This is the accessible text file for GAO report number GAO-12-382T entitled 'Department of Homeland Security: Additional Actions Needed to Strengthen Strategic Planning and Management Functions' which was released on February 3, 2012. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Testimony: Before the Subcommittee on Oversight, Investigations, and Management, Committee on Homeland Security, House of Representatives: For Release on Delivery: Expected at 10:00 a.m. EST: Friday, February 3, 2012: Department of Homeland Security: Additional Actions Needed to Strengthen Strategic Planning and Management Functions: Statement of David C. Maurer, Director: Homeland Security and Justice Issues: GAO-12-382T: GAO Highlights: Highlights of GAO-12-382T, a testimony before the Subcommittee on Oversight, Investigations, and Management, Committee on Homeland Security, House of Representatives. Why GAO Did This Study: The Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act) requires that beginning in fiscal year 2009 and every 4 years thereafter the Department of Homeland Security (DHS) conduct a review that provides a comprehensive examination of the homeland security strategy of the United States. In February 2010, DHS issued its first Quadrennial Homeland Security Review (QHSR) report, outlining a strategic framework for homeland security. In July 2010 DHS issued a report on the results of its Bottom-Up Review (BUR), a departmentwide assessment to implement the QHSR strategy by aligning DHS’s programmatic activities, such as inspecting cargo at ports of entry, and its organizational structure with the missions and goals identified in the QHSR. This testimony addresses DHS’s efforts to (1) strategically plan its homeland security missions through the QHSR, (2) set strategic priorities and measure performance, and (3) build a unified department. This testimony is based on GAO reports issued in December 2010, February 2011, and September 2011. What GAO Found: DHS’s primary strategic planning effort in recent years has been the QHSR. In September 2011, GAO reported on the extent to which DHS consulted with stakeholders in developing the QHSR. DHS solicited input from various stakeholder groups in conducting the first QHSR, but DHS officials, several stakeholders GAO contacted, and other reviewers of the QHSR noted concerns with time frames provided for stakeholder consultations and outreach to nonfederal stakeholders. Specifically, DHS consulted with stakeholders-—federal agencies; department and component officials; state, local, and tribal governments; the private sector; academics; and policy experts—- through various mechanisms, such as the solicitation of papers to help frame the QHSR. DHS and these stakeholders identified benefits from these consultations, such as DHS receiving varied perspectives. However, stakeholders also identified challenges in the consultation process, such as concerns about the limited time frames for providing input into the QHSR or BUR and the need to examine additional mechanisms for including more nonfederal stakeholders in consultations. By providing more time for obtaining feedback and examining mechanisms to obtain nonfederal stakeholders’ input, DHS could strengthen its management of stakeholder consultations and be better positioned to review and incorporate, as appropriate, stakeholders’ input during future reviews. DHS considered various factors in identifying high-priority BUR initiatives for implementation in fiscal year 2012 but did not include risk information as one of these factors, as called for in GAO’s prior work and DHS’s risk-management guidance. Through the BUR, DHS identified 43 initiatives aligned with the QHSR mission areas to serve as mechanisms for implementing those mission areas. According to DHS officials, DHS did not consider risk information in prioritizing initiatives because of differences among the initiatives that made it difficult to compare risks across them, among other things. In September 2011, GAO reported that consideration of risk information during future implementation efforts could help strengthen DHS’s prioritization of mechanisms for implementing the QHSR. Further, GAO reported that DHS established performance measures for most of the QHSR objectives and had plans to develop additional measures. However, with regard to specific programs, GAO’s work has shown that a number of programs and efforts lack outcome goals and measures, hindering the department’s ability to effectively assess results. In 2003, GAO designated the transformation of DHS as high risk because DHS had to transform 22 agencies-—several with major management challenges-—into one department, and failure to effectively address DHS’s management and mission risks could have serious consequences for U.S. national and economic security. DHS has taken action to implement, transform, and strengthen its management functions, such as developing a strategy for addressing this high-risk area and putting in place common policies, procedures, and systems within individual management functions, such as human capital, that help to integrate its component agencies. However, DHS needs to demonstrate measurable, sustainable progress in implementing its strategy and corrective actions to address its management challenges. What GAO Recommends: GAO made recommendations in prior reports for DHS to, among other things, provide more time for consulting with stakeholders during the QHSR process, examine additional mechanisms for obtaining input from nonfederal stakeholders, and examine how risk information could be used in prioritizing future QHSR initiatives. DHS concurred and has actions planned or underway to address them. View [hyperlink, http://www.gao.gov/products/GAO-12-382T]. For more information, contact David C. Maurer at (202) 512-9627 or maurerd@gao.gov. [End of section] Chairman McCaul, Ranking Member Keating, and Members of the Subcommittee: I am pleased to be here today to discuss Department of Homeland Security (DHS) strategic planning. Various strategies and plans exist for guiding homeland security efforts across the homeland security enterprise.[Footnote 1] For example, the May 2010 National Security Strategy outlines key security priorities and the 2007 National Homeland Security Strategy defined the homeland security mission for the federal government. More specific to DHS, the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act) requires that beginning in fiscal year 2009 and every 4 years thereafter DHS conduct a review that provides a comprehensive examination of the homeland security strategy of the United States. [Footnote 2] In February 2010, DHS issued its first Quadrennial Homeland Security Review (QHSR) report, outlining a strategic framework for homeland security to guide the activities of homeland security partners, including federal, state, local, and tribal government agencies; the private sector; and nongovernmental organizations.[Footnote 3] In addition to the QHSR, in July 2010 DHS issued a report on the results of its Bottom-Up Review (BUR), a departmentwide assessment to implement the QHSR strategy by aligning DHS's programmatic activities, such as apprehending fugitive aliens and inspecting cargo at ports of entry, and its organizational structure with the missions and goals identified in the QHSR.[Footnote 4] The BUR report described DHS's current activities contributing to (1) QHSR mission performance, (2) departmental management, and (3) accountability. Subsequent to publishing the BUR report, DHS identified priority initiatives, such as strengthening aviation security and enhancing the department's risk management capability, to strengthen DHS's mission performance, improve departmental management, and increase accountability. DHS's ongoing efforts to identify strategic goals and align key missions and resources with those goals are supported by another key departmental goal: building a unified department. In 2003, GAO designated implementing and transforming DHS as high risk because DHS had to transform 22 agencies--several with major management challenges- -into one department. Failure to effectively address DHS's management and mission risks could have serious consequences for U.S. national and economic security. Our prior work, undertaken before the creation of DHS, found that successful transformations of large organizations, even those faced with less-strenuous reorganizations than DHS, can take years to achieve. DHS is now the third-largest federal department with more than 200,000 employees and $56 billion in budget authority, and its transformation is critical to achieving its homeland security missions. My testimony today focuses on the findings from our prior work in three key areas: * DHS's efforts to strategically plan its homeland security missions departmentwide through the QHSR, * DHS's efforts to set strategic priorities and measure performance departmentwide, and: * DHS's efforts to build and implement a unified department. This statement is based on four past reports, issued in December 2010, February 2011, and September 2011, related to DHS's QHSR, GAO's high- risk series, and DHS mission implementation.[Footnote 5] For these past reports, among other things, we interviewed DHS officials; analyzed DHS strategic documents; and reviewed our past reports, supplemented by DHS Office of Inspector General (IG) reports, issued since DHS began its operations in March 2003. We conducted this work in accordance with generally accepted government auditing standards. More detailed information on the scope and methodology from our previous work can be found within each specific report. DHS Strategically Planned Its Homeland Security Missions Departmentwide through the QHSR, but Stakeholder Consultations Could Be Enhanced: [Side bar: The QHSR identified five homeland security missions—-(1) Preventing Terrorism and Enhancing Security, (2) Securing and Managing Our Borders, (3) Enforcing and Administering Our Immigration Laws, (4) Safeguarding and Securing Cyberspace, and (5) Ensuring Resilience to Disasters—-and goals and objectives to be achieved within each mission. A sixth category of DHS activities—-Providing Essential Support to National and Economic Security-—was added in the fiscal year 2012 budget request but was not included in the 2010 QHSR report. End of side bar] DHS's primary strategic planning effort in recent years has been the QHSR. DHS approached the 9/11 Commission Act requirement for a quadrennial homeland security review in three phases. The QHSR identified five homeland security missions--(1) Preventing Terrorism and Enhancing Security, (2) Securing and Managing Our Borders, (3) Enforcing and Administering Our Immigration Laws, (4) Safeguarding and Securing Cyberspace, and (5) Ensuring Resilience to Disasters--and goals and objectives to be achieved within each mission. A sixth category of DHS activities--Providing Essential Support to National and Economic Security--was added in the fiscal year 2012 budget request but was not included in the 2010 QHSR report. * In the first phase, DHS defined the nation's homeland security interests, identified the critical homeland security missions, and developed a strategic approach to those missions by laying out the principal goals, objectives, and strategic outcomes for the mission areas. DHS reported on the results of this effort in the February 2010 QHSR report in which the department identified 5 homeland security missions, 14 associated goals, and 43 objectives. The QHSR report also identified threats and challenges confronting U.S. homeland security, strategic objectives for strengthening the homeland security enterprise, and federal agencies' roles and responsibilities for homeland security. * In the second phase--the BUR--DHS identified its component agencies' activities, aligned those activities with the QHSR missions and goals, and made recommendations for improving the department's organizational alignment and business processes. DHS reported on the results of this second phase in the July 2010 BUR report. * In the third phase DHS developed its budget plan necessary to execute the QHSR missions. DHS presented this budget plan in the President's fiscal year 2012 budget request, issued February 14, 2011, and the accompanying Fiscal Year 2012-2016 Future Years Homeland Security Program (FYHSP), issued in May 2011. In December 2010, we issued a report on the extent to which the QHSR addressed the 9/11 Commission Act's required reporting elements. [Footnote 6] We reported that of the nine 9/11 Commission Act reporting elements for the QHSR, DHS addressed three and partially addressed six.[Footnote 7] Elements DHS addressed included a description of homeland security threats and an explanation of underlying assumptions for the QHSR report. Elements addressed in part included a prioritized list of homeland security missions, an assessment of the alignment of DHS with the QHSR missions, and discussions of cooperation between the federal government and state, local, and tribal governments. In September 2011, we reported on the extent to which DHS consulted with stakeholders in developing the QHSR.[Footnote 8] DHS solicited input from various stakeholder groups in conducting the first QHSR, but DHS officials, stakeholders GAO contacted, and other reviewers of the QHSR noted concerns with time frames provided for stakeholder consultations and outreach to nonfederal stakeholders. DHS consulted with stakeholders--federal agencies; department and component officials; state, local, and tribal governments; the private sector; academics; and policy experts--through various mechanisms, such as the solicitation of papers to help frame the QHSR and a web-based discussion forum. DHS and these stakeholders identified benefits from these consultations, such as DHS receiving varied perspectives. However, stakeholders also identified challenges in the consultation process. For example: * Sixteen of 63 stakeholders who provided comments to GAO noted concerns about the limited time frames for providing input into the QHSR or BUR. * Nine other stakeholders commented that DHS consultations with nonfederal stakeholders, such as state, local, and private-sector entities, could be enhanced by including more of these stakeholders in QHSR consultations. * Reports on the QHSR by the National Academy of Public Administration, which administered DHS's web-based discussion forum, and a DHS advisory committee comprised of nonfederal representatives noted that DHS could provide more time and strengthen nonfederal outreach during stakeholder consultations. By providing more time for obtaining feedback and examining mechanisms to obtain nonfederal stakeholders' input, DHS could strengthen its management of stakeholder consultations and be better positioned to review and incorporate, as appropriate, stakeholders' input during future reviews. We recommended that DHS provide more time for consulting with stakeholders during the QHSR process and examine additional mechanisms for obtaining input from nonfederal stakeholders during the QHSR process, such as whether panels of state, local, and tribal government officials or components' existing advisory or other groups could be useful. DHS concurred and reported that it will endeavor to incorporate increased opportunities for time and meaningful stakeholder engagement and will examine the use of panels of nonfederal stakeholders for the next QHSR. DHS Did Not Prioritize QHSR Missions or Use Risk Assessments to Help Set Strategic Priorities and Could Improve Departmentwide Performance Measures: The 9/11 Commission Act called for DHS to prioritize homeland security missions in the QHSR.[Footnote 9] As we reported in December 2010, DHS identified five homeland security missions in the QHSR, but did not fully address the 9/11 Commission Act reporting element because the department did not prioritize the missions.[Footnote 10] According to DHS officials, the five missions listed in the QHSR report have equal priority--no one mission is given greater priority than another. Moreover, they stated that in selecting the five missions from the many potential homeland security mission areas upon which DHS could focus its efforts, the five mission areas are DHS's highest-priority homeland security concerns. Risk management has been widely supported by Congress and DHS as a management approach for homeland security, enhancing the department's ability to make informed decisions and prioritize resource investments. In September 2011, we also reported that in the 2010 QHSR report, DHS identified threats confronting homeland security, such as high-consequence weapons of mass destruction and illicit trafficking, but did not conduct a national risk assessment for the QHSR.[Footnote 11] DHS officials stated that at the time DHS conducted the QHSR, DHS did not have a well-developed methodology or the analytical resources to complete a national risk assessment that would include likelihood and consequence assessments--key elements of a national risk assessment. The QHSR terms of reference, which established the QHSR process, also stated that at the time the QHSR was launched, DHS lacked a process and a methodology for consistently and defensibly assessing risk at a national level and using the results of such an assessment to drive strategic prioritization and resource decisions. In recognition of a need to develop a national risk assessment, DHS created a study group as part of the QHSR process that developed a national risk assessment methodology. DHS officials plan to implement a national risk assessment in advance of the next QHSR, which DHS anticipates conducting in fiscal year 2013. Consistent with DHS's plans, we reported that a national risk assessment conducted in advance of the next QHSR could assist DHS in developing QHSR missions that target homeland security risks and could allow DHS to demonstrate how it is reducing risk across multiple hazards. DHS Could Strengthen Its Use of Risk Information in Prioritizing Initiatives and Planning and Investment Decision Making: DHS considered various factors in identifying high-priority BUR initiatives for implementation in fiscal year 2012 but did not include risk information as one of these factors as called for in our prior work and DHS's risk management guidance.[Footnote 12] Through the BUR, DHS identified 43 initiatives aligned with the QHSR mission areas to help strengthen DHS's activities and serve as mechanisms for implementing those mission areas (see app. I for a complete list). According to DHS officials, the department could not implement all of these initiatives in fiscal year 2012 because of, among other things, resource constraints and organizational or legislative changes that would need to be made to implement some of the initiatives. In identifying which BUR initiatives to prioritize for implementation in fiscal year 2012, DHS leadership considered (1) "importance," that is, how soon the initiative needed to be implemented; (2) "maturity," that is, how soon the initiative could be implemented; and (3) "priority," that is, whether the initiative enhanced secretarial or presidential priorities. Risk information was not included as an element in any of these three criteria, according to DHS officials, because of differences among the initiatives that made it difficult to compare risks across them, among other things. However, DHS officials stated that there are benefits to considering risk information in resource allocation decisions. Consideration of risk information during future implementation efforts could help strengthen DHS's prioritization of mechanisms for implementing the QHSR, including assisting in determinations of which initiatives should be implemented in the short or longer term. In our September 2011 report, we recommended that DHS examine how risk information could be used in prioritizing future QHSR initiatives. DHS concurred and reported that DHS intends to conduct risk analysis specific to the QHSR in advance of the next review and will use the analysis as an input into decision making related to implementing the QHSR. Further, in September 2011, we reported on progress made by DHS in implementing its homeland security missions since 9/11.[Footnote 13] As part of this work, we identified various themes that affected DHS's implementation efforts. One of these themes was DHS's efforts to strategically manage risk across the department. We reported that DHS made important progress in assessing and analyzing risk across sectors. For example, in January 2009 DHS published its Integrated Risk Management Framework, which, among other things, calls for DHS to use risk assessments to inform decision making. In May 2010, the Secretary issued a Policy Statement on Integrated Risk Management, calling for DHS and its partners to manage risks to the nation. We also reported that DHS had more work to do in using this information to inform planning and resource-allocation decisions. Our work shows that DHS has conducted risk assessments across a number of areas, but should strengthen the assessments and risk management process. For example: * In June 2011, we reported that DHS and Health and Human Services could further strengthen coordination for chemical, biological, radiological, and nuclear (CBRN) risk assessments. Among other things, we recommended that DHS establish time frames and milestones to better ensure timely development and interagency agreement on written procedures for development of DHS's CBRN risk assessments. DHS concurred and stated that the department had begun efforts to develop milestones and time frames for its strategic and implementation plans for interagency risk assessment development.[Footnote 14] * In November 2011, we reported that the U.S. Coast Guard used its Maritime Security Risk Assessment Model at the national level to focus resources on the highest-priority targets, leading to Coast Guard operating efficiencies, but use at the local level for operational and tactical risk-management efforts has been limited by a lack of staff time, the complexity of the risk tool, and competing mission demands. [Footnote 15] Among other things, we recommended that the Coast Guard provide additional training for sector command staff and others involved in sector management and operations on how the model can be used as a risk-management tool to inform sector-level decision making. The Coast Guard concurred and stated that it will explore other opportunities to provide risk training to sector command staff, including online and webinar training opportunities. * In November 2011, we reported that the Federal Emergency Management Agency (FEMA) used risk assessments to inform funding-allocation decisions for its port security grant program.[Footnote 16] However, we found that FEMA could further enhance its risk-analysis model and recommended incorporating the results of past security investments and refining other data inputs into the model. DHS concurred with the recommendation, but did not provide details on how it plans to implement it. * In October 2009, we reported that TSA's strategic plan to guide research, development, and deployment of passenger checkpoint screening technologies was not risk-based.[Footnote 17] Among other things, we recommended that DHS conduct a complete risk assessment related to TSA's passenger screening program and incorporate the results into the program's strategy. DHS concurred, and in July 2011 reported actions underway to address it, such as beginning to use a risk-management analysis process to analyze the effectiveness and efficiency of potential countermeasures and effect on the commercial aviation system. DHS Has Established Performance Measures, but Has Not Yet Fully Developed Outcome-Based Measures for Many of Its Mission Functions: In September 2011, we reported that DHS established performance measures for most of the QHSR objectives and had plans to develop additional measures.[Footnote 18] Specifically, DHS established new performance measures, or linked existing measures, to 13 of 14 QHSR goals, and to 3 of 4 goals for the sixth category of DHS activities-- Providing Essential Support to National and Economic Security. DHS reported these measures in its fiscal years 2010-2012 Annual Performance Report. For goals without measures, DHS officials told us that the department was developing performance measures and planned to publish them in future budget justifications to Congress. In September 2011, we also reported that DHS had not yet fully developed outcome-based measures for assessing progress and performance for many of its mission functions.[Footnote 19] We recognized that DHS faced inherent difficulties in developing performance goals and measures to address its unique mission and programs, such as in developing measures for the effectiveness of its efforts to prevent and deter terrorist attacks. While DHS had made progress in strengthening performance measurement, our work across the department has shown that a number of programs lacked outcome goals and measures, which may have hindered the department's ability to effectively assess results or fully assess whether the department was using resources effectively and efficiently. For example, our work has shown that DHS did not have performance measures for assessing the effectiveness of key border security and immigration programs, to include: * In September 2009, we reported that U.S. Customs and Border Protection (CBP) had invested $2.4 billion in tactical infrastructure (fencing, roads, and lighting) along the southwest border under the Secure Border Initiative--a multiyear, multibillion dollar program aimed at securing U.S. borders and reducing illegal immigration. [Footnote 20] However, DHS could not measure the effect of this investment in tactical infrastructure on border security. We recommended that DHS conduct an evaluation of the effect of tactical infrastructure on effective control of the border. DHS concurred with the recommendation and subsequently reported that the ongoing analysis is expected to be completed in February 2012. * In August 2009, we reported that CBP had established three performance measures to report the results of checkpoint operations, which provided some insight into checkpoint activity.[Footnote 21] However, the measures did not indicate if checkpoints were operating efficiently and effectively, and data reporting and collection challenges hindered the use of results to inform Congress and the public on checkpoint performance. We recommended that CBP improve the measurement and reporting of checkpoint effectiveness. CBP agreed and, as of September 2011, reported plans to develop and better use data on checkpoint effectiveness. * Further, we reported that U.S. Immigration and Customs Enforcement (ICE) and CBP did not have measures for assessing the performance of key immigration enforcement programs. For example, in April 2011, we reported that ICE did not have measures for its overstay enforcement efforts, and in May 2010 that CBP did not have measures for its alien smuggling investigative efforts, making it difficult for these agencies to determine progress made in these areas and evaluate possible improvements.[Footnote 22] We recommended that ICE and CBP develop performance measures for these two areas. They generally agreed and reported actions underway to develop these measures. DHS Has Taken Action to Implement, Strengthen, and Integrate Its Management Functions, but Needs to Demonstrate Sustainable Progress: In 2003, GAO designated the transformation of DHS as high risk because DHS had to transform 22 agencies--several with major management challenges--into one department, and failure to effectively address DHS's management and mission risks could have serious consequences for U.S. national and economic security. This high-risk area includes challenges in strengthening DHS's management functions--financial management, human capital, information technology, and acquisition management--the impact of those challenges on DHS's mission implementation, and challenges in integrating management functions within and across the department and its components. Addressing these challenges would better position DHS to align resources to its strategic priorities, assess progress in meeting mission goals, enhance linkages within and across components, and improve the overall effectiveness and efficiency of the department. On the basis of our prior work, in September 2010, we identified and provided to DHS 31 key actions and outcomes that are critical to addressing the challenges within the department's management functions and in integrating those functions across the department. These key actions and outcomes include, among others, validating required acquisition documents at major milestones in the acquisition review process; obtaining and then sustaining unqualified audit opinions for at least 2 consecutive years on the departmentwide financial statements while demonstrating measurable progress in reducing material weaknesses and significant deficiencies; and implementing its workforce strategy and linking workforce planning efforts to strategic and program-specific planning efforts to identify current and future human capital needs.[Footnote 23] In our February 2011 high-risk update, we reported that DHS had taken action to implement, transform, and strengthen its management functions, and had begun to demonstrate progress in addressing some of the actions and outcomes we identified within each management area. [Footnote 24] For example, we reported that the Secretary and Deputy Secretary of Homeland Security, and other senior officials, have demonstrated commitment and top leadership support to address the department's management challenges. DHS also put in place common policies, procedures, and systems within individual management functions, such as human capital, that help to integrate its component agencies. For example, DHS: * revised its acquisition management oversight policies to include more detailed guidance to inform departmental acquisition decision making. * strengthened its enterprise architecture, or blueprint to guide information technology acquisitions, and improved its policies and procedures for investment management. * developed corrective action plans for its financial management weaknesses, and, for the first time since its inception, DHS earned a qualified audit opinion on its fiscal year 2011 balance sheet; [Footnote 25] and: * issued its Workforce Strategy for Fiscal Years 2011-2016, which contains the department’s workforce goals, objectives, and performance measures for human capital management. Further, in January 2011, DHS provided us with its Integrated Strategy for High Risk Management, which summarized the department's preliminary plans for addressing the high-risk area. Specifically, the strategy contained details on the implementation and transformation of DHS, such as corrective actions to address challenges within each management area, and officials responsible for implementing those corrective actions. DHS provided us with updates to this strategy in June and December 2011. We provided DHS with written feedback on the January 2011 strategy and the June update, and have worked with the department to monitor implementation efforts. We noted that both versions of the strategy were generally responsive to actions and outcomes we identified for the department to address the high-risk area. For example, DHS included a management integration plan containing information on initiatives to integrate its management functions across the department. Specifically, DHS plans to establish a framework for managing investments across its components and management functions to strengthen integration within and across those functions, as well as to ensure that mission needs drive investment decisions. This framework seeks to enhance DHS resource decision making and oversight by creating new department-level councils to identify priorities and capability gaps, revising how DHS components and lines of business manage acquisition programs, and developing a common framework for monitoring and assessing implementation of investment decisions. These actions, if implemented effectively, should help to further and more effectively integrate the department and enhance DHS's ability to implement its strategies. However, we noted in response to the June update that specific resources to implement planned corrective actions were not consistently identified, making it difficult to assess the extent to which DHS has the capacity to implement these actions. Additionally, for both versions, we noted that the department did not provide information on the underlying metrics or factors DHS used to rate its progress, making it difficult for us to assess DHS's overall characterizations of progress. We are currently assessing the December 2011 update and plan to provide DHS with feedback shortly. Although DHS has made progress in strengthening and integrating its management functions, the department continues to face significant challenges affecting the department's transformation efforts and its ability to meet its missions. In particular, challenges within acquisition, information technology, financial, and human capital management have resulted in performance problems and mission delays. For example, DHS does not yet have enough skilled personnel to carry out activities in some key programmatic and management areas, such as for acquisition management. DHS also has not yet implemented an integrated financial management system, impeding its ability to have ready access to information to inform decision making, and has been unable to obtain a clean audit opinion on the audit of its consolidated financial statements since its establishment. Going forward, DHS needs to implement its Integrated Strategy for High Risk Management, and continue its efforts to (1) identify and acquire resources needed to achieve key actions and outcomes; (2) implement a program to independently monitor and validate corrective measures; and (3) show measurable, sustainable progress in implementing corrective actions and achieving key outcomes. Demonstrated, sustained progress in all of these areas will help DHS strengthen and integrate management functions within and across the department and its components. Chairman McCaul, Ranking Member Keating, and Members of the Subcommittee, this concludes my prepared statement. I would be pleased to respond to any questions that you may have. GAO Contact and Staff Acknowledgments: For questions about this statement, please contact David C. Maurer at (202) 512-9627 or maurerd@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. Individuals making key contributions to this statement include Rebecca Gambler, Acting Director; Ben Atwater; Scott Behen; Janay Sam; Jean Orland; and Justin Dunleavy. Key contributors for the previous work that this testimony is based on are listed within each individual product. [End of section] Appendix I: Bottom-Up Review Initiatives: Initiatives selected by DHS for implementation in fiscal year 2012 listed in bold. Mission One: Preventing Terrorism and Enhancing Security: 1. Strengthen counterterrorism coordination across DHS: 2. Strengthen aviation security: 3. Create an integrated departmental information sharing architecture: 4. Deliver infrastructure protection and resilience capabilities to the field: 5. Set national performance standards for identification verification: 6. Increase efforts to detect and counter nuclear and biological weapons and dangerous materials: 7. Leverage the full range of capabilities to address biological and nuclear threats: 8. Standardize and institutionalize the National Fusion Center Network: 9. Promote safeguards for access to secure areas in critical facilities: 10. Establish DHS as a center of excellence for canine training and deployment: 11. Redesign the Federal Protective Service (FPS) to better match mission requirements: Mission Two: Securing and Managing Our Borders: 12. Expand joint operations and intelligence capabilities, including enhanced domain awareness: 13. Prioritize immigration and customs investigations: 14. Enhance the security and resilience of global trade and travel systems: 15. Strengthen and expand DHS-related security assistance internationally (e.g., border integrity and customs enforcement security assistance) consistent with U.S. government security, trade promotion, international travel, and foreign assistance objectives: 16. Enhance North American security: Mission Three: Enforcing and Administering Our Immigration Laws: 17. Comprehensive immigration reform: 18. Improve DHS immigration services processes: 19. Focus on fraud detection and national security vetting: 20. Target egregious employers who knowingly exploit illegal workers: 21. Dismantle human smuggling organizations: 22. Improve the detention and removal process: 23. Work with new Americans so that they fully transition to the rights and responsibilities of citizenship: 24. Maintain a model detention system commensurate with risk: Mission Four: Safeguarding and Securing Cyberspace: 25. Increase the focus and integration of DHS's operational cyber security and infrastructure resilience activities: 26. Strengthen DHS ability to protect cyber networks: 27. Increase DHS predictive and forensic capabilities for cyber intrusions and attacks: 28. Promote cyber security public awareness: Mission Five: Ensuring Resilience to Disasters: 29. Enhance catastrophic disaster preparedness: 30. Improve DHS's ability to lead in emergency management: 31. Explore opportunities with the private sector to "design-in" greater resilience for critical infrastructure: 32. Make individual and family preparedness and critical facility resilience inherent in community preparedness: Improving Department Management: 33. Seek restoration of the Secretary's reorganization authority for DHS headquarters: 34. Realign component regional configurations into a single DHS regional structure: 35. Improve cross-Departmental management, policy, and functional integration: 36. Strengthen internal DHS counterintelligence capabilities: 37. Enhance the Department's risk management capability: 38. Strengthen coordination within DHS through cross-Departmental training and career paths: 39. Enhance the DHS workforce: 40. Balance the DHS workforce by ensuring strong federal control of all DHS work and reducing reliance on contractors: Increasing Accountability: 41. Increase Analytic Capability and Capacity: 42. Improve Performance Measurement and Accountability: 43. Strengthen Acquisition Oversight: [End of section] Related GAO Products: Coast Guard: Security Risk Model Meets DHS Criteria, but More Training Could Enhance Its Use for Managing Programs and Operations. [hyperlink, http://www.gao.gov/products/GAO-12-14]. Washington, D.C.: November 17, 2011. Port Security Grant Program: Risk Model, Grant Management, and Effectiveness Measures Could Be Strengthened. [hyperlink, http://www.gao.gov/products/GAO-12-47]. Washington, D.C.: November 17, 2011. Quadrennial Homeland Security Review: Enhanced Stakeholder Consultation and Use of Risk Information Could Strengthen Future Reviews. [hyperlink, http://www.gao.gov/products/GAO-11-873]. Washington, D.C.: September 15, 2011. Department of Homeland Security: Progress Made and Work Remaining in Implementing Homeland Security Missions 10 Years after 9/11. [hyperlink, http://www.gao.gov/products/GAO-11-881]. Washington, D.C.: September 7, 2011. National Preparedness: DHS and HHS Can Further Strengthen Coordination for Chemical, Biological, Radiological, and Nuclear Risk Assessments. [hyperlink, http://www.gao.gov/products/GAO-11-606]. Washington, D.C.: June 21, 2011. Overstay Enforcement: Additional Mechanisms for Collecting, Assessing, and Sharing Data Could Strengthen DHS's Efforts but Would Have Costs. [hyperlink, http://www.gao.gov/products/GAO-11-411]. Washington, D.C.: April 15, 2011. High-Risk Series: An Update. [hyperlink, http://www.gao.gov/products/GAO-11-278]. Washington, D.C: February 2011. Alien Smuggling: DHS Needs to Better Leverage Investigative Resources to Measure Program Performance along the Southwest Border. [hyperlink, http://www.gao.gov/products/GAO-10-328]. Washington, D.C.: May 24, 2010. Quadrennial Homeland Security Review: 2010 Reports Addressed Many Required Elements, but Budget Planning Not Yet Completed. [hyperlink, http://www.gao.gov/products/GAO-11-153R]. Washington, D.C.: December 16, 2010. Aviation Security: DHS and TSA Have Researched, Developed, and Begun Deploying Passenger Checkpoint Screening Technologies, but Continue to Face Challenges. [hyperlink, http://www.gao.gov/products/GAO-10-128]. Washington, D.C.: October 7, 2009. Secure Border Initiative: Technology Deployment Delays Persist and the Impact of Border Fencing Has Not Been Assessed. [hyperlink, http://www.gao.gov/products/GAO-09-1013T]. Washington, D.C.: September 17, 2009. Border Patrol: Checkpoints Contribute to Border Patrol's Mission, but More Consistent Data Collection and Performance Measurement Could Improve Effectiveness. [hyperlink, http://www.gao.gov/products/GAO-09-824]. Washington, D.C.: August 31, 2009. Transportation Security: Comprehensive Risk Assessments and Stronger Internal Controls Needed to Help Inform TSA Resource Allocation. [hyperlink, http://www.gao.gov/products/GAO-09-492]. Washington, D.C.: March 27, 2009. Risk Management: Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure. [hyperlink, http://www.gao.gov/products/GAO-06-91]. Washington. D.C.: Dec. 15, 2005. [End of section] Footnotes: [1] DHS defines the homeland security enterprise as the federal, state, local, tribal, territorial, nongovernmental, and private-sector entities, as well as individuals, families, and communities, who share a common national interest in the safety and security of the United States and the American population. [2] Pub. L. No. 110-53, § 2401(a), 121 Stat. 266, 543-45 (2007) (codified at 6 U.S.C. § 347). [3] DHS, Quadrennial Homeland Security Review Report: A Strategic Framework for a Secure Homeland (Washington, D.C.: February 2010). Although the act requires the first QHSR to be conducted in 2009--see 6 U.S.C. § 347(c)--the QHSR report was issued in February 2010 and we refer to it in this statement as the 2010 QHSR. [4] DHS, Bottom-Up Review Report (Washington, D.C.: July 2010). [5] GAO, Quadrennial Homeland Security Review: Enhanced Stakeholder Consultation and Use of Risk Information Could Strengthen Future Reviews, [hyperlink, http://www.gao.gov/products/GAO-11-873] (Washington, D.C.: Sept. 15, 2011); Department of Homeland Security: Progress Made and Work Remaining in Implementing Homeland Security Missions 10 Years after 9/11, [hyperlink, http://www.gao.gov/products/GAO-11-881] (Washington, D.C.: Sept. 7, 2011); High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-11-278] (Washington, D.C: February 2011); and Quadrennial Homeland Security Review: 2010 Reports Addressed Many Required Elements, but Budget Planning Not Yet Completed, [hyperlink, http://www.gao.gov/products/GAO-11-153R] (Washington, D.C.: Dec. 16, 2010). [6] [hyperlink, http://www.gao.gov/products/GAO-11-153R]. [7] We considered an element addressed if all portions of it were explicitly included in either the QHSR or BUR reports, addressed in part if one or more but not all portions of the element were included, and not addressed if neither the QHSR nor the BUR reports explicitly addressed any part of the element. [8] [hyperlink, http://www.gao.gov/products/GAO-11-873]. [9] 6 U.S.C. § 347(c)(2)(C). [10] [hyperlink, http://www.gao.gov/products/GAO-11-153R]. [11] [hyperlink, http://www.gao.gov/products/GAO-11-873]. [12] See GAO, Risk Management: Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure, [hyperlink, http://www.gao.gov/products/GAO-06-91] (Washington, D.C.: Dec. 15, 2005), and Transportation Security: Comprehensive Risk Assessments and Stronger Internal Controls Needed to Help Inform TSA Resource Allocation, [hyperlink, http://www.gao.gov/products/GAO-09-492] (Washington, D.C.: Mar. 27, 2009). For DHS risk-management guidance, see DHS, Risk Management Fundamentals: Homeland Security Risk Management Doctrine (April 2011). [13] [hyperlink, http://www.gao.gov/products/GAO-11-881]. [14] GAO, National Preparedness: DHS and HHS Can Further Strengthen Coordination for Chemical, Biological, Radiological, and Nuclear Risk Assessments, [hyperlink, http://www.gao.gov/products/GAO-11-606] (Washington, D.C.: June 21, 2011). [15] GAO, Coast Guard: Security Risk Model Meets DHS Criteria, but More Training Could Enhance Its Use for Managing Programs and Operations, [hyperlink, http://www.gao.gov/products/GAO-12-14] (Washington, D.C.: Nov. 17, 2011). [16] GAO, Port Security Grant Program: Risk Model, Grant Management, and Effectiveness Measures Could Be Strengthened, [hyperlink, http://www.gao.gov/products/GAO-12-47] (Washington, D.C.: Nov. 17, 2011). [17] GAO. Aviation Security: DHS and TSA Have Researched, Developed, and Begun Deploying Passenger Checkpoint Screening Technologies, but Continue to Face Challenges. [hyperlink, http://www.gao.gov/products/GAO-10-128]. (Washington, D.C.: Oct. 7, 2009). [18] [hyperlink, http://www.gao.gov/products/GAO-11-873]. [19] [hyperlink, http://www.gao.gov/products/GAO-11-881]. [20] GAO, Secure Border Initiative: Technology Deployment Delays Persist and the Impact of Border Fencing Has Not Been Assessed, [hyperlink, http://www.gao.gov/products/GAO-09-1013T] (Washington, D.C.: Sept. 17, 2009). [21] GAO, Border Patrol: Checkpoints Contribute to Border Patrol's Mission, but More Consistent Data Collection and Performance Measurement Could Improve Effectiveness, [hyperlink, http://www.gao.gov/products/GAO-09-824] (Washington, D.C.: Aug. 31, 2009). [22] GAO, Overstay Enforcement: Additional Mechanisms for Collecting, Assessing, and Sharing Data Could Strengthen DHS's Efforts but Would Have Costs, [hyperlink, http://www.gao.gov/products/GAO-11-411] (Washington, D.C.: Apr. 15, 2011) and Alien Smuggling: DHS Needs to Better Leverage Investigative Resources to Measure Program Performance along the Southwest Border, [hyperlink, http://www.gao.gov/products/GAO-10-328] (Washington, D.C.: May 24, 2010). [23] A material weakness is a significant deficiency, or a combination of significant deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented or detected and corrected on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. [24] [hyperlink, http://www.gao.gov/products/GAO-11-278]. [25] For DHS, obtaining a qualified audit opinion is a first step toward achieving an unqualified audit opinion. [End of section] GAO’s Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select “E- mail Updates.” Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548.