This is the accessible text file for GAO report number GAO-07-499T 
entitled 'Homeland Security: US-VISIT Has Not Fully Met Expectations 
and Longstanding Program Management Challenges Need to Be Addressed' 
which was released on February 16, 2007. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 



Before the Subcommittee on Homeland Security, Committee on 
Appropriations, U.S. House of Representatives: 

For Release on Delivery: 

Expected at 10:00 a.m. EST Friday, February 16, 2007: 

Homeland Security: 

US-VISIT Has Not Fully Met Expectations and Longstanding Program 
Management Challenges Need to Be Addressed: 

Statement of: 

Randolph C. Hite, Director: 
Information Technology Architecture and Systems Issues: 

Richard M. Stana, Director: 
Homeland Security and Justice Issues: 


GAO Highlights: 

Highlights of GAO-07-499T, a report to the Subcommittee on Homeland 
Security, Committee on Appropriations, U.S. House of Representatives 

Why GAO Did This Study: 

The Department of Homeland Security (DHS) is investing billions of 
dollars in its U.S. Visitor and Immigrant Status Indicator Technology 
(US VISIT) program to collect, maintain, and share information on 
selected foreign nationals who enter and exit the United States. The 
program uses biometric identifiers (digital fingerscans and 
photographs) to screen people against watch lists and to verify that a 
visitor is the person who was issued a visa or other travel document. 
The program is also to biometrically confirm the individual’s 
departure. For over 3 years, GAO has reported on US-VISIT capability 
deployments and shortfalls, as well as fundamental limitations in DHS’s 
efforts to define and justify US VISIT’s future direction and to cost-
effectively manage the delivery of program capabilities on time and 
within budget. 

GAO was asked to testify on (1) the status of the program’s 
implementation and (2) the program’s progress in addressing 
longstanding management weaknesses. Given where US-VISIT is today and 
the challenges and uncertainties associated with where it is going, GAO 
believes that DHS is long overdue in demonstrating that it is pursuing 
the right US-VISIT solution and that it is managing US-VISIT the right 

What GAO Found: 

After spending almost 4 years and more than $1 billion, DHS has 
implemented entry capabilities at most ports of entry; however, it has 
not implemented a biometric exit capability or a suitable alternative. 
As of December 2006, US VISIT had deployed and was operating entry 
capability at 115 airports, 14 seaports, and 154 of 170 land ports of 
entry. However, the implementation of a biometric land exit capability 
is currently not feasible, according to program officials, because the 
only proven technology available would require additional staffing and 
infrastructure demands, and cause delays with potential impacts on 
trade and commerce. Also, testing and analysis of a non biometric 
solution identified numerous performance and reliability problems, and 
such an alternative technology does not meet legislative requirements. 
DHS believes that advances over the next 5 to 10 years will allow 
solutions that do not require major infrastructure changes, but the 
prospects for such technology are uncertain. 

DHS continues to face longstanding US-VISIT management challenges and 
future uncertainties. 
* For almost 4 years, DHS has continued to pursue US-VISIT without 
producing the program’s operational and technological context. 
According to program officials, an immigration and border management 
strategic plan was drafted in March 2005 to show how US-VISIT is 
aligned with DHS’s organizational mission and to define an overall 
immigration and border management vision. After almost 2 years, this 
plan has not yet been approved, but the Acting Director said that it is 
currently with OMB for approval. At the same time, DHS has launched 
other major security programs without defining the relationship between 
US-VISIT and these programs. 
* DHS has yet to economically justify its investment in US-VISIT 
increments or assess their operational impacts. For over 3 years, we 
reported that the program did not adequately assess the increment’s 
costs and benefits because the assessments were unclear and 
insufficient, and the cost estimates upon which they were based did not 
meet key criteria for reliable cost estimating. GAO further reported 
that the program had not assessed the impact of the entry and exit 
capabilities on operations and facilities, in part, because the scope 
of the evaluations performed were too limited. 
* DHS has not implemented key acquisition and financial management 
controls. For example, GAO reported that the program had not 
effectively overseen contract work performed on its behalf by other DHS 
and non-DHS agencies, and these agencies did not always establish and 
implement effective contract oversight activities. 

Without these management controls, there is greater risk that US-VISIT 
will not produce the right solution, and be managed the right way. 
Accordingly, GAO has made numerous recommendations to address these 
management challenges. 


To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Randy Hite at (202) 512-
3439 or, or Rich Stana at (202) 512-8777 or 

[End of section] 

Mr. Chairman and Members of the Subcommittee, 

We appreciate the opportunity to participate in the Subcommittee's 
hearing on the United States Visitor and Immigrant Status Indicator 
Technology (US-VISIT). US-VISIT is multibillion-dollar program of the 
Department of Homeland Security (DHS) that is intended to achieve a 
daunting set of goals: to enhance the security of our citizens and 
visitors and ensure the integrity of the U.S. immigration system while 
facilitating legitimate trade and travel and protecting individuals' 
privacy. To achieve these goals, US-VISIT is to record selected 
travelers'[Footnote 1] entry and exit to and from the United States at 
over 300 ports of entry (POEs) around the country, verify their 
identity, and determine their compliance with the terms of their 
admission and stay. 

Since fiscal year 2002, the House and Senate Appropriations Committees 
have provided valuable oversight and direction for US-VISIT as the 
Congress directed DHS to submit annual expenditure plans that had to 
meet certain conditions, and directed GAO to review these plans. Our 
reviews have produced five reports, including the latest on the fiscal 
year 2006 expenditure plan,[Footnote 2] which we issued earlier this 
week. These reports and our recent reports to the House Committee on 
Homeland Security on US-VISIT contract and financial 
management[Footnote 3] and US-VISIT operations at land POEs[Footnote 4] 
have identified fundamental challenges that the DHS continues to face 
in meeting program expectations (i.e., delivering program capabilities 
and benefits on time and within cost). In light of these challenges, we 
continue to believe that the program carries an appreciable level of 
risk and must be managed effectively if it is to be successful. 

Our testimony today draws on this body of completed work to provide a 
snapshot of what US-VISIT capabilities have and have not been 
delivered, what work has recently begun to enhance already delivered 
capabilities, and the range of longstanding challenges that hamper DHS 
efforts to establish and live up to program expectations and 
commitments. All the work on which this testimony is based was 
performed in accordance with generally accepted government auditing 

In summary, after spending almost 4 years and more than $1 billion, DHS 
is operating US-VISIT entry capabilities at most POEs, has conducted 
various exit demonstration projects at a small number of POEs, and has 
begun to work to move from 2 to10 fingerprint biometric capabilities 
and expand electronic information sharing with stakeholders. Of 
particular note is the fact that a US-VISIT biometric-based entry 
screening capability is operating at 115 airports, 14 seaports, and 154 
land POEs. However, a biometric exit capability is not. According to 
program officials, this is due to a number of factors. For example, at 
this time the only proven technology available for biometric land exit 
verification would necessitate mirroring the processes currently in use 
for entry at these POEs, which would create costly staffing demands and 
infrastructure requirements, and introduce potential trade, commerce, 
and environmental impacts. Further, a pilot project to examine an 
alternative technology at land POEs did not produce a viable solution. 

Where US-VISIT stands today owes largely to the manner in which it has 
been managed. In this regard, we have reported a range of program 
management weaknesses related to ensuring that the program, as defined, 
is the right thing to do and that it is done the right way. To be the 
right thing to do, the program needs to fit properly within DHS's 
strategic plans and related operational and technology blueprints, and 
it needs to produce benefits in excess of costs over its useful life. 
Relatedly, program impacts and options need to be considered and 
addressed. To be done the right way, critical acquisition management 
processes need to be established and followed to ensure that program 
capabilities and expected mission outcomes are delivered on time and 
within budget. These processes include effective project planning, 
requirements management, contract tracking and oversight, test 
management, and financial management. As we have reported for several 
years, DHS has yet to adequately do these things. While program 
officials have stated that all the areas are being addressed, progress 
has been slow. Given that significant enhancements to existing program 
capabilities are envisioned and underway, it is critical for the 
department to expeditiously address the management challenges and 
weaknesses that we have identified. Until it does, the risk of US-VISIT 
continuing to fall short of expectations is increased. 


US-VISIT is a governmentwide program intended to enhance the security 
of U.S. citizens and visitors, facilitate legitimate travel and trade, 
ensure the integrity of the U.S. immigration system, and protect the 
privacy of our visitors. To achieve its goals, US-VISIT is to collect, 
maintain, and share information on certain foreign nationals who enter 
and exit the United States; detect fraudulent travel documents, verify 
traveler identity, and determine traveler admissibility through the use 
of biometrics; facilitate information sharing and coordination within 
the immigration and border management community; and identify foreign 
nationals who (1) have overstayed or violated the terms of their 
admission; (2) may be eligible to receive, extend, or adjust their 
immigration status; or (3) should be apprehended or detained by law 
enforcement officials. The scope of the program includes the pre-entry, 
entry, status, and exit of hundreds of millions of foreign national 
travelers who enter and leave the United States at over 300 air, sea, 
and land POEs, as well as analytical capabilities spanning this overall 

Management and Implementation of US-VISIT: 

The US-VISIT program office has responsibility for managing the 
acquisition, deployment, operation, and sustainment of US-VISIT. Until 
recently, the US-VISIT Director (currently Acting Director) reported 
directly to the Deputy Secretary for Homeland Security. However, as of 
March 31, 2007, the program office will report to the newly established 
Under Secretary for the National Protection and Programs Directorate. 

Since 2003, DHS has planned to deliver US-VISIT capability in four 
increments: Increment 1 (air and sea entry and exit), Increment 2 (air, 
sea, and land entry and exit), Increment 3 (land entry), and Increment 
4, which is to define, design, build, and implement more strategic 
program capability, and which program officials stated will consist of 
a series of incremental releases or mission capability enhancements 
that will support business outcomes. In Increments 1 through 3, the 
program has built interfaces among existing ("legacy") systems, 
enhanced the capabilities of these systems, and deployed these 
capabilities to air, sea, and land POEs. These first three increments 
have been largely acquired and implemented through existing system 
contracts and task orders. 

Through fiscal year 2007, about $1.7 billion has been appropriated for 
the US-VISIT program. About $162 million of the $362 million 
appropriated in fiscal year 2007 funds has been released to the 
program. The remaining $200 million is pending the submission of an 
expenditure plan to the House and Senate Appropriations Committees. The 
department has requested $462 million in fiscal year 2008 for the 

According to program officials, as of January 31, 2007, almost $1.3 
billion has been obligated to acquire, develop, deploy, enhance, 
operate, and maintain US-VISIT entry capabilities, and to test and 
evaluate exit capability options.[Footnote 5] 

Overview of Ports of Entry: 

The United States shares over 7,500 miles of land border with Canada 
and Mexico. Customs and Border Protection (CBP) operates 170 land POEs 
on the northern border with Canada and the southwest border with 
Mexico.[Footnote 6] These POEs are diverse in nature, with some 
operating in urban areas, such as Detroit, Michigan, and others 
operating in remote areas such as the northern plains in Montana or 
along the southwest border. Taken together, land POEs process the 
largest number of visitors to the United States each year (about 79 
percent of about 425 million total border crossings during fiscal year 
2004) and process fewer visitors subject to US-VISIT than other POEs 
(about 11 percent of about 42 million border crossings processed via US-
VISIT during fiscal year 2004). The volume of visitor traffic at land 
POEs in fiscal year 2005 varies widely, with the busiest four land POEs 
identified by CBP being San Ysidro, Calexico, and Otay Mesa, 
California, and Bridge of the Americas in El Paso, Texas. 

US-VISIT Operations and Processing at Ports of Entry: 

In many cases, the US-VISIT process begins overseas at U.S. consular 
offices where biometric information is collected from visa applicants 
and checked against a database of known criminals and suspected 
terrorists. When a visitor arrives at a U.S. POE, the biometric 
information is used to verify that the visitor is the person who was 
issued the visa or other travel documents. Ultimately, visitors are to 
confirm their departure from the United States by having their visas or 
passports scanned and undergoing fingerscanning. (Currently, at a few 
pilot sites, departing visitors are asked to undergo these exit 
procedures.) The exit confirmation is added to the visitor's travel 
records to demonstrate compliance with the terms of admission to the 
United States. 

However, most land border crossers--including U.S. citizens, lawful 
permanent residents, and most Canadian and Mexican citizens--are, by 
statute or implementing regulation, not required to enroll into US- 
VISIT.[Footnote 7] In fiscal year 2004, for example, U.S. citizens and 
lawful permanent residents comprised about 57 percent of land border 
crossers; Canadian and Mexican citizens comprised about 41 percent; and 
less than 2 percent were US-VISIT enrollees. Figure 1 shows the number 
and percent of persons processed under US-VISIT as a percentage of all 
border crossings at land, air, and sea POEs in fiscal year 2004. 

Figure 1: Persons Processed Under US-VISIT as a Percentage of All 
Border Crossings at Land, Air, and Sea Ports of Entry, Fiscal Year 

[See PDF for image] 

Source: GAO analysis of DHS data. 

Note: Persons processed by US-VISIT may include foreign nationals who 
were also issued an I-94 valid for multiple entries and who have re- 
entered multiple times. I-94s are used to record a foreign national's 
entry into the United States. Total entering the U.S. includes U.S. 
citizens who may have re-entered the country multiple times and foreign 
nationals, including those not issued I-94s, such as Canadian citizens 
and Mexicans with BCCs, and those issued multiple entry I-94s who also 
may have re-entered multiple times. U.S. citizens do not fall within 
the statutory scope of US-VISIT and therefore are exempt from US-VISIT 

[End of figure] 

Foreign nationals subject to US-VISIT who intend to enter the country 
encounter different inspection processes depending on their mode of 
travel. Those entering the United States at an air or sea POE are to be 
processed in the primary inspection area upon arrival. Before they 
arrive, these visitors generally are subject to prescreening via 
passenger manifests that are forwarded to CBP by commercial air or sea 
carriers.[Footnote 8] By contrast, foreign nationals entering the 
United States at land POEs are generally not subject to prescreening 
because they arrive in private vehicles or on foot and there is no 
manifest to record their pending arrival. Thus, when foreign nationals 
subject to US-VISIT arrive at a land POE in vehicles, they enter the 
primary inspection area where CBP officers--often located in booths-- 
are to visually inspect travel documents and query the visitors about 
such matters as their place of birth and proposed destination. Visitors 
arriving as pedestrians enter an equivalent primary inspection area, 
generally inside a CBP building. If the CBP officer believes a more 
detailed inspection is needed or if the visitors are required to be 
processed under US-VISIT for the first time,[Footnote 9] the visitors 
are to be referred to the secondary inspection area that is generally 
inside a facility away from the primary inspection area. The secondary 
inspection area generally contains office space, waiting areas, and 
space to process visitors, including US-VISIT enrollees. Equipment used 
for processing includes a computer, printer, digital camera, and a two- 
fingerprint scanner. 

DHS Has Delivered Some, But Not All, US-VISIT Capabilities: 

Under law, DHS was to create an electronic entry and exit system to 
screen and monitor the stay of foreign nationals who enter and leave 
the United States and implement the system at (1) air and sea POEs by 
December 31, 2003, (2) the 50 highest-volume land POEs by December 31, 
2004, and (3) the remaining POEs by December 31, 2005.[Footnote 10] In 
developing the system, DHS was to focus particularly on the use of 
biometric technology[Footnote 11] and was also to collect biometric 
data upon entry and exit for all individuals, who are required to be 
processed through US-VISIT.[Footnote 12] However, after almost 4 years 
and more than $1 billion, DHS has implemented entry capabilities at 
most POEs but has not implemented exit capabilities. According to 
program officials, several factors have affected the program's ability 
to develop, implement, and deploy a biometric exit capability. 

US-VISIT Entry Capabilities Are Operating at Most Ports of Entry and 
Have Prevented Some from Entering Illegally: 

The program office has largely met its expectations relative to a 
biometric entry capability. For example, on January 5, 2004, it 
deployed and began operating most aspects of its planned biometric 
entry capability at 115 airports and 14 seaports for selected foreign 
nationals, including those from visa waiver countries;[Footnote 13] as 
of December 2006, the program office had deployed and began operating 
this entry capability in the secondary inspection areas of 154 of 170 
land POEs. According to program officials, 14 of the remaining 16 POEs 
have no operational need to deploy US-VISIT because visitors who are 
required to be processed through US-VISIT are, by regulation, not 
authorized to enter into the United States at these locations.[Footnote 
14] The other two POEs do not have entry capability deployed because 
they do not have the necessary transmission lines to operate US-VISIT; 
CBP officers at those sites have continued to process visitors 

To the department's credit, the development and deployment of this 
entry capability was largely in accordance with legislative time lines 
and has occurred during a period of considerable organizational change, 
starting with the creation of DHS from 23 separate agencies in early 
2003, followed by the birth of a US-VISIT program office shortly 
thereafter--which was only about 5 months before the program had to 
meet its first legislative milestone. Compounding these program 
challenges was the fact that the systems that were to be used in 
building and deploying a biometric entry capability were managed and 
operated by a number of the separate agencies that had been merged to 
form the new department, each of which was governed by different 
policies, procedures, and standards. 

Moreover, DHS reports that US-VISIT entry capabilities have produced 
results. According to US-VISIT's Consolidated Weekly Summary Report, as 
of December 28, 2006, there have been more than 5,400 biometric hits in 
primary entry, resulting in more than 1,300 people having adverse 
actions, such as denial of entry, taken against them. According to the 
report, about 4,100 of these hits occurred at air and sea ports of 
entry and over 1,300 at land ports of entry. Further, the report 
indicates that more than 1,800 biometric hits have been referred to 
DHS's immigration enforcement unit, resulting in 293 arrests. We did 
not verify the information in the consolidated report. 

Another potential consequence, although difficult to demonstrate, is 
the deterrent effect of having an operational entry capability. 
Although deterrence is not an expressly stated goal of the program, 
officials have cited it as a potential byproduct of having a publicized 
capability at the border to screen entry on the basis of identity 
verification and matching against watch lists of known and suspected 
terrorists. Accordingly, the deterrent potential of the knowledge that 
unwanted entry may be thwarted and the perpetrators caught is arguably 
a layer of security that should not be overlooked. 

Despite these results, US-VISIT's entry capability at land POEs has not 
been without operational and system performance problems. During recent 
visits to land POEs, we identified some space constraints and other 
capacity issues. For example, at the Nogales-Morley Gate POE in 
Arizona, where up to 6,000 visitors are processed daily (and up to 
10,000 on holidays), equipment was installed[Footnote 15] but not used 
because of CBP concerns about its ability to carry out the US-VISIT 
process in a constrained space while thousands of other people not 
subject to US-VISIT are processed through the facility daily.[Footnote 
16] Thus, visitors that are to be processed into US-VISIT from Morley 
Gate are directed to return to Mexico (a few feet away) and to walk 
approximately 100 yards to the Nogales-DeConcini POE facility, which 
has the capability to handle secondary inspections of this kind. In 
addition, we found that POEs had experienced system downtime associated 
with US-VISIT. In particular, 12 of the 21 land POEs that we visited 
stated that they had experienced computer-processing problems that had 
an impact on processing times and traveler delays. In June 2006, a CBP 
data center official confirmed that POEs had experienced slowdowns 
associated with certain US-VISIT data queries.[Footnote 17] The CBP 
official also told us that these computer processing problems have 
since been identified and resolved, and that performance had greatly 
improved. We did not verify whether the actions taken fully resolved 
these problems. 

US-VISIT Is Unable to Implement a Biometric Exit Capability at Land 
Ports of Entry Due to Several Constraints and Testing of Non-biometric 
Exit Solution Has Identified Performance Problems: 

Several logistical, infrastructure, cost, and technological constraints 
have precluded DHS from implementing a biometric exit capability at 
land POEs. According to program officials, the major constraint at this 
time is that the only proven technology available to biometrically 
verify individuals upon exit at land POEs would necessitate mirroring 
the processes currently in use for entry. Such a process would require 
CBP officers to perform the same processes as for entry, including 
examining the travel documents of those leaving the country, taking 
fingerprints, comparing visitors' facial features to photographs, and, 
if questions about identity arise, directing the departing visitor to 
secondary inspection for additional questioning. The program office 
concluded in January 2005 that a mirror image solution was "an 
infeasible alternative for numerous reasons, including but not limited 
to, the additional staffing demands, new infrastructure requirements, 
and potential trade and commerce impacts."[Footnote 18] 

More specifically, program officials told us that implementing such a 
solution could result in delays at land POEs with a heavy daily volume 
of visitors, and would require both additional lanes for exiting 
vehicles and additional inspection booths and staff (though they had 
not determined precisely how many). It is unclear how new vehicle lanes 
and new facilities could be built at land POEs where space constraints 
already exist, such as those in congested urban areas. For example, San 
Ysidro, California, currently has 24 entry lanes, each with its own 
staffed booth, and 6 unstaffed exit lanes. Thus, if full biometric exit 
capability were implemented using a mirror image approach, San Ysidro's 
current capacity of 6 exit lanes would have to be expanded to 24 exit 
lanes. As shown in the following photo and confirmed during our site 
visit to the San Ysidro POE, the facility is surrounded by dense urban 
infrastructure, leaving little, if any, room to expand in place. Some 
of the 24 entry lanes for vehicle traffic heading north from Mexico 
into the United States appear in the bottom left portion of the 
photograph, where vehicles are shown waiting to approach primary 
inspection at the facility; the six exit lanes (traffic towards 
Mexico), which do not have fixed inspection facilities, are at the 
upper left. 

Figure 2: Aerial View of San Ysidro, California, POE: 

[See PDF for image] 

Source: GAO. 

[End of figure] 

Other POE facilities are similarly spatially constrained. For example, 
the Nogales-DeConcini, Arizona facility is bordered by railroad tracks, 
a parking lot, and industrial or commercial buildings. Further, CBP has 
identified space constraints at selected rural POEs, such as the 
Thousand Islands Bridge POE at Alexandria Bay, New York, which is 
situated in what POE officials described as a "geological bowl," with 
tall rock outcroppings potentially hindering the ability to expand 
facilities at the current location. Officials told us that in order to 
accommodate existing and anticipated traffic volume upon entry, they 
are in the early stages of planning to build an entirely new POE on a 
hill about a half-mile south of the present facility. 

DHS also identified the cost of implementing a biometric exit 
capability as a constraint. In 2003, the program office estimated that 
it would cost approximately $3 billion to implement US-VISIT entry and 
exit capability at land POEs where US-VISIT was likely to be installed, 
and that such an effort would have a major impact on facility 
infrastructure at land POEs. We did not assess the reliability of the 
2003 estimate, but would note that while the estimate did not 
separately break out costs for entry and exit construction, it did 
factor in the cost for building additional exit vehicle lanes and 
booths as well as buildings and other infrastructure that would be 
required to accommodate a mirror image of entry capabilities. Program 
officials told us that they did not move ahead with this option. No 
subsequent cost estimate updates had been prepared, and DHS's annual 
budget requests have not included funds to build the infrastructure 
that would be associated with the required facilities. 

In light of these various constraints, the program office has tested 
nonbiometric technology to record travelers' departure, but testing 
showed numerous performance and reliability problems. Because there is 
at present no biometric technology that can be used to verify a 
traveler's exit from the country at land POEs without also making major 
and costly changes to POE infrastructure and facilities, the program 
office tested radio frequency identification (RFID) technology as a 
nonbiometric means of recording visitors as they exit. RFID technology 
can be used to electronically identify and gather information contained 
on a tag--in this case, a unique identifying number embedded in a tag 
on a visitor's arrival/departure form--which an electronic reader at 
the POE is to detect. 

While RFID technology required few facility and infrastructure changes, 
testing and analysis at five land POEs at the northern and southern 
borders identified numerous performance and reliability problems, such 
as the failure of RFID readers to detect a majority of travelers' tags 
during testing. For example, the program office reported that of 166 
vehicles tested during a one-week period at the Blaine-Pacific Highway, 
readers correctly identified 14 percent--a sizable departure from the 
target read rate of 70 percent.[Footnote 19] 

Another problem that arose were "cross-reads," in which multiple RFID 
readers installed on poles or structures over roads, called gantries, 
picked up information from the same visitor, regardless of whether the 
individual was entering or exiting in a vehicle or on foot. Thus, cross-
reads resulted in inaccurate record-keeping. According to a January 
2006 corrective-action report, remedying cross-reads would require 
changes to equipment and infrastructure on a case-by-case basis at each 
POE, because each has a different physical configuration of buildings, 
roadways, roofs, gantries, poles, and other surfaces against which the 
signals can bounce and cause cross-reads. Each would therefore require 
a different physical solution to avoid the signal interference that 
triggers cross-reads. Although cost estimates or time lines for such 
alterations to facilities and equipment have not been developed, it is 
possible that having to alter each POE's physical configuration in some 
regard and then test each separately to ensure that cross-reads had 
been eliminated would be both time consuming and potentially costly. 

Moreover, even if RFID deficiencies were to be fully addressed and 
deadlines set, the RFID solution does not meet the legislative 
requirement for a biometric exit capability. By design, an RFID tag 
embedded in an I-94 arrival/departure form cannot provide the biometric 
identity-matching capability that is envisioned as part of a 
comprehensive entry/exit border security system that uses biometric 
identifiers for tracking overstays and others entering, exiting, and re-
entering the country. That is, the RFID tag in the I-94 form cannot be 
physically tied to an individual. This situation means that while a 
document may be detected as leaving the country, the person to whom it 
was issued at time of entry may be somewhere else. Thus, the technology 
that had been tested cannot meet a key program goal--ensuring that 
visitors who enter the country are the same ones who leave. 

According to program officials, technological advances over the next 5 
to 10 years will make it possible to utilize alternative technologies 
that provide biometric verification of persons exiting the country 
without major changes to facility infrastructure and without requiring 
those exiting to stop and/or exit their vehicles, thereby mitigating 
traffic backup, congestion, and resulting delays. Further, the program 
reports that although limitations in technology currently preclude the 
use of biometric identification because visitors would have to be 
stopped, the prospect of the as-yet-undeveloped biometric verification 
technology supports the long-term US-VISIT vision.[Footnote 20] 
However, according to program officials, no such technology or device 
currently exists that would not have a major impact on facilities. The 
prospects for its development, manufacture, deployment and reliable 
utilization are thus uncertain, although a prototype device that would 
permit a fingerprint to be read remotely without requiring the visitor 
to come to a full stop is under development. 

By law, DHS was to have reported to Congress by June 2005 on how the 
agency intended to fully implement a biometric entry/exit program. 
According to statute, this plan is to include, among other things, a 
description of the manner in which the program meets the goals of a 
comprehensive entry and exit screening system--including both biometric 
entry and exit--and fulfills statutory obligations imposed on the 
program by several laws enacted between 1996 and 2002.[Footnote 21] 
According to program officials, as of February 2007, this plan has been 
forwarded to the Office of Management and Budget (OMB) for review. 
Until such a plan is finalized and issued, DHS is not able to 
articulate how entry/exit concepts--including any interim nonbiometric 
solutions--will fit together, and is not positioned to identify, 
prioritize, and allocate resources for an exit capability or 
effectively plan for the program's future. Further, given the absence 
of a comprehensive entry and exit system, questions remain about what 
meaningful data may be available to other DHS components, such as 
Immigration and Customs Enforcement, to ensure that DHS can, from an 
interior enforcement perspective, identify and remove foreign nationals 
covered by US-VISIT who may have overstayed their visas. We discuss 
this point further in the following section. 

DHS Continues to Face Longstanding US-VISIT Management Challenges and 
Future Uncertainties: 

Our work and other best practice research have shown that applying 
disciplined and rigorous management practices improves the likelihood 
of delivering expected capabilities on time and within budget. Such 
practices and processes include determining how the program fits within 
the larger context of an agency's strategic plans and related 
operational and technology environments, whether the program will 
produce benefits in excess of costs over its useful life, and whether 
program impacts and options are being fully identified, considered, and 
addressed. To further ensure that programs are managed effectively, it 
is important that they be executed in accordance with acquisition and 
financial management requirements and best practices, and that progress 
against program commitments is defined and measured so that program 
officials can be held accountable for results. 

For almost 4 years, we have reported on fundamental limitations in 
DHS's efforts to define and justify the program's future direction and 
to cost-effectively manage the delivery of promised capabilities on 
time and within budget. To a large degree, what is operating and what 
is not operating today, and what future program changes are underway 
and yet to be defined, are affected by these limitations. DHS needs to 
address these challenges going forward, and the recommendations that we 
made over the last 3 years are aimed at encouraging this. Until these 
recommendations are fully implemented, the program will be at greater 
risk of not optimally meeting mission needs and falling short of 
meeting expectations. 

DHS Has Not Defined and Developed US-VISIT Within a DHS-wide 
Operational and Technological Context: 

As we previously reported, agency programs need to properly fit within 
a common strategic context or frame of reference governing key aspects 
of program operations (such as who is to perform what functions, when 
and where they are to be performed, what information is to be used to 
perform them, and what rules and standards will govern the use of 
technology to support them).[Footnote 22] Without a clear operational 
context to guide and constrain both US-VISIT and other border security 
and immigration enforcement initiatives, DHS risks investing in 
programs and systems that are duplicative, are not interoperable, and 
do not optimize enterprisewide mission operations and produce intended 

For almost 4 years, DHS has continued to pursue US-VISIT (both in terms 
of deploying interfaces between and enhancements to existing systems 
and in defining a longer-term, strategic US-VISIT solution) without 
producing the program's operational context. In September 2003, we 
reported that DHS had not defined key aspects of the larger homeland 
security environment in which US-VISIT would need to operate. In the 
absence of a DHS-wide operational and technological context, program 
officials were making assumptions about certain policy and standards 
decisions that had not been made, such as whether official travel 
documents would be required for all persons who enter and exit the 
country--including U.S. and Canadian citizens--and how many 
fingerprints would be collected for biometric comparisons. We further 
reported that if the program office's assumptions and decisions turned 
out to be inconsistent with subsequent policy or standards decisions, 
it would require US-VISIT rework. 

According to the program's Chief Strategist, an immigration and border 
management strategic plan was drafted in March 2005 to show how US- 
VISIT is aligned with DHS's organizational mission and to define an 
overall vision for immigration and border management. According to this 
official, the vision provides for an immigration and border management 
enterprise that unifies multiple departmental and external stakeholders 
around common objectives, strategies, processes, and infrastructures. 
As of February 2007, about 2 years later, we were told that this 
strategic plan has not yet been approved, although the program's Acting 
Director stated that the plan is currently with OMB and should be 
provided to the House and Senate Appropriations Subcommittees on 
Homeland Security by March 2007. 

However, at the same time, US-VISIT has not taken steps to ensure that 
the direction that it is taking is both operationally and 
technologically aligned with DHS's enterprise architecture (EA). As the 
report that we issued this week states, the DHS Enterprise Architecture 
Board, which is the DHS entity that determines EA compliance, has not 
reviewed the US-VISIT architecture compliance for more than 2 years. 
However, since August 2004, both US-VISIT and the EA have changed. For 
example, additional functionality, such as the interoperability of US- 
VISIT's Automated Biometric Information System (IDENT) and the 
Department of Justice's Integrated Automated Fingerprint Identification 
System (IAFIS), and the expansion of IDENT to collect ten rather than 
two fingerprints, has been added. Also, two versions of the DHS EA have 
been issued since August 2004. 

While the strategic plan has not been approved or disseminated, the 
program office has developed a strategic vision and blueprint and begun 
to implement it. According to program officials, this future vision is 
to be delivered through a number of planned mission capability 
enhancements. Of these, the first enhancement is underway and is to 
provide several new capabilities, including what the program refers to 
as "Unique Identity," which is to include the migration from the 2- 
fingerprint to 10-fingerprint collection at program enrollment. It is 
also to interoperate US-VISIT's IDENT system and the Department of 
Justice's IAFIS system. Currently, the US-VISIT officials plan to 
complete Unique Identity in several phases and have it fully 
operational by December 2009, although these plans have not yet 
approved by DHS. 

At this same time, DHS has launched other major border security 
programs without adequately defining the relationships to US-VISIT and 
each other. For example, the Intelligence Reform and Terrorism 
Prevention Act of 2004 directs DHS and the Department of State to 
develop and implement a plan, no later than June 2009, that requires 
U.S. citizens and foreign nationals of Canada, Bermuda, and Mexico to 
present a passport or other document or combination of documents deemed 
sufficient to show identity and citizenship to enter the United States 
(this is currently not a requirement for these individuals entering the 
United States via sea and land POEs from most countries within the 
western hemisphere).[Footnote 23] This effort, known as the Western 
Hemisphere Travel Initiative, was first announced in 2005. In May 2006, 
we reported that DHS and the Department of State had taken some steps 
to carry out the initiative, but they had a long way to go to implement 
their proposed plans.[Footnote 24] Among other things, key decisions 
had yet to be made about what documents other than a passport would be 
acceptable when U.S. citizens and citizens of Canada enter or return to 
the United States. Further, while DHS and Department of State had 
proposed an alternative form of passport, called a PASS card, that 
would rely on RFID technology to help DHS process U.S. citizens re- 
entering the country, DHS had not made decisions involving a broad set 
of considerations that include (1) utilizing security features to 
protect personal information, (2) ensuring that proper equipment and 
facilities are in place to facilitate crossings at land borders, and 
(3) enhancing compatibility with other border crossing technology 
already in use. 

DHS has also initiated another border security program, known as the 
Secure Border Initiative (SBI)--a multi-year program to secure the 
borders and reduce illegal immigration by installing state-of-the-art 
surveillance technologies along the border, increasing border security 
personnel, and ensuring information access to DHS personnel at and 
between POEs. Under SBI and its component, called SBInet, DHS plans to 
integrate personnel, infrastructures, technologies, and rapid response 
capability into a comprehensive border protection capability. DHS 
reports that, among other things, SBInet is to encompass both the 
northern and southern land borders, including the Great Lakes, under a 
unified border control strategy whereby CBP is to focus on the 
interdiction of cross-border violations between and at the land POEs, 
funneling traffic to the land POEs. As part of SBI, DHS also plans to 
focus on interior enforcement--disrupting and dismantling cross-border 
crime into the interior of the United States while locating and 
removing aliens who are present in the United States in violation of 
law. However, it is unclear how SBInet will be linked, if at all, to US-
VISIT so that the two can share technology, infrastructure, and data. 

Clearly defining the dependencies among US-VISIT and programs like the 
Western Hemisphere Travel Initiative and SBI is important because there 
is commonality among their strategic goals and operational 
environments. For example, both US-VISIT and SBI share the goal of 
securing the POEs. Moreover, there is overlap in the data that each is 
to produce and use. For example, both US-VISIT and the Western 
Hemisphere Travel Initiative will require identification data for 
travelers at POEs. 

Despite these dependencies, DHS has yet to define these relationships 
or how they will be managed. Further, according to a March 6, 2006 memo 
from the DHS Joint Requirements Council, the US-VISIT strategic plan 
did not provide evidence of sufficient coordination between the program 
and the other entities involved in border security and immigration 
efforts. The council's recommendation was that the strategic plan not 
be approved until greater coordination between US-VISIT and other 
components was addressed. 

According to the Acting Program Director, a number of efforts are 
underway to coordinate with other entities, such as with CBP on RFID, 
with the Coast Guard on development of a mobile biometric reader, and 
with State on standards for document readers. Without a clear, 
complete, transparent, and understood definition of how related 
programs and initiatives are to interact, US-VISIT and other border 
security and immigration enforcement programs run the risk of being 
defined and implemented in a way that does not optimize DHS-wide 
performance and results. 

DHS Has Not Economically Justified US-VISIT Increments or Assessed 
Their Operational Impacts: 

The decision to invest in any system or capability should be based on 
reliable analyses of return on investment. That is, an agency should 
have reasonable assurance that a proposed program will produce mission 
value commensurate with expected costs and risks. According to OMB 
guidance, individual increments of major systems should be individually 
supported by analyses of benefits, cost, and risk. Thus far, DHS has 
yet to develop an adequate basis for knowing whether its incrementally 
deployed US-VISIT capabilities represent a good return on investment, 
particularly in light of shortfalls in DHS's assessments of the 
program's operational impacts, including costs of proposed 
capabilities. Without this knowledge, DHS will not know until after the 
fact whether it is investing wisely or pursuing cost-effective and 
affordable solutions. 

DHS Did Not Economically Justify Its Proposed Incremental Investments: 

US-VISIT had not assessed the cost and benefits of its early 
increments. For example, we reported in September 2003 that it had not 
assessed the costs and benefits of Increment 1. Again, in February 
2005, we reported that although the program office developed a cost- 
benefit analysis for its land entry capability, it had not justified 
the investment because the treatment of both benefits and costs were 
unclear and insufficient. Further, we reported that the cost estimates 
on which the cost-benefit analysis was based were of questionable 
reliability because effective cost-estimating practices were not 
followed. Most recently, in February 2006, we reported again that the 
program office had not justified its investment in its air and sea exit 
capability. For example, we reported that while the cost-benefit 
analysis explained why the investment was needed, and considered at 
least two alternatives to the status quo, which is consistent with OMB 
guidance for cost-benefit analyses, it did not include a complete 
uncertainty analysis for the three exit alternatives evaluated. 
Specifically, it did not include a sensitivity analysis[Footnote 25] 
for the three alternatives, which is a major part of an uncertainty 
analysis. A complete analysis of uncertainty is important because it 
provides decision makers with a perspective on the potential 
variability of the cost and benefit estimates should the facts, 
circumstances, and assumptions change. Further, the cost estimate upon 
which the analysis was based did not meet key criteria for reliable 
cost estimating. For example, it did not include a detailed work 
breakdown structure, which serves to organize and define the work to be 
performed so that associated costs can be identified and estimated. 

Further, as we state in the report that we issued earlier this week, 
DHS has devoted considerable time and resources toward establishing an 
operational exit capability at land, air, and sea POEs. For example, 
over the last 4 years, DHS has committed over $160 million to evaluate 
and operate exit pilots at selected air, sea, and land POEs. 
Notwithstanding this considerable investment of time and resources, the 
US-VISIT program still does not have either an operational exit 
capability or a viable exit solution to deploy to all air, sea, and 
land POEs. 

Moreover, US-VISIT exit pilot reports have raised concerns and 
limitations. For example, as we previously stated, land exit pilot 
experienced several performance problems, such as the failure of RFID 
readers to detect a majority of travelers' tags during testing and 
cross-reads, in which multiple RFID readers installed on poles or 
structures over roads, called gantries, picked up information from the 
same visitor. 

Notwithstanding these results, we reported earlier this week that the 
program office planned to invest another $33.5 million to continue its 
air and sea exit pilots. However, neither the fiscal year 2006 
expenditure plan nor other exit-related program documentation 
adequately defined what these efforts entail or what they will 
accomplish. In particular, the plan and other exit-related 
documentation merely state that $33.5 million will be used to continue 
air and sea exit pilots while a comprehensive exit solution is 
developed. They do not adequately describe measurable outcomes 
(benefits and results) from the pilot efforts, or related cost, 
schedule, and capability commitments that will be met. Further, the 
plan does not recognize the challenges revealed from the prior exit 
efforts, nor does it show how proposed exit investments address these 
challenges. In addition, the plan allocates more funding for continuing 
the air and sea exit pilots ($33.5 million) than the prior year's plan 
said would be needed to fully deploy an operational air and sea exit 
solution ($32 million). According to program officials, the air and sea 
exit pilots are being continued to maintain a presence intended to 
provide a deterrent effect at exit locations, and to gather additional 
data that could help support planning for a comprehensive exit 

Moreover, US-VISIT reported in August 2006 that it planned to spend an 
additional $21.5 million to continue its land exit demonstration 
project without adequate justification. However, we reported earlier 
this week that these plans lacked adequate justification in light of 
the problems we discussed earlier in this statement. Accordingly, 
program officials told us that they intend to terminate the land exit 
project until a comprehensive exit strategy can be developed. They have 
also stated that a small portion of the $21.5 million is to be used to 
close out the demonstration project and have requested that the 
remainder of the money be reprogrammed to support Unique Identity. 

DHS Did Not Adequately Assess the Impact of Entry Capabilities on Land 
Ports of Entry Operations and Planned Capability Enhancements Carry 
Potential Cost Implications: 

Knowing how planned US-VISIT capabilities will impact POE operations is 
critical to US-VISIT investment decision makers. In May 2004, we 
reported that the program had not assessed how deploying entry 
capabilities at land POEs would impact the workforce and facilities. We 
questioned the validity of the program's assumptions and plans 
concerning workforce and facilities, since the program lacked a basis 
for determining whether its assumptions were correct and thus whether 
its plans were adequate. Subsequently, the program office evaluated the 
operational performance of the land entry capability with the stated 
purpose of determining the effectiveness of its performance at the 50 
busiest land POEs. For this evaluation, the program office established 
a baseline for comparing the average time it takes to issue and process 
entry/exit forms at 3 of these 50 POEs, and then conducted two 
evaluations of the processing times at the three POEs, one after the 
entry capability was deployed as a pilot, and another one 3 months 
later, after the entry capability was deployed to all 50 POEs. The 
evaluation results showed that the average processing times decreased 
for all three sites. Program officials concluded that these results 
supported their workforce and facility investment assumptions that no 
additional staff was required to support deployment of the entry 
capability and that minimal modifications were required at the 
facilities.[Footnote 26] 

However, the scope of the evaluations was not sufficient to satisfy the 
evaluations' stated purpose for assessing the full impact of the entry 
capability. For example, the selection of the three sites, according to 
program officials, was based on a number of factors, including whether 
the sites already had sufficient staff to support the pilot. Selecting 
sites based on this factor is problematic because it presupposes that 
all not POEs have the staff needed to support the land entry 
capability. In addition, evaluation conditions were not always held 
constant: specifically, fewer workstations were used to process 
travelers in establishing the baseline processing times at two of the 
POEs than were used during the pilot evaluations. 

Moreover, CBP officials from a land port of entry that was not an 
evaluation site (San Ysidro) told us that US-VISIT deployment had not 
reduced but actually lengthened processing times. (San Ysidro processes 
the highest volume of travelers of all land POEs.) Although these 
officials did not provide specific data to support their statement, 
their perception nevertheless raises questions about the potential 
impact of land entry capabilities on the 47 sites that were not 

Exacerbating this situation is the fact that DHS plans to introduce 
changes and enhancements to US-VISIT at land POEs to verify the 
identity of individuals entering the country, including a transition 
from digitally scanning 2 fingerprints to 10. While such changes are 
intended to further enhance border security, deploying them may have an 
impact on aging and spatially-constrained land POEs facilities because 
they could increase inspection times and adversely affect POEs 
operations. Moreover, the increase from 2 to 10 fingerprints can affect 
the capacity of the systems and communications networks processing 
because of the larger data sets being processed and transmitted (10 vs 
2 fingerprints). This need for increased capacity will in turn affect 
program costs. 

US-VISIT Did Not Adequately Evaluate Exit Capability Impacts on 
Operations at Air and Sea Ports of Entry: 

The impact of planned exit capabilities at air and sea POEs has also 
not been adequately analyzed, and is thus not available to inform 
investment decisions. In February 2005, we reported that the program 
office had not adequately planned for evaluating its exit pilot at air 
and sea POEs because the pilot's evaluation scope and timeline were 
compressed. As a result, the US-VISIT program office extended the pilot 
from 5 to 11 POEs (nine airports and two seaports). Notwithstanding the 
expanded scope of the pilot, the exit alternatives were not 
sufficiently evaluated. Specifically, the program office evaluated 
these alternatives against three criteria,[Footnote 27] including 
compliance with the exit process. According to the exit evaluation plan 
report, the average compliance rate across all three alternatives was 
only 24 percent.[Footnote 28] The evaluation report cited several 
reasons for the low compliance rate, including that compliance during 
the pilot was voluntary. As a result, the evaluation report concluded 
that national deployment of the exit solution will not meet the desired 
compliance rate unless the scope of the exit process is expanded to 
incorporate an enforcement mechanism, such as not allowing persons to 
reenter the United States if they do not comply with the exit process 
or not allowing persons to board a carrier until they are processed by 
an airline or the Transportation Security Administration. As of 
February 2006, program officials had not conducted any formal 
evaluation of enforcement mechanisms or their possible effect on 
compliance and cost, and according to the Acting Program Director, they 
do not plan to do so. 

DHS Has Not Adequately Justified Increases in, and Disclosed the Scope 
and Nature of, Program Management-Related Fiscal Year 2006 

Program management is an important and integral aspect of any system 
acquisition program. The importance of program management, however, 
does not by itself justify any level of investment in such activities. 
Rather, investments in program management capabilities should be viewed 
the same as investments in any program capability, meaning the scope, 
nature, size, and value of the investment should be disclosed and 
justified in relation to the size and significance of the acquisition 
activities being performed. 

As the report that we issued earlier this week states, US-VISIT's 
planned investment in program management-related activities has risen 
steadily over the last 4 years, while planned investment in development 
of new program capabilities has declined. Figure 3 shows the breakdown 
of planned expenditures for US-VISIT fiscal year 2002 through 2006 
expenditure plans. 

Figure 3: US-VISIT Breakdown of Planned Expenditures as a Dollar Amount 
for FY2002 Through FY2006: 

[See PDF for image] 

Source: GAO Analysis Based On US-VISIT Data. 

Note: According to US-VISIT program officials, actual cost information 
for program management and operations cannot be readily provided due to 
limitations in their financial management system. 

[End of figure] 

Specifically, The Fiscal year 2003 expenditure plan provided $30 
million for program management and operations and about $325 million 
for new development efforts, whereas the fiscal year 2006 plan provided 
$126 million for program management-related functions--an increase of 
$96 million--and $93 million for new development. This means that the 
fiscal year 2006 plan proposed expending $33 million more for program 
management and operations than it is for new development. 

The increase in planned program management-related expenditures is more 
pronounced if it is viewed as a percentage of planned development 
expenditures. Figure 4 shows planned US-VISIT expenditures for program 
management and operations as a percentage of development for fiscal 
years 2002 thru 2006. 

Figure 4: US-VISIT Planned Expenditures for Program Management and 
Operations as a Percentage of Development for FY2002 through FY2006: 

[See PDF for Image] 

Source: GAO analysis based on US-VISIT data. 

Note: According to US-VISIT program officials, actual cost information 
for program management and operations cannot be readily provided due to 
limitations in their financial management system.  

Specifically, planned program management-related expenditures 
represented about 9 percent of planned development in fiscal year 2003, 
but represented about 135 percent of fiscal year 2006 development, 
meaning that the fiscal year 2006 expenditure plan proposed spending 
about $1.35 on program management-related activities for each dollar 
spent on developing new US-VISIT capability. 

Moreover, the fiscal year 2006 expenditure plan did not explain the 
reasons for this recent growth or otherwise justify the sizeable 
proposed investment in program management and operations on the basis 
of measurable and expected value. Further, the plan did not adequately 
describe the range of planned program management and operations 

Program officials told us that the DHS Acting Undersecretary for 
Management raised similar concerns about the large amount of program 
management and operations funding in the expenditure plan. In January 
2007, DHS submitted a revised expenditure plan to the House and Senate 
Appropriations Subcommittees on Homeland Security, at the committee's 
direction, to address their concerns. The revised plan allocates some 
program management funds to individual increments and to two new 
categories--program services and data integrity and biometric support, 
and program and project support contractor services. However, the 
revised plan still shows a relatively sizeable portion of proposed 
funding going toward program management-related activities. 

DHS Has Not Fully Implemented Key US-VISIT Acquisition and Financial 
Management Controls: 

Managing major programs like US-VISIT requires applying discipline and 
rigor when acquiring and accounting for systems and services. Our work 
and other best practice research have shown that applying such rigorous 
management practices improves the likelihood of delivering expected 
capabilities on time and within budget. In other words, the quality of 
IT systems and services is largely governed by the quality of the 
management processes involved in acquiring and managing them. Some of 
these processes and practices are embodied in the Software Engineering 
Institute's (SEI) Capability Maturity Models®, which define, among 
other things acquisition process management controls that, if 
implemented effectively, can greatly increase the chances of acquiring 
systems that provide promised capabilities on time and within budget. 
Other practices are captured in OMB guidance, which establishes 
policies for planning, budgeting, acquisition, and management of 
federal capital assets. 

Over the last several years, we have made numerous recommendations 
aimed at strengthening US-VISIT program management controls relative to 
acquisition management, including for example configuration management, 
security and privacy management, earned value management (EVM), and 
contract tracking and oversight. 

The program office has taken steps to lay the foundation for 
establishing several of these controls. For example, the program 
adopted the SEI Capability Maturity Model Integration (CMMI®)[Footnote 
29] to guide its efforts to employ effective acquisition management 
practices, and approved an acquisition management process improvement 
plan dated May 16, 2005. The goal, as stated in the plan, was to 
conduct an independent CMMI assessment in October 2006 to affirm that 
requisite process controls were in place and operating. 

In September 2005, the program office completed an initial assessment 
of 13 key acquisition process areas that revealed a number of 
weaknesses. To begin addressing these weaknesses, the program office 
narrowed the scope of the process improvement activities from 13 to 6 
(project planning, project monitoring and control, requirements 
development and management, configuration management, product and 
process quality assurance, and risk management) of the CMMI process 
areas and revised its process improvement plan in April 2006 to reflect 
these changes. In May 2006, the program conducted a second internal 
assessment of the six key process areas, and according to the results 
of this assessment, improvements were made, but weaknesses remained in 
all six process areas. For example, 

* a number of key acquisition management documents were not adequately 
prepared and processes were not sufficiently defined, including those 
related to systems development, budget and finance, facilities, and 
strategic planning (e.g., product work flow among organizational units 
was unclear and not documented); and: 

* roles, responsibilities, work products, expectations, resources, and 
accountability of external stakeholder organizations were not well- 

Notwithstanding these weaknesses, program officials told us that their 
self-assessments show that they have made incremental progress in 
implementing the 113 practices associated with the six key processes. 
(See figure 5 for US-VISIT's progress in implementing these practices.) 
However, they also recently decided to postpone indefinitely the 
planned October 2006 independent appraisal. Instead, the program 
intends to perform quarterly internal assessments until the results 
show that they can pass an independent appraisal. Further, the program 
has not committed to a revised target date for having an external 

Figure 5: US-VISIT Progress in Implementing Key Acquisition Practices 
from August 2005 to November 2006: 

[See PDF for Image] 

Source: GAO analysis based on US-VISIT data. 

[End of figure] 

The acquisition management weaknesses in the six key process areas are 
exacerbated by weaknesses in other areas. For example, we recently 
reported[Footnote 30] that the US-VISIT contract tracking and oversight 
process suffers from a number of weaknesses. Specifically, we reported 
that the program had not effectively overseen US-VISIT-related contract 
work performed on its behalf by other DHS and non-DHS agencies, and 
these agencies did not always establish and implement the full range of 
controls associated with effective management of contractor activities. 
Further, the program office and other agencies did not implement 
effective financial controls.[Footnote 31] In particular, the program 
office and other agencies managing US-VISIT-related work were unable to 
reliably report the scope of contracting expenditures. In addition, 
some agencies improperly paid and accounted for related invoices, 
including making a duplicate payment and making payments for non-US- 
VISIT services from funds designated for US-VISIT. 

Fully and effectively implementing the above discussed key acquisition 
management and related controls takes considerable time. However, 
considerable time has elapsed since we first recommended establishment 
of these controls and they are not yet operational and it is unclear 
when they will be. Therefore, it is important that these improvement 
efforts stay on track. Until these capabilities are in place, the 
program risks not meeting its stated goals and commitments. 

US-VISIT has not yet implemented other key management practices, such 
as developing and implementing a security plan and employing an EVM 
system to help manage and control program cost and schedule. As we 
previously reported, the program's 2004 security plan generally 
satisfied OMB and the National Institute of Standards and Technology 
security guidance. Further, the fiscal year 2006 expenditure plan 
states that all of the US-VISIT component systems have been certified 
and accredited and given full authority to operate. However, the 2004 
security plan preceded the US-VISIT risk assessment, which was not 
completed until December 2005, and the security plan was not updated to 
reflect this risk assessment. According to program officials, they 
intend to develop a security strategy by the end of 2006 that reflects 
the risk assessment. We have ongoing work for the Senate Committee on 
Homeland Security and Governmental Affairs to review the information 
security controls associated with computer systems and networks 
supporting the US-VISIT program. 

Regarding EVM,[Footnote 32] the program is currently relying on the 
prime contractor's EVM system to manage the prime contractor's progress 
against cost and schedule goals. According to the fiscal year 2006 
expenditure plan, the program office has assessed the prime 
contractor's EVM system against relevant standards. However, in 
reality, this EVM system was self-certified by the prime contractor in 
December 2003 as meeting established standards. OMB requires that 
agencies verify contractor self-certifications. The program office has 
yet to do this, although program officials told us that they plan to 
retain the services of another contractor to perform this validation. 
This needs to be done quickly. Our review of the integrated baseline 
review, which agencies are required by OMB to complete to ensure that 
the EVM program baseline is accurate, showed that it did not address 
key baseline considerations, such as cost and schedule risks. Moreover, 
other US-VISIT contractors have not been required to use EVM, although 
program officials told us that this was to change effective October 1, 

DHS Has Yet to Establish Effective Program Accountability Mechanisms: 

To ensure that programs manage their performance effectively, it is 
important that they define and measure progress against program 
commitments and hold themselves accountable for results. Measurements 
of the operational performance, progress, and results are important to 
reasonably ensure that problems and shortfalls can be addressed and 
resolved in a timely fashion and so that responsible parties can be 
held accountable. 

Thus far, effective performance and accountability mechanisms have yet 
to be fully established for US-VISIT. As we reported,[Footnote 33] CBP 
officials at 12 of 21 land POE sites that we visited told us about US- 
VISIT-related computer slowdowns and freezes that adversely affected 
visitor processing and inspection times at 9 of the 12 sites, but noted 
that these problems were not always reported to CBP's computer help 
desk, as required by CBP guidelines. Although various controls are in 
place to alert US-VISIT and CBP officials to problems as they occur, 
these controls did not alert officials to all problems (they had been 
unaware of the problems we identified before we brought them to their 
attention). These computer processing problems have the potential to 
not only inconvenience travelers because of the increased time needed 
to complete the inspection process, but to compromise security, 
particularly if CBP officers are unable to perform biometric checks-- 
one of the critical reasons US-VISIT was installed at POEs. 

In addition, to permit meaningful program oversight, it is important 
that expenditure plans describe how well DHS is progressing against the 
commitments made in prior expenditure plans. However, US-VISIT's 
expenditure plan for fiscal year 2006 (the fifth expenditure plan) 
continued a longstanding pattern of not describing progress against 
commitments made in previous plans. For example, according to the 
fiscal year 2005 expenditure plan, the prime contractor was to begin 
integrating the long-term Increment 4 strategy into the interim US- 
VISIT system's environment and the overall DHS enterprise architecture, 
and that US-VISIT and the prime contractor would work with the 
stakeholder community to identify opportunities for delivery of long- 
term capabilities under Increment 4. However, the fiscal year 2006 plan 
does not discuss progress or accomplishments relative to these 

Additionally, the expenditure plan committed to begin deploying the 
most effective exit alternative for capturing biometrics at air and sea 
POEs during fiscal year 2005. In contrast, the 2006 expenditure plan 
states that the exit pilots will continue throughout fiscal year 2006 
and does not address whether the fiscal year 2005 schedule deployment 
commitment was met. Also, the fiscal year 2006 expenditure plan did not 
address all performance measures cited in the fiscal year 2005 plan. 
Specifically, the 2005 plan included 11 measures. In contrast, the 2006 
plan listed 7 measures, 4 of which are similar, but not identical to, 
some of the 11 measures in the 2005 plan. This means that several of 
the 2005 plan's measures are not addressed in the 2006 plan. Moreover, 
even in cases of similar performance measures, the fiscal year 2006 
plan does not adequately describe progress in meeting commitments. For 
example, the fiscal year 2005 expenditure plan cited a performance 
measurement of "Pre-entry watch list hits on biometrically enabled visa 
applications." The fiscal year 2006 plan cites the performance measure 
of "Number of biometric watch list hits for visa applicants processed 
at consular offices." According to the latter plan, in fiscal year 2005 
there were 897 such hits; however, neither plan cites a performance 
target against which to gauge progress, assuming that the two 
performance measures mean the same thing. Without such measurements, 
program performance and accountability can suffer. 

In closing, we would emphasize that after a considerable investment of 
time and resources, US-VISIT has met some fairly demanding legislative 
requirements for deployment of entry capabilities at most POEs, and 
that this achievement owes largely to the hard work and dedication of 
individuals in the US-VISIT program office and the close oversight of 
the House and Senate Appropriations Committees. Nevertheless, core 
capabilities, such as exit, have not been implemented, and fundamental 
questions about the program's future direction and fit within the 
larger homeland security context as well as its return on investment 
remain unanswered. Moreover, the program is overdue in establishing the 
means to ensure that it is pursuing the right US-VISIT solution, and 
that it is managing it the right way. The longer the program proceeds 
without these, the greater the risk that the program will not optimally 
support mission operations and will fall short of commitments. 
Measuring and disclosing the extent to which these commitments are 
being met are also essential to holding the department accountable. We 
look forward to continuing to work constructively with the US-VISIT 
program to better ensure the program's success. 

Mr. Chairman, this concludes our statement. We would be happy to answer 
any questions that you or members of the committee may have at this 

Contact and Acknowledgement: 

If you should have any questions about this testimony, please contact 
Randolph C. Hite at (202) 512-3439 or, or Richard M. 
Stana at (202) 512-8777 or Other major contributors to 
this testimony included Deborah Davis, David Hinchman, James Houtz, 
Sandra Kerr, John Mortin, Freda Paintsil, and Sushmita Srikanth: 


[1] US-VISIT applies to foreign travelers that enter the United States 
under a nonimmigrant visa or are traveling from a country that has a 
visa waiver agreement with the United States under the Visa Waiver 
Program. The Visa Waiver Program enables foreign nationals of certain 
countries to travel to the United States for tourism or business for 
stays of 90 days or less without obtaining a visa. 

[2] GAO, Information Technology: Homeland Security Needs to Improve 
Entry Exit System Expenditure Planning, GAO-03-563 (Washington, D.C.: 
June 9, 2003); GAO, Homeland Security: Risks Facing Key Border and 
Transportation Security Program Need to Be Addressed, GAO-03-1083 
(Washington, D.C.: Sept. 19, 2003); GAO, Homeland Security: First Phase 
of Visitor and Immigration Status Program Operating, but Improvements 
Needed, GAO-04-586 (Washington, D.C.: May 11, 2004); GAO, Homeland 
Security: Some Progress Made, but Many Challenges Remain on U.S. 
Visitor and Immigrant Status Indicator Technology Program, GAO-05-202 
(Washington, D.C.: Feb. 23, 2005); and GAO, Homeland Security: Planned 
Expenditures for U.S. Visitor and Immigrant Status Program Need to Be 
Adequately Defined and Justified, GAO-07-278 (Washington, D.C.: Feb. 
14, 2007) 

[3] GAO, Homeland Security: Contract Management and Oversight for 
Visitor and Immigrant Status Program Need to Be Strengthened, GAO-06- 
404 (Washington, D.C.: June 9, 2006). 

[4] GAO, Border Security, US-VISIT Program Faces Strategic, 
Operational, and Technological Challenges at Land Ports of Entry, GAO- 
07-248 (Washington, D.C.: December 6, 2006). 

[5] This includes, for example, computers, printers, digital cameras, 
fingerprint scanners, telecommunications upgrades, existing system 
enhancements, and facilities modifications. 

[6] CBP is responsible for, among other things, enforcing U.S. 
immigration laws governing the admissibility of foreign nationals 
entering the United States by air, sea, and land. 

[7] Since the statute governing US-VISIT applies to foreign national 
arrival and departure data only, U.S. citizens do not fall within the 
scope of the program and therefore are exempt from US-VISIT screening. 
Also, in general, regardless of whether they are to be processed into 
US-VISIT, Mexican citizens must present either a passport and visa or a 
border crossing card (BCC) when seeking admission to the United States, 
while Canadian citizens generally do not need such documents. According 
to US-VISIT, when Mexicans receive a BCC, the data on the individual 
entered into U.S. databases at the time of their visa application are 
accessible by US-VISIT--if they are to be processed into it for any 

[8] Under the Enhanced Border Security and Visa Entry Reform Act of 
2002, 8 U.S.C. § 1221, commercial air and sea carriers are to transmit 
crew and passenger manifests to appropriate immigration officials 
before arrival of an aircraft or vessel in the United States. These 
manifests are transmitted to CBP through the Advanced Passenger 
Information System (APIS), which helps officers identify (1) those 
arrivals for which biometric data are available and (2) foreign 
nationals who need to be scrutinized more closely. 

[9] At land border POEs, the Form I-94 issued to foreign nationals 
covered by US-VISIT who are deemed admissible is considered issued for 
multiple entries, unless specifically annotated otherwise. A multiple 
entry I-94 permits them to reenter the country, generally for up to 6 
months, without additional US-VISIT processing during the period 
covered by the I-94. 

[10] 8 U.S.C. §1365a; 6 U.S.C.§ 251 (transferred Immigration and 
Naturalization Service functions to DHS). 

[11] Uniting and Strengthening America by Providing Appropriate Tools 
Required to Intercept and Obstruct Terrorism (USA PATRIOT Act) Act of 
2001, Pub. L. No. 107-56, § 414(b), (Oct. 26, 2001). 

[12] Intelligence Reform and Terrorism Prevention Act of 2004, 8 U.S.C. 

[13] On September 30, 2004, US-VISIT expanded biometric entry 
procedures to include individuals from visa waiver countries applying 
for admission. 

[14] According to CBP, these POEs are classified as Class B ports. 
Under 8 C.F.R. §100.4 (c) (2), only citizens of the United States, 
Canada, and Bermuda, and Lawful Permanent Residents of the United 
States and certain holders of border crossing cards may enter through 
Class B ports. 

[15] Such equipment includes a computer, printer, digital camera, and 
fingerprint scanners. 

[16] CBP based this decision on the high volume of pedestrians entering 
the United States through the Morley Gate POE; the fact that, before 
deployment, I-94s had not been previously issued at the Morley Gate 
POE; and the close proximity of the Morley Gate POE facility to the 
nearby DeConcini POE facility, about 100 yards away. 

[17] CBP officials also dealt with sporadic network outages. In one 
case, on December 2, 2005, the entire network went down for 3 hours 
because of an accident. According to port officials, visitors seeking 
entry into the country at the San Ysidro, California, POE were 
initially asked to wait until the systems came back up or return at 
another time. About an hour after the outage began, CBP officers began 
to manually process I-94s for US-VISIT, in accordance with CBP standard 
operating procedures, but without the benefit of a biometric 
verification of their identity under US-VISIT. 

[18] US-VISIT, Increment 2C Operational Alternatives Assessment--FINAL 
(Rosslyn, Va.: Jan. 31, 2005). 

[19] A US-VISIT program official explained that for vehicles exiting 
during RFID testing, one could "reasonably expect" a read rate of 70 
percent because vehicles are not required to stop upon exit. The 
official also cited vehicle speed, safety, and awareness (of optimal 
positioning of the arrival/departure form; for example, holding the 
form up to the window of the vehicle) as factors that affected RFID 
read rates. 

[20] US-VISIT, Increment 2C Operational Alternatives Assessment--FINAL 
(Rosslyn, Va: Jan. 31, 2005). 

[21] 8 U.S.C. §1365b(c)(2)(E). 

[22] GAO, Homeland Security: Risks Facing Border and Transportation 
Security Program Need to be Addressed, GAO-03-1083 (Washington, D.C.: 
Sept. 19, 2003). 

[23] Pub. L. No. 108-458, § 7209 (Dec. 17, 2004), as amended, Pub. L. 
No. 109-295, § 546 (Oct. 4, 2006). In November 2006, DHS and the 
Department of State issued a final rule announcing that, beginning on 
January 23, 2007, citizens of the United States, Canada, Mexico, and 
Bermuda are required to present a passport to enter the United States 
when arriving by air from any part of the Western Hemisphere (8 C.F.R. 
Parts 212 and 235 and 22 C.F.R. Parts 41 and 53). According to DHS, a 
separate proposed rule addressing land and sea travel will be published 
at a later date with specific requirements for travelers entering the 
United States through land and sea border crossings. 

[24] GAO, Observations on Efforts to Implement the Western Hemisphere 
Travel Initiative on the U.S. Canadian Border, GAO-06-741R (Washington, 
D.C.: May 25, 2006). 

[25] A sensitivity analysis is a quantitative assessment of the effect 
that a change in a given assumption, such as unit labor cost, will have 
on net present value. 

[26] Specifically, they said minimal modifications to interior 
workspace were required to accommodate biometric capture devices and 
printers and to install electrical circuits. These officials stated 
that modifications to existing officer training and interior space were 
the only changes needed. 

[27] The other two evaluation criteria were conduciveness to travel and 

[28] Compliance rates were 23 percent for the kiosk, 36 percent for the 
mobile device, and 26 percent for the validator. 

[29] The CMMI® ranks organizational maturity according to five levels. 
Maturity levels 2 through 5 require verifiable existence and use of 
certain key process areas. 

[30] GAO, Homeland Security: Contract Management and Oversight for 
Visitor and Immigrant Status Program Need to Be Strengthened, GAO-06- 
404 (Washington, D.D.: June 9, 2006). 

[31] Financial controls are practices to provide accurate, reliable, 
and timely accounting for billings and expenditures. 

[32] EVM is a management tool to help ensure that work performed for a 
program or project is consistent with cost and schedule goals. 

[33] GAO, Border Security, US-VISIT Program Faces Strategic, 
Operational, and Technological Challenges at Land Ports of Entry, GAO- 
07-248 (Washington, D.C.: December 6, 2006). 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site ( Each weekday, GAO posts 
newly released reports, testimony, and correspondence on its Web site. 
To have GAO e-mail you a list of newly posted products every afternoon, 
go to and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 441 G Street NW, Room LM 
Washington, D.C. 20548: 

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 

To Report Fraud, Waste, and Abuse in Federal Programs: 


Web site: E-mail: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, (202) 512-4400 U.S. 
Government Accountability Office, 441 G Street NW, Room 7125 
Washington, D.C. 20548: 

Public Affairs: 

Paul Anderson, Managing Director, (202) 512-4800 
U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, D.C. 20548: