This is the accessible text file for GAO report number GAO-11-276 
entitled 'Defense Biometrics: DOD Can Better Conform to Standards and 
Share Biometric Information with Federal Agencies' which was released 
on May 2, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Report to Congressional Requesters: 

March 2011: 

Defense Biometrics: 

DOD Can Better Conform to Standards and Share Biometric Information 
with Federal Agencies: 

GAO-11-276: 

GAO Highlights: 

Highlights of GAO-11-276, a report to congressional requesters. 

Why GAO Did This Study: 

Biometrics technologies that collect and facilitate the sharing of 
fingerprint records, and other identity data, are important to 
national security and federal agencies recognize the need to share 
such information. The Department of Defense (DOD) plans to spend $3.5 
billion for fiscal years 2007 to 2015 on biometrics. GAO was asked to 
examine the extent to which DOD has (1) adopted standards and taken 
actions to facilitate the collection of biometrics that are 
interoperable with other key federal agencies, and (2) shares 
biometric information across key federal agencies. To address these 
objectives, GAO reviewed documents including those related to 
standards for collection, storage, and sharing of biometrics; visited 
selected facilities that analyze and store such information; and 
interviewed key federal officials. 

What GAO Found: 

DOD has adopted a standard for the collection of biometric information 
to facilitate sharing of that information with other federal agencies. 
DOD recognized the importance of interoperability and directed 
adherence to internationally accepted biometric standards. DOD applied 
adopted standards in some but not all of its collection devices. 
Specifically, a collection device used primarily by the Army does not 
meet DOD adopted standards. As a result, DOD is unable to 
automatically transmit biometric information collected to federal 
agencies, such as the Federal Bureau of Investigation (FBI). For 
example, this device is responsible for 13 percent of the records 
maintained by DOD—the largest number of submissions collected by a 
handheld device, according to DOD. Further, this constitutes 
approximately 630,000 DOD biometric records that cannot be searched 
automatically against FBI's approximately 94 million. DOD has not 
taken certain actions that would likely improve its adherence to 
standards, all of which are based on criteria from the Standard for 
Program Management, the National Science and Technology Council, and 
the Office of Management and Budget guidance, respectively. First, DOD 
does not have an effective process, procedure, or timeline for 
implementing updated standards. Second, DOD does not routinely test at 
sufficient levels of detail for conformance to these standards. Third, 
DOD has not fully defined roles and responsibilities specifying 
accountability needed to ensure its collection devices meet new and 
updated standards. 

DOD is sharing its biometric information and has an agreement to share 
biometric information with the Department of Justice, which allows for 
direct connectivity and the automated sharing of biometric information 
between their biometric systems. DOD’s ability to optimize sharing is 
limited by not having a finalized sharing agreement with DHS, and its 
capacity to process biometric information. Currently, DOD and DHS do 
not have a finalized agreement in place to allow direct connectivity 
between their biometric systems. DOD is working with DHS to develop a 
memorandum of understanding to share biometric information now 
scheduled for completion in May 2011; however, without the agreement, 
it is unclear whether direct connectivity will be established between 
DOD and DHS, which affects response times to search queries. Further, 
agencies’ biometric systems have varying system capacities based on 
their mission needs, which affects their ability to similarly process 
each other’s queries for biometric information. As a result, DOD and 
other agency officials have expressed concern that DOD’s biometric 
system may be unable to meet the search demands from their other 
biometric systems over the long-term. DOD officials do not believe 
that they need to match other agencies’ biometric system capacities 
because they do not anticipate receiving the same number of queries 
given differences in mission. However, the advancements other agencies 
make in their biometric systems may continue to overwhelm DOD’s 
efforts as it works to identify its long-term biometric system 
capability needs and associated costs. 

What GAO Recommends: 

To improve DOD’s ability to collect and share information, GAO 
recommends that DOD implement processes for updating and testing 
biometric collection devices to adopted standards; fully define and 
clarify the roles and responsibilities for all biometric stakeholders; 
finalize an agreement with the Department of Homeland Security (DHS); 
and identify its long-term biometric system capability needs. DOD 
agreed with all of GAO’s recommendations. 

View [hyperlink, http://www.gao.gov/products/GAO-11-276] or key 
components. For more information, contact Davi M. D'Agostino, (202) 
512-5431 or dagostinod@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

DOD Has Adopted Biometric Collection Standards to Enhance 
Interoperability, but Taking Certain Actions Could Better Ensure 
Adherence to Standards: 

DOD Is Sharing Biometric Information but Sharing Is Limited by the 
Absence of an Agreement with DHS and DOD's System Capacity: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Scope and Methodology: 

Appendix II: Funding for DOD's Biometric Program: 

Appendix III: Comments from the Department of Defense: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Related GAO Products: 

Tables: 

Table 1: Agencies Where GAO Obtained Documentary Evidence and 
Officials' Views on the Collection, Use, Storage, and Sharing of 
Biometric Information: 

Table 2: Biometric Program Funding, Fiscal Year 2007 through Fiscal 
Year 2011: 

Table 3: Biometric Program Funding Fiscal Year 2012 through Fiscal 
Year 2015: 

Figures: 

Figure 1: DOD Collects Biometric Information from Persons Seeking 
Access to U.S. Installations in Iraq and Afghanistan and Persons 
Encountered by U.S. Forces during Military Operations: 

Figure 2: Timeline of DOD's Biometric Standard: 

Figure 3: Current Biometric Information-Sharing Connectivity between 
DOD, DOJ/FBI, and DHS/State: 

Figure 4: Desired Biometric Information-Sharing Connectivity between 
DOD, DOJ/FBI, and DHS/State: 

Abbreviations: 

ABIS: Automated Biometric Identification System: 

BIMA: Biometric Identity Management Agency: 

DHS: Department of Homeland Security: 

DOD: Department of Defense: 

DOD EBTS: Department of Defense Electronic Biometric Transmission 
Specification: 

DOJ: Department of Justice: 

FBI: Federal Bureau of Investigation: 

HIIDE: Handheld Interagency Identity Detection Equipment: 

IAFIS: Integrated Automated Fingerprint Identification System: 

IDENT: Automated Biometric Identification System: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

March 31, 2011: 

Congressional Requesters: 

The U.S. government continues in its efforts to positively identify 
those individuals who may do harm to its citizens, whether discovered 
at the border, airports, military installations, and during operations 
around the world, or as a result of criminal investigations. 
Biometrics technologies that collect and facilitate the sharing of 
fingerprint records, iris scans, and other data, play an important 
role as a tool to protect national security, and federal agencies 
increasingly recognize the need to share terrorism-related biometric 
information. Challenges to national security arise from multiple 
sources, which make it difficult, if not impossible, for any single 
agency to effectively address these new threats alone. In that sense, 
effective collaboration among multiple agencies and across federal, 
state, and local governments is critical. 

On June 5, 2008, the President issued a new national security 
directive establishing a governmentwide framework for the sharing of 
biometric information.[Footnote 1] This directive requires federal 
agencies to use compatible methods and procedures in the collection, 
storage, use, analysis, and sharing of biometric information, among 
other things. In November 2008, as a response to the Presidential 
directive, the Department of Justice (DOJ) in coordination with the 
Department of State (State), the Department of Homeland Security 
(DHS), and the Department of Defense (DOD), among others, developed an 
action plan to recommend actions and timelines for enhancing the 
existing identification and screening processes by expanding the use 
of biometrics. 

DOD, DOJ (including the Federal Bureau of Investigation (FBI)), DHS, 
and State collect biometric information to meet their missions. Prior 
to the issuance of National Security Presidential Directive-
59/Homeland Security Presidential Directive-24, these agencies had 
established formal and informal arrangements regarding the sharing of 
information among three major biometric systems: (1) the FBI's 
Integrated Automated Fingerprint Identification System (IAFIS), which 
is used for law enforcement purposes; (2) DHS's Automated Biometric 
Identification System, known as IDENT, which is used by the department 
in cooperation with its components for several missions and functions 
including border security, naturalization, and counterterrorism 
activities, as well as State as part of its visa approval process; and 
(3) DOD's Automated Biometric Identification System, known as ABIS, 
which stores biometric information collected on non-U.S. persons. 
[Footnote 2] These agencies have implemented policies that use 
standards to facilitate the sharing of information among the three 
systems.[Footnote 3] According to officials at DOD, DHS, and FBI, 
efforts continue to ensure that biometric information is captured so 
it can be shared by these three biometric systems, and efforts 
continue to ensure that National Security Presidential Directive-
59/Homeland Security Presidential Directive-24 is implemented. DOD's 
Biometric Identity Management Agency (BIMA) is responsible for DOD's 
activities to program, integrate, and synchronize biometric 
technologies and capabilities, including the operation and maintenance 
of ABIS. The Handheld Interagency Identity Detection Equipment (HIIDE) 
is one of several biometric collection devices that feed ABIS with 
collected biometric information, including that from enemy combatants. 
According to funding figures provided by DOD, about $3.5 billion has 
been or will be spent to fund its biometrics programs from fiscal year 
2007 through fiscal year 2015. More detailed information on funding 
for DOD's biometric program appears in appendix II. 

We have previously reported on DOD's management of its biometrics 
activities, its efforts to collect and share biometrics information to 
support military activities, and gaps in the interagency information 
sharing effort.[Footnote 4] In light of the continued importance of 
biometrics, and its impact on DOD's and other federal agencies' 
abilities to protect the homeland, you asked us to examine several 
matters related to biometrics, including standards and interagency 
processes for sharing biometric information. Accordingly, our 
objectives were to assess the extent to which DOD (1) adopted 
standards and has taken actions to facilitate the collection of 
biometrics that are interoperable with other key federal agencies and 
(2) shares biometric information across key federal agencies. 

DOD, DOJ, State, and DHS rely on three major federal biometric systems 
as part of preventing terrorists and criminals from harming national 
security. Our review, therefore, obtained information from these four 
agencies, with special focus on DOD. We also confined our review to 
biometric information related to non-U.S. persons, including enemy 
combatants, and foreign persons of interest as national security 
threats as well as persons who are local nationals, third-country 
nationals or contractors, or coalition forces. In addition, we did not 
evaluate the technical performance of collection devices used to 
gather identity information. 

To conduct this review, we analyzed Presidential directives related to 
biometrics information, DOD's biometric capability documents, 
standards for the collection, storage, and sharing of biometrics 
issued by standards organizations such as the National Institute of 
Standards and Technology, and interviewed officials from DOD, DHS, 
DOJ, and State that collect and share biometric information. We 
conducted site visits to a selection of facilities that gather, 
analyze, and store biometric information, including the Army's 
National Ground Intelligence Center, the Army's Biometric Identity 
Management Agency, and the FBI's Criminal Justice Information Services 
complex. We also met with U.S. Central Command and U.S. Special 
Operations Command officials to obtain their views on how these two 
combatant commands had operationalized the collection of biometric 
information. More detailed information on our scope and methodology 
appears in appendix I. 

We conducted this performance audit from December 2009 through March 
2011, in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

Background: 

The FBI, DHS, and DOD are responsible for managing and maintaining the 
following major biometric systems: 

(1) FBI's Integrated Automated Fingerprint Identification System 
(IAFIS). Established in July 1999 and managed by the FBI's Criminal 
Justice Information Services division, IAFIS is a national fingerprint 
and criminal history system that stores, searches, matches, and shares 
fingerprints. The FBI is currently in the process of transitioning 
from IAFIS to the Next Generation Identification system, which will 
include an expansion to biometrics storage and search capabilities for 
fingerprints; scars, marks, and tattoos; faces; irises; and palms. The 
Next Generation Identification system is a multiyear effort with six 
increments that is expected to be completed by 2014. 

(2) DHS's Automated Biometric Identification System (IDENT). 
Established in 1994 and managed by the United States Visitor and 
Immigrant Status Indicator Technology program, which falls under the 
purview of the National Protection and Programs Directorate within 
DHS, IDENT is used by DHS and State for many purposes including border 
security, information on persons undergoing naturalization and visa 
processes, and in the agencies' counterterrorism efforts. IDENT 
stores, searches, matches, and shares fingerprints.[Footnote 5] 
According to DHS officials, the department is beginning to look at the 
collection of irises and has a goal to begin collecting iris images 
and facial biometrics by 2013. 

(3) DOD's Automated Biometric Identification System (ABIS). 
Established in July 2004 and managed by the Biometrics Identity 
Management Agency (BIMA, formerly the Biometric Task Force)--which 
falls under the purview of the Army--ABIS information is used by DOD 
to identify and verify non-U.S. persons as friend, foe, or neutral, 
and to help determine if the individual poses a threat or potential 
threat to national security. BIMA updated ABIS to the Next Generation 
ABIS in January 2009, which stores, searches, matches, and shares 
face, fingerprint, iris, palm, and latent fingerprint biometrics. 

Several DOD organizations are involved in the management of the 
biometrics program and in developing guidance on the collection and 
sharing of biometric information. In July 2000, Congress designated 
the Secretary of the Army as the Executive Agent for Defense 
Biometrics. Subsequently, the Secretary of the Army designated the 
Director of the Army's Biometrics Task Force as the Executive Manager 
for Biometrics making this office responsible for developing guidance 
for collecting and processing biometric information. In March 2010, 
the Biometric Task Force's name was changed and it became the 
Biometrics Identity Management Agency. Additionally, DOD appointed the 
Director, Defense Research and Engineering, as the Principal Staff 
Assistant for Biometrics. In February 2008, DOD issued a biometrics 
directive identifying organizational roles and authorities for 
managing biometrics.[Footnote 6] 

Within DOD, biometric capabilities were initially used in the late 
1990s as a tool to protect U.S. forces in Korea, and in Kosovo as an 
intelligence tool. Since the September 11, 2001, terrorist attacks, 
DOD's mission has included military operations in both Iraq and 
Afghanistan--where a biometric system was used to protect U.S. 
soldiers and allies from an unidentified enemy by screening and 
vetting non-U.S. persons. DOD collects biometric information from 
persons seeking access to U.S. installations in Iraq and Afghanistan, 
detainees, and persons encountered by U.S. forces during military 
operations. (See figure 1 below.) In January 2007, DOD issued a 
memorandum stating that DOD would immediately adopt the practice of 
sharing unclassified DOD biometric information collected from non-U.S. 
persons[Footnote 7] with other U.S. departments and agencies having a 
counter-terrorism mission.[Footnote 8] DOD considers the variety of 
mission-needs for collecting biometric information, such as 
counterintelligence screening, and detainee management and 
interrogation, and in business operations, such as base access control 
to verify Common Access Card credentials, which take place in a combat 
environment.[Footnote 9] However, DOD's reasons to collect biometric 
data continuously change as DOD's role evolves wherever military 
operations are under way; whether in a desert environment fighting 
insurgents or on the high-seas fighting piracy. 

Figure 1: DOD Collects Biometric Information from Persons Seeking 
Access to U.S. Installations in Iraq and Afghanistan and Persons 
Encountered by U.S. Forces during Military Operations: 

[Refer to PDF for image: 3 photographs] 

DOD servicemembers collect biometrics from a non-U.S. engineer for 
access purposes. 

DOD servicemembers collect an Iraqi man's biometrics during a mission 
to prevent smuggling. 

DOD servicemembers collect biometrics on volunteers in Iraq for 
security purposes. 

Source: BIMA (photos). 

[End of figure] 

DOD's directive that describes the purpose, scope, policy, and 
responsibilities for the biometrics program uses terms defined by the 
National Science and Technology Council Subcommittee on Biometrics 
Glossary.[Footnote 10] Included in the list of terms and their 
respective definitions are the following. 

* Collect--capture biometric and related contextual data from an 
individual, with or without his or her knowledge. Create and transmit 
a standardized, high-quality biometric file consisting of a biometric 
sample and contextual data to a data source for matching. 

* Match--for the purpose of DOD's Directive on biometrics, the process 
of accurately identifying or verifying the identity of an individual 
by comparing a standardized biometric file to an existing source of 
standardized biometric data. Matching consists of either one to one 
(verification) or one to many (identification) searches. 

* Share--exchange standardized biometric files and match results among 
approved DOD, interagency, and multinational partners in accordance 
with applicable law and policy. 

* Store--the process of enrolling, maintaining, and updating biometric 
files to make available standardized, current biometric information on 
individuals when and where required. 

To achieve interoperability, policies and implementation guidance on 
the collection, storage, and sharing of information should be created 
to ensure compatible implementation of systems based on standards. 
Standards are developed by Standards Development Organizations, 
including the National Institute of Standards and Technology, to 
provide rules and guidelines to promote interoperability among various 
systems, including biometric systems. Standards Development 
Organizations also provide rules and guidelines for testing biometrics 
and for testing conformance to biometric standards. Standards are 
generally developed through a consensus process that includes the 
input of various stakeholders from various sectors such as government, 
academia, and industry. Federal agencies, such as DOD, adopt standards 
developed by Standards Development Organizations. For example, DOD 
used standards recommended by the American National Standards 
Institute and the National Institute of Standards and Technology as a 
basis to develop DOD's Electronic Biometric Transmission Specification 
(DOD EBTS). 

DOD Has Adopted Biometric Collection Standards to Enhance 
Interoperability, but Taking Certain Actions Could Better Ensure 
Adherence to Standards: 

DOD has adopted standards for collection of biometric information to 
facilitate sharing of that information with other federal agencies. 
DOD recognized the importance of such interoperability and directed 
adherence to internationally accepted biometric standards. Moreover, 
DOD has applied the standards to some of its collection devices. 
However, DOD has not applied the adopted standards to the Army's 
primary handheld collection device used in Iraq and Afghanistan. As a 
result, DOD is unable to automatically transmit information collected 
by this device, which is about 13 percent of approximately 4.8 million 
biometric records maintained by DOD, to federal agencies, such as the 
FBI. Further, DOD has not taken certain actions that would help ensure 
its collection devices meet new and updated standards. First, DOD does 
not have an effective process, procedure, or timeline for implementing 
updated standards. Second, DOD does not routinely test devices at 
sufficient levels of detail for conformance to these standards. Third, 
DOD has not fully defined roles and responsibilities that specify 
accountability needed to ensure its collection devices meet new or 
updated standards. 

DOD Has Adopted Standards to Enhance Interoperability with Other 
Federal Agencies: 

DOD adopted a standard--DOD EBTS--to facilitate the collection of 
biometrics and to enhance interoperability of biometrics collected by 
DOD with other federal agencies' biometric systems.[Footnote 11] The 
first version, DOD EBTS version 1.0, was published on August 19, 2005, 
and the standard has since been updated three times, with the most 
recent update, DOD EBTS version 2.0, adopted for use by DOD in April 
2010.[Footnote 12] (See figure 2 for timeline of DOD's biometric 
standard.) These DOD standards are based on recommended standards from 
the American National Standards Institute and the National Institute 
of Standards and Technology; these standards are also used by the FBI 
as the basis for its mission-specific requirements.[Footnote 13] The 
conformance of biometric collection devices to standards promotes 
their interoperability with biometric systems within DOD and with 
other federal agencies, though it does not guarantee interoperability. 

Figure 2: Timeline of DOD's Biometric Standard: 

[Refer to PDF for image: illustrated timeline] 

February 2, 2004: 
DOD’s Chief Information Officer issued a memorandum entitled "DOD 
Compliance with the Internationally Accepted Standard for Electronic 
Transmission and Storage of Fingerprint Data from 'Red Force' 
Personnel." 

August 19, 2005: 
The DOD Electronic Biometric Transmission Specification version 1.0 
was issued. 

August 23, 2005: 
The DOD Electronic Biometric Transmission Specification version 1.1 
was issued. 

November 29, 2005: 
The U.S. Army’s Chief Information Officer issued a memorandum entitled 
“Department of Defense Compliance with the Electronic Biometric 
Transmission Specification.” 

November 8, 2006: 
The DOD Electronic Biometric Transmission Specification version 1.2 
was issued. 

February 21, 2008: 
DOD Undersecretary of Defense for Acquisition, Technology, and 
Logistics published DOD Directive 8521.01E, “Department of Defense 
Biometrics.” 

March 27, 2009: 
The DOD Electronic Biometric Transmission Specification version 2.0 
was issued. 

Source: GAO analysis of DOD documents. 

[End of figure] 

Prior to adopting DOD EBTS in 2005, DOD had recognized the importance 
of interoperability and directed adherence to internationally accepted 
biometric standards. According to a February 2004 memorandum from 
DOD's Chief Information Officer on DOD compliance with international 
standards, standardization and interoperability are important for 
success in fighting terrorism. Success, the memorandum continued, 
could be enhanced with systems that communicate and share fingerprint 
data on "red force" personnel, such as detainees, enemy combatants, 
and foreign persons of interest as national security threats, with 
other U.S. government systems.[Footnote 14] Further, DOD's Chief 
Information Officer directed that all new and upgraded DOD biometric 
collection devices used to collect certain data[Footnote 15] must 
conform to the FBI's mission-specific requirement and the devices must 
be certified as interoperable with the FBI's biometric systems. 

In November 2005, the Army's Chief Information Officer reiterated the 
importance of standardization and interoperability of DOD's biometric 
systems in fighting terrorism and stated that conformance to standards 
strengthens DOD's abilities to fulfill its missions.[Footnote 16] The 
memorandum further stated that all new or updated DOD collection 
devices must meet the DOD EBTS standard and be interoperable with 
DOD's biometric system ABIS. Consistent with the Army's position on 
interoperability, the DOD Directive on Biometrics, issued in February 
2008, stated that collection and transmission of biometric information 
shall be controlled through the use of DOD adopted standards to 
enhance consistency and interoperability of biometric information. 
[Footnote 17] A 2009 Joint Interoperability report, which reviewed 
selected biometric systems that interfaced with DOD's ABIS and 
analyzed data collected by these systems for conformance issues that 
have an impact on interoperability, stated that several DOD biometric 
collection devices meet DOD adopted standards.[Footnote 18] For 
example, the Guardian, Fusion, and Secure Electronic Enrollment Kit 
for Identification all meet the EBTS standard current at the time of 
the report, specifically, EBTS version 1.2. 

DOD Has Not Taken Certain Actions Needed to Help Ensure New and 
Updated Standards Are Implemented: 

DOD has not taken certain actions necessary to help ensure that its 
collection devices adhere to new and updated standards, including not 
having an effective process, procedure, or timeline for implementing 
updated standards, not routinely testing collection devices at 
sufficient levels of detail for conformance to these standards, and 
not fully defining roles and responsibilities to ensure 
accountability. For example, a collection device used by the Army to 
meet an urgent need in 2005 and currently still in use in Iraq and 
Afghanistan, did not meet the standard current at the time of the 2009 
Joint Interoperability report, and according to DOD officials, 
continues to not adhere to DOD EBTS version 1.2 or the more current 
version 2.0. As of late 2009, this collection device, known as the 
Handheld Interagency Identity Detection Equipment or HIIDE, continued 
to be purchased by DOD. According to DOD officials, DOD continues to 
use the HIIDE because it meets DOD's mission needs and since it was 
developed as an urgent mission need for Central Command to collect and 
authenticate the identity of individuals, it does not have to adhere 
to DOD's information technology standards. Those standards are 
included in the DOD Information Technology Standards Registry, the 
central repository for DOD-approved information technology standards, 
and are mandated for programs of record for biometric technologies, 
which are considered permanent capabilities. Therefore, urgent needs do 
not have to adhere to DOD adopted standards. According to information 
provided by BIMA about the composition of ABIS as of September 2010, 
the HIIDE device is responsible for the collection of 13 percent of 
the biometric records in ABIS, the largest number of submissions by a 
handheld device. 

Because the HIIDE device does not conform to standards, DOD cannot 
seamlessly share biometric information from this device with other 
federal agencies. For example, of the approximately 4.8 million 
biometric records maintained by DOD, approximately 630,000 HIIDE 
biometric records cannot be searched automatically against the 
approximately 94 million biometric records in the FBI's system. 
Further, if the biometric information collected by the HIIDE is not 
stored in the FBI IAFIS system, DHS loses the benefit of searching its 
119 million biometric records against HIIDE information as well. Both 
DOD and DHS access FBI's IAFIS in order to share information. 
Therefore, if FBI does not have access to DOD information, for 
example, HIIDE biometric records, then neither does DHS when they 
search against IAFIS. However, according to DHS and DOD officials, DOD 
manually provides biometric records of individuals on its watch list, 
which can include HIIDE-collected biometric information. These records 
are then manually added to DHS's IDENT. Without biometric collection 
devices that conform to DOD adopted standards, DOD limits its and 
federal partners' ability to identify potential criminals or 
terrorists who have biometric records in other federal agencies' 
biometric systems. 

DOD Does Not Have an Effective Process, Procedure, or Timeline for 
Implementing Updated Standards: 

DOD would benefit from establishing or communicating a process, 
procedure, or timeline for implementing updated standards for 
biometric collection devices that are in the acquisition process. 
Although DOD has updated its EBTS standard several times, most 
recently from DOD EBTS version 1.2 to DOD EBTS version 2.0 in April 
2010, it has not established or communicated to biometric stakeholders 
a process, procedure, or timeline for implementing the updated 
standard for biometric collection devices that are in the acquisition 
process. The Standard for Program Management states a program should 
adhere to technical standards, and should be managed as these 
technical standards are updated.[Footnote 19] However, DOD did not 
provide the date that the most recently updated DOD EBTS standard 
would be mandated in a clear and timely way to ensure that military 
services responsible for acquiring biometric capabilities could plan 
to implement the updated standard on collection devices that were 
already in DOD's acquisition process.[Footnote 20] For example, the 
Navy's acquisition of a collection device has been disrupted by late 
and conflicting information about when to conform to the new or 
updated standard. Prior to the adoption of DOD EBTS 2.0, the Navy, in 
November 2009, requested that BIMA provide information on which 
version of the EBTS standard to implement in its collection device 
that was already in the acquisition process. The Navy specifically 
requested in a letter that this information be provided by February 
26, 2010, prior to major development milestones for the collection 
device, occurring in March 2010, to ensure that the device would meet 
the correct version of the standard. However, BIMA did not provide 
information to the Navy on the effective date of the updated standard 
or which version of the standard to implement in the device until a 
month after the device had reached the development milestones. In 
addition, DOD provided contradicting information to the Navy. On April 
2, 2010, BIMA recommended the Navy use DOD EBTS version 1.2 for the 
standard for the collection device, but on the same day, the new DOD 
EBTS version 2.0 standard was adopted through the DOD Information 
Technology Standards Registry, the central repository for DOD-approved 
information technology standards, as the biometric standard for use in 
all collection devices. 

According to BIMA, additional guidance was not necessary for the 
current update to the DOD EBTS 2.0 standard because biometric 
stakeholders knew about the update since DOD EBTS version 2.0 was an 
emerging standard. BIMA also stated that emerging standards are 
provided to help military services plan for updates to DOD adopted 
standards, and an emerging standard should become a DOD adopted 
standard within 3 years. However, without timely guidance that 
documents and communicates a process, procedure, or timeline for 
updating biometric capabilities from one version of a standard to 
another, the military services may continue to lack accurate 
information that is necessary to implement new or updated standards 
during the acquisition process. Specifically, military services may 
not have information on when an emerging DOD standard will become 
mandated[Footnote 21] within the 3-year time frame, but must ensure 
that collection devices being developed conform to the DOD mandated 
standard, not the emerging standard. The Army established the 
Biometrics Standards Working Group based on the 2008 biometric 
directive that, among other activities, it should provide guidance for 
consistent standards implementation; however, the 2009 DOD joint 
interoperability assessment found that DOD lacked a process beyond the 
Working Group to address the impact of changes to the DOD adopted 
standards. Further, absent such a process, procedure, or timeline to 
manage the update to new standards, the military services may also 
face increased costs in developing biometric collection devices when 
time frames for the update of standards are not documented or managed. 
Service officials said that the Navy's collection device would have to 
be updated to the new version of EBTS at the next major development 
milestone, incurring an additional cost for the development of the 
collection device. Navy officials estimate that the service will incur 
$3.4 million in additional costs because of the delay. 

DOD Does Not Routinely Test Devices at Sufficient Levels of Detail for 
Conformance to These Standards: 

DOD tests collection devices for conformance to adopted standards, but 
testing efforts have not always been at a sufficient level of detail 
or integrated to facilitate interoperability across DOD and federal 
agencies.[Footnote 22] The National Science & Technology Council's 
policy for enabling the development, adoption, and use of biometric 
standards acknowledges that the capability to share biometric 
information will be dependent on rigorous conformance testing. 
[Footnote 23] BIMA conducts standards conformance testing to evaluate 
conformance of collection devices to DOD adopted standards, but the 
2009 joint interoperability assessment found that conformance testing 
efforts have not been integrated and formalized into the biometric 
enterprise's processes and procedures that are necessary to facilitate 
interoperability across DOD and with interagency partners. In 
addition, a BIMA official told us that the conformance testing done at 
BIMA is not sufficiently detailed to ensure that collection devices 
conform to DOD adopted standards. Since certain DOD collection devices 
were acquired to meet urgent needs, DOD may have relied on vendors to 
provide devices that purport to, but may not, conform to DOD adopted 
standards. Without an integrated and formalized process for 
sufficiently detailed conformance testing, DOD has no mechanism to 
hold vendors accountable for ensuring that biometric collection 
devices meet DOD adopted standards. 

DOD issued a biometrics program directive in February 2008, and a 
companion draft instruction could provide some guidelines, including 
on the testing of biometric collection devices for conformance to 
standards and interoperability.[Footnote 24] Based on our review of 
the draft instruction, though, it is unclear whether it will provide 
guidance on a process that holds DOD biometric stakeholders 
accountable for collection devices that conform to standards. Without 
a process that ensures collection devices are tested at a sufficiently 
detailed level to conform to DOD adopted standards and that holds DOD 
biometric stakeholders accountable for device conformance, DOD limits 
its ability to collect biometric information that is interoperable 
with other federal agency systems. 

DOD Has Not Fully Defined Roles and Responsibilities Specifying 
Accountability Needed to Ensure Its Collection Devices Meet New and 
Updated Standards: 

DOD has a biometric program directive, but could more fully define the 
roles and responsibilities of DOD entities with the intention of 
instilling accountability for ensuring its collection devices meet new 
or updated standards. The Office of Management and Budget guidance on 
establishing internal controls emphasizes that agencies should ensure 
accountability for results, and our work on internal controls states 
that defined roles and responsibilities are needed to achieve an 
organization's mission.[Footnote 25] 

DOD's February 2008 biometric program directive assigned some roles 
and responsibilities to DOD biometric stakeholders, such as 
designating the Office of the Director for Defense, Research and 
Engineering, as the Principal Staff Assistant responsible for 
oversight of DOD biometrics programs and policies.[Footnote 26] 
However, based on our review of the directive and according to agency 
officials, DOD has not fully clarified the differing responsibilities 
that each DOD biometric stakeholder has in ensuring that collection 
devices conform to adopted standards. In addition, according to DOD 
officials, DOD has not clarified roles and responsibilities for DOD 
biometrics and this has caused confusion related to overlapping 
responsibilities and accountability within Army entities, such as 
whether BIMA can send requirements for acquiring biometrics 
capabilities directly to the program manager or whether such 
requirements should be provided by Army officers and staff responsible 
for operational requirements. The Office of Management and Budget's 
guidance on establishing internal controls emphasizes that agencies 
should design management structures for programs to help ensure 
accountability for results.[Footnote 27] Moreover, GAO's Standards for 
Internal Control in Federal Government states that management 
structures should establish and document roles and responsibilities 
needed to achieve an organization's mission and objectives, and that 
such documentation should be approved, current, and binding on all 
appropriate stakeholders.[Footnote 28] 

DOD recognized that further guidance may be needed to implement the 
biometrics directive and began developing a draft instruction that 
would clarify the roles and responsibilities of DOD biometric 
stakeholders. However, the instruction has been in draft since 2008, 
and continues to be in draft as of February 2011. A DOD official told 
us that the instruction is being updated to include a larger oversight 
role for the Office of the Director for Defense, Research and 
Engineering, especially for oversight of the Army's role as DOD's 
biometrics Executive Agent. It is not clear that DOD's draft 
instruction, when completed, will improve stakeholders' understanding 
of roles and responsibilities for DOD biometric activities. For 
example, with the March 2010 DOD change of the Biometrics Task Force 
to BIMA it is unclear if the new instruction would include redefined 
roles and responsibilities associated with BIMA. DOD officials told us 
that the only documentation they received about the change of the 
Biometrics Task Force to BIMA was a memorandum in March 2010 that 
simply stated the name change, but contained no additional information 
on roles and responsibilities. Further, DOD documents that could 
provide some clarity to roles and responsibilities by assigning 
specific actions to DOD biometric stakeholders have not been updated 
to reflect the change, such as the Biometric Enterprise Strategic Plan 
2008-2015 and the corresponding Implementation Plan. According to BIMA 
officials, both the Biometric Enterprise Strategic Plan and its 
corresponding Implementation Plan are currently being revised. DOD has 
an opportunity to further clarify roles and responsibilities through 
its implementing instruction to help ensure that collection devices 
are interoperable with other federal agencies. 

DOD Is Sharing Biometric Information but Sharing Is Limited by the 
Absence of an Agreement with DHS and DOD's System Capacity: 

DOD is sharing its biometric information and has an agreement to share 
biometric information with DOJ, which allows for direct connectivity 
and the automated sharing of biometric information between their 
biometric systems. However, DOD's ability to optimize sharing is 
limited by not having a finalized sharing agreement with DHS,[Footnote 29] 
and its capacity to process biometric information. Currently, DOD 
and DHS do not have a finalized agreement in place to allow direct 
connectivity between their biometric systems, due to the need for 
additional reviews of the proposed agreement by certain DHS officials, 
among others. DOD is working with DHS to develop a memorandum of 
understanding to share biometric information, now scheduled for 
completion in May 2011; however, without the agreement, it is unclear 
whether direct connectivity will be established between DOD and DHS, 
which affects response times to search queries. In addition, agencies' 
biometric systems have varying system capacities based on their 
mission needs, which affects their ability to similarly process each 
other's queries for biometric information. Moreover, the advancements 
other agencies make in their biometric systems may continue to 
overwhelm DOD's efforts as it works to identify its long-term 
biometric system capability needs and associated costs. 

DOD Has an Agreement with DOJ, Which Allows for Direct Connectivity 
and Automated Sharing of Biometric Information: 

DOD is sharing its biometric information and has an agreement to share 
biometric information with DOJ, which allows for direct connectivity 
and the automated sharing of biometric information between their 
biometric systems. DOD and the FBI (a component of DOJ) have an 
agreement in place that allows for direct connectivity and the 
automated sharing of unclassified biometric information between their 
biometric systems. Until DOD and DHS establish direct connectivity 
between their two biometric systems, they have the option to use the 
FBI's biometric system as an indirect link to share limited biometric 
information (see figure 3 below).[Footnote 30] Additionally, as 
mentioned earlier, according to DOD and DHS officials, DOD manually 
provides DHS with biometric records on watch listed individuals. In 
support of national directives and laws directing federal agencies to 
share information, the DOD directive on biometrics directs the 
development of interagency agreements for biometrics activities, as 
appropriate, to maximize effectiveness. According to officials from 
the Office of the Under Secretary of Defense for Policy,[Footnote 31] 
in 2003 the FBI formally requested that DOD share biometric 
information, and from that point, the agencies established data 
sharing with each other. DOD and the FBI finalized the memorandum of 
understanding in 2009 to provide for the sharing of, among other 
things, unclassified biometric information, as part of the agencies' 
efforts to comply with the National Security Presidential 
Directive-59/Homeland Security Presidential Directive-24. As part of the 
memorandum, DOD and the FBI agree to share their biometric information 
with each other in a timely manner when their respective missions 
require access to such data. 

Figure 3: Current Biometric Information-Sharing Connectivity between 
DOD, DOJ/FBI, and DHS/State: 

[Refer to PDF for image: illustration] 

Automated Biometric Identification System (ABIS): Department of 
Defense: 
Stores biometrics from: 
* Foreign nationals requesting access to U.S. installations overseas; 
* Latent prints from improvised explosive devices and other hostile 
actions; 
* Enemy combatants; 
* Detainees. 

Connectivity with: 

Integrated Automated Fingerprint Identification System (IAFIS): 
Department of Justice/Federal Bureau of Investigation: 
Stores biometrics from: 
* Arrested individuals; 
* Criminals and criminal history; 
* Latent prints from crime scenes. 
FBI’s system serves as a pass through for ABIS and IDENT matches. 

Connectivity with: 

Automated Biometric Identification System (IDENT): Department of 
Homeland Security/Department of State: 
Stores biometrics from: 
* Visa applicants; 
* Visitors to the U.S.; 
* Illegal border crossers; 
* Immigration violators; 
* Lawful permanent residents; 
* Applications for naturalization; 
* Refugees, asylees. 

Source: GAO analysis of information provided by DOD. 

[End of figure] 

In addition to DOD and the FBI's agreement to share biometric 
information, DHS, State, and DOJ have agreements in place that allow 
for direct connectivity and the automated sharing of biometric 
information among their biometric systems--capabilities that support 
the collection, storage, use, and sharing of biometric data. 
Specifically, DHS and State established a memorandum of understanding 
in 2005 to facilitate interagency cooperation and sharing of, among 
other things, biometric information on visa applicants and biometric 
information stored on DHS's biometric system, to enhance border 
security and facilitate legitimate travel.[Footnote 32] State uses 
DHS's biometric system for storing and sharing copies of their 
biometric information.[Footnote 33] Additionally, DHS, DOJ, and State 
established a memorandum of understanding in July 2008 to improve 
information sharing among the three agencies for the purposes of such 
missions as national security, law enforcement, immigration, and 
border management.[Footnote 34] The July 2008 memorandum included an 
agreement to share, among other things, biometric information through 
interoperability between the agencies' biometric systems. According to 
FBI officials, the FBI initiated the interoperability agreement in 
2005 to exchange biometric information between DOJ's and DHS's 
biometric systems and gained access to DHS's full biometric system in 
2008. However, according to DHS officials, initial sharing of DHS high 
priority biometric information with DOJ's biometric system began in 
2006, such as information on individuals expedited for removal and 
those denied visas. 

DOD Does Not Have an Agreement with DHS or with State, Which Limits 
Its Ability to Efficiently Share Biometric Information: 

DOD and DHS currently do not have an agreement in place that allows 
for direct connectivity between their biometric systems; however, DOD 
is currently in the process of working with DHS to develop a 
memorandum of agreement to share biometric information. DOD also does 
not have an agreement in place to directly share information with 
State; however, according to DOD officials, State sharing requirements 
will be covered in the agreement between DOD and DHS.[Footnote 35] 
According to the draft memorandum, the intent of the document is to 
formalize the ongoing relationship between DOD and DHS and to clarify 
their commitment to permitting the maximum amount of biometric 
information sharing permitted by law. Among other delays, in July 
2010, DOD officials informed us that the draft memorandum was 
undergoing a subsequent review at DHS because some individuals at DHS 
had been inadvertently left off the initial review. As of January 
2011, DOD and DHS have not signed an agreement that allows for direct 
connectivity between their biometric systems. 

We reported in 2008 that DHS officials acknowledged that establishing 
a sharing agreement with DOD would increase sharing of biometric 
information between the agencies and close any gaps.[Footnote 36] 
According to DHS officials, having such an agreement in place would 
allow DOD and DHS to access each other's biometric systems when needed 
for reasons such as detainee screening and airport passenger 
screening. Direct access would reduce response times to search queries 
because, currently, DOD and DHS biometric systems do not have direct 
connectivity and therefore do not have automated search capabilities, 
so the response times vary. We recognize that developing an agreement 
to share information takes time; for example, it took over 5 years to 
develop the memorandum of understanding between DOD and the FBI. DOD 
and DHS officials stated they had hoped to have the memorandum 
completed by the end of 2010; however, as of January 2011 the 
agreement had not yet been completed. Several dates of completion and 
reasons for delay of the memorandum between DOD and DHS were provided 
to us by DOD officials throughout our review. In December 2010, DOD 
anticipated completing a signed agreement with DHS no later than May 
31, 2011. 

According to DOD and DHS officials, some sharing of information is 
occurring between DOD, DHS, and State, even though DOD and DHS do not 
have a finalized sharing agreement. We reported in 2008 that DOD and 
DHS had not established direct connectivity between their two 
biometric systems and relied on the FBI's biometric system as an 
indirect link between DOD and DHS. At the time, while limited 
occasional sharing of DOD and DHS biometrics occurred, it did not 
happen on a regular basis. According to DOD, DHS, and FBI officials, 
the indirect sharing arrangement through the FBI's biometric system is 
still in place, as shown in figure 3. The FBI maintains an Interim 
Data Sharing Model, which consists of two parts--the FBI provides a 
set of data to DHS for DHS stakeholders to access and DHS provides a 
set of data to the FBI for FBI stakeholders to access, to include DOD, 
which includes biometric information on individuals with expedited 
removals and individuals who were denied visas. Furthermore, the FBI 
retains on its IAFIS some biometric information from DOD on non-U.S. 
persons, such as those who have criminal records, which allows DHS and 
State to access limited information from DOD through the FBI biometric 
system. However, both DOD and FBI officials noted that the FBI may be 
terminating its Interim Data Sharing Model as the FBI transitions to 
its new biometric system. In March 2011, FBI officials reported that 
DOD searches of the portion of the Interim Data Sharing Model 
containing information on expedited removals and individuals who were 
denied visas were discontinued on January 20, 2011. However, FBI's 
IAFIS will continue to facilitate searches of DHS information for DOD 
until a direct connection has been established between DHS and DOD's 
biometric systems, according to FBI officials. 

Since we reported in 2008, DOD and DHS have established a manual 
process for sharing information on at least a daily basis--once every 
24 hours--through the use of a secured Web site. DOD manually inputs 
to this Web site copies of critical DOD biometric information that DHS 
can manually access to place onto its own biometric system. The State 
Department can access this information once it is stored on DHS's 
biometric system. However, DHS and State may not be able to take 
immediate action should they have a query prior to DOD's once-a-day 
update. In addition, as noted in our 2008 report,[Footnote 37] if DHS 
and State do not have access to DOD biometric information on 
individuals trying to enter the United States, then they may not be 
able to determine whether those individuals should be denied entry, 
and potential harm could come to U.S. interests from individuals 
inadvertently allowed into the United States. 

Officials from DOD, DHS, and the FBI have discussed the goal for 
direct connectivity among their biometric systems to better enable 
automated sharing of biometric information (see figure 4). However, as 
noted earlier, without a finalized agreement between DOD and DHS, it 
remains unclear when or whether direct connectivity will be 
established between DOD's and DHS's biometric systems. 

Figure 4: Desired Biometric Information-Sharing Connectivity between 
DOD, DOJ/FBI, and DHS/State: 

[Refer to PDF for image: illustration] 

Each system is connected to all others: 

Automated Biometric Identification System (ABIS): Department of 
Defense: 
Stores biometrics from: 
* Foreign nationals requesting access to U.S. installations overseas; 
* Latent prints from improvised explosive devices and other hostile 
actions; 
* Enemy combatants; 
* Detainees. 

Connectivity with: 

Integrated Automated Fingerprint Identification System (IAFIS): 
Department of Justice/Federal Bureau of Investigation: 
Stores biometrics from: 
* Arrested individuals; 
* Criminals and criminal history; 
* Latent prints from crime scenes. 
FBI’s system serves as a pass through for ABIS and IDENT matches. 

Connectivity with: 

Automated Biometric Identification System (IDENT): Department of 
Homeland Security/Department of State: 
Stores biometrics from: 
* Visa applicants; 
* Visitors to the U.S.; 
* Illegal border crossers; 
* Immigration violators; 
* Lawful permanent residents; 
* Applications for naturalization; 
* Refugees, asylees. 

Connectivity with: Automated Biometric Identification System (ABIS): 
Department of Defense. 

Source: GAO analysis of information provided by DOD. 

[End of figure] 

DOD's Biometric System Is Limited in Meeting Demands from Key Federal 
Agencies' Biometric Systems: 

To enable agencies to meet the demand for searching stored biometric 
information on their systems, agencies' biometric systems have varying 
system capacities based on their mission needs, which affects their 
ability to similarly process each other's queries for biometric 
information. As noted previously, the FBI's IAFIS is a national 
fingerprint and criminal history system, while DHS's IDENT is used for 
many purposes, including border security and visa and naturalization 
processing. DOD's Next Generation ABIS is used to identify and verify 
non-U.S. persons and helps determine if the individual poses a threat 
or potential threat to national security. DOD's Next Generation ABIS 
is currently capable of handling 8,000 transactions per day. In 
contrast, according to FBI officials, the FBI's IAFIS system currently 
performs over 100,000 to 200,000 search queries a day, while DHS 
manages over 160,000 search queries a day, according to DHS officials. 
DOD has plans to increase the capacity to 22,000 transactions per day 
in the third quarter of fiscal year 2011 and upgrades to later bring 
capacity up to 45,000 transactions per day, according to DOD officials. 

DOD officials do not believe that they need to match other agencies' 
biometric system capacities because they do not anticipate receiving 
the same number of queries given differences in mission. However, DOD 
and other agency officials have expressed concern that DOD's biometric 
system is limited in its ability to maximize sharing of biometric 
information. The FBI has reported that DOD is currently meeting the 
FBI's needs by supporting a capacity of 3,000-4,000 transactions per 
day, which the FBI could send to DOD's Next Generation ABIS to search 
against. However, FBI officials told us that they are concerned with 
DOD's capacity as the Next Generation ABIS is not capable of handling 
all of the queries that the FBI receives. FBI officials noted that DOD 
does not want the FBI to send every search query it receives through 
DOD's biometric system. At this time, the FBI and DOD are working to 
target and define a set of search queries for the FBI to send through 
Next Generation ABIS, according to FBI officials. However, a maximum 
transaction capacity has not yet been set for FBI submissions to DOD. 
Additionally, DHS officials believe DOD will need more capacity to 
handle search queries in order for direct interoperability between DOD 
and DHS to occur. DHS reported in November 2010 that when it 
establishes direct interconnectivity with DOD, DHS plans to send 
13,000 search queries per day in 2011 and 14,000 search queries per day 
in 2012 to DOD's Next Generation ABIS for searching. DHS noted in January 
2011 that transaction volumes for search queries from DHS to DOD's 
biometric system are currently in flux and have not been finalized. 
However, DOD officials have acknowledged that their current system's 
transaction capacity is limited for sharing because the number of 
queries from other federal agencies currently exceeds their biometric 
system capacity of 8,000 transactions per day. 

The advancements other agencies continue to make in their biometric 
systems may overwhelm DOD's efforts as it works to identify its 
long-term biometric system capability needs and associated costs. At the 
same time that DOD carries out these expansion efforts, other agencies 
continue to make advancements in their biometric systems and will 
continue to do so in the future for various reasons, including the 
addition of new technology and biometric modalities as emerging 
technologies and modalities are identified and matured. For example, 
as previously mentioned, DHS is considering iris and facial biometrics 
for future incorporation into its biometric system. In addition, the 
FBI is moving to an enhanced biometric system that will incorporate 
scars, marks, tattoos, face, iris, and palm biometrics. Such agency 
biometric system advancements could exceed DOD's biometric system's 
capability to respond. In light of this, DOD may not be able to 
facilitate sharing of biometric information across federal agencies in 
a timely and efficient manner, in accordance with DOD policies. 
Specifically, DOD's biometric directive requires that biometric 
systems be interoperable with other identity management capabilities 
and systems both internal and external to DOD, to maximize 
effectiveness, as well as information-sharing efforts.[Footnote 38] 
Furthermore, DOD's biometrics strategic plan outlines as a primary 
objective that DOD operate and maintain biometric systems that enable 
sharing with other biometric systems as part of DOD's goal to meet the 
warfighters' needs in a timely manner.[Footnote 39] 

Conclusions: 

National security challenges from multiple sources continue to 
increase, therefore making it critical that federal agencies find 
effective ways to collaborate and share information--particularly 
biometric information--on those who would threaten the United States. 
DOD has taken steps to adopt biometric standards that could improve 
the quality of biometric information collected and has increased its 
efforts to share biometric information with key federal agencies. 
However, DOD could take certain actions to help improve its ability to 
collect and share biometric information with other federal agencies. 
For example, DOD has adopted standards for the collection of 
biometrics to enhance interoperability with other key federal 
agencies' biometric systems, but at least one DOD device responsible 
for the collection of over 600,000 biometric records, such as a 
handheld biometric collection device used by the Army, does not meet 
DOD adopted standards. DOD can take steps to improve conformance to DOD 
adopted standards with a process for implementing updated standards 
for biometric collection devices that are in the acquisition process, 
more sufficient testing of devices for conformance to adopted 
standards to better facilitate interoperability with federal agencies, 
and more fully defining the roles and responsibilities of DOD entities 
to ensure its collection devices meet DOD adopted standards. Without 
these steps, DOD limits its ability to identify potential criminals or 
terrorists who have biometric records in other federal agencies' 
biometric systems, and the military services may incur 
delays and additional costs if they find they have acquired a device 
that is no longer acceptable to DOD. In addition, DOD has agreements 
in place with key federal agencies such as DOJ to help facilitate 
direct connectivity between their biometric systems, but it has not 
finalized an agreement with DHS and by extension the State Department. 
This has an impact on timely interoperability. Finally, the varying 
system capacities at these key federal agencies exceed that of DOD to 
the extent that agencies have expressed concern that DOD's biometric 
system may be unable to meet the search demands from their own 
biometric systems within useful response time frames. Without efforts 
to address these issues, the quality and process of collecting and 
sharing biometrics may continue to limit DOD's ability to identify 
potential criminals or terrorists who have biometric records in other 
federal agencies' biometric systems in a timely manner, and ultimately 
these challenges to interoperability may place U.S. national security 
at greater risk. 

Recommendations for Executive Action: 

To improve DOD's ability to collect and help ensure that federal 
agencies are sharing biometric information on individuals who pose a 
threat to national security to the fullest extent possible, we 
recommend that the Secretary of Defense direct the Under Secretary of 
Defense for Acquisition, Technology, and Logistics, as the Principal 
Staff Assistant responsible for the oversight of DOD biometrics, to 
take the following five actions in collaboration with other key 
federal agencies and internal DOD stakeholders, including BIMA, U.S. 
Army, U.S. Navy, U.S. Marines, and U.S. Air Force: 

* Implement a process for updating collection devices to adopted 
standards to help ensure that all DOD systems related to biometrics, 
including collection devices, conform to adopted standards. 

* Implement a process for testing collection devices at a sufficiently 
detailed level to help ensure that all DOD systems related to 
biometrics, including collection devices, conform to adopted standards. 

* More fully define and further clarify the roles and responsibilities 
needed to achieve DOD's biometric program and objectives for all 
stakeholders that include ensuring collection devices conform to 
adopted standards. 

* Complete the memorandum of agreement with the Department of Homeland 
Security regarding the sharing of biometric information as appropriate 
and consistent with U.S. laws and regulations and international 
agreements, as well as information-sharing environment efforts. 

* Identify its long-term biometric system capability needs, including 
the technological capacity and associated costs needed to support both 
the warfighter and to facilitate sharing of biometric information 
across federal agencies, and take steps to meet those capability 
needs, as appropriate and consistent with U.S. laws and regulations, 
international agreements, and available resources. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, DOD agreed with all of 
our recommendations. DOD's comments appear in their entirety in 
appendix III. DHS, DOJ, State, and the Department of Commerce/National 
Institute of Standards and Technology also reviewed a draft of this 
report. We received technical comments from DHS and DOJ, which we have 
incorporated as appropriate. 

DOD agreed with our recommendation to implement a process for updating 
collection devices to adopted standards to help ensure that all DOD 
systems related to biometrics, including collection devices, conform 
to adopted standards. In its response, DOD noted that the legacy HIIDE 
devices are near the end of their service life and are being retired. 
DOD intends to procure an updated handheld device compliant with the 
mandated data standard to replace the HIIDE, which was EBTS 1.2 at the 
time the solicitation was developed and published, and as required by 
DOD Directive 8521.01E for all new acquisitions. DOD expects to award 
this contract in April 2011, with fielding in August 2011. DOD further 
stated that DOD's Biometrics Standards Conformity Assessment Test 
Program plans to verify compliance of the updated handheld devices 
before deployment, and DOD plans additional engineering efforts to 
update devices to the recently adopted EBTS 2.0 standard to ensure 
compatibility with interagency partners. 

DOD agreed with our recommendation to implement a process for testing 
collection devices at a sufficiently detailed level to help ensure 
that all DOD systems related to biometrics, including collection 
devices, conform to adopted standards. In its response, DOD stated 
that it has established a Biometrics Standards Conformity Assessment 
Test Program, accredited in January 2011 as part of the National 
Institute of Standards and Technology's (NIST) National Voluntary 
Laboratory Accreditation Program (NVLAP) for biometric testing. 
Relevant tests include conformance tests to DOD EBTS and FBI 
Electronic Fingerprint Transmission Specification, as well as 
evaluations and assessments of biometric-enabled devices and systems 
that interoperate with the authoritative biometrics database and other 
repositories of biometric data. DOD added that the current DODD 
8521.01E already requires such compliance testing for new biometrics 
acquisitions, but DOD noted and we agree that the directive does not 
fully address quick reaction capabilities such as the HIIDE. DOD 
further added that it plans to work with the FBI to develop a 
co-sharing arrangement to leverage existing standards compliance testing 
at the FBI Biometric Center of Excellence to strengthen interagency 
interoperability. DOD stated that it plans to include these 
requirements in the biometric DOD directive no later than September 
2011. We agree that incorporating into the biometric DOD directive the 
requirements of conformance testing of biometric systems through the 
newly established Biometrics Standards Conformity Assessment Test 
Program, conformance testing for all biometric devices, and co-sharing 
arrangements with FBI Biometric Center of Excellence would be 
beneficial. 

DOD agreed with our recommendation to more fully define and further 
clarify the roles and responsibilities needed to achieve DOD's 
biometric program and objectives for all stakeholders that include 
ensuring collection devices conform to adopted standards. In its 
response, DOD indicated that it is updating DOD Directive 8521.01E 
"Defense Biometrics," which establishes policy, assigns 
responsibilities, and describes procedures for DOD biometrics. DOD 
further noted that the update to the DOD biometrics directive will 
more fully define and clarify the roles and responsibilities of 
biometrics stakeholders, including responsibilities for testing 
collection devices for compliance with adopted standards. According to 
DOD, the biometric directive will be completed by September 2011. 

DOD agreed with our recommendation to complete the memorandum of 
agreement with the Department of Homeland Security regarding the 
sharing of biometric information as appropriate and consistent with 
U.S. laws and regulations and international agreements, as well as 
information-sharing environment efforts. On February 14, 2011, we 
provided DOD a draft of this report for review and comment. In 
response to our draft recommendation, and while the report was under 
review, DOD finalized an agreement with DHS regarding biometric 
sharing on March 3, 2011. 

DOD agreed with our recommendation to identify its long-term biometric 
system capability needs, including the technological capacity and 
associated costs needed to support both the warfighter and to 
facilitate sharing of biometric information across federal agencies, 
and take steps to meet those capability needs, as appropriate and 
consistent with U.S. laws and regulations, international agreements, 
and available resources. In its response, DOD noted that ABIS is 
currently meeting all the sharing transactions required by DHS and 
FBI, and DOD has expansion plans in place to increase ABIS's 
capability to over 40,000 daily transactions, which according to DOD 
will continue to meet the 14,000 daily biometrics transaction rate 
articulated by DHS for 2012. Further, DOD stated that it continues to 
work closely with the interagency Interoperability Executive Steering 
Committee to ensure DOD has visibility as new interagency requirements 
coalesce, and can modify ABIS expansion plans to be responsive to our 
interagency sharing responsibilities. According to DOD, it expects to 
have an updated ABIS sizing plan to support the projected future DOD 
and interagency transaction requirements by July 2011. 

As agreed with your office, unless you publicly announce its contents 
earlier, we plan no further distribution until 30 days from the report 
date. At that time, we will send copies to the appropriate 
congressional committees; the Secretary of Defense; the Secretary of 
State; the Attorney General; the Secretary of Commerce; the Secretary 
of Homeland Security; and other interested parties. In addition, the 
report will be available at no charge on the GAO website at 
[hyperlink, http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-5431 or at dagostinod@gao.gov. Contact points 
for our Offices of Congressional Relations and Public Affairs may be 
found on the last page of this report. Key contributors to this 
report are listed in appendix IV. 

Signed by: 

Davi M. D'Agostino: 
Director: 
Defense Capabilities and Management: 

List of Requesters: 

The Honorable Adam Smith: 
Ranking Member: 
Committee on Armed Services: 
House of Representatives: 

The Honorable W. "Mac" Thornberry: 
Chairman: 
Subcommittee on Emerging Threats and Capabilities: 
Committee on Armed Services: 
House of Representatives: 

The Honorable Jim Langevin: 
Ranking Member: 
Subcommittee on Emerging Threats and Capabilities: 
Committee on Armed Services: 
House of Representatives: 

The Honorable Jeff Miller: 
House of Representatives: 

[End of section] 

Appendix I: Scope and Methodology: 

This report addresses the extent to which DOD (1) adopted standards 
and has taken actions to facilitate the collection of biometrics that 
are interoperable with other key federal agencies, and (2) shares 
biometric information across key federal agencies. 

Scope and Methodology: 

To address our objectives, we reviewed prior GAO reports related to 
the collection, storage, use, sharing, and management of biometric 
information and interagency sharing of information for national 
security purposes. We also analyzed a number of Presidential 
Directives, Executive Orders and Memorandums, and laws that affect the 
collection and sharing of biometric and biographic information. For 
example, we analyzed the National Security Presidential Directive-59/ 
Homeland Security Presidential Directive-24 and the companion action 
plan for Biometrics for Identification and Screening to Enhance 
National Security, which establish a framework to ensure that federal 
executive departments and agencies use compatible methods and 
procedures for the collection and sharing of identity information 
across federal departments and agencies. In addition, we reviewed 
national strategies focused on information sharing and national 
security to gain an understanding of how biometrics collection and 
sharing plays a part in achieving national goals of gathering and 
sharing information to protect the United States. 

We contacted and obtained information from officials and entities 
associated with the collection, storage, use, and sharing of biometric 
information across the Department of Defense (DOD), as well as other 
key federal agencies,[Footnote 40] including the Department of Justice 
(DOJ)/Federal Bureau of Investigation (FBI), Department of State 
(State), and the Department of Homeland Security (DHS). Further, we 
conducted an interview with officials of the National Science and 
Technology Council to determine the role and interests that the White 
House has in biometrics.[Footnote 41] We conducted site visits to a 
selection of facilities that analyze, store, and share biometric 
information, including the Army's National Ground Intelligence Center 
in Charlottesville, Virginia, and the Army's Biometric Identity 
Management Agency and the FBI's Criminal Justice Information Services 
complex, both located in Clarksburg, West Virginia, to discuss the use 
of applicable standards and federal agency biometric systems 
interoperability, and to gain perspective on the sharing of biometric 
information between federal agencies. We met with U.S. Central Command 
and U.S. Special Operations Command officials to obtain their views on 
how these two combatant commands had operationalized the collection of 
biometric information. More detailed information on the federal 
agencies and officials we obtained information from on the collection, 
use, storage, and sharing of biometric information during our review 
appears below in table 1. 

Table 1: Agencies Where GAO Obtained Documentary Evidence and 
Officials' Views on the Collection, Use, Storage, and Sharing of 
Biometric Information: 

Federal agency: Executive Office of the President; 
Entities visited or contacted during our review: 
* Office of Science and Technology Policy, National Science and 
Technology Council, Committee on Technology, Subcommittee on 
Biometrics and Identity Management. 

Federal agency: Department of Commerce; 
Entities visited or contacted during our review: 
* National Institute of Standards and Technology. 

Federal agency: Department of Defense; 
Entities visited or contacted during our review: 
* Under Secretary of Defense for Acquisition, Technology, and 
Logistics; Director, Defense Research and Engineering; 
* Assistant Secretary of Defense for Networks and Information 
Integration; 
* Under Secretary of Defense for Policy; 
* Department of the Army, Biometric Identity Management Agency; 
* Department of the Army, National Ground Intelligence Center; 
* Headquarters, Department of the Army, G-3/5/7, Capability 
Integration Division; 
* Department of the Army, Program Executive Office, Enterprise 
Information Systems, Program Manager, Biometrics; 
* Department of the Air Force, Office of the Secretary of the Air 
Force, Communications Directorate; 
* United States Marine Corps, Plans, Policies & Operations; 
* Department of the Navy, Deputy Assistant Secretary of the Navy, 
Expeditionary Warfare; 
* U.S. Africa Command; 
* U.S. Central Command; 
* U.S. European Command; 
* U.S. Northern Command; 
* U.S. Pacific Command; 
* U.S. Special Operations Command; 
* U.S. Southern Command. 

Federal agency: Department of Homeland Security; 
Entities visited or contacted during our review: 
* United States Visitor and Immigrant Status Indicator Technology 
Office; 
* Immigration and Customs Enforcement; 
* Customs and Border Protection; 
* Screening and Coordination Office; 
* U.S. Coast Guard. 

Federal agency: Department of Justice; 
Entities visited or contacted during our review: 
* Federal Bureau of Investigation, Criminal Justice Information 
Services; 
* Office of the Deputy Attorney General. 

Federal agency: Department of State; 
Entities visited or contacted during our review: 
* Consular Affairs. 

Source: GAO. 

[End of table] 

To determine the extent to which DOD adopted standards and has taken 
actions to facilitate the collection of biometrics that are 
interoperable with other key federal agencies, we interviewed DOD 
officials and reviewed key DOD memoranda, directives, and guidance, 
such as the DOD Directive on Biometrics. In addition, we interviewed 
officials from DHS, State, and DOJ/FBI to gain their perspective on 
the collection and sharing of comparable biometric information among 
federal agencies. We reviewed national standards and requirements for 
the electronic formatting of biometric information to see whether key 
federal agencies follow a common set of standards for the collection 
of biometric information. For example, we reviewed DOD's Electronic 
Biometric Transmission Specification, which is based on recommended 
standards from the American National Standards Institute and the 
National Institute of Standards and Technology. We interviewed 
officials from the National Institute of Standards and Technology in 
order to obtain their perspective on the use of standards for the 
consistent collection of biometric information and how these standards 
are adopted by federal agencies to help ensure interoperability of the 
devices used to collect biometric information. We reviewed a DOD 
interoperability assessment report of its Automated Biometric 
Identification System and Army evaluations of the Handheld Interagency 
Identity Detection Equipment to identify DOD's interoperability and 
conformance to standards within these systems. We did not evaluate the 
technical performance of collection devices used to gather identity 
information. We discussed with federal agency officials the potential 
impact of collection devices and systems that do not conform to 
adopted standards on their ability to collect comparable biometric 
information. In addition, we reviewed key DOD biometric documentation 
to determine DOD management practices related to the collection of 
biometrics and interviewed key officials from DOD responsible for the 
management of the collection of biometrics. (See table 1 above.) 
Specifically, using criteria on internal control and program 
management from the Office of Management and Budget and the Project 
Management Institute's The Standard for Program Management, we 
analyzed DOD guidance on the collection of biometrics to determine 
whether any internal control or program management weakness may reduce 
its ability to collect biometric information and meet biometric 
mission objectives. To gather the perspective of DOD biometric program 
management, we interviewed DOD biometric stakeholders such as the 
military services, Biometric Identity Management Agency, and combatant 
commands. In addition, we interviewed agency officials from the FBI 
and DHS to gather their perspectives on DOD's management practices 
related to the collection of biometrics. 

To determine the extent to which biometric information is shared and 
has the system capacity needed to facilitate biometric sharing across 
key federal agencies, including DOD, we interviewed officials from 
DOD, DHS, State, and the FBI on the policies, governance processes, 
and systems in place for sharing biometric information--DOD's 
Automated Biometric Identification System (ABIS), DHS's Automated 
Biometric Identification System (IDENT), and the FBI's Integrated 
Automated Fingerprint Identification System (IAFIS). We analyzed the 
formal and draft agreements for sharing biometric information between 
agencies to better understand the scope of the biometric information 
shared, as well as any limitations, and the degree to which they help 
facilitate direct connectivity between the biometric systems to 
promote automated sharing.[Footnote 42] In addition, we collected and 
reviewed federal policies, guidance, and other documentation that 
covered the sharing of biometric information and the current and 
planned systems that support biometric information sharing. For 
example, we reviewed DHS's IDENT Data Response Sharing Policy, which 
reinforces the DHS agreement with State and DOJ/FBI on sharing 
biometric information. We reviewed information provided by the FBI on 
IAFIS and their planned changes to the Next Generation Identification 
system that would expand their biometric capabilities from 
fingerprints to include the collection, matching, storage, and sharing 
of other biometrics such as facial and iris images. In order to 
confirm information provided by agency officials in interviews on the 
three primary biometric systems, we developed a structured 
questionnaire that was pre-tested and provided to key agency officials 
responsible for each of the three biometric systems. 

We conducted this performance audit from December 2009 through March 
2011, in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

[End of section] 

Appendix II: Funding for DOD's Biometric Program: 

Based on the figures provided by DOD as of November 2010, about $3.5 
billion has been or will be spent to fund its biometrics programs from 
fiscal year 2007 through fiscal year 2015. DOD reports that almost 
two-thirds of the funding for its biometric program from fiscal year 2007 
through fiscal year 2015 is drawn from the supplemental budget, which 
is in excess of DOD's base defense budget. Specifically, DOD reports 
that for fiscal years 2007 through 2011, supplemental funding accounts 
for over $2.0 billion for DOD's biometric programs with less than $500 
million from defense base funding (see table 2). 

Table 2: Biometric Program Funding, Fiscal Year 2007 through Fiscal 
Year 2011: 

Funding type (in millions): Base; 
FY 2007: $29.1; 
FY 2008: $52.0; 
FY 2009: $87.8; 
FY 2010: $134.3; 
FY 2011: $163.7; 
Total funding FY 2007 through FY 2011: $466.9. 

Funding type (in millions): Supplemental; 
FY 2007: $347.7; 
FY 2008: $442.3; 
FY 2009: $499.2; 
FY 2010: $528.7; 
FY 2011: $606.0; 
Total funding FY 2007 through FY 2011: $2,423.9. 

Funding type (in millions): Total; 
FY 2007: $376.8; 
FY 2008: $494.3; 
FY 2009: $587.0; 
FY 2010: $663.0; 
FY 2011: $769.7; 
Total funding FY 2007 through FY 2011: $2,890.8. 

Source: GAO analysis of DOD documentation. 

Note: This table reflects budget information provided as of November 
2010 for DOD's biometrics program. 

[End of table] 

In contrast, in fiscal years 2012 through 2015 DOD is estimating base 
funding at more than $600 million, with no funding from supplements 
(see table 3). The change in funding, from supplemental support to 
base funding, is due in part to efforts to make a permanent program of 
record of DOD's biometric systems. DOD has begun to establish a more 
formal biometric program by identifying the requirements needed by the 
warfighter, assessing gaps in warfighting capabilities, and 
recommending solutions to resolve those gaps. DOD officials explain 
that as biometric technologies and systems become programs of record, 
funding should be built into base defense funding, rather than 
supplemental funding. 

Table 3: Biometric Program Funding Fiscal Year 2012 through Fiscal 
Year 2015: 

Funding type (in millions): Base; 
FY 2012: $149.9; 
FY 2013: $178.2; 
FY 2014: $161.9; 
FY 2015: $175.9; 
Total funding FY 2012 through FY 2015: $665.9. 

Funding type (in millions): Supplemental; 
FY 2012: 0.0; 
FY 2013: 0.0; 
FY 2014: 0.0; 
FY 2015: 0.0; 
Total funding FY 2012 through FY 2015: 0.0. 

Funding type (in millions): Total; 
FY 2012: $149.9; 
FY 2013: $178.2; 
FY 2014: $161.9; 
FY 2015: $175.9; 
Total funding FY 2012 through FY 2015: $665.9. 

Source: GAO analysis of DOD documentation. 

Note: This table reflects budget information provided as of November 
2010 for DOD's biometrics program. Potential supplemental budget 
amounts for future years are not reflected in this table. 

[End of table] 

As shown, table 2 includes fiscal year 2007 through and including 
fiscal year 2011, and identifies biometric program base and 
supplemental funding while table 3 sets out fiscal year 2012 through 
fiscal year 2015, where it is currently unknown whether supplemental 
funding for the biometrics program will be requested. 

We have previously recommended that DOD shift certain contingency 
costs into the annual base budget to allow for prioritization and 
trade-offs among its needs and to enhance visibility in defense 
spending.[Footnote 43] With regard to its biometric program, DOD 
fiscal year 2012 through fiscal year 2015 budget plans shift funding 
into the base defense budget; however, DOD officials told us they 
anticipate continued need for supplemental funding to support the war 
efforts, but were unable to provide an estimate. As DOD identifies the 
warfighter needs related to developing future biometric capabilities, 
these requirements will likely affect its future budget requests. 

[End of section] 

Appendix III: Comments from the Department of Defense: 

Assistant Secretary Of Defense: 
Research And Engineering: 
3030 Defense Pentagon: 
Washington, DC 20301-3030: 

March 24, 2011: 

Ms. Davi M. D'Agostino: 
Director, Acquisition and Sourcing Management: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, DC 20548: 

Dear Ms. D'Agostino: 

This is the Department of Defense (DoD) response to the GAO draft 
report 11-276, "Defense Biometrics: DoD Can Better Conform to 
Standards and Share Biometric Information with Federal Agencies," 
dated February 14, 2011 (GAO Code 351424). Detailed comments on the 
report recommendations are enclosed. 

The Department concurs that adherence to technical interoperability 
standards for all biometric equipment, including verification devices, 
contributes to successful data sharing within the DoD and across the 
interagency. Additionally, the DoD remains committed to establishing 
and enforcing biometric data standards; and, since the time of the 
research for this GAO report, DoD has taken further steps to improve 
standards compliance testing. These steps have included the 
establishment of a Biometrics Standards Conformity Assessment Test 
Program that was accredited in January 2011 by the National Institute 
of Standards and Technology (NIST). The Department is also updating 
the existing authorities and responsibilities for standards testing in 
the DoD Directive 8521.01E, "Department of Defense Biometrics" to 
further strengthen our interoperability. 

The Department also concurs with the need to look forward to the 
future data sharing requirements of our interagency partners, and to 
continually update our biometric database's ability to keep pace with 
those requirements as they evolve. DoD is actively engaged with the
Department of Homeland Security, the Federal Bureau of Investigation, 
and other government departments and agencies on the steps required to 
achieve and maintain full interoperability. 

Sincerely, 

Signed by: 

Zachary J. Lemnios: 

Enclosure: As stated. 

[End of letter] 

GAO Draft Report Dated February 14, 2011: 
GAO-11-276 (GAO CODE 351424): 

"Defense Biometrics: DOD Can Better Conform To Standards And Share 
Biometric Information With Federal Agencies." 

Department Of Defense Comments To The GAO Recommendations: 

Recommendation 1: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense for Acquisition, Technology, and 
Logistics, as the Principal Staff Assistant responsible for the 
oversight of DOD biometrics, to take action in collaboration with 
other key federal agencies and internal DOD stakeholders, including
BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force to 
implement a process for updating collection devices to adopted 
standards to help ensure that all DOD systems related to biometrics, 
including collection devices, conform to adopted standards. (See page 
28/GAO Draft Report.) 

DOD Response: Concur. The legacy HIIDE verification devices are 
approaching the end of their service life and are being retired, and 
DoD is in the process of procuring an updated handheld device to 
replace the HIIDE. The solicitation requires the replacement device to 
be compliant with the mandated data standard, which was EBTS 1.2 at 
the time the solicitation was developed and published, as required by 
DOD Directive 8521.01E for all new acquisitions. The Department 
expects to award this contract in April 2011, with fielding in August 
2011. The Department's Biometrics Standards Conformity
Assessment Test Program will verify compliance before deployment, and 
a separate engineering contract is already in place to upgrade devices 
to the recently-adopted EBTS 2.0 to ensure compatibility with 
interagency partners. 

Recommendation 2: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense for Acquisition, Technology, and 
Logistics, as the Principal Staff Assistant responsible for the 
oversight of DOD biometrics, to take action in collaboration with 
other key federal agencies and internal DOD stakeholders, including
BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force to 
implement a process for testing collection devices at a sufficiently 
detailed level to help ensure that all DOD systems related to 
biometrics, including collection devices, conform to adopted standards.
(See page 28/GAO Draft Report.) 

DOD RESPONSE: Concur. The Department has established a Biometrics 
Standards Conformity Assessment Test Program, accredited in January 
2011 as part of the National Institute of Standards and Technology's 
(NIST) National Voluntary Laboratory Accreditation Program (NVLAP) for 
biometric testing. Relevant tests include conformance tests to DoD 
EBTS and FBI Electronic Fingerprint Transmission Specification, as 
well as evaluations and assessments of biometric-enabled devices and 
systems that interoperate with the authoritative biometrics database 
and other repositories of biometric data. While the current DoDD 
8521.01E already requires such compliance testing for new biometrics 
acquisitions, the directive does not fully address quick reaction 
capabilities such as the HIIDE. Additionally, the Department will work 
with the Federal Bureau of Investigation to develop a co-sharing 
arrangement to leverage existing standards compliance testing at the 
FBI Biometric Center of Excellence to further strengthen interagency 
interoperability. The Department will update the Biometrics
DoDD to include these requirements no later than September 2011. 

Recommendation 3: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense for Acquisition, Technology, and 
Logistics, as the Principal Staff Assistant responsible for the 
oversight of DOD biometrics, to take action in collaboration with 
other key federal agencies and internal DOD stakeholders, including
BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force to more 
fully define and further clarify the roles and responsibilities needed 
to achieve DOD's biometric program and objectives for all stakeholders 
that include ensuring collection devices conform to adopted standards. 
(See page 28/GAO Draft Report.) 

DOD Response: Concur. The Department is updating DoD Directive 8521.01E
"Defense Biometrics," which establishes policy, assigns 
responsibilities, and describes procedures for DoD biometrics. This 
update will more fully define and clarify the roles and 
responsibilities of biometrics stakeholders, including 
responsibilities for testing collection devices for compliance with 
adopted standards. This update will be completed by September 2011. 

Recommendation 4: The GAO recommends that the Secretary of Defense 
direct the Under Secretary of Defense for Acquisition, Technology, and 
Logistics, as the Principal Staff Assistant responsible for the 
oversight of DOD biometrics, to take action in collaboration with 
other key federal agencies and internal DOD stakeholders, including
BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force to 
complete the memorandum of agreement with the Department of Homeland 
Security regarding the sharing of biometric information as appropriate 
and consistent with U.S. laws and regulations and international 
agreements, as well as information sharing environment efforts. (See 
page 28/GAO Draft Report.) 

DOD Response: Concur. The Memorandum of Agreement between DoD and DHS
regarding biometric sharing was signed into effect on 03 March 2011. 

Recommendation 5: The GAO recommends that the Under Secretary of
Defense for Acquisition, Technology, and Logistics, as the Principal 
Staff Assistant responsible for the oversight of DOD biometrics, to 
take action in collaboration with other key federal agencies and 
internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. 
Marines, and U.S. Air Force to identify its long-term biometric system 
capability needs, including the technological capacity and associated 
costs needed to support both the warfighter and to facilitate sharing 
of biometric information across federal agencies, and to take steps to 
meet those capability needs, as appropriate and consistent with U.S. 
laws and regulations, international agreements, and available 
resources. (See page 28/GAO Draft Report.) 

DOD Response: Concur. DoD ABIS is currently meeting all the sharing 
transactions required by DHS and FBI, and the Department has expansion 
plans in place to grow ABIS's capability to over 40,000 daily 
transactions. This growth will meet the 14,000 daily biometrics 
transaction rate articulated by DHS for 2012. DoD continues to work 
closely with the interagency Interoperability Executive Steering 
Committee to ensure the DoD has visibility as new interagency 
requirements coalesce, and can modify ABIS expansion plans to be 
responsive to our interagency sharing responsibilities. The
Department expects to have an updated ABIS sizing plan to support the 
projected future DoD and interagency transaction requirements by July 
2011. 

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Davi M. D'Agostino, (202) 512-5431 or dagostinod@gao.gov: 

Acknowledgments: 

In addition to the contact named above, Penney Harwell Caramia, 
Assistant Director; Rebekah Boone; John Clary; Grace Coleman; Michele 
Fejfar; Lori Kmetz; Katherine Lenane; Amber Lopez Roberts; Greg 
Marchand; Jennifer Neer; Maria Stattel; Amie Steele; and Sonja Ware 
made key contributions to this report. 

[End of section] 

Related GAO Products: 

Homeland Security: Key US-VISIT Components at Varying Stages of 
Completion, but Integrated and Reliable Schedule Needed. [hyperlink, 
http://www.gao.gov/products/GAO-10-13]. Washington, D.C.: November 19, 
2009. 

Defense Management: DOD Can Establish More Guidance for Biometrics 
Collection and Explore Broader Data Sharing. [hyperlink, 
http://www.gao.gov/products/GAO-09-49]. Washington, D.C.: October 15, 
2008. 

Defense Management: DOD Needs to Establish Clear Goals and Objectives, 
Guidance, and a Designated Budget to Manage Its Biometrics Activities. 
[hyperlink, http://www.gao.gov/products/GAO-08-1065]. Washington, 
D.C.: September 26, 2008. 

Information Sharing Environment: Definition of the Results to Be 
Achieved in Improving Terrorism-Related Information Sharing Is Needed 
to Guide Implementation and Assess Progress. [hyperlink, 
http://www.gao.gov/products/GAO-08-492]. Washington, D.C.: June 25, 
2008. 

Homeland Security: Strategic Solution for US-VISIT Program Needs to be 
Better Defined, Justified, and Coordinated. [hyperlink, 
http://www.gao.gov/products/GAO-08-361]. Washington, D.C.: February 
29, 2008. 

GAO Management Letter to the Secretary of Defense. Washington, D.C.: 
December 13, 2007. 

Terrorist Watch List Screening: Opportunities Exist to Enhance 
Management Oversight, Reduce Vulnerabilities in Agency Screening 
Processes, and Expand Use of the List. [hyperlink, 
http://www.gao.gov/products/GAO-08-110]. Washington, D.C.: October 11, 
2007. 

Border Security: Security of New Passports and Visas Enhanced, but 
More Needs to Be Done to Prevent Their Fraudulent Use. [hyperlink, 
http://www.gao.gov/products/GAO-07-1006]. Washington, D.C.: July 31, 
2007. 

Border Security: Strengthened Visa Process Would Benefit from 
Improvements in Staffing and Information Sharing. [hyperlink, 
http://www.gao.gov/products/GAO-05-859]. Washington, D.C.: September 
13, 2005. 

Port Security: Better Planning Needed to Develop and Operate Maritime 
Worker Identification Card Program. [hyperlink, 
http://www.gao.gov/products/GAO-05-106]. Washington D.C.: December 10, 
2004. 

Border Security: Joint, Coordinated Actions by State and DHS Needed to 
Guide Biometric Visas and Related Programs. [hyperlink, 
http://www.gao.gov/products/GAO-04-1080T]. Washington, D.C.: September 
9, 2004. 

Border Security: State Department Rollout of Biometric Visas on 
Schedule, but Guidance is Lagging. [hyperlink, 
http://www.gao.gov/products/GAO-04-1001]. Washington, D.C.: September 
9, 2004. 

Technology Assessment: Using Biometrics for Border Security. 
[hyperlink, http://www.gao.gov/products/GAO-03-174]. Washington, D.C.: 
November 15, 2002. 

[End of section] 

Footnotes: 

[1] The White House, National Security Presidential Directive/NSPD-59 
and Homeland Security Presidential Directive/HSPD-24, Biometrics for 
Identification and Screening to Enhance National Security (Washington, 
D.C.: June 5, 2008). 

[2] A more complete definition of biometric systems is found in DOD's 
Biometrics Glossary. As defined in the Glossary, a biometric system 
contains multiple individual components (such as sensor, matching 
algorithm, and result display) that combine to make a fully 
operational system. A biometric system is an automated system capable 
of: (1) capturing a biometric sample for a biometric subject; (2) 
extracting and processing the biometric data from that sample; (3) 
storing the extracted information in a database; (4) comparing the 
biometric data with data contained in one or more references; and (5) 
deciding how well they match and indicating whether or not an 
identification or verification of identity has been achieved. A 
biometric system may be a component of a larger system. 

[3] Standards provide rules and guidelines to promote interoperability 
among various systems and are developed through consensus by Standards 
Development Organizations, such as the National Institute of Standards 
and Technology and InterNational Committee for Information Technology 
Standards. 

[4] GAO, Defense Management: DOD Needs to Establish Clear Goals and 
Objectives, Guidance, and a Designated Budget to Manage Its Biometric 
Activities, [hyperlink, http://www.gao.gov/products/GAO-08-1065] 
(Washington, D.C.: Sept. 26, 2008) and GAO, Defense Management: DOD 
Can Establish More Guidance for Biometrics Collection and Explore 
Broader Data Sharing, [hyperlink, 
http://www.gao.gov/products/GAO-09-49] (Washington, D.C.: Oct. 15, 
2008). 

[5] IDENT also currently stores facial images, but does not have a 
search and match capability for facial images at this time. 

[6] DOD Directive 8521.01E, Department of Defense Biometrics (Feb. 21, 
2008). 

[7] The January 2007 memorandum defined the term U.S. persons as U.S. 
citizens and aliens lawfully admitted for permanent residence. 

[8] The memorandum states that such unclassified biometric information 
includes data related to terrorism information defined in the 
Intelligence Reform and Terrorism Prevention Act (Pub. L. No. 108-458) 
regarding terrorists, detainees, and those individuals/groups posing a 
threat to the U.S., but excludes data pertaining to U.S. persons, and 
any sharing of unclassified biometric information unrelated to 
terrorism information will be determined based upon relevant law and 
directives and require, at a minimum, a written memorandum from the 
requesting agency stating the official need for the records, the 
intended use of the records, the protections and safeguards that will 
be afforded the records, and the nature or extent of possible further 
distribution of the records to other organizations or agencies. 
Memorandum from Deputy Secretary of Defense on the Sharing of DOD 
Biometric Data and Associated Unclassified Information from Non-U.S. 
Persons with Interagency Entities (Jan. 10, 2007). 

[9] In 1999, the Deputy Secretary of Defense issued a memorandum 
directing the implementation of a standard smart-card-based 
identification system for all active duty military personnel, DOD 
civilian employees, and eligible contractor personnel, to be called 
the Common Access Card. 

[10] DOD Directive 8521.01E, Department of Defense Biometrics § 3 
(Feb. 21, 2008). 

[11] The adoption of standards does not guarantee interoperability, 
but is an important step in promoting interoperability. According to 
the Office of Management and Budget (OMB) Circular A-119, Federal 
Participation in the Development and Use of Voluntary Consensus 
Standards and in Conformance Assessment Activities (Washington, D.C.: 
February 1998), a standard may include a common and repeated use of 
rules, conditions, guidelines, or characteristics for products, among 
other things. In addition, a standard may include a specification of 
dimensions, materials, performance, designs, or operations. DOD 
Directive 8521.01E, Department of Defense Biometrics (Feb. 21, 2008), 
states, "Biometric collection, transmission, storage, caching, 
tagging, and use shall be controlled through the use of DOD-approved 
national, international, and other consensus-based standards, 
protocols, best practices, and equipment to ensure consistency and 
support interoperability." 

[12] The DOD Information Technology Standards Registry is the central 
repository for DOD-approved information technology standards, 
including biometric standards. Each standard accepted to the DOD 
Information Technology Standards Registry is assigned a status as 
"emerging" or "mandated." "Mandated standards" are mandated for the 
management, development, and acquisition of new or improving systems 
throughout DOD. "Information guidance" is also provided in the DOD 
Information Technology Standards Registry. Updates included DOD EBTS 
version 1.1 issued on August 23, 2005; DOD EBTS version 1.2 issued on 
November 8, 2006; and DOD EBTS version 2.0 issued on March 27, 2009. 
DOD EBTS version 2.0 is currently included in the DOD Information 
Technology Standards Registry as a "Mandated" standard. 

[13] DOD EBTS v.1.1 and v.1.2 were based on ANSI/NIST ITL 1-2000 and 
EFTS v.7. The most recent, DOD EBTS v. 2.0 is based on ANSI/NIST ITL 
1-2007. FBI's requirements include its Electronic Fingerprint 
Transmission Specification and its Electronic Biometric Transmission 
Specification. 

[14] On February 2, 2004, DOD's Chief Information Officer issued a 
memorandum, entitled "Department of Defense Compliance with 
Internationally Accepted Standard for Electronic Transmission and 
Storage of Fingerprint Data from 'Red Force' Personnel." 

[15] The February 2004 memorandum directed that all new and upgraded 
DOD biometric collection devices used to collect "red force" 
fingerprint data must be certified as interoperable with the FBI's 
biometric systems. DOD officials told us that the HIIDE device may be 
used to collect such "red force" data. 

[16] On November 29, 2005, the U.S. Army's Chief Information Officer 
issued a memorandum, entitled "Department of Defense Compliance with 
the Electronic Biometric Transmission Specification." 

[17] DOD Directive 8521.01E, Department of Defense Biometrics § 4.3 
(Feb. 21, 2008). 

[18] Joint Interoperability Test Command, Baseline Interoperability 
Assessment Report of the Department of Defense Automated Biometric 
Identification System, version 1.0.13, (November 2009). 

[19] The Project Management Institute, The Standard for Program 
Management © (2006). For the purposes of this report, we are referring 
to DOD's biometric program in its entirety, not the acquisition 
program for one particular biometric collection device. 

[20] DOD standards are adopted through updates to the DOD Information 
Technology Standards Registry. 

[21] Each standard accepted to the DOD Information Technology 
Standards Registry is assigned a status. One such status is referred 
to as "mandated standards." The DOD Information Technology Standards 
Registry defines "mandated standards" as "the minimum set of essential 
standards for implementation in the acquisition of all DOD systems 
that produce, use, or exchange information and, when implemented, 
facilitate the flow of information in support of the warfighter. These 
standards are mandated for the management, development, and 
acquisition of new or improving systems throughout the DOD." 
Department of Army, Biometrics Task Force, Biometrics Collection, 
Transmission and Storage Standards Technical Reference (July 24, 
2006). In this report, the terms mandated and mandated DOD standards 
refer to the status assigned to such standards as defined in 
Biometrics Collection, Transmission and Storage Standards Technical 
Reference. 

[22] Chairman of the Joint Chiefs of Staff, Instruction (CJCSI) 
6212.01E requires results from standards conformance testing to be 
part of the interoperability evaluation. The Joint Interoperability 
Test Command has conducted interoperability evaluations on its 
biometrics systems, though it was a limited assessment due to a lack 
of conformance testing by DOD. 

[23] National Science & Technology Council, Subcommittee on Biometrics 
and Identity Management, NSTC Policy for Enabling the Development, 
Adoption and Use of Biometric Standards (Sept. 7, 2007). 

[24] DOD Directive 8521.01E, Department of Defense Biometrics (Feb. 
21, 2008). 

[25] OMB Circular No. A-123, Management's Responsibility for Internal 
Control (Washington, D.C., December 2004), and GAO, Standards for 
Internal Control in the Federal Government, [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: 
November 1999). OMB issued Circular A-123, revised December 21, 2004, 
to provide the specific requirements for assessing the reporting on 
internal controls. Internal control standards and the definition of 
internal control in Circular A-123 are based on GAO's Standards for 
Internal Control in the Federal Government. 

[26] DOD Directive 8521.01E, Department of Defense Biometrics § 1.2 
(Feb. 21, 2008). 

[27] OMB Circular No. A-123. 

[28] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[29] DOD does not have an agreement in place to directly share 
information with State, and there are no plans to establish direct 
connectivity between DOD and State. State utilizes DHS's biometric 
system for sharing State's biometric information with other key 
federal agencies. 

[30] Memorandum of Understanding Between the Federal Bureau of 
Investigation and the Department of Defense for Sharing of Biometric 
and Other Identity Management Information, September 2009. The FBI is 
a component of DOJ. 

[31] DOD Directive 8521.01E, Department of Defense Biometrics § 5.2.2 
(Feb. 21, 2008), designates responsibility to the Under Secretary of 
Defense for Policy to prepare and issue interagency agreements, among 
other things, for biometrics activities, as appropriate. 

[32] Memorandum of Understanding Between the Department of State and 
the Department of Homeland Security for Cooperation in: Enhanced 
Border Security - the US-VISIT Program, the Biometric Visa Program, 
and the Visa Datashare Program, January 2005. 

[33] There are no plans to establish direct connectivity between State 
and DOJ, according to State officials. 

[34] Memorandum of Understanding Among the Department of Homeland 
Security, the Department of Justice, Federal Bureau of Investigation, 
Criminal Justice Information Services Division; and the Department of 
State, Bureau of Consular Affairs for Improved Information Sharing 
Services, July 1, 2008. 

[35] There are no plans to establish direct connectivity between DOD 
and State, according to State officials. 

[36] GAO, Defense Management: DOD Can Establish More Guidance for 
Biometrics Collection and Explore Broader Data Sharing, [hyperlink, 
http://www.gao.gov/products/GAO-09-49] (Washington, D.C.: Oct. 15, 
2008). 

[37] [hyperlink, http://www.gao.gov/products/GAO-09-49]. 

[38] DOD, Directive 8521.01E, Department of Defense Biometrics § 4.4 
and § 4.11 (Feb. 21, 2008). The Intelligence Reform and Terrorism 
Prevention Act created an Information Sharing Environment, defined as 
an approach that facilitates the sharing of terrorism and homeland 
security information, with a Program Manager responsible for 
information sharing across the federal government. The Intelligence 
Reform and Terrorism Prevention Act (IRTPA) of 2004, Pub. L. No. 
108-458, § 1016 (2004). 

[39] Department of Defense Biometrics Enterprise Strategic Plan, 
2008 - 2015 (Aug. 27, 2008). 

[40] We identified DOD, DHS, DOJ/FBI, and State as key federal 
agencies in the collection and sharing of biometric information. DOD, 
DOJ, and DHS have responsibility for our nation's security and 
maintain three major federal biometric systems that are used to 
prevent harm to our nation's security, and State helps protect our 
national security through the use of vital information from these 
systems to screen potential foreign visitors who may want to harm our 
nation. 

[41] The National Science and Technology Council is responsible for 
the Committee on Technology, which has a Subcommittee on Biometrics 
and Identity Management. The National Science and Technology Council 
falls under the purview of the Office of Science and Technology Policy 
in the Executive Office of the President. 

[42] Memorandum of Understanding Between the Department of State and 
the Department of Homeland Security for Cooperation in: Enhanced 
Border Security – the US-VISIT Program, the Biometric Visa Program, 
and the Visa Datashare Program, January 2005; Memorandum of 
Understanding Among the Department of Homeland Security; the 
Department of Justice, Federal Bureau of Investigation, Criminal 
Justice Information Services Division; and the Department of State, 
Bureau of Consular Affairs for Improved Information Sharing Services 
(July 1, 2008); and Memorandum of Understanding Between the Federal 
Bureau of Investigation and the Department of Defense for Sharing of 
Biometric and Other Identity Management Information (Sept. 2009). 

[43] GAO, Global War on Terrorism: DOD Needs to Take Action to 
Encourage Fiscal Discipline and Optimize the Use of Tools Intended to 
Improve GWOT Cost Reporting, [hyperlink, 
http://www.gao.gov/products/GAO-08-68] (Washington, D.C.: Nov. 6, 
2007). 

[End of section] 
