Defense Biometrics:

DOD Can Better Conform to Standards and Share Biometric Information with Federal Agencies

GAO-11-276: Published: Mar 31, 2011. Publicly Released: May 2, 2011.

Additional Materials:

Contact:

Brian J. Lepore
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Biometrics technologies that collect and facilitate the sharing of fingerprint records, and other identity data, are important to national security and federal agencies recognize the need to share such information. The Department of Defense (DOD) plans to spend $3.5 billion for fiscal years 2007 to 2015 on biometrics. GAO was asked to examine the extent to which DOD has (1) adopted standards and taken actions to facilitate the collection of biometrics that are interoperable with other key federal agencies, and (2) shares biometric information across key federal agencies. To address these objectives, GAO reviewed documents including those related to standards for collection, storage, and sharing of biometrics; visited selected facilities that analyze and store such information; and interviewed key federal officials.

DOD has adopted a standard for the collection of biometric information to facilitate sharing of that information with other federal agencies. DOD recognized the importance of interoperability and directed adherence to internationally accepted biometric standards. DOD applied adopted standards in some but not all of its collection devices. Specifically, a collection device used primarily by the Army does not meet DOD adopted standards. As a result, DOD is unable to automatically transmit biometric information collected to federal agencies, such as the Federal Bureau of Investigation (FBI). For example, this device is responsible for 13 percent of the records maintained by DOD--the largest number of submissions collected by a handheld device, according to DOD. Further, this constitutes approximately 630,000 DOD biometric records that cannot be searched automatically against FBI's approximately 94 million. DOD has not taken certain actions that would likely improve its adherence to standards, all of which are based on criteria from the Standard for Program Management, the National Science and Technology Council, and the Office of Management and Budget guidance, respectively. First, DOD does not have an effective process, procedure, or timeline for implementing updated standards. Second, DOD does not routinely test at sufficient levels of detail for conformance to these standards. Third, DOD has not fully defined roles and responsibilities specifying accountability needed to ensure its collection devices meet new and updated standards. DOD is sharing its biometric information and has an agreement to share biometric information with the Department of Justice, which allows for direct connectivity and the automated sharing of biometric information between their biometric systems. DOD's ability to optimize sharing is limited by not having a finalized sharing agreement with DHS, and its capacity to process biometric information. Currently, DOD and DHS do not have a finalized agreement in place to allow direct connectivity between their biometric systems. DOD is working with DHS to develop a memorandum of understanding to share biometric information now scheduled for completion in May 2011; however, without the agreement, it is unclear whether direct connectivity will be established between DOD and DHS, which affects response times to search queries. Further, agencies' biometric systems have varying system capacities based on their mission needs, which affects their ability to similarly process each other's queries for biometric information. As a result, DOD and other agency officials have expressed concern that DOD's biometric system may be unable to meet the search demands from their other biometric systems over the long-term. DOD officials do not believe that they need to match other agencies' biometric system capacities because they do not anticipate receiving the same number of queries given differences in mission. However, the advancements other agencies make in their biometric systems may continue to overwhelm DOD's efforts as it works to identify its long-term biometric system capability needs and associated costs. To improve DOD's ability to collect and share information, GAO recommends that DOD implement processes for updating and testing biometric collection devices to adopted standards; fully define and clarify the roles and responsibilities for all biometric stakeholders; finalize an agreement with the Department of Homeland Security (DHS); and identify its long-term biometric system capability needs. DOD agreed with all of GAO's recommendations.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including DOD's Biometric Identity Management Agency (BIMA), U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to implement a process for updating collection devices to adopted standards to help ensure that all DOD systems related to biometrics, including collection devices, conform to adopted standards.

    Agency Affected: Department of Defense

    Status: Open

    Comments: In response to GAO's report, DOD noted that the legacy Handheld Interagency Identity Detection Equipment (HIIDE) devices are near the end of their service life and are being retired. According to DOD, in February 2012 a contract was awarded for an updated handheld device compliant with the mandated data standards to replace the HIIDE, which was Electronic Biometric Transmission Specification (EBTS) 1.2 at the time the solicitation was developed and published, and as required by DODD 8521.01E for all new acquisitions. In July 2013, DOD further stated that DOD is working on completing a EBTS conformance policy that will require all biometric devices to meet standards. DOD expects that this policy will be available at the end of 2013 (calendar year).

    Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to implement a process for testing collection devices at a sufficiently detailed level to help ensure that all DOD systems related to biometrics, including collection devices, conform to adopted standards.

    Agency Affected: Department of Defense

    Status: Open

    Comments: In response to GAO's report, DOD stated that it has established a Biometrics Standards Conformity Assessment Test Program, accredited in January 2011 as part of the National Institute of Standards and Technology's National Voluntary Laboratory Accreditation Program for biometric testing. DOD added that the current DODD 8521.01E requires compliance testing for new biometrics acquisitions, but DOD noted and GAO agrees that the directive does not fully address quick reaction capabilities such as the Handheld Interagency Identity Detection Equipment. DOD added that it plans to work with the FBI to develop a co-sharing arrangement to leverage existing standards compliance testing at the FBI Biometric Center of Excellence to strengthen interagency interoperability. DOD stated that it plans to include these requirements in the biometric DOD directive expected to be updated by December 2013. In July 2013, DOD further stated that the Biometrics Identity Management Agency in West Virginia, which manages the Automated Biometric Identification System and acts as the DOD's Biometrics Center of Excellence has gained laboratory accreditation for Electronic Biometric Transmission Specification conformance. GAO has requested and DOD agreed to provide a copy of their laboratory accreditation, testing and evaluation plans.

    Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to more fully define and further clarify the roles and responsibilities needed to achieve DOD's biometric program and objectives for all stakeholders that include ensuring collection devices conform to adopted standards.

    Agency Affected: Department of Defense

    Status: Open

    Comments: In response to GAO's report, DOD indicated that it is updating DOD Directive 8521.01E "Defense Biometrics," which establishes policy, assigns responsibilities, and describes procedures for DOD biometrics. DOD further noted that the update to the DOD Directive will more fully define and clarify the roles and responsibilities for testing collection devices for compliance with adopted standards. In July 2013, DOD stated that the biometric directive will be completed by December 2013. GAO requested and DOD agreed to provide a copy of the updated directive when it is available.

    Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to complete the memorandum of agreement with the Department of Homeland Security regarding the sharing of biometric information as appropriate and consistent with U.S. laws and regulations and international agreements, as well as information-sharing environment efforts.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: On February 14, 2011, we provided DOD a draft of this report and comment. In response to our draft recommendation, and while the report was under review, DOD finalized an agreement with DHS regarding biometric sharing on March 2, 2011.

    Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to identify its long-term biometric system capability needs, including the technological capacity and associated costs needed to support both the warfighter and to facilitate sharing of biometric information across federal agencies, and take steps to meet those capability needs, as appropriate and consistent with U.S. laws and regulations, international agreements, and available resources.

    Agency Affected: Department of Defense

    Status: Open

    Comments: In response to GAO's report, DOD noted that the Automated Biometric Identification System (ABIS) is currently meeting all the sharing transactions required by DHS and FBI, and DOD has expansion plans in place to increase ABIS's capacity to over 40,000 transactions, which according to DOD will continue to meet the 14,000 daily biometric transaction rate articulated by DHS for 2012. Further, DOD stated that it continues to work closely with the interagency interoperability Executive Steering Committee to ensure DOD has visibility as new interagency requirements coalesce, and can modify ABIS expansion plans to be responsive to interagency sharing responsibilities. In July 2013, DOD noted that the Biometric Enabled Capability (BEC) Capability Development Document (CDD) that describes the overall plan to address ABIS incremental capacity and capability increases, is currently in draft. An updated BEC CDD is expected in December 2013. Further, DOD noted that associated costs to support this technological capacity is being planned, and that once the CDD is validated (scheduled for early FY2014) the Program Manager for Biometrics will determine resourcing of the requirements approved in the CDD.

    Jul 28, 2014

    Jul 17, 2014

    Jul 14, 2014

    Jul 11, 2014

    Jul 9, 2014

    Jul 8, 2014

    Jun 30, 2014

    Jun 26, 2014

    Looking for more? Browse all our products here