Biometric Identity System: DHS Needs to Address Significant Shortcomings in Program Management and Privacy
Fast Facts
Since 2016, the Department of Homeland Security has been working to replace its outdated biometric identity management system that matches fingerprints and facial features. DHS expects the new system to store hundreds of millions of identities.
But the system is way behind schedule and costs more than estimated—even after readjusting the schedule and cost estimates twice. And these estimates are unreliable because DHS doesn't follow our best practices for calculating them.
In addition, DHS needs to do much more to protect the privacy of individuals whose information is in this new system. We recommended addressing these issues.
Highlights
What GAO Found
Since rebaselining its original cost and schedule commitments in 2019, the Department of Homeland Security's (DHS) Homeland Advanced Recognition Technology (HART) program has further delayed its schedule. Specifically, in 2020 the program declared a second schedule breach and its first cost breach. Accordingly, DHS rebaselined the program again. This extended the schedule for delivering the initial capabilities to replace the legacy system by an additional 33 months beyond the 2019 plan. In addition, the 2022 rebaseline did not include an estimate for completing the program (see table).
Changes in the Homeland Advanced Recognition Technology (HART) Program Schedule from 2019 to 2022
|
Milestone |
Planned completion datea (as of May 2019) |
Planned completion datea (as of May 2022) |
|---|---|---|
|
Initial operational capability |
December 31, 2020 |
September 30, 2023 |
|
Complete full program |
June 30, 2024 |
Not yet planned |
Source: GAO analysis of Department of Homeland Security data. | GAO-23-105959
aThis represents the schedule threshold dates defined in the HART acquisition program baseline.
Regarding costs, the program's 2022 rebaseline increased its estimated costs by $354 million. In April 2023, program officials stated that they needed to rebaseline HART's schedule a third time due to, among other things, higher than expected software defects and performance issues.
The program's 2022 cost and schedule estimates did not fully follow GAO's identified cost and schedule best practices and were, therefore, unreliable. Specifically, the program's cost estimate did not substantially or fully meet the four characteristics of a reliable cost estimate. Moreover, the program's schedule estimate did not substantially or fully meet three of the four characteristics of a reliable schedule estimate. Until these weaknesses are addressed, the HART cost and schedule estimates will continue to be unreliable. In turn, this will impair the ability of senior leadership to make informed decisions regarding the program's future.
DHS fully implemented five of 12 selected Office of Management and Budget privacy requirements. For example, the program addressed the requirement to appropriately encrypt information by demonstrating encryption settings for information at rest and in transit. However, DHS had gaps in the remaining seven requirements. For example, the program's privacy impact assessment, which is intended to analyze how personal information is collected, shared, and managed, was missing key information. Specifically, the assessment was missing information on (1) individuals whose data will be stored in the system and (2) the partners with whom the system will share information. In addition, the program did not have assurances that partners that provide information to the system will appropriately retain and dispose of personally identifiable information. Until DHS addresses these privacy weaknesses, the department lacks assurance that the hundreds of millions individuals' personally identifiable information that will be stored and shared by HART will be appropriately protected.
Why GAO Did This Study
DHS currently uses an outdated system, implemented over 29 years ago, for providing biometric identity management services (e.g., fingerprint matching). The system stores over 290 million identities. In 2016, DHS initiated a multi-billion dollar program known as HART, which is intended to replace the legacy system. GAO previously reported that due to several challenges, in 2017 the program breached its schedule baseline. In 2019 the program established new cost and schedule commitments with DHS leadership (referred to as a rebaseline). This resulted in delaying the program by 3 years.
GAO was asked to evaluate the HART program. This report's objectives were to (1) determine how the HART program has changed since the 2019 baseline, (2) assess the extent to which the program's cost and schedule estimates followed best practices, and (3) assess the extent to which DHS implemented selected privacy requirements for the program.
GAO reviewed HART planning documentation, evaluated cost and schedule estimates against best practices identified by GAO, and compared privacy documentation to selected Office of Management and Budget privacy requirements. GAO also interviewed appropriate officials.
Recommendations
GAO is making nine recommendations to DHS to follow best practices when preparing HART cost and schedule estimates and implement selected privacy requirements for the system. DHS concurred with the recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to update the cost estimate for the HART program to account for all costs and incorporate the best practices called for in the GAO Cost Estimating and Assessment Guide. (Recommendation 1) |
DHS officials stated that they plan to update the HART lifecycle cost estimate (LCCE) by June 2024 and that the update will include a crosswalk to demonstrate alignment with GAO's best practices that were not met in the prior versions of the estimate. The department officials added that they will update the LCCE to include costs for implementing future capabilities after DHS delivers increment 1. DHS set an estimated completion date for this recommendation of September 30, 2027.
|
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to revise the schedule estimate for the HART program that incorporates the best practices called for in the GAO Schedule Assessment Guide. (Recommendation 2) |
DHS stated that they plan to provide an updated high-level schedule for HART increment 1 (referred to as the HART Roadmap) to GAO, by June 2024. The officials added that the roadmap for implementing future capabilities will be developed after DHS delivers increment 1. DHS plans to fully implement this recommendation by September 2027.
|
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to coordinate with the Privacy Office to establish and implement a timeline for updating the HART PIA to fully describe the categories of individuals whose data will be stored in HART and the partners with whom the system shares information. (Recommendation 3) |
In March 2024, DHS stated that the OBIM Privacy Office continues to work with the DHS Privacy Office to update the HART Increment 1 Privacy Impact Assessment (PIA). The department stated that OBIM plans to include the identification of categories of individuals whose personally identifiable information (PII) is stored in HART, and the partners with whom the system shares information, by July 31, 2024.
|
| Department of Homeland Security | The Secretary of DHS should direct the Privacy Office to describe planned methodologies for determining that all privacy controls are implemented correctly and operating as intended for future control assessments of the HART program. (Recommendation 4) |
In March 2024, DHS officials stated that they will provide documentation demonstrating that they addressed this recommendation. As of April 2024, the department had not provided this documentation. We will continue to monitor DHS's progress to address this recommendation.
|
| Department of Homeland Security | The Secretary of DHS should direct the Privacy Office to develop a timeline for completing the planned HART privacy compliance review. (Recommendation 5) |
In March 2024, the department stated that the DHS Privacy Office has an ongoing privacy compliance review of HART, which focuses on recommendation implementation and expected to complete the review by the end of FY 2024. In April 2024, DHS provided support of internally tracking completion of the privacy compliance review. We are reviewing this support and will update the status of this recommendation accordingly.
|
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to coordinate with the Privacy Office to establish and implement plans for correcting seven remaining privacy deficiencies identified in the HART PIA. (Recommendation 6) |
In March 2024, the department stated that the DHS Privacy Office and OBIM Privacy Office will collaborate to develop plans to address the recommendations made in the HART Increment 1 PIA as part of the privacy compliance review process by September 30, 2024.
|
| Department of Homeland Security | The Secretary of DHS should direct the Privacy Office to ensure the complete HART authorization package is reviewed by the office prior to future system authorizations. (Recommendation 7) |
DHS official agreed with this recommendation and stated that they will provide supporting documentation by June 2024.
|
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to establish and implement a timeline for maintaining a reliable inventory of information sharing and access agreements with partners that share data with HART. (Recommendation 8) |
In its 180-day letter provided in March 2024, DHS stated that OBIM continues to work on the internal information sharing and access agreement inventory. The department added that once the internal inventory listing has been completed and updated, OBIM will upload the inventory of information sharing and access agreements to the DHS's enterprise architecture system to support efforts to maintain all agreements in a central system. DHS set a goal of July 31, 2024 to address this recommendation.
|
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to establish and maintain a process for ensuring that partners that provide data to HART have used the system's services to help to appropriately dispose of PII from the system, in accordance with applicable records retention schedules. (Recommendation 9) |
In its 180-day letter provided in March 2024, DHS stated that OBIM is conducting its first Data Retention review in Fiscal Year 2024. The department stated that review preparation began in Quarter 1 Fiscal Year 2024, which included drafting a standard operating procedure for conducting the review, and obtaining record schedules for all partners. DHS noted that obtaining the records schedules is requiring more time than originally estimated and expects to address this recommendation by March 31, 2025.
|