This is the accessible text file for GAO report number GAO-07-1065 entitled 'Homeland Security: U.S. Visitor and Immigrant Status Program's Long-standing Lack of Strategic Direction and Management Controls Needs to Be Addressed' which was released on September 4, 2007. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: August 2007: Homeland Security: U.S. Visitor and Immigrant Status Program's Long-standing Lack of Strategic Direction and Management Controls Needs to Be Addressed: GAO-07-1065: GAO Highlights: Highlights of GAO-07-1065, a report to congressional committees. Why GAO Did This Study: The Department of Homeland Security (DHS) has established a program known as U.S. Visitor and Immigrant Status Indicator Technology (US- VISIT) to collect, maintain, and share information, including biometric identifiers, on certain foreign nationals who travel to the United States. By congressional mandate, DHS is to develop and submit an expenditure plan for US-VISIT that satisfies certain conditions, including being reviewed by GAO. GAO reviewed the plan to (1) determine if the plan satisfied these conditions, (2) follow up on certain recommendations related to the program, and (3) provide any other observations. To address the mandate, GAO assessed plans and related documentation against federal guidelines and industry standards and interviewed the appropriate DHS officials. What GAO Found: The US-VISIT expenditure plan, including related program documentation and program officials’ statements, satisfies or partially satisfies some but not all of the legislative conditions required by the Department of Homeland Security Appropriations Act, 2007. For example, the department satisfied the condition that it provide certification that an independent verification and validation agent is currently under contract for the program and partially satisfied the condition that US-VISIT comply with DHS’s enterprise architecture. However, the department did not satisfy the conditions that the plan include a comprehensive US-VISIT strategic plan and a complete schedule for biometric exit implementation. DHS partially implemented GAO’s oldest open recommendations pertaining to US-VISIT. For example, while the department partially completed the recommendation that it develop and begin implementing a US-VISIT system security plan, the scope of the plan does not extend to all the systems that comprise US-VISIT. In addition, while the expenditure plan provides some information on US-VISIT’s cost, schedule, and benefits associated with planned capabilities, the information provided is not sufficiently defined and detailed to address GAO’s recommendation and provide a reasonable basis for measuring progress and holding the department accountable for results. GAO identified several additional observations. On the positive side, DHS data show that the US-VISIT prime contract is being executed according to cost and schedule expectations. However, DHS continues to propose disproportionately heavy investment in US-VISIT program management-related activities without adequate justification or full disclosure. Further, DHS continues to propose spending tens of millions of dollars on US-VISIT exit projects that are not well-defined, planned, or justified on the basis of costs, benefits, and risks. Overall, the US-VISIT fiscal year 2007 expenditure plan and other available program documentation do not provide a sufficient basis for effective program oversight and accountability. Both the legislative conditions and GAO’s open recommendations are aimed at accomplishing both, and thus they need to be addressed quickly and completely. However, despite ample opportunity to do so, DHS has not done so and the reasons why are unclear. Until these recommendations are addressed, GAO does not believe that the program’s disproportionate investment in management-related activities represents a prudent and warranted course of action or to expect that the newly launched exit endeavor will produce results different from past results—namely, no operational exit solution despite expenditure plans allocating about a quarter of a billion dollars to various exit activities. What GAO Recommends: Because outstanding recommendations already address all of the management weaknesses discussed in this report, GAO is reiterating prior recommendations and recommending that the Secretary of DHS report to the department’s authorization and appropriations committees on its reasons for not fully addressing the legislative conditions and prior GAO recommendations. DHS largely agreed with the report and provided additional information and views that GAO has incorporated and addressed in the report as appropriate. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1065]. To view the full product, including the scope and methodology, click on the link above. For more information, contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. [End of section] Contents: Letter: Compliance with Legislative Conditions: Status of Open Recommendations: Observations on the Expenditure Plan and Management of US-VISIT: Conclusions: Recommendation for Executive Action: Agency Comments and Our Evaluation: Appendixes: Appendix I: Briefing Slides: Appendix II: Comments from the Department of Homeland Security: Appendix III: GAO Contact and Staff Acknowledgments: DHS: Department of Homeland Security: EA: enterprise architecture: EVM: earned value management: HLS: Homeland Security: OMB: Office of Management and Budget: POE: port of entry: SEI: Software Engineering Institute: TECS: Treasury Enforcement Communications System: US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology: Letter: August 31, 2007: The Honorable Robert C. Byrd: Chairman: The Honorable Thad Cochran: Ranking Member: Subcommittee on Homeland Security: Committee on Appropriations: United States Senate: The Honorable David E. Price: Chairman: The Honorable Harold Rogers: Ranking Member: Subcommittee on Homeland Security: Committee on Appropriations: House of Representatives: The Department of Homeland Security (DHS) submitted to Congress in March 2007 its fiscal year 2007 expenditure plan for the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program pursuant to the Department of Homeland Security Appropriations Act, 2007.[Footnote 1] US-VISIT is a governmentwide program to collect, maintain, and share information on foreign nationals who enter and exit the United States. The program's goals are to enhance the security of U.S. citizens and visitors, facilitate legitimate trade and travel, ensure the integrity of the U.S. immigration system, and protect the privacy of visitors to the United States. As required by the appropriations act, we reviewed US-VISIT's fiscal year 2007 expenditure plan. Our objectives were to (1) determine whether the expenditure plan satisfies legislative conditions specified in the appropriations act, (2) determine the status of our oldest open recommendations pertaining to US-VISIT,[Footnote 2] and (3) provide observations about the expenditure plan and DHS' management of US-VISIT. On June 15, 2007, and on June 20, 2007, we briefed the staffs of the Senate and House Appropriations Subcommittees on Homeland Security, respectively, on the results of our review. This report transmits these results. The full briefing, including our scope and methodology, is reprinted in appendix I. Compliance with Legislative Conditions: The US-VISIT expenditure plan, including related program documentation and program officials' statements, satisfies or partially satisfies some, but not all, of the legislative conditions. Specifically, the legislative conditions that DHS certify that an independent verification and validation agent is currently under contract for the program and that the DHS Investment Review Board, the Secretary of Homeland Security, and the Office of Management and Budget (OMB) review and approve the plan were satisfied.[Footnote 3] However, DHS only partially satisfied the legislative conditions that it (1) meet the capital planning and investment control review requirements established by OMB, including OMB Circular A-11, part 7; (2) comply with DHS' enterprise architecture; and (3) comply with federal acquisition rules, requirements, guidelines, and systems acquisition management practices. In addition, DHS did not satisfy the legislative conditions that the plan include (1) a comprehensive US-VISIT strategic plan and (2) a complete schedule for biometric exit implementation. Status of Open Recommendations: DHS has partially implemented our recommendations pertaining to US- VISIT that have been open for 4 years. These recommendations, along with their status, are summarized here. * Recommendation: Develop and begin implementing a system security plan and perform a privacy impact analysis and use the results of this analysis in near term and subsequent system acquisition decision making. DHS has partially implemented this recommendation. In December 2006, the program office developed a US-VISIT security strategy and has since begun implementing it. However, the scope of this strategy does not extend to all the systems that comprise US-VISIT, such as the Treasury: Enforcement Communications System (TECS). We recently testified[Footnote 4] that TECS has neither the security controls and defensive perimeters in place for preventing an intrusion, nor the capability to detect an intrusion should one occur. Until a more comprehensive security strategy is developed, the systems that comprise US-VISIT could place it at increased risk. * Recommendation: Develop and implement a plan for satisfying key acquisition management controls, including acquisition planning, solicitation, requirements management, project management, contract tracking and oversight, evaluation, and transition to support, and implement the controls in accordance with Software Engineering Institute (SEI) guidance.[Footnote 5] DHS has partially implemented this recommendation. Since 2005, the program office reports progress in implementing 113 practices associated with six SEI key process areas. However, the six areas of focus do not include all of the management controls that our recommendations cover, such as solicitation and transition to support. As long as the program office does not address all of the management controls that we have recommended, it will unnecessarily increase program risks. * Recommendation: Ensure that expenditure plans fully disclose what system capabilities and benefits are to be delivered, by when, and at what cost, as well as how the program is being managed. DHS has partially implemented this recommendation. The fiscal year 2007 expenditure plan discloses planned system capabilities, estimated schedules and costs, and expected benefits. However, schedules, costs, and benefits are not always defined in sufficient detail to be measurable and to permit oversight. Finally, the plan does not fully disclose challenges or changes associated with program management. Without such information, the expenditure plan may not provide Congress with enough information to exercise effective oversight and to hold the department accountable. * Recommendation: Ensure that the human capital and financial resources provided are sufficient to establish a fully functional and effective program office and associated management capability. DHS has partially implemented this recommendation. At one point in 2006, all of the program office's 115 government positions were filled. However, 21 positions have since become vacant. Without adequate human capital, particularly in key positions and for extended periods, program risks will increase. * Recommendation: Clarify the operational context within which US-VISIT must operate. DHS has partially implemented this recommendation. DHS has yet to define the operational context in which US-VISIT is to operate, such as having a departmentally approved strategic plan or a well-defined department enterprise architecture (EA). While the expenditure plan includes a departmentally approved US-VISIT strategic plan, it does not address key elements of relevant federal strategic planning guidance. Moreover, we recently reported[Footnote 6] that the version of the department's EA[Footnote 7] that DHS has been using for US-VISIT alignment purposes was missing architecture content and was developed with limited stakeholder input. Finally, although program officials have met with related programs to coordinate their respective efforts, specific coordination efforts have not been assigned to any DHS entity. Until a well-defined operational context exists, the department will be challenged in its ability to define and implement US-VISIT and related border security and immigration management programs in a manner that promotes interoperability, minimizes duplication, and optimizes departmental capabilities and performance. * Recommendation: Determine whether proposed US-VISIT increments will produce mission value commensurate with costs and risks and disclose to its executive bodies and Congress the results of these business cases and planned actions. DHS has partially implemented this recommendation. We recently reported that, while a business case was prepared for Increment 1B,[Footnote 8] the analysis performed met only four of the eight criteria in OMB guidance. Since then, the program office has developed business cases for two projects: Unique Identity and U.S. Travel Documents-ePassports (formerly Increment 2A), and we have ongoing work to address, among other things, these business cases. Further, the program office has yet to develop a business case for another project that it plans to begin implementing this year--biometric exit at air ports of entry (POE). Until the program office has reliable business cases for each US-VISIT project in which alternative solutions for meeting mission needs are evaluated on the basis of costs, benefits, and risks, it will not be able to adequately inform its executive bodies and Congress about its plans and will not provide the basis for prudent investment decision making. * Recommendation: Develop and implement a human capital strategy that provides for staffing open positions with individuals who have the requisite core competencies (knowledge, skills, and abilities). DHS has partially implemented this recommendation. In February 2006, we reported[Footnote 9] that the program office issued a human capital plan and had begun implementing it. However, DHS stopped doing so during 2006 pending departmental approval of a DHS-wide human capital initiative and because all program office positions were filled. However, as noted earlier, the program office now reports that it has 21 government positions--including critical leadership positions--that are now vacant. Moreover, it has stated that it developed a new human capital plan but we did not review this plan because it is still undergoing departmental review. Until the department approves the human capital plan and the program office begins to implement it, the program will continue to be at risk. * Recommendation: Develop and implement a risk management plan and ensure that all high risks and their status are reported regularly to the appropriate executives. DHS has partially implemented this recommendation. US-VISIT has approved a risk management plan and has begun implementing it. However, the current risk management plan does not address when risks should be elevated beyond the level of the US-VISIT Program Director. According to program officials, elevation of US-VISIT risks is at the discretion of the Program Director, and no risks have been elevated to DHS executives since December 2005. Until the program office ensures that high risks are appropriately elevated, department executives will not have the information they need to make informed investment decisions. * Recommendation: Define performance standards for US-VISIT that are measurable and reflect the limitations imposed on US-VISIT capabilities by relying on existing systems. DHS has partially implemented this recommendation. The program office has defined technical performance standards for several increments, but these standards do not contain sufficient information to determine whether they reflect the limitations imposed by relying on existing systems. As a result, the ability of these increments to meet performance requirements remains uncertain and the ability to identify and effectively address performance shortfalls is missing. Observations on the Expenditure Plan and Management of US-VISIT: While available data show that prime contract cost and schedule expectations are being met, aspects of the US-VISIT program continue to lack definition and justification. Each of our observations in this regard are summarized here. * Earned value management (EVM) data on ongoing prime contract task orders show that cost and schedule baselines are being met. EVM is a program management tool for measuring progress by comparing the value of work accomplished with the amount of work expected to be accomplished.[Footnote 10] Data provided by the program office show that the cumulative cost and schedule variances for the overall prime contract and all 12 ongoing task orders are within an acceptable range of performance. * DHS continues to propose a heavy investment in program management- related activities without adequate justification or full disclosure. Program management is an important and integral aspect of any system acquisition program and should be justified in relation to the size and significance of the acquisition activities being performed. In 2006, program management costs represented 135 percent of planned development. This means that for every dollar spent on new capabilities, $1.35 was spent on management. The fiscal year 2007 expenditure plan similarly proposed investing $1.25 on management- related activities for every dollar invested in new development. However, the plan does not explain the reasons for the sizable investment in management-related activities or otherwise justify it on the basis of measurable expected value. Without disclosing and justifying its proposed investment and program management-related efforts, it is unclear that such a large amount of funding for these activities represents the best use of resources. * Lack of a well-defined and justified exit solution introduces the risk of repeating failed and costly past exit efforts. DHS has issued a high-level schedule for air exit, but information supporting that schedule is not yet available. In addition, there are no other exit program plans available that define what will be done, by what entities, and at what cost in order to define, acquire, deliver, deploy, and operate this capability. This includes developing plans describing expected system capabilities, identifying key stakeholder roles/responsibilities and buy-in, coordinating and aligning with related programs, and allocating funding to activities. Furthermore, DHS has not performed an analysis comparing the life cycle costs of the air exit solution to its expected benefits and risks. Since 2004, we have reported on a similar lack of definition and justification of prior US-VISIT exit efforts, even though prior expenditure plans have allocated funding of $250 million to completing these efforts. As of today, these prior efforts have not produced an operational exit solution. Without better definition and justification of its future exit efforts, the department runs the serious risk of repeating its past failures. Conclusions: US-VISIT's prime contract cost and schedule metrics show that expectations are being met, according to available data, although the EVM system that the metrics are based on has yet to be independently certified. Notwithstanding this, such performance is a positive sign. However, most of the many management weaknesses raised in this report have been the subject of our prior US-VISIT reports and testimonies and, thus, are not new. Accordingly, we have already made a litany of recommendations to correct each weakness, as well as follow-on recommendations to increase DHS attention to and accountability for doing so. Despite this, recurring legislative conditions associated with US-VISIT expenditure plans continue to be less than fully satisfied and recommendations that we made 4 years ago have still not been fully implemented. Exacerbating this situation is the fact that DHS did not satisfy two new legislative conditions associated with the fiscal year 2007 expenditure plan, and serious questions continue to exist about DHS' justification for and readiness to invest current, and potentially future, fiscal year funding relative to an exit solution and program management-related activities. DHS has had ample opportunity to address these many issues, but it has not. As a result, there is no reason to expect that its newly launched exit endeavor, for example, will produce results different from past endeavors--namely, DHS will not have an operational exit solution despite expenditure plans allocating about a quarter of a billion dollars to various exit activities. Similarly, on the basis of past efforts, there is no reason to believe that the program's disproportionate investment in management-related activities represents a prudent and warranted course of action. All told, this means that needed improvements in US-VISIT program management practices are long overdue. Both the legislative conditions and our open recommendations are aimed at accomplishing these improvements, and they need to be addressed quickly and completely. Thus far, they have not been, and the reasons that they have not are unclear. Recommendation for Executive Action: Because our outstanding US-VISIT recommendations already address all of the management weaknesses discussed in this report, we are reiterating our prior recommendations and recommending that the Secretary of DHS report to the department's authorization and appropriations committees on its reasons for not fully addressing its expenditure plan legislative conditions and our prior recommendations. Agency Comments and Our Evaluation: We received written comments on a draft of this report from DHS, which were signed by the Director, Departmental GAO/IG Liaison Office, and are reprinted in appendix II. In its comments, DHS stated that it agreed with the majority of our findings, adding that the department realizes, and our report supports the fact, that improvements to US-VISIT's management controls, operational context, and human capital are needed. DHS also stated that the US-VISIT program office would aggressively engage with us to address our open recommendations, noting that it appreciates the guidance provided by our reports. In this regard, DHS's comments described efforts completed, underway, and planned to address our recommendations, most of which were already reflected in the draft report. New information in DHS's comments covered its intentions relative to the next US-VISIT expenditure plan and the next US-VISIT strategic plan, both of which are to be issued in fiscal year 2008. This new information is consistent with the intent of our open recommendations. New information also included the US-VISIT Director's intention to communicate high-priority risks to the Under Secretary of the National Protection and Programs Directorate, which is also in line with our open recommendations. However, DHS also stated that it disagreed with the "partially complete" status that we assigned to one of our open recommendations. It also stated that our observation characterizing past US-VISIT exit efforts as failed and costly implicitly devalued the experience and empirical data that the department gained from these proof-of-concept efforts, and this observation did not recognize relevant information about the program's use of biographic exit procedures. We do not agree with either of these comments, as discussed below. * With the respect to the "partially complete" status that our report assigns to the open recommendation for the program to develop and begin implementing a system security plan, and to perform a privacy impact analysis and use the results of this analysis in near term and subsequent system acquisition decision making, DHS stated that it considers this recommendation satisfied. In this regard, the department describes a number of actions that the program has taken with respect to US-VISIT security and privacy. We do not take issue with the actions that DHS described, and would note that our draft report already recognizes them. Moreover, we too consider the privacy component of our recommendation satisfied. However, we do not agree with the department's position relative to the scope of US-VISIT's security strategy in that it does not address known vulnerabilities associated with a US-VISIT component system--TECS.[Footnote 11] As we state in our report, TECS is an integral component of US-VISIT and, according to federal security standards, a system security plan, or in US-VISIT's case the system security strategy, typically covers such component systems. Therefore, we believe that the US-VISIT security risk assessment and security strategy need to explicitly address such vulnerabilities, and thus we do not consider the entire recommendation as being fully satisfied. * With respect to our characterization of past US-VISIT exit efforts, the department stated that we incorrectly viewed these past efforts as "ends in themselves" and as "failed and costly" because they did not immediately conclude with operational systems. According to DHS, the program never intended for these efforts to be more than proof-of- concept learning experiences that would form the basis for more workable future system solutions. We do not agree with these comments. As we state in our report, the program first committed to full deployment of a biometric exit capability in 2003, and it has continued to make similar deployment commitments in subsequent years. At the same time, we have chronicled a pattern of inadequate analysis surrounding the expected costs, benefits, and risks of these exit efforts since 2004, and thus an absence of reliable information upon which to view their expected value and base informed exit-related investment decisions. Nevertheless, the program continued to invest each year in these biometric exit efforts, thus far having allocated about $250 million in funding to them. At no time, however, was any analysis produced to justify investing a quarter of a billion dollars to gain "experiences and empirical data" for such a sizeable investment. Rather, commitments were repeatedly made in expenditure plans for deploying an operational exit solution. While we recognize the value and role of demonstration and pilot efforts as a means for learning and informing future development efforts, our point is that exit-related efforts have been inadequately defined and justified over the last 4 years, despite being allocated $250 million, and the fiscal year 2007 expenditure proposes more of the same. With respect to not recognizing the program's use of biographic exit procedures in the above described observation, the department is correct that we describe these procedures in other sections of our report but not as part of this observation. We do not include this information under this observation because its focus is on the 4 years and $250 million that has been devoted to biometric-based exit efforts, and the lack of definition and justification in the fiscal year 2007 expenditure plan for these biometric efforts going forward. We are sending copies of this report to the Chairmen and Ranking Members of other Senate and House committees and subcommittees that have authorization and oversight responsibilities for homeland security. We are also sending copies to the Secretary of Homeland Security, Secretary of State, and the Director of OMB. We will also make copies available to others on request. In addition, the report will be available at no charge on GAO's Web site at [Hyperlink, http://www.gao.gov]. If you or your staffs have any questions on matters discussed in this report, please contact me at (202) 512-3439 or at hiter@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who have made significant contributions to this report are listed in appendix III. Signed by: Randolph C. Hite: Director: Information Technology Architecture and Systems Issues: [End of section] Appendix I: Briefing Slides: Homeland Security: U.S. Visitor and Immigrant Status Program's Long- standing Lack of Strategic Direction and Management Controls Needed to be Addressed: Briefing to the Staffs of the Subcommittee on Homeland Security Senate and House Committees on Appropriations: June 15, 2007: Briefing Overview: Introduction: Objectives: Results in Brief: Background: Results: * Legislative Conditions: * Status of Open Recommendations: * Observations: Conclusions: Recommendations for Executive Action: Agency Comments: Attachment 1. Scope and Methodology: Attachment 2. Related Products List: Attachment 3. Description of US-VISIT Program: Attachment 4. Description of Increments and Component Systems: Introduction: The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program of the Department of Homeland Security (DHS) is a governmentwide program to collect, maintain, and share information on foreign nationals who enter and exit the U.S. The goals of US-VISIT are to: enhance the security of U.S. citizens and visitors, facilitate legitimate travel and trade, ensure the integrity of the U.S. immigration system, and: protect the privacy of our visitors. The Department of Homeland Security Appropriations Act, 2007,[Footnote 12] states that DHS may not obligate $200 million of the $362.494 million appropriated for the US-VISIT project until the Senate and House Committees on Appropriations receive a plan for expenditure that: meets the capital planning and investment control review requirements established by the Office of Management and Budget (OMB), including Circular A-11, part 7;[Footnote 13] complies with DHS’s enterprise architecture; complies with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government; includes a certification by the DHS Chief Information Officer (CIO) that an independent verification and validation (IV&V) agent is currently under contract for the project; is reviewed and approved by the DHS Investment Review Board (IRB), the Secretary of Homeland Security, and OMB; is reviewed by GAO; includes a comprehensive US-VISIT strategic plan; and: includes a complete schedule for biometric exit implementation. On March 20, 2007, DHS submitted its fiscal year 2007 expenditure plan for $362.494 million to the House and Senate Appropriations Subcommittees on Homeland Security. Objectives: As agreed, our objectives were to: 1. determine whether the US-VISIT fiscal year 2007 expenditure plan satisfies the legislative conditions, 2. determine the status of our oldest open recommendations pertaining to US- VISIT,[Footnote 14] and: 3. provide observations about the expenditure plan and management of the program. We conducted our work at US-VISIT offices in Arlington, Virginia, from March 2007 through June 2007 in accordance with generally accepted government auditing standards. Details of our scope and methodology are described in attachment 1. Results in Brief: Objective 1: Legislative Conditions: Table: Summary of Fiscal Year 2007 US-VISIT Expenditure Plan’s Satisfaction of Legislative Conditions: Legislative conditions: Meets the capital planning and investment control review requirements established by OMB, including OMB A-11, part 7; Does not satisfy[A]: [Empty]; Partially satisfies[B]: [Check]; Satisfies[C]: [Empty]. Legislative conditions: Complies with the DHS enterprise architecture; Does not satisfy[A]: [Empty]; Partially satisfies[B]: [Check]; Satisfies[C]: [Empty]. Legislative conditions: Complies with the acquisition rules, requirements, guidelines, and systems; Does not satisfy[A]: [Empty]; Partially satisfies[B]: [Check]; Satisfies[C]: [Empty]. Legislative conditions: Includes a certification by the DHS CIO that an IV&V agent is currently under contract for the program; Does not satisfy[A]: [Empty]; Partially satisfies[B]: [Empty]; Satisfies[C]: [Check]. Legislative conditions: Is reviewed and approved by the DHS IRB, the DHS Secretary, and OMB; Does not satisfy[A]: [Empty]; Partially satisfies[B]: [Empty]; Satisfies[C]: [Check]. Legislative conditions: Is reviewed by GAO; Does not satisfy[A]: [Empty]; Partially satisfies[B]: [Empty]; Satisfies[C]: [Check]. Legislative conditions: Includes a comprehensive US-VISIT strategic plan; Does not satisfy[A]: [Check]; Partially satisfies[B]: [Empty]; Satisfies[C]: [Empty]. Legislative conditions: Includes a complete schedule for biometric exit implementation; Does not satisfy[A]: [Check]; Partially satisfies[B]: [Empty]; Satisfies[C]: [Empty]. Source: GAO. [A] Does not satisfy or provide for satisfying all key aspects of the condition we reviewed. [B] Satisfies or provides for satisfying some, but not all, key aspects of the condition that we reviewed. [C] Satisfies or provides for satisfying every aspect of the condition that we reviewed. [End of figure] Results in Brief: Objective 2: Open Recommendations: Table: Summary of Status of Open Recommendations: Open recommendations: 1. Develop and begin implementing a system security plan and perform a privacy impact analysis and use the results of this analysis in near term and subsequent system acquisition decision making; Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 2. Develop and implement a plan for satisfying key acquisition management controls, including acquisition planning, solicitation, requirements management, project management, contract tracking and oversight, evaluation, and transition to support, and implement the controls in accordance with Software Engineering Institute (SEI) guidance[F]; Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 3. Ensure that expenditure plans fully disclose what system capabilities and benefits are to be delivered, by when, and at what cost, as well as how the program is being managed; Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 4. Ensure that the human capital and financial resources are provided to establish a fully functional and effective program office and associated management capability; Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 5. Clarify the operational context within which US-VISIT must operate; Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 6. Determine whether proposed US-VISIT increments will produce mission value commensurate with costs and risks and disclose to its executive bodies and the Congress the results of these business cases and planned actions;[G] Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 7. Develop and implement a human capital strategy that provides for staffing open positions with individuals who have the requisite core competencies (knowledge, skills, and abilities); Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 8. Develop and implement a risk management plan and ensure that all high risks and their status are reported regularly to the appropriate executives; Partially complete[D]: [Check]; Complete[E]: [Empty]; Open recommendations: 9. Define performance standards for US-VISIT that are measurable and reflect the limitations imposed by relying on existing systems; Partially complete[D]: [Check]; Complete[E]: [Empty]; Source: GAO. [D] A recommendation is partially complete when documentation indicates that some, but not all, actions needed to implement it have been taken. E] A recommendation is complete when documentation demonstrates that it has been fully addressed. [F] This recommendation is the merger of two of our prior recommendations. [G] This recommendation is the merger of three of our prior recommendations. [End of figure] Results in Brief: Objective 3: Observations: Observation Summaries: DHS data show that the US-VISIT prime contract is being executed according to cost and schedule expectations, as defined and measured by a well- accepted progress measurement technique known as earned value management. DHS continues to propose disproportionately heavy investment in US- VISIT program management-related activities without adequate justification or full disclosure, to the point of spending $1.25 on management for every dollar invested in new development. Without justifying and fully disclosing such a large investment in program management, questions persist as to whether this represents the best use of DHS resources. DHS continues to propose spending tens of millions of dollars on exit projects that are not well-defined, planned, or justified on the basis of costs, benefits and risks. Without properly positioning itself for effectively and efficiently investing in an exit solution, DHS risks repeating its prior failed and costly exit efforts. Results in Brief: Recommendations: and Agency Comments: Because our outstanding US-VISIT recommendations already address all of the management weaknesses discussed in this briefing, we are reiterating our prior recommendations, and recommending that DHS report to its congressional authorization and appropriations committees the reasons for it not fully satisfying its US-VISIT expenditure plan legislative requirements and our prior recommendations. In comments on a draft of this briefing, DHS stated that the briefing was factually correct, that GAO's guidance provided value to the program, and that it would continue to address our recommendations. 12 Background: US-VISIT Overview: The goals of the US-VISIT program are to enhance the security of U.S. citizens and visitors, facilitate legitimate travel and trade, ensure the integrity of the U.S. immigration system, and protect the privacy of our visitors. US-VISIT is to accomplish these things by: collecting, maintaining, and sharing biometric and other information on certain foreign nationals who enter and exit the United States; identifying foreign nationals who (1) have overstayed or violated the terms of their admission; (2) can receive, extend, or adjust their immigration status; or (3) should be apprehended or detained by law enforcement officials; detecting fraudulent travel documents, verifying traveler identity, and determining traveler admissibility through the use of biometrics; and: facilitating information sharing and coordination within the immigration and border management community. Background: US-VISIT Program Office: Figure: Organizational Structure and Functional Responsibilities[Footnote 15] [See PDF for image] Source: US-VISIT. [End of figure] Background: Acquisition Strategy: DHS originally planned to deliver biometric entry and exit capability in for major increments: Increments 1 through 3 were to be interim, or temporary, solutions that focus on building interfaces among existing (legacy) systems; enhancing the capabilities of these systems; and deploying these systems to air, sea, and land ports of entry (POEs). Increment 4 was to be a series of incremental releases, or mission capability enhancements, that were to deliver long-term strategic capabilities for meeting program goals. In May 2004, DHS awarded an indefinite-delivery/indefinite- quantity[Footnote 16] prime contract to Accenture and its partners for delivering future US-VISIT capabilities.[Footnote 17] Background: Description and History of Increments: Increment 1: Increment 1 was intended to establish entry and exit capabilities at air and sea POEs. Increment 1 air and sea entry capabilities were deployed on January 5, 2004, at 115 airports and 14 seaports for individuals requiring nonimmigrant visas to enter the United States.[Footnote 18] These capabilities include collecting and matching biographic information, biometric data (two digital index finger scans) and a digital photograph for selected foreign nationals. In addition, several types of increment 1 air and sea exit devices for collecting biometric data were piloted at 12 airports and 2 seaports. This 3-year pilot focused on the technical feasibility of a biometric exit solution at air and sea POEs. The pilot ended in May 2007. Increment 2: Increment 2 was originally to extend US-VISIT entry and exit capabilities to the 50 busiest land POEs by December 31, 2004. Subsequently, the increment was divided into three parts—2A, 2B, and 2C. Increment 2A established entry capabilities at land, sea, and air POEs to biometrically authenticate machine-readable visas and other travel and entry documents issued by Department of State (State) and DHS to foreign nationals.[Footnote 19] These capabilities were deployed to all POEs by October 23, 2005, except for e-Passports, which were deployed to 33 POEs by November 14, 2006. These 33 POEs account for 97 percent of all travelers entering with e- Passports. Increment 2B extended the increment 1 entry solution to the 50 busiest land POEs and included redesigning the process for issuing a handwritten form I- 94[Footnote 20] to enable the electronic capture of biographic, biometric (unless the traveler is exempt),[Footnote 21] and related travel documentation for travelers arriving in secondary inspection. This capability was deployed to the 50 busiest land POEs as of December 29, 2004. Increment 2C was a proof-of-concept demonstration of the feasibility of using passive radio frequency identification (RFID) technology[Footnote 22] to record travelers’ entry and exit via a unique ID number tag embedded in the form I-94. It was originally deployed at five land POEs. The demonstration was terminated in November 2006. Increment 3: Increment 3 was to extend increment 2B entry capabilities to 104 land POEs by December 31, 2005. It was essentially completed as of December 19, 2005.[Footnote 23] Increment 4 – Unique Identity: All expenditure plans prior to fiscal year 2006 have described increment 4 as a yet- to-be-defined, strategic solution. The fiscal year 2006 plan described increment 4 as the combination of two projects: (1) Transition to 10 fingerprints in the Automated Biometric Identification System (IDENT) and (2) Interoperability between IDENT and the Federal Bureau of Investigation’s Integrated Automated Fingerprint Identification System (IAFIS). The fiscal year 2007 expenditure plan combines the two projects, with a third called enumeration (developing a single identifier for each individual), into a single project referred to as Unique Identity. Background: Entry Systems Overview:[Footnote 24] Figure: Systems Diagram of Entry Capability [See PDF for image] Source: GAO analysis of US-VISIT data. [End of figure] Background: Chronology of Expenditure Plans: Table: Chronology of Expenditure Plans: Fiscal year: 2002; Date submitted: 11/15/2002; Funds appropriated (in thousands): $13,300; Funds requested (in thousands): $13,300; Funds released to date (in thousands): $13,300. Fiscal year: 2003; Date submitted: 06/05/2003; Funds appropriated (in thousands): $362,000; Funds requested (in thousands): $375,000; Funds released to date (in thousands): $367,00014[Footnote 25]. Fiscal year: 2004; Date submitted: 01/27/2004; Funds appropriated (in thousands): $330,000; Funds requested (in thousands): $330,000; Funds released to date (in thousands): $330,000. Fiscal year: 2005; Date submitted: 10/19/2004; Funds appropriated (in thousands): $340,000; Funds requested (in thousands): $340,000 ; Funds released to date (in thousands): $340,000. Fiscal year: 2006; Date submitted: 08/10/2006; Funds appropriated (in thousands): $336,600; Funds requested (in thousands): $336,600 ; Funds released to date (in thousands): $336,600. Fiscal year: 2007 ; Date submitted: 03/20/2007; Funds appropriated (in thousands): $362,494; Funds requested (in thousands): $362,494; Funds released to date (in thousands): $162,494. Total; Funds appropriated (in thousands): $1,744,394; Funds requested (in thousands): $1,757,394; Funds released to date (in thousands): $1,557,394. Source: GAO, based on an analysis of DHS data. [End of figure] Background: 2007 Expenditure Plan Funding Allocation: Table: 2007 Expenditure Plan Funding Allocation: Areas of expenditure/Projects (see next slides for descriptions): Exit (air and sea); Government program management (costs in thousands): 0; Contractor program management support: 2,300; Development: 5,000; Operations and Maintenance: [Empty]; Other: [Empty]; Total: $7,300. Areas of expenditure/Projects (see next slides for descriptions): U.S. travel documents and e-Passports (2A PKD); Government program management (costs in thousands): 0; Contractor program management support: 2,700; Development: 8,100; Operations and Maintenance: [Empty]; Other: [Empty]; Total: 10,800. Areas of expenditure/Projects (see next slides for descriptions): Unique Identity (10-print, enumeration, and IDENT/IAFIS interoperability; Government program management (costs in thousands): 0; Contractor program management support: 17,400; Development: 76,500; Operations and Maintenance: [Empty]; Other: [Empty]; Total: 93,900. Areas of expenditure/Projects (see next slides for descriptions): Data integrity and biometric support services; Government program management (costs in thousands): 0; Contractor program management support: 1,400; Development: 14,100; Operations and Maintenance: [Empty]; Other: [Empty]; Total: 15,500. Areas of expenditure/Projects (see next slides for descriptions): Program management and operations; Government program management (costs in thousands): 25,700; Contractor program management support: 0; Development: 0; Operations and Maintenance: [Empty]; Other: [Empty]; Total: 25,700. Areas of expenditure/Projects (see next slides for descriptions): Contractor program management support; Government program management (costs in thousands): 0; Contractor program management support: 62,500; Development: 0; Operations and Maintenance: [Empty]; Other: [Empty]; Total: 62,500. Areas of expenditure/Projects (see next slides for descriptions): Operations and maintenance; Government program management (costs in thousands): 0; Contractor program management support: 0; Development: 0; Operations and Maintenance: 138,800; Other: [Empty]; Total: [Empty]. Areas of expenditure/Projects (see next slides for descriptions): Management reserve; Government program management (costs in thousands): 0; Contractor program management support: 0; Development: 0; Operations and Maintenance: [Empty]; Other: 8,000; Total: 8,000. Total; Government program management (costs in thousands): 25,700; Contractor program management support: 86,300; Development: 103,700; Operations and Maintenance: 138,800; Other: 8,000; Total: $362,500. Source: GAO, based on an analysis of DHS data. [End of table] Background: Summary of 2007 US-VISIT Expenditure Plan: Exit: Includes planning and implementation of the chosen deployment option for the implementation of an exit screening program at air and sea ports. U.S. travel documents and e-Passports: Includes development, testing, and deployment of public key directory (PKD) validation services[Footnote 26] for e-Passport readers. Unique Identity: Includes implementing the 10-fingerprint scanners and the interim data sharing model (iDSM);[Footnote 27] related systems interoperability; associated facilities and engineering support; and systems architecture, engineering and integration, and design. Data Integrity and Biometric Support Services: Includes providing qualified leads and actionable information to the U.S. Customs and Border Protection Service and U.S. Immigration and Customs Enforcement; establishment of lookout records for visa denials and adverse actions by border officials. Program management and operations: Includes the government salaries and benefits for 115 government program office positions necessary to manage and operate the program, including relocation costs, personnel security checks, and training. Contractor services-program management: Includes the program office support contractors. Operations and maintenance: Includes operations and maintenance of Increment 1, 2, and 3 systems, including technical, application, system, network, and infrastructure support costs. Program management reserve: Includes funds allocated to accommodate unknown timing and magnitude of risks. Background: US-VISIT Project Life Cycle Management: US-VISIT has adopted its own methodology for managing its projects throughout their respective life cycles. This methodology is known as the US-VISIT Enterprise Life Cycle Methodology (ELCM). Within the ELCM is a component methodology for managing software-based system projects known as the US-VISIT Delivery Methodology (UDM). According to version 4.3 of UDM (April 2007), it: Applies to new development projects and existing, operational projects. Specifies the documentation and reviews that should take place within each of the methodology’s six phases: plan, analyze, design, build, test, and deploy. Allows for tailoring to meet the needs and requirements of individual projects, in which specific activities, deliverables, and milestone reviews that are appropriate for the scope, risk, and context of the project can be set for each phase of the project. The chart on the following page shows where US-VISIT projects are in terms of the life cycle methodology. Background: US-VISIT Project Status: (New Development and Operational): Figure: New Development and Operational: [See PDF for image] Source: GAO, based on an analysis of DHS data. * Exit project in pre-planning; not within the UDM Technology Workstream. *** IOC: Initial Operational Capability. [End of figure] Background: US-VISIT Task Orders: Area of Expenditure: Exit; Task Order Name: Exit Pilot beta survey data collection; Start: August 2004; Status/Completion Date: Completed May 2005; Description: Pilot, test, and evaluate three exit alternatives (kiosk, mobile, hybrid) at selected international ports of departure. Area of Expenditure: Exit; Task Order Name: Increment 1B; Start: February 2005; Status/Completion Date: Completed Dec. 2006; Description: Air and Sea Exit Deployment-provide services for national deployment of the 1B exit solution as determined from results of 1B pilots. Area of Expenditure: Exit; Task Order Name: Increment 2C; Start: September 2004; Status/Completion Date: Ongoing[H]; Description: Planning and implementation of the US-VISIT Increment 2C Proof of Concept Project. Area of Expenditure: U.S. Travel Documents and e-Passports; Task Order Name: International Registered Traveler IPT; Start: February 2005; Status/Completion Date: Completed Aug 2005; Description: Support for SecurePass IPT, and integrated international registered program designed to enhance national security and improve efficiency. Area of Expenditure: U.S. Travel Documents and e-Passports; Task Order Name: Increment 2A-PKD; Start: March 2005; Status/Completion Date: Ongoing; Description: Development and implementation of PKD Validation service to allow for biometric comparison and authentication of US visas and other travel documents. Area of Expenditure: U.S. Travel Documents and e-Passports; Task Order Name: Material support to Increment 2A-PKD; Start: March 2007; Status/Completion Date: Ongoing; Description: Purchase of materials, including hardware and software, to meet requirements of the PKD validation services project. Area of Expenditure: Unique Identity; Task Order Name: IT solutions delivery; Start: October 2004; Status/Completion Date: Ongoing; Description: Planning, development, and implementation of the Biometric identification Systems Project, now referred to as Unique Identity (IDENT/IAFIS integration and IDENT 10-print). Area of Expenditure: Unique Identity; Task Order Name: Integration support to the Unique ID project office; Start: November 2006; Status/Completion Date: Ongoing; Description: Program and technical integration support services. Area of Expenditure: Unique Identity; Task Order Name: Material support to task order 007; Start: April 2007; Status/Completion Date: Ongoing; Description: Material, maintenance licenses, warrant, etc. in support of task 007 IT solutions. Area of Expenditure: Data Integrity and Biometric Support; Task Order Name: Data Management support; Start: August 2004; Status/Completion Date: Ongoing; Description: Support Program Office Data Management Branch-identity errors, omissions, and trends in data; recommend corrective actions; provide refined data to other offices (e.g. U.S. Immigration and Customs Enforcement) to support criminal investigations, lookout creation, and informed material/operational decision making. Area of Expenditure: Contractor Support-Program Management; Task Order Name: Program level management; Start: July 2004; Status/Completion Date: Ongoing; Description: Comprehensive program and project management methodology, policies, processes, procedures, and support to program office. Area of Expenditure: Contractor Support-Program Management; Task Order Name: Strategic Plan; Start: October 2004; Status/Completion Date: Completed March 2005; Description: Create and document a comprehensive strategic plan that describes necessary activities to integrate US- VISIT processes and systems. Area of Expenditure: Contractor Support-Program Management; Task Order Name: Blueprint; Start: May 2005; Status/Completion Date: Completed Nov 2006; Description: Create a US-VISIT blueprint that describes a comprehensive approach to achieving the overall vision for US-VISIT's immigration and border management enterprise. Area of Expenditure: Contractor Support-Program Management; Task Order Name: Program level engineering; Start: September 2004; Status/Completion Date: Ongoing; Description: Develop and maintain standards, guidance, architectures, performance models, and other engineering processes necessary to support the development of functionality. Area of Expenditure: Contractor Support-Program Management; Task Order Name: Development; Start: November 2006; Status/Completion Date: Ongoing; Description: Support the development and maintenance of program planning artifacts and analyze phases of project execution and planning, updating, and implementing the US-VISIT Strategic Plan. Area of Expenditure: Operations and Maintenance; Task Order Name: Facilities and infrastructure; Start: March 2005; Status/Completion Date: Ongoing; Description: Provisioning of office/faculty space, furniture, workstations, telecommunications, and other infrastructure to support contractor activities. Area of Expenditure: Operations and Maintenance; Task Order Name: Operations and Maintenance; Start: August 2006; Status/Completion Date: Ongoing; Description: Management of operations and maintenance activities for deployed capabilities. Source: GAO, based on analysis of DHS data. [H] Increment 2C was terminated in November 2006. This task order will closer once shutdown activities are complete. [End of table] Background: Overview of DHS Investment Management Process: DHS recently changed its investment management process. Prior to 2006, DHS IT programs, including US-VISIT, were subject to key decision point reviews. According to DHS, this approach was adopted from the Department of Defense’s investment management process, and while well- suited for the acquisition of fighter jets, ships, etc., was not well- suited for acquisition of IT systems. Accordingly, DHS drafted an Investment Review Process guide that adopts an approach using milestone decision points (MDP) linking five life cycle phases: (1) project initiation, (2) concept and technology development, (3) capability development and demonstration, (4) production and deployment, and (5) operations and support. According to DHS, this guide provides more flexibility, allowing DHS to tailor the number of phases and milestone reviews based on risk and visibility. MDP reviews can be performed concurrently with an expenditure plan review. The draft guide was issued in March 2006; as of May 2007, the draft guide had not been approved. Under the draft guide, a program sends an investment review request to the Integrated Project Review Team (IPRT) prior to the initial MDP. The IPRT assigns the program to a portfolio, and schedules the program for a Joint Requirements Council and/or IRB review. According to the official from DHS’s Program Analysis and Evaluation Directorate who is responsible for overseeing program adherence to the investment control process, it is being used for all DHS programs. Objective 1: Legislative Conditions: Condition 1: This fiscal year 2007 US-VISIT expenditure plan, related program documentation, and program officials' statements satisfy (in part or total) most, but not all, of the legislative conditions. Condition 1. The plan, including related program documentation and program officials' statements, satisfies or partially satisfies all aspects of the capital planning and investment control review requirements established by OMB, including OMB Circular A-11, part 7.[Footnote 28] The table that follows provides examples of the results of our analysis, including areas in which the A-11 requirements have been and have not been fully satisfied. Given that the A-11 requirements are intended to minimize a program's exposure to risk, permit performance measurement and oversight, and promote accountability, any areas in which the program falls short of the requirements reduce the chances of delivering cost-effective capabilities and measurable results of time and within budget. Table: Legislative Conditions: Condition 1: Examples of A-11 Conditions: Provide a brief description of the investment and its status in the capital planning and investment control review, including major assumptions made about the investment; Results of our analysis: The expenditure plan and fiscal year 2007 Exhibit 300 provide a description of investment and its status in the capital US-VISIT but do not include its status in the DHS capital planning and planning and investment control review, investment control process. According to program officials, the program was re- including major assumptions made evaluated under the MDP process defined in the draft DHS investment review about the investment process guide. On February 7, 2007, it passed its first MDP and is now undergoing its second MDP review. Also, the expenditure plan and related program documents identify a number of program assumptions. Examples of assumptions cited in the fiscal year 2007 Exhibit 300 submission include (1) existing facilities at land POEs will not support the proposed incorporation of biometric devices without investment in equipment and infrastructure, and (2) improved exit processes are needed to collect accurate data on departures. Examples of A-11 Conditions: Provide a summary of the investment’s risk assessment, including how 19 OMB- identified risk elements are being addressed; Results of our analysis: The US-VISIT enterprise risk assessment was completed in December 2005. It identified a number of risks, their likelihood of occurrence, their potential impact, and recommended controls to address each risk. The most recent version of the risk management plan was approved February 2007. Under the processes defined in this plan, risks are to be monitored and reviewed by program management and stakeholders through integrated project teams. All identified risks are to be logged in the risk database and are to be individually reviewed by the Director. Both the Exhibit 300 and the Risk Management Plan address the 19 OMB-identified risk elements. Examples of A-11 Conditions: Demonstrate that the investment is included in the agency's enterprise architecture and capital planning and investment control process. Illustrate agency's capability to align the investment to the Federal Enterprise Architecture (FEA); Results of our analysis: The plan does not describe US-VISIT relative to the DHS enterprise architecture (EA) or the capital planning and investment control process. Moreover, the last review of program compliance with the DHS EA was in August 2004, and since then US-VISIT and the DHS architecture have changed significantly. With regard to the FEA, the fiscal year 2007 OMB Exhibit 300 budget submission contains tables that satisfy OMB's requirement for listing the various aspects of the FEA that the program supports. In February 2007, the program completed a MDP1 review, which program officials told us revalidated the program. The program has since submitted to the Enterprise Architecture Center for Excellence its MDP2 review package. US-VISIT's architecture alignment is further discussed under the legislative condition 2 section of this briefing. Examples of A-11 Conditions: Provide a description of an investment's security and privacy issues. Summarize the agenda's ability to manage security at the system or application level. Demonstrate compliance with the certification and accreditation processes as well as the mitigation of IT security weaknesses; Results of our analysis: As we previously reported, US-VISIT's 2004 security plan and privacy impact assessments generally satisfied IMB and the National Institutes of Standards and Technology (NIST) security guidance. Further, the expenditure plan states that all of the US-VISIT component systems have been certified and accredited and given authority to operate. Also, the program office developed a security strategy in December 2006 that was based on the 2005 risk assessment. However, this security strategy was limited to the systems under US-VISIT control and does not mention, for example, the Treasury Enforcement Communications System (TECS) which provides biographic information to US-VISIT and is owned by Customs and Border Protection. According to NIST Special Publication 800-18, a comprehensive security strategy should include all component systems. We have ongoing work to evaluate the quality of US-VISIT security documents and practices. Examples of A-11 Conditions: Provide a summary of the investment's status in accomplishing baseline cost and schedule goals through the use of an earned value management (EVM) system or operational analysis, depending on the life-cycle stage; Results of our analysis: The program is currently relying on the prime contractor's EVM system to manage the prime contractor's progress against cost and schedule goals. This EVM system was self-certified by the prime contractor in December 2003 as meeting established standards, but has yet to be verified by the agency or an independent representative of the agency as required by OMB. In December 2006, the program office contracted with the Defense Contract Management Agency to conduct this investigation, but it will not be completed until August 2008. Finally, while the fiscal year 2006 expenditure plan stated that all US-VISIT contractors will perform EVM and program officials stated that this will be performed in accordance with the DHS guidelines for all contracts after October 1, 2006, the fiscal year 2007 expenditure plan does not continue to make this commitment. Source: OMB criteria and GAO analysis of DHS documentation. [End of table] Objective 1: Legislative Conditions: Condition 2: Condition 2. The plan, including related program documentation and program officials’ statements, partially provides for satisfying the condition that it comply with DHS’s EA. According to federal guidelines and best practices, investment compliance with an EA is essential for ensuring that an organization’s investment in new and existing systems is defined, designed, and implemented in a way that promotes integration and interoperability and minimizes overlap and redundancy, thus optimizing enterprise wide efficiency and effectiveness. A compliance determination is not a one- time event that occurs when an investment begins, but is, rather, a series of determinations that occurs throughout an investment’s life cycle as changes to both the EA and the investment’s architecture are made. The DHS Enterprise Architecture Board, supported by the Enterprise Architecture Center of Excellence, is responsible for ensuring that projects demonstrate adequate technical and strategic compliance with the department’s EA. The DHS Enterprise Architecture Board has not conducted a detailed review of US- VISIT architecture compliance in more than 2 years. In August 2004, the board reviewed US-VISIT’s architectural alignment with some aspects of the DHS EA, and it recommended that US-VISIT be given conditional approval to proceed.[Footnote 29] However, we reported [Footnote 30] in February 2005 that this architectural compliance was limited because: DHS’ determination was based on version 1.0 of the EA, which was missing, in part or in whole, all the key elements expected in a well- defined architecture, such as a description of business processes, information flows among these processes, and security rules associated with these information flows. DHS did not provide sufficient documentation to allow us to understand the methodology and criteria for architecture compliance or to verify analysis justifying the conditional approval. Moreover, the next architecture alignment review did not occur until more than 2 years later, in November 2006. This review was part of US- VISIT’s MDP1 revalidation review, and it focused on compliance with 2 components of the DHS EA 2006. In February 2007 US-VISIT received MDP1 approval with the stipulation that the program undergo a MDP2 review within 60 days. This February 2007 MDP1 alignment determination does not fully satisfy the legislative condition for several reasons. The review was based on US-VISIT documentation that was not current. In particular, the US-VISIT Mission Needs Statement[Footnote 31] did not reflect recent changes to the program, such as the IDENT/IAFIS interoperability and expansion of IDENT to collect 10, rather than 2, prints. The review assessed compliance with only general aspects of the DHS EA, such as the investment portfolio, the architecture principles, and the business model. It did not include US-VISIT’s compliance with other relevant aspects of the EA, such as the data and information security components. The review was based on DHS EA 2006. We reported[Footnote 32] in May 2007 that this version was missing important architectural content and did not address most of the comments made by DHS stakeholders. As a result, we concluded that it was not complete, consistent, understandable, or usable. Program officials told us that they submitted documentation for a more comprehensive MDP2 alignment review to the Enterprise Architecture Centers of Excellence in April 2007. They also stated that they have mitigated the risks of US-VISIT being misaligned with the DHS EA through other means. These included: submitting the technical baseline of existing hardware and software to the Center for Excellence for inclusion in the DHS EA; submitting technology insertion requests for new equipment planned for US-VISIT, such as RFID technology, to the EA Center of Excellence for review and inclusion in the DHS EA, and: relating US-VISIT capabilities with the business and services models of the FEA reference models. Notwithstanding these steps, DHS has yet to demonstrate, through verifiable documentation and methodologically-based analysis, that US- VISIT is aligned with a well-defined DHS EA. As a result, the program will remain at risk of being defined and implemented in a way that does not support optimized department wide operations, performance, and achievement of strategic goals and outcomes. Objective 1: Legislative Conditions: Condition 3: Condition 3. The plan, including related program documentation and program officials’ statements, partially provides for satisfying the condition that it comply with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government.[Footnote 33] Federal IT acquisition requirements, guidelines, and management practices provide an acquisition management framework that is based on the use of rigorous and disciplined processes for planning, managing, and controlling the acquisition of IT resources.[Footnote 34] Effective acquisition management processes are embodied in published best practices models, such as the Software Engineering Institute (SEI) Capability Maturity Models®. These models explicitly define, among other things, acquisition process management controls that are recognized hallmarks of successful organizations and that, if implemented effectively, can greatly increase the chances of acquiring software-intensive systems that provide promised capabilities on time and within budget. We reported in September 2003[Footnote 35] that the program office had not defined key acquisition management controls to support the acquisition of US-VISIT, and therefore its efforts to acquire, deploy, operate, and maintain system capabilities were at risk of not meeting system requirements and benefit expectations on time and within budget. Subsequently, the program adopted SEI Capability Maturity Model Integration[Footnote 36] (CMMI®) to guide its efforts to employ effective acquisition management practices and approved an acquisition management process improvement plan dated May 16, 2005. One of the goals of this plan was to achieve a CMMI® level 2 capability rating from SEI by October 2006. In September 2005, DHS’s initial assessment of 13 US-VISIT key acquisition process areas revealed a number of weaknesses. In light of this, US-VISIT updated its acquisition management process improvement plan, narrowing the scope of the process improvement activities to six of the CMMI process areas--project planning, project monitoring and control, requirements management, risk management, configuration management, and product and process quality assurance—and focusing on two US-VISIT projects—U.S. Travel Documents-ePassports (formerly Increment 2A) and Unique Identity. Under the updated plan, the goal for an external CMMI evaluation remained October 2006. During 2006, the program conducted periodic assessments in the six key process areas and reported that while it had increased the number of fully and largely implemented practices within these six areas, sufficient progress had not been made to pass an external evaluation in October 2006. Some of the weaknesses reported were: Insufficient definition of processes and preparation of supporting documents for areas such as systems development, budget and finance, facilities, and strategic planning (e.g., product work flow among organizational units was unclear and not documented, and roles, responsibilities, and assignments for performing work tasks and activities were not adequately defined and documented). Lack of policies, process descriptions, and templates for requirements development and management. Lack of definition of roles, responsibilities, work products, expectations, resources, and accountability of external stakeholder organizations. The program has since revised its process improvement plan. Among other things, the revised plan delays the date for having an external CMMI evaluation from October 2006 to November 2007. At the same time, it has continued to address the weaknesses discovered during earlier internal assessments. Based on its latest periodic assessment (March 2007), the program office reports that 83 percent of key practices are now either fully or largely implemented, up from 26 percent in August 2005 (see chart on next slide). Figure: State of US-VISIT Implementation of 113 Key Practices Associated with Six CMMI Key Process Areas: [See PDF for image] Source: GAO, based on an analysis of DHS data. [End of figure] In addition, the fiscal year 2007 expenditure plan reported progress in a seventh key process area not included in the program’s CMMI improvement efforts— contract tracking and oversight. In 2006, we reported[Footnote 37] that the program office had not effectively overseen US-VISIT related contract work performed on its behalf by other DHS and non-DHS agencies, and these agencies did not always establish and implement the full range of controls associated with effective management of contractor activities. Further, neither the program office nor the other agencies had implemented effective financial controls.[Footnote 38] Since this report was issued, the program office has instituted the use of oversight plans for new task order and contract awards and is developing a set of requirements for reimbursable contracts that address our recommendations to enhance the probability of successful performance and reduce risks. Notwithstanding this reported progress in implementing acquisition management process areas, the program’s acquisition management improvement efforts are focused on only seven acquisition management process areas. Other areas are also relevant to the program and need to be addressed. The status of the program office’s efforts to implement our recommendations aimed at implementing the full range of acquisition management controls is discussed later in this briefing. Objective 1: Legislative Conditions: Condition 4: Condition 4. The plan satisfies the condition that it include a certification by the DHS CIO that an IV&V agent is currently under contract for the project. On February 21, 2007, the DHS Deputy CIO certified in writing that two independent verification and validation agents[Footnore39] were under contract for US-VISIT and that these agents met the requirements and standards for an IV&V agent. 49 Objective 1: Legislative Conditions: Condition 5: Condition 5. The plan, including related program documentation and program officials’ statements, satisfies the requirement that it be reviewed and approved by the DHS Investment Review Board, the Secretary of Homeland Security, and OMB. The DHS Deputy Secretary, who is also the chair of the Investment Review Board, approved the fiscal year 2007 expenditure plan, and: OMB approved the plan on March 20, 2007. Objective 1: Legislative Conditions: Condition 6: Condition 6. The plan satisfies the requirement that it be reviewed by GAO. Our review was completed on June 15, 2007. Objective 1: Legislative Conditions: Condition 7: Condition 7. The plan does not satisfy the condition that it include a comprehensive US-VISIT strategic plan. Strategic plans are the starting point and basic underpinning for results-oriented management. Such plans articulate the fundamental mission of an organization, or program, and lay out its long-term goals and objectives for implementing that mission, including the resources needed to reach these goals. Federal legislation and guidelines[Footnote 40] require that agencies’ strategic plans include six key elements: (1) a comprehensive mission statement, (2) strategic goals and objectives, (3) strategies and the various resources needed to achieve the goals and objectives, (4) a description of the relationship between the strategic goals and objectives and annual performance goals, (5) an identification of key external factors that could significantly affect the achievement of strategic goals, and (6) a description of how program evaluations were used to develop or revise the goals and a schedule for future evaluations. As we have previously reported,[Footnote 41] strategic plans should also include a discussion of management challenges facing the program that may threaten its ability to meet long-term, strategic goals and efforts to coordinate among cross-cutting programs, activities, or functions. While the US-VISIT program is not required to explicitly follow these guidelines, the guidelines nonetheless provide a framework for effectively developing strategic plans and the basis for program accountability. However, the US-VISIT strategic plan[Footnote 42] does not include any of these key elements associated with effective strategic plans. In summary, the plan describes eight desired program capabilities[Footnote 43] and provides an implementation strategy that describes how each of these capabilities will be delivered over a multi- year investment horizon through three categories of activities – Foundation, Transformation, and Globalization. Foundation activities, which are described as modernization, enhancement, and expansion of capabilities and technologies, as well as leveraging current capabilities and technologies. Transformation activities, which are described as the implementation of processes and technologies that cut across the particular functions and entities that make up the immigration and border management system. Globalization activities, which are described as the coordination and sharing of information with foreign governments to improve the ability to detect and prevent potential threats from either entering the United States or remaining here. However, the plan does not provide time frames for the completion of these broad investment categories. The plan also does not include strategic goals and objectives or strategies for achieving goals and objectives. As a result, it is not clear what program capabilities will be delivered when and whether they are aligned with the program’s goals and objectives. Further, the plan does not include a comprehensive mission statement, describe the relationships between strategic goals and annual performance goals, the external factors that could affect the program, and the program evaluations used to establish or revise the goals. In addition, the US-VISIT strategic plan does not address management challenges facing the program, such as those addressed in our past recommendations. And although the strategic plan identifies the ability to communicate with external stakeholders as a desired capability, the plan does not provide any evidence of such past communication or explain the relationship between US-VISIT and other organizations within the border and immigration management enterprise. For example, it does not describe the relationship between US-VISIT and DHS’s Western Hemisphere Travel Initiative, even though both programs involve the entry of certain foreign individuals at U.S. POEs. While the strategic plan is missing important content, other related program documentation includes some of this content. For example, the fiscal year 2007 expenditure plan and the US-VISIT Mission Needs Statement state the program’s mission and goals. In addition, the US- VISIT Program Blueprint describes eight core capabilities, which are very similar to those described in the strategic plan, and maps those capabilities to four business outcomes. However, the Blueprint does not include strategic goals, so it is not clear whether the business outcomes are aligned with US-VISIT’s goals. Further, the outcomes are not described in the strategic plan. The Program Blueprint also notes that responsibilities for immigration and border management are spread across multiple agencies and departments. However, it does not provide clear delineations of these organizations’ respective tasks, services, or efforts. Further, the strategic plan does not cite or describe any coordination efforts to address this situation. Additionally, the Blueprint identifies border and immigration management enterprise stakeholders and identifies, for each stakeholder, needs and priorities, challenges, how the business outcomes will benefit the stakeholder, and stakeholder constraints that will affect business outcomes. This means that while some of the content of a US-VISIT strategic plan is captured in a fragmented fashion across a range of documents, the full range of content needed to define an authoritative strategic direction, focus, and roadmap for the program that is approved by departmental leadership is missing. Without it, DHS reduces the chances that the US-VISIT program will achieve desired results and succeed in achieving the program’s goals and objectives. Objective 1: Legislative Conditions: Condition 8: Condition 8. The plan, including related program documentation and program officials’ statements, does not satisfy the condition that it include a complete schedule for biometric exit implementation. The fiscal year 2007 expenditure plan addresses DHS’ near-term deployment plans for biometric exit capabilities at air and sea POEs. Further, it notes the absence of near-term biometric options for land POEs and mentions only a possible near-term, interim option that is being considered. In addition, the expenditure plan addresses all three locations of US-VISIT technology (air, sea, and land). However, the expenditure plan’s discussion of exit capabilities is conceptual and general and does not contain a schedule for the full implementation of US-VISIT exit capabilities at air, sea and land POEs. Air: The plan states that DHS plans to incorporate air exit into the airline check-in process. However, the plan does not provide any details as to what capabilities will be acquired and deployed when and at what cost. Instead, it states that DHS plans to integrate US-VISIT’s efforts with CBP’s pre-departure Advance Passenger Information System[Footnote 44] and TSA’s Secure Flight[Footnote 45] for purposes of partnering with the airline industry. Further, the plan does not include any schedule of air exit implementation activities, but rather, simply states that DHS plans to initiate efforts on its air exit solution at an unspecified time during the third quarter of fiscal year 2007, and will fully deploy the air exit solution by an unspecified time during calendar year 2008. On June 11, 2007, DHS provided us with a schedule for air exit, which the department characterized as high-level. For example, it does not include the underlying details supporting the timelines for such areas of activity as system design, system testing, and system development. However, program officials told us that greater detail existed to support the schedule, but that because this had not been approved by DHS, could not be provided. The schedule provided indicates that the air exit solution will be fully deployed by June 2009, which is at least six months after the deployment date provided in the expenditure plan. Sea: The plan states that DHS will initiate planning efforts on the sea exit deployment at an unspecified time during fiscal year 2007, and that it will emulate the technology and operational plans used for the air exit solution. However, the plan does not provide any details about how, when, and at what cost the sea exit solution will be accomplished, or provide a completion date or any interim dates. Land: Consistent with our December 2006 report,[Footnote 46] the plan states that implementing a biometric exit solution at land POEs is significantly more complicated and costly than air or sea exit because it would require a costly expansion of existing exit capacity, including physical infrastructure, land acquisition, and staffing. Because of this, the plan concludes that land exit cannot be practically based on biometric validation in the short term. In lieu of biometric-based exit at land POEs in the near term, the plan states that DHS will initially seek to match entry and exit records using biographic information in instances where departure information is not collected from an individual who leaves the country, as in the case of an individual who does not submit their Form I-94[Footnote 47] upon departure. However, the plan does not specify what this near-term focus entails and how, when, and at what cost it will be accomplished. Rather, it says that DHS has not yet determined a time frame or any cost estimates for the initiation of a land exit solution. Objective 2: Open Recommendations: Recommendation 1: Recommendation 1: Develop and begin implementing a system security plan and perform a privacy impact analysis and use the results of this analysis in near-term and subsequent system acquisition decision- making. Status: Partially complete: A system security plan and privacy impact assessment are important to understanding system requirements and ensuring that the proper safeguards are in place to protect system data, resources, and individuals’ privacy. Both best practices and federal guidance advocate their development and use. System Security Plan: The purpose of a system security plan is to define the steps that will be taken (i.e., security controls that will be implemented) to cost- effectively address known security risks. We reported[Footnote 48] in 2005 that the program office developed a US-VISIT system security plan that was generally consistent with federal practice. However, we also reported at that time that the plan was not based on a security risk assessment. In December 2005, the program office developed a US-VISIT risk assessment that addressed the risk elements required by OMB, including having an inventory of known risks, their probability of occurrence and impact, and recommended controls to address them. At that time, program officials told us that they intended to develop a US-VISIT security strategy that reflected the results of this risk assessment. In December 2006, the program office developed a US-VISIT security strategy and has since begun implementing it. For example, it has conducted security evaluations of commercial off-the-shelf software products before adding them to the program’s technical baseline. However, the scope of this strategy does not extend to all the systems that comprise US-VISIT. For example, the Treasury Enforcement Communications System (TECS), an integral component of US- VISIT, is not under the US-VISIT inventory of systems because it is owned by Customs and Border Protection. The fact that the US-VISIT security strategy’s scope is limited to only systems that the program office owns is not consistent with our recommendation. We have ongoing work to evaluate the quality of US- VISIT security documents and practices, including TECS implementation of security controls. Privacy Impact Assessment: The purpose of a privacy impact assessment is to ensure handling of information conforms to applicable legal, regulatory, and policy requirements regarding privacy, determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form[Footnote 49] in an electronic information system, and examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. In February 2006, we reported[Footnote 50] that the program office had developed and periodically updated a privacy impact assessment. However, we also reported that system documentation only partially addressed privacy. Since then, program officials told us that they have taken steps to ensure that the impact assessment’s results are used in deciding and documenting the content of US-VISIT projects. For example, they said that privacy office representatives are included in key project definition, design, and development meetings to ensure that privacy issues are addressed and that key system documentation now reflects privacy-based needs. Furthermore, US-VISIT privacy officials recently conducted an audit of system documentation to ensure that privacy is being addressed. They found only a single instance where privacy should have been addressed in system documentation but was not. Finally, our review of recently issued system documentation shows privacy concerns are being addressed. Objective 2: Open Recommendations: Recommendation 2: Recommendation 2: Develop and implement a plan for satisfying key acquisition management controls, including acquisition planning, solicitation, requirements management, project management, contract tracking and oversight, evaluation, and transition to support, and implement the controls in accordance with Software Engineering Institute (SEI) guidance.[Footnote 51] Status: Partially complete: Effective acquisition management controls are important contributors to the success of programs like US-VISIT. SEI has defined a range of acquisition management controls as part of its capability maturity models, which, when properly implemented, have been shown to increase the chances of delivering promised system capabilities on time and within budget. In June 2003, we first reported[Footnote 52] that the program did not have key acquisition management controls in place, and we reiterated this point in September 2003.[Footnote 53] In May 2005, the program office developed a plan for satisfying SEI acquisition management guidance and began implementing it. Its 2005 assessment addressed 13 SEI key process areas, a number of which were consistent with the seven management controls that we recommended. In April 2006, the program office updated its plan to focus on six key process areas: acquisition project planning, requirements management, project monitoring and control, risk management, configuration management, and product and process quality assurance. Since 2005, the program office reports that it has made progress in implementing the 113 practices associated with these six key process areas, as previously discussed. However, the six areas of focus do not include all of the management controls that we recommended. For example, solicitation, contract tracking and oversight, and transition to support are not included. While the program office reports that it has also addressed contract tracking and oversight as part of responding to a later recommendation that we made (not one of the nine recommendations addressed in this briefing), it also reports that it has yet to address the other two management controls. It is important for the program office to address all of the management controls that we recommended. If it does not, it will unnecessarily increase program risks. Objective 2: Open Recommendations: Recommendation 3: Recommendation 3: Ensure that expenditure plans fully disclose what system capabilities and benefits are to be delivered, by when, and at what cost, as well as how the program is being managed. Status: Partially complete The fiscal year 2007 expenditure plan discloses planned system capabilities, estimated schedules and costs, and expected benefits, but meaningful information about schedules, costs, and benefits is missing. Further, while the plan does provide information on some acquisition activities, it does not adequately describe how the program is being managed in a number of areas and does not disclose the management challenges that it continues to face. Without such information, the expenditure plan does not provide Congress with enough information to exercise effective oversight and hold the department accountable. Schedule: The fiscal year 2007 expenditure plan provides time commitments for some capabilities; however, these are not specific. For example, the plan states the following: Unique Identity: * Deployment of 10-print pilot to 10 air locations to begin in late 2007. * Initial Operating Capability functionality targeted for September 2008. Exit: * Air exit solution deployment will begin in third quarter 2007 and continue through 2008. * Begin work in fiscal year 2007 on sea exit deployment that will emulate technology and operational plans adopted for commercial aviation environment. Moreover, no schedule commitments are made for the development and deployment of PKD validation capabilities. Costs: The fiscal year 2007 expenditure plan identifies each project’s funding. In some cases, this information is provided with meaningful detail that allows for understanding of how the funds will be used. For example: Unique Identity shows the following activities and costs: * Acquisition and Procurement ($21.2 million)—purchase and initial deployment of 10-print capture devices and upgrades in network capabilities (bandwidth and technology refreshes) at 119 airports, 9 seaports, and 155 land ports. * Update DHS Border and Process Technology ($2.0 million)—update device to client biometric interfaces and further 10-print prototype testing and evaluation. However, in other cases, costs are not described at a level that would permit such understanding. For example: Contractor Services (Project Assigned) ($12.1 million) - contractor services and support for the project-related resource planning and management (including the areas of configuration, acquisition, and risk), as well as project performance metrics and reporting in the areas of cost, schedule, scope, and quality management. This exact wording is also used for this category in two other projects with different costs. In addition, unlike prior expenditure plans, carryover funds from prior years that are planned for use in 2007 are not allocated to 2007 activities. For example: Exit - A total of $7.3 million in fiscal year 2007 funds, plus fiscal year 2006 carryover funds of $20 million are mentioned as being allocated to begin the process of deploying DHS’ integrated air exit strategy and initial planning for sea exit. However, only the $7.3 million is allocated among the activities listed. No information is presented regarding the allocation of the $20 million in carryover funds to these activities or any others. Benefits: The fiscal year 2007 expenditure plan cites benefits associated with the projects. However, the benefits are broadly stated. For example, the plan describes exit benefits as “Safer and more secure travel” and Unique Identity benefits as “Facilitation of efficient, yet secure, trade and travel.” Acquisition Management: The 2007 expenditure plan describes a range of key acquisition management activities and control areas. These include: Requirements development and management: Configuration management: Data governance: However, the plan does not fully disclose challenges that the program faces in managing acquisition activities, nor does it discuss key areas in which change is occurring, such as capital planning and investment controls and human capital management. Objective 2: Open Recommendations: Recommendation 4: Recommendation 4: Ensure that the human capital and financial resources are provided to establish a fully functional and effective program office and associated management capability. Status: Partially complete: DHS established the US-VISIT program office in July 2003 and determined the office’s staffing needs to be 115 government and 117 contractor personnel. In September 2003, we reported[Footnote 54] that the program office lacked adequate human capital and financial resources. In August 2004, the program office, in conjunction with OPM developed a draft human capital plan. Agency officials stated that, at one point in 2006, all of the 115 government positions were filled. In addition, the program has received about $1.4 billion in funding, and we recently reported that it has devoted an increasing proportion of its annual appropriation to program office and related management activities. Since then, however, 21 of the government positions have become vacant. According to program officials, they have taken interim steps to address this void in leadership by temporarily assigning other staff to cover them. They added that they plan to fill all the positions through aggressive recruitment and that they do not consider the vacancies to present a risk to the program. However, without adequate human capital, particularly in key positions and for extended periods, program risks will invariably increase. Objective 2: Open Recommendations: Recommendation 5: Recommendation 5: Clarify the operational context within which US-VISIT must operate. Status: Partially complete: As we have previously reported, all programs exist within a larger operational (and technological) context or frame of reference that is captured in such strategically focused instruments as strategic plans and an EA. Additionally, having a strategic plan and an EA are recognized best practices and provided for in federal guidance. In 2003, we reported[Footnote 55] that DHS had yet to define the operational context in which US-VISIT is to operate, such as a well- defined department EA or a departmentally approved strategic plan. In the absence of this operational context, we stated that program officials could make assumptions and decisions that, if they proved inconsistent with subsequent departmental policy decisions, would require US- VISIT rework to make it interoperable with related programs and systems, such as the FBI’s 10-print biometric identity system known as IAFIS. Moreover, we stated that US-VISIT could be defined and implemented in a way that made it duplicative of other programs and systems, such as the Secure Border Initiative or the Western Hemisphere Travel Initiative. Since then, we have continued to report on the absence of this context. Most recently, we reported[Footnote 56]in February 2006 that this operational context was still a work in process. Specifically, we found that although a strategic plan was drafted that program officials said showed how US-VISIT was aligned with DHS’s organizational mission and defined an overall vision for immigration and border management across multiple departments and external stakeholders with common objectives, strategies, processes, and infrastructures, this plan had been awaiting departmental approval at that time for more than 11 months. In February 2007, we reported[Footnote 57] that US-VISIT was still lacking a departmentally approved operational context, and that this was exacerbated by DHS’s recent launching of other major programs without defining their relationships to US-VISIT. Examples of these programs are: Secure Border Initiative (SBI), a multi-year program to secure the borders and reduce illegal immigration by installing state-of-the-art surveillance technologies along the border, increasing border security personnel, and ensuring information access to DHS personnel at and between ports of entry. Western Hemisphere Travel Initiative (WHTI), which is to implement the provisions of the Intelligence Reform and Terrorism Prevention Act of 200448 requiring citizens of the United States, Canada, Bermuda, and Mexico to have a designated document for entry or re-entry into the United States that establishes the bearer’s identity and citizenship. US-VISIT continues to lack a well-defined operational context. As discussed earlier in this briefing, the fiscal year 2007 expenditure plan includes an appendix titled “Comprehensive Strategic Plan for US- VISIT,” which the Program Director told us is the department’s officially approved US- VISIT strategic plan. However, as we discussed in the legislative conditions section of the briefing, key elements of relevant federal guidance for a strategic plan are not addressed in this plan. For example, no specific outcome-related goals for major functions and operations of US-VISIT or specific objectives to meet those goals are provided, nor does it address external factors that could affect achievement of program goals. Finally, this strategic plan does not address the explicit relationships between US-VISIT and either the SBI or WHTI programs. We recently reported [Footnote 59] that DHS’s EA has evolved beyond prior versions. However, the DHS EA 2006[Footnote 60] was not complete for several reasons. For example, it was missing architecture content, such as a transition plan and evidence of a gap analysis between the “as is” and “to be” architectures, and it was developed with limited stakeholder input: support contractors and organizational stakeholders provided a range of comments on completeness, internal consistency, and understandability of a draft of the EA, but the majority of comments were not addressed. Because the EA was not complete, internally consistent and understandable, we concluded that its usefulness was limited, in turn limiting DHS’s ability to guide and constrain IT investments in a way that promotes interoperability and reduces overlap and duplication. Program officials told us that they have met with related programs to coordinate their respective efforts. They stated that DHS’s Office of Screening Coordination and Operations (SCO) has been trying to coordinate and unify the departmental components’ initiatives by bringing border management stakeholders together. However, specific coordination efforts have not been assigned to the SCO or any other DHS entity. The absence of a well-defined operational context within which to define and pursue US-VISIT has been longstanding. Until this context exists, the department will be challenged in its ability to define and implement US-VISIT and related border security and immigration management programs in a manner that promotes interoperability, minimizes duplication, and optimizes departmental capabilities and performance. Objective 2: Open Recommendations: Recommendation 6: Recommendation 6: Determine whether proposed US-VISIT increments will produce mission value commensurate with costs and risks and disclose to its executive bodies and the Congress the results of these business cases and planned actions.[Footnote 61] Status: Partially complete: The decision to invest in any system capability should be based on reliable analysis of return on investment. Moreover, according to relevant guidance, incremental investments in major systems should be individually supported by such analyses of benefits, costs, and risks. Without such analyses, an organization cannot adequately know that a proposed investment is a prudent and justified use of limited resources. In June and September 2003, and in February 2005, we reported[Footnote 62] that proposed investments in the then entry/exit system, US-VISIT Increment 1, and US-VISIT Increment 2B, respectively, were not justified by reliable business cases. Further, in February 2006 we reported[Footnote 63] that while a business case was prepared for Increment 1B, the analysis performed met only four of the eight criteria in OMB guidance. For example, it did not include a complete uncertainty analysis for the alternatives evaluated. More recently, the program office has developed business cases for two projects: Unique Identity and U.S. Travel Documents-ePassports (formerly Increment 2A).[Footnote 64] However, the program office has not developed a business case for another project that it plans to begin implementing this year—biometric exit at air POEs. As discussed later in the observations section of this briefing, the program office has defined very little about its proposed solution to meeting its exit needs at air POEs, including an analysis of alternative solutions to meeting this need on the basis of their relative costs, benefits, and risks. Until the program office has reliable business cases for each US-VISIT project in which alternative solutions for meeting mission needs are evaluated on the basis of costs, benefits, and risks, it will not be able to adequately inform its executive bodies and the Congress about its plans and will not provide the basis for prudent investment decision making. Objective 2: Open Recommendations: Recommendation 7: Objective 7: Open Recommendations Recommendation: Recommendation 7: Develop and implement a human capital strategy that provides for staffing open positions with individuals who have the requisite core competencies (knowledge, skills, and abilities). Status: Partially complete: Strategic management of human capital involves proactive efforts to understand an entity’s future workforce needs, existing workforce capabilities, and the gap between the two and to chart a course of action defining how this gap will be continuously addressed. Such an approach to human capital management is both a best practice and provision in federal guidance. In September 2003, we reported[Footnote 65] that US-VISIT did not have a human capital strategy. In February 2006, we reported[Footnote 66] that the program office issued a human capital plan and began implementing it. However, it stopped doing so during 2006 pending a departmental approval of a DHS-wide human capital initiative, known as MAXHR, and because all program office positions were filled. However, as noted earlier, the program office now reports that it has 21 government positions, including critical leadership positions, vacant. According to program officials, US-VISIT recently developed a new human capital plan as part of their Organizational Improvement Initiative and this plan is now being reviewed by the department. Because its approval is pending, we were not provided a copy. Objective 2: Open Recommendations: Recommendation 8: Recommendation 8: Develop and implement a risk management plan and ensure that all high risks and their status are reported regularly to the appropriate executives. Status: Partially complete: In September 2003, we reported[Footnote 67] that US-VISIT was a risky undertaking due to several factors, including its large scope and complexity and various program weaknesses. We concluded that these risks, if not effectively managed, would likely cause program cost, schedule, and performance problems. Since then, US-VISIT approved a risk management plan and began to put into place a risk management process that included, among other things, subprocesses for identifying, analyzing, managing, and monitoring risk. It also defined and began implementing a governance structure to oversee and manage the process, and it maintains a risk database that is available to program management and staff. In February 2006,[Footnote 68] we reported that the risk management process detailed in the risk management plan was not being consistently applied across the program. In addition, we reported that thresholds for elevating risks to department executives were not being applied and risk elevation was being left to the discretion of the Program Director. Since then, the program has provided training to its employees to ensure that they understood how to apply the risk management process. However, program officials told us that they have eliminated the thresholds for elevating risks beyond the US-VISIT Program Office. Further, no risks have been elevated to department executives since December 2005, and no specific guidance on when risks should be elevated beyond the US-VISIT Program Director is provided in the current risk management plan. Until the program office ensures that high risks are appropriately elevated, department executives will not have the information they need to make informed investment decisions. Objective 2: Open Recommendations: Recommendation 9: Recommendation 9: Define performance standards for US-VISIT that are measurable and reflect the limitations imposed on US-VISIT capabilities by relying on existing systems. Status: Partially complete: The operational performance of US-VISIT depends largely on the performance of the existing systems that have been integrated to form it. This means that, for example, the availability of US-VISIT is constrained by the downtime of existing systems. In February 2006, we reported[Footnote 69] that the program office had defined technical performance standards for several increments (e.g., Increments 1, 2B, and 2C), but these standards did not contain sufficient information to determine whether or not they reflected the limitations imposed by reliance on existing systems. Since then, program officials told us that they have not updated the performance standards for Increments 1-3 to reflect limitations imposed by relying on existing systems. As a result, the ability of these increments to meet performance requirements remains uncertain. Recently, the program office has developed requirements-related documentation on Unique Identity elements, including the iDSM. While this documentation specifies a requirement that the model be able to exchange information with external systems, and refers to this as a system constraint, it does not assess the quantitative impact that these changes would impose on the system. In order to determine such impacts, it is necessary to assess such factors as the response time and throughput of US-VISIT feeder systems on US-VISIT. Until the program defines performance standards that reflect the limitations of the existing systems upon which US-VISIT relies, the program lacks the ability to identify and effectively address performance shortfalls. Objective 3: Observation 1: Earned Value Data Show Favorable Variances: Observation 1: Earned value management data on ongoing prime contract task orders show that cost and schedule baselines are being met. Earned value management (EVM) is a program management tool for measuring progress by comparing, during a given period of time, the value of work accomplished with the amount of work expected to be accomplished. This comparison permits performance to be evaluated based on calculated variances from the planned (baselined) cost and schedule. EVM is both an industry accepted practice and an OMB requirement. The program office requires its prime contractor to use EVM,[Footnote 70] and the data provided by the program office show that the cumulative cost and schedule variances for the overall prime contract and all 12 ongoing task orders are within an acceptable range of performance. Our analysis of baseline and actual performance data using generally accepted earned value analysis techniques show that as of February 2007, the prime contractor had an overall: Positive cost variance for all task orders combined (i.e., was under budget) by about $17.1 million (about 7 percent of the $ 238.9 million worth of work to be completed). Negative schedule variance for all task orders combined (i.e., had a schedule slip) of only about $1.3 million worth of work (less than 1 percent of the work scheduled for the period). The six-month (September 2006-February 2007) trend in cost and schedule variances for the prime contract are shown on the next two pages. Figure: Cumulative Cost Variance: [See PDF for image] Source: GAO, based on an analysis of DHS data. [End of figure] Figure: Cumulative Cost Variance: [See PDF for image] Source: GAO, based on an analysis of DHS data. [End of figure] Our analysis of these data for two specific task orders showed similar results. Specifically, Task order 4: Program Level Engineering. This task order includes the development and maintenance of the US-VISIT target architecture, related standards, engineering plans, and guidance as well as performance modeling and technology assessments. As of February 2007, it: * Showed a positive cost variance (i.e., was under budget) by about $4.1 million (about 9.6 percent of the $ 42.7 million worth of work to be completed). * Showed a negative schedule variance (i.e., had a schedule slip) by about $230,000 worth of work (less than one percent of the work scheduled for the period). Task order 7: IT Solutions Delivery. This task order contains several Unique Identity project subtasks including (1) operation and maintenance of US- VISIT’s IDENT biometric identification system, (2) development and maintenance of the iDSM, (3) IDENT expansion to 10 prints, and (4) development and testing of enumeration functionality for the U.S. Citizenship and Immigration Services. As of February 2007, it: * Showed a positive cost variance (i.e., was under budget) by about $747,000 (less than 2 percent of the $44.5 million worth of work to be completed). * Showed a negative schedule variance (i.e., had a schedule slip) of about $384,000 worth of work (less than one percent of the work scheduled for the period). All of the above cited variances are within the expected range of 10 percent. Objective 3: Observation 2: Management Funding Remains High and Unsatisfied: Observation 2: DHS continues to propose a heavy investment in program management-related activities without adequate justification or full disclosure. Program management is an important and integral aspect of any system acquisition program. Our recommendations to DHS aimed at strengthening US- VISIT program management are grounded in our research, OMB requirements, and recognized best practices relative to the importance of strong program management capabilities. The importance of this area, however, does not in and of itself justify the level of investment in such activities. Rather, investment in program management-related activities, similar to investment in any program capability, should be based on full disclosure of the scope, nature, size, and value of the program and such investments should be justified in relation to the size and significance of the acquisition activities being performed. Earlier this year, we reported,[Footnote 71] that the program’s investment in program management had risen significantly over the past 4 years, particularly in relation to the program’s declining level of new system development. The fiscal year 2007 expenditure plan proposes a level of investment in program management similar to that for 2006. At the same time, no explanation or justification of such a relatively large investment in program management-related funding has been provided. Specifically, The fiscal year 2003 expenditure plan provided $30 million for program management and operations. In contrast, the fiscal year 2006 plan provided $126 million for program management-related functions. At the same time, funds provided for new development fell from $325 million in 2003 to $93 million in 2006. Restated, program management costs represented about 9 percent of planned development costs in 2003 but 135 percent of planned development in 2006. This means that in 2006, for every dollar spent on new capabilities, $1.35 was spent on management. * According to program officials, the fiscal year 2006 plan did not properly categorize proposed program management-related funding according to its intended use. They added that future expenditure plans would provide greater clarity into funds used for management versus development. The fiscal year 2007 expenditure plan proposed investing a comparable percentage of funding on management-related activities vis-a-vis new development. Specifically, our analysis shows that, for every dollar invested in new development, $1.25 is to be spent on management-related activities at either the program or project level. Charts showing this trend in management-related funding in relation to new development funding are on the following two pages. Figure: Development, Operations, and Program/Project Management Cost Trends, FY-2002-FY2007: (Dollars in millions.) [See PDF for image] Source: GAO analysis of DHS data. [End of figure] Figure: Program/Project Management Costs as Percentage of New Development: (Percentage of development) [See PDF for image] Source: GAO analysis of DHS data. [End of figure] The fiscal year 2007 expenditure plan does not explain the reasons for the sizable investment in management-related activities or otherwise justify it on the basis of measurable expected value. Without disclosing and justifying its proposed investment and program management-related efforts, it is unclear that such a large amount of funding for these activities represents the best use of resources. Objective 3: Observation 3: Exit Remains Inadequately Defined and Justified: Observation 3: Lack of a well-defined and justified exit solution introduces the risk of repeating failed and costly past exit efforts. The decision to invest in a system or system component should be based on a clear definition of what capabilities, what stakeholders, and what will be delivered according to what schedule and at what cost. Moreover, it should be economically justified via reliable analysis showing that execution of the plan will produce mission value commensurate with expected costs and risks. According to the fiscal year 2007 expenditure plan, DHS intends to begin deploying an exit capability at air and sea POEs and spend $27.3 million doing so. More specifically, the plan states that: $7.3 million in fiscal year 2007 funding and $20 million in fiscal year 2006 carryover funding will be used, in part, to begin the process of planning and designing an air and sea exit solution; the air exit solution will be fully deployed by an unspecified time during calendar year 2008; the air exit solution will be integrated with commercial airlines’ existing passenger check-in processes; and: the sea exit solution will emulate the technology and operational plans adopted for air exit. However, while US-VISIT has developed a high-level schedule for air exit, information supporting that schedule was not provided to GAO and no other exit program plans are available that define what will be done, by what entities, and at what cost to define, acquire, deliver, deploy, and operate this capability, including plans describing expected system capabilities, identifying key stakeholder (e.g., airlines) roles/responsibilities and buy-in, coordinating and aligning with related programs, and allocating funding to activities. In addition, the exit schedule provided by the program office indicates that the air exit solution is to be fully implemented by June 2009, which is at least 6 months after the full deployment date provided in the expenditure plan. Further, available documentation (e.g., the expenditure plan): does not define what key terms mean, such as “full implementation” and “integrated;” does not specify what the $20 million in fiscal year 2006 carryover funding will be spent on, and only allocates the $7.3 million in fiscal year 2007 funding to such broad categories of activities as project management, contractor services, and planning and design; and: does not describe what has been done and what is planned to engage with commercial airlines, even though the recently-provided air exit schedule states that the department plans to issue a proposed federal regulation requiring airlines to participate in this effort by end of calendar year 2007. Moreover, no analysis comparing the life cycle costs of the air exit solution to its expected benefits and risks is available. In particular, neither the 2007 expenditure plan nor any other program documentation describe measurable outcomes (benefits and results) that will result from an air exit solution. According to the expenditure plan, significant air exit planning and testing has been conducted over the past 3 years and the air exit solution is based in part on these efforts. However, during this time we have continued to report on fundamental limitations in the definition and justification of those efforts. For example, In September 2003,[Footnote 72] we reported that DHS had not economically justified the initial US-VISIT increment (which was to include an exit capability at air and sea POEs) on the basis of benefits, costs, and risks. As result, we recommended that DHS determine whether proposed incremental capabilities will produce value commensurate with program costs and risks. In May 2004,[Footnote 73] we reported that an exit capability (including biometric capture) was not deployed to the 80 air and 14 sea POEs as part of Increment 1 deployment in December 2003, as originally intended. Instead, a pilot exit capability was deployed to only one air and one sea POE on January 5, 2004. At that time, program officials told us that it was being piloted at only two locations because they decided to evaluate other exit alternatives and planned to select an alternative for full deployment by December 31, 2004. In February 2005,[Footnote 74] we reported that DHS had not adequately planned for evaluating the air and sea exit alternatives because the scope and timeline of the pilot evaluations were compressed. We recommended that the program office reassess its plans for deploying an exit capability to ensure that the scope of the pilot provided an adequate evaluation of alternatives. In February 2006,[Footnote 75] we reported that DHS had analyzed the cost, benefits, and risks for its air and sea exit capability, but the analyses did not demonstrate that the program was producing or would produce mission value commensurate with expected costs and benefits, and the costs upon which the analyses were based were not reliable. We also raised questions about the adequacy of the program’s air exit pilot evaluation, noting that the results showed an average compliance of only 24 percent across the three alternatives. We concluded that until exit alternatives were adequately evaluated, the program office would not be in a position to select the best solution. We further noted that without an effective exit capability, the benefits and the mission value of US-VISIT would be greatly diminished. We did not make a recommendation to address this because we had already addressed the situation through a prior recommendation. In December 2006,[Footnote 76] we reported that US-VISIT officials had concluded that a biometric US-VISIT land exit capability could not be implemented without incurring a major impact on land POE facilities. We also reported that the land exit pilots had surfaced several performance problems, such as RFID devices not reading a majority of travelers’ tags during testing and multiple RFID devices installed on poles or structures over roads reading information from the same traveler tag. We recommended that DHS report to Congress information on the costs, benefits, and feasibility of deploying biometric and nonbiometric exit capabilities at land POEs. In February 2007,[Footnote 77] we reported that DHS had not adequately defined and justified its past investment in exit pilots and demonstration projects. We noted that the program had devoted considerable time and resources to exit but still did not have either an operational exit capability or a viable exit solution to deploy. Further, exit-related program documentation did not adequately define what work was to be done or what these efforts would accomplish and did not describe measurable outcomes from the pilot or demonstration efforts, or related cost, schedule, and capability commitments that would be met. We recommended that planned expenditures be limited for exit pilots and demonstration projects until such investments are economically justified and until each investment has a well-defined evaluation plan. Notwithstanding these longstanding limitations in planning for and justifying its exit efforts, and notwithstanding that funding for exit- related efforts in US-VISIT expenditure plans for fiscal years 2003 through 200668 totals about $250 million, no operational exit capability exists. Unless the department better plans and justifies its new exit efforts, it runs the serious risk of repeating this past failure. Conclusions: US-VISIT’s prime contract cost and schedule metrics show that expectations are being met, according to available data, although their earned value management system that the metrics are based on has yet to be independently certified. Nothwithstanding this, such performance is a positive sign. However, the vast majority of the many management weaknesses raised in this briefing have been the subject of our prior US-VISIT reports and testimonies, and thus are not new. Accordingly, we have already made a litany of recommendations to correct each weakness, as well as follow- on recommendations to increase DHS attention to and accountability for doing so. Despite this, recurring legislative conditions associated with US-VISIT expenditure plans continue to be less than fully satisfied, and recommendations that we made 4 years ago are still not fully implemented. Exacerbating this situation is the fact that the DHS did not satisfy two new legislative conditions associated with the fiscal year 2007 expenditure plan, and serious questions continue to exist about DHS’s justification for and readiness to invest current, and potentially future, fiscal year funding relative to an exit solution and program management-related activities. DHS has had ample opportunity to address these many issues, but it has not. As a result, there is no reason to expect its newly launched exit endeavor, for example, to produce results different from its past endeavors—namely, no operational exit solution despite expenditure plans allocating about a quarter of billion dollars to various exit activities. Similarly, there is no reason to believe that the program’s disproportionate investment in management-related activities represents a prudent and warranted course of action. All told, this means that needed improvements in US-VISIT program management practices are long overdue. Both the legislative conditions and our open recommendations are aimed at accomplishing these improvements, and thus they need to be addressed quickly and completely. Thus far, they have not been and the reasons that they have not are unclear. Recommendations for Executive Action: Because our outstanding US-VISIT recommendations already address all of the management weaknesses discussed in this briefing, we are reiterating our prior recommendations, and recommending that the Secretary of DHS report to the department’s authorization and appropriations committees on its reasons for not fully addressing its expenditure plan legislative conditions and our prior recommendations. Agency Comments: We provided a draft of this briefing to DHS and US-VISIT program officials and solicited their comments on it. In response, DHS and US- VISIT program officials, including the program director, stated that the briefing was factually correct and that GAO's continued guidance provided value to the program. They also stated that the program office would continue to address our open recommendations, and would formally comment on a draft of our report that transmits the briefing. Attachment 1: Scope and Methodology: To accomplish our first objective, we reviewed the fiscal year 2007 plan and other available program documentation related to each condition. In doing so, we examined not only completed actions and steps, but also planned actions and steps, including program officials’ stated commitments to perform such activities and steps. More specifically, we: * compared the information in the program’s fiscal year 2007 Exhibit 300 budget submission and related documentation to capital planning guidance (OMB A-11 part 7) to determine whether the information complies with the capital planning and investment controls, * assessed program documents against criteria in DHS’s Investment Review Process to determine whether the program could demonstrate compliance with the DHS enterprise architecture, * assessed the program’s software improvement program to determine the progress made in developing acquisition processes that meet industry standards, * reviewed documentation to determine whether an independent verification and validation agent was currently under contract, reviewed documentation to determine whether the expenditure plan received the required certification and approvals, * reviewed US-VISIT’s strategic plan submission and compared it against federal legislation and guidelines, and GAO strategic planning criteria to determine whether US-VISIT’s strategic plan met best practices, and * reviewed US-VISIT’s exit submission to determine the extent to which it described the exit capabilities to be deployed and included a schedule for deploying these capabilities. To accomplish our second objective, we: * Reviewed and analyzed the fiscal year 2007 expenditure plan, US- VISIT’s most recent status reports on the implementation of our open recommendations, and related key documents, augmented as appropriate by interviews with program officials. Specifically, we reviewed and analyzed: * relevant systems acquisition documentation, including the program’s process improvement plan, risk management plan, and configuration management plan; * the program’s security plan, privacy impact assessment, and related system acquisition documents; * the program’s most recent draft human capital strategy and related documents; We also reviewed the fiscal year 2007 plan to determine whether it - disclosed key aspects of how the acquisition is being managed, including management areas that our prior reports on US-VISIT identified as important but missing (e.g., governance structure, organizational structure, human capital, systems configuration, and system capacity); and: - fully disclosed system capabilities and related benefits as well as cost and schedule information. To accomplish our third objective, we reviewed the fiscal year 2007 plan and other available program documentation related to each of the following areas. In doing so, we examined completed and planned actions and steps, including program officials’ stated commitments to perform them. For earned value, we reported data provided by the contractor to US-VISIT that is verified by US- VISIT. To assess its reliability, we reviewed relevant documentation and interviewed the system owner for the earned value data. More specifically, we addressed US-VISIT efforts to: - track and manage cost and schedule commitments by applying established earned value analysis techniques to baseline and actual performance data from cost performance reports, - define and justify program management costs by reviewing and analyzing data on costs provided as part of the expenditure plan; and: - define and implement an exit strategy for air, sea, and land by reviewing and analyzing information provided as part of the expenditure plan. Additionally, in February 2007,1 we reported that the system that US- VISIT uses to manage its finances (U.S. Immigration and Customs Enforcement’s Federal Financial Management System (FFMS)) has reliability issues. In light of these issues, the US-VISIT Budget Office tracks program obligations and expenditures separately using a spreadsheet and comparing this spreadsheet to the information in FFMS. Based on a review of this spreadsheet, there is reasonable assurance that the US-VISIT budget numbers being reported by FFMS are accurate. For DHS-provided data that our reporting commitments did not permit us to substantiate, we have made appropriate attribution indicating the data’s source. To assess the reliability of US-VISIT’s electronic document repository, we reviewed relevant documentation and talked with an agency official about data quality control procedures. We determined the data were sufficiently reliable for the purposes of this report. We conducted our work at US-VISIT program offices in Arlington, Virginia, from March 2007 through June 2007, in accordance with generally accepted government auditing standards. Attachment 2: Related Products List: Related Products List: * Homeland Security: DHS Enterprise Architecture Continues to Evolve But Improvements Needed. GAO-07-564. Washington D.C.: May 9, 2007 * Homeland Security: US-VISIT Program Faces Operational, Technological, and Management Challenges. GAO-07-632T. Washington D.C.: March 20, 2007. * Homeland Security: US-VISIT Has Not Fully Met Expectations and Longstanding Program Management Challenges Need to Be Addressed. GAO- 07-499T. Washington D.C.: February 16, 2007. * Homeland Security: Planned Expenditures for U.S. Visitor and Immigrant Status Program Need to Be Adequately Defined and Justified. GAO-07-278. Washington D.C.: February 14, 2007. * Border Security: US-VISIT Program Faces Strategic, Operational, and Technological Challenges at Land Ports of Entry. GAO-07-378T. Washington D.C.: January 31, 2007. * Border Security: US-VISIT Program Faces Strategic, Operational, and Technological Challenges at Land Ports of Entry. GAO-07-248. Washington D.C.: December 6, 2006. * Homeland Security: Contract Management and Oversight for Visitor and Immigrant Status Program Need to Be Strengthened. GAO-06-404. Washington, D.C.: June 9, 2006. * Homeland Security: Progress Continues, but Challenges Remain on Department’s Management of Information Technology. GAO-06-598T. Washington, D.C.: March 29, 2006. * Homeland Security: Recommendations to Improve Management of Key Border Security Program Need to Be Implemented. GAO-06-296. Washington, D.C.: February 14, 2006. * Homeland Security: Visitor and Immigrant Status Program Operating, but Management Improvements Are Still Needed. GAO-06-318T. Washington, D.C.: January 25, 2006. * Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program. GAO-05-700. Washington, D.C.: June 17, 2005. * Information Technology: Customs Automated Commercial Environment Program Progressing, but Need for Management Improvements Continues. GAO-05-267. Washington, D.C.: March 14, 2005. * Homeland Security: Some Progress Made, but Many Challenges Remain on U.S. Visitor and Immigrant Status Indicator Technology Program. GAO-05- 202. Washington, D.C.: February 23, 2005. * Border Security: State Department Rollout of Biometric Visas on Schedule, but Guidance Is Lagging. GAO-04-1001. Washington, D.C.: September 9, 2004. * Border Security: Joint, Coordinated Actions by State and DHS Needed to Guide Biometric Visas and Related Programs. GAO-04-1080T. Washington, D.C.: September 9, 2004. * Homeland Security: First Phase of Visitor and Immigration Status Program Operating, but Improvements Needed. GAO-04-586. Washington, D.C.: May 11, 2004. * Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed. GAO-04-569T. Washington, D.C.: March 18, 2004. * Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed. GAO-03-1083. Washington, D.C.: September 19, 2003. * Information Technology: Homeland Security Needs to Improve Entry Exit System Expenditure Planning. GAO-03-563. Washington, D.C.: June 9, 2003. Attachment 3: Detailed Description of US-VISIT Program: The US-VISIT program consists of nine organizations and uses contractor support services in several areas. The roles and responsibilities of each of the nine organizations include the following: Chief Strategist is responsible for developing and maintaining the strategic vision and related documentation, transition plan, and business case. Budget and Financial Management is responsible for establishing the program’s cost estimates; analysis; and expenditure management policies, processes, and procedures that are required to implement and support the program by ensuring proper fiscal planning and execution of the budget and expenditures. Mission Operations Management is responsible for developing business and operational requirements based on strategic direction provided by the Chief Strategist. Outreach Management is responsible for enhancing awareness of the US- VISIT requirements among foreign nationals, key domestic audiences, and internal stakeholders by coordinating outreach to media, third parties, key influencers, Members of Congress, and the traveling public. Information Technology Management is responsible for developing technical requirements based on strategic direction provided by the Chief Strategist and business requirements developed by Mission Operations Management. Implementation Management is responsible for developing accurate, measurable schedules and cost estimates for the delivery of mission systems and capabilities. Acquisition and Program Management is responsible for establishing and managing the execution of program acquisition and management policies, plans, processes, and procedures. 126 Attachment 3 Detailed Description of US-VISIT Program Administration and Training is responsible for developing and administering a human capital plan that includes recruiting, hiring, training, and retaining a diverse workforce with the competencies necessary to accomplish the mission. Facilities and Engineering Management is responsible for establishing facilities and environmental policies, procedures, processes, and guidance required to implement and support the program office. 127 Attachment 3 Detailed Description of US-VISIT Program The program uses contractor support services in the following six subject matter areas: Facilities and Infrastructure – provides the infrastructure and facilities support necessary for current and anticipated future staff for task orders awarded under the prime contract. Program-Level Management – defines the activities required to support the prime contractor’s program management office, including quality management, task order control, acquisition support, and integrated planning and scheduling. Program-Level Engineering – assures integration across incremental development of US-VISIT systems and maintains interoperability and performance goals. Data Management Support – analyzes data for errors and omissions, corrects data, reports changes to the appropriate system of record owners, and provides reports. Data Management and Governance – provides support in the implementation of data management architecture and transition and sequencing plans, conducts an assessment of the current data governance structure and provides a recommendation for the future data governance structure, including a data governance plan. Mission Operations Data Integrity Improvements – determines possible ways to automate some of the data feeds from legacy systems, making the data more reliable. Attachment 4: Detailed Description of Increments and Component Systems: Below is a discussion of the processes underlying each increment and the systems that provide information to US-VISIT. Increment 1 processes –Increment 1 includes the following five processes at air and sea ports of entry (POE): pre-entry, entry, status management, exit, and analysis, which are depicted in the graphic below. Figure: [See PDF for image] Source: GAO analysis of US-VISIT data, Nova Development Corp. (clipart). [End of figure] Pre-entry process: Pre-entry processing begins with initial petitions for visas, grants of visa status, or the issuance of travel documentation. When a foreign national applies for a visa at a U.S. consulate, biographic and biometric data are collected and shared with border management agencies. The biometric data (i.e., fingerprint scan of the right and left index fingers) are transmitted from the Department of State (State) to the Department of Homeland Security (DHS), where the fingerprints are run against the Automated Biometric Identification System (IDENT) to verify identity and to run a check against the biometric watch list. The results of the biometric check are transmitted back to State. A “hit” response prevents State’s system from printing a visa for the applicant until the information is cleared by a consular officer. Pre-entry also includes transmission by commercial air and sea carriers of crew and passenger manifests before arriving in the United States.[Footnote 80] These manifests are transmitted through the Advance Passenger Information System (APIS). The APIS lists are run against the biographic lookout system and identify those arrivals who have biometric data available. In addition, POEs review the APIS list in order to identify foreign nationals who need to be scrutinized more closely. Entry process: When the foreign national arrives at a primary POE inspection booth, the inspector, using a document reader, scans the machine-readable travel documents. APIS returns any existing records on the foreign national to the US-VISIT workstation screen, including manifest data matches and biographic lookout hits. When a match is found in the manifest data, the foreign national’s name is highlighted and outlined on the manifest data portion of the screen. Biographic information, such as name and date of birth, is displayed on the bottom half of the computer screen, as well as the photograph from State’s Consular Consolidated Database. The inspector at the booth scans the foreign national’s fingerprints (left and right index fingers) and takes a digital photograph. This information is forwarded to the IDENT database, where it is checked against stored fingerprints in the IDENT lookout database. If no prints are currently in IDENT, the foreign national is enrolled in US-VISIT (i.e., biographic and biometric data are entered). If the foreign national’s fingerprints are already in IDENT, the system performs a match (a comparison of the fingerprint taken during the primary inspection to the one on file) to confirm that the person submitting the fingerprints is the person on file. If the system finds a mismatch of fingerprints or a watch list hit, the foreign national is sent to an inspection booth for further screening or processing. While the system is checking the fingerprints, the inspector questions the foreign national about the purpose of his or her travel and length of stay. The inspector adds the class of admission and duration of stay information into the Treasury Enforcement Communications Systems (TECS), and stamps the “admit until” date on the Form I-94. If the foreign national is ultimately determined to be inadmissible, the person is detained, lookouts are posted in the databases, and appropriate actions are taken. Within 2 hours after a flight lands and all passengers have been processed, TECS is to send the Arrival Departure Information System (ADIS) the records showing the class of admission and the “admit until” dates that were modified by the inspector. Status management process: The status management process manages the foreign national’s temporary presence in the United States, including the adjudication of benefits applications and investigations into possible violations of immigration regulations. Commercial air and sea carriers transmit departure manifests electronically for each departing passenger. These manifests are transmitted through APIS and shared with ADIS. ADIS matches entry and exit manifest data to ensure that each record showing a foreign national entering the United States is matched with a record showing the foreign national exiting the United States. ADIS also provides the ability to run queries on foreign nationals who have entry information but no corresponding exit information. ADIS receives status information from the Computer Linked Application Information Management System and the Student and Exchange Visitor Information System on foreign nationals. Exit process: The exit process includes the carriers’ electronic submission of departure manifest data to APIS. This biographic information is passed to ADIS, where it is matched against entry information. Analysis: An ongoing analysis capability is to provide for the continuous screening against watch lists of individuals enrolled in US-VISIT for appropriate reporting and action. As more entry and exit information becomes available, it is to be used to analyze traffic volume and patterns as well as to perform risk assessments. The analysis is to be used to support resource and staffing projections across the POEs, strategic planning for integrated border management analysis performed by the intelligence community, and determination of travel use levels and expedited traveler programs. Increment 2B and Increment 3 processes –: Increments 2B and 3 deployed US-VISIT entry processing capabilities to land POEs. These two increments are similar to Increment 1 (air and sea POEs), with several noteworthy differences. No advance passenger information is available to the inspector before the traveler arrives for inspection. Travelers subject to US-VISIT are processed at secondary inspection, rather than at primary inspection. Inspectors’ workstations use a single screen, which eliminates the need to switch between the TECS and IDENT screens. Form I-94 data are captured electronically. The form is populated by data obtained when the machine-readable zone of the travel document is swiped. If visa information about the traveler exists in the Datashare database,[Footnote 81] it is used to populate the form. Fields that cannot be populated electronically are manually entered. A copy of the completed form is printed and given to the traveler for use upon exit. No electronic exit information is captured. 2Datashare includes a data extract from State’s Consular Consolidated Database system and includes the visa photograph, biographical data, and the fingerprint identification number assigned when a nonimmigrant applies for a visa. Component Systems: US-VISIT Increments 1 through 3 include the interfacing and integration of existing systems and, with Increment 2C, the creation of a new system. The three main existing systems are as follows: Arrival Departure Information System (ADIS) stores; * non-citizen traveler arrival and departure data received from air and sea carrier manifests, * arrival data captured by CBP officers at air and sea POEs, * Form I-94 issuance data captured by CBP officers at Increment 2B land POEs, and: * status update information provided by the Student and Exchange Visitor Information System (SEVIS) and the Computer Linked Application Information Management System (CLAIMS 3) (described below). ADIS provides record matching, query, and reporting functions. The passenger processing component of the Treasury Enforcement Communications Systems (TECS) includes two systems: * Advance Passenger Information System (APIS) captures arrival and departure manifest information provided by air and sea carriers, and: * Interagency Border Inspection System (IBIS) maintains lookout data and interfaces with other agencies’ databases. CBP officers use these data as part of the admission process. The results of the admission decision are recorded in TECS and ADIS. The Automated Biometric Identification System (IDENT) collects and stores biometric data on foreign visitors, including data such as * Federal Bureau of Investigation information[Footnote 82] on all known and suspected terrorists, selected wanted persons (foreign-born, unknown place of birth,previously arrested by DHS), and previous criminal histories for high-risk countries; * DHS Immigration and Customs Enforcement information on deported felons and sexual registrants; and * DHS information on previous criminal histories and previous IDENT enrollments. US-VISIT also exchanges biographic information with other DHS systems, including SEVIS and CLAIMS 3: * SEVIS is a system that contains information on foreign students and: * CLAIMS 3 is a system that contains information on foreign nationals who request benefits, such as change of status or extension of stay. Some of the systems involved in US-VISIT, such as IDENT and AIDMS, are managed by the program office, while some systems are managed by other organizational entities within DHS. For example: * TECS is managed by CBP, * SEVIS is managed by Immigration and Customs Enforcement, * CLAIMS 3 is under United States Citizenship and Immigration Services, and: * ADIS is owned by US-VISIT, but is managed by CBP. US-VISIT also interfaces with other, non-DHS systems for relevant purposes, including watch list[Footnote 83] (i.e. lookout) updates and checks to determine whether a visa applicant has previously applied for a visa or currently has a valid U.S. visa. In particular, US-VISIT receives biographic and biometric information from State’s Consular Consolidated Database as part of the visa application process, and returns fingerscan information and watch list changes. [End of section] Appendix II: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: August 13, 2007: Mr. Randolph C. Hite: Director, Information Technology Architecture: and Systems Issues: 441 G Street, NW: U.S. Government Accountability Office: Washington, DC 20548: Re: Draft Report GAO-07-1065, Homeland Security: U.S. Visitor and Immigrant Status Program's Longstanding Lack of Strategic Direction and Management Controls Needs to be Addressed (GAO Job Code 310650) Dear Mr. Hite: The Department of Homeland Security (DHS) appreciates the opportunity to review and comment on the draft report referenced above. We agree with the majority of the findings. However, there are some findings with which DH-S officials disagree, and on which we provide comments below. Other comments are intended to provide either additional information or clarification. As you know, US-VISIT represents the greatest advancement in border technology in three decades. The Department of Homeland Security established US-VISIT to achieve the following goals: (1) enhance the security of our citizens and visitors; (2) facilitate legitimate travel and trade; (3) ensure the integrity of our immigration system; and (4) protect the privacy of visitors. For all the successes of US-VISIT, the Department realizes, and your report supports the fact, that we need to improve the core areas of the report that focus on management controls, operational context, and human capital. We have already established much of the foundation for meeting future challenges and will continue to improve the necessary disciplines for excellent program management. We realize that much needs to be done, and we appreciate the guidance provided by reports such as this. US-VISIT officials are establishing an Integrated Project Team to engage the U.S. Government Accountability Office (GAO) staff to aggressively review the open recommendations and satisfy and close each of them. DHS will appreciate consideration of our comments and their inclusion in any revision in this draft report or any future related audit report. We will engage with GAO on any questions or concerns you have with US-VISIT's comments. GAO notes that DHS has partially implemented recommendations pertaining to US-VISIT that have been open for four years and provides a summary of the status. 1. Recommendation: Develop and begin implementing a system security plan and perform a privacy impact analysis and use the results of this analysis in near term and subsequent system acquisition decision making. DHS Response: US-VISIT officials do not agree with this recommendation and consider it satisfied based on security activities undertaken in response to previous GAO recommendations. GAO reported in 2005 that the US-VISIT program office completed a security plan largely consistent with federal practice. However, this plan did not properly consider a security risk assessment. Since that time, US-VISIT has communicated to GAO that it was replacing the security plan with an enterprise security strategy and enterprise risk assessment. Officials noted that all individual systems comprising the US-VISIT program that were under US- VISIT control had been certified and accredited in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) policy, to include security plans and risk assessments for each system. US-VISIT completed the enterprise risk assessment in 2005 and, based on that assessment, an enterprise security strategy was completed in 2006. US-VISIT delivered an IT Security Strategy Plan to GAO in January 2007. As part of GAO's results of analysis on page 35, GAO states that the program office's security strategy developed in December 2006 ".was limited to the systems under US-VISIT control and does not mention, for example, the Treasury Enforcement Communications System (TECS) which provides biographic information to US- VISIT and is owned by Customs and I3order Protection (CBP). According to NIST Special Publication 800- 18, a comprehensive security strategy should include all component systems." In actuality, NIST publication 800-18 provides guidance for completing system security plans and not enterprise security strategies. Furthermore, it notes that systems should have the following characteristics when determining system boundaries for complex systems: (1) have the same function or mission objective and essentially the same operating characteristics and security needs, and (2) reside in the same general operating environment (or in the case of a distributed information system, reside in various locations with similar operating environments). TECS is a mainframe environment owned by CBP and located in a CBP data center that serves many other program needs besides US-VISIT. US-VISIT and CBP have developed and signed Interconnection Security Agreements (ISAs) which detail the security controls that must be in place prior to the exchange of any data. These ISAs are consistent with federal policy in general and DHS policy in particular for sharing data in a secure manner. The US-VISIT program remains current with all certification and accreditation documents for systems within its control. As part of its commitment to security, the program is also updating the enterprise security strategy and enterprise risk assessment on a regular basis. In addition, the options available to US- VISIT to address this risk--developing ISAs and collaborating with CBP on development efforts to ensure security--are already in place. In discussing the privacy impact assessment aspect of the recommendation, GAO notes (pp. 65-66) that "US-VISIT privacy officials recently conducted an audit of system documentation to ensure that privacy is being addressed. They found only a single instance where privacy should have been addressed in system documentation but was not. Finally, our review of recently issued system documentation shows privacy concerns are being addressed." US-VISIT considers this part of the recommendation as satisfied based on privacy activities undertaken in response to previous GAO recommendations. The US-VISIT privacy team review identified 250 documents prepared for the Automated Biometric Identification System (IDENT) since January 1, 2006. Of these, 66 of the more recently created documents were selected for review. Of the 66 documents reviewed, seven were determined to be relevant system documents. It was determined that the remaining documents were not relevant system documents for including privacy assessments based on the type of system document or based on the fact that the documents were for system updates that did not have a privacy impact. Of these seven relevant system documents, six were determined to have satisfactory discussions of privacy. One document, the Enumeration Data Management Plan, did not have a satisfactory discussion of privacy, and that document is being revised to include the privacy requirements. 2. Recommendation: Develop and implement a plan for satisfying key acquisition management controls, including acquisition planning, solicitation, requirements management, project management, contract tracking, oversight, evaluation, and transition to support, and implement the controls in accordance with Software Engineering Institute (SEI) guidance. DHS Response: US-VISIT officials agree with this recommendation and have demonstrated efforts to satisfy this recommendation. US-VISIT has focused on the implementation of six Capability Maturity Model Integration (CMMI) process areas as a result of the 2005 internal appraisal. As reflected in the 2006 Process Improvement Plan, the six process areas are being implemented in two pilot US- VISIT projects as well as internal program office functional groups that are responsible for these process areas. An appraisal conducted in May 2006 reported progress against the US-VISIT 2006 Process Improvement goals. Another internal appraisal was completed in November 2006, and the results were briefed to the Management Steering Group (MSG) in December 2006. The appraisal results showed that the participating projects and program office functions progressed from 29 fully or largely implemented practices assessed in 2005 to 55 in November 2006; in addition all 29 practices `not implemented' in 2005 were reduced to zero in November 2006. Follow-up quarterly internal appraisals are planned, and the results will be reported to the Enterprise Process Group (EPG) and MSG. US-VISIT has updated the Process Improvement Plan for 2007 to re- establish goals and define activities to undertake in 2007 to continue to address strengthening processes. A copy of this document was provided to the GAO audit team for review. 3. Recommendation: Ensure that expenditure plans fully disclose what system capabilities and benefits are to be delivered, by when, and at what cost, as well as how the program is being managed. DHS Response: US-VISIT officials agree with this recommendation and have demonstrated efforts to satisfy this recommendation. In developing the FY 2008 Expenditure Plan, US-VISIT has incorporated into its data call templates, requirements to: articulate results against prior year commitments; report project performance against cost and schedule estimates; link discussions of project capabilities, benefits, and performance indicators; and provide a clearer explanation of operations & maintenance and program management costs and results. The draft FY 2008 Expenditure Plan is to be provided to National Protection and Programs Directorate (NPPD) to begin DHS review and approval at the beginning of September 2007. This will provide the first evidence of efforts to address this recommendation. Addressing Recommendations 4 and 7: 4. Recommendation: Ensure that the human capital and financial resources are provided to establish a fully functional and effective program office and associated management capability. Recommendation 7: Develop and implement a human capital strategy that provides for staffing open positions with individuals who have the requisite core competencies (knowledge, skills and abilities). DHS Response: US-VISIT officials agree with this recommendation and have demonstrated efforts to satisfy this recommendation. As of 31 December 2006, all 115 Federal positions designated for US-VISIT had been filled, with recruitment actions in process for 10 vacancies that resulted from expected turnover. In FY 2006, US-VISIT experienced a 10 percent turnover rate. The current US-VISIT Human Capital Plan, developed in 2004 to guide strategic human capital initiatives through 2008, is expected to be superseded by a 2007 revision following approval of US- VISIT's Organizational Improvement Initiative (011). Currently, 90 of 115 authorized US-VISIT positions are filled. The 25 vacancies are a result of attrition. The attrition was mitigated by a successful intern program and recruitment and retention program that was implemented in July 2007, with executive management sponsorship and dedicated resources from the human capital planning project team. Further, US-VISIT is fully budgeted to hire its complement of employees. 5. Recommendation: Clarify the operational context within which US- VISIT must operate. DHS Response: US-VISIT officials agree with this recommendation and have demonstrated efforts to satisfy this recommendation. US-VISIT continues to incorporate elements of the vision, goals, and objectives into ongoing activities. US- VISIT has developed a strategic framework that contains US-VISIT's core purpose and capabilities moving into the future and its key objectives for the next five years with associated activities. This document provides the framework for future operations and other documentation to include (currently in draft and being reviewed): Mission Needs Statement (MNS) - addresses core mission and capabilities; Operational Requirements Document (ORD) - contains performance and operational information; Acquisition Program Baseline (APB) - presents critical data affecting and supporting the performance, cost and schedule of the US-VISIT Program's investment operations for Fiscal Years 2008-2013. The strategic framework will also be used to update US-VISIT's strategic plan that will reflect: US-VISIT's transition to NPPD; its designation as the biometric repository for all of DHS; management services being provided to immigration and border management; world- wide trans-border travel security efforts to include adopting compatible biometric capture and comparison and allowing for international sharing of pertinent watch list data; and relationships with other DHS components and programs and other federal agencies. US-VISIT expects to have its strategic plan, to include those key elements required by GPRA, updated, reviewed, and approved in FY08. US- VISIT has been diligently working on the FY08 Expenditure Plan to ensure projects are mapped to the mission, strategic goals, and objectives; and provide for traceability of expenditures. 6. Recommendation: Determine whether proposed US-VISIT increments will produce mission value commensurate with costs and risks and disclose to its executive bodies and Congress the results of these business cases and planned actions. DHS Response: US-VISIT officials agree with this recommendation and have demonstrated efforts to satisfy this recommendation. In accordance with capital investment best practices, US-VISIT follows a practice of incremental program development through a series of increments, or mission capability enhancements (MCEs), intended to deliver discrete functional capabilities. Each proposed incremental investment is subjected to a cost-benefit analysis (CBA) to ensure that the investment is justified in terms of operational and/or economic value delivered. CBAs are performed in accordance with a cost-benefit process that conforms to the requirements of OMB Circular A-94, the DHS CBA Workbook, and DHS MD-1400. Specifically, where feasible, benefits are monetized and compared to correlated costs to derive the investment's net present value. To ensure uncertainties related to the investment are fully factored in the analysis, the estimates for both monetized benefits and costs are subjected to uncertainty analysis, yielding a risk-adjusted return on investment for each alternative considered. Recognizing that the quality and precision of the CBA plays a key role in any investment decision, US-VISIT continues efforts to strengthen its capabilities in this area through such actions as establishment of a Cost Process Action Team to assist in refining the program's cost analysis policies and procedures, the creation of a US- VISIT cost estimation and analysis process document, and the acquisition of professional services in the areas of life cycle cost modeling and independent cost analysis. CBAs underway are currently monitored and reviewed for compliance with OMB and Software Engineering Institute cost and cost-benefit guidelines. 7. Recommendation: Develop and implement a human capital strategy that provides for staffing open positions with individuals who have the requisite core competencies (knowledge, skills and abilities). Please see response #4. 8. Recommendation: Develop and implement a risk management plan and ensure that all high risks and their status are reported regularly to the appropriate executives. DHS Response: US-VISIT officials agree with this recommendation and have demonstrated efforts to satisfy this recommendation. The US-VISIT Program published a revised Risk Management Plan in 2nd Quarter FY07. As the risk management program continues to mature, US-VISIT has observed that the risk management processes (as detailed in the Risk Management Plan) are being applied throughout the program. Utilization of the US-VOICE risk database, bi-monthly meetings of the Risk Review Council (RRC), periodic Risk Review Board (RRB) meetings, vertical and horizontal communications to stakeholders, monthly Risk Status Reports provided to the RRC and RRB, and frequent training help to ensure that risk management is part of the US-VISIT culture. In the area of training, US-VISIT provided risk management training classes to US- VISIT personnel (government and contractors) in accordance with the US-VISIT Risk Management Plan–classes covered the theory of risk management and the five risk management processes. Since March 2006, risk management training has included the application of the US-VOICE risk management database and scenarios to instruct students in the planning, identification, analysis, handling, monitoring, and control of risks and issues. High priority risks will be communicated from the US- VISIT Director to the Under Secretary of NPPD. In addition to RRBs, high priority risks are briefed to the US- VISIT Senior Leadership and US-VISIT staff at quarterly Program Management Reviews (PMRs). US-VISIT provided GAO officials with the most recent Risk Management Plan dated February 2007. 9. Recommendation: Define performance standards for US-VISIT that are measurable and reflect the limitations imposed on US-VISIT Capabilities by relying on existing systems. DHS Response: US-VISIT officials agree with this recommendation and have demonstrated efforts to satisfy this recommendation. US-VISIT completed the selection process for tools to support database management, application management, enterprise management console, event/fault management, and performance management. US-VISIT has formalized an enterprise modeling process to provide decision support and alternatives analysis for meeting business process performance expectations by analyzing the end-to-end effects of the physical environment, network capacity, and performance requirements and back- end system performance. The models have been used for simulation and analysis to provide the Unique Identity (UI) Project with the right set of decision-making elements for the implementation of the right combination of inspection processes, technical architecture, and supporting infrastructure. US-VISIT has negotiated Interface Control Documents/Agreements (ICD/ICA) with those organizations with whom information is to be generated or shared. Included in these agreements generally are Service Level Agreements regarding timeliness, reliability and availability. To ensure that US-VISIT systems meet internal performance commitments, an Architecture Improvement Design and Prototype Team has been established to engineer and build prototypes to verify or clarify the various enhancements and changes to the current IDENT system during the modernization phase of the Unique Identity Program. The specific goals of the prototypes include: * determining the viability of specific Commercial Off the Shelf Technology (COTS) products (e.g., biometric middleware, reporting architectures, and non-incumbent matcher solutions) to reduce costs of matching and reporting results; * identifying the most viable architectural alternative for the given feature; * evaluating, where possible, the performance of the architecture; * assessing the reliability, maintainability, and availability of the architecture; * assessing and prototype implementation alternatives to enhance security features; * estimating required architecture sizing to meet long-term scale; and * determining the optimal tuning to enhance matching accuracy while reducing costs. In discussing its observations on the expenditure plan and management of US-VISIT, GAO correctly comments that prime contract cost and schedule expectations are being met. GAO then states that aspects of the program continue to lack definition and justification. Specifically, GAO observed (page 9) a "lack of a well-defined and justified exit solution introduces the risk of repeating failed and costly past exit efforts." The overall impression created by this language is that the proofs of concept for exit operations at the air ports of entry (POEs) and I-94 Radio Frequency Identification test operations at the land POEs were a failure because they did not immediately conclude with operational systems. GAO presents the proof of concepts as ends in themselves and implies that the experiences and empirical data gained from the proofs of concept were not worth their costs. In omitting any discussion of, and implicitly devaluing, the operational experience gained from the proofs. of concept and how that data can or will be used in developing a more workable future system, the undertaking may, unfortunately, be considered a failure by GAO. We would draw a different conclusion. US- VISIT had always intended to end the proofs of concept and use what was learned. GAO did not include biographic exit procedures (as later described at pp. 134-135 of the draft report) in the June 2007 briefing material provided to the staffs of the Subcommittees on Homeland Security, Senate and House Committees on Appropriations (page 16, Acquisition Strategy, Description and History of Increments, Increment 1), notwithstanding its important historical and current use as part of the exit process. GAO informed the staffs of the subcommittees (page 33) that the fiscal year 2007 US-VISIT expenditure plan, related program documentation, and program officials' statements satisfied (in part or total) most, but not all, of the legislative conditions. Specifically, GAO discussed whether the plan, related program documentation and program officials' statements satisfied or partially satisfied all aspects of the capital planning and investment control review requirements established by OMB, including OMB Circular A-1 1, part 7. We appreciate the opportunity to comment on this draft report. Sincerely, Signed by: Steven J. Pecinovsky: Director: Departmental GAO/OIG Liaison Office: [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Randolph C. Hite, (202) 512-3439 or h [Hyperlink, hiter@gao.gov] iter@gao.gov: Staff Acknowledgments: In addition to the contact named above, Tonia Johnson (Assistant Director), Eric Costello, Deborah Davis, Neil Doherty, Nancy Glover, Joshua Hammerstein, David Hinchman, Scott Pettis, Karl Seifert, Teresa Smith, Daniel Wexler, and Charles Youman made key contributions to this report. [End of section] Footnotes: [1] Pub. L. No. 109-295 (Oct. 4, 2006). [2] Our reports on US-VISIT expenditure plans have resulted in 28 recommendations, 6 of which pertain to the US-VISIT expenditure plan and 22 of which pertain to the US-VISIT program. The recommendations that we focused on are those that have been open for 4 years. For a full list of US-VISIT-related GAO reports, see appendix I, attachment 2. [3] One additional legislative condition--that the plan be reviewed by us--was also satisfied. [4] House Committee on Homeland Security, Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security: Hearing before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, 110th Cong., 1st sess., 2007. [5] This recommendation merges two of our prior recommendations. [6] GAO, Homeland Security: DHS Enterprise Architecture Continues to Evolve, but Improvements Needed, GAO-07-564 (Washington D.C.: May 9, 2007). [7] The focus of our review was DHS EA 2006. In March 2007, DHS issued HLS EA 2007. [8] Air and Sea Exit Deployment. [9] GAO, Homeland Security: Recommendations to Improve Management of Key Border Security Program Need to Be Implemented, GAO-06-296 (Washington, D.C.: Feb. 14, 2006). [10] The EVM system used by the prime contractor has yet to be certified by an outside agent (see briefing slide 36 in app. I for details). [11] GAO, Information Security: Homeland Security Needs to Immediately Address Significant Weaknesses in Systems Supporting the US-VISIT Program, GAO-07-870 (Washington, D.C.: July 13, 2007). [12] 1Pub. L. No. 109-295 (Oct. 4, 2006). [13] OMB Circular A-11 establishes policy for planning, budgeting, acquisition, and management of federal capital assets. [14] Our reports on US-VISIT expenditure plans have resulted in 28 recommendations, six of which pertain to the US-VISIT expenditure plan and 22 of which pertain to the US-VISIT program. The recommendations that we focused on are those that have been open for 4 years. For a full list of US-VISIT related GAO reports, see attachment 2. [15] See attachment 3 for more details on the current organization structure. A proposed program office reorganization is currently being reviewed by DHS. [16] An indefinite-delivery/indefinite-quantity contract provides for an indefinite quantity, within stated limits, of supplies or services during a fixed period of time. The government schedules deliveries or performance by placing orders with the contractor. [17] Accenture's partners in this contract include, among others, Raytheon Company, the Titan Corporation, and SRA International, Inc. [18] On September 30, 2004, US-VISIT expanded biometric entry procedures to include individuals from visa waiver countries applying for admission. [19] Legislation requiring the installation of software and equipment at POEs to authenticate machine-readable visas and travel documents and to have visa waiver countries issue e-Passports established a deadline of October 26, 2004 (Pub. L. No. 107-173, (May 14, 2002)), but this date was subsequently changed (Pub. L. No. 108-299 (Aug. 9, 2004)) to October 26, 2005, before DHS and State requested an extension from the congressional committee providing oversight to change the date to October 26, 2006. [20] Form I-94s are used to record a foreign national's entry into the United States. The form as two parts-arrival and departure-containing a unique number for the purposes of recording and matching the arrival and departure records of nonimmigrants. [21] For example, dimplomats and persons under the age of 14 or over the age of 70 are exempt from US-VISIT. [22] Radio frequency technology relies on proximity cards and card readers. Radio frequency devices read the information contained on the card when the card is passed near the device. The information can contain personal identification of the cardholder. [23] At one POE, these capabilities were deployed by December 19, 2005, but were not fully operational until January 7, 2006, because of a telephone company strike that prevented the installation of a high- capacity communications line. [24] For details on the processes underlying each increment and systems supplying information to US-VISIT, see attachment 4. [25] In fiscal year 2003, the expenditure plan called for $375 million, but the appropriated amount was for $362 million. The difference of $13 million was to have been made up through authorized user fees collected by U.S. Immigration and Customs Enforcement. However, only $5 million in user fees was provided to the program, for a total of $367 million. [26] These services verify and authenticate the origins of e-passports and traveler's identities. [27] The iDSM is a prototype of new functionality allowing US-VISIT and Federal Bureau of Investigation to share biometric and associated biographic information. It was deployed in September 2006. [28] OMB Circular A-11, part 7 establishes policy for planning, budgeting, acquisition, and management of federal capital assets. [29] The condition was that the program office resubmit documentation upon approval of the US-VISIT strategic plan, which at the time was to be January 2005. [30] GAO, Homeland Security: Some Progress Made, but Many Challenges Remain on U.S. Visitor and Immigrant Status Indicator Technology Program, GAO-05-202 (Washington D.C.: Feb. 23, 2005). [31] Department of Homeland Security, US-VISIT Mission Needs Statement (Washington, D.C.: Nov. 20, 2003). [32] GAO, Homeland Security: DHS Enterprise Architecture Continues to Evolve, But Improvements Needed, GAO-07-564 (Washington D.C.: May 9, 2007). [33] We did not review the program’s compliance with the Federal Acquisition Regulation. [34] See, for example, the Clinger-Cohen Act of 1996, Pub. L. No. 104- 106, (Feb. 10, 1996) and OMB Circular A-130. [35] GAO, Homeland Security: Risks Facing Key Border and Transportation Security Program Need to be Addressed, GAO-03-1083 (Washington D.C.: Sept. 19, 2003). [36] The CMMI® ranks organizational maturity according to five levels. Maturity levels 2 through 5 require verifiable existence and use of certain key process areas. [37] GAO, Homeland Security: Contract Management and Oversight for Visitor and Immigrant Status Program Need to Be Strengthened, GAO-06- 404 (Washington, D.C.: June 9, 2006). [38] Financial controls include practices to provide accurate, reliable, and timely accounting for billings and expenditures. [39] One IV&V contractor was obtained to assess organizational program risk. The second IV&V contractor was obtained to independently assess system testing activities. [40] Government Performance and Results Act of 1993, Pub. L. No. 103-62 (Aug. 3, 1993) and OMB Circular A-11, Preparation, Submission, and Execution of the Budget, (June 30, 2006) provide guidance in this instance since the US-VISIT strategic plan is not an agencywide strategic plan. [41] GAO, Managing for Results: Critical Issues for Improving Federal Agencies’ Strategic Plans, GAO/GGD-97-180 (Washington, D.C.: Sep. 16, 1997). [42] The fiscal year 2007 expenditure plan contains an appendix titled “Comprehensive Strategic Plan for US-VISIT,” which the US-VISIT Program Director told us is the program’s approved strategic plan. [43] The eight capabilities are: (1) identify a person, (2) assess risk and eligibility, (3) record entry, exit, and status, (4) take law enforcement actions, (5) communicate with external entities, (6) manage knowledge, information, and intelligence, (7) manage the immigration and border management enterprise and (8) infrastructure development. In an earlier section of the strategic plan, only seven of the capabilities are discussed, omitting “infrastructure development.” [44] The Advanced Passenger Information System captures arrival and departure manifest information provided by air and sea carriers. [45] Secure Flight is a program being developed by TSA to prescreen passengers – or match passenger information against terrorist watch lists to identify individuals who should undergo additional security scrutiny – for domestic flights. [46] GAO, Border Security: US-VISIT Program Faces Strategic, Operational, and Technological Challenges at Land Ports of Entry, GAO- 07-248 (Washington, D.C.: Dec. 6, 2006). [47] I-94 forms are used to track foreign nationals’ arrivals and departures. Each form is divided into two parts: an entry portion and an exit portion. Each form contains a unique number printed on both portions of the form for the purposes of subsequent recording and matching the arrival and departure records for nonimmigrants. [48] GAO-05-202. [49] Information in a form that permits individuals to be identified. [50] GAO, Homeland Security: Recommendations to Improve Management of Key Border Security Program Need to Be Implemented, GAO-06-296 (Washington, D.C.: February 14, 2006). [51] This recommendation is the merger of two of our prior recommendations. [52] GAO, Information Technology: Homeland Security Needs to Improve Entry Exit System Expenditure Planning, GAO-03-563 (Washington, D.C.:June 9, 2003). [53] GAO-03-1083. [54] GAO-03-1083. [55] GAO-03-1083. [56] GAO-06-296. [57] GAO-07-278. [58] Pub. L. No. 108-458, § 7209, 118 Stat. 3638, 3823 (Dec. 17, 2004). [59] GAO-07-564. [60] The focus of our review was the DHS EA 2006. In March 2007, DHS issued HLS 2007. [61] This recommendation is the merger of three recommendations. [62] GAO-03-563, GAO-03-1083, and GAO-05-202. [63] GAO-06-296. [64] We have ongoing work to address, among other things, these business cases. [65] GAO-03-1083. [66] GAO-06-296. [67] GAO-03-1083. [68] GAO-06-296. [69] GAO-06-296. [70] The EVM system used by the prime contractor has yet to be certified by an outside agent (see page 36 for details). [71] GAO-07-278. [72] GAO-03-1083. [73] GAO, Homeland Security: First Phase of Visitor and Immigrant Status Program Operating, but Improvements Needed, GAO-04-586 (Washington, D.C.: May 11, 2004). [74] GAO-05-202. [75] GAO-06-296. [76] GAO-07-248. [77] GAO-07-278. [78] As reported in the fiscal year 2005 and revised 2006 expenditure plans. The fiscal year 2007 plan reported that of this amount, $53.1 million was still available as prior year carryover ($17.7 million from land and $35.4 million from air and sea). Our assessment of these reported numbers is detailed in the Scope and Methodology discussion found in Attachment 1. [79] GAO-07-278. [80] Pub. L. 107-173 (May 14, 2002). [81] Datashare includes a data extract from State’s Consular Consolidated Database system and includes the visa photograph, biographical data, and the fingerprint identification number assigned when a nonimmigrant applies for a visa. [82] Information from the Federal Bureau of Investigation includes fingerprints from the Integrated Automated Fingerprint Identification System. [83] Watch list data sources include DHS’s Customs and Border Protection and Immigration and Customs Enforcement; the Federal Bureau of Investigation; legacy DHS systems; the U.S. Secret Service; the U.S. Coast Guard; the Internal Revenue Service; the Drug Enforcement Agency; the Bureau of Alcohol, Tobacco, & Firearms; the U.S. Marshals Service; the U.S. Office of Foreign Asset Control; the National Guard; the Treasury Inspector General; the U.S. Department of Agriculture; the Department of Defense Inspector General; the Royal Canadian Mounted Police; the U.S. State Department; Interpol; the Food and Drug Administration; the Financial Crimes Enforcement Network; the Bureau of Engraving and Printing; and the Department of Justice Office of Special Investigations. GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "Subscribe to Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E- mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Susan Becker,Acting Manager, Beckers@gao.gov (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: