This is the accessible text file for GAO report number GAO-07-1065 entitled 'Homeland Security: U.S. Visitor and Immigrant Status Program's Long-standing Lack of Strategic Direction and Management Controls Needs to Be Addressed' which was released on September 4, 2007. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: August 2007: Homeland Security: U.S. Visitor and Immigrant Status Program's Long-standing Lack of Strategic Direction and Management Controls Needs to Be Addressed: GAO-07-1065: GAO Highlights: Highlights of GAO-07-1065, a report to congressional committees. Why GAO Did This Study: The Department of Homeland Security (DHS) has established a program known as U.S. Visitor and Immigrant Status Indicator Technology (US- VISIT) to collect, maintain, and share information, including biometric identifiers, on certain foreign nationals who travel to the United States. By congressional mandate, DHS is to develop and submit an expenditure plan for US-VISIT that satisfies certain conditions, including being reviewed by GAO. GAO reviewed the plan to (1) determine if the plan satisfied these conditions, (2) follow up on certain recommendations related to the program, and (3) provide any other observations. To address the mandate, GAO assessed plans and related documentation against federal guidelines and industry standards and interviewed the appropriate DHS officials. What GAO Found: The US-VISIT expenditure plan, including related program documentation and program officials’ statements, satisfies or partially satisfies some but not all of the legislative conditions required by the Department of Homeland Security Appropriations Act, 2007. For example, the department satisfied the condition that it provide certification that an independent verification and validation agent is currently under contract for the program and partially satisfied the condition that US-VISIT comply with DHS’s enterprise architecture. However, the department did not satisfy the conditions that the plan include a comprehensive US-VISIT strategic plan and a complete schedule for biometric exit implementation. DHS partially implemented GAO’s oldest open recommendations pertaining to US-VISIT. For example, while the department partially completed the recommendation that it develop and begin implementing a US-VISIT system security plan, the scope of the plan does not extend to all the systems that comprise US-VISIT. In addition, while the expenditure plan provides some information on US-VISIT’s cost, schedule, and benefits associated with planned capabilities, the information provided is not sufficiently defined and detailed to address GAO’s recommendation and provide a reasonable basis for measuring progress and holding the department accountable for results. GAO identified several additional observations. On the positive side, DHS data show that the US-VISIT prime contract is being executed according to cost and schedule expectations. However, DHS continues to propose disproportionately heavy investment in US-VISIT program management-related activities without adequate justification or full disclosure. Further, DHS continues to propose spending tens of millions of dollars on US-VISIT exit projects that are not well-defined, planned, or justified on the basis of costs, benefits, and risks. Overall, the US-VISIT fiscal year 2007 expenditure plan and other available program documentation do not provide a sufficient basis for effective program oversight and accountability. Both the legislative conditions and GAO’s open recommendations are aimed at accomplishing both, and thus they need to be addressed quickly and completely. However, despite ample opportunity to do so, DHS has not done so and the reasons why are unclear. Until these recommendations are addressed, GAO does not believe that the program’s disproportionate investment in management-related activities represents a prudent and warranted course of action or to expect that the newly launched exit endeavor will produce results different from past results—namely, no operational exit solution despite expenditure plans allocating about a quarter of a billion dollars to various exit activities. What GAO Recommends: Because outstanding recommendations already address all of the management weaknesses discussed in this report, GAO is reiterating prior recommendations and recommending that the Secretary of DHS report to the department’s authorization and appropriations committees on its reasons for not fully addressing the legislative conditions and prior GAO recommendations. DHS largely agreed with the report and provided additional information and views that GAO has incorporated and addressed in the report as appropriate. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1065]. To view the full product, including the scope and methodology, click on the link above. For more information, contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. [End of section] Contents: Letter: Compliance with Legislative Conditions: Status of Open Recommendations: Observations on the Expenditure Plan and Management of US-VISIT: Conclusions: Recommendation for Executive Action: Agency Comments and Our Evaluation: Appendixes: Appendix I: Briefing Slides: Appendix II: Comments from the Department of Homeland Security: Appendix III: GAO Contact and Staff Acknowledgments: DHS: Department of Homeland Security: EA: enterprise architecture: EVM: earned value management: HLS: Homeland Security: OMB: Office of Management and Budget: POE: port of entry: SEI: Software Engineering Institute: TECS: Treasury Enforcement Communications System: US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology: Letter: August 31, 2007: The Honorable Robert C. Byrd: Chairman: The Honorable Thad Cochran: Ranking Member: Subcommittee on Homeland Security: Committee on Appropriations: United States Senate: The Honorable David E. Price: Chairman: The Honorable Harold Rogers: Ranking Member: Subcommittee on Homeland Security: Committee on Appropriations: House of Representatives: The Department of Homeland Security (DHS) submitted to Congress in March 2007 its fiscal year 2007 expenditure plan for the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program pursuant to the Department of Homeland Security Appropriations Act, 2007.[Footnote 1] US-VISIT is a governmentwide program to collect, maintain, and share information on foreign nationals who enter and exit the United States. The program's goals are to enhance the security of U.S. citizens and visitors, facilitate legitimate trade and travel, ensure the integrity of the U.S. immigration system, and protect the privacy of visitors to the United States. As required by the appropriations act, we reviewed US-VISIT's fiscal year 2007 expenditure plan. Our objectives were to (1) determine whether the expenditure plan satisfies legislative conditions specified in the appropriations act, (2) determine the status of our oldest open recommendations pertaining to US-VISIT,[Footnote 2] and (3) provide observations about the expenditure plan and DHS' management of US-VISIT. On June 15, 2007, and on June 20, 2007, we briefed the staffs of the Senate and House Appropriations Subcommittees on Homeland Security, respectively, on the results of our review. This report transmits these results. The full briefing, including our scope and methodology, is reprinted in appendix I. Compliance with Legislative Conditions: The US-VISIT expenditure plan, including related program documentation and program officials' statements, satisfies or partially satisfies some, but not all, of the legislative conditions. Specifically, the legislative conditions that DHS certify that an independent verification and validation agent is currently under contract for the program and that the DHS Investment Review Board, the Secretary of Homeland Security, and the Office of Management and Budget (OMB) review and approve the plan were satisfied.[Footnote 3] However, DHS only partially satisfied the legislative conditions that it (1) meet the capital planning and investment control review requirements established by OMB, including OMB Circular A-11, part 7; (2) comply with DHS' enterprise architecture; and (3) comply with federal acquisition rules, requirements, guidelines, and systems acquisition management practices. In addition, DHS did not satisfy the legislative conditions that the plan include (1) a comprehensive US-VISIT strategic plan and (2) a complete schedule for biometric exit implementation. Status of Open Recommendations: DHS has partially implemented our recommendations pertaining to US- VISIT that have been open for 4 years. These recommendations, along with their status, are summarized here. * Recommendation: Develop and begin implementing a system security plan and perform a privacy impact analysis and use the results of this analysis in near term and subsequent system acquisition decision making. DHS has partially implemented this recommendation. In December 2006, the program office developed a US-VISIT security strategy and has since begun implementing it. However, the scope of this strategy does not extend to all the systems that comprise US-VISIT, such as the Treasury: Enforcement Communications System (TECS). We recently testified[Footnote 4] that TECS has neither the security controls and defensive perimeters in place for preventing an intrusion, nor the capability to detect an intrusion should one occur. Until a more comprehensive security strategy is developed, the systems that comprise US-VISIT could place it at increased risk. * Recommendation: Develop and implement a plan for satisfying key acquisition management controls, including acquisition planning, solicitation, requirements management, project management, contract tracking and oversight, evaluation, and transition to support, and implement the controls in accordance with Software Engineering Institute (SEI) guidance.[Footnote 5] DHS has partially implemented this recommendation. Since 2005, the program office reports progress in implementing 113 practices associated with six SEI key process areas. However, the six areas of focus do not include all of the management controls that our recommendations cover, such as solicitation and transition to support. As long as the program office does not address all of the management controls that we have recommended, it will unnecessarily increase program risks. * Recommendation: Ensure that expenditure plans fully disclose what system capabilities and benefits are to be delivered, by when, and at what cost, as well as how the program is being managed. DHS has partially implemented this recommendation. The fiscal year 2007 expenditure plan discloses planned system capabilities, estimated schedules and costs, and expected benefits. However, schedules, costs, and benefits are not always defined in sufficient detail to be measurable and to permit oversight. Finally, the plan does not fully disclose challenges or changes associated with program management. Without such information, the expenditure plan may not provide Congress with enough information to exercise effective oversight and to hold the department accountable. * Recommendation: Ensure that the human capital and financial resources provided are sufficient to establish a fully functional and effective program office and associated management capability. DHS has partially implemented this recommendation. At one point in 2006, all of the program office's 115 government positions were filled. However, 21 positions have since become vacant. Without adequate human capital, particularly in key positions and for extended periods, program risks will increase. * Recommendation: Clarify the operational context within which US-VISIT must operate. DHS has partially implemented this recommendation. DHS has yet to define the operational context in which US-VISIT is to operate, such as having a departmentally approved strategic plan or a well-defined department enterprise architecture (EA). While the expenditure plan includes a departmentally approved US-VISIT strategic plan, it does not address key elements of relevant federal strategic planning guidance. Moreover, we recently reported[Footnote 6] that the version of the department's EA[Footnote 7] that DHS has been using for US-VISIT alignment purposes was missing architecture content and was developed with limited stakeholder input. Finally, although program officials have met with related programs to coordinate their respective efforts, specific coordination efforts have not been assigned to any DHS entity. Until a well-defined operational context exists, the department will be challenged in its ability to define and implement US-VISIT and related border security and immigration management programs in a manner that promotes interoperability, minimizes duplication, and optimizes departmental capabilities and performance. * Recommendation: Determine whether proposed US-VISIT increments will produce mission value commensurate with costs and risks and disclose to its executive bodies and Congress the results of these business cases and planned actions. DHS has partially implemented this recommendation. We recently reported that, while a business case was prepared for Increment 1B,[Footnote 8] the analysis performed met only four of the eight criteria in OMB guidance. Since then, the program office has developed business cases for two projects: Unique Identity and U.S. Travel Documents-ePassports (formerly Increment 2A), and we have ongoing work to address, among other things, these business cases. Further, the program office has yet to develop a business case for another project that it plans to begin implementing this year--biometric exit at air ports of entry (POE). Until the program office has reliable business cases for each US-VISIT project in which alternative solutions for meeting mission needs are evaluated on the basis of costs, benefits, and risks, it will not be able to adequately inform its executive bodies and Congress about its plans and will not provide the basis for prudent investment decision making. * Recommendation: Develop and implement a human capital strategy that provides for staffing open positions with individuals who have the requisite core competencies (knowledge, skills, and abilities). DHS has partially implemented this recommendation. In February 2006, we reported[Footnote 9] that the program office issued a human capital plan and had begun implementing it. However, DHS stopped doing so during 2006 pending departmental approval of a DHS-wide human capital initiative and because all program office positions were filled. However, as noted earlier, the program office now reports that it has 21 government positions--including critical leadership positions--that are now vacant. Moreover, it has stated that it developed a new human capital plan but we did not review this plan because it is still undergoing departmental review. Until the department approves the human capital plan and the program office begins to implement it, the program will continue to be at risk. * Recommendation: Develop and implement a risk management plan and ensure that all high risks and their status are reported regularly to the appropriate executives. DHS has partially implemented this recommendation. US-VISIT has approved a risk management plan and has begun implementing it. However, the current risk management plan does not address when risks should be elevated beyond the level of the US-VISIT Program Director. According to program officials, elevation of US-VISIT risks is at the discretion of the Program Director, and no risks have been elevated to DHS executives since December 2005. Until the program office ensures that high risks are appropriately elevated, department executives will not have the information they need to make informed investment decisions. * Recommendation: Define performance standards for US-VISIT that are measurable and reflect the limitations imposed on US-VISIT capabilities by relying on existing systems. DHS has partially implemented this recommendation. The program office has defined technical performance standards for several increments, but these standards do not contain sufficient information to determine whether they reflect the limitations imposed by relying on existing systems. As a result, the ability of these increments to meet performance requirements remains uncertain and the ability to identify and effectively address performance shortfalls is missing. Observations on the Expenditure Plan and Management of US-VISIT: While available data show that prime contract cost and schedule expectations are being met, aspects of the US-VISIT program continue to lack definition and justification. Each of our observations in this regard are summarized here. * Earned value management (EVM) data on ongoing prime contract task orders show that cost and schedule baselines are being met. EVM is a program management tool for measuring progress by comparing the value of work accomplished with the amount of work expected to be accomplished.[Footnote 10] Data provided by the program office show that the cumulative cost and schedule variances for the overall prime contract and all 12 ongoing task orders are within an acceptable range of performance. * DHS continues to propose a heavy investment in program management- related activities without adequate justification or full disclosure. Program management is an important and integral aspect of any system acquisition program and should be justified in relation to the size and significance of the acquisition activities being performed. In 2006, program management costs represented 135 percent of planned development. This means that for every dollar spent on new capabilities, $1.35 was spent on management. The fiscal year 2007 expenditure plan similarly proposed investing $1.25 on management- related activities for every dollar invested in new development. However, the plan does not explain the reasons for the sizable investment in management-related activities or otherwise justify it on the basis of measurable expected value. Without disclosing and justifying its proposed investment and program management-related efforts, it is unclear that such a large amount of funding for these activities represents the best use of resources. * Lack of a well-defined and justified exit solution introduces the risk of repeating failed and costly past exit efforts. DHS has issued a high-level schedule for air exit, but information supporting that schedule is not yet available. In addition, there are no other exit program plans available that define what will be done, by what entities, and at what cost in order to define, acquire, deliver, deploy, and operate this capability. This includes developing plans describing expected system capabilities, identifying key stakeholder roles/responsibilities and buy-in, coordinating and aligning with related programs, and allocating funding to activities. Furthermore, DHS has not performed an analysis comparing the life cycle costs of the air exit solution to its expected benefits and risks. Since 2004, we have reported on a similar lack of definition and justification of prior US-VISIT exit efforts, even though prior expenditure plans have allocated funding of $250 million to completing these efforts. As of today, these prior efforts have not produced an operational exit solution. Without better definition and justification of its future exit efforts, the department runs the serious risk of repeating its past failures. Conclusions: US-VISIT's prime contract cost and schedule metrics show that expectations are being met, according to available data, although the EVM system that the metrics are based on has yet to be independently certified. Notwithstanding this, such performance is a positive sign. However, most of the many management weaknesses raised in this report have been the subject of our prior US-VISIT reports and testimonies and, thus, are not new. Accordingly, we have already made a litany of recommendations to correct each weakness, as well as follow-on recommendations to increase DHS attention to and accountability for doing so. Despite this, recurring legislative conditions associated with US-VISIT expenditure plans continue to be less than fully satisfied and recommendations that we made 4 years ago have still not been fully implemented. Exacerbating this situation is the fact that DHS did not satisfy two new legislative conditions associated with the fiscal year 2007 expenditure plan, and serious questions continue to exist about DHS' justification for and readiness to invest current, and potentially future, fiscal year funding relative to an exit solution and program management-related activities. DHS has had ample opportunity to address these many issues, but it has not. As a result, there is no reason to expect that its newly launched exit endeavor, for example, will produce results different from past endeavors--namely, DHS will not have an operational exit solution despite expenditure plans allocating about a quarter of a billion dollars to various exit activities. Similarly, on the basis of past efforts, there is no reason to believe that the program's disproportionate investment in management-related activities represents a prudent and warranted course of action. All told, this means that needed improvements in US-VISIT program management practices are long overdue. Both the legislative conditions and our open recommendations are aimed at accomplishing these improvements, and they need to be addressed quickly and completely. Thus far, they have not been, and the reasons that they have not are unclear. Recommendation for Executive Action: Because our outstanding US-VISIT recommendations already address all of the management weaknesses discussed in this report, we are reiterating our prior recommendations and recommending that the Secretary of DHS report to the department's authorization and appropriations committees on its reasons for not fully addressing its expenditure plan legislative conditions and our prior recommendations. Agency Comments and Our Evaluation: We received written comments on a draft of this report from DHS, which were signed by the Director, Departmental GAO/IG Liaison Office, and are reprinted in appendix II. In its comments, DHS stated that it agreed with the majority of our findings, adding that the department realizes, and our report supports the fact, that improvements to US-VISIT's management controls, operational context, and human capital are needed. DHS also stated that the US-VISIT program office would aggressively engage with us to address our open recommendations, noting that it appreciates the guidance provided by our reports. In this regard, DHS's comments described efforts completed, underway, and planned to address our recommendations, most of which were already reflected in the draft report. New information in DHS's comments covered its intentions relative to the next US-VISIT expenditure plan and the next US-VISIT strategic plan, both of which are to be issued in fiscal year 2008. This new information is consistent with the intent of our open recommendations. New information also included the US-VISIT Director's intention to communicate high-priority risks to the Under Secretary of the National Protection and Programs Directorate, which is also in line with our open recommendations. However, DHS also stated that it disagreed with the "partially complete" status that we assigned to one of our open recommendations. It also stated that our observation characterizing past US-VISIT exit efforts as failed and costly implicitly devalued the experience and empirical data that the department gained from these proof-of-concept efforts, and this observation did not recognize relevant information about the program's use of biographic exit procedures. We do not agree with either of these comments, as discussed below. * With the respect to the "partially complete" status that our report assigns to the open recommendation for the program to develop and begin implementing a system security plan, and to perform a privacy impact analysis and use the results of this analysis in near term and subsequent system acquisition decision making, DHS stated that it considers this recommendation satisfied. In this regard, the department describes a number of actions that the program has taken with respect to US-VISIT security and privacy. We do not take issue with the actions that DHS described, and would note that our draft report already recognizes them. Moreover, we too consider the privacy component of our recommendation satisfied. However, we do not agree with the department's position relative to the scope of US-VISIT's security strategy in that it does not address known vulnerabilities associated with a US-VISIT component system--TECS.[Footnote 11] As we state in our report, TECS is an integral component of US-VISIT and, according to federal security standards, a system security plan, or in US-VISIT's case the system security strategy, typically covers such component systems. Therefore, we believe that the US-VISIT security risk assessment and security strategy need to explicitly address such vulnerabilities, and thus we do not consider the entire recommendation as being fully satisfied. * With respect to our characterization of past US-VISIT exit efforts, the department stated that we incorrectly viewed these past efforts as "ends in themselves" and as "failed and costly" because they did not immediately conclude with operational systems. According to DHS, the program never intended for these efforts to be more than proof-of- concept learning experiences that would form the basis for more workable future system solutions. We do not agree with these comments. As we state in our report, the program first committed to full deployment of a biometric exit capability in 2003, and it has continued to make similar deployment commitments in subsequent years. At the same time, we have chronicled a pattern of inadequate analysis surrounding the expected costs, benefits, and risks of these exit efforts since 2004, and thus an absence of reliable information upon which to view their expected value and base informed exit-related investment decisions. Nevertheless, the program continued to invest each year in these biometric exit efforts, thus far having allocated about $250 million in funding to them. At no time, however, was any analysis produced to justify investing a quarter of a billion dollars to gain "experiences and empirical data" for such a sizeable investment. Rather, commitments were repeatedly made in expenditure plans for deploying an operational exit solution. While we recognize the value and role of demonstration and pilot efforts as a means for learning and informing future development efforts, our point is that exit-related efforts have been inadequately defined and justified over the last 4 years, despite being allocated $250 million, and the fiscal year 2007 expenditure proposes more of the same. With respect to not recognizing the program's use of biographic exit procedures in the above described observation, the department is correct that we describe these procedures in other sections of our report but not as part of this observation. We do not include this information under this observation because its focus is on the 4 years and $250 million that has been devoted to biometric-based exit efforts, and the lack of definition and justification in the fiscal year 2007 expenditure plan for these biometric efforts going forward. We are sending copies of this report to the Chairmen and Ranking Members of other Senate and House committees and subcommittees that have authorization and oversight responsibilities for homeland security. We are also sending copies to the Secretary of Homeland Security, Secretary of State, and the Director of OMB. We will also make copies available to others on request. In addition, the report will be available at no charge on GAO's Web site at [Hyperlink, http://www.gao.gov]. If you or your staffs have any questions on matters discussed in this report, please contact me at (202) 512-3439 or at hiter@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who have made significant contributions to this report are listed in appendix III. Signed by: Randolph C. Hite: Director: Information Technology Architecture and Systems Issues: [End of section] Appendix I: Briefing Slides: Homeland Security: U.S. Visitor and Immigrant Status Program's Long- standing Lack of Strategic Direction and Management Controls Needed to be Addressed: Briefing to the Staffs of the Subcommittee on Homeland Security Senate and House Committees on Appropriations: June 15, 2007: Briefing Overview: Introduction: Objectives: Results in Brief: Background: Results: * Legislative Conditions: * Status of Open Recommendations: * Observations: Conclusions: Recommendations for Executive Action: Agency Comments: Attachment 1. Scope and Methodology: Attachment 2. Related Products List: Attachment 3. Description of US-VISIT Program: Attachment 4. Description of Increments and Component Systems: Introduction: The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program of the Department of Homeland Security (DHS) is a governmentwide program to collect, maintain, and share information on foreign nationals who enter and exit the U.S. The goals of US-VISIT are to: enhance the security of U.S. citizens and visitors, facilitate legitimate travel and trade, ensure the integrity of the U.S. immigration system, and: protect the privacy of our visitors. The Department of Homeland Security Appropriations Act, 2007,[Footnote 12] states that DHS may not obligate $200 million of the $362.494 million appropriated for the US-VISIT project until the Senate and House Committees on Appropriations receive a plan for expenditure that: meets the capital planning and investment control review requirements established by the Office of Management and Budget (OMB), including Circular A-11, part 7;[Footnote 13] complies with DHS’s enterprise architecture; complies with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government; includes a certification by the DHS Chief Information Officer (CIO) that an independent verification and validation (IV&V) agent is currently under contract for the project; is reviewed and approved by the DHS Investment Review Board (IRB), the Secretary of Homeland Security, and OMB; is reviewed by GAO; includes a comprehensive US-VISIT strategic plan; and: includes a complete schedule for biometric exit implementation. On March 20, 2007, DHS submitted its fiscal year 2007 expenditure plan for $362.494 million to the House and Senate Appropriations Subcommittees on Homeland Security. Objectives: As agreed, our objectives were to: 1. determine whether the US-VISIT fiscal year 2007 expenditure plan satisfies the legislative conditions, 2. determine the status of our oldest open recommendations pertaining to US- VISIT,[Footnote 14] and: 3. provide observations about the expenditure plan and management of the program. We conducted our work at US-VISIT offices in Arlington, Virginia, from March 2007 through June 2007 in accordance with generally accepted government auditing standards. Details of our scope and methodology are described in attachment 1. Results in Brief: Objective 1: Legislative Conditions: Table: Summary of Fiscal Year 2007 US-VISIT Expenditure Plan’s Satisfaction of Legislative Conditions: Legislative conditions: Meets the capital planning and investment control review requirements established by OMB, including OMB A-11, part 7; Does not satisfy[A]: [Empty]; Partially satisfies[B]: [Check]; Satisfies[C]: [Empty]. Legislative conditions: Complies with the DHS enterprise architecture; Does not satisfy[A]: [Empty]; Partially satisfies[B]: [Check]; Satisfies[C]: [Empty]. Legislative conditions: Complies with the acquisition rules, requirements, guidelines, and systems; Does not satisfy[A]: [Empty]; Partially satisfies[B]: [Check]; Satisfies[C]: [Empty]. Legislative conditions: Includes a certification by the DHS CIO that an IV&V agent is currently under contract for the program; Does not satisfy[A]: [Empty]; Partially satisfies[B]: [Empty]; Satisfies[C]: [Check]. Legislative conditions: Is reviewed and approved by the DHS IRB, the DHS Secretary, and OMB; Does not satisfy[A]: [Empty]; Partially satisfies[B]: [Empty]; Satisfies[C]: [Check]. Legislative conditions: Is reviewed by GAO; Does not satisfy[A]: [Empty]; Partially satisfies[B]: [Empty]; Satisfies[C]: [Check]. Legislative conditions: Includes a comprehensive US-VISIT strategic plan; Does not satisfy[A]: [Check]; Partially satisfies[B]: [Empty]; Satisfies[C]: [Empty]. Legislative conditions: Includes a complete schedule for biometric exit implementation; Does not satisfy[A]: [Check]; Partially satisfies[B]: [Empty]; Satisfies[C]: [Empty]. Source: GAO. [A] Does not satisfy or provide for satisfying all key aspects of the condition we reviewed. [B] Satisfies or provides for satisfying some, but not all, key aspects of the condition that we reviewed. [C] Satisfies or provides for satisfying every aspect of the condition that we reviewed. [End of figure] Results in Brief: Objective 2: Open Recommendations: Table: Summary of Status of Open Recommendations: Open recommendations: 1. Develop and begin implementing a system security plan and perform a privacy impact analysis and use the results of this analysis in near term and subsequent system acquisition decision making; Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 2. Develop and implement a plan for satisfying key acquisition management controls, including acquisition planning, solicitation, requirements management, project management, contract tracking and oversight, evaluation, and transition to support, and implement the controls in accordance with Software Engineering Institute (SEI) guidance[F]; Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 3. Ensure that expenditure plans fully disclose what system capabilities and benefits are to be delivered, by when, and at what cost, as well as how the program is being managed; Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 4. Ensure that the human capital and financial resources are provided to establish a fully functional and effective program office and associated management capability; Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 5. Clarify the operational context within which US-VISIT must operate; Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 6. Determine whether proposed US-VISIT increments will produce mission value commensurate with costs and risks and disclose to its executive bodies and the Congress the results of these business cases and planned actions;[G] Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 7. Develop and implement a human capital strategy that provides for staffing open positions with individuals who have the requisite core competencies (knowledge, skills, and abilities); Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 8. Develop and implement a risk management plan and ensure that all high risks and their status are reported regularly to the appropriate executives; Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 9. Define performance standards for US-VISIT that are measurable and reflect the limitations imposed by relying on existing systems; Partially complete[D]: [Check]; Complete[E]: [Empty]; Source: GAO. [D] A recommendation is partially complete when documentation indicates that some, but not all, actions needed to implement it have been taken. E] A recommendation is complete when documentation demonstrates that it has been fully addressed. [F] This recommendation is the merger of two of our prior recommendations. [G] This recommendation is the merger of three of our prior recommendations. [End of figure] Results in Brief: Objective 3: Observations: Observation Summaries: DHS data show that the US-VISIT prime contract is being executed according to cost and schedule expectations, as defined and measured by a well- accepted progress measurement technique known as earned value management. DHS continues to propose disproportionately heavy investment in US- VISIT program management-related activities without adequate justification or full disclosure, to the point of spending $1.25 on management for every dollar invested in new development. Without justifying and fully disclosing such a large investment in program management, questions persist as to whether this represents the best use of DHS resources. DHS continues to propose spending tens of millions of dollars on exit projects that are not well-defined, planned, or justified on the basis of costs, benefits and risks. Without properly positioning itself for effectively and efficiently investing in an exit solution, DHS risks repeating its prior failed and costly exit efforts. Results in Brief: Recommendations: and Agency Comments: Because our outstanding US-VISIT recommendations already address all of the management weaknesses discussed in this briefing, we are reiterating our prior recommendations, and recommending that DHS report to its congressional authorization and appropriations committees the reasons for it not fully satisfying its US-VISIT expenditure plan legislative requirements and our prior recommendations. In comments on a draft of this briefing, DHS stated that the briefing was factually correct, that GAO's guidance provided value to the program, and that it would continue to address our recommendations. 12 Background: US-VISIT Overview: The goals of the US-VISIT program are to enhance the security of U.S. citizens and visitors, facilitate legitimate travel and trade, ensure the integrity of the U.S. immigration system, and protect the privacy of our visitors. US-VISIT is to accomplish these things by: collecting, maintaining, and sharing biometric and other information on certain foreign nationals who enter and exit the United States; identifying foreign nationals who (1) have overstayed or violated the terms of their admission; (2) can receive, extend, or adjust their immigration status; or (3) should be apprehended or detained by law enforcement officials; detecting fraudulent travel documents, verifying traveler identity, and determining traveler admissibility through the use of biometrics; and: facilitating information sharing and coordination within the immigration and border management community. Background: US-VISIT Program Office: Figure: Organizational Structure and Functional Responsibilities[Footnote 15] [See PDF for image] Source: US-VISIT. [End of figure] Background: Acquisition Strategy: DHS originally planned to deliver biometric entry and exit capability in for major increments: Increments 1 through 3 were to be interim, or temporary, solutions that focus on building interfaces among existing (legacy) systems; enhancing the capabilities of these systems; and deploying these systems to air, sea, and land ports of entry (POEs). Increment 4 was to be a series of incremental releases, or mission capability enhancements, that were to deliver long-term strategic capabilities for meeting program goals. In May 2004, DHS awarded an indefinite-delivery/indefinite- quantity[Footnote 16] prime contract to Accenture and its partners for delivering future US-VISIT capabilities.[Footnote 17] Background: Description and History of Increments: Increment 1: Increment 1 was intended to establish entry and exit capabilities at air and sea POEs. Increment 1 air and sea entry capabilities were deployed on January 5, 2004, at 115 airports and 14 seaports for individuals requiring nonimmigrant visas to enter the United States.[Footnote 18] These capabilities include collecting and matching biographic information, biometric data (two digital index finger scans) and a digital photograph for selected foreign nationals. In addition, several types of increment 1 air and sea exit devices for collecting biometric data were piloted at 12 airports and 2 seaports. This 3-year pilot focused on the technical feasibility of a biometric exit solution at air and sea POEs. The pilot ended in May 2007. Increment 2: Increment 2 was originally to extend US-VISIT entry and exit capabilities to the 50 busiest land POEs by December 31, 2004. Subsequently, the increment was divided into three parts—2A, 2B, and 2C. Increment 2A established entry capabilities at land, sea, and air POEs to biometrically authenticate machine-readable visas and other travel and entry documents issued by Department of State (State) and DHS to foreign nationals.[Footnote 19] These capabilities were deployed to all POEs by October 23, 2005, except for e-Passports, which were deployed to 33 POEs by November 14, 2006. These 33 POEs account for 97 percent of all travelers entering with e- Passports. Increment 2B extended the increment 1 entry solution to the 50 busiest land POEs and included redesigning the process for issuing a handwritten form I- 94[Footnote 20] to enable the electronic capture of biographic, biometric (unless the traveler is exempt),[Footnote 21] and related travel documentation for travelers arriving in secondary inspection. This capability was deployed to the 50 busiest land POEs as of December 29, 2004. Increment 2C was a proof-of-concept demonstration of the feasibility of using passive radio frequency identification (RFID) technology[Footnote 22] to record travelers’ entry and exit via a unique ID number tag embedded in the form I-94. It was originally deployed at five land POEs. The demonstration was terminated in November 2006. Increment 3: Increment 3 was to extend increment 2B entry capabilities to 104 land POEs by December 31, 2005. It was essentially completed as of December 19, 2005.[Footnote 23] Increment 4 – Unique Identity: All expenditure plans prior to fiscal year 2006 have described increment 4 as a yet- to-be-defined, strategic solution. The fiscal year 2006 plan described increment 4 as the combination of two projects: (1) Transition to 10 fingerprints in the Automated Biometric Identification System (IDENT) and (2) Interoperability between IDENT and the Federal Bureau of Investigation’s Integrated Automated Fingerprint Identification System (IAFIS). The fiscal year 2007 expenditure plan combines the two projects, with a third called enumeration (developing a single identifier for each individual), into a single project referred to as Unique Identity. Background: Entry Systems Overview:[Footnote 24] Figure: Systems Diagram of Entry Capability [See PDF for image] Source: GAO analysis of US-VISIT data. [End of figure] Background: Chronology of Expenditure Plans: Table: Chronology of Expenditure Plans: Fiscal year: 2002; Date submitted: 11/15/2002; Funds appropriated (in thousands): $13,300; Funds requested (in thousands): $13,300; Funds released to date (in thousands): $13,300. Fiscal year: 2003; Date submitted: 06/05/2003; Funds appropriated (in thousands): $362,000; Funds requested (in thousands): $375,000; Funds released to date (in thousands): $367,00014[Footnote 25]. Fiscal year: 2004; Date submitted: 01/27/2004; Funds appropriated (in thousands): $330,000; Funds requested (in thousands): $330,000; Funds released to date (in thousands): $330,000. Fiscal year: 2005; Date submitted: 10/19/2004; Funds appropriated (in thousands): $340,000; Funds requested (in thousands): $340,000 ; Funds released to date (in thousands): $340,000. Fiscal year: 2006; Date submitted: 08/10/2006; Funds appropriated (in thousands): $336,600; Funds requested (in thousands): $336,600 ; Funds released to date (in thousands): $336,600. Fiscal year: 2007 ; Date submitted: 03/20/2007; Funds appropriated (in thousands): $362,494; Funds requested (in thousands): $362,494; Funds released to date (in thousands): $162,494. Total; Funds appropriated (in thousands): $1,744,394; Funds requested (in thousands): $1,757,394; Funds released to date (in thousands): $1,557,394. Source: GAO, based on an analysis of DHS data. [End of figure] Background: 2007 Expenditure Plan Funding Allocation: Table: 2007 Expenditure Plan Funding Allocation: Areas of expenditure/Projects (see next slides for descriptions): Exit (air and sea); Government program management (costs in thousands): 0; Contractor program management support: 2,300; Development: 5,000; Operations and Maintenance: [Empty]; Other: [Empty]; Total: $7,300. Areas of expenditure/Projects (see next slides for descriptions): U.S. travel documents and e-Passports (2A PKD); Government program management (costs in thousands): 0; Contractor program management support: 2,700; Development: 8,100; Operations and Maintenance: [Empty]; Other: [Empty]; Total: 10,800. Areas of expenditure/Projects (see next slides for descriptions): Unique Identity (10-print, enumeration, and IDENT/IAFIS interoperability; Government program management (costs in thousands): 0; Contractor program management support: 17,400; Development: 76,500; Operations and Maintenance: [Empty]; Other: [Empty]; Total: 93,900. Areas of expenditure/Projects (see next slides for descriptions): Data integrity and biometric support services; Government program management (costs in thousands): 0; Contractor program management support: 1,400; Development: 14,100; Operations and Maintenance: [Empty]; Other: [Empty]; Total: 15,500. Areas of expenditure/Projects (see next slides for descriptions): Program management and operations; Government program management (costs in thousands): 25,700; Contractor program management support: 0; Development: 0; Operations and Maintenance: [Empty]; Other: [Empty]; Total: 25,700. Areas of expenditure/Projects (see next slides for descriptions): Contractor program management support; Government program management (costs in thousands): 0; Contractor program management support: 62,500; Development: 0; Operations and Maintenance: [Empty]; Other: [Empty]; Total: 62,500. Areas of expenditure/Projects (see next slides for descriptions): Operations and maintenance; Government program management (costs in thousands): 0; Contractor program management support: 0; Development: 0; Operations and Maintenance: 138,800; Other: [Empty]; Total: [Empty]. Areas of expenditure/Projects (see next slides for descriptions): Management reserve; Government program management (costs in thousands): 0; Contractor program management support: 0; Development: 0; Operations and Maintenance: [Empty]; Other: 8,000; Total: 8,000. Total; Government program management (costs in thousands): 25,700; Contractor program management support: 86,300; Development: 103,700; Operations and Maintenance: 138,800; Other: 8,000; Total: $362,500. Source: GAO, based on an analysis of DHS data. [End of table] Background: Summary of 2007 US-VISIT Expenditure Plan: Exit: Includes planning and implementation of the chosen deployment option for the implementation of an exit screening program at air and sea ports. U.S. travel documents and e-Passports: Includes development, testing, and deployment of public key directory (PKD) validation services[Footnote 26] for e-Passport readers. Unique Identity: Includes implementing the 10-fingerprint scanners and the interim data sharing model (iDSM);[Footnote 27] related systems interoperability; associated facilities and engineering support; and systems architecture, engineering and integration, and design. Data Integrity and Biometric Support Services: Includes providing qualified leads and actionable information to the U.S. Customs and Border Protection Service and U.S. Immigration and Customs Enforcement; establishment of lookout records for visa denials and adverse actions by border officials. Program management and operations: Includes the government salaries and benefits for 115 government program office positions necessary to manage and operate the program, including relocation costs, personnel security checks, and training. Contractor services-program management: Includes the program office support contractors. Operations and maintenance: Includes operations and maintenance of Increment 1, 2, and 3 systems, including technical, application, system, network, and infrastructure support costs. Program management reserve: Includes funds allocated to accommodate unknown timing and magnitude of risks. Background: US-VISIT Project Life Cycle Management: US-VISIT has adopted its own methodology for managing its projects throughout their respective life cycles. This methodology is known as the US-VISIT Enterprise Life Cycle Methodology (ELCM). Within the ELCM is a component methodology for managing software-based system projects known as the US-VISIT Delivery Methodology (UDM). According to version 4.3 of UDM (April 2007), it: Applies to new development projects and existing, operational projects. Specifies the documentation and reviews that should take place within each of the methodology’s six phases: plan, analyze, design, build, test, and deploy. Allows for tailoring to meet the needs and requirements of individual projects, in which specific activities, deliverables, and milestone reviews that are appropriate for the scope, risk, and context of the project can be set for each phase of the project. The chart on the following page shows where US-VISIT projects are in terms of the life cycle methodology. Background: US-VISIT Project Status: (New Development and Operational): Figure: New Development and Operational: [See PDF for image] Source: GAO, based on an analysis of DHS data. * Exit project in pre-planning; not within the UDM Technology Workstream. *** IOC: Initial Operational Capability. [End of figure] Background: US-VISIT Task Orders: Area of Expenditure: Exit; Task Order Name: Exit Pilot beta survey data collection; Start: August 2004; Status/Completion Date: Completed May 2005; Description: Pilot, test, and evaluate three exit alternatives (kiosk, mobile, hybrid) at selected international ports of departure. Area of Expenditure: Exit; Task Order Name: Increment 1B; Start: February 2005; Status/Completion Date: Completed Dec. 2006; Description: Air and Sea Exit Deployment-provide services for national deployment of the 1B exit solution as determined from results of 1B pilots. Area of Expenditure: Exit; Task Order Name: Increment 2C; Start: September 2004; Status/Completion Date: Ongoing[H]; Description: Planning and implementation of the US-VISIT Increment 2C Proof of Concept Project. Area of Expenditure: U.S. Travel Documents and e-Passports; Task Order Name: International Registered Traveler IPT; Start: February 2005; Status/Completion Date: Completed Aug 2005; Description: Support for SecurePass IPT, and integrated international registered program designed to enhance national security and improve efficiency. Area of Expenditure: U.S. Travel Documents and e-Passports; Task Order Name: Increment 2A-PKD; Start: March 2005; Status/Completion Date: Ongoing; Description: Development and implementation of PKD Validation service to allow for biometric comparison and authentication of US visas and other travel documents. Area of Expenditure: U.S. Travel Documents and e-Passports; Task Order Name: Material support to Increment 2A-PKD; Start: March 2007; Status/Completion Date: Ongoing; Description: Purchase of materials, including hardware and software, to meet requirements of the PKD validation services project. Area of Expenditure: Unique Identity; Task Order Name: IT solutions delivery; Start: October 2004; Status/Completion Date: Ongoing; Description: Planning, development, and implementation of the Biometric identification Systems Project, now referred to as Unique Identity (IDENT/IAFIS integration and IDENT 10-print). Area of Expenditure: Unique Identity; Task Order Name: Integration support to the Unique ID project office; Start: November 2006; Status/Completion Date: Ongoing; Description: Program and technical integration support services. Area of Expenditure: Unique Identity; Task Order Name: Material support to task order 007; Start: April 2007; Status/Completion Date: Ongoing; Description: Material, maintenance licenses, warrant, etc. in support of task 007 IT solutions. Area of Expenditure: Data Integrity and Biometric Support; Task Order Name: Data Management support; Start: August 2004; Status/Completion Date: Ongoing; Description: Support Program Office Data Management Branch-identity errors, omissions, and trends in data; recommend corrective actions; provide refined data to other offices (e.g. U.S. Immigration and Customs Enforcement) to support criminal investigations, lookout creation, and informed material/operational decision making. Area of Expenditure: Contractor Support-Program Management; Task Order Name: Program level management; Start: July 2004; Status/Completion Date: Ongoing; Description: Comprehensive program and project management methodology, policies, processes, procedures, and support to program office. Area of Expenditure: Contractor Support-Program Management; Task Order Name: Strategic Plan; Start: October 2004; Status/Completion Date: Completed March 2005; Description: Create and document a comprehensive strategic plan that describes necessary activities to integrate US- VISIT processes and systems. Area of Expenditure: Contractor Support-Program Management; Task Order Name: Blueprint; Start: May 2005; Status/Completion Date: Completed Nov 2006; Description: Create a US-VISIT blueprint that describes a comprehensive approach to achieving the overall vision for US-VISIT's immigration and border management enterprise. Area of Expenditure: Contractor Support-Program Management; Task Order Name: Program level engineering; Start: September 2004; Status/Completion Date: Ongoing; Description: Develop and maintain standards, guidance, architectures, performance models, and other engineering processes necessary to support the development of functionality. Area of Expenditure: Contractor Support-Program Management; Task Order Name: Development; Start: November 2006; Status/Completion Date: Ongoing; Description: Support the development and maintenance of program planning artifacts and analyze phases of project execution and planning, updating, and implementing the US-VISIT Strategic Plan. Area of Expenditure: Operations and Maintenance; Task Order Name: Facilities and infrastructure; Start: March 2005; Status/Completion Date: Ongoing; Description: Provisioning of office/faculty space, furniture, workstations, telecommunications, and other infrastructure to support contractor activities. Area of Expenditure: Operations and Maintenance; Task Order Name: Operations and Maintenance; Start: August 2006; Status/Completion Date: Ongoing; Description: Management of operations and maintenance activities for deployed capabilities. Source: GAO, based on analysis of DHS data. [H] Increment 2C was terminated in November 2006. This task order will closer once shutdown activities are complete. [End of table] Background: Overview of DHS Investment Management Process: DHS recently changed its investment management process. Prior to 2006, DHS IT programs, including US-VISIT, were subject to key decision point reviews. According to DHS, this approach was adopted from the Department of Defense’s investment management process, and while well- suited for the acquisition of fighter jets, ships, etc., was not well- suited for acquisition of IT systems. Accordingly, DHS drafted an Investment Review Process guide that adopts an approach using milestone decision points (MDP) linking five life cycle phases: (1) project initiation, (2) concept and technology development, (3) capability development and demonstration, (4) production and deployment, and (5) operations and support. According to DHS, this guide provides more flexibility, allowing DHS to tailor the number of phases and milestone reviews based on risk and visibility. MDP reviews can be performed concurrently with an expenditure plan review. The draft guide was issued in March 2006; as of May 2007, the draft guide had not been approved. Under the draft guide, a program sends an investment review request to the Integrated Project Review Team (IPRT) prior to the initial MDP. The IPRT assigns the program to a portfolio, and schedules the program for a Joint Requirements Council and/or IRB review. According to the official from DHS’s Program Analysis and Evaluation Directorate who is responsible for overseeing program adherence to the investment control process, it is being used for all DHS programs. Objective 1: Legislative Conditions: Condition 1: This fiscal year 2007 US-VISIT expenditure plan, related program documentation, and program officials' statements satisfy (in part or total) most, but not all, of the legislative conditions. Condition 1. The plan, including related program documentation and program officials' statements, satisfies or partially satisfies all aspects of the capital planning and investment control review requirements established by OMB, including OMB Circular A-11, part 7.[Footnote 28] The table that follows provides examples of the results of our analysis, including areas in which the A-11 requirements have been and have not been fully satisfied. Given that the A-11 requirements are intended to minimize a program's exposure to risk, permit performance measurement and oversight, and promote accountability, any areas in which the program falls short of the requirements reduce the chances of delivering cost-effective capabilities and measurable results of time and within budget. Table: Legislative Conditions: Condition 1: Examples of A-11 Conditions: Provide a brief description of the investment and its status in the capital planning and investment control review, including major assumptions made about the investment; Results of our analysis: The expenditure plan and fiscal year 2007 Exhibit 300 provide a description of investment and its status in the capital US-VISIT but do not include its status in the DHS capital planning and planning and investment control review, investment control process. According to program officials, the program was re- including major assumptions made evaluated under the MDP process defined in the draft DHS investment review about the investment process guide. On February 7, 2007, it passed its first MDP and is now undergoing its second MDP review. Also, the expenditure plan and related program documents identify a number of program assumptions. Examples of assumptions cited in the fiscal year 2007 Exhibit 300 submission include (1) existing facilities at land POEs will not support the proposed incorporation of biometric devices without investment in equipment and infrastructure, and (2) improved exit processes are needed to collect accurate data on departures. Examples of A-11 Conditions: Provide a summary of the investment’s risk assessment, including how 19 OMB- identified risk elements are being addressed; Results of our analysis: The US-VISIT enterprise risk assessment was completed in December 2005. It identified a number of risks, their likelihood of occurrence, their potential impact, and recommended controls to address each risk. The most recent version of the risk management plan was approved February 2007. Under the processes defined in this plan, risks are to be monitored and reviewed by program management and stakeholders through integrated project teams. All identified risks are to be logged in the risk database and are to be individually reviewed by the Director. Both the Exhibit 300 and the Risk Management Plan address the 19 OMB-identified risk elements. Examples of A-11 Conditions: Demonstrate that the investment is included in the agency's enterprise architecture and capital planning and investment control process. Illustrate agency's capability to align the investment to the Federal Enterprise Architecture (FEA); Results of our analysis: The plan does not describe US-VISIT relative to the DHS enterprise architecture (EA) or the capital planning and investment control process. Moreover, the last review of program compliance with the DHS EA was in August 2004, and since then US-VISIT and the DHS architecture have changed significantly. With regard to the FEA, the fiscal year 2007 OMB Exhibit 300 budget submission contains tables that satisfy OMB's requirement for listing the various aspects of the FEA that the program supports. In February 2007, the program completed a MDP1 review, which program officials told us revalidated the program. The program has since submitted to the Enterprise Architecture Center for Excellence its MDP2 review package. US-VISIT's architecture alignment is further discussed under the legislative condition 2 section of this briefing. Examples of A-11 Conditions: Provide a description of an investment's security and privacy issues. Summarize the agenda's ability to manage security at the system or application level. Demonstrate compliance with the certification and accreditation processes as well as the mitigation of IT security weaknesses; Results of our analysis: As we previously reported, US-VISIT's 2004 security plan and privacy impact assessments generally satisfied IMB and the National Institutes of Standards and Technology (NIST) security guidance. Further, the expenditure plan states that all of the US-VISIT component systems have been certified and accredited and given authority to operate. Also, the program office developed a security strategy in December 2006 that was based on the 2005 risk assessment. However, this security strategy was limited to the systems under US-VISIT control and does not mention, for example, the Treasury Enforcement Communications System (TECS) which provides biographic information to US-VISIT and is owned by Customs and Border Protection. According to NIST Special Publication 800-18, a comprehensive security strategy should include all component systems. We have ongoing work to evaluate the quality of US-VISIT security documents and practices. Examples of A-11 Conditions: Provide a summary of the investment's status in accomplishing baseline cost and schedule goals through the use of an earned value management (EVM) system or operational analysis, depending on the life-cycle stage; Results of our analysis: The program is currently relying on the prime contractor's EVM system to manage the prime contractor's progress against cost and schedule goals. This EVM system was self-certified by the prime contractor in December 2003 as meeting established standards, but has yet to be verified by the agency or an independent representative of the agency as required by OMB. In December 2006, the program office contracted with the Defense Contract Management Agency to conduct this investigation, but it will not be completed until August 2008. Finally, while the fiscal year 2006 expenditure plan stated that all US-VISIT contractors will perform EVM and program officials stated that this will be performed in accordance with the DHS guidelines for all contracts after October 1, 2006, the fiscal year 2007 expenditure plan does not continue to make this commitment. Source: OMB criteria and GAO analysis of DHS documentation. [End of table] Objective 1: Legislative Conditions: Condition 2: Condition 2. The plan, including related program documentation and program officials’ statements, partially provides for satisfying the condition that it comply with DHS’s EA. According to federal guidelines and best practices, investment compliance with an EA is essential for ensuring that an organization’s investment in new and existing systems is defined, designed, and implemented in a way that promotes integration and interoperability and minimizes overlap and redundancy, thus optimizing enterprise wide efficiency and effectiveness. A compliance determination is not a one- time event that occurs when an investment begins, but is, rather, a series of determinations that occurs throughout an investment’s life cycle as changes to both the EA and the investment’s architecture are made. The DHS Enterprise Architecture Board, supported by the Enterprise Architecture Center of Excellence, is responsible for ensuring that projects demonstrate adequate technical and strategic compliance with the department’s EA. The DHS Enterprise Architecture Board has not conducted a detailed review of US- VISIT architecture compliance in more than 2 years. In August 2004, the board reviewed US-VISIT’s architectural alignment with some aspects of the DHS EA, and it recommended that US-VISIT be given conditional approval to proceed.[Footnote 29] However, we reported [Footnote 30] in February 2005 that this architectural compliance was limited because: DHS’ determination was based on version 1.0 of the EA, which was missing, in part or in whole, all the key elements expected in a well- defined architecture, such as a description of business processes, information flows among these processes, and security rules associated with these information flows. DHS did not provide sufficient documentation to allow us to understand the methodology and criteria for architecture compliance or to verify analysis justifying the conditional approval. Moreover, the next architecture alignment review did not occur until more than 2 years later, in November 2006. This review was part of US- VISIT’s MDP1 revalidation review, and it focused on compliance with 2 components of the DHS EA 2006. In February 2007 US-VISIT received MDP1 approval with the stipulation that the program undergo a MDP2 review within 60 days. This February 2007 MDP1 alignment determination does not fully satisfy the legislative condition for several reasons. The review was based on US-VISIT documentation that was not current. In particular, the US-VISIT Mission Needs Statement[Footnote 31] did not reflect recent changes to the program, such as the IDENT/IAFIS interoperability and expansion of IDENT to collect 10, rather than 2, prints. The review assessed compliance with only general aspects of the DHS EA, such as the investment portfolio, the architecture principles, and the business model. It did not include US-VISIT’s compliance with other relevant aspects of the EA, such as the data and information security components. The review was based on DHS EA 2006. We reported[Footnote 32] in May 2007 that this version was missing important architectural content and did not address most of the comments made by DHS stakeholders. As a result, we concluded that it was not complete, consistent, understandable, or usable. Program officials told us that they submitted documentation for a more comprehensive MDP2 alignment review to the Enterprise Architecture Centers of Excellence in April 2007. They also stated that they have mitigated the risks of US-VISIT being misaligned with the DHS EA through other means. These included: submitting the technical baseline of existing hardware and software to the Center for Excellence for inclusion in the DHS EA; submitting technology insertion requests for new equipment planned for US-VISIT, such as RFID technology, to the EA Center of Excellence for review and inclusion in the DHS EA, and: relating US-VISIT capabilities with the business and services models of the FEA reference models. Notwithstanding these steps, DHS has yet to demonstrate, through verifiable documentation and methodologically-based analysis, that US- VISIT is aligned with a well-defined DHS EA. As a result, the program will remain at risk of being defined and implemented in a way that does not support optimized department wide operations, performance, and achievement of strategic goals and outcomes. Objective 1: Legislative Conditions: Condition 3: Condition 3. The plan, including related program documentation and program officials’ statements, partially provides for satisfying the condition that it comply with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government.[Footnote 33] Federal IT acquisition requirements, guidelines, and management practices provide an acquisition management framework that is based on the use of rigorous and disciplined processes for planning, managing, and controlling the acquisition of IT resources.[Footnote 34] Effective acquisition management processes are embodied in published best practices models, such as the Software Engineering Institute (SEI) Capability Maturity Models®. These models explicitly define, among other things, acquisition process management controls that are recognized hallmarks of successful organizations and that, if implemented effectively, can greatly increase the chances of acquiring software-intensive systems that provide promised capabilities on time and within budget. We reported in September 2003[Footnote 35] that the program office had not defined key acquisition management controls to support the acquisition of US-VISIT, and therefore its efforts to acquire, deploy, operate, and maintain system capabilities were at risk of not meeting system requirements and benefit expectations on time and within budget. Subsequently, the program adopted SEI Capability Maturity Model Integration[Footnote 36] (CMMI®) to guide its efforts to employ effective acquisition management practices and approved an acquisition management process improvement plan dated May 16, 2005. One of the goals of this plan was to achieve a CMMI® level 2 capability rating from SEI by October 2006. In September 2005, DHS’s initial assessment of 13 US-VISIT key acquisition process areas revealed a number of weaknesses. In light of this, US-VISIT updated its acquisition management process improvement plan, narrowing the scope of the process improvement activities to six of the CMMI process areas--project planning, project monitoring and control, requirements management, risk management, configuration management, and product and process quality assurance—and focusing on two US-VISIT projects—U.S. Travel Documents-ePassports (formerly Increment 2A) and Unique Identity. Under the updated plan, the goal for an external CMMI evaluation remained October 2006. During 2006, the program conducted periodic assessments in the six key process areas and reported that while it had increased the number of fully and largely implemented practices within these six areas, sufficient progress had not been made to pass an external evaluation in October 2006. Some of the weaknesses reported were: Insufficient definition of processes and preparation of supporting documents for areas such as systems development, budget and finance, facilities, and strategic planning (e.g., product work flow among organizational units was unclear and not documented, and roles, responsibilities, and assignments for performing work tasks and activities were not adequately defined and documented). Lack of policies, process descriptions, and templates for requirements development and management. Lack of definition of roles, responsibilities, work products, expectations, resources, and accountability of external stakeholder organizations. The program has since revised its process improvement plan. Among other things, the revised plan delays the date for having an external CMMI evaluation from October 2006 to November 2007. At the same time, it has continued to address the weaknesses discovered during earlier internal assessments. Based on its latest periodic assessment (March 2007), the program office reports that 83 percent of key practices are now either fully or largely implemented, up from 26 percent in August 2005 (see chart on next slide). Figure: State of US-VISIT Implementation of 113 Key Practices Associated with Six CMMI Key Process Areas: [See PDF for image] Source: GAO, based on an analysis of DHS data. [End of figure] In addition, the fiscal year 2007 expenditure plan reported progress in a seventh key process area not included in the program’s CMMI improvement efforts— contract tracking and oversight. In 2006, we reported[Footnote 37] that the program office had not effectively overseen US-VISIT related contract work performed on its behalf by other DHS and non-DHS agencies, and these agencies did not always establish and implement the full range of controls associated with effective management of contractor activities. Further, neither the program office nor the other agencies had implemented effective financial controls.[Footnote 38] Since this report was issued, the program office has instituted the use of oversight plans for new task order and contract awards and is developing a set of requirements for reimbursable contracts that address our recommendations to enhance the probability of successful performance and reduce risks. Notwithstanding this reported progress in implementing acquisition management process areas, the program’s acquisition management improvement efforts are focused on only seven acquisition management process areas. Other areas are also relevant to the program and need to be addressed. The status of the program office’s efforts to implement our recommendations aimed at implementing the full range of acquisition management controls is discussed later in this briefing. Objective 1: Legislative Conditions: Condition 4: Condition 4. The plan satisfies the condition that it include a certification by the DHS CIO that an IV&V agent is currently under contract for the project. On February 21, 2007, the DHS Deputy CIO certified in writing that two independent verification and validation agents[Footnore39] were under contract for US-VISIT and that these agents met the requirements and standards for an IV&V agent. 49 Objective 1: Legislative Conditions: Condition 5: Condition 5. The plan, including related program documentation and program officials’ statements, satisfies the requirement that it be reviewed and approved by the DHS Investment Review Board, the Secretary of Homeland Security, and OMB. The DHS Deputy Secretary, who is also the chair of the Investment Review Board, approved the fiscal year 2007 expenditure plan, and: OMB approved the plan on March 20, 2007. Objective 1: Legislative Conditions: Condition 6: Condition 6. The plan satisfies the requirement that it be reviewed by GAO. Our review was completed on June 15, 2007. Objective 1: Legislative Conditions: Condition 7: Condition 7. The plan does not satisfy the condition that it include a comprehensive US-VISIT strategic plan. Strategic plans are the starting point and basic underpinning for results-oriented management. Such plans articulate the fundamental mission of an organization, or program, and lay out its long-term goals and objectives for implementing that mission, including the resources needed to reach these goals. Federal legislation and guidelines[Footnote 40] require that agencies’ strategic plans include six key elements: (1) a comprehensive mission statement, (2) strategic goals and objectives, (3) strategies and the various resources needed to achieve the goals and objectives, (4) a description of the relationship between the strategic goals and objectives and annual performance goals, (5) an identification of key external factors that could significantly affect the achievement of strategic goals, and (6) a description of how program evaluations were used to develop or revise the goals and a schedule for future evaluations. As we have previously reported,[Footnote 41] strategic plans should also include a discussion of management challenges facing the program that may threaten its ability to meet long-term, strategic goals and efforts to coordinate among cross-cutting programs, activities, or functions. While the US-VISIT program is not required to explicitly follow these guidelines, the guidelines nonetheless provide a framework for effectively developing strategic plans and the basis for program accountability. However, the US-VISIT strategic plan[Footnote 42] does not include any of these key elements associated with effective strategic plans. In summary, the plan describes eight desired program capabilities[Footnote 43] and provides an implementation strategy that describes how each of these capabilities will be delivered over a multi- year investment horizon through three categories of activities – Foundation, Transformation, and Globalization. Foundation activities, which are described as modernization, enhancement, and expansion of capabilities and technologies, as well as leveraging current capabilities and technologies. Transformation activities, which are described as the implementation of processes and technologies that cut across the particular functions and entities that make up the immigration and border management system. Globalization activities, which are described as the coordination and sharing of information with foreign governments to improve the ability to detect and prevent potential threats from either entering the United States or remaining here. However, the plan does not provide time frames for the completion of these broad investment categories. The plan also does not include strategic goals and objectives or strategies for achieving goals and objectives. As a result, it is not clear what program capabilities will be delivered when and whether they are aligned with the program’s goals and objectives. Further, the plan does not include a comprehensive mission statement, describe the relationships between strategic goals and annual performance goals, the external factors that could affect the program, and the program evaluations used to establish or revise the goals. In addition, the US-VISIT strategic plan does not address management challenges facing the program, such as those addressed in our past recommendations. And although the strategic plan identifies the ability to communicate with external stakeholders as a desired capability, the plan does not provide any evidence of such past communication or explain the relationship between US-VISIT and other organizations within the border and immigration management enterprise. For example, it does not describe the relationship between US-VISIT and DHS’s Western Hemisphere Travel Initiative, even though both programs involve the entry of certain foreign individuals at U.S. POEs. While the strategic plan is missing important content, other related program documentation includes some of this content. For example, the fiscal year 2007 expenditure plan and the US-VISIT Mission Needs Statement state the program’s mission and goals. In addition, the US- VISIT Program Blueprint describes eight core capabilities, which are very similar to those described in the strategic plan, and maps those capabilities to four business outcomes. However, the Blueprint does not include strategic goals, so it is not clear whether the business outcomes are aligned with US-VISIT’s goals. Further, the outcomes are not described in the strategic plan. The Program Blueprint also notes that responsibilities for immigration and border management are spread across multiple agencies and departments. However, it does not provide clear delineations of these organizations’ respective tasks, services, or efforts. Further, the strategic plan does not cite or describe any coordination efforts to address this situation. Additionally, the Blueprint identifies border and immigration management enterprise stakeholders and identifies, for each stakeholder, needs and priorities, challenges, how the business outcomes will benefit the stakeholder, and stakeholder constraints that will affect business outcomes. This means that while some of the content of a US-VISIT strategic plan is captured in a fragmented fashion across a range of documents, the full range of content needed to define an authoritative strategic direction, focus, and roadmap for the program that is approved by departmental leadership is missing. Without it, DHS reduces the chances that the US-VISIT program will achieve desired results and succeed in achieving the program’s goals and objectives. Objective 1: Legislative Conditions: Condition 8: Condition 8. The plan, including related program documentation and program officials’ statements, does not satisfy the condition that it include a complete schedule for biometric exit implementation. The fiscal year 2007 expenditure plan addresses DHS’ near-term deployment plans for biometric exit capabilities at air and sea POEs. Further, it notes the absence of near-term biometric options for land POEs and mentions only a possible near-term, interim option that is being considered. In addition, the expenditure plan addresses all three locations of US-VISIT technology (air, sea, and land). However, the expenditure plan’s discussion of exit capabilities is conceptual and general and does not contain a schedule for the full implementation of US-VISIT exit capabilities at air, sea and land POEs. Air: The plan states that DHS plans to incorporate air exit into the airline check-in process. However, the plan does not provide any details as to what capabilities will be acquired and deployed when and at what cost. Instead, it states that DHS plans to integrate US-VISIT’s efforts with CBP’s pre-departure Advance Passenger Information System[Footnote 44] and TSA’s Secure Flight[Footnote 45] for purposes of partnering with the airline industry. Further, the plan does not include any schedule of air exit implementation activities, but rather, simply states that DHS plans to initiate efforts on its air exit solution at an unspecified time during the third quarter of fiscal year 2007, and will fully deploy the air exit solution by an unspecified time during calendar year 2008. On June 11, 2007, DHS provided us with a schedule for air exit, which the department characterized as high-level. For example, it does not include the underlying details supporting the timelines for such areas of activity as system design, system testing, and system development. However, program officials told us that greater detail existed to support the schedule, but that because this had not been approved by DHS, could not be provided. The schedule provided indicates that the air exit solution will be fully deployed by June 2009, which is at least six months after the deployment date provided in the expenditure plan. Sea: The plan states that DHS will initiate planning efforts on the sea exit deployment at an unspecified time during fiscal year 2007, and that it will emulate the technology and operational plans used for the air exit solution. However, the plan does not provide any details about how, when, and at what cost the sea exit solution will be accomplished, or provide a completion date or any interim dates. Land: Consistent with our December 2006 report,[Footnote 46] the plan states that implementing a biometric exit solution at land POEs is significantly more complicated and costly than air or sea exit because it would require a costly expansion of existing exit capacity, including physical infrastructure, land acquisition, and staffing. Because of this, the plan concludes that land exit cannot be practically based on biometric validation in the short term. In lieu of biometric-based exit at land POEs in the near term, the plan states that DHS will initially seek to match entry and exit records using biographic information in instances where departure information is not collected from an individual who leaves the country, as in the case of an individual who does not submit their Form I-94[Footnote 47] upon departure. However, the plan does not specify what this near-term focus entails and how, when, and at what cost it will be accomplished. Rather, it says that DHS has not yet determined a time frame or any cost estimates for the initiation of a land exit solution. Objective 2: Open Recommendations: Recommendation 1: Recommendation 1: Develop and begin implementing a system security plan and perform a privacy impact analysis and use the results of this analysis in near-term and subsequent system acquisition decision- making. Status: Partially complete: A system security plan and privacy impact assessment are important to understanding system requirements and ensuring that the proper safeguards are in place to protect system data, resources, and individuals’ privacy. Both best practices and federal guidance advocate their development and use. System Security Plan: The purpose of a system security plan is to define the steps that will be taken (i.e., security controls that will be implemented) to cost- effectively address known security risks. We reported[Footnote 48] in 2005 that the program office developed a US-VISIT system security plan that was generally consistent with federal practice. However, we also reported at that time that the plan was not based on a security risk assessment. In December 2005, the program office developed a US-VISIT risk assessment that addressed the risk elements required by OMB, including having an inventory of known risks, their probability of occurrence and impact, and recommended controls to address them. At that time, program officials told us that they intended to develop a US-VISIT security strategy that reflected the results of this risk assessment. In December 2006, the program office developed a US-VISIT security strategy and has since begun implementing it. For example, it has conducted security evaluations of commercial off-the-shelf software products before adding them to the program’s technical baseline. However, the scope of this strategy does not extend to all the systems that comprise US-VISIT. For example, the Treasury Enforcement Communications System (TECS), an integral component of US- VISIT, is not under the US-VISIT inventory of systems because it is owned by Customs and Border Protection. The fact that the US-VISIT security strategy’s scope is limited to only systems that the program office owns is not consistent with our recommendation. We have ongoing work to evaluate the quality of US- VISIT security documents and practices, including TECS implementation of security controls. Privacy Impact Assessment: The purpose of a privacy impact assessment is to ensure handling of information conforms to applicable legal, regulatory, and policy requirements regarding privacy, determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form[Footnote 49] in an electronic information system, and examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. In February 2006, we reported[Footnote 50] that the program office had developed and periodically updated a privacy impact assessment. However, we also reported that system documentation only partially addressed privacy. Since then, program officials told us that they have taken steps to ensure that the impact assessment’s results are used in deciding and documenting the content of US-VISIT projects. For example, they said that privacy office representatives are included in key project definition, design, and development meetings to ensure that privacy issues are addressed and that key system documentation now reflects privacy-based needs. Furthermore, US-VISIT privacy officials recently conducted an audit of system documentation to ensure that privacy is being addressed. They found only a single instance where privacy should have been addressed in system documentation but was not. Finally, our review of recently issued system documentation shows privacy concerns are being addressed. Objective 2: Open Recommendations: Recommendation 2: Recommendation 2: Develop and implement a plan for satisfying key acquisition management controls, including acquisition planning, solicitation, requirements management, project management, contract tracking and oversight, evaluation, and transition to support, and implement the controls in accordance with Software Engineering Institute (SEI) guidance.[Footnote 51] Status: Partially complete: Effective acquisition management controls are important contributors to the success of programs like US-VISIT. SEI has defined a range of acquisition management controls as part of its capability maturity models, which, when properly implemented, have been shown to increase the chances of delivering promised system capabilities on time and within budget. In June 2003, we first reported[Footnote 52] that the program did not have key acquisition management controls in place, and we reiterated this point in September 2003.[Footnote 53] In May 2005, the program office developed a plan for satisfying SEI acquisition management guidance and began implementing it. Its 2005 assessment addressed 13 SEI key process areas, a number of which were consistent with the seven management controls that we recommended. In April 2006, the program office updated its plan to focus on six key process areas: acquisition project planning, requirements management, project monitoring and control, risk management, configuration management, and product and process quality assurance. Since 2005, the program office reports that it has made progress in implementing the 113 practices associated with these six key process areas, as previously discussed. However, the six areas of focus do not include all of the management controls that we recommended. For example, solicitation, contract tracking and oversight, and transition to support are not included. While the program office reports that it has also addressed contract tracking and oversight as part of responding to a later recommendation that we made (not one of the nine recommendations addressed in this briefing), it also reports that it has yet to address the other two management controls. It is important for the program office to address all of the management controls that we recommended. If it does not, it will unnecessarily increase program risks. Objective 2: Open Recommendations: Recommendation 3: Recommendation 3: Ensure that expenditure plans fully disclose what system capabilities and benefits are to be delivered, by when, and at what cost, as well as how the program is being managed. Status: Partially complete The fiscal year 2007 expenditure plan discloses planned system capabilities, estimated schedules and costs, and expected benefits, but meaningful information about schedules, costs, and benefits is missing. Further, while the plan does provide information on some acquisition activities, it does not adequately describe how the program is being managed in a number of areas and does not disclose the management challenges that it continues to face. Without such information, the expenditure plan does not provide Congress with enough information to exercise effective oversight and hold the department accountable. Schedule: The fiscal year 2007 expenditure plan provides time commitments for some capabilities; however, these are not specific. For example, the plan states the following: Unique Identity: * Deployment of 10-print pilot to 10 air locations to begin in late 2007. * Initial Operating Capability functionality targeted for September 2008. Exit: * Air exit solution deployment will begin in third quarter 2007 and continue through 2008. * Begin work in fiscal year 2007 on sea exit deployment that will emulate technology and operational plans adopted for commercial aviation environment. Moreover, no schedule commitments are made for the development and deployment of PKD validation capabilities. Costs: The fiscal year 2007 expenditure plan identifies each project’s funding. In some cases, this information is provided with meaningful detail that allows for understanding of how the funds will be used. For example: Unique Identity shows the following activities and costs: * Acquisition and Procurement ($21.2 million)—purchase and initial deployment of 10-print capture devices and upgrades in network capabilities (bandwidth and technology refreshes) at 119 airports, 9 seaports, and 155 land ports. * Update DHS Border and Process Technology ($2.0 million)—update device to client biometric interfaces and further 10-print prototype testing and evaluation. However, in other cases, costs are not described at a level that would permit such understanding. For example: Contractor Services (Project Assigned) ($12.1 million) - contractor services and support for the project-related resource planning and management (including the areas of configuration, acquisition, and risk), as well as project performance metrics and reporting in the areas of cost, schedule, scope, and quality management. This exact wording is also used for this category in two other projects with different costs. In addition, unlike prior expenditure plans, carryover funds from prior years that are planned for use in 2007 are not allocated to 2007 activities. For example: Exit - A total of $7.3 million in fiscal year 2007 funds, plus fiscal year 2006 carryover funds of $20 million are mentioned as being allocated to begin the process of deploying DHS’ integrated air exit strategy and initial planning for sea exit. However, only the $7.3 million is allocated among the activities listed. No information is presented regarding the allocation of the $20 million in carryover funds to these activities or any others. Benefits: The fiscal year 2007 expenditure plan cites benefits associated with the projects. However, the benefits are broadly stated. For example, the plan describes exit benefits as “Safer and more secure travel” and Unique Identity benefits as “Facilitation of efficient, yet secure, trade and travel.” Acquisition Management: The 2007 expenditure plan describes a range of key acquisition management activities and control areas. These include: Requirements development and management: Configuration management: Data governance: However, the plan does not fully disclose challenges that the program faces in managing acquisition activities, nor does it discuss key areas in which change is occurring, such as capital planning and investment controls and human capital management. Objective 2: Open Recommendations: Recommendation 4: Recommendation 4: Ensure that the human capital and financial resources are provided to establish a fully functional and effective program office and associated management capability. Status: Partially complete: DHS established the US-VISIT program office in July 2003 and determined the office’s staffing needs to be 115 government and 117 contractor personnel. In September 2003, we reported[Footnote 54] that the program office lacked adequate human capital and financial resources. In August 2004, the program office, in conjunction with OPM developed a draft human capital plan. Agency officials stated that, at one point in 2006, all of the 115 government positions were filled. In addition, the program has received about $1.4 billion in funding, and we recently reported that it has devoted an increasing proportion of its annual appropriation to program office and related management activities. Since then, however, 21 of the government positions have become vacant. According to program officials, they have taken interim steps to address this void in leadership by temporarily assigning other staff to cover them. They added that they plan to fill all the positions through aggressive recruitment and that they do not consider the vacancies to present a risk to the program. However, without adequate human capital, particularly in key positions and for extended periods, program risks will invariably increase. Objective 2: Open Recommendations: Recommendation 5: Recommendation 5: Clarify the operational context within which US-VISIT must operate. Status: Partially complete: As we have previously reported, all programs exist within a larger operational (and technological) context or frame of reference that is captured in such strategically focused instruments as strategic plans and an EA. Additionally, having a strategic plan and an EA are recognized best practices and provided for in federal guidance. In 2003, we reported[Footnote 55] that DHS had yet to define the operational context in which US-VISIT is to operate, such as a well- defined department EA or a departmentally approved strategic plan. In the absence of this operational context, we stated that program officials could make assumptions and decisions that, if they proved inconsistent with subsequent departmental policy decisions, would require US- VISIT rework to make it interoperable with related programs and systems, such as the FBI’s 10-print biometric identity system known as IAFIS. Moreover, we stated that US-VISIT could be defined and implemented in a way that made it duplicative of other programs and systems, such as the Secure Border Initiative or the Western Hemisphere Travel Initiative. Since then, we have continued to report on the absence of this context. Most recently, we reported[Footnote 56]in February 2006 that this operational context was still a work in process. Specifically, we found that although a strategic plan was drafted that program officials said showed how US-VISIT was aligned with DHS’s organizational mission and defined an overall vision for immigration and border management across multiple departments and external stakeholders with common objectives, strategies, processes, and infrastructures, this plan had been awaiting departmental approval at that time for more than 11 months. In February 2007, we reported[Footnote 57] that US-VISIT was still lacking a departmentally approved operational context, and that this was exacerbated by DHS’s recent launching of other major programs without defining their relationships to US-VISIT. Examples of these programs are: Secure Border Initiative (SBI), a multi-year program to secure the borders and reduce illegal immigration by installing state-of-the-art surveillance technologies along the border, increasing border security personnel, and ensuring information access to DHS personnel at and between ports of entry. Western Hemisphere Travel Initiative (WHTI), which is to implement the provisions of the Intelligence Reform and Terrorism Prevention Act of 200448 requiring citizens of the United States, Canada, Bermuda, and Mexico to have a designated document for entry or re-entry into the United States that establishes the bearer’s identity and citizenship. US-VISIT continues to lack a well-defined operational context. As discussed earlier in this briefing, the fiscal year 2007 expenditure plan includes an appendix titled “Comprehensive Strategic Plan for US- VISIT,” which the Program Director told us is the department’s officially approved US- VISIT strategic plan. However, as we discussed in the legislative conditions section of the briefing, key elements of relevant federal guidance for a strategic plan are not addressed in this plan. For example, no specific outcome-related goals for major functions and operations of US-VISIT or specific objectives to meet those goals are provided, nor does it address external factors that could affect achievement of program goals. Finally, this strategic plan does not address the explicit relationships between US-VISIT and either the SBI or WHTI programs. We recently reported [Footnote 59] that DHS’s EA has evolved beyond prior versions. However, the DHS EA 2006[Footnote 60] was not complete for several reasons. For example, it was missing architecture content, such as a transition plan and evidence of a gap analysis between the “as is” and “to be” architectures, and it was developed with limited stakeholder input: support contractors and organizational stakeholders provided a range of comments on completeness, internal consistency, and understandability of a draft of the EA, but the majority of comments were not addressed. Because the EA was not complete, internally consistent and understandable, we concluded that its usefulness was limited, in turn limiting DHS’s ability to guide and constrain IT investments in a way that promotes interoperability and reduces overlap and duplication. Program officials told us that they have met with related programs to coordinate their respective efforts. They stated that DHS’s Office of Screening Coordination and Operations (SCO) has been trying to coordinate and unify the departmental components’ initiatives by bringing border management stakeholders together. However, specific coordination efforts have not been assigned to the SCO or any other DHS entity. The absence of a well-defined operational context within which to define and pursue US-VISIT has been longstanding. Until this context exists, the department will be challenged in its ability to define and implement US-VISIT and related border security and immigration management programs in a manner that promotes interoperability, minimizes duplication, and optimizes departmental capabilities and performance. Objective 2: Open Recommendations: Recommendation 6: Recommendation 6: Determine whether proposed US-VISIT increments will produce mission value commensurate with costs and risks and disclose to its executive bodies and the Congress the results of these business cases and planned actions.[Footnote 61] Status: Partially complete: The decision to invest in any system capability should be based on reliable analysis of return on investment. Moreover, according to relevant guidance, incremental investments in major systems should be individually supported by such analyses of benefits, costs, and risks. Without such analyses, an organization cannot adequately know that a proposed investment is a prudent and justified use of limited resources. In June and September 2003, and in February 2005, we reported[Footnote 62] that proposed investments in the then entry/exit system, US-VISIT Increment 1, and US-VISIT Increment 2B, respectively, were not justified by reliable business cases. Further, in February 2006 we reported[Footnote 63] that while a business case was prepared for Increment 1B, the analysis performed met only four of the eight criteria in OMB guidance. For example, it did not include a complete uncertainty analysis for the alternatives evaluated. More recently, the program office has developed business cases for two projects: Unique Identity and U.S. Travel Documents-ePassports (formerly Increment 2A).[Footnote 64] However, the program office has not developed a business case for another project that it plans to begin implementing this year—biometric exit at air POEs. As discussed later in the observations section of this briefing, the program office has defined very little about its proposed solution to meeting its exit needs at air POEs, including an analysis of alternative solutions to meeting this need on the basis of their relative costs, benefits, and risks. Until the program office has reliable business cases for each US-VISIT project in which alternative solutions for meeting mission needs are evaluated on the basis of costs, benefits, and risks, it will not be able to adequately inform its executive bodies and the Congress about its plans and will not provide the basis for prudent investment decision making. Objective 2: Open Recommendations: Recommendation 7: Objective 7: Open Recommendations Recommendation: Recommendation 7: Develop and implement a human capital strategy that provides for staffing open positions with individuals who have the requisite core competencies (knowledge, skills, and abilities). Status: Partially complete: Strategic management of human capital involves proactive efforts to understand an entity’s future workforce needs, existing workforce capabilities, and the gap between the two and to chart a course of action defining how this gap will be continuously addressed. Such an approach to human capital management is both a best practice and provision in federal guidance. In September 2003, we reported[Footnote 65] that US-VISIT did not have a human capital strategy. In February 2006, we reported[Footnote 66] that the program office issued a human capital plan and began implementing it. However, it stopped doing so during 2006 pending a departmental approval of a DHS-wide human capital initiative, known as MAXHR, and because all program office positions were filled. However, as noted earlier, the program office now reports that it has 21 government positions, including critical leadership positions, vacant. According to program officials, US-VISIT recently developed a new human capital plan as part of their Organizational Improvement Initiative and this plan is now being reviewed by the department. Because its approval is pending, we were not provided a copy. Objective 2: Open Recommendations: Recommendation 8: Recommendation 8: Develop and implement a risk management plan and ensure that all high risks and their status are reported regularly to the appropriate executives. Status: Partially complete: In September 2003, we reported[Footnote 67] that US-VISIT was a risky undertaking due to several factors, including its large scope and complexity and various program weaknesses. We concluded that these risks, if not effectively managed, would likely cause program cost, schedule, and performance problems. Since then, US-VISIT approved a risk management plan and began to put into place a risk management process that included, among other things, subprocesses for identifying, analyzing, managing, and monitoring risk. It also defined and began implementing a governance structure to oversee and manage the process, and it maintains a risk database that is available to program management and staff. In February 2006,[Footnote 68] we reported that the risk management process detailed in the risk management plan was not being consistently applied across the program. In addition, we reported that thresholds for elevating risks to department executives were not being applied and risk elevation was being left to the discretion of the Program Director. Since then, the program has provided training to its employees to ensure that they understood how to apply the risk management process. However, program officials told us that they have eliminated the thresholds for elevating risks beyond the US-VISIT Program Office. Further, no risks have been elevated to department executives since December 2005, and no specific guidance on when risks should be elevated beyond the US-VISIT Program Director is provided in the current risk management plan. Until the program office ensures that high risks are appropriately elevated, department executives will not have the information they need to make informed investment decisions. Objective 2: Open Recommendations: Recommendation 9: Recommendation 9: Define performance standards for US-VISIT that are measurable and reflect the limitations imposed on US-VISIT capabilities by relying on existing systems. Status: Partially complete: The operational performance of US-VISIT depends largely on the performance of the existing systems that have been integrated to form it. This means that, for example, the availability of US-VISIT is constrained by the downtime of existing systems. In February 2006, we reported[Footnote 69] that the program office had defined technical performance standards for several increments (e.g., Increments 1, 2B, and 2C), but these standards did not contain sufficient information to determine whether or not they reflected the limitations imposed by reliance on existing systems. Since then, program officials told us that they have not updated the performance standards for Increments 1-3 to reflect limitations imposed by relying on existing systems. As a result, the ability of these increments to meet performance requirements remains uncertain. Recently, the program office has developed requirements-related documentation on Unique Identity elements, including the iDSM. While this documentation specifies a requirement that the model be able to exchange information with external systems, and refers to this as a system constraint, it does not assess the quantitative impact that these changes would impose on the system. In order to determine such impacts, it is necessary to assess such factors as the response time and throughput of US-VISIT feeder systems on US-VISIT. Until the program defines performance standards that reflect the limitations of the existing systems upon which US-VISIT relies, the program lacks the ability to identify and effectively address performance shortfalls. Objective 3: Observation 1: Earned Value Data Show Favorable Variances: Observation 1: Earned value management data on ongoing prime contract task orders show that cost and schedule baselines are being met. Earned value management (EVM) is a program management tool for measuring progress by comparing, during a given period of time, the value of work accomplished with the amount of work expected to be accomplished. This comparison permits performance to be evaluated based on calculated variances from the planned (baselined) cost and schedule. EVM is both an industry accepted practice and an OMB requirement. The program office requires its prime contractor to use EVM,[Footnote 70] and the data provided by the program office show that the cumulative cost and schedule variances for the overall prime contract and all 12 ongoing task orders are within an acceptable range of performance. Our analysis of baseline and actual performance data using generally accepted earned value analysis techniques show that as of February 2007, the prime contractor had an overall: Positive cost variance for all task orders combined (i.e., was under budget) by about $17.1 million (about 7 percent of the $ 238.9 million worth of work to be completed). Negative schedule variance for all task orders combined (i.e., had a schedule slip) of only about $1.3 million worth of work (less than 1 percent of the work scheduled for the period). The six-month (September 2006-February 2007) trend in cost and schedule variances for the prime contract are shown on the next two pages. Figure: Cumulative Cost Variance: [See PDF for image] Source: GAO, based on an analysis of DHS data. [End of figure] Figure: Cumulative Cost Variance: [See PDF for image] Source: GAO, based on an analysis of DHS data. [End of figure] Our analysis of these data for two specific task orders showed similar results. Specifically, Task order 4: Program Level Engineering. This task order includes the development and maintenance of the US-VISIT target architecture, related standards, engineering plans, and guidance as well as performance modeling and technology assessments. As of February 2007, it: * Showed a positive cost variance (i.e., was under budget) by about $4.1 million (about 9.6 percent of the $ 42.7 million worth of work to be completed). * Showed a negative schedule variance (i.e., had a schedule slip) by about $230,000 worth of work (less than one percent of the work scheduled for the period). Task order 7: IT Solutions Delivery. This task order contains several Unique Identity project subtasks including (1) operation and maintenance of US- VISIT’s IDENT biometric identification system, (2) development and maintenance of the iDSM, (3) IDENT expansion to 10 prints, and (4) development and testing of enumeration functionality for the U.S. Citizenship and Immigration Services. As of February 2007, it: * Showed a positive cost variance (i.e., was under budget) by about $747,000 (less than 2 percent of the $44.5 million worth of work to be completed). * Showed a negative schedule variance (i.e., had a schedule slip) of about $384,000 worth of work (less than one percent of the work scheduled for the period). All of the above cited variances are within the expected range of 10 percent. Objective 3: Observation 2: Management Funding Remains High and Unsatisfied: Observation 2: DHS continues to propose a heavy investment in program management-related activities without adequate justification or full disclosure. Program management is an important and integral aspect of any system acquisition program. Our recommendations to DHS aimed at strengthening US- VISIT program management are grounded in our research, OMB requirements, and recognized best practices relative to the importance of strong program management capabilities. The importance of this area, however, does not in and of itself justify the level of investment in such activities. Rather, investment in program management-related activities, similar to investment in any program capability, should be based on full disclosure of the scope, nature, size, and value of the program and such investments should be justified in relation to the size and significance of the acquisition activities being performed. Earlier this year, we reported,[Footnote 71] that the program’s investment in program management had risen significantly over the past 4 years, particularly in relation to the program’s declining level of new system development. The fiscal year 2007 expenditure plan proposes a level of investment in program management similar to that for 2006. At the same time, no explanation or justification of such a relatively large investment in program management-related funding has been provided. Specifically, The fiscal year 2003 expenditure plan provided $30 million for program management and operations. In contrast, the fiscal year 2006 plan provided $126 million for program management-related functions. At the same time, funds provided for new development fell from $325 million in 2003 to $93 million in 2006. Restated, program management costs represented about 9 percent of planned development costs in 2003 but 135 percent of planned development in 2006. This means that in 2006, for every dollar spent on new capabilities, $1.35 was spent on management. * According to program officials, the fiscal year 2006 plan did not properly categorize proposed program management-related funding according to its intended use. They added that future expenditure plans would provide greater clarity into funds used for management versus development. The fiscal year 2007 expenditure plan proposed investing a comparable percentage of funding on management-related activities vis-a-vis new development. Specifically, our analysis shows that, for every dollar invested in new development, $1.25 is to be spent on management-related activities at either the program or project level. Charts showing this trend in management-related funding in relation to new development funding are on the following two pages. Figure: Development, Operations, and Program/Project Management Cost Trends, FY-2002-FY2007: (Dollars in millions.) [See PDF for image] Source: GAO analysis of DHS data. [End of figure] Figure: Program/Project Management Costs as Percentage of New Development: (Percentage of development) [See PDF for image] Source: GAO analysis of DHS data. [End of figure] The fiscal year 2007 expenditure plan does not explain the reasons for the sizable investment in management-related activities or otherwise justify it on the basis of measurable expected value. Without disclosing and justifying its proposed investment and program management-related efforts, it is unclear that such a large amount of funding for these activities represents the best use of resources. Objective 3: Observation 3: Exit Remains Inadequately Defined and Justified: Observation 3: Lack of a well-defined and justified exit solution introduces the risk of repeating failed and costly past exit efforts. The decision to invest in a system or system component should be based on a clear definition of what capabilities, what stakeholders, and what will be delivered according to what schedule and at what cost. Moreover, it should be economically justified via reliable analysis showing that execution of the plan will produce mission value commensurate with expected costs and risks. According to the fiscal year 2007 expenditure plan, DHS intends to begin deploying an exit capability at air and sea POEs and spend $27.3 million doing so. More specifically, the plan states that: $7.3 million in fiscal year 2007 funding and $20 million in fiscal year 2006 carryover funding will be used, in part, to begin the process of planning and designing an air and sea exit solution; the air exit solution will be fully deployed by an unspecified time during calendar year 2008; the air exit solution will be integrated with commercial airlines’ existing passenger check-in processes; and: the sea exit solution will emulate the technology and operational plans adopted for air exit. However, while US-VISIT has developed a high-level schedule for air exit, information supporting that schedule was not provided to GAO and no other exit program plans are available that define what will be done, by what entities, and at what cost to define, acquire, deliver, deploy, and operate this capability, including plans describing expected system capabilities, identifying key stakeholder (e.g., airlines) roles/responsibilities and buy-in, coordinating and aligning with related programs, and allocating funding to activities. In addition, the exit schedule provided by the program office indicates that the air exit solution is to be fully implemented by June 2009, which is at least 6 months after the full deployment date provided in the expenditure plan. Further, available documentation (e.g., the expenditure plan): does not define what key terms mean, such as “full implementation” and “integrated;” does not specify what the $20 million in fiscal year 2006 carryover funding will be spent on, and only allocates the $7.3 million in fiscal year 2007 funding to such broad categories of activities as project management, contractor services, and planning and design; and: does not describe what has been done and what is planned to engage with commercial airlines, even though the recently-provided air exit schedule states that the department plans to issue a proposed federal regulation requiring airlines to participate in this effort by end of calendar year 2007. Moreover, no analysis comparing the life cycle costs of the air exit solution to its expected benefits and risks is available. In particular, neither the 2007 expenditure plan nor any other program documentation describe measurable outcomes (benefits and results) that will result from an air exit solution. According to the expenditure plan, significant air exit planning and testing has been conducted over the past 3 years and the air exit solution is based in part on these efforts. However, during this time we have continued to report on fundamental limitations in the definition and justification of those efforts. For example, In September 2003,[Footnote 72] we reported that DHS had not economically justified the initial US-VISIT increment (which was to include an exit capability at air and sea POEs) on the basis of benefits, costs, and risks. As result, we recommended that DHS determine whether proposed incremental capabilities will produce value commensurate with program costs and risks. In May 2004,[Footnote 73] we reported that an exit capability (including biometric capture) was not deployed to the 80 air and 14 sea POEs as part of Increment 1 deployment in December 2003, as originally intended. Instead, a pilot exit capability was deployed to only one air and one sea POE on January 5, 2004. At that time, program officials told us that it was being piloted at only two locations because they decided to evaluate other exit alternatives and planned to select an alternative for full deployment by December 31, 2004. In February 2005,[Footnote 74] we reported that DHS had not adequately planned for evaluating the air and sea exit alternatives because the scope and timeline of the pilot evaluations were compressed. We recommended that the program office reassess its plans for deploying an exit capability to ensure that the scope of the pilot provided an adequate evaluation of alternatives. In February 2006,[Footnote 75] we reported that DHS had analyzed the cost, benefits, and risks for its air and sea exit capability, but the analyses did not demonstrate that the program was producing or would produce mission value commensurate with expected costs and benefits, and the costs upon which the analyses were based were not reliable. We also raised questions about the adequacy of the program’s air exit pilot evaluation, noting that the results showed an average compliance of only 24 percent across the three alternatives. We concluded that until exit alternatives were adequately evaluated, the program office would not be in a position to select the best solution. We further noted that without an effective exit capability, the benefits and the mission value of US-VISIT would be greatly diminished. We did not make a recommendation to address this because we had already addressed the situation through a prior recommendation. In December 2006,[Footnote 76] we reported that US-VISIT officials had concluded that a biometric US-VISIT land exit capability could not be implemented without incurring a major impact on land POE facilities. We also reported that the land exit pilots had surfaced several performance problems, such as RFID devices not reading a majority of travelers’ tags during testing and multiple RFID devices installed on poles or structures over roads reading information from the same traveler tag. We recommended that DHS report to Congress information on the costs, benefits, and feasibility of deploying biometric and nonbiometric exit capabilities at land POEs. In February 2007,[Footnote 77] we reported that DHS had not adequately defined and justified its past investment in exit pilots and demonstration projects. We noted that the program had devoted considerable time and resources to exit but still did not have either an operational exit capability or a viable exit solution to deploy. Further, exit-related program documentation did not adequately define what work was to be done or what these efforts would accomplish and did not describe measurable outcomes from the pilot or demonstration efforts, or related cost, schedule, and capability commitments that would be met. We recommended that planned expenditures be limited for exit pilots and demonstration projects until such investments are economically justified and until each investment has a well-defined evaluation plan. Notwithstanding these longstanding limitations in planning for and justifying its exit efforts, and notwithstanding that funding for exit- related efforts in US-VISIT expenditure plans for fiscal years 2003 through 200668 totals about $250 million, no operational exit capability exists. Unless the department better plans and justifies its new exit efforts, it runs the serious risk of repeating this past failure. Conclusions: US-VISIT’s prime contract cost and schedule metrics show that expectations are being met, according to available data, although their earned value management system that the metrics are based on has yet to be independently certified. Nothwithstanding this, such performance is a positive sign. However, the vast majority of the many management weaknesses raised in this briefing have been the subject of our prior US-VISIT reports and testimonies, and thus are not new. Accordingly, we have already made a litany of recommendations to correct each weakness, as well as follow- on recommendations to increase DHS attention to and accountability for doing so. Despite this, recurring legislative conditions associated with US-VISIT expenditure plans continue to be less than fully satisfied, and recommendations that we made 4 years ago are still not fully implemented. Exacerbating this situation is the fact that the DHS did not satisfy two new legislative conditions associated with the fiscal year 2007 expenditure plan, and serious questions continue to exist about DHS’s justification for and readiness to invest current, and potentially future, fiscal year funding relative to an exit solution and program management-related activities. DHS has had ample opportunity to address these many issues, but it has not. As a result, there is no reason to expect its newly launched exit endeavor, for example, to produce results different from its past endeavors—namely, no operational exit solution despite expenditure plans allocating about a quarter of billion dollars to various exit activities. Similarly, there is no reason to believe that the program’s disproportionate investment in management-related activities represents a prudent and warranted course of action. All told, this means that needed improvements in US-VISIT program management practices are long overdue. Both the legislative conditions and our open recommendations are aimed at accomplishing these improvements, and thus they need to be addressed quickly and completely. Thus far, they have not been and the reasons that they have not are unclear. Recommendations for Executive Action: Because our outstanding US-VISIT recommendations already address all of the management weaknesses discussed in this briefing, we are reiterating our prior recommendations, and recommending that the Secretary of DHS report to the department’s authorization and appropriations committees on its reasons for not fully addressing its expenditure plan legislative conditions and our prior recommendations. Agency Comments: We provided a draft of this briefing to DHS and US-VISIT program officials and solicited their comments on it. In response, DHS and US- VISIT program officials, including the program director, stated that the briefing was factually correct and that GAO's continued guidance provided value to the program. They also stated that the program office would continue to a