved 
and should include a plan of action and milestones and measures for 
demonstrating achievement of pilot and project goals and desired 
outcomes. (GAO-07-278); 
Included in plan: Yes; 
Status: Implemented: The program office has limited planned 
expenditures in exit pilots and demonstration projects by reassessing 
its plans and discontinuing the exit pilots in May 2007 and the 
demonstration project in November 2006. 

Recommendation: 22. Work with the DHS Enterprise Architecture Board to 
identify and mitigate program risks associated with investing in new US-
VISIT capabilities in the absence of a DHS-wide operational and 
technological context for the program. These risks should reflect the 
absence of fully defined relationships and dependencies with related 
border security and immigration enforcement programs. (GAO-07-278); 
Included in plan: Yes; 
Status: Not Implemented: The program office provided DHS Enterprise 
Architecture Board meeting minutes. However, none of the meeting 
minutes provided contained information on identifying and mitigating 
program risks associated with investing in new US-VISIT capabilities in 
the absence of a DHS-wide technological context for the program. 

Recommendation: 23. Limit planned expenditures for program management-
related activities until such investments are economically justified 
and have well-defined plans detailing what is to be achieved, a plan of 
action and milestones, and measures for demonstrating progress and 
achievement of desired outcomes. (GAO-07-278); 
Included in plan: Yes; 
Status: Not Implemented: The program office has yet to provide either 
an economic justification or well-defined plans for its program 
management-related activities detailing what is to be achieved and 
including a plan of action and milestones and measures for 
demonstrating progress and achievement of desired outcomes. Moreover, 
the amount of funding for program management in FY2008 remains at the 
level mentioned in the FY2006 expenditure plan, which was the basis for 
this recommendation. 

Recommendation: 24. The Secretary of DHS report to the department’s 
authorization and appropriations committees on its reasons for not 
fully addressing its expenditure plan legislative conditions and our 
prior recommendations. (GAO-07-1065); 
Included in plan: Yes; 
Status: Not Implemented: Program officials stated that they 
periodically brief authorization and appropriations committees on 
program-related issues, including reasons for not having fully 
satisfied all expenditure plan legislative conditions and GAO 
recommendations. However, they did not provide any verifiable evidence 
that these matters were discussed, and staff with the House and Senate 
appropriations committees that focus on US-VISIT told us that they are 
not aware of such briefings in which these matters were discussed. 

Recommendation: 25. Develop a plan for a comprehensive exit capability, 
which includes, at a minimum, a description of the capability to be 
deployed, the cost of developing, deploying and operating the 
capability, identification of key stakeholders and their respective 
roles and responsibilities, key milestones, and measurable performance 
indicators. (GAO-08-361); 
Included in plan: No; 
Status: Partially Implemented: DHS recently issued a notice of proposed 
rulemaking for implementing an exit capability at air and sea POEs. 
This notice provides a high-level description of a proposed Air and Sea 
Exit solution, and an estimate of the cost to develop, deploy, and 
operate the solution. Further, it describes the roles and 
responsibilities of key stakeholders, such as air and sea carriers, and 
sets some performance indicators, such as when passenger biometrics are 
to be transmitted to DHS. However, as discussed in this briefing, this 
proposed solution raises a number of questions that need to be 
resolved. 

Recommendation: 26. Develop an analysis of costs, benefits, and risks 
for proposed exit solutions before large sums of money are committed on 
those solutions, and use the analysis in selecting the final solution. 
(GAO-08-361); 
Included in plan: No; 
Status: Partially Implemented: As noted earlier in this briefing, DHS’s 
Air and Sea Exit regulatory impact analysis analyzed the costs and 
benefits of the proposed solution and four alternatives, and DHS used 
this analysis in proposing its exit solution. However, the cost 
estimates that were used in this analysis were not sufficiently 
reliable to justify the proposed solution. 

Recommendation: 27. Direct the appropriate DHS parties involved in 
defining, managing, and coordinating relationships across the 
department’s border and immigration management programs to address the 
program collaboration shortcomings identified in this report, such as 
fully defining the relationships between US-VISIT and other immigration 
and border management programs and, in doing so, to employ the 
collaboration practices discussed in this report. (GAO-08-361); 
Included in plan: No; 
Status: Partially Implemented: DHS has yet to direct all of the 
appropriate parties involved in defining, managing, and coordinating 
relationships across the department’s border and immigration management 
programs to address the program collaboration shortcomings identified 
in this report and, in doing so, to employ the collaboration practices 
discussed in this report. Specifically, while US-VISIT has begun to 
coordinate with specific border and immigration management programs 
such as the Secure Border Initiative and Western Hemisphere Travel 
Initiative. 

[End of Attachment 4] 

[End of Appendix I] 

Appendix II: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

November 19, 2008: 

Randolph C. Hite: 
Director, Information Technology Architecture and Systems: 
U.S. Government Accountability Office: 
441 G Street, N.W.
Washington, D.C. 20548: 

Dear Mr. Hite: 

The Department of Homeland Security (DHS) is submitting this written 
response regarding the Government Accountability Office (GAO) 
recommendation contained in its report, U.S. Visitor and Immigrant 
Status Indicator Technology Program Planning and Execution Improvements 
Needed, 09-96. 

GAO Recommendation: 

To assist DHS in planning and executing US-VISIT, we recommend that the 
Secretary of Homeland Security direct the department's Investment 
Review Board to immediately hold a review of the US-VISIT program that, 
at a minimum, addresses: 

* The reasons for the fiscal year 2008 expenditure plan not fully 
addressing each of the legislative conditions and corrective action to 
ensure that this does not occur for future expenditure plans; 

* The adequacy of the basis for any future Air and Sea Exit solution, 
including the reliability of cost estimates, implication of privacy and 
security issues, and addressing key concerns raised in comments to the 
proposed rule; 

* The weaknesses in the program's implementation of risk management; 
and; 

* The weaknesses in the prime contractor's implementation of its earned 
value management, including the limitations in the quality of the 
schedule baselines and the schedule variance measurements. 

Response: 

DHS concurs with this recommendation. The DHS Investment Review Board 
will convene on November 17, 2008, for the purpose of reviewing the US-
VISIT program. The objectives of this review are to address the 
recommendation made in GAO-09-96. US-VISIT is prepared to discuss the 
following: 

* How the FY09 Spend Plan will address GAO concerns raised in the audit 
of the FY08 Spend Plan; 

* How the Air/Sea Exit solution will address GAO concerns regarding 
cost estimates, security and privacy of the solution and the level of 
detail for the solution; 

* How US-VISIT's improvements in risk management will address GAO 
concerns regarding the currency of the information in the risk 
management database, risk management plan and the elevation of risks; 
and; 

* How US-VISIT will continue its oversight and the Defense Contract 
Management Agency (DCMA) will perform periodic assessments of the 
contractor's progress toward compliance of the 32 published standards 
for earned value management. 

Additionally, GAO writes that Legislative Condition 4, regarding DHS 
investment management and OMB capital planning and investment control 
certification by the CPO, is only partially satisfied: 

DHS's investment management process is not sufficiently mature. As we 
reported in April 2007, this process does not satisfy the key practices 
outlined in the Information Technology Investment Management Framework, 
which is a maturity framework based on corporate investment management 
best practices employed by leading public and private sector 
organizations and is consistent with OMB capital planning and 
investment control requirements. In particular, we reported that: 

* DHS's process (policies and procedures) for project level management 
do not include all key elements, such as specific criteria or steps for 
prioritizing and selecting new investments. 

* DHS has not fully implemented the practices needed to control 
investments - at the project level or at the portfolio level, including 
regular project-level reviews by the DHS Investment Review Board. 

* DHS's process does not identify a methodology with explicit decision-
making criteria to determine an investment's alignment with the DHS 
enterprise architecture. 

DHS nonconcurs with this finding. On November 7, 2008, the DHS Under 
Secretary for Management signed out the interim operational policy for 
the investment control requirements. This policy provides for the 
following: 

* A DHS process (including policies and procedures) for project level 
management that includes all key elements, including specific criteria 
and steps for prioritizing and selecting new investments; 

* A set of practices to control investments at the project and 
portfolio level, including regular project-level reviews by the DHS 
Investment Review Board; and; 

* Identification of a methodology with explicit decision-making 
criteria to determine an investment's alignment with the DHS enterprise 
architecture. 

Lessons learned from the FY08 expenditure plan have prompted the 
Department to make adjustments in developing the FY09 spend plan. For 
example, greater visibility will be provided into operations and 
maintenance and program management planned expenditures; milestones 
will be provided and quantitative performance targets will be 
incorporated into planned accomplishments; mitigation plans for open 
GAO recommendations will also include milestones and the Department 
will make every effort to close out GAO's previous recommendations; and 
FY08 results will be reported for all planned accomplishments from the 
FY 08 plan. When fully executed it is our aim to fully satisfy the 
legislative conditions in accordance with the Consolidated 
Appropriations Act, 2008, Public Law No. 110-161. 

Sincerely, 

Signed by: 

Jerald E. Levine: 
Director: 
Departmental Audit Liaison Office: 

Attachment: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

November 7, 2008: 

Memorandum For: Distribution List 

From: [Signed by] Elaine C. Duke: 
Under Secretary for Management: 

Subject: Departmental Acquisition Management: 

As you know, I tasked the Acquisition Program Management Division 
(APMD) of the Office of the Chief Procurement Officer to re-engineer 
the Department's Investment Review Process (Management Directive (MD) 
1400). This re-engineering had, as its objective, improvement in 
acquisition management and oversight across the Department of Homeland 
Security (DHS) enterprise. APMD, in collaboration with Departmental and 
Component stakeholders, has developed and informally staffed the 
attached Directive (102-01). Because of the extensive coordination to 
date, this Directive is authorized as an interim policy effective 
today. In parallel with this interim authorization, Directive 102-01 
will be formally staffed through the Department's executive 
correspondence process. Changes resulting from this formal review 
(along with changes proposed by users as a result of initial 
implementation) will be incorporated in the policy prior to its 
completing this process. 

I appreciate the tremendous collaboration and inputs provided by your 
organizations throughout the development and informal staffing 
process - this resulting draft marks another critical milestone toward 
the integration of DHS. 

This Directive's overarching goal is to establish an acquisition 
management system that effectively provides required capability to DHS 
users in support of DHS missions. The Directive leverages proven 
management, governance, and oversight practices within the Department, 
streamlines the acquisition process, and addresses the issues and 
problems with the previous MD 1400. Specifically, it: 

* Creates a common acquisition policy across the Department; 

* Creates the Acquisition Decision Authority position as a single point 
of accountability; 

* Establishes a single, but tailorable life cycle framework for all 
acquisitions; and; 

* Delegates acquisition decision authority to Components wherever 
feasible. 

This Directive supersedes all versions of MD 1400; consequently, all 
previous versions of MD 1400 are hereby revoked. The Department is 
required to commence implementing the Directive's policies and align 
internal policies accordingly. Individual programs should transition to 
this policy at their next formal decision point, but not later than six 
months from the date of this memorandum. APMD will work with each 
Component or Headquarters contingent to establish a collaborative 
transition schedule for each acquisition portfolio. 

Training on this policy will be provided by cadres of individuals 
(trained by APMD) within each Component/Headquarters contingent. "Train-
the-Trainers" training began on November 5, and will continue until all 
who need instruction have attended. 

For further information, please contact John Higbee, Director, APMD at 
(202) 447-5398 or by e-mail at john.higbee@adhs.gov, or Page Glennie at 
(202) 447-5492 or by e-mail at page.glennie@dhs.gov. 

Attachment: 

Distribution List: 

Under Secretary, Science & Technology: 

Under Secretary, National Protection & Programs: 

Under Secretary, Intelligence & Analysis: 

Assistant Secretary, Policy: 

Assistant Secretary, Legislative Affairs: 

Assistant Secretary, Public Affairs: 

Assistant Secretary, Health Affairs/Chief Medical Officer: 

Assistant Secretary, Transportation Security Administration: 

Assistant Secretary, United States Immigration & Customs Enforcement: 

Commissioner, Customs and Border Protection: 

Commandant, United States Coast Guard: 

Administrator, Federal Emergency Management Agency: 

Director, Operations Coordination: 

Director, Counternarcotics Enforcement: 

Director, Federal Law Enforcement Training Center: 

Director, Domestic Nuclear Detection Office: 

Director, United States Citizenship & Immigration Services: 

Director, United States Secret Service: 

Ombudsman Citizenship & Immigration Services: 

Officer for Civil Rights & Civil Liberties: 

General Counsel (Acting): 

Inspector General: 

Military Advisor's Officer: 

Gulf Coast Region Office: 

Chief Financial Officer: 

Chief Information Officer: 

Chief Administrative Officer: 

Chief Procurement Officer: 

Chief Human Capital Officer: 

Chief Privacy Officer: 

Chief Security Officer: 

Director, Screening Coordination Office: 

Director, U.S. Visitor and Immigrant Status Indicator Technology: 

Director, Acquisition & Program Management Support Division, 
Transportation Security Administration: 

Director, Investment Management, Office of Finance, Customs and Border 
Protection: 

Chief Acquisition Support Office, United States Coast Guard: 

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Randolph C. Hite, (202) 512-3439, or hiter@gao.gov: 

Staff Acknowledgments: 

In addition to the individual named above, Tonia Johnson (Assistant 
Director), Bradley Becker, Season Dietrich, Neil Doherty, Jennifer 
Echard, Elena Epps, Nancy Glover, Rebecca LaPaze, Anjalique Lawrence, 
Anh Le, Emily Longcore, Lee McCracken, Freda Paintsil, Karl Seifert, 
and Jeanne Sung made key contributions to this report. 

[End of section] 

Footnotes: 

[1] Pub. L. No. 110-161, 121 Stat. 1844, 2059-60 (Dec. 26, 2007). 

[2] The briefing document includes a few minor editorial changes to 
clarify certain points. 

[3] The twelfth legislative condition--that the plan be reviewed by 
us--was satisfied. 

[4] GAO, Homeland Security: Strategic Solution for US-VISIT Program 
Needs to Be Better Defined, Justified, and Coordinated, [hyperlink, 
http://www.gao.gov/products/GAO-08-361] (Washington, D.C.: Feb. 29, 
2008). 

[5] GAO, Cost Assessment Guide: Best Practices for Estimating and 
Managing Program Costs, Exposure Draft, [hyperlink, 
http://www.gao.gov/products/GAO-07-1134SP] (Washington, D.C.: July 
2007), at p. 251. 

[6] Task order 7 provides for development and deployment of new 
capabilities. 

[7] Pub. L. No. 110-161 (Dec. 26, 2007). 

[8] Since fiscal year 2002, $2.22 billion has been appropriated for US-
VISIT. 

[9] This is the seventh legislatively-mandated US-VISIT expenditure 
plan. 

[10] As discussed in the scope and methodology section of this briefing 
(attachment 1), we sought clarification from staff with the House and 
Senate Appropriations Committees, Subcommittees on Homeland Security, 
on this condition. As a result, the wording of this condition has been 
modified slightly from that in the act. 

[11] For details on the processes underlying each increment and systems 
supplying information on US-VISIT, see attachment 3. 

[12] Radio frequency technology relies on proximity cards and card 
readers. Radio frequency devices read the information contained on the 
card when the card is passed near the device. The information can 
contain personal information of the cardholder. 

[13] An indefinite delivery/indefinite quantity contract provides for 
an indefinite quantity, within stated limits, of supplies or services 
during a fixed period of time. The government schedules deliveries or 
performance by placing orders with the contractor. 

[14] Accenture’s partners in this contract include, among others, 
Raytheon Company, the Titan Corporation, and SRA International, Inc. 

[15] Total value is the reported budget at completion as of May 2008. 

[16] This solution would not be applicable to vessel carriers because 
there are no TSA checkpoints at seaports. 

[17] GAO, Information Technology: Homeland Security Needs to Improve 
Entry Exit System Expenditure Planning, [hyperlink, 
http://www.gao.gov/products/GAO-03-563] (Washington, D.C.: June 9, 
2003) and Homeland Security: Some Progress Made, but Many Challenges 
Remain on U.S. Visitor and Immigrant Status Indicator Technology 
Program, [hyperlink, http://www.gao.gov/products/GAO-05-202] 
(Washington, D.C.: Feb. 23, 2005). 

[18] GAO, Homeland Security: U.S. Visitor and Immigrant Status 
Program’s Long-standing Lack of Strategic Direction and Management 
Controls Needs to Be Addressed, [hyperlink, 
http://www.gao.gov/products/GAO-07-1065] (Washington, D.C.: Aug. 31, 
2007). 

[19] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. 

[20] Office of Management and Budget Circular A-11, Part 7 establishes 
policy for planning, budgeting, acquisition, and management of federal 
capital assets. 

[21] GAO, Information Technology: DHS Needs to Fully Define and 
Implement Policies and Procedures for Effectively Managing Investments, 
[hyperlink, http://www.gao.gov/products/GAO-07-424] (Washington, D.C.: 
April 27, 2007). 

[22] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. 

[23] [hyperlink, http://www.gao.gov/products/GAO-07-424]. 

[24] GAO, Information Technology Investment: A Framework for Assessing 
and Improving Process Maturity, [hyperlink, 
http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March 
2004). 

[25] GAO, Homeland Security: First Phase of Visitor and Immigration 
Status Program Operating, but Improvements Needed, [hyperlink, 
http://www.gao.gov/products/GAO-04-586] (Washington, D.C.: May 11, 
2004). 

[26] Chief Information Officer Council, A Practical Guide to Federal 
Enterprise Architecture, Version 1.0, February 2001. 

[27] GAO, Information Technology: A Framework for Assessing and 
Improving Enterprise Architecture Management (version 1.1), [hyperlink, 
http://www.gao.gov/products/GAO-03-584G] (Washington, D.C.: April 
2003). 

[28] GAO, Homeland Security: Strategic Solution for US-VISIT Program 
Needs to Be Better Defined, Justified, and Coordinated, [hyperlink, 
http://www.gao.gov/products/GAO-08-361] (Washington, D.C.: Feb. 29, 
2008). 

[29] [hyperlink, http://www.gao.gov/products/GAO-03-584G]. 

[30] [hyperlink, http://www.gao.gov/products/GAO-07-424]. 

[31] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. 

[32] GAO, DOD Business Systems Modernization: Key Marine Corps System 
Acquisition Needs to Be Better Justified, Defined, and Managed, 
[hyperlink, http://www.gao.gov/products/GAO-08-22] (Washington, D.C.: 
July 28, 2008). 

[33] GAO, Homeland Security: Recommendations to Improve Management of 
Key Border Security Program Needs to Be Implemented, [hyperlink, 
http://www.gao.gov/products/GAO-06-296] (Washington, D.C.: Feb. 14, 
2006). 

[34] The US-VISIT Risk Management Plan separates the risk management 
process into five steps. The fourth step—risk handling—is the process 
of selecting and implementing responses to identified and prioritized 
risks. 

[35] [hyperlink, http://www.gao.gov/products/GAO-06-296]. 

[36] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. 

[37] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. 

[38] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. 

[39] GAO, Homeland Security: Prospects for Biometric US-VISIT Exit 
Capability Remains Unclear, [hyperlink, 
http://www.gao.gov/products/GAO-07-1044T] (Washington, D.C.: June 28, 
2007). 

[40] [hyperlink, http://www.gao.gov/products/GAO-08-361]. 

[41] As discussed in the scope and methodology section of this briefing 
(attachment 1), we sought clarification from staff with the House and 
Senate Appropriations Committees, Subcommittees on Homeland Security, 
on this condition. As a result, the wording of this condition has been 
modified slightly from that in the act. 

[42] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. 

[43] GAO, Homeland Security: Planned Expenditures for U.S. Visitor and 
Immigrant Status Program Need to be Adequately Defined and Justified, 
[hyperlink, http://www.gao.gov/products/GAO-07-278] (Washington, D.C.: 
Feb. 14, 2007). 

[44] GAO, Information Security: Homeland Security Needs to Immediately 
Address Significant Weaknesses in Systems Supporting the US-VISIT 
Program, [hyperlink, http://www.gao.gov/products/GAO-07-870] 
(Washington, D.C.: July 13, 2007). 

[45] These are the Air/Sea Exit, Secure Flight, the Electronic Travel 
Authorization System, and the Advance Passenger Information System-
Quick Query. 

[46] [hyperlink, http://www.gao.gov/products/GAO-06-296]. 

[47] OMB, Circular No. A-11, Part 7 Supplement - Capital Programming 
Guide, 2006, [hyperlink, 
http://www.whitehouse.gov/omb/circulars/a11/current_year/a_11_2006.pdf] 
(accessed June 16, 2008) and Software Engineering Institute, CMMI for 
Acquisition, Version 1.2, CMU/SEI-2007-TR-017 (Pittsburgh, PA; November 
2007). 

[48] GAO, Cost Assessment Guide: Best Practices for Estimating and 
Managing Program Costs, Exposure Draft, [hyperlink, 
http://www.gao.gov/products/GAO-07-1134SP] (Washington, D.C.: July 
2007). 

[49] Task order 7 has an approximate value of $141 million. 

[50] As agreed, our scope of work focused on the plan delivered to the 
House and Senate Appropriations Committees. 

[51] We did not attempt to validate the comments. 

[52] For observation 6, we used the Unique ID and Biometric Solutions 
Delivery subtasks of task order 7. These tasks covered 98 percent of 
the total value of task order 7 and the remaining 2 percent were 
related to subtasks issued in fiscal year 2008. 

[53] [hyperlink, http://www.gao.gov/products/GAO-07-278]. 

[54] US-VISIT is currently transitioning from scanning only the right 
and left index fingers to scanning all 10 fingers. 

[55] 8 U.S.C. § 1221(a). 

[56] The new 10-print process will also integrate this information with 
manifest data so that it is all represented on one screen. 

[57] Datashare includes a data extract from State’s Consular 
Consolidated Database system and includes the visa photograph, 
biographical data, and the fingerprint identification number assigned 
when a nonimmigrant applies for a visa. 

[58] Information from the Federal Bureau of Investigation includes 
fingerprints from the Integrated Automated Fingerprint Identification 
System. 

[59] Watch list data sources include DHS’s Customs and Border 
Protection and Immigration and Customs Enforcement; the Federal Bureau 
of Investigation; legacy DHS systems; the U.S. Secret Service; the U.S. 
Coast Guard; the Internal Revenue Service; the Drug Enforcement Agency; 
the Bureau of Alcohol, Tobacco, & Firearms; the U.S. Marshals Service; 
the U.S. Office of Foreign Asset Control; the National Guard; the 
Treasury Inspector General; the U.S. Department of Agriculture; the 
Department of Defense Inspector General; the Royal Canadian Mounted 
Police; the U.S. State Department; Interpol; the Food and Drug 
Administration; the Financial Crimes Enforcement Network; the Bureau of 
Engraving and Printing; and the Department of Justice Office of Special 
Investigations. 

[End of section] 
