This is the accessible text file for GAO report number GAO-06-823 entitled 'Information Technology: Immigration and Customs Enforcement Is Beginning to Address Infrastructure Modernization Program Weakness but Key Improvements Still Needed' which was released on July 28, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: United States Government Accountability Office: GAO: July 2006: Information Technology: Immigration and Customs Enforcement Is Beginning to Address Infrastructure Modernization Program Weaknesses but Key Improvements Still Needed: GAO-06-823: GAO Highlights: Highlights of GAO-06-823, a report to congressional committees Why GAO Did This Study: The Department of Homeland Security’s (DHS) fiscal year 2005 appropriations act provided $39.6 million for Immigration and Customs Enforcement’s (ICE) program to modernize its information technology (IT) infrastructure. The goals of the program—which consists of seven projects and is referred to as Atlas—include improving information sharing and strengthening security. As mandated by the appropriations act, the department is to develop and submit for approval an expenditure plan for Atlas that satisfies certain legislative conditions, including a review by GAO. In performing its review of the Atlas plan, GAO was asked to (1) determine whether the plan satisfies certain legislative conditions, (2) determine the status of our prior recommendations, and (3) provide any other observations about the plan and management of the program. What GAO Found: DHS’s fiscal year 2005 expenditure plan, related documentation, and program officials’ statements and commitments, satisfy or partially satisfy the legislative conditions set forth by Congress, including (1) meeting the capital planning and investment control review requirements established by the Office of Management and Budget (OMB); (2) complying with the DHS enterprise architecture; (3) complying with the acquisition rules, requirements, guidelines, and system acquisition management practices of the federal government; and (4) being reviewed and approved by DHS’s Investment Review Board, the Secretary of DHS, and OMB. A number of steps to address prior GAO recommendations are in progress or have been partially implemented (see table). For example, ICE issued a revised cost-benefit analysis in December 2005. However, this analysis did not address all key ICE mission requirements, such as sharing law enforcement and immigration information with external partners. In addition, it issued an updated security plan in April 2006, but the plan was missing important security management practices, or only partially addressed them. Table: Status of Actions to Implement GAO's Open Recommendation for Atlas: GAO Recommendation: 1. Revise and update cost-benefit analysis; Status: Partially completed. GAO Recommendation: 2. Ensure program office is operational; Status: In progress. GAO Recommendation: 3. Develop and implement updated security plan and privacy impact assessment; Status: Partially completed. GAO recommendation: 4. Develop and implement rigorous performance management practices; Status: In progress. GAO Recommendation: 5. Ensure that future expenditure plans fully disclose Atlas capabilities, schedule, cost and benefits to be delivered, as well as the acquisition strategy; Status: In progress. Source: GAO. [End of Table] GAO also observed that current Atlas project plans do not include essential elements, such as a work breakdown structure of tasks to be performed, identification of project costs, analysis of constraints and risks, and review and approval by management and key stakeholders. Thus, there is much that remains to be accomplished to minimize the risks associated with the Atlas program’s capacity to deliver promised IT infrastructure capabilities and benefits on time and within budget. Given that hundreds of millions of dollars are to be invested, it is essential that DHS follow through on commitments to build the capacity to effectively manage the program. Moreover, expenditure plans need to relay reliable information about program commitments, including the benefits to be produced, the capabilities to be delivered, and the cost and schedule estimates to be met. By not providing this information in its fiscal year 2005 expenditure plan, the department is impeding congressional oversight and not providing a meaningful basis for measuring performance and ensuring accountability. What GAO Recommends: GAO is recommending that DHS minimize Atlas program risks by, among other things, developing and implementing project plans consistent with elements of effective project planning. DHS did not provide additional substantive comments on this report recognizing that ICE had already agreed with the briefing contained in this report. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-823]. To view the full product, including the scope and methodology, click on the link above. For more information, contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. [End of Section] Contents: Letter: Compliance with Legislative Conditions: Status of Open Recommendations: Other Observations on the Expenditure Plan and Management of Atlas: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Briefing to Staffs Subcommittees on Homeland Security, Senate and House Committees on Appropriations: Appendix II: GAO Contact and Staff Acknowledgments: Abbreviations: CIO: Chief Information Officer: DHS: Department of Homeland Security: EA: Enterprise Architecture: ICE: Immigration and Customs Enforcement: INS: Immigration and Naturalization Service: IRB: Investment Review Board: IT: information technology: OMB: Office of Management and Budget: PART: Program Assessment Rating Tool: SEI: Software Engineering Institute: United States Government Accountability Office: Washington, DC 20548: July 27, 2006: The Honorable Judd Gregg: Chairman: The Honorable Robert C. Byrd: Ranking Member: Subcommittee on Homeland Security: Committee on Appropriations: United States Senate: The Honorable Harold Rogers Chairman The Honorable Martin Olav Sabo Ranking Member Subcommittee on Homeland Security Committee on Appropriations House of Representatives: The 2005 Department of Homeland Security Appropriations Act[Footnote 1] provided $39.6 million for Immigration and Customs Enforcement's (ICE) program to modernize its information technology (IT) infrastructure. The goals of the program--which consists of seven related IT projects and is referred to by ICE as Atlas--include improving information sharing, strengthening information security, and improving workforce productivity. The act prohibited the Department of Homeland Security (DHS) from obligating the $39.6 million until the department developed a plan that satisfied certain legislative conditions for how the funds are to be spent. The conditions included, among other things, having us review the plan. On March 15, 2006, DHS submitted its fiscal year 2005 expenditure plan to the Senate and House Appropriations Subcommittees on Homeland Security. Pursuant to the act, we reviewed the plan; our objectives were to (1) determine whether the plan satisfies legislative conditions specified in the act, (2) determine the status of prior recommendations, and (3) provide any other observations about the plan and management of the program. On April 27, 2006, we provided DHS officials, including ICE's Deputy Chief Information Officer (CIO), a written briefing on our findings, conclusions, and recommendations. These officials agreed with our briefing. On May 1, 2006, we provided this briefing to the Senate and House Homeland Security Subcommittee staffs.[Footnote 2] This report provides the presentation slides used to brief the staffs and summarizes our findings, conclusions, and recommendations. The full briefing, including our scope and methodology, is reprinted in appendix I. Compliance with Legislative Conditions: DHS has taken actions to address each of the applicable legislative conditions specified in the appropriations act. In particular, the plan, including related program documentation and program officials' stated commitments, satisfied or partially satisfied key aspects of (1) meeting the capital planning and investment control review requirements of the Office of Management and Budget (OMB);[Footnote 3] (2) complying with the DHS enterprise architecture;[Footnote 4] (3) complying with acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government; and (4) having the plan reviewed and approved by DHS's Investment Review Board, the Secretary of Homeland Security, and OMB. Status of Open Recommendations: ICE is taking steps to address our open recommendations. Each recommendation, along with the status of actions to address it, is summarized as follows: * Recommendation: Revise and update the cost-benefit analysis to identify current mission requirements, determine how they will be met, and develop an estimate of the program's incremental and life-cycle costs, benefits, schedule, and return on investment. Status: ICE has partially completed[Footnote 5] implementation of this recommendation. A revised cost-benefit analysis was issued in December 2005 as part of a business case justification for Atlas mission requirements. The analysis included three alternative solutions for how requirements would be met, as well as each alternative's estimated life- cycle costs, benefits, schedule, and return on investment. However, the analysis does not fully adhere to our recommendation and key federal practices.[Footnote 6] For example, it does not address all key mission requirements, such as sharing law enforcement and immigration information with external partners (such as the Departments of Justice and State, state and local law enforcement). According to the program manager, a long-range strategic plan for information sharing will be developed to identify requirements, and it will be used to update the analysis of costs and benefits related to information sharing and other requirements. * Recommendation: Make the program office operational by (1) developing a staffing needs assessment to determine the positions and the level of staffing needed for all projects to adequately manage the program, including a human capital strategy for acquiring staff and a timetable for bringing them on board; (2) finalizing the roles and responsibilities for the positions identified in the staffing assessment and for the projects; and (3) implementing and institutionalizing key acquisition management controls, including risk management processes where relevant responsibilities are assigned and key risks and their status are reported to an executive body. Status: ICE's implementation of this recommendation is in progress.[Footnote 7] First, in April 2006, program officials completed an organizational and staffing assessment. The assessment identified an organizational structure, functions, and associated positions for the program office as well as the staff needed to fill the positions. To date, ICE has filled most of the positions (and is in the process of filling the others). Second, as part of the aforementioned assessment, program officials finalized staff roles and responsibilities and assigned high-level tasks for each staff member. Third, program officials have begun to implement key acquisition management controls. For example, the Atlas program completed a risk management plan in January 2006 and hired an analyst to manage the risks. However, a complete inventory of risks has not been prepared. * Recommendation: Develop and implement an updated security plan and privacy impact assessment. Status: ICE has partially completed implementing this recommendation. The program issued an updated security plan in April 2006, but it is missing important IT security management practices or only partially addresses them. For example, the program did not have a complete inventory of all information systems or a complete description of the systems. In addition, the program did not define common and system- specific security controls. Regarding privacy, the program issued a draft privacy impact assessment in August 2005, which is being reviewed by the department's Privacy Office. This office has requested additional documentation from ICE but did not provide a date for when its review would be finalized. * Recommendation: Develop and implement rigorous performance management practices for the program that include properly aligned goals, benefits, achievements, and anticipated achievements that are defined in measurable terms. Status: ICE implementation of this recommendation is in progress. The program has taken steps to align its goals and other indicators and is beginning to implement them. For example, as part of the business case (December 2005), the program mapped Atlas's mission and goals to ICE's mission and goals. The program also developed seven performance goals and associated measures for the projects. However, three Atlas projects did not have performance goals and measures; the program manager plans to develop them by June 2006. In addition, the program has yet to implement the seven measures. * Recommendation: Ensure that future expenditure plans fully disclose the system capabilities, schedule, cost, and benefits to be delivered, as well as the acquisition strategy. Status: ICE implementation of this recommendation is in progress. The fiscal year 2005 expenditure plan does not show the level of detail and program scope for congressional stakeholders to understand its plans and commitments relative to system capabilities, cost, benefits, and schedule. In addition, it does not sufficiently describe progress made against program commitment (e.g., expected benefits). Instead, the plan and supporting documentation describe, for example, high-level system capabilities to be delivered under each project. Our prior experience shows that these plans need to disclose a sufficient level and scope of information for Congress to understand what the system capabilities are to be delivered, by when, at what cost, and what progress is being made against the commitments. The program manager stated that the program planned to include this information in future plans. Other Observations on the Expenditure Plan and Management of Atlas: Our observations address (1) Atlas project management planning and (2) an OMB assessment of the program. An overview of these observations follows: Project management planning does not include key elements. Atlas project plans, which are a key aspect of effective project planning, are not fully consistent with relevant guidance. For example, the plans are at a high level and are not based on a detailed work breakdown structure of tasks to be performed, do not include information on project cost or budget, and do not identify constraints or risks. Further, the plans have not been reviewed and approved by management and key stakeholders. According to the program manager, missing elements will be incorporated as the plans are reviewed and made final. Efforts are under way to address OMB concerns that Atlas was not demonstrating results. An August 2005 OMB assessment found that Atlas was not demonstrating expected results.[Footnote 8] In response, ICE developed an action plan (dated April 2006) to address the concerns. Examples of steps planned and under way include establishing an Atlas program management office to manage and oversee the program and developing goals and measures that are to be finalized by the end of June 2006. Program officials told us that the program will not be ready to be reassessed (i.e., agency management does not believe that significant improvement could be shown) by OMB until-at the earliest- October 2006. Citing this assessment, the administration's fiscal year 2007 budget stated that no funds were being provided for Atlas until the program weaknesses are addressed. Conclusions: The fiscal year 2005 Atlas expenditure plan, in combination with related program documentation and program officials' statements, satisfies or partially satisfies the legislative conditions set forth by Congress. However, this satisfaction is based on plans and commitments that provide for meeting these conditions, rather than on completed actions to satisfy the conditions. In addition, while steps are being initiated that are intended to address program management weaknesses, a number of improvements, including those recommended in our past report, have yet to be implemented. Thus, there is much that still needs to be accomplished to minimize the risks associated with the program's capacity to deliver promised IT infrastructure capabilities and benefits on time and within budget. Given that hundreds of millions of dollars are to be invested, it is essential that DHS follow through on its commitments to build the capacity to effectively manage the program. Proceeding without this capacity introduces unnecessary risks to the program and potentially jeopardizes its viability for future investment. Moreover, congressional decision makers need reliable information about program commitments that are to be met with the expenditure plan funds, including the benefits to be produced, the capabilities to be delivered, and the cost and schedule estimates to be met. By not providing this information in its fiscal year 2005 expenditure plan, DHS is impeding congressional oversight by not providing a meaningful basis for measuring performance and ensuring accountability. Recommendations for Executive Action: To minimize risks to the Atlas program, we recommend that the Secretary of Homeland Security direct the Assistant Secretary for Immigration and Customs Enforcement to take the following two actions: * Report periodically to Senate and House appropriations subcommittees regarding the program's progress in implementing our recommendations. * Develop and implement Atlas project plans consistent with elements of effective project planning. Agency Comments and Our Evaluation: On June 14, 2006, we provided a draft of this report to DHS for comment. On July 10, 2006, DHS's GAO audit liaison told us that the department did not intend to provide comments, recognizing that DHS officials, including the ICE Deputy CIO, had previously agreed with the briefing that this report summarizes. In addition, the liaison e-mailed us technical comments updating the status of Atlas-related activities of the department's Privacy Office and ICE. We incorporated the comments in the report and briefing as appropriate. We are sending copies of this report to the Chairmen and Ranking Members of other Senate and House committees and subcommittees that have authorization and oversight responsibilities for homeland security. We are also sending copies to the Secretary of Homeland Security, Assistant Secretary for Immigration and Customs Enforcement, and the Director of OMB. Copies of this report will also be available at no charge on our Web site at [Hyperlink, http://www.gao.gov]. Should you or your offices have any questions on matters discussed in this report, please contact me at (202) 512-3439 or at hiter@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributions to this report are listed in appendix II. Signed by: Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: [End of section] Appendix I: Briefing to Staffs Subcommittees on Homeland Security, Senate and House Committees on Appropriations: Information Technology: Immigration and Customs Enforcement Is Beginning to Address Infrastructure Modernization Program Weaknesses but Key Improvements Still Needed: Briefing to the staffs of the Subcommittees on Homeland Security, Senate and House Committees on Appropriations: April 28, 2006: Introduction Objectives Results in Brief Background Results: Legislative Conditions: Status of Open Recommendations Observations: Conclusions: Recommendations Agency Comments Attachment I: Scope and Methodology: Introduction: The Department of Homeland Security's (DHS) Bureau of Immigration and Customs Enforcement (ICE)[Footnote 9] is responsible for enforcing immigration, border security, trade, and other laws by, for example, investigating and collecting intelligence on individuals and groups that act to violate these laws. ICE is also responsible for protecting federal facilities. Atlas is the ICE program developed to modernize the bureau's information technology (IT) infrastructure, which includes the hardware (e.g., servers, routers, storage devices, communication lines) and system software (e.g., database management and operating systems and network management) that provide an environment for operating and maintaining software applications. According to ICE, the goals of Atlas include improving information sharing, strengthening information security, and improving workforce productivity. The fiscal year 2005 Department of Homeland Security Appropriations Act[Footnote 10] appropriated about $39.60 million for Atlas[Footnote 11] and prohibited DHS from obligating these funds until the department submitted a plan for how the funds were to be spent that satisfied the following legislative conditions: meets the capital planning and investment control review requirements established by the Office of Management and Budget (OMB), including OMB Circular A-11, part 7;[Footnote 12]: complies with DHS's enterprise information systems architecture; complies with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government; is reviewed and approved by DHS's Investment Review Board (IRB),[Footnote 13] the Secretary of Homeland Security, and OMB; and: is reviewed by the GAO. DHS submitted its fiscal year 2005 expenditure plan for $39.60 million on March 15, 2006, to the Senate and House Appropriations Subcommittees on Homeland Security. DHS submitted its fiscal year 2004 plan, which was for $9.8 million appropriated in fiscal year 2004, on March 16, 2005. We reviewed the plan, briefed the subcommittees in May 2005, and reported our results in September 2005[Footnote 14]. Objectives: As agreed, our objectives were to: 1. determine whether the Atlas fiscal year 2005 expenditure plan satisfies the legislative conditions, 2. determine the status of our prior recommendations on Atlas, and: 3. provide any other observations about the expenditure plan and DHS's management of the Atlas program. We conducted our work at DHS and ICE headquarters in Washington, D.C., from March 2006 through April 2006 in accordance with generally accepted government auditing standards. Details of our scope and methodology are provided in attachment I. Results in Brief: Objective 1: Satisfaction of legislative conditions: Legislative conditions: 1. Meets the capital planning and investment control review requirements established by OMB, including OMB Circular A-11, part 7. Status: partially satisfied [Footnote 15]. Legislative conditions: 2. Complies with the DHS enterprise information systems architecture. Status: partially satisfied: Legislative conditions: 3. Complies with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government; Status: satisfied [Footnote 16]. Legislative conditions: 4. Is reviewed and approved by the DHS IRB, Secretary of Homeland Security, and OMB. Status: satisfied: Legislative conditions: 5. Is reviewed by GAO; Status: satisfied: Source: GAO. [End of table] Objective 2: Status of actions to implement our open recommendations: GAO Recommendation: 1. Revise and update cost-benefit analysis; Status: Partially completed [Footnote 17]. GAO Recommendation: 2. Ensure program office is operational; Status: In progress [Footnote 18]. GAO Recommendation: 3. Develop and implement updated security plan and privacy impact assessment; Status: Partially completed. GAO recommendation: 4. Develop and implement rigorous performance management practices; Status: In progress. GAO Recommendation: 5. Ensure that future expenditure plans fully disclose Atlas capabilities, schedule, cost and benefits to be delivered, as well as the acquisition strategy; Status: In progress. Source: GAO. [End of Table] Objective 3: Other Observations: Project management planning does not include key elements. Specifically, the project plans developed for each of the seven Atlas projects do not include key elements of effective project planning such as identifying constraints and risks and being reviewed and approved by management and key stakeholders. The program is starting to address an August 2005 OMB assessment that found, among other things, that Atlas was not demonstrating results and had program management weaknesses. As a result, the administration did not provide funding for Atlas in its fiscal year 2007 budget. In April 2006, the program developed a corrective action plan to address assessment findings. Examples of corrective actions planned and under way include establishing a program management office and developing performance goals and measures. Program officials did not request to be reassessed by OMB in fiscal year 2006 because they did not believe significant improvement could be shown during that period. Rather, these officials are planning to be reassessed in fiscal year in 2007. We are making recommendations to the Secretary of Homeland Security to improve Atlas expenditure planning and program management. In commenting on a draft of this briefing, ICE officials, including the deputy chief information officer who is also the Atlas program manager, agreed with our results. Background ICE: ICE was formed as a component agency of DHS in 2003 when the law enforcement functions of the Justice Department's former Immigration and Naturalization Service (INS) and the Treasury Department's former Customs Service and other agencies were merged into DHS. The ICE mission is to ensure the security of the American people and homeland by, among other means, investigating violators of and enforcing the nation's immigration and customs laws; policing and securing federal buildings and other facilities; and collecting, analyzing, and disseminating intelligence to assist in these endeavors. Headed by the Assistant Secretary of Immigration and Customs Enforcement, ICE has approximately 15,000 employees in more than 400 offices domestically and in other countries. The Atlas program was started by INS in 2002. Responsibility for the program was transferred to ICE in 2003 as part of the establishment of DHS. The figure on the following slide shows ICE and Atlas organizational placement within DHS. Background: ICE and Atlas Organizational Placement: Figure: DHS Organizational Structure (simplified): [See PDF for Image] Source: GAO analysis of DHS data. [End of figure] Background Impetus for Atlas: According to ICE officials, Atlas was initiated to address information sharing and security limitations within the former INS caused by, for example, obsolete hardware/software that needed refreshing; incompatible, noninteroperable information systems; and: uneven system security capabilities. These officials stated that these challenges were exacerbated by the formation of ICE because the organizations merged into ICE had different hardware/software environments (e.g., multiple e-mail systems) and different missions and customer needs. Background: Goals of Atlas: The stated goals of Atlas are, among other things, to: promote information sharing and collaboration, strengthen information security, and: enhance workforce productivity. Background Atlas Projects: The fiscal year 2005 expenditure plan states that Atlas consists of these seven[Footnote 19] interrelated projects. Project: Common Computing Environment; Description: * Deploy a common e-mail application to replace multiple and disparate e-mail applications currently in use across ICE organizations. * Implement a single common active directory. * Initiate hardware refresh. Project: Integration[Footnote 20]; Description: * Migrate ICE offices to DHS OneNetwork infrastructure to provide investigators and other staff with faster access to information used to accomplish mission duties. Source: GAO analysis of DHS data. [End of table] Project: ICE Mission Information[Footnote 21]; Description: * Organize information so ICE users can find relevant, timely information from the best sources. * Improve information searching and indexing capabilities and implement tools for integrating legacy applications with Web-enabled front-ends. * Establish ICE-wide content management capability. Project: Information Assurance; Description: * Create information, system/application platform, network, and computer security measures to protect ICE information and systems. Project: Architecture Engineering[Footnote 22]; ; Description: * Provide state-of-the-art engineering facilities and tools to manage, operate, evaluate, and test new technologies to ensure alignment to the DHS enterprise architecture (EA). Source: GAO analysis of DHS data. [End of table] Project: Data Center Migration; Description: * Plan to migrate ICE hardware and applications from the Department of Justice data centers to the common DHS data center solution. Project: Transformation Planning; Description: * Implement program management practices, policies, and processes. * Provide adequate program office staffing. * Manage and oversee Atlas projects and contractors, including developing tools to help in these endeavors. * Ensure compliance with DHS's enterprise architecture. * Monitor adherence to cost, schedule, and performance goals. Source: GAO analysis of DHS data. [End of table] Background Atlas Appropriations: Figure: Atlas Appropriated Funds: [See PDF for Image] Source: GAO analysis based on DHS appropriation laws. [End of Figure] Background Atlas Expenditures: ICE reports that it has expended $61.5 million of the $73.4 million available for Atlas in fiscal years 2002, 2003, and 2004. The following table shows the expenditures by project. Project(millions of dollars): Common Computing Environment; Expenditures in fiscal year 2002[Footnote 27]: $0; Expenditures in fiscal year 2003[Footnote 27]: $10.5; Expenditures in fiscal year 2004[Footnote 28]: $2.2; Total: $12.7. Project(millions of dollars): Integration; Expenditures in fiscal year 2002[Footnote 27]: $6.1; Expenditures in fiscal year 2003[Footnote 27]: $16.9; Expenditures in fiscal year 2004[Footnote 28]: $2.1; Total: $25.1. Project(millions of dollars): ICE Mission Information; Expenditures in fiscal year 2002[Footnote 27]: $1.3; Expenditures in fiscal year 2003[Footnote 27]: $4.6; Expenditures in fiscal year 2004[Footnote 28]: $.8; Total: $6.7. Project(millions of dollars): Information Assurance; Expenditures in fiscal year 2002[Footnote 27]: $10.2; Expenditures in fiscal year 2003[Footnote 27]: $3.9; Expenditures in fiscal year 2004[Footnote 28]: $0; Total: $14.1. Project(millions of dollars): Architecture Engineering; Expenditures in fiscal year 2002[Footnote 27]: $0; Expenditures in fiscal year 2003[Footnote 27]: $0; Expenditures in fiscal year 2004[Footnote 28]: $0; Total: $0. Project(millions of dollars): Transformation Planning; Expenditures in fiscal year 2002[Footnote 27]: $0; Expenditures in fiscal year 2003[Footnote 27]: $0.9; Expenditures in fiscal year 2004[Footnote 28]: $2.0; Total: $2.9. Project(millions of dollars): Total; Expenditures in fiscal year 2002[Footnote 27]: $17.6; Expenditures in fiscal year 2003[Footnote 27]: $36.8; Expenditures in fiscal year 2004[Footnote 28]: $7.1; Total: $61.5. Source: GAO analysis of DHS data. [End of table] Background: Planned Use of Fiscal Year 2005 Funding: According to the fiscal year 2005 expenditure plan, the $39.60 million is to be spent on seven projects. Project: Common Computing Environment; FY 05 funds (in millions): $18.00 Planned use: * Implement active directory and mail exchange system; * Refresh hardware; * Carry out project management activities. * Provide services for the interoperability lab. Project: Integration; FY 05 funds (in millions): $1.60; Planned use: * Integrate ICE network to DHS One network. * Deploy streaming video for field sites. * Upgrade firewall. Project: ICE mission information; FY 05 funds (in millions): $11.40; Planned use: * Implement technology to support Enterprise Interoperability and Enterprise Query. * Upgrade Web farm (replace obsolete hardware and software supporting the Internet and Intranet Web server environment). Project: Information assurance; FY 05 funds (in millions): $1.90; Planned use: * Implement cyber identity management (single sign on) in coordination with DHS. * Perform audit log management. Project: Architecture engineering; FY 05 funds (in millions): $1.30; Planned use: * Plan for the consolidated lab. * Establish an image lab that meets best practices. * Implement technology assessment program. Project: Transformation Planning; FY 05 funds (in millions): $4.00; Planned use: * Continue program management activities. * Improve project management support. * Enhance IT workforce (FTE recruitment). Project: Data center migration; FY 05 funds (in millions): $1.40; Planned use: * Plan to migrate ICE hardware and applications from two Department of Justice data centers to a common DHS data center solution. Total; $39.60. Source: GAO analysis of DHS data. [End of table] Objective 1 Results Legislative Conditions: The Atlas expenditure plan satisfies or partially satisfies each of the legislative conditions. Condition 1 partially satisfied. The expenditure plan, including related program documentation and statements from the program manager, partially satisfies the capital planning and investment control review requirements established by OMB, including Circular A-11, part 7, which establishes policy for planning, budgeting, acquisition, and management of federal capital assets. Examples of our analysis are included in the following table. As the table shows, not all OMB requirements have been satisfied, but oral commitments have been made for doing so. Given that ICE has reportedly already invested $ 61.5 million on Atlas projects and plans to invest another $39.60 million this year, it is important for ICE to follow through on these commitments. Examples of OMB Circular A-11 requirements: Indicate whether the investment was approved by an investment review committee; Results of our findings: The plan was approved on December 21, 2005, by DHS's Deputy Secretary, who chairs the DHS Investment Review Board. Examples of OMB Circular A-11 requirements: Provide justification and describe acquisition strategy; Results of our findings: A business case, including a cost-benefit analysis, was issued in December 2005 to provide economic justification for the program. In addition, the expenditure plan identifies the ICE contracts that are being used, and to be used, to acquire hardware and software products and program support services. An acquisition plan was approved in February 2006 which includes a statement of need and the capabilities to be delivered through these contracts. While the program currently relies on ICE contracting support, the program manager plans to hire a contracting officer's technical representative to help ensure compliance with contract criteria and Atlas program objectives, but no target date has been established for hiring this official. Examples of OMB Circular A-11 requirements: Summarize life-cycle costs and cost-benefit analysis, including the return on investment; Results of our findings: The December 2005 cost-benefit analysis (discussed above) provides costs and benefits for the life cycle of Atlas, which is through the year 2024. The analysis also includes an estimated return on investment for three alternative approaches. While the analysis was in large part, consistent with OMB and best practices guidance, it did omit key practices. For example, the analysis did not include all key mission requirements. According to the program manager, the analysis is considered to be a "living document" and the program plans to update it in the near future to, among other things, address these requirements. A specific plan and schedule for the update was not provided. This area is more fully discussed in the open recommendations section of the briefing. Examples of OMB Circular A-11 requirements: Provide performance goals and measures; Results of our findings: Supporting documentation identifies seven proposed goals and measures, but three projects do not have measures. According to the program manager, the program is beginning to use the measures it has but has not yet institutionalized their use. In addition, as part of updating the Atlas business case (in December 2005), the program mapped Atlas's goals to ICE's mission and goals. According to the program, it is the program's intent to develop measures for the three projects. However, a plan and timetable was not provided for when this would be done. Our analysis of Atlas's performance management is discussed in more detail in the open recommendations section of the briefing. Examples of OMB Circular A-11 requirements: Address security and privacy; Results of our findings: The plan and supporting documentation state the importance of security and privacy and provide high-level information on intended security measures, including one proposed project-Information Assurance-that is intended to implement an ICE security program. The plan allocates $1.9 million to this project. In addition, ICE issued an Atlas system security plan, as well as a security test and evaluation plan in April 2006. ICE also developed a draft Atlas privacy impact assessment in August 2005. The security plan, however, did not include key practices called for by federal IT security guidance. This area is more fully discussed in the open recommendation section of the briefing. Examples of OMB Circular A-11 requirements: Provide for managing risk; Results of our findings: ICE issued a risk management plan on January 23, 2006. The risk plan provides guidance for identifying, analyzing, and resolving program risks before they occur. In addition, the program manager stated that the program recently hired a risk analyst to help identify and monitor risks. However, Atlas does not have, among other things, a complete inventory of all risks to the program. Program officials stated they plan on acquiring an automated tool by June 2006 to help them complete the inventory and manage risks. Our complete findings related to risk management are addressed in our open recommendations section. [End of Table] Condition 2 partially satisfied. The plan, including related program documentation and DHS officials' statements, partially satisfies the condition that the department ensure Atlas is compliant with DHS's enterprise architecture (EA). An EA provides a clear and comprehensive picture of an organization's operations and its supporting systems and infrastructure. It is an essential tool for effectively and efficiently engineering business processes and for implementing and evolving supporting systems in a manner that maximizes interoperability, minimizes overlap and duplication, and optimizes performance. We have worked with the Congress, OMB, and the federal Chief Information Officers Council to highlight the importance of architectures for both organizational transformation and IT management. An important element of EA management is ensuring that IT investments are compliant with EA, including basing such assessments on documented analysis. On August 6, 2004, we reported on version 1.0 of DHS's EA, stating that DHS's initial EA provides a partial foundation but was missing key elements expected to be found in a well-defined architecture[Footnote 29]. DHS has since developed version 2.0, and more recently version 2006, of its EA. We have not reviewed these versions of D H S's EA. The DHS Enterprise Architecture Board, supported by the Enterprise Architecture Center of Excellence,[Footnote 30] is responsible for ensuring that projects demonstrate adequate technical and strategic compliance with the department's EA. To this end, the board conducts compliance reviews at key decision points in an investment's life cycle. Specifically, DHS guidance[Footnote 31] directs the board prior to an investment's acquisition milestone (referred to by DHS as key decision point 2) to assess the investment against the transition strategy, data architecture, application component and technology architecture. In May 2005, the Atlas program manager in preparation for Atlas's key decision point 2, requested that the center assess the program's compliance with the EA and in doing so, provided supporting documentation, such as the expenditure plan and the business case. Using this information, center staff compared Atlas to version 2.0 of the EA. In June 2005, the center reported the results of its assessment to the board, stating that Atlas was in compliance; however, it also stipulated conditions to be addressed by the program. The conditions included providing additional documentation (e.g., a list of proposed infrastructure and IT systems that are to be funded by Atlas). In July 2005, the board approved this compliance determination subject to the same conditions specified by the center. According to board and center officials, including DHS's chief architect, Atlas program officials later satisfied the conditions by providing the information. According to the DHS chief architect, the Center for Excellence based its determination on documentation submitted by the Atlas program manager and discussions among center members, which include subject matter experts and representatives from the component agencies and DHS's Offices of Compliance and Computer Information Security. However, the determination was not based on documented analysis mapping Atlas's infrastructure architecture to the EA. Specifically, the DHS chief architect told us that the department does not have a documented methodology for evaluating programs for compliance with the DHS EA, other than relying on the expertise of the Center for Excellence members. In addition, no analysis or documentation was produced or given to us by the center staff that could be used to verify their Atlas alignment decision. Furthermore, center officials indicated that programs such as Atlas are not identified in the DHS EA version 2.0. Performing and documenting the analysis, based on a documented methodology, of how a project maps to its EA, is necessary to make informed, fact-based alignment determinations. Given the critical role that Atlas is to play in contributing to DHS's strategic information sharing and interoperability goals, it is important for ICE and DHS to follow through on stated commitments to base Atlas compliance determinations on documented and verifiable analysis. Condition 3 Satisfied. The plan, including related program documentation and statements from the Atlas program manager, either satisfies or provides for satisfying the condition to comply with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government. These practices provide a management framework based on the use of rigorous and disciplined processes for planning, managing, and controlling the acquisition of IT resources, including: acquisition planning, which ensures, among other things, that reasonable plans, milestones, and schedules are developed and that all aspects of the acquisition effort are included in these plans; solicitation, which involves making sure that (1) a request for proposals delineating a project's requirements is prepared and (2) consistent with relevant solicitation laws and regulations, a contractor is selected that can most cost-effectively satisfy these requirements; requirements development and management, which includes establishing and maintaining a common and unambiguous definition of requirements among the acquisition team, the system users, and the development contractor; project management provides for management of the activities within the project office and supporting contractors to ensure a timely, efficient, and cost-effective acquisition; contract tracking and oversight, which ensures that the development contractor performs according to the terms of the contract; needed contract changes are identified, negotiated, and incorporated into the contract; and contractor performance issues are identified early, when they are easier to address; and: evaluation, which determines whether the acquired products and services satisfy contract requirements before acceptance. These acquisition management processes are also embodied in published best practices models, such as the Software Engineering Institute's (SEI) Software Acquisition Capability Maturity Model.[Footnote 32] Examples of our analysis of ICE performance of these processes and practices are shown on the following table. They show that not all aspects of the processes and practices have been implemented, but that oral commitments have been made for doing so. Given that ICE has already invested $ 61.5 million on Atlas projects and plans to invest another $39.60 million this year, it is important for ICE to follow through on these commitments. Examples of practices: Acquisition planning Ensures that reasonable plans, milestones, and schedules are developed and that all aspects of the acquisition effort are included in these plans; Results of our analysis: The expenditure plan and supporting documents (e.g., the fiscal year 2005 Atlas budget submission to OMB known as an Exhibit 300) provide aspects of a high-level acquisition strategy, such as identifying the ICE contracts that are being used, and are to be used, to acquire products and program support services. An acquisition plan was issued in February 2006 which includes a statement of program needs and the capabilities to be delivered through these contracts. While the program currently relies on ICE contracting support, the program manager plans to hire a contracting officer's technical representative to help ensure compliance with contract criteria and Atlas program objectives, but no target date has been established for hiring this official. In addition, the business case issued in December 2005, provides details on alternatives, cost, and schedule. A risk management plan for the program was issued on January 23, 2006, and contains guidance for assessing risk, and also contains a partial inventory of risks. According to the program manager, Atlas is currently following the February 2005, ICE System Lifecycle Management Handbook [Footnote 33].The handbook addresses a number of key process areas such as project management and requirements development and management; however, it does not address certain key acquisition management activities, such as solicitation and contract tracking and oversight. Atlas program officials recognize this problem and plan to confer with the ICE acquisition officials, but did not offer a plan or date of when this will be completed. Project management Provides for the management of activities within the project office and supporting contractors to ensure a timely, efficient, and cost-effective acquisition; Results of our analysis: ICE has begun to establish a program office with responsibility for managing the acquisition, deployment, operation, and sustainment of Atlas. The Atlas program management office is allocating funding of $4 million via the Transformation Planning project in the expenditure plan. The current staffing of the program office consists of a program manager, who is also the deputy Chief Information Officer (CIO), six project managers, and other contracting support personnel (e.g., EA specialist, business analyst, risk analyst). According to the program manager, he is currently in the process of hiring a deputy program manager and plans to hire a project manager for Data Center Migration once fiscal year 2005 expenditure plan funds become available. Although staff have been hired, the program office is still not fully operational since according to the program manager, it will take a time for the new staff to obtain security clearances and pass other DHS personnel requirements. Condition 4 Satisfied. DHS and OMB satisfied the legislative condition requiring that the plan be reviewed and approved by the DHS I RB, Secretary of Homeland Security, and OMB. The DHS Deputy Secretary, who chairs the DHS IRB, approved the plan on December 21, 2005. OMB approved the plan on March 10, 2006. Condition 5 Satisfied. GAO satisfied the condition that it review the plan. Our review was completed on April 28, 2006. Objective 2 Results Open Recommendations: Open recommendation 1: Revise and update the cost-benefit analysis to identify current mission requirements, determine how they will be met, and develop an estimate of the program's incremental and life-cycle costs, benefits, schedule, and return on investment. This should also include establishing plans, associated tasks, and milestones for accomplishing this effort. Status: Partially complete: The program developed a cost-benefit analysis, but in doing so, did not fully adhere to our recommendation and key practices called for by OMB[Footnote 34]. To its credit, the program established a plan, including associated tasks and milestones, for this effort and executed it, which resulted in issuance of a revised and updated cost-benefit analysis in December 2005 as part of an overall business case justification for Atlas mission requirements. The cost-benefit analysis included three alternative solutions for how the requirements would be met as well as estimates of each alternative's life-cycle costs, benefits, schedule, and return on investment[Footnote 35]. Further, the analysis also identifies net present value[Footnote 36] for each alternative. However, there are several areas where the study is not consistent with our recommendation and OMB guidance on cost-benefit analyses and IT incremental investment. First, the study does not identify all key mission requirements. For example, while it addressed requirements related to Atlas's support of information sharing within ICE and with other DHS components, it did not include requirements-stated in ICE's July 2005 strategic plan-to support the sharing of law enforcement and immigration information with external partners such as the Departments of Justice and State as well as state and local law enforcement entities. Other examples of omitted requirements include the program's intent to (1) reengineer business processes as part of its IT infrastructure transformation and (2) develop business applications. According to the program manager, the study did not include these requirements because the former CIO did not envision them being part of Atlas; however, the new CIO has a broader vision of Atlas that includes these requirements. Consequently, the program manager stated he has been tasked to develop an Atlas long-range strategic plan for information sharing with the goal of defining a comprehensive set of requirements that can be used to update the cost-benefit analysis; at that time, the business case and its analysis of costs and benefits are to be updated to include any other outstanding requirements such as those for the reengineering and business applications. Including known requirements is important because it potentially affects, among other things, the alternatives considered and their estimated costs and benefits. Second, a complete analysis of uncertainty (i.e., both a sensitivity analysis and a Monte Carlo simulation [Footnote 37]) for each of the alternatives was not performed, although OMB and DHS guidance call for it. That is, the cost-benefit analysis did not include a Monte Carlo simulation. According to the program officials, this simulation was performed but was not included in the study. However, the results of the simulation, including supporting documentation, have yet to be provided to us. Such an analysis of uncertainty is key because it provides decision makers with a perspective on potential variability of costs and benefits should circumstances change. This is particularly critical in Atlas's case because each of the competing alternatives involve large estimated costs and benefits that were close in comparison. Third, OMB guidance calls for dividing projects into a series of smaller, incremental subprojects or releases so that investment decisions can be made on each increment. Among other things, this reduces the risk of associated with investing large sums over many years in anticipation of delivering capabilities and expected business value far into the future. However, the cost-benefit analysis, and the alternative selected, shows that the program is being justified and will be measured on a monolithic basis, rather than in a series of increments. It is important for Atlas to comply with this practice to enable informed incremental decision making and reduce the risk associated with the current approach. Open recommendation 2: Make the Atlas program office operational by (1) developing a staffing needs assessment to determine the positions and the level of staffing needed for all projects to adequately manage the program, including a human capital strategy for acquiring the staff and a timetable for bringing them on board; (2) finalizing the roles and responsibilities for the positions identified in the staffing assessment and for the projects; and (3) implementing and institutionalizing key acquisition management controls, including risk management processes where relevant responsibilities are assigned and key risks and their status are reported to an executive body. Status: In progress: Atlas program officials have taken some, but not all, of the steps essential to make the program office operational. First, in April 2006, the program officials completed an organizational structure and staffing assessment. The assessment identified, among other things, an organizational structure, functions, and associated positions for the program office as well as the staff needed to fill the positions. According to the assessment, a total of 11 full-time equivalents is needed to staff the office. To date, ICE has hired most staff and is in the process of hiring others. Staff currently in place include a program manager, who is also the Deputy CIO, six project managers, and contracting support personnel (e.g., EA specialist, business analyst, risk analyst, documentation specialist). ICE is in the process of hiring a deputy program manager and plans to hire a project manager for Data Center Migration once fiscal year 2005 expenditure plan funds become available. Program officials stated that these hires need to obtain security clearances and pass other ICE personnel requirements before they can be brought on board to work. The program office's organization structure, functions, and staffing status are shown on the following page. Second, as part of the organizational structure and staffing assessment, the program office also finalized staff roles and responsibilities, including providing high-level tasks for each of the staff. In addition, the office drafted in April 2005, project charters which also further described roles and responsibilities for staff serving on projects. Atlas Program Management Office: [See PDF for Image] Source: GAO analysis of DHS data. Third, the program office has begun to implement key acquisition management controls, such as risk management and acquisition management. For example, as previously discussed, the program has developed and issued acquisition and risk management plans. The Atlas acquisition plan was completed in February 2006, and the risk management plan was completed in January 2006. In addition, the Atlas program has defined and implemented key risk management processes. For example, they have developed a risk management process that guides program office staff on how to, among other things, identify, report, and manage risks throughout an investment's life cycle. They also hired an analyst to manage the Atlas risks. However, because the risk management process has just been recently implemented, a complete inventory of risks has not been prepared. According to program officials, risks associated with each of the individual projects that comprise Atlas are currently being identified and will be added to the inventory, and mitigation plans will be developed for each risk. Further, they plan to review all risks at monthly program management meetings. Program officials stated that they expect to complete these actions by June 2006. Until the program management office is fully staffed and key capabilities are in place and functioning, ICE faces the increased likelihood that Atlas will not meet its objectives on schedule and within budget. Open recommendation 3: Develop and implement an updated Atlas security plan and privacy impact assessment. This should also include establishing plans, associated tasks, and milestones for accomplishing this effort. Status: Partially complete: The program has partially completed implementation of this recommendation. Specifically, the program issued an updated Atlas security plan in April 2006. While the plan does include key practices called for by federal IT security guidance, [Footnote 38] it also is missing important ones as well. Examples of missing or partially addressed practices include the following: Inventory of all information systems is incomplete, Description of all the systems covered by the plan is not yet complete, System interconnections and information sharing between each system are not defined, and: Common and system-specific security controls are not defined. With regard to the privacy impact assessment, the program issued a draft assessment in August 2005 for management review. According to the program manager, the draft has been approved by ICE management and is currently under review by the department's Privacy Office. Privacy officials told us they have reviewed the draft and requested additional documentation from ICE but did not provide a date for when its review would be finalized. The program manager stated that the program would not begin using the assessment to guide decisions on project privacy until the department-level review is completed. Having a completed and approved security plan and privacy assessment are important because they provide system and privacy requirements that are used to guide further Atlas definition and acquisition. The security plan also describes the controls that are in place or planned for meeting the requirements. Proceeding without such information in a documented and approved fashion increases the risk that Atlas security and privacy requirements will not be effectively and efficiently addressed. Open recommendation 4: Develop and implement rigorous performance management practices for the Atlas program that include properly aligned goals, benefits, achievements, and anticipated achievements that are defined in measurable terms. This should also include establishing plans, associated tasks, and milestones for accomplishing this effort. Status: In progress: Atlas is in the process of (1) aligning Atlas goals, benefits, and other performance indicators and (2) expressing achievements in terms of measurable outcomes. Specifically, the program has taken steps to align its goals and other indicators and is beginning to implement their use; however, the program has not addressed our recommendation about reporting achievements as measurable outcomes. Since our last report, ICE's CIO assigned the responsibility for addressing our recommendations to the Atlas program manager. The program manager's approach to achieving goal alignment was to perform the necessary analysis as part of updating the business case and finalizing the fiscal year 2005 expenditure plan. As part of updating the Atlas business case (December 2005), the program mapped Atlas's mission and six goals to ICE's mission and goals and then showed the link between these and the department's overall mission and goals. The business case also maps Atlas's goals to each of the Atlas projects. Further, in completing the current expenditure plan, the program identified nine performance goals, which the program recently reduced to seven. The program also developed a measure to gauge progress on each performance goal. Examples include: For the Common Computing Environment, the goal is to have 100 percent of ICE personnel using the target common e-mail system by the end of fiscal year 2006; the measurement is the percent of ICE personnel using the target e-mail system. * For the Program Management project, the goal is to have in fiscal year 2008, a 50 percent reduction in the current cost of operations and maintenance; the measurement is the percent reduction in operations and maintenance costs. However, three of the projects did not have performance goals and measures. They are: Architecture Engineering, Transformation Planning, and Data Center Migration. According to the program manager, he plans to develop goals and measures for these projects by June 2006. In addition, the program has not yet implemented and institutionalized the seven measures. According to the program manager, the program is currently beginning to collect data to do this but added that there is not much to measure until they get expenditure plan funds and begin making progress on projects. Once the measurement process starts, he stated the program is to report the results to ICE's CIO at the monthly Atlas program management reviews and include the result in future expenditure plans as well. With regard to reported achievements in the current expenditure plan, they are not expressed in terms of measurable outcomes or results, but rather as activities completed. Examples of this include: Initiated activities toward establishing an environment to support the development and demonstration of enterprise query and interoperability capabilities, Completed high-level planning and preliminary analysis related to architecture engineering, and: Designed and implemented limited operation of network and host-based vulnerability scanning capabilities. Until planned actions are implemented and being used to manage the program, managers will still not have the necessary information for measuring progress and making well-informed investment decisions. Open recommendation 5: Ensure that future expenditure plans fully disclose the system capabilities, schedule, cost, and benefits to be delivered, as well as the acquisition strategy for Atlas. Status: In progress: The fiscal year 2005 Atlas expenditure plan does not show the level of detail and scope of the program for Congress to understand its plans and commitments relative to system capabilities, cost, benefits, and schedule. It does not sufficiently describe progress made against program commitments (e.g., expected benefits). Instead, the expenditure plan and supporting documentation describe, for example, high-level system capabilities to be delivered under each project, planned expenditure aggregated by project (not linked to system capabilities), and high-level benefits of Atlas. It does not link planned expenditures to system capabilities, set milestones for delivery of system capabilities, provide schedule estimates, or discuss benefits to be realized as a result of planned system investments. Our prior experience in working with Congress and other agencies on developing and implementing expenditure plans shows that these plans need to disclose a sufficient level and scope of information in order for Congress to understand what the system capabilities and benefits are to be delivered, by when, at what cost, and what progress is being made against the commitments. The program manager stated he agreed and that the program planned to include this information in future plans. Without the level of detail needed in the expenditure plans, Congress will not have the essential information needed to oversee progress and make informed decisions about expenditure plan approval. Objective 3 Results Observations: Project Plans: Observation 1: Project management planning does not include key elements. According to the SEI's Capability Maturity Model Integration, [Footnote 39] a key process area essential to effectively managing IT projects is planning. IT project planning ensures, among other things, that the project team establishes and maintains written plans that define the scope and breath of project activities. According to SEI, such project plans also provide the basis for performing and controlling project activities and are to be developed before initiating a project. Having project information documented in a written plan among other things (1) ensures commitment among project team members and between the team and its stakeholders and (2) provides a consistent understanding of the project across the organization. Project plans can also help to identify potential problems so that they can be addressed early on in the project, when changes are less disruptive and cheaper to make. According to the maturity model, project plans are to include major milestones, constraints, risks, tasks to be accomplished, resources, skills requirements, stakeholder identification, stakeholder review and approval, budget, and schedule. However, Atlas's current project plans are not fully consistent with this criteria. In lieu of such plans, Atlas managers are to use project charters (issued in draft in April 2006) and project schedules with associated work tasks to manage their projects. Collectively, the charters and schedule include some key elements of effective project planning. Specifically, they identify the key stakeholders, key team members, mission statement, roles and responsibilities, major milestones, and high-level work tasks to be accomplished. However, other key elements are missing. For example, the charters have not been reviewed and approved by management and key stakeholders. In addition, the charters and schedules: are high-level in nature in that they were not based on a detailed work breakdown structure of task to be performed, do not include any discussion of the project's cost and budget that would be necessary to execute the project, and: do not identify constraints and risks. The program manager stated that missing elements are to be incorporated as the plans are received and made final. Given that Atlas is reportedly currently spending on three projects and plans to spend more on all projects, it is important that the Atlas program develop more rigorous project plans to guide and control the management of these projects. Without such plans, the program faces the increased likelihood its projects will not meet its expectations on time and within budget. Objective 3 Results: Observations: Program Assessment Rating Tool: Observation 2: Efforts underway to address OMB concerns that Atlas was not demonstrating results. OMB uses a Program Assessment Rating Tool (PART) to assess how well government programs are performing. OMB reviewed the Atlas program and reported in August 2005 that the program was not demonstrating expected results. Specifically, OMB reported that there was insufficient evidence of program results and accountability. For example, it stated that the program had not demonstrated adequate progress in achieving its long-term performance goals. It also noted that the program was focused on short-term agency integration goals and lacked a long-term strategy to help the agency share information with its law enforcement partners. OMB also reported that the program has weak program management structure. Citing this assessment, the Administration's fiscal year 2007 budget stated that no funds were not being provided for Atlas until the program's weaknesses were addressed. To address OMB's findings, Atlas developed an action plan (dated April 2006) citing steps planned and under way. Examples of steps planned and under way include the following: Establishing an Atlas program management office to manage and oversee the program, including plans to acquire a project management tool to report cost, schedule, and performance data. Developing performance goals and measures for the program. According to the program officials, these goals and measures are being revised with the goal of being final by June 2006. Developing a long-range strategy to help ICE share information with its law enforcement and immigration enforcement partners. According to OMB, programs that receive a "results not demonstrated" assessment can request an abbreviated reassessment if they believe there is evidence of significant change. Program officials told us that a reassessment was not requested for fiscal year 2006 because agency management did not believe that significant improvement could be shown. They also stated that the program plans to be reassessed in fiscal year 2007. Until Atlas addresses management weaknesses, shows it is demonstrating results, and is reassessed by OMB, it is unclear whether funding will be budgeted for further investment in Atlas. Conclusions: The fiscal year 2005 Atlas expenditure plan, in combination with related program documentation and program officials' statements, satisfies or partially satisfies the legislative conditions set forth by Congress. However, this satisfaction is based on plans and commitments that provide for meeting these conditions, rather than on completed actions to satisfy the conditions. In addition, while steps are being initiated that are intended to address program management weaknesses, a number of improvements, including those recommended in our past report, have yet to be implemented. Thus, there is much that still needs to be accomplished to minimize the risks associated with the program's capacity to deliver promised IT infrastructure capabilities and benefits on time and within budget. Given that hundreds of millions of dollars are to be invested, it is essential that DHS follow through on its commitments to build the capacity to effectively manage the program. Proceeding without this capacity introduces unnecessary risks to the program and potentially jeopardizes its viability for future investment. Moreover, congressional decision makers need reliable information about program commitments that are to be met with the expenditure plan funds, including the benefits to be produced, the capabilities to be delivered, and the cost and schedule estimates to be met. By not providing this information in its fiscal year 2005 expenditure plan, DHS is impeding congressional oversight by not providing a meaningful basis for measuring performance and ensuring accountability. Recommendations for Executive Action: To minimize risks to the Atlas program, we recommend that the Secretary of Homeland Security, direct the Assistant Secretary for Immigration and Customs Enforcement to take the following two actions: Report periodically to Senate and House appropriations subcommittees regarding the program's progress in implementing our recommendations. Develop and implement Atlas project plans consistent with elements of effective project planning. Agency Comments: In their April 27, 2006, oral comments on a draft of this briefing, ICE officials, including the Deputy CIO and Atlas program manager, agreed with our results. These officials also provided technical comments, which we incorporated in the briefing as appropriate. Attachment I Scope and Methodology: To accomplish our objectives, we: analyzed the fiscal year 2005 Atlas expenditure plan and supporting documents against legislative conditions and other relevant federal requirements, guidance, and best practices to determine whether the conditions were met. In doing so, we considered the conditions met when the expenditure plan, including supporting program documentation and program officials' representations, either satisfied or provided for satisfying the conditions, and: assessed supporting documentation and interviewed program and other involved ICE and DHS officials to determine progress in implementing our recommendations and establishing capabilities in program management areas, such as: * acquisition planning, * enterprise architecture, * project management, * human capital planning, * risk management, * security, and: * privacy. For DHS and ICE data that we did not substantiate, we made appropriate attribution indicating the data source. We conducted our work at ICE and DHS headquarters in Washington, D.C., from March 2006 through April 2006 in accordance with generally accepted government auditing standards. [End of section] Appendix II: GAO Contact and Staff Acknowledgments: GAO Contact: Randolph C. Hite (202) 512-3439: Staff Acknowledgments: In addition to the individual named above, Gary Mountjoy, Assistant Director; Harold Brumm; Neil Doherty; Nancy Glover; James Houtz; Tom Mills; and Tammi Nguyen made key contributions to this report. FOOTNOTES [1] Pub. L. No. 108-334 (Oct. 18, 2004). [2] We transmitted the briefing to the staffs on April 28, 2006. [3] OMB Circular A-11, part 7, establishes policy for planning, budgeting, acquiring, and managing federal capital assets. [4] An enterprise architecture provides a clear and comprehensive picture of an organization's operations and its supporting systems and infrastructure. It is an essential tool for effectively and efficiently engineering business processes and for implementing and evolving supporting systems in a manner that maximizes interoperability, minimizes overlap and duplication, and optimizes performance. [5] Partially complete means actions are under way to implement the recommendation. [6] OMB, Guidelines and Discount Rates for Benefits-Cost Analysis of Federal Programs, Circular A-94. (Washington, D.C.: Oct. 29, 1992). [7] In progress means that actions have been initiated to implement the recommendation. [8] OMB made this assessment using its Program Assessment Rating Tool, which is used to assess how well government programs are performing. [9] ICE was formed from the former Immigration and Naturalization Service (INS), U.S. Customs Service, and other entities. Atlas began in 2002 under the former INS. [10] Pub. L. No. 108-334 (Oct. 18, 2004). [11] 1n the Act, Atlas is called Automation Modernization. [12] OMB Circular A-11 establishes policy for planning, budgeting, acquisition, and management of federal capital assets. [13] The purpose of the IRB is to integrate capital planning and investment control, budgeting, and acquisition. It is also to ensure that spending on investments directly supports and furthers the mission and that this spending provides optimal benefits and capabilities to stakeholders and customers. [14] GAO, Information Technology. Management Improvements Needed on Immigration and Customs Enforcement's Infrastructure Modernization Program, GAO-05-805, (Washington, D.C.: Sept. 7, 2005). [15] Partially satisfied means that the plan, in combination with supporting documentation, and stated commitments by program officials, either satisfied or provides for satisfying many, but not all, key aspects of the condition that we reviewed. [16] Satisfied means that the plan, in combination with supporting documentation, and stated commitments by program officials, either satisfied or provided for satisfying every aspect of the condition that we reviewed. [17] Partially complete means actions are under way to implement the recommendation. [18] In progress means that actions have been initiated to implement the recommendation. [19] Since the FY 2004 expenditure plan, Atlas program officials merged Electronic Access/E-Government with Enterprise Information and more recently renamed the project ICE Mission Information. In addition, Atlas added a new project called Data Center Migration. [20] In the FY 2004 expenditure plan, Atlas called this project Connectivity. [21] This project used to be called Enterprise Information. [22] In the FY 2004 expenditure plan, Atlas called this project Infrastructure Engineering. [23] Counterterrorism funding came from the Department of Defense and Emergency Supplemental Appropriations for Recovery from and Response to Terrorist Attacks on the United States Act, 2002. Pub. L. No. 107-117 (Jan. 10, 2002); H.R. Report 107-350 (Dec. 19, 2001). [24] Pub. L. No. 108-90 (Oct. 1, 2003). [25] Pub. L. No. 108-334 (Oct. 18, 2004). [26] DHS's fiscal year 2006 appropriations (Pub. L. No. 109-90, Oct. 18, 2005) provided $40.15 million for Atlas. In December 2005, this amount was reduced to $39.7 million via a 1 percent government- wide rescission in Pub. L. No 109-148 (Dec. 30, 2005), Emergency Supplemental Appropriations to Address Hurricanes in the Gulf of Mexico and Pandemic Influenza, 2006. [27] As of March 15, 2006. [28] As of April 6, 2006. [29] GAO, Homeland Security. Efforts Under Way to Develop Enterprise Architecture, but Much Work Remains, GAO-04-777 (Washington, D.C.: Aug. 6, 2004). [30] A review group made up of subject manner experts that recommends EA compliance to the DHS Enterprise Architecture Board and ultimately to the DHS IRB. [31] Department of Homeland Security Enterprise Architecture Board: EAB Governance Process Guide, August 9, 2004. Draft Version 2.0. [32] Developed by Carnegie Mellon Software Engineering Institute (SEI), Software Acquisition Capability Maturity Model (SA-CMM), Version 1.03 (March 2002). [33] U.S. Immigration and Customs Enforcement: System Lifecycle Management, The Systems Development Lifecycle of Immigration and Customs 33 Enforcement, February 2005, Version 1.0. [34] 0MB, Guidelines and Discount Rates for Benefits-Cost Analysis of Federal Programs, Circular A-94. (Washington, D.C.: Oct. 29, 1992). [35] The scope our work did not include assessing the reliability of the cost, benefit, and schedule estimates developed as part of the analysis. [36] The discounted monetized value of expected net benefits (i.e., benefits minus costs). [37] Uncertainty analyses generally include both a sensitivity analysis and a Monte Carlo simulation. A sensitivity analysis is a quantitative assessment of the effect that a change in an assumption- the numerical value of a single parameter (such as unit labor cost)- will have on net present value. A Monte Carlo simulation allows all of the model's parameters to vary simultaneously according to their associated probability distribution. The result is a set of estimated probabilities of achieving alternative outcomes (costs, benefits, and/ or net benefits) given the uncertainty in the underlying parameters. [38] National Institute of Standards and Technology, Guide for Developing Security Plans for Federal Information Systems, Special Publication 800- 46 18 Revision 1: February 2006. [39] For example, see Carnegie Mellon Software Engineering Institute, Capability Maturity Model Integration (CMMIsm), Version 1.1 (March 2002). GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: