This is the accessible text file for GAO report number GAO-04-569T entitled 'Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed' which was released on March 18, 2004. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the Subcommittee on Immigration, Border Security, and Claims, House Committee on the Judiciary: United States General Accounting Office: GAO: For Release on Delivery Expected at 10:00 a.m. EST: Thursday, March 18, 2004: Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed: Statement of Randolph C. Hite, Director, Information Technology Architecture and Systems Issues: GAO-04-569T: GAO Highlights: Highlights of GAO-04-569T, a testimony before the Subcommittee on Immigration, Border Security, and Claims, House Committee on the Judiciary: Why GAO Did This Study: US-VISIT (United States Visitor and Immigrant Status Indicator Technology) is a governmentwide program to enhance national security, facilitate legitimate trade and travel, contribute to the integrity of the U.S. immigration system, and adhere to U.S. privacy laws and policies by collecting, maintaining, and sharing information on certain foreign nationals who enter and exit the United States; identifying foreign nationals who (1) have overstayed or violated the terms of their visit; (2) can receive, extend, or adjust their immigration status; or (3) should be apprehended or detained by law enforcement officials; detecting fraudulent travel documents, verifying traveler identity, and determining traveler admissibility through the use of biometrics; and facilitating information sharing and coordination within the border management community. GAO was asked to testify on its completed work on the nature, status, and management of the US-VISIT program. What GAO Found: The US-VISIT program is inherently risky, both because of the type of program it is and because of the way it is being managed. First, US-VISIT is inherently risky because it is to perform a critical, multifaceted mission, its scope is large and complex, it must meet a demanding implementation schedule, and its potential cost is enormous. That is, one critical aspect of the program's mission is to prevent the entry of persons who pose a threat to the United States; failing in this mission could have serious consequences. To carry out this mission, the program aims to control the pre-entry, entry, status, and exit of millions of travelers--a large and complex process. In addition, through legislative mandate, it has challenging milestones (such as the system being implemented at all U.S. ports of entry by December 31, 2005). Finally, DHS estimated that the program would cost $7.2 billion through fiscal year 2014, but this estimate did not include all costs and underestimated some others. All these factors add risk. Second, several factors related to the program's management increase the risk of not delivering mission valued commensurate with costs or not delivering defined program capabilities on time and within budget. For example, the program is to rely initially on integrating existing systems with reported problems that could limit US-VISIT performance. In addition, the requirements for interim facilities at high-volume land ports of entry are not only demanding, they are based on assumptions that, if altered, could significantly affect facility plans. Further, DHS did not define the benefits versus costs of near- term program increments (that is, the interim versions of the program that are being pursued while the final version is being defined). Addressing these issues is the responsibility of the program office, which however was not adequately staffed, had not clearly defined roles and responsibilities for its staff, and had not established key processes for managing the acquisition and deployment of US-VISIT. Despite the program management challenges confronting US-VISIT, the first increment was deployed at the beginning of this year. However, the program still faces a number of risks, including the ones described above. To address these, GAO has made a series of recommendations regarding the planned scope of US-VISIT and its management. Addressing the identified risks increases the likelihood that the deployment of US-VISIT will be successful--the predictable outcome of sound management of a well-justified and designed program. For more information, contact Randolph C. Hite at (202) 512-3870 or hiter@gao.gov. [End of section] Mr. Chairman and Members of the Subcommittee: We appreciate the opportunity to participate in the Subcommittee's hearing on US-VISIT (the United States Visitor and Immigrant Status Indicator Technology), a large, complex program that is intended to achieve a daunting set of goals: it is to enhance homeland security and the integrity of the U.S. immigration system, and at the same time it is to facilitate legitimate border crossing and protect privacy. To achieve these goals, US-VISIT relies on information technology, as well as people, processes, and facilities. The genesis of US-VISIT was in 1996, when the Congress passed legislation that directed the former Immigration and Naturalization Service (INS) to develop a system to monitor the entry and exit of foreign nationals visiting this country.[Footnote 1] As a result of this and later related legislative direction,[Footnote 2] efforts were begun in 2002 to develop the system now known as US-VISIT. Subsequently, INS was merged into the Department of Homeland Security (DHS), which is now responsible for developing and implementing the US- VISIT program. In the last three appropriations acts governing the development and implementation of US-VISIT,[Footnote 3] the Congress prohibited the INS, and later DHS, from obligating funds until the agency submitted to the Senate and House Committees on Appropriations expenditure plans that met several conditions, including being reviewed by GAO. We have accordingly issued two reports on US-VISIT[Footnote 4] and will shortly be issuing a third to the appropriations committees. All three reports were based on work performed in accordance with generally accepted government auditing standards. My testimony today is based on our two published reports and on more current public information on the program since the reports were issued. Results in Brief: The overall message of our testimony today is that the US-VISIT program is risky, both because of the type of program it is and because of the way it is being managed. US-VISIT is a large, complex, and expensive program aimed at supporting a multifaceted mission-critical area; thus, it is an intrinsically challenging effort. Several aspects of the program increase the risk that it will not meet its goals or its cost, schedule, and performance commitments: * Multifaceted, critical mission. The program aims to prevent the entry of persons who pose a threat to the United States. Besides this critical security mission, the program also aims to achieve law enforcement goals regarding visa violations, while facilitating legitimate trade and travel and adhering to U.S. privacy laws and policies. * Large and complex scope. Controlling the pre-entry, entry, status, and exit of millions of travelers is a large and complex process. * Challenging milestones. Progress and current status of the program make it difficult to satisfy legislatively mandated milestones: for example, that US-VISIT be implemented at all ports of entry by December 31, 2005.[Footnote 5] * Significant potential cost. In February 2003, DHS estimated that the program would cost $7.2 billion through fiscal year 2014, but this estimate did not include all costs and underestimated some others. Additionally, several factors related to the program's management increase the risk of not achieving program goals or not delivering program capabilities on time and within budget. Our imminent report for the appropriations committees will discuss each of these factors, including why each is still an area of risk. Examples of the factors that we have reported on are as follows: * Problems with existing systems. The program is to rely initially on existing systems with reported problems that could limit US-VISIT performance. * Program management capability. The program office was not adequately staffed, roles and responsibilities had not been clearly defined, and acquisition management processes were not yet established. * Near-term facilities solutions. Interim facility planning for high- volume land ports of entry must satisfy requirements that are both demanding and based on assumptions that, if altered, could significantly affect facility plans. * Mission value of increments. The benefits versus costs were not yet known of the interim versions (or increments) of the program that are being implemented while the final version is being developed. Our experience in reviewing large, complex, information-technology- dependent programs in other federal agencies has shown that such program management weaknesses typically result in these programs falling short of expectations. Accordingly, we have made several recommendations regarding the US-VISIT program to address these weaknesses and risks. Background: The US-VISIT program is a governmentwide endeavor intended to enhance national security, facilitate legitimate trade and travel, contribute to the integrity of the U.S. immigration system, and adhere to U.S. privacy laws and policies by: * collecting, maintaining, and sharing information on certain foreign nationals who enter and exit the United States; * identifying foreign nationals who (1) have overstayed or violated the terms of their visit; (2) can receive, extend, or adjust their immigration status; or (3) should be apprehended or detained by law enforcement officials; * detecting fraudulent travel documents, verifying traveler identity, and determining traveler admissibility through the use of biometrics; and: * facilitating information sharing and coordination within the border management community. The program involves interdependencies among people, processes, technology, and facilities, as shown in figure 1. Figure 1: People, Processes, Technology, and Facilities Involved in US- VISIT: [See PDF for image] Note: GAO analysis based on DHS data. [End of figure] Within DHS, organizational responsibility for the US-VISIT program lies with the Border and Transportation Security Directorate. In July 2003, DHS established a US-VISIT program office with responsibility for managing the acquisition, deployment, operation, and sustainment of the US-VISIT system and supporting people (e.g., inspectors), processes (e.g., entry exit policies and procedures), and facilities (e.g., inspection booths). DHS plans to deliver US-VISIT capability incrementally. Currently, it has defined four increments, with Increments 1 through 3 being interim or temporary solutions, and Increment 4 being the yet-to-be-defined end vision for US-VISIT. Increments 1 through 3 include the interfacing and enhancement of existing system capabilities and the deployment of these capabilities to air, sea, and land ports of entry (POE). 1. The first increment includes the electronic collection and matching of biographic and biometric information at all major air and some sea POEs for selected foreign travelers with non-immigrant visas.[Footnote 6] Increment 1 entry capability was deployed to 115 airports and 14 seaports on January 5, 2004. Increment 1 exit capability was deployed as a pilot to two POEs on January 5, 2004--one airport and one seaport.[Footnote 7] 2. The second increment is divided into two parts--2A and 2B. Increment 2A is to include the capability to process machine-readable visas and other travel and entry documents that use biometric identifiers at all POEs. This increment is to be implemented by October 26, 2004. Increment 2B is to expand the Increment 1 solution for entry to secondary inspection[Footnote 8] at the 50 highest volume land POEs by December 31, 2004. According to the US-VISIT Request for Proposal (RFP),[Footnote 9] 2B is also to include radio frequency (RF)[Footnote 10] capability at the 50 busiest land POEs for both entry and exit processes. 3. Increment 3 is to expand the 2B capability to the remaining 115 land POEs. It is to be implemented by December 31, 2005. 4. Increment 4 is the yet-to-be-defined end vision of US-VISIT, which will likely consist of a series of capability releases. DHS plans to award a single, indefinite-delivery/indefinite- quantity[Footnote 11] contract to a prime contractor for integrating existing and new business processes and technologies. DHS plans to award the contract by May 2004. According to the RFP, the prime contractor's scope of work is to include, but is not limited to, Increments 2B, 3, and 4. US-VISIT Is Inherently Risky: By definition, US-VISIT is a risky undertaking because it is to perform a critical mission, its scope is large and complex, it must meet a demanding implementation schedule, and its potential cost is enormous. Program Supports Multifaceted, Critical Mission: In announcing the US-VISIT system, the DHS Under Secretary for Border and Transportation Security stated that the system's goal is to "give America a 21st Century 'smart border'--one that speeds through legitimate trade and travel, but stops terrorists in their tracks." Achieving these goals is daunting: the United States shares over 7,500 miles of land border with Canada and Mexico, and it has approximately 95,000 miles of shoreline and navigable waterways to protect. In fiscal year 2002, there were about 279 million inspections of foreign nationals at U.S. POEs. In these circumstances, preventing the entry of persons who pose a threat to the United States cannot be guaranteed, and the missed entry of just one can have severe consequences. Relatedly, US-VISIT is to achieve the important law enforcement goal of identifying those among these millions of visitors each year who overstay or otherwise violate the terms of their visas. Complicating achievement of these security and law enforcement goals are other key US-VISIT goals: facilitating the movement of legitimate trade and travel through the POEs and providing for enforcement of U.S. privacy laws and regulations. Scope Is Large and Complex: US-VISIT is to provide for the interfacing of a number of existing systems. It is also to support and refine a large and complex governmentwide process involving multiple departments and agencies. This process involves the pre-entry, entry, status, and exit of hundreds of millions of foreign national travelers to and from the United States at over 300 air, sea, and land POEs. The interfaced systems included in Increment 1 are: * Arrival Departure Information System (ADIS), a database that stores traveler arrival and departure data received from air and sea carrier manifests and that provides query and reporting functions; * Advance Passenger Information System (APIS), a system that captures arrival and departure manifest information provided by air and sea carriers; * Interagency Border Inspection System (IBIS), a system that maintains lookout data, interfaces with other agencies' databases, and is currently used by inspectors at POEs to verify traveler information and modify data; * Automated Biometric Identification System (IDENT), a system that collects and stores biometric data about foreign visitors; * Student Exchange Visitor Information System (SEVIS), a system that contains information on foreign students; * Computer Linked Application Information Management System (CLAIMS 3), a system that contains information on foreign nationals who request benefits, such as change of status or extension of stay; and: * Consular Consolidated Database (CCD), a system that includes information on whether a visa applicant has previously applied for a visa or currently has a valid U.S. visa. Figure 2 shows these systems and their relationships. Figure 2: Simplified Diagram of US-VISIT Increment 1 Component Systems and Relationships: [See PDF for image] [1] FIN = Fingerprint Identification Number. [End of figure] In addition to integrating numerous systems, US-VISIT also involves complex processes governing the stages of a traveler's visit to the United States: pre-entry, entry, status management, and exit. These processes for Increment 1 are as follows: Pre-entry process. Pre-entry processing begins with initial petitions for visas. When the Department of State issues the travel documentation, biographic (and in some cases biometric) data are collected and made available to border management agencies. The biometric data are transmitted from State to DHS, where the prints are run against the US-VISIT IDENT biometric database to verify identity and to check the biometric watchlist. The results of the biometric check are transmitted back to State. Commercial air and sea carriers are required by law to transmit crew and passenger manifests to appropriate immigration officers before arriving in the United States.[Footnote 12] These manifests are transmitted through APIS. The APIS lists are run against the biographic lookout system and identify those arrivals who have biometric data available. In addition, POEs review the APIS list in order to identify foreign nationals who need to be scrutinized more closely. Entry process. When a foreign national arrives at a POE's primary inspection booth, biographic information, such as name and date of birth, is displayed on the bottom half of a computer workstation screen, along with a photograph obtained from State's CCD. The inspector at the booth scans the foreign national's fingerprints (left and right index fingers) and takes a digital photograph. This information is forwarded to the IDENT database, where it is checked against stored fingerprints in the IDENT lookout database. If the foreign national's fingerprints are already in IDENT, the system performs a match (a comparison of the fingerprint taken during the primary inspection to the one on file) to confirm that the person submitting the fingerprints is the person on file. During this process, the inspector also questions the foreign national about the purpose of his or her travel and length of stay. Status management process. The status management process manages the foreign national's temporary presence in the United States, including the adjudication of benefits applications and investigations into possible violations of immigration regulations. ADIS matches entry and exit manifest data to ensure that each record showing a foreign national entering the United States is matched with a record showing the foreign national exiting the United States. ADIS receives status information from CLAIMS 3 and SEVIS on foreign nationals. Exit process. The exit process includes the carriers' submission of electronic manifest data to IBIS/APIS. This biographic information is passed to ADIS, where it is matched against entry information. At the two POEs where the exit pilot is being conducted, foreign nationals use a self-serve kiosk where they are prompted to scan their travel documentation and provide their fingerprints (right and left index fingers). This departure record is then stored in ADIS (along with the person's arrival record) and used to verify if a foreign national has complied with the admission terms of his or her visa. Milestones Are Challenging: Key US-VISIT milestones are legislatively mandated. For example, the Immigration and Naturalization Service Data Management Improvement Act of 2000[Footnote 13] requires that US-VISIT be implemented at all air and sea POEs by December 31, 2003; at the 50 highest volume land POEs by December 31, 2004; and at all remaining POEs by December 31, 2005. Because of limited progress during the 7 years following the legislation that originated the entry exit system requirement, DHS acknowledged that it could not complete permanent solutions in these time frames, and thus it planned to implement interim (temporary) solutions. For example, Increments 1 through 3 include the interfacing of existing systems and the design and construction of interim facilities at land POEs. Further, DHS officials have stated that it will be difficult to develop and implement even the interim solutions at some of the highest volume land POEs (such as San Ysidro, California; Otay Mesa, California; and Laredo, Texas) by December 31, 2004, because even minor changes in the inspection time can greatly affect the average wait time at these high-volume POEs. Moreover, achievement of interim solutions is based on assumptions that, if changed, could significantly affect facility and staffing plans. Potential Cost Is Significant: Despite DHS's estimate in February 2003, that the total overall cost of the US-VISIT program would be about $7.2 billion through fiscal year 2014, the potential governmentwide cost of US-VISIT over just a 10-year period could be about twice as much. Although the DHS estimate included a wide range of costs, it omitted some costs and may have understated others. The estimate included: * system investment costs, such as information technology hardware and communications infrastructure, software enhancements, and interfaces; * the cost of facilities and additional inspectors; * system and facilities operation and maintenance costs; * the cost of planning, designing, and constructing permanent facilities, which according to DHS was about $2.9 billion[Footnote 14] (this estimate was based on the assumptions that (1) no additional traffic lanes would be required to support the entry processes and (2) exit facilities would mirror entry facilities--i.e., that a land POE with 10 entry traffic lanes would require 10 exit traffic lanes); * costs to design and construct building space to house additional computer equipment and inspectors; and: * costs for highway reconfiguration at land POEs. However, the estimate did not include the costs to design and construct interim facilities at land POEs. DHS officials estimated that the cost of constructing the interim facilities at the 50 highest volume POEs was about $218 million. Moreover, the estimate is based on assumptions that, if changed, could significantly affect, for example, land POE facility and staffing needs. Finally, although the estimate did include the cost of implementing biometrics, these costs are understated, because they did not include, for example, State Department costs. Specifically, in November 2002,[Footnote 15] we reported that a rough order of magnitude estimate of the cost to implement visas with biometrics would be between $1.3 billion and $2.9 billion initially and between $0.7 and $1.5 billion annually thereafter. This estimate is based on certain assumptions, including that all current visa-issuing embassies and consulates will be equipped to collect biometrics from visa applicants. Assuming that biometrics are implemented by December 2004, this means that the recurring cost of having biometric visas through DHS's fiscal year 2014 life cycle period would be between $7 and $15 billion. In contrast, DHS's estimate for the entire program through fiscal year 2014 was about $7.2 billion. Management of US-VISIT System Acquisition: Compounding the risk factors inherent in the scale and significance of the US-VISIT program are a number of others that can be attributed to its state of management and its acquisition approach. As described in our September 2003 report on US-VISIT, these include relying on existing systems to provide the foundation for the first three program increments (and thus having to accept the performance limitations of these existing systems), not having mature program management capabilities, not having fully defined near-term facilities solutions, and not knowing the mission value that is to be derived from US-VISIT increments. Our recently completed audit work for the appropriations committees addressed each of these factors, which our next report will discuss, including why each is still an area of risk. Problems with Existing Systems: The system performance of the interim releases of US-VISIT (Increments 1, 2, and 3) will depend largely on the performance of the existing systems that are to be interfaced to create the overall system. Thus, US-VISIT system availability and associated downtime, for example, will be constrained by the availability of the interfaced systems. In this regard, some of the existing systems have had availability and reliability problems that could limit US-VISIT performance. Two examples are SEVIS and CLAIMS 3. Problems have been identified with the availability and reliability of SEVIS, the system designed to manage and monitor foreign students in the United States. For example, in April 2003, the Justice Inspector General reported that many users had difficulty logging on to the system, and that as the volume of users grew, the system became increasingly sluggish.[Footnote 16] According to other reports, university representatives complained that it was taking hours to log on to the system and to enter a single record, or worse, that the system accepted the record and later deleted it. We are required to report to the House and Senate Appropriations Committees by April 1, 2004, on SEVIS performance, among other things. [Footnote 17] We also reported in May 2001[Footnote 18] that CLAIMS 3 was unreliable. This system contains information on foreign nationals who request benefits and is used to process benefit applications other than naturalization. Specifically, we reported that INS officials stated that the system was frequently unavailable and did not always update and store important case data when field offices transferred data from the local system to the mainframe computer. Program Management Capability: Our experience with major modernization programs, like US-VISIT, shows that they should be managed formally, which includes establishing a program office that (1) is adequately staffed (both in numbers and skill levels), (2) has clearly defined its staff's roles and responsibilities, and (3) is supported by rigorous and disciplined acquisition management processes. DHS established a US-VISIT program office in June 2003[Footnote 19] and determined that this office's staffing needs were, in all, 115 government and 117 contractor personnel to perform key acquisition management functions. These functions fall into categories described by the Software Engineering Institute's Software Acquisition Capability Maturity Model (SA-CMM®),[Footnote 20] which defines a suite of key acquisition process areas that are necessary for rigorous and disciplined management of a system acquisition program. These process areas include acquisition planning, requirements development and management, project management, solicitation, contract tracking and oversight, evaluation, and transition to support. Our latest report stated that the US-VISIT program's staffing levels were far below its stated needs. Moreover, specific roles and responsibilities had not been defined beyond general statements. Further, the program had not yet defined plans and associated time frames for achieving needed staffing levels and defining roles, responsibilities, and relationships. According to the Program Director, positions were being filled with detailees from various DHS component organizations. Additionally, although the approved program office structure provided for positions to perform the SA-CMM" key process areas (including acquisition planning, requirements development and management, project management, and contract tracking and oversight), none of the process areas were defined and implemented. Until they are, the program office must rely on the knowledge and skills of its existing staff to execute these important acquisition functions. According to the Program Director, needed program staffing and key process areas were not in place because the program was just getting off the ground, and it would take considerable time to establish a fully functioning and mature program management capability. Until the program office is adequately staffed, positional roles and responsibilities are clearly defined and understood, and rigorous and disciplined acquisition process controls are defined, understood, and followed, DHS's efforts to acquire, deploy, operate, and maintain system capabilities will be at risk of not producing promised performance levels, functionality, and associated benefits on time and within budget. Near-Term Facilities Solutions: Work by the Data Management Improvement Act Task Force has shown that existing facilities do not adequately support the current entry exit process at land POEs. In particular, more than 100 land POEs have less than 50 percent of the required capacity to support current inspection processes and traffic levels.[Footnote 21] As a result, as part of US- VISIT (Increment 2), DHS plans to construct interim facilities at about 40 of the 50 highest volume land POEs by December 31, 2004, and construct interim facilities at the remaining portion of these 50 POEs by February 2005. According to DHS officials, the department plans to design and construct interim facilities to (1) support the US-VISIT inspection process, technology, and staff requirements and (2) meet current traffic wait time requirements at each land POE. To plan for the design and construction of interim facilities that meet these requirements, DHS modeled various inspection process and facilities scenarios to define what inspection process to follow and what interim facilities to construct. The modeling was based on two key assumptions: (1) the current staffing level and (2) the current number of inspection booths staffed for each POE. According to preliminary DHS modeling exercises, small incremental increases in average inspection times at some high- volume land POEs could significantly increase average wait times. Moreover, any changes to decisions about which foreign travelers are subject to US-VISIT could significantly affect these assumptions and thus near-term facility requirements. Mission Value of Increments: OMB Circular Number A-11, part 7, requires that investments in major systems be implemented incrementally, with each increment delivering tangible and measurable benefits. Incremental investment involves justifying investment in each increment on the basis of benefits, costs, and risks. Although DHS is pursuing US-VISIT incrementally, it has not defined incremental costs and benefits to justify its proposed investments in each increment. In the case of Increment 1, DHS' 2003 expenditure plan stated that this increment would provide "immediate benefits," but it did not describe them. Instead, it described capabilities to be provided, such as the ability to determine whether a foreign national should be admitted and to perform checks against watch lists. It did not describe in meaningful terms the benefits that are to result from implementation of these capabilities (e.g., X percent reduction in inspection times or Y percent reduction in false positive matches against watch lists). Also, DHS did not identify the estimated cost of Increment 1. The Program Director told us that the $375 million requested in the 2003 plan included not only all the funding required for Increment 1, but also funding for later increments. However, the plan did not separate the funds by increment, and program officials did not provide this information. While DHS developed a benefits and cost analysis for the former entry exit program in February 2003, this analysis had limitations, such as an absence of meaningful benefit descriptions. Program officials acknowledged that this analysis is out of date and is not reflective of current US-VISIT plans. According to these officials, an updated analysis will be issued in the very near future. Without a reliable understanding of whether near-term increments will produce mission value justifying its costs and whether known risks can be effectively mitigated, DHS is investing in and implementing near- term solutions that have not been adequately justified. To the credit of the hard-working and dedicated staff working on the program, an initial US-VISIT operating capability was deployed to major air and selected sea POEs at the beginning of this year. However, the US-VISIT program still faces the risk factors described in this testimony, each of which will be discussed in our soon to be released report. To address these risk factors, our published reports presented several recommendations regarding the US-VISIT program, including: * ensure that future expenditure plans fully disclose US-VISIT system capabilities, schedule, cost, and benefits to be delivered; * determine whether proposed US-VISIT increments will produce mission value commensurate with costs and risks; * define performance standards for each increment that are measurable and reflect the limitations imposed by relying on existing systems; * develop a risk management plan and regularly report all high risks; * develop and implement a plan for satisfying key acquisition management controls and implement these in accordance with Software Engineering Institute guidance; * ensure that human capital and financial resources are provided to establish a fully functional and effective US-VISIT program office; * define program office positions, roles, and responsibilities; and: * develop and implement a human capital strategy for the program office that provides for staffing positions with individuals who have the appropriate knowledge, skills, and abilities. Unless DHS addresses the risk factors described in this testimony, successful deployment of US-VISIT increments is doubtful, because achieving success will depend too much on heroic efforts by the people involved, rather than being the predictable outcome of sound investment and acquisition management capabilities. Mr. Chairman, this concludes our statement. We would be happy to answer any questions that you or members of the committee may have at this time. Contacts and Acknowledgement: If you should have any questions about this testimony, please contact Randolph C. Hite at (202) 512-3870 or hiter@gao.gov. Other major contributors to this testimony included Barbara Collier, Deborah Davis, Tamra Goldstein, David Hinchman, and Jessica Waselkow. FOOTNOTES [1] Illegal Immigration Reform and Immigrant Responsibility Act of 1996, Pub. L. 104-208 (Sept. 30, 1996). [2] Immigration and Naturalization Service Data Management Improvement Act of 2000, Pub. L. 106-215 (June 15, 2000); Visa Waiver Permanent Program Act, Pub. L. 106-396 (Oct. 30, 2000). USA PATRIOT ACT, Pub. L. 107-56 (Oct. 26, 2001); Aviation and Transportation Security Act, Pub. L. 107-71 (Nov. 19, 2001); Enhanced Border Security and Visa Entry Reform Act of 2002, Pub. L. 107-173 (May 14, 2002). [3] 2002 Supplemental Appropriations Act for Further Recovery from and Response to Terrorist Attacks on the United States, Pub. L. 107-206 (Aug. 2, 2002); Consolidated Appropriations Resolution, 2003, Pub. L. 108-7 (Feb. 20, 2003); Department of Homeland Security Appropriations Act, 2004 , Pub. L. 108-90 (Oct. 1, 2003). [4] U.S. General Accounting Office, Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed, GAO-03-1083 (Washington, D.C.: Sept. 19, 2003); Information Technology: Homeland Security Needs to Improve Entry Exit System Expenditure Planning, GAO-03-563 (Washington, D.C.: June 9, 2003). [5] Immigration and Naturalization Service Data Management Improvement Act, 2000, Pub. L. 106-215 (June 15, 2000). [6] Classes of travelers that are not subject to US-VISIT are foreign nationals admitted on A-1, A-2, C-3 (except for attendants, servants, or personal employees of accredited officials), G-1, G-2, G-3, G-4, NATO-1, NATO-2, NATO-3, NATO-4, NATO-5, or NATO-6 visas, unless the Secretary of State and the Secretary of Homeland Security jointly determine that a class of such aliens should be subject to the rule; children under the age of 14; and persons over the age of 79. [7] The Miami Royal Caribbean seaport and the Baltimore/Washington International Airport. [8] Secondary inspection is used for more detailed inspections that may include checking more databases, conducting more intensive interviews of the individual, or both. [9] In November 2003, DHS issued as planned a Request for Proposal (RFP) for a prime contractor for US-VISIT work beyond Increment 2A. [10] RF technology would require proximity cards and card readers. RF readers read the information contained on the card when the card is passed near the reader, and could be used to verify the identity of the card holder. [11] An indefinite-delivery/indefinite-quantity contract provides for an indefinite quantity, within stated limits, of supplies or services during a fixed period of time. The government schedules deliveries or performance by placing orders with the contractor. [12] Enhanced Border Security and Visa Entry Reform Act of 2002, Pub. L. 107-173 (May 14, 2002). [13] Pub. L. 106-215 (June 15, 2000). [14] The $2.9 billion is a parametric cost estimate. Parametric cost estimating is a technique used in the planning, budgeting, and conceptual stages of projects. This technique expedites the development of order of magnitude benchmark estimates when discrete estimating techniques are not possible or would require inordinate amounts of time and resources to produce similar results. Estimates such as this can vary ±30 to 50 percent. [15] U.S. General Accounting Office, Technology Assessment: Using Biometrics for Border Security, GAO-03-174 (Washington, D.C.: Nov. 15, 2002). [16] Statement of Glenn A. Fine, Inspector General, U.S. Department of Justice, "Implementation of the Student and Exchange Visitor Information System (SEVIS)" (Apr. 2, 2003). [17] H.R. Conf. Rep. No. 108-280, at 32 (2003). [18] U.S. General Accounting Office, Immigration Benefits: Several Factors Impede Timeliness of Application Processing, GAO-01-488 (Washington, D.C.: May 4, 2001). [19] The predecessor program office for the entry exit program was established within the former INS in March 2002. [20] Carnegie Mellon Software Engineering Institute, Software Acquisition Capability Maturity Model, Version 1.03 (March 2002). [21] Data Management Improvement Act Task Force, First Annual Report to Congress (Washington, D.C.: December 2002).