Homeland Security Acquisitions: Joint Requirements Council's Initial Approach Is Generally Sound and It Is Developing a Process to Inform Investment Priorities
Fast Facts
The Department of Homeland Security plans to invest over $180 billion on major IT systems, aircraft, and other major acquisitions to help secure the nation from the many threats it faces.
Who helps DHS decide how to spend all that money?
DHS's Joint Requirements Council was created in 2014 to help inform investment priorities and identify, develop, and approve department needs. Given that two-thirds of such investment priorities are IT-related, the Office of the Chief Information Officer needs a more permanent seat on the Council.
We recommend that the Secretary of Homeland Security direct the Council to make the OCIO a member.
DHS's Multi-Role Enforcement Aircraft
Photo of aircraft flying.
Highlights
What GAO Found
GAO found that the Department of Homeland Security's (DHS) Joint Requirements Council's (JRC) structure and management approach—informed by assessments of requirements processes, guidance, and lessons learned from DHS components and the Department of Defense—are generally consistent with key practices for mergers and organizational transformations. However, although 24 of DHS's 36 major acquisitions are information technology programs, the department's Office of the Chief Information Officer (OCIO) serves as a non-voting advisor to the JRC. Because GAO has previously identified poor requirements definition as a factor in failed information technology programs, a more formal and consistent role for the OCIO could help minimize the risk that programs will begin with poorly developed requirements. In addition, some components lack the capacity to develop sound capability and requirements documents to present to the JRC. DHS officials are aware of this issue and are planning to take steps to address it, but it will likely take some time to do so.
The JRC has begun to review or validate capability and requirements documents, including one joint-operational requirements document between the U.S. Coast Guard and U.S. Customs and Border Protection for a common aircraft mission system.
JRC-Reviewed or Validated Capability and Requirements Documents
|
Capability Analysis Study Plan |
Capability Analysis Report |
Mission Needs Statement |
Concept of Operations |
Operational Requirements Document |
Joint Operational Requirements Document |
|
13 |
0 |
8 |
0 |
8 |
1 |
Source: GAO analysis of DHS data, as of August 2016. | GAO-17-171
The JRC's role in prioritizing requirements and informing DHS's investment decisions is just beginning under a new joint assessment of requirements process. As the process evolves, the JRC will brief senior officials responsible for preparing DHS's budget requests. As shown below, the JRC plans for almost all of DHS's requirements to be evaluated under the new process in time to inform resource tradeoffs for the fiscal year 2021 budget request.
Plans for the Joint Assessment of Requirements to Prioritize Investments
|
Year of review |
Fiscal year 2016 |
Fiscal year 2017 |
Fiscal year 2018 |
|
Scope of requirements JRC will prioritize |
Limited number (8-10) of new |
All new and existing for major acquisitions |
All new and existing, including for some smaller acquisitions |
|
Planned outcome |
Informational briefing in spring 2017 |
Informational briefing in spring 2018 |
Spring 2019 briefing to inform fiscal year 2021 budget request |
Source: GAO analysis of DHS data and discussions with agency officials. | GAO-17-171
While it is too soon to tell what impact the JRC and associated processes will have on investment priorities or inefficiencies, JRC and other senior DHS officials recognize that sustained management focus is needed to continue momentum.
Why GAO Did This Study
In 2003, DHS established a JRC to review and prioritize requirements across the department's components—such as the U.S. Coast Guard and U.S. Customs and Border Protection. However, due to a lack of senior management involvement, it became inactive. Over a decade later and after a 2008 GAO recommendation that the JRC be reinstated, the Secretary of Homeland Security directed the creation of a new JRC in June 2014.
GAO was asked to review the organization and activities of the current JRC. This report addresses, among other things, the extent to which the JRC (1) has a structure and management approach consistent with key practices; and (2) has begun reviewing and validating capability and requirements documents and informing DHS investment priorities.
GAO reviewed relevant policies and procedures, examined capability and requirements documents, and assessed the JRC's efforts against GAO's key practices for organizational transformation. GAO also interviewed JRC and senior DHS officials, the OCIO and other DHS headquarters officials, component officials, and officials from a non-generalizable sample of 10 program offices that had at least one document reviewed or validated by the JRC or were early in the acquisition life cycle.
Recommendations
GAO recommends that the Secretary of Homeland Security direct the JRC to make the OCIO a JRC principal. DHS concurred with the recommendation and expects to implement it by October 31, 2016.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Homeland Security | To ensure that the JRC has members with the skills to enable discussion and make appropriate decisions, the Secretary of Homeland Security should direct the JRC to make the OCIO a principal of the JRC, given that the majority of DHS's major acquisition programs are Information Technology (IT)-related. |
On November 29, 2016, the JRC Chair signed a memo to the Deputy Under Secretary for Management (USM) formally modifying JRC membership and requesting a senior executive from OCIO to be appointed to the JRC who would join the other USM representatives from the Management Offices of Program Accountability and Risk Management, and Program Analysis and Evaluation. On January 18, 2017, the Deputy USM and Chief Financial Officer designated the Chief Technology Officer as the OCIO representative on the JRC.
|