Information Technology:

DHS Needs to Further Define and Implement Its New Governance Process

GAO-12-818: Published: Jul 25, 2012. Publicly Released: Jul 25, 2012.

Contact:

David A. Powner
(202) 512-9286
pownerd@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Department of Homeland Security (DHS) has defined a vision for its new information technology (IT) governance process, which includes a tiered oversight structure that defines distinct roles and responsibilities throughout the department. The new governance framework and the associated policies and procedures are generally consistent with recent Office of Management and Budget (OMB) guidance and with best practices for managing projects and portfolios identified in GAO’s IT Investment Management framework, with two practices partially addressed and seven others fully addressed. For example, consistent with OMB guidance calling for the Chief Information Officer (CIO) to play a significant role in overseeing programs, DHS’s draft procedures require that lower-level boards overseeing IT programs include the DHS CIO, a component CIO, or a designated executive representative from a CIO office. In addition, consistent with practices identified in GAO’s IT Investment Management framework, DHS’s draft procedures identify key performance indicators for gauging portfolio performance. However, DHS’s policies and procedures have not yet been finalized, because, according to officials, the focus has been on piloting the new governance process. While it is important to conduct pilots to test processes and identify lessons learned, until the department finalizes the policies and procedures associated with the new IT governance, it will have less assurance that its new IT governance will be consistent with best practices and address previously identified weaknesses in investment management.

DHS has begun to implement aspects of its new governance process. For example, it has established several governance entities and conducted program health assessment reviews for all of its major IT programs. In implementing its new governance, the department has generally followed key industry best practices, such as establishing an implementation team; however, the department has not fully followed other practices, including developing a mechanism to capture lessons learned. The table below summarizes GAO’s assessment of DHS’s implementation efforts. Until the department fully addresses these practices, its implementation approach may be less effective than intended.

Why GAO Did This Study

DHS has one of the largest IT budgets in the federal government. In fiscal year 2012, DHS plans to spend about $5.6 billion to, among other things, acquire, implement, and operate approximately 360 IT programs, including about 83 major programs, which are intended to assist in carrying out its diverse missions. With such a large portfolio of IT programs, it is important to ensure that the appropriate governance exists so that the programs meet their cost, schedule, and performance goals and continue to support the department’s strategies and objectives. In line with this, DHS has been working to define and implement a new IT governance process.

GAO was asked to (1) describe DHS's new IT governance process and associated policies and procedures, and assess them against best practices; and (2) determine progress made in implementing the new process and how DHS’s implementation efforts comport with relevant best practices. To do so, GAO analyzed relevant documentation and interviewed DHS officials responsible for defining and implementing the new governance process.

What GAO Recommends

To implement an effective IT governance process, GAO recommends that DHS finalize associated policies and procedures, and fully follow best practices for implementing the process. In comments on a draft of this report, DHS concurred with GAO’s recommendations and estimated it would address them by September 2013.

For more information, contact David A. Powner at (202) 512-9286 or pownerd@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To assist in implementing the new IT governance strategy, the Secretary of Homeland Security should direct the appropriate officials to establish mechanisms for capturing lessons learned.

    Agency Affected: Department of Homeland Security

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To assist in implementing the new IT governance strategy, the Secretary of Homeland Security should direct the appropriate officials to fully define and document key measures to monitor the implementation process.

    Agency Affected: Department of Homeland Security

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To assist in implementing the new IT governance strategy, the Secretary of Homeland Security should direct the appropriate officials to develop an implementation plan that draws together ongoing and additional efforts needed to implement the new IT governance process. The plan should: 1. build on existing strengths and weaknesses; 2. specify measurable goals, objectives, and milestones; 3. specify needed resources; 4. assign clear responsibility and accountability for accomplishing tasks; and 5. be approved by senior-level management.

    Agency Affected: Department of Homeland Security

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To implement an effective IT governance strategy, the Secretary of Homeland Security should direct the appropriate officials to finish defining the new IT governance process by finalizing the IT governance policies and procedures and ensuring they fully address or reference existing documents that address the following: (1) how the IRB is to maintain responsibility for lower-level board activities; and (2) investment selection and prioritization criteria.

    Agency Affected: Department of Homeland Security

 
