This is the accessible text file for GAO report number GAO-09-96 entitled 'Homeland Security: U.S. Visitor and Immigrant Status Indicator Technology Program Planning and Execution Improvements Needed' which was released on December 12, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: United States Government Accountability Office: GAO: December 2008: Homeland Security: U.S. Visitor and Immigrant Status Indicator Technology Program Planning and Execution Improvements Needed: GAO-09-96: GAO Highlights: Highlights of GAO-09-96, a report to congressional committees. Why GAO Did This Study: The Department of Homeland Security (DHS) has established a program known as U.S. Visitor and Immigrant Status Indicator Technology (US- VISIT) to collect, maintain, and share information, including biometric identifiers, on certain foreign nationals who travel to and from the United States. By congressional mandate, DHS is to develop and submit an expenditure plan for US-VISIT that satisfies certain conditions, including being reviewed by GAO. GAO’s objectives were to (1) determine if the plan satisfies the twelve legislative conditions and (2) provide observations about the plan and management of the program. To accomplish this, GAO assessed the plan and related DHS certification letters against each aspect of each legislative condition and assessed program documentation against federal guidelines and industry standards. What GAO Found: The fiscal year 2008 US-VISIT expenditure plan does not fully satisfy any of the eleven conditions required of DHS by the Consolidated Appropriations Act, 2008, either because the plan does not address key aspects of the condition or because what it does address is not adequately supported or is otherwise not reflective of known program weaknesses. More specifically, of the eleven conditions, the plan partially satisfies eight. For example, while the plan includes a listing of GAO recommendations, it does not provide milestones for addressing these recommendations, as required by the act. Further, although the plan includes a certification by the DHS Chief Procurement Officer that the program has been reviewed and approved in accordance with the department’s investment management process, and that this process fulfills all capital planning and investment control requirements and reviews established by the Office of Management and Budget, the certification is based on information that pertains to the fiscal year 2007 expenditure plan and fiscal year 2009 budget submission, rather than to the fiscal year 2008 expenditure plan. Moreover, even though the plan provides an accounting of operations and maintenance and program management costs, the plan does not separately identify the program’s contractor services costs, as required by the act. With regard to the remaining three legislative conditions, the plan does not satisfy any of them. For example, the plan does not include a certification by the DHS Chief Human Capital Officer that the program’s human capital needs are being strategically and proactively managed and that the program has sufficient human capital capacity to execute the expenditure plan. Further, the plan does not include a detailed schedule for implementing an exit capability or a certification that a biometric exit capability is not possible within 5 years. The twelfth legislative condition was satisfied by our review of the expenditure plan. Beyond the expenditure plan, GAO observed that other program planning and execution limitations and weaknesses also confront DHS in its quest to deliver US-VISIT capabilities and value in a timely and cost- effective manner. Concerning DHS’s proposed biometric air and sea exit solution, for example, the reliability of the cost estimates used to justify the proposed solution is not clear, the proposed solution would provide less security and privacy than other alternatives, and public comments on the proposed solution raise additional concerns, including the impact the solution would have on the industry’s efforts to improve passenger processing and travel. Moreover, the program’s risk management database shows that key risks are not being managed. Finally, frequent rebaselining of one of the program’s task orders has minimized the significance of schedule variances. Collectively, this means that additional management improvements are needed to effectively define, justify, and deliver a US-VISIT system solution that meets program goals, reflects stakeholder input, minimizes exposure to risk, and provides Congress with the means by which to oversee program execution. Until these steps are taken, US-VISIT program performance, transparency, and accountability will suffer. What GAO Recommends: GAO is recommending that the Secretary direct the department’s Investment Review Board to immediately review the program relative to the findings and observations in this report and report the results to Congress. In written comments on a draft of this letter, DHS officials said that they agreed with GAO’s recommendations. To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-09-96]. For more information, contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. [End of section] Contents: Letter: Compliance with Legislative Conditions: Observations on US-VISIT: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Briefing for Staff Members of the Subcommittees on Homeland Security, Senate and House Committees on Appropriations: Appendix II: Comments from the Department of Homeland Security: Appendix III: GAO Contact and Staff Acknowledgments: Abbreviations: ADIS: Arrival and Departure Information System: APIS: Advance Passenger Information System: CHCO: chief human capital officer: CIO: chief information officer: CPO: chief procurement officer: CLAIMS 3: Computer Linked Application Information Management System: DHS: Department of Homeland Security: DCMA: Defense Contract Management Agency: EA: enterprise architecture: EAB: enterprise architecture board: ELCM: enterprise life cycle methodology: EVM: earned value management: FBI: Federal Bureau of Investigation: IAFIS: Integrated Automated Fingerprint Identification System: IV&V: independent verification and validation: IBIS: Interagency Border Inspection System: IDENT: Automated Biometric Identification System: iDSM: Interim Data Sharing Model: MDP: milestone decision point: NPRM: Notice of Proposed Rule Making: OMB: Office of Management and Budget: OIG: Office of Inspector General: POE: ports of entry: SEVIS: Student and Exchange Visitor Information System: TECS: Treasury Enforcement Communications System: UDM: US-VISIT Delivery Methodology: US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology: [End of section] United States Government Accountability Office: Washington, DC 20548: December 12, 2008: The Honorable Robert C. Byrd: Chairman: The Honorable Thad Cochran: Ranking Member: Subcommittee on Homeland Security: Committee on Appropriations: United States Senate: The Honorable David E. Price: Chairman: The Honorable Harold Rogers: Ranking Member: Subcommittee on Homeland Security: Committee on Appropriations: House of Representatives: The Department of Homeland Security (DHS) submitted to Congress on June 12, 2008, its fiscal year 2008 expenditure plan for the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program pursuant to the Consolidated Appropriations Act, 2008.[Footnote 1] US-VISIT is a governmentwide program to collect, maintain, and share information on foreign nationals who enter and exit the United States. The program's goals are to enhance the security of U.S. citizens and visitors, facilitate legitimate trade and travel, ensure the integrity of the U.S. immigration system, and protect the privacy of visitors to the United States. Currently, US-VISIT entry capabilities are operating at over 300 land, sea, and air ports of entry; however, exit capabilities are not yet operating. DHS near-term plans call for enhancing existing biometric collection, identification, and sharing capabilities, as well as introducing an exit capability at airports and seaports. As required by the appropriations act, we reviewed US-VISIT's fiscal year 2008 expenditure plan. Our objectives were to (1) determine whether the plan satisfies the legislative conditions and (2) provide observations about the plan and management of the program. On September 15, 2008, we briefed the staffs of the Senate and House Appropriations Subcommittees on Homeland Security on the results of our review. This letter summarizes and transmits these results, with the exception of information that DHS deemed contractor sensitive. A redacted version of the briefing, including our scope and methodology, is reprinted in appendix I.[Footnote 2] In a separate report designated "For Official Use Only," we summarize and transmit the full briefing. We performed this audit from June 2008 to September 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Compliance with Legislative Conditions: The US-VISIT expenditure plan partially satisfies 8 of the 11 legislative conditions required of DHS.[Footnote 3] For example, the plan partially satisfies the legislative conditions that it: * contain a listing of all open GAO and DHS Office of Inspector General recommendations. Specifically, while the plan did include a listing and status of our recommendations, it did not provide milestones for addressing any of the recommendations, as required by the act. * include a certification by the DHS Chief Procurement Officer that the program was reviewed and approved in accordance with the department's investment management process and that this process fulfilled all capital planning and investment control requirements and reviews established by the Office of Management and Budget (OMB). While the plan did include such a certification, it was based on information that pertains to the fiscal year 2007 expenditure plan and the fiscal year 2009 budget submission, rather than on the fiscal year 2008 expenditure plan, as required by the act. * include an architectural compliance certification by the Chief Information Officer that the system architecture of the program is sufficiently aligned with the information system enterprise architecture of DHS. Specifically, while the plan did include such a certification, the basis for the certification was an assessment against the 2007 DHS enterprise architecture, which is a version that we recently reported to be missing important US-VISIT architectural content.[Footnote 4] * provide a detailed accounting of operations and maintenance, contractor services, and program management costs. While the plan did provide an accounting of operations and maintenance, and program management costs, it did not separately identify the program's contractor costs, as required by the act. The plan does not satisfy the remaining three conditions that apply to DHS. Specifically: * The expenditure plan did not explicitly define how funds are to be obligated to meet future program commitments, including linking the planned expenditure of funds to milestone-based delivery of specific capabilities and services. While the plan linked funding to four broad core capability areas and associated projects, it did not link this planned use of funds to milestones, and it did not consistently decompose projects into specific mission capabilities, services, performance levels, benefits and outcomes, or program management capabilities. * The expenditure plan did not include a certification by the DHS Chief Human Capital Officer that the program's human capital needs are being strategically and proactively managed and that the program has sufficient human capital capacity to execute the expenditure plan. While the plan contained a certification, it only addressed that the human capital plan reviewed by the Chief Human Capital Officer contained specific initiatives to address the hiring, development, and retention of program employees and that a strategy existed to develop indicators to measure the progress and results of these initiatives. It did not address the implementation of this plan or whether the current human capital capabilities were sufficient to execute the expenditure plan. * The expenditure plan did not include a complete schedule for the full implementation of a biometric exit program or certification that a biometric exit program is not possible within 5 years. While the plan contains a very high-level schedule that identifies five broadly defined tasks and high-level milestones, the schedule did not include, among other things, decomposition of the program into a work breakdown structure or sequencing, integrating, or resourcing each work element in the work breakdown structure. Observations on US-VISIT: We are making five observations about US-VISIT relative to its proposed exit solution, its management of program risks, and its use of earned value management. These observations are summarized here. * Reliability of cost estimates for air and sea exit alternatives is not clear. In developing its air and sea exit Notice of Proposed Rule Making (NPRM), DHS is required to prepare a written assessment of the costs, benefits, and other effects of its proposal and a reasonable number of alternatives and to adopt the least costly, most cost-effective, or least burdensome among them. To accomplish this, it is important that DHS have reliable cost estimates for its proposed and alternative solutions. However, the reliability of the estimates that DHS developed is not clear because (1) DHS documents characterize the estimates as being, by definition, rough and imprecise, but DHS officials responsible for developing the estimates stated that this characterization is not accurate; (2) our analysis of the estimates' satisfaction of cost estimating best practices shows that while DHS satisfied some key practices, it did not fully satisfy others or the documentation provided was not sufficient for us to determine whether still other practices were met; and (3) data on certain variables pertaining to airline costs were not available for inclusion in the estimates, and airlines report that these costs were understated in the estimates. * DHS reports that the proposed air and sea exit solution provides less security and privacy than other alternatives. Adequate security and privacy controls are needed to assure that personally identifiable information is secured against unauthorized access, use, disclosure, or retention. Such controls are especially needed for government agencies, where maintaining public trust is essential. In the case of US-VISIT, one of its stated goals is to protect the security and privacy of U.S. citizens and visitors. DHS's proposed air and sea exit solution would require air and vessel carriers to implement and manage the collection of biometric data at the location(s) of their choice. However, the NPRM states that having carriers collect the biometric information is less secure than alternatives where DHS collects the information, regardless of the information collection point. Similarly, the NPRM states that the degree of confidence in compliance with privacy requirements is lower when DHS does not maintain full custody of personally identifiable information. * Public comments on the proposed air and sea exit solution raise a range of additional concerns. Ninety-one entities--including the airline, trade, and travel industries, as well as federal, state, and foreign governments-- commented on the air and sea exit proposal. The comments that were provided raised a number of concerns and questions about the proposed solution. For example, comments stated that (1) technical requirements the carriers must meet in delivering their respective parts of the proposed solution had yet to be provided; (2) the proposed solution conflicts with air and vessel carrier passenger processing improvements; (3) the proposed solution is not fully integrated with other border screening programs involving air carriers; and (4) stakeholders were not involved in this rulemaking process as they had been in previous rulemaking efforts. * Risk management database shows that some program risks have not been effectively managed. Proactively managing program risks is a key acquisition management control and, if defined and implemented properly, it can increase the chances of programs delivering promised capabilities and benefits on time and within budget. To its credit, the US-VISIT program office has defined a risk management plan and related process that is consistent with relevant guidance. However, its own risk database shows that all risks have not been proactively mitigated. As we have previously reported, not proactively mitigating risks increases the chances that risks become actual cost, schedule, and performance problems. * Significance of a task order's schedule variances have been minimized by frequent rebaselining. According to the GAO Cost Assessment Guide,[Footnote 5] rebaselining should occur rarely, as infrequently as once in the life of a program or project. Schedule rebaselining should occur only when a schedule variance is significant enough to limit its utility as a predictor of future schedule performance. For task order 7, the prime contractor's largest task order,[Footnote 6] the program office has rebaselined its schedule twice in the last 2 years--first in October 2006 and again in October 2007. This rebaselining has resulted in the task order showing a $3.5 million variance, rather than a $7.2 million variance that would exist without either of the rebaselinings. Conclusions: DHS has not adequately met the conditions associated with its legislatively mandated fiscal year 2008 US-VISIT expenditure plan. The plan does not fully satisfy any of the conditions that apply to DHS, either because it does not address key aspects of the condition or because what it does address is not adequately supported or is otherwise not reflective of known program weaknesses. Given that the legislative conditions are intended to promote the delivery of promised system capabilities and value, on time and within budget, and to provide Congress with an oversight and accountability tool, these expenditure plan limitations are significant. Beyond the expenditure plan, other program planning and execution limitations and weaknesses also confront DHS in its quest to deliver US- VISIT capabilities and value in a timely and cost-effective manner. Most notably, DHS has proposed a solution for a long-awaited exit capability, but it is not clear if the cost estimates used to justify it are sufficiently reliable to do so. Also, DHS has reported that the proposed solution provides less security and privacy than other alternatives analyzed, and the proposed solution is being challenged by those who would be responsible for implementing it. Further, DHS's ability to measure program performance and progress, and thus be positioned to address cost and schedule shortfalls in a timely manner, is hampered by weaknesses in the prime contractor's implementation of earned value management. Each of these program planning and execution limitations and weaknesses introduce risk to the program. In addition, DHS is not effectively managing the program's risks, as evidenced by the program office's risk database showing that known risks are being allowed to go years without risk mitigation and contingency plans. Overall, while DHS has taken steps to implement a significant percentage of our prior recommendations aimed at improving management of US-VISIT, additional management improvements are needed to effectively define, justify, and deliver a system solution that meets program goals, reflects stakeholder input, minimizes exposure to risk, and provides Congress with the means by which to oversee program execution. Until these steps are taken, US-VISIT program performance, transparency, and accountability will suffer. Recommendations for Executive Action: To assist DHS in planning and executing US-VISIT, we recommend that the Secretary of Homeland Security direct the department's Investment Review Board to review the reasons for the plan's limitations and address the challenges and weaknesses raised by our observations about the proposed air and sea exit solution, risk management, and the implementation of earned value management, and to report the results to Congress. Agency Comments and Our Evaluation: In written comments on a draft of this report, signed by the Director, Departmental Audit Liaison Office, and reprinted in appendix II, DHS concurred with our recommendations and stated that the department's Investment Review Board would meet for the purpose of reviewing US- VISIT and addressing our findings and recommendations. Moreover, DHS commented that our report has prompted the department to modify the fiscal year 2009 US-VISIT expenditure plan to provide greater visibility into operations and maintenance and program management expenditures, and to include milestones and performance targets for planned accomplishments, mitigation plans, milestones for closing open recommendations, and results relative to prior year commitments. DHS also commented that after it received our report for comment, it issued an interim policy for managing investments, such as US-VISIT, and thus it disagreed with one of our findings relative to one of the legislative conditions--namely that DHS's investment management process is not sufficiently mature. However, DHS did not provide the policy itself, thus we were not able to determine whether it addressed our concerns. Further, the memo states that the policy is draft and that implementation of the policy, including training, still needs to occur. Thus, while we have modified our briefing document to reflect the policy's issuance, we have not modified our conclusion that DHS's investment management process is not sufficiently mature. We are sending copies of this report to the Chairmen and Ranking Minority Members of other Senate and House committees and subcommittees that have authorization and oversight responsibilities for homeland security. We are also sending copies to the Secretary of Homeland Security, Secretary of State, and the Director of OMB. Copies of this report will also be available at no charge on our Web site at [hyperlink, http://www.gao.gov]. If you or your staffs have any questions on matters discussed in this report, please contact me at (202) 512-3439 or at hiter@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who have made significant contributions to this report are listed in appendix III. Signed by: Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: [End of section] Appendix I: Briefing for Staff Members of the Subcommittees on Homeland Security, Senate and House Committees on Appropriations: Homeland Security: U.S. Visitor and Immigrant Status Indicator Technology Program Planning and Execution Improvements Needed: Briefing for staff members of the Subcommittees on Homeland Security Senate and House Committees on Appropriations: September 15, 2008*: * This briefing has been amended on page 44 to address DHS comments. Briefing Overview: Introduction: Objectives: Scope and Methodology: Results in Brief: Background: Results: * Legislative Conditions; * Observations: Conclusions: Recommendations for Executive Action: Agency Comments: Attachment 1: Objectives, Scope, and Methodology: Attachment 2: Related Projects List: Attachment 3: Detailed Description of Increments and Component Systems; Attachment 4: Status of Prior GAO Recommendations: [End of Briefing Overview section] Introduction: U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) is a Department of Homeland Security (DHS) program for collecting, maintaining, and sharing information on foreign nationals who enter and exit the United States. The goals of US-VISIT are to: * enhance the security of U.S. citizens and visitors, * facilitate legitimate travel and trade, * ensure the integrity of the U.S. immigration system, and; * protect the privacy of our visitors. Currently, US-VISIT entry capabilities are operating at over 300 land, sea, and air ports of entry; however, exit capabilities are not yet operating. DHS near-term plans call for enhancing existing biometric collection, identification, and sharing capabilities, as well as introducing an exit capability at airports and seaports. [End of Introduction section] Objectives: The Consolidated Appropriations Act, 2008,[Footnote 7] states that DHS may not obligate $125 million of the $475 million appropriated[Footnote 8] for US-VISIT until the Senate and House Committees on Appropriations receive a plan for expenditure[Footnote 9] that includes the following: * a detailed accounting of the program’s progress to date relative to system capabilities or services, system performance levels, mission benefits and outcomes, milestones, cost targets, and program management capabilities; * an explicit plan of action defining how all funds are to be obligated to meet future program commitments, with the planned expenditure of funds linked to the milestone-based delivery of specific capabilities, services, performance levels, mission benefits and outcomes, and program management capabilities; * a listing of all open GAO and DHS Office of the Inspector General (OIG) recommendations related to the program and the status of DHS actions to address the recommendations, including milestones for fully addressing them; * a certification by the DHS Chief Procurement Officer (CPO) that the program has been reviewed and approved in accordance with the department’s investment management process, and that this process fulfills all capital planning and investment control requirements and reviews established by the Office of Management and Budget (OMB), including Circular A-11, part 7; * a certification by the DHS Chief Information Officer (CIO) that an independent verification and validation agent is currently under contract for the project; * a certification by the DHS CIO that the system architecture of the program is sufficiently aligned with the department’s information systems enterprise architecture to minimize future rework, including a description of all aspects of the architectures that were and were not assessed in making the alignment determination, the date of the alignment determination, and any known areas of misalignment, along with the associated risks and corrective actions to address any such areas; * a certification by the DHS CPO that the plans for the program comply with federal acquisition rules, requirements, guidelines, and practices, and a description of the actions being taken to address any areas of noncompliance, the risks associated with them, along with any plans for addressing these risks and the status of their implementation; * a certification by the DHS CIO that the program has a risk management process that regularly identifies, evaluates, mitigates, and monitors risks throughout the system life cycle, and communicates high-risk conditions to agency and DHS investment decision makers, as well as a listing of all the program’s high risks, and a status of efforts to address them; * a certification by the DHS Chief Human Capital Officer (CHCO) that the human capital needs of the program are being strategically and proactively managed, and that current human capital capabilities are sufficient to execute the plans discussed in the report; * a complete schedule for the full implementation of a biometric exit program or a certification that such a program is not possible within 5 years; * a detailed accounting of operations and maintenance, contractor services, and program management costs associated with the program. Footnote 10] The act also requires that we review this plan. DHS submitted its fiscal year 2008 US-VISIT expenditure plan to the House and Senate Appropriations Subcommittees on Homeland Security on June 12, 2008. As agreed, our objectives were to (1) determine whether the plan satisfies the legislative conditions and (2) provide observations about the plan and management of the program. [End of Objectives section] Scope and Methodology: To accomplish the first objective, we compared the information provided in the plan with each aspect of the eleven conditions. Further, for those conditions requiring a DHS certification, we analyzed documentation, interviewed cognizant officials, and leveraged our recent work to determine the basis for each certification. We then determined whether the plan satisfies, partially satisfies, or does not satisfy the conditions based on the extent to which (1) the plan addresses all aspects of the applicable condition, as specified in the act or (2) the applicable certification letter contained in the plan (a) addresses all aspects of each condition, as specified in the act, (b) is sufficiently supported by documented and verifiable analysis, (c) contains significant qualifications, and (d) is otherwise consistent with our related findings. To accomplish the second objective, we analyzed DHS’s Notice of Proposed Rule Making (NPRM) for Air/Sea Exit, the Regulatory Impact Analysis, Privacy Impact Assessment, and US-VISIT’s Exit Pilot Report. We also compared available information on the USVISIT prime contractor’s implementation of earned value management and the program office’s implementation of risk management to relevant guidance. (See attachment 1 for more detailed information on our scope and methodology.) We conducted this performance audit at US-VISIT offices in Arlington, Virginia, and DHS offices in Washington, D.C. from June 2008 to September 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of Scope and Methodology section] Results in Brief: Legislative Conditions: Table: Expenditure Plan’s Satisfaction of Legislative Conditions: Legislative condition: Detailed accounting of the program’s progress to date relative to system capabilities; Expenditure Plan’s Satisfaction of Legislative Conditions: Partially satisfies. Legislative condition: Explicit plan defining how funds are to be obligated to meet future program commitments, linked to the milestone- based delivery of specific capabilities and services; Expenditure Plan’s Satisfaction of Legislative Conditions: Does not satisfy. Legislative condition: Listing of all open GAO and OIG recommendations; Expenditure Plan’s Satisfaction of Legislative Conditions: Partially satisfies. Legislative condition: DHS investment management and OMB capital planning and investment control certification by the CPO; Expenditure Plan’s Satisfaction of Legislative Conditions: Partially satisfies. Legislative condition: Independent verification and validation certification by the CIO; Expenditure Plan’s Satisfaction of Legislative Conditions: Partially satisfies. Legislative condition: Architecture certification by the CIO; Expenditure Plan’s Satisfaction of Legislative Conditions: Partially satisfies. Legislative condition: Acquisition certification by the CPO; Expenditure Plan’s Satisfaction of Legislative Conditions: Partially satisfies. Legislative condition: Risk management certification by the CIO; Expenditure Plan’s Satisfaction of Legislative Conditions: Partially satisfies. Legislative condition: Human Capital certification by the CHCO; Expenditure Plan’s Satisfaction of Legislative Conditions: Does not satisfy. Legislative condition: Exit implementation schedule or certification that not possible within 5 years; Expenditure Plan’s Satisfaction of Legislative Conditions: Does not satisfy. Legislative condition: Detailed accounting of operations and maintenance, contractor services, program management costs; Expenditure Plan’s Satisfaction of Legislative Conditions: Partially satisfies. Legislative condition: Reviewed by GAO; Expenditure Plan’s Satisfaction of Legislative Conditions: Satisfies. Source: GAO analysis based on DHS data. [End of table] Results in Brief: Observations: * The reliability of DHS Air and Sea Exit cost estimates is not clear for various reasons, including program officials’ statements that contradict how the department characterized the estimates in the public documents and supporting documentation about the estimates’ derivation that we have yet to receive. * The proposed Air and Sea Exit solution, according to DHS, would provide less security and privacy than other alternatives, because it relies on private carriers to collect, store, and transmit passenger data. * Comments on the Proposed Air and Sea Exit solution, provided by airlines and others, raised a number of additional stakeholder concerns, such as conflicts with air carrier business models and impact on trade and travel. * The program office’s risk database shows that risk mitigation and contingency plans have not been developed and implemented in a timely fashion for a number of risks, which increases the chances that known risks will become actual problems. * Significant schedule variances are being minimized by frequent redefinition of baselines, thus limiting the use of earned value management as a performance management tool. Results in Brief: Recommendation and Agency Comments: We are recommending that DHS’ Investment Review Board review the reasons for the plan’s limitations and address the challenges and weaknesses raised by our observations about the proposed Air and Sea Exit solution, and the implementation of earned value management and risk management, and to report the results to the Congress. We provided a draft of this briefing to DHS officials, including the Director of US-VISIT. While these officials did not state whether they agreed or not with our findings, conclusions, or recommendations, they did provide a range of technical comments, which we have incorporated into the briefing, as appropriate. They also sought clarification on our scope and methodology, which we have also incorporated into the briefing. [End of Results in Brief section] Background: US-VISIT Strategic Goals: The strategic goals of US-VISIT are to enhance the security of U.S. citizens and visitors, facilitate legitimate travel and trade, ensure the integrity of the U.S. immigration system, and protect the privacy of our visitors. It is to accomplish these things by: * collecting, maintaining, and sharing biometric and other information on certain foreign nationals who enter and exit the United States; * identifying foreign nationals who (1) have overstayed or violated the terms of their admission; (2) can receive, extend, or adjust their immigration status; or (3) should be apprehended or detained by law enforcement officials; * detecting fraudulent travel documents, verifying traveler identity, and determining traveler admissibility through the use of biometrics; and; * facilitating information sharing and coordination within the immigration and border management community. Background: History/Status: Overview of History and Status of US-VISIT Increments: As defined in expenditure plans prior to fiscal year 2006, US-VISIT biometric entry and exit capabilities were to be delivered in four increments. * Increments 1 through 3 were to be interim, or temporary, solutions that would focus on building interfaces among existing (legacy) systems; enhancing the capabilities of these systems; and deploying these systems to air, sea, and land ports of entry (POEs). * Increment 4 was to be a series of yet-to-be-defined releases, or mission capability enhancements, that were to deliver long-term strategic capabilities for meeting program goals. * Increments 1 through 3 have produced an entry capability that began operating at over 300 POEs by 2006. (See the system diagram on the next slide for an overview of this entry capability; attachment 3 provides further details on each of the systems.) Figure: Systems Diagram of Entry Capability Operating at Points of Entry[Footnote 11]: [Refer to PDF for image] This figure is a detailed diagram of Entry Capability Operating at Points of Entry. Included in the diagram are systems/applications which are: * Common to all increments; * Increment 1 only; * Increment 2B and 3 only. Source: GAO analysis of US-VISIT data. [End of figure] Increment 4 has continued to evolve. * The fiscal year 2006 expenditure plan described increment 4 as the combination of two projects: (1) Transition to 10 fingerprints in the Automated Biometric Identification System (IDENT) and (2) interoperability between IDENT and the Federal Bureau of Investigation’s (FBI) Integrated Automated Fingerprint Identification System (IAFIS). * The fiscal year 2007 expenditure plan combines these two projects with a third project called Enumeration (developing a single identifier for each individual) into a larger project referred to as Unique Identity. During fiscal year 2007, the following Unique Identity efforts were completed. - The Interim Data Sharing Model (iDSM) was deployed. It allows sharing of certain biometric information between US-VISIT and the FBI, as well as with the Office of Personnel Management and police departments in Houston, Dallas, and Boston. The next phase of IDENT/IAFIS interoperability (referred to as Initial Operating Capability) is to be deployed in October 2008. - The 10-print scanners were deployed to 10 air locations for pilot testing. Deployment of the scanners to 292 POEs is to begin during fiscal year 2008 and is to be completed by December 2008. * Also in fiscal year 2007, steps were taken relative to a biometric exit solution. Specifically, - Exit pilot projects were halted at 12 airports and 2 seaports in May 2007. - Exit radio frequency identification[Footnote 12] proof-of-concept projects were discontinued at selected land ports in November 2006. - Planning for an air and sea exit solution based on lessons learned from the pilot projects was begun, to include studying the costs, impacts, and privacy concerns of alternative solutions. The fiscal year 2008 expenditure plan provides additional information on these and other projects in the context of the program’s four core mission capabilities: (1) providing identity management and screening services, (2) developing and enhancing biometric identity collection and data sharing, (3) providing information technology support for mission services, and (4) enhancing program management. For example, under developing and enhancing biometric capabilities, the plan allocates $228 million for further development and deployment of Unique Identity and $13 million for development of an Air and Sea Exit solution. (See table on next slide). Table: Summary of Fiscal Year 2008 Expenditure Plan Budget: Core Mission Areas: Provide identity management and screening services: Project: Biometric support; Fiscal Year 2008 Total: $7.9 million. Project: Data integrity; Fiscal Year 2008 Total: $6.4 million. Project: Law enforcement and intelligence; Fiscal Year 2008 Total: $1.5 million. Core Mission Areas: Develop and enhance biometric identity collection and data sharing: Project: Unique Identity; Fiscal Year 2008 Total: $228.0 million. Project: Comprehensive Biometric Exit – Air/Sea; Fiscal Year 2008 Total: $13.0 million. Core Mission Areas: Provide information technology support to mission service: Project: Operations and maintenance; Fiscal Year 2008 Total: $103.0 million. Core Mission Areas: Enhance Program Management: Project: Mission support; Fiscal Year 2008 Total: $109.2 million. Project: Management reserve; Fiscal Year 2008 Total: $6.0 million. Core Mission Areas/Projects: Total; Fiscal Year 2008 Total: $475.0 million. Source: DHS Fiscal Year 2008 Expenditure Plan. [End of table] Background: Projects’ Approach and Status: Life Cycle Approach for and Status of US-VISIT Projects: US-VISIT projects are subject to the program’s Enterprise Life Cycle Methodology (ELCM). Within ELCM is a component methodology for managing software-based system projects, such as Unique Identity and Air/Sea Exit, known as the US-VISIT Delivery Methodology (UDM). According to version 4.3 of UDM (April 2007), it: * applies to both new development and operational projects; * specifies the documentation and reviews that should take place within each of the methodology’s six phases: plan, analyze, design, build, test, and deploy; and; * allows for tailoring to meet the needs and requirements of individual projects, in which specific activities, deliverables, and milestone reviews that are appropriate for the scope, risk, and context of the project can be set for each phase of the project. The chart on the following page shows the status of each US-VISIT project within the life cycle methodology as of August 2008. Table: Project Status: Project: Comprehensive Exit Land; ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Empty]; ELCM Gate Review, Design: [Empty]; ELCM Gate Review, Build: [Empty]; ELCM Gate Review, Test: [Empty]; ELCM Gate Review, Deploy: [Empty]; ELCM Gate Review, Operational: [Empty]. Project: Comprehensive Exit Air/Sea Release 1[A]; ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Check]; ELCM Gate Review, Design: [Check]; ELCM Gate Review, Build: [Check]; ELCM Gate Review, Test: [Check]; ELCM Gate Review, Deploy: [Empty]; ELCM Gate Review, Operational: [Empty]. Project: Comprehensive Exit Air/Sea Release 2[B]: ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Empty]; ELCM Gate Review, Design: [Empty]; ELCM Gate Review, Build: [Empty]; ELCM Gate Review, Test: [Empty]; ELCM Gate Review, Deploy: [Empty]; ELCM Gate Review, Operational: [Empty]. Project: Unique Identity 10-Print Initial Deployment; ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Check]; ELCM Gate Review, Design: [Check]; ELCM Gate Review, Build: [Check]; ELCM Gate Review, Test: [Check]; ELCM Gate Review, Deploy: [Check]; ELCM Gate Review, Operational: [Check]. Project: Unique Identity 10-Print National Deployment; ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Check]; ELCM Gate Review, Design: [Check]; ELCM Gate Review, Build: [Check]; ELCM Gate Review, Test: [Check]; ELCM Gate Review, Deploy: [Check]; ELCM Gate Review, Operational: [Empty]. Project: Increment 1 Air/Sea Entry; ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Check]; ELCM Gate Review, Design: [Check]; ELCM Gate Review, Build: [Check]; ELCM Gate Review, Test: [Check]; ELCM Gate Review, Deploy: [Check]; ELCM Gate Review, Operational: [Check]. Project: Increment 2 Land Entry Top 50; ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Check]; ELCM Gate Review, Design: [Check]; ELCM Gate Review, Build: [Check]; ELCM Gate Review, Test: [Check]; ELCM Gate Review, Deploy: [Check]; ELCM Gate Review, Operational: [Check]. Project: Increment 3 Remaining Land; ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Check]; ELCM Gate Review, Design: [Check]; ELCM Gate Review, Build: [Check]; ELCM Gate Review, Test: [Check]; ELCM Gate Review, Deploy: [Check]; ELCM Gate Review, Operational: [Check]. Project: IDENT/IAFIS iDSM; ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Check]; ELCM Gate Review, Design: [Check]; ELCM Gate Review, Build: [Check]; ELCM Gate Review, Test: [Check]; ELCM Gate Review, Deploy: [Check]; ELCM Gate Review, Operational: [Check]. Project: Unique Identity Interoperability IOC; ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Check]; ELCM Gate Review, Design: [Check]; ELCM Gate Review, Build: [Check]; ELCM Gate Review, Test: [Empty]; ELCM Gate Review, Deploy: [Empty]; ELCM Gate Review, Operational: [Empty]. Project: Unique Identity Interoperability FOC; ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Empty]; ELCM Gate Review, Design: [Empty]; ELCM Gate Review, Build: [Empty]; ELCM Gate Review, Test: [Empty]; ELCM Gate Review, Deploy: [Empty]; ELCM Gate Review, Operational: [Empty]. Project: Enumeration Services; ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Check]; ELCM Gate Review, Design: [Check]; ELCM Gate Review, Build: [Check]; ELCM Gate Review, Test: [Check]; ELCM Gate Review, Deploy: [Check]; ELCM Gate Review, Operational: [Check]. Project: Mobile Biometrics at Sea; ELCM Gate Review, Plan: [Check]; ELCM Gate Review, Analyze: [Check]; ELCM Gate Review, Design: [Check]; ELCM Gate Review, Build: [Check]; ELCM Gate Review, Test: [Check]; ELCM Gate Review, Deploy: [Check]; ELCM Gate Review, Operational: [Check]. [A] Release 1 deploys backend capabilities to receive and process the biometric exit data captured and transmitted in compliance with the Final Rule. [B] Release 2 focuses on exit reporting capabilities. Source GAO based on agency data. [End of table] Contract and Task Order Overview and Status: In May 2004, DHS awarded an indefinite-delivery/indefinite-quantity [Footnote 13] prime contract to Accenture and its partners[Footnote 14] for delivering US-VISIT products and services. Thus far, * 20 task orders have been issued against this contract, and their total value[Footnote 15] is about $501 million. * 11 of these task orders are ongoing, and their total value is about $331 million. The table on the following slides provides additional information about the ongoing task orders organized by the four core mission capabilities and projects. Table: Contract and Task Order Overview and Status: Core Capability: Provide identity management and screening services: Project: Data integrity and biometric support; Task Order Name: Data management support; Start: August 2004; Approximate Value: $3 million; Description: Support Program Office Data Management Branch to identify errors, omissions, and trends in data; recommend corrective actions; provide refined data to other offices (e.g., U.S. Immigration and Customs Enforcement) to support criminal investigations, lookout creation, and informed managerial/operational decision making. Core Capability: Develop and enhance biometric identity collection and data sharing capabilities: Project: Biometric solutions delivery; Task Order Name: Unique Identity; Start: October 2004; Approximate Value: $82.5 million; Description: Planning, development, and implementation of Unique Identity (IDENT/IAFIS integration and IDENT 10-print). Project: Biometric solutions delivery; Task Order Name: Integration support to the Unique Identity ID Project Office; Start: November 2006; Description: Approximate Value: $1.6 million; Program and technical integration support services. Project: Biometric solutions delivery; Task Order Name: Secure Information Management Systems; Start: October 2007; Approximate Value: $2.3 million; Description: Planning, development, and implementation of enumeration functionality for Unique Identity and the US Customs and Immigration Service’s Inter-Country Adoption Pilot. Project: Biometric solutions delivery; Task Order Name: Biometric Solutions Delivery; Start: February 2008; Approximate Value: $18 million; Description: Deployment of solutions—includes installation of scanning equipment for 10-print collection. Core Capability: Provide information technology support mission services: Project: Operations and maintenance; Task Order Name: Facilities and infrastructure; Start: March 2005; Approximate Value: $6.3 million; Description: Provisioning of office/facility space, furniture, workstations, telecommunications, and other infrastructure to support contractor activities. Project: Operations and maintenance; Task Order Name: Operations and maintenance; Start: August 2006; Approximate Value: $27.7 million; Description: Management of operations and maintenance activities for deployed capabilities. Project: Information technology services; Task Order Name: IT services; Start: September 2007; Approximate Value: $10.8 million; Description: Information technology services for implemented functionality, including security upgrades, system changes, etc. Core Capability: Enhance program management: Project: Contractor support/program management; Task Order Name: Program-level engineering; Start: September 2004; Approximate Value: $16 million; Description: Develop and maintain the standards, guidance, architectures, performance models, and other engineering processes necessary to support the development of functionality. Project: Contractor support/program management; Task Order Name: Development and support of program planning activities; Start: November 2006; Description: Approximate Value: $1.8 million; Support the development and maintenance of program planning artifacts and analyze phases of project execution and planning, updating, and implementation of the US-VISIT strategic plan. Source: GAO analysis of DHS data. [End of table] Overview of DHS Investment Management Process: DHS issued a draft Investment Review Process guide in March 2006 that includes milestone decision points (MDP) linking five life cycle phases: project initiation (MDP1), concept and technology development (MDP2), capability development and demonstration (MDP3), production and deployment (MDP4), and operations and support (MDP5).Under the draft guide, a program sends an investment review request prior to the initial milestone date. The program is then to be reviewed by the DHS Enterprise Architecture Board (EAB), Joint Requirements Council and/or Investment Review Board, depending on such factors as the program’s cost and significance. According to the official from DHS’s Program Analysis and Evaluation Directorate who is responsible for overseeing program adherence to the investment control process, the draft guide is being used for all DHS programs, including US-VISIT. This official also stated that milestone reviews can be performed concurrently with an expenditure plan review. In December 2006, the DHS Investment Review Board held an MDP1 review of US-VISIT. Since then, the EAB held an MDP2 review in April 2007, and the EAB is currently performing an MDP3 review. Neither the Joint Requirements Council nor the Investment Review Board have reviewed US- VISIT since MDP1. Overview of DHS Notice of Proposed Rule Making (NPRM) for Air/Sea Exit: On April 24, 2008, DHS published its NPRM for establishing a biometric exit capability at commercial air and sea ports. At the same time, it published an Air/Sea Biometric Exit Regulatory Impact Analysis providing information on the projected costs and benefits of several alternatives discussed in the proposed rule. Key aspects of the NPRM are summarized here. * The proposed rule would require aliens who are subject to US-VISIT biometric requirements on entry at POEs to provide biometric information to commercial carriers before departing air and sea POEs. The rule also proposed that the biometric information collected be submitted to DHS within 24 hours of securing the airplane doors for air travel or departing the seaport. According to the NPRM, these requirements would not apply to persons departing on certain private or small carriers. * The proposed rule discussed nine exit alternatives for collecting biometrics: (1) at the check-in counter by air and vessel carriers, (2) at the check-in counter by DHS, (3) at the security checkpoint by DHS, (4) at the departure gate by air and vessel carriers, (5) at the departure gate by DHS, (6) at the check-in counter by air and vessel carriers with verification at the departure gate, (7) at the check-in counter by DHS with verification at the departure gate, (8) at the security checkpoint by DHS with verification at the departure gate, and (9) within the sterile area (after passing through the Transportation Security Administration checkpoint) by DHS. The following five alternatives were subject to further analysis of costs and benefits. * Proposed Alternative: Air and vessel carriers implement and manage the collection of biometric data at location(s) of their choice. * Alternative 1: Air and vessel carriers implement and manage the collection of biometric data at their check-in counter. * Alternative 2: DHS implements and manages the collection of biometric data at the TSA Security checkpoint.[Footnote 16] * Alternative 3: DHS implements and manages the collection of biometric data at location(s) of the air or vessel carrier’s choice. * Alternative 4: DHS implements and manages the collection of biometric data at kiosks placed in various locations. DHS provided a 60-day comment period for the NPRM. A total of 91 organizations provided 117 comments and supporting documents. These included: 12 air industry associations, 44 air carriers (9 domestic and 35 foreign), 4 vessel industry associations, 1 vessel carrier, 9 commerce associations, 1 congressional committee, 5 foreign governments, and 2 local governments. [End of Background section] Objective 1: Legislative Conditions: Of the 12 legislative conditions pertaining to DHS’s fiscal year 2008 expenditure plan for US-VISIT, the plan partially satisfies 8 and does not satisfy 3 of them. Our review has satisfied the remaining condition. Given that the act’s conditions are designed to help ensure that the program is effectively managed and that congressional oversight of program can occur, a partially or a not satisfied condition should be viewed as introducing risk to the program. Each of the conditions is addressed in detail on the following slides. Condition 1: Condition 1: The plan partially satisfies the legislative condition to include a detailed accounting of the program’s progress to date relative to system capabilities or services, system performance levels, mission benefits and outcomes, milestones, cost targets, and program management capabilities. As we previously reported,[Footnote 17] describing how well DHS is progressing relative to US-VISIT program commitments (e.g., cost, schedule, capabilities, and benefits commitments) that it has made in previous expenditure plans is essential to permitting meaningful program oversight and promoting accountability for results. System Capabilities and Services: The current plan provides information on some US-VISIT capabilities and services that have been completed or delivered. For example, the fiscal year 2007 plan stated that US-VISIT would make IDENT modifications to support the transition to 10-print capability. The fiscal year 2008 plan identifies the modifications that were implemented, such as consolidating several IDENT databases, deploying a watch list demotion capability, introducing improved fingerprint-matching algorithms, and developing new requirements for an enhanced Candidate Verification Tool. However, the information presented is not always sufficient to measure progress. For example, * The fiscal year 2007 plan stated that US-VISIT would begin 10-print pilot deployment in late 2007 to ten air locations, but the fiscal year 2008 plan only states that DHS selected a number of pilot locations and evaluated the performance and operational impacts at those locations. According to program officials, although the plan does not state the number of locations for the pilot, it was in fact deployed to ten locations, and this information has been previously provided to the Congress. System Performance Levels: The fiscal year 2008 plan describes progress in achieving some, but not all, system performance levels. For example, the fiscal year 2007 plan cited a target of 1,850 biometric watch list hits for travelers processed at POEs, and the latest plan reports that the number of these hits was 11,838. However, many of the target measures included in the fiscal year 2007 plan are not described in the current plan. For example, * The fiscal year 2007 plan cited a target of having biometric information on file for 49 percent of foreign nationals prior to their entering the United States (also referred to as the “Unique Identity baseline”). However, this measure is not discussed in the fiscal year 2008 plan. * The fiscal year 2007 plan cited a target of 26 days for resolving requests by visitors to correct their baseline data. However, this measure is not discussed in the fiscal year 2008 plan. * The fiscal year 2007 plan stated that US-VISIT would establish a baseline of the number of individuals who were biometrically verified based on 10-print enrollment. However, this baseline measure is not discussed in the fiscal year 2008 plan. According to program officials, although these measures are not mentioned in the expenditure plan, performance data relative to each is in fact collected and monitored. Cost Targets: The fiscal year 2008 plan identifies estimated costs (i.e., funding levels) for each of the four broad capability areas. In some cases, the broad areas are decomposed and meaningful detail is provided to understand how the funds will be used. However, in many cases, capabilities and costs are not decomposed to a level that permits such understanding and oversight. For example, * The fiscal year 2008 plan states that $7.9 million will be used for the Biometric Support Center. However, allocations for specific support center capabilities and services are not provided. * The fiscal year 2008 plan states that $72.6 million will be used to update DHS border and process technology in support of 10-print and IDENT/IAFIS interoperability. However, the funds are not allocated between the two activities or to major tasks, products, and services under each activity, such as the completion of initial operating capability for IDENT/IAFIS integration. * The fiscal year 2008 plan states that $6.4 million will be used for data integrity efforts. However, the funds are not allocated among specific data integrity activities described in the plan, such as upgrading the integrity of the system and data to meet stakeholder needs. Furthermore, the fiscal year 2007 and 2008 plans use different terminology to describe categories of spending under the broad capability areas. For example, * The fiscal year 2008 plan shows $5.0 million in fiscal year 2007 funds allocated to “Information Technology” under the “Comprehensive Biometric Exit Solution—Air and Sea” project, but the 2007 plan does not identify an “Information Technology” component to this project, but rather shows $5.0 million being allocated to “Planning and Design.” * The fiscal year 2008 plan shows $1.4 million in fiscal year 2007 funds allocated to “Law Enforcement and Intelligence” under Biometric Support Services, but the fiscal year 2007 plan does not identify a Law Enforcement and Intelligence component, but instead shows $1.4 million being allocated to “Management.” Benefits/Outcomes: The fiscal year 2008 plan cites benefits associated with each of the four broad capability areas and in some cases, provides specific and measurable benefits that are linked to specific capabilities. For example, the plan states that 10-print capability would provide several benefits, including facilitating travel by reducing the number of travelers sent to secondary inspection. More specifically, the plan states that the IDENT False Accept Rate fell from 0.093 percent to 0.0034 percent in fiscal year 2007 through the implementation of improved fingerprint matching algorithms, and estimates that this improvement provided operational benefits by reducing the number of individuals sent to secondary processing due to erroneous identification by approximately 25,000 travelers. However, in other cases, the benefits are not specific and measurable and are not linked to specific capabilities and services committed to in the prior plan. For example, * The plan cites the following benefits relative to the Comprehensive Biometric Exit Solution – Air and Sea project: “Provides greater accuracy in recording identity of persons leaving the country, enables improved assessment by DHS of travelers’ compliance with immigration laws, and enables DHS to more easily match records across multiple identities or travel documents.” However, since these benefits/outcomes are not linked to a baseline measure, and the amount of the expected improvement is not specified, the proposed benefits are not meaningful. * The plan cites benefits from sharing biometric data globally, including enabling countries to redirect the course of an immigration claims or enforcement activity, improving the accuracy of records through vetting and validation, identifying patterns of legal and illegal migration, achieving efficiency savings, establishing the identities of individuals who sought benefits among partner agencies and governments, and helping to prevent fraud through identity verification of individuals seeking benefits. However, it does not link any of these benefits to specific baseline measures. Milestones: The fiscal year 2008 plan cites high-level milestones that are traceable to the prior plan. However, neither of the plans provides enough specificity to measure progress. For example: * The fiscal year 2007 plan stated that the first phase of IDENT/IAFIS interoperability was implemented via the iDSM prototype in 2006. It also identified high-level activities to design, build, and deploy the initial operating capability for IDENT/IAFIS interoperability, such as advancing the data sharing architecture and enabling the assignment of a unique number to each individual. While the fiscal year 2008 plan states that some of these efforts were completed, neither plan provided specific milestones to measure progress. * The fiscal year 2007 plan stated that efforts to deploy a biometric exit solution for air and sea environments would be launched. While the fiscal year 2008 plan states that US-VISIT developed a Comprehensive Biometric Exit strategy and began planning to address the air and sea environments, neither plan provided specific milestones to measure progress. Program Management: The fiscal year 2008 plan discusses several initiatives to enhance and leverage key program management capabilities, such as continuing efforts to improve the program’s use of earned value management, the maturity of software acquisition/development processes, and the quality of internal governance. In some cases, the plan cites program management efforts that can be traced to the fiscal year 2007 plan. For example, the fiscal year 2007 plan stated that an assessment of the prime contractor’s earned value management system was to be conducted during fiscal year 2007. According to the fiscal year 2008 plan, an assessment was completed in June 2007 that identified a number of weaknesses, a plan of action and milestones was developed to address the weaknesses, and this plan is to be executed in 2008. (These weaknesses are discussed in detail later in this briefing.) However, the fiscal year 2008 plan also identifies program management capability improvements that are not traceable to prior plan commitments. For example, the fiscal year 2008 plan states that a Planning, Programming, Budgeting, and Execution process was developed during fiscal year 2007. However, this effort was not mentioned in the prior plan as a commitment and thus as a basis for measuring progress. Condition 2: Condition 2: The plan does not satisfy the condition that it include an explicit plan of action defining how all funds are to be obligated to meet future program commitments, with the planned expenditure of funds linked to the milestone-based delivery of specific capabilities, services, performance levels, mission benefits and outcomes, and program management capabilities. As we have previously reported,[Footnote 18] the purpose of the expenditure plan is to provide Congress with sufficient information to exercise effective oversight of US-VISIT and to hold DHS accountable for results. As such, the plan should specify planned system capabilities, schedules, costs, and expected benefits for each of its projects and for its program management activities. While the fiscal year 2008 plan links funding to four broad core capability areas and associated projects, it does not link this planned use of funds to milestones and it does not consistently decompose projects into specific mission capabilities, services, performance levels, benefits and outcomes, or program management capabilities. To illustrate, the expenditure plan allocates funding among the program’s four broad core capability areas. For one of these capability areas, the plan identifies major projects, such as Unique Identity and Comprehensive Biometric Exit Solution—Air and Sea. These projects are then decomposed into general functional activities (e.g., project integration and analysis, and acquisition and procurement), which are then associated with fiscal year 2007 and 2008 funding. However, these functional activities do not constitute specific capabilities, services, performance levels, or benefits. Rather, they represent functions to be performed that presumably will produce such capabilities, services, performance levels, or benefits. Similarly, the remaining three core capability areas are also divided into general functional activities (e.g., biometric support, data integrity, program staffing, data center operations) that do not constitute capabilities, services, performance levels, or benefits. Moreover, the funding associated with the broad core capability areas, projects, or functional activities is not linked to any milestones. For example, the plan states that $72.6 million of fiscal year 2008 funds will be used to update DHS border and process technology for 10-print transition and IDENT/IAFIS, but does not state what updates will be accomplished or by when. The plan also states that $45.1 million will be used to operate and maintain applications, but does not state what maintenance activities will be performed and when they will be performed. Condition 3: Condition 3: The plan, including related program documentation and program officials’ statements,partially satisfies the condition that it include a listing of all open GAO and OIG recommendations related to the program and the status of DHS actions to address them, including milestones. We reported in August 2007[Footnote 19] that US-VISIT’s progress in implementing our prior recommendations had been slow, as indicated by the 4-year-old recommendations that were less than fully implemented. Given that our recommendations focus on fundamental limitations in the management of US-VISIT, they are integral to DHS’s ability to execute its expenditure plans, and thus should be addressed in the plans. Since 2003, GAO has made 44 recommendations to the US-VISIT program. The fiscal year 2008 plan provides a listing and status of our recommendations. However, the plan does not provide milestones for addressing these recommendations. The table on the next slide summarizes our analysis of the status of our recommendations. Table: Status of Recommendations: Status: Implemented; Number of recommendations: 26. Status: Partially Implemented; Number of recommendations: 9. Status: Not Implemented; Number of recommendations: 9. Source: GAO analysis of DHS data. [End of table] In addition, the plan does not include two OIG recommendations. According to program officials, this is because these two recommendations were made the same month that the plan was sent to the appropriations committee. (See attachment 4 for more detailed information on the status of our recommendations.) Condition 4: Condition 4: The plan partially satisfies the condition that it include a certification by the DHS CPO that (1) the program has been reviewed and approved in accordance with the department’s investment management process and (2) the process fulfills all capital planning and investment control requirements and reviews established by the Office of Management and Budget (OMB), including Circular A-11, part 7. [Footnote 20] As we have previously reported,[Footnote 21] it is important for organizations such as DHS, which rely heavily on IT to support strategic outcomes and meet mission needs, to adopt and employ an effective institutional approach to IT investment management. Such an approach provides agency management with the information needed to ensure that IT investments cost-effectively meet strategic mission needs and that projects are meeting cost, schedule, and performance expectations. We have also reported[Footnote 22] that the capital investment control requirements and reviews outlined in the OMB Circular A-11, part 7, are important because they are intended to minimize a program’s exposure to risk, permit performance measurement and oversight, and promote accountability. On March 14, 2008, the DHS CPO certified that (1) US-VISIT was reviewed and approved in accordance with the department’s investment management process and (2) this process fulfills all capital planning and investment control requirements and reviews established by OMB, including Circular A-11, part 7. In support of certifying the first aspect of the condition, the CPO stated that OMB scored US-VISIT’s fiscal year 2009 budget submission (i.e., budget exhibit 300) a 35 out of a possible 50 in November 2007. According to OMB, this score means that the submission has “very few points...but still needs strengthening.” In addition, the CPO stated that the program had been reviewed by the DHS Investment Review Board in December 2006, and that the board had issued a decision memorandum in April 2007 stating that the fiscal year 2007 expenditure plan met, among other things, OMB capital planning and investment review requirements and satisfied that aspect of the DHS investment management process that requires investments to comply with DHS’s enterprise architecture. However, this support is not sufficient to fully satisfy the first aspect of the legislative condition because this condition applies to the fiscal year 2008 expenditure plan, and the support that the CPO cites does not relate to either the fiscal year 2008 budget submission or to the fiscal year 2008 expenditure plan. Rather, it pertains to the following year’s budget submission and the prior year’s plan. In support of certifying the second aspect of the condition, the CPO again cites the fiscal year 2009 budget submission, which DHS documents show underwent a series of reviews and revisions before being sent to OMB that raised the department’s scoring of the submission from a 29 to a 37. According to OMB, a score of 29 means, among other things, that “much work remains to solidify and quantify” the submission. In certifying to this aspect, the CPO also stated that his office will continue to oversee US-VISIT through the department’s emerging investment management process. However, the cited support is not sufficient to satisfy the legislative condition for two reasons. * As previously noted, the cited budget submission is for fiscal year 2009 rather than fiscal year 2008. * DHS’s investment management process is not sufficiently mature. As we reported in April 2007,[Footnote 23] this process does not satisfy the key practices outlined in the Information Technology Investment Management Framework,[Footnote 24] which is a maturity framework based on corporate investment management best practices employed by leading public and private sector organizations and is consistent with OMB capital planning and investment control requirements. In particular, we reported that: - DHS’s process (policies and procedures) for project-level management do not include all key elements, such as specific criteria or steps for prioritizing and selecting new investments. - DHS has not fully implemented the practices needed to control investments—at the project level or at the portfolio level, including regular project-level reviews by the DHS Investment Review Board. - DHS’s process does not identify a methodology with explicit decision- making criteria to determine an investment’s alignment with the DHS enterprise architecture. In its comments on a draft of this report, DHS disagreed that its investment management process is not sufficiently mature, stating that on November 7, 2008 it issued an interim operational policy for investment control that addresses the limitations that we reported in April 2007. However, because DHS’s comments only provided the memo that issued the interim policy, and not the policy itself, we have yet to review it to determine whether it addresses the above limitations. Also, the memo describes the interim policy as a “resulting draft” that is the product of an “informal staffing process” and that changes will be made to “the policy prior to completing this process.” Moreover, implementation of the policy, including training on its implementation, still needs to occur. Therefore, we continue to view DHS’s investment management process as not sufficiently mature. Condition 5: Condition 5: The plan partially satisfies the condition that it include a certification by the DHS CIO that an independent verification and validation (IV&V) agent is currently under contract. As we have previously reported,[Footnote 25] IV&V is a recognized best practice for large and complex system development and acquisition programs, like US-VISIT, as it provides management with objective insight into the program’s processes and associated work products. On February 25, 2008, the former DHS Acting CIO conditionally certified that the program has an IV&V agent under contract. However, this certification was qualified to recognize that the contract only provided for IV&V services relative to testing system applications (i.e., it did not extend to other key program activities). Accordingly, the certification was made conditional on the program office providing an update on its efforts to award a contract for program-level IV&V by April 15, 2008. According to program officials, they are in the process of evaluating a program-wide IV&V contract proposal and plan to award a contract in September 2008. Condition 6: Condition 6: The plan partially satisfies the condition that it include a certification by the DHS CIO that the program’s system architecture is sufficiently aligned with the department’s enterprise architecture (EA), including a description of all aspects of the architectures that were and were not assessed in making the alignment determination, the date of the alignment determination, and any known areas of misalignment, along with the associated risks and corrective actions to address any such areas. According to federal guidelines[Footnote 26] and best practices, [Footnote 27] investment compliance with an EA is essential for ensuring that new and existing systems are defined, designed, and implemented in a way that promotes integration and interoperability and minimizes overlap and redundancy, thus optimizing enterprisewide efficiency and effectiveness. A compliance determination is not a one- time event that occurs when an investment begins, but rather occurs throughout an investment’s life cycle as changes to both the EA and the investment’s architecture are made. Within DHS, the EAB, supported by the Enterprise Architecture Center of Excellence, is responsible for ensuring that system investments demonstrate adequate technical and strategic compliance with the department’s EA. In early 2008, the DHS Acting CIO certified that the US-VISIT system architecture was aligned with the DHS EA based on an assessment of the program’s alignment to the 2007 version of DHS’s EA, which was conducted by the EAB in support of the program’s MDP2 review. Consistent with the legislative condition, the fiscal year 2008 expenditure plan includes the former Acting CIO’s certification, the date of the board’s conditional approval of architectural alignment for MDP2 (September 27, 2007) and the date of the certification (February 25, 2008). It also includes areas of misalignment and corrective actions to address the identified areas. Specifically, it identifies such areas of misalignment as: * US-VISIT requirements and products to support 10-print solution not having been defined and included in the 2007 EA technical reference model, and; * US-VISIT data standards not having been vetted with the DHS Enterprise Data Management Office for compliance. It states that corrective actions to address these areas were completed in September 2007, and that no outstanding MDP2 conditions remain.However, the certification does not fully satisfy the legislative conditions for three reasons. First, the basis for the certification is an assessment against the 2007 EA, which is a version that we recently reported to be missing important US-VISIT architectural content.[Footnote 28] Further, while DHS recently issued a 2008 version of its EA, it does not address these content shortfalls. The following are examples of the missing architecture content: * US-VISIT’s representation in this version’s business model—which associates the department’s business functions with the organizations that support and/or implement them—does not align US-VISIT with certain business functions (e.g., verify identity and establish identity) that the program office has identified as a critical part of its mission. * US-VISIT business rules and requirements are not included in this version’s business model. Business rules are important because they explicitly translate business policies and procedures into specific, unambiguous rules that govern what can and cannot be done. As such, they facilitate the consistent implementation of policies and procedures. * US-VISIT’s baseline and target performance goals (e.g., for transaction volume) are not reflected in this version. * US-VISIT-owned and managed component systems are not all accurately captured in the 2007 EA. For example, it erroneously identifies two US- VISIT component systems as being owned by two other DHS entities. * All US-VISIT system interfaces are not included in the 2007 EA’s system reference model. For example, it does not identify key interfaces between the IDENT, Advance Passenger Information System (APIS), Arrival and Departure Information System (ADIS), and Treasury Enforcement Communications System. Additionally, it does not identify the interface between IDENT and the Global Enrollment System, even though US-VISIT officials confirmed that the interface exists and is operating. Second, the department lacks a defined methodology for determining an investment’s compliance with its EA, including explicit steps and criteria. According to federal guidance,[Footnote 29] such a methodology is important because the benefits of using an EA cannot be fully realized unless individual investments are defined, designed, and developed in a way that avoids duplication and promotes interoperability. However, we reported in April 2007 that DHS does not have such a methodology.[Footnote 30] Without this methodology and verifiable documentation demonstrating its use in making compliance determinations, the basis for concluding that a program sufficiently complies with any version of the 2007 EA will be limited. Third, the certification attachment includes a description of what was assessed to provide the basis for the compliance certification. For example, the attachment states that the board “evaluated the program’s ability to support the Department’s line of business and strategic goals; their alignment to a DHS Office of the CIO portfolio; the data, data objects, and data entity that encompass the investment; the technology leveraged to deliver capabilities and functions by the program; and compliance with information security, Section 508, and screening coordination.” However, the descriptions do not link directly to key 2007 EA artifacts. For example, it aligns US-VISIT’s data entities (e.g., Watch List and Warrants) to the data object “Record”. The 2007 EA, however, does not define that data object. Moreover, those aspects of the architectures that were not assessed are not identified, such as the business rules and enterprise security architecture. Condition 7: Condition 7: The plan partially satisfies the condition that it include a certification by the DHS CPO that the plans for the program comply with federal acquisition rules, requirements, guidelines and practices, and a description of the actions being taken to address any areas of noncompliance, the risks associated with them, along with any plans for addressing these risks, and the status of their implementation. As we have previously reported,[Footnote 31] federal IT acquisition requirements, guidelines, and management practices provide an acquisition management framework that is based on the use of rigorous and disciplined processes for planning, managing, and controlling the acquisition of IT resources. If implemented effectively, these processes can greatly increase the chances of acquiring software- intensive systems that provide promised capabilities on time and within budget. On March 14, 2008, the DHS CPO certified that US-VISIT complied with federal acquisition rules, requirements, guidelines, and practices. In support of this certification, the CPO stated that the program was reviewed by the DHS Investment Review Board in December 2006, and that the board issued a decision memorandum in April 2007 that stated that the fiscal year 2007 expenditure plan met, among other things, federal acquisition rules, requirements, guidelines, and system acquisition management practices. In addition, the CPO stated that DHS's Office of Procurement Operations had conducted self-assessments of US-VISIT- related contracts in fiscal years 2006 and 2007, and that these assessments had not identified any areas of non-compliance that required risk mitigation.However, the cited support is not sufficient to fully satisfy the legislative condition because the condition applies to the fiscal year 2008 expenditure plan, while the support that is cited pertains to the fiscal year 2007 expenditure plan and assessments that were completed in fiscal years 2006 and 2007. Condition 8: Condition 8: The plan partially satisfies the condition that it include (1) a certification by the DHS CIO that the program has a risk management process that regularly identifies, evaluates, mitigates, and monitors risks throughout the system life cycle and communicates high- risk conditions to department investment decision makers, as well as (2) a listing of all the program’s high risks and the status of efforts to address them. As we have previously reported,[Footnote 32] proactively managing program risks is a key acquisition management control, and if defined and implemented properly, it can increase the chances of programs delivering promised capabilities and benefits on time and within budget. On February 25, 2008, the former DHS Acting CIO certified that US-VISIT had a sufficient risk management process in place, adding that this process satisfied all process-related aspects of the legislative condition. In doing so, the then Acting CIO relied on an assessment of a range of US-VISIT risk management documents, including a policy, plan, periodic listings of high risks and related status reports, and communications with department decision makers. However, the certification does not fully satisfy the legislative condition. Our analysis of the same risk management documents that the certification is based on revealed key weaknesses: * The US-VISIT risk management plan is not being effectively implemented, which is also a weakness that we reported in February 2006.[Footnote 33] For example, of the 33 high risks identified as being in or past the handling phase of the risk management process [Footnote 34] in the February 6, 2008 risk inventory, 8 (about 24 percent) did not have a mitigation plan, and 19 (about 58 percent) did not have a contingency plan. Moreover, considerable time has passed without such plans being developed, in some cases more than 3 years. According to the risk management plan, mitigation and contingency plans should be developed for all high and medium risks once they have reached the handling phase of the risk management process. (This weakness is discussed in greater detail later in this briefing.) * The US-VISIT process for managing risk does not contain thresholds for elevating risks beyond the program office. Moreover, program officials told us that an update to this process that is currently in draft does not include such thresholds. Without thresholds, it is unlikely that senior DHS officials will become aware of those risks requiring their attention. In this regard, we reported in February 2006 [Footnote 35] that the thresholds for elevating risks to department executives that were in place were not being applied. In August 2007, [Footnote 36] we reported that these thresholds had been eliminated and that no risks had been elevated to department executives since December 2005. During the following 32 months, only one risk was elevated beyond the program office. Condition 9: Condition 9: The plan does not satisfy the condition that it include a certification by the DHS Chief Human Capital Officer that the human capital needs of the program are being strategically and proactively managed, and that current human capital capabilities are sufficient to execute the plans discussed in the report. As we have previously reported,[Footnote 37] strategic management of human capital is both a best practice and a provision in federal guidance.Among other things, it involves proactive efforts to understand an entity’s future workforce needs, existing workforce capabilities, and the gap between the two and charting a course of action to define how this gap will be continuously addressed. By doing so, agencies and programs can better ensure that they have the requisite human capital capacity to execute agency and program plans. On March 6, 2008, the DHS Chief Human Capital Officer certified that the US-VISIT human capital strategic plan provides specific initiatives to address the hiring, development, and retention of program employees, and that a strategy exists to develop indicators to measure the progress and results of these initiatives.However, this certification does not satisfy the legislative condition for two reasons. * The certification does not address the strategic plan’s implementation, which is important because just having a human capital strategic plan does not constitute strategic and proactive management of the program’s human capital. * The certification does not address whether the current human capital capabilities are sufficient to execute the expenditure plan. For example, it does not recognize that US-VISIT is under staffed. We reported in August 2007[Footnote 38] that the program office had 21 vacancies and had taken the interim step to address this shortfall by temporarily assigning other staff to cover the vacant positions, and planned to fill all the positions through aggressive recruitment. As of July 2008, the program office reported having 23 vacancies, including vacancies in leadership positions, such as the program’s deputy director. Since then, the program office reports that it has filled nine of these vacancies. Condition 10: Condition 10: The plan does not satisfy the condition that it include a complete schedule for the full implementation of a biometric exit program or a certification that such a program is not possible within 5 years. As we stated in our June 2007 testimony,[Footnote 39] a complete schedule for the full deployment of an exit capability would specify, at a minimum, what work will be done, by what entities, and at what cost to define, acquire, deliver, deploy, and operate expected system capabilities. A complete schedule is essential to ensuring that the solution is developed and implemented effectively and efficiently. The fiscal year 2008 plan does not contain either a complete schedule for fully implementing biometric exit capabilities at air, sea, and land POEs, or a statement that this cannot be completed within a 5-year time frame. Rather, the plan contains a very high-level schedule that only identifies five broadly-defined tasks, and a date by which each is to be completed, as shown in the table on the following slide. Table: Air/Sea/Land Biometric Exit Schedule-High Level: Activity: Pilot closeout activities; Date: September 28, 2007. Activity: Air/Sea Exit outreach; Date: December 31, 2008. Activity: Air/Sea Exit planning; Date: April 24, 2008. Activity: Air/Sea Exit design; Date: December 31, 2008. Activity: Land border planning document; Date: December 31,2008. Source: DHS data. [End of table] Such high-level milestones do not constitute a “complete schedule for the full implementation of a biometric exit program,” as requested by the act, because they are not supported by the kind of verifiable analysis and documentation that we have previously reported as necessary for a reliable program schedule.[Footnote 40] For example, these milestones do not include (1) decomposition of the program into a work breakdown structure; (2) sequencing, integration, and resourcing of each work element in the work breakdown structure; and (3) identification of the critical path through the schedule of linked work elements. Condition 11: Condition 11: The plan partially satisfies the condition that it include a detailed accounting of operation and maintenance, contractor services, and program management costs associated with the program. [Footnote 41] As we have previously reported,[Footnote 42] the purpose of the expenditure plan is to provide Congress with sufficient information to exercise effective oversight of US-VISIT and to hold DHS accountable for results. To accomplish this, the act sought specific information relative to planned US-VISIT spending for operations and maintenance, contractor services, and program management. Operations and Maintenance: The fiscal year 2008 plan provides a decomposition of program operations and maintenance costs according to functional areas of activity, such as operations and maintenance of system applications, data center operations, network/data communications, and IT services. While this decomposition does satisfy the condition, it nevertheless could be more informative if the costs were associated with specific capabilities, systems, and services, such as the cost to operate and maintain ADIS, IDENT, and iDSM. Contractor Services: The fiscal year 2008 plan does not separately identify the program’s costs for contractor services. According to program officials, such services are embedded in other cost categories, such as Program Staffing (which is a combination of government and contractor staff), Prime Integrator, and Project Integration and Analysis. The one exception is for the Provide Identity Management and Screening Services broad core capability area, which identifies $15.8 million in contractor services. Program Management Costs: The fiscal year 2008 plan states that program management costs will total $115.2 million, and allocates them to items such as program staffing ($46.2 million), planning and logistics ($14.3 million), prime integrator ($33.5 million), and working capital and management reserve ($ 21.2 million). It also describes a number of program management related initiatives, such as maturing program monitoring and control processes, developing strategic plans and related policies, conducting public information dissemination and outreach, and strengthening human capital management and stakeholder training. However, it does not allocate the $115.2 million to these initiatives. For example, the plan does not describe what portion of the $115.2 million will be used to develop criteria for estimating life cycle costs, which is one effort within the maturing program processes initiative, or to properly align program management staffing to tasks and rewrite position descriptions, which are efforts within strengthening human capital management. In addition, the $115.2 million does not include $11.6 million in contractor program management support provided to specific projects, such as Air and Sea Exit. As a result, total cost allocated to program management in fiscal year 2008 is $126.8 million, which is similar to the program management costs we reported in the fiscal year 2006 and 2007 expenditure plans. As we previously reported,[Footnote 43] these levels of program management costs represented a sizeable portion of the US-VISIT planned spending, but were not adequately justified. Condition 12: Condition 12: We have reviewed the plan, thus satisfying the condition. Our review was completed on September 15, 2008. [End of Legislative Conditions section] Objective 2: Observations: Observation 1: Reliability of DHS Air and Sea Exit cost estimates is not clear: In developing its Air and Sea Exit NPRM, DHS is required to prepare a written assessment of the costs, benefits, and other effects of its proposal and a reasonable number of alternatives, and to adopt the least costly, most cost-effective, or least burdensome among them. To accomplish this, it is important that DHS have reliable cost estimates for its proposed and alternative solutions. However, the reliability of the estimates that DHS developed is not clear because (1) DHS documents characterize the estimates as being by definition rough and imprecise, but DHS officials that were responsible for developing the estimates stated that this characterization is not accurate, (2) our analysis of the estimates’ satisfaction of estimating best practices shows that while DHS satisfied some key practices, it either did not fully satisfy others or it has yet to provide us with documentation to determine whether still other practices were met, and (3) data on certain variables pertaining to airline costs were not available for inclusion in the estimates, and airlines report that these costs were understated in the estimates. DHS Documents and Program Officials Statements Characterizing the Nature of the Estimates Are Not Consistent: As noted earlier in this briefing, the NPRM and regulatory impact analysis cite the estimated costs of each of the five alternatives that were analyzed. For example, the impact analysis states that the estimated cost of the proposed solution is $3.6 billion. Moreover, this analysis states that each of the cost estimates are “rough order of magnitude” estimates, meaning that they are by definition rough and imprecise, to the point of being potentially understated by as much as 100 percent, and overstated by as much as 50 percent. Restated, this means that the estimated cost of the proposed solution could be anywhere from $1.8 billion to $7.2 billion. According to DHS’s analysis, these broad cost risk ranges were used to reflect the degree to which Air and Sea Exit has been defined, including the assumptions that had to be made about airline solution configurations in the absence of airline data. According to GAO’s Cost Estimating Guide, rough order of magnitude estimates are used when few details are available about the alternatives, and they should not be considered budget-quality cost estimates. Accordingly, they should not be viewed as sufficiently credible, accurate, or comprehensive to be considered reliable for making informed choices among competing investment options. Notwithstanding the regulatory impact analysis’ characterization of the cost estimates as rough order of magnitude estimates, program officials responsible for deriving the estimates stated that the estimates were “mislabeled” in the analysis, and thus the risk ranges for the estimates are overstated. They added that the estimates should have been characterized as parametric and partial engineering estimates, which would have produced much smaller risk ranges. Available Documentation Shows Some Estimating Best Practices Were Met, While Others Were Not: GAO’s Cost Estimating Guide identifies four characteristics of reliable cost estimates and associates a number of estimating best practices with each characteristic. The four characteristics of reliable cost estimates are that they are well-documented, credible, comprehensive, and accurate. The cost estimates for the Air and Sea Exit alternatives satisfied a number of the best practices in GAO’s Cost Estimating Guide. For example, the estimate’s purpose and scope are clearly defined, the cost team included experienced cost analysts, and the cost estimate included a description of the cost estimation process, data sources, and methods. However, these cost estimates did not satisfy other best practices in our guide. For example, the cost estimate was not compared to an independent estimate and a technical baseline was not developed to provide the underlying basis for this estimate. These are important because the technical baseline provides a detailed technical, program, and schedule description of the system to be developed, and thus is the basis for the program and independent cost estimates. Additionally, an independent estimate provides an unbiased check on the reliability of the program’s estimate. Moreover, we have yet to receive documentation from DHS relative to other best practices cited in the guide. For example, the guide recognizes the importance of performing risk analyses that allow for risks to be examined across the work breakdown structure so that the uncertainties associated with individual work elements can be determined, and risk levels can be assigned to each. According to the regulatory impact analysis, a standard level 5 risk range (50 percent below to 100 percent above) was used with the cost estimates because a comprehensive risk analysis had not been done. Program officials told us, however, that a risk analysis was performed, but we have yet to receive it. Further, we have yet to receive evidence showing that all relevant costs were addressed, such as the cost of spare, refreshed, and updated equipment and technology. Estimates May Not Include Major Cost Elements: The regulatory impact analysis states that data on several variables were not available for inclusion in the analysis, including estimates for burden to carriers and travelers. Of the 56 airlines and airline associations that provided comments on the NPRM, 21 commented that DHS’s cost estimate for its proposed solution was understated because it did not adequately reflect the burden to carriers. In particular, the International Air Transport Association commented that the proposed solution could cost the air carriers as much as $12.3 billion over 10 years. According to this association, its estimate was developed in collaboration with airlines, network service providers, and hardware manufacturers. The association attributed the understatement of DHS’s estimate to its omission of relevant costs for data transmission, secure networks, and secure data warehouses. Specifically, it stated that: * transmission requirements for biometric data would be between 350 and 800 times greater that what the airlines currently use for the transmission of biographic and manifest text data (between 31 and 128 megabytes of information for each international flight versus about 100 kilobytes currently transferred); * secure networks required for transmission of biometric data would need to be installed between the airports and the airlines’ departure control systems because they currently do not exist (estimated to cost about $150 million over 10 years); and; * secure data warehouses for biometric data storage would need to be installed to store the data prior to transmission to DHS (estimated to cost about $1 billion to operate over 10 years). In addition, United Airlines commented that its start-up costs would be about $21.8 million. It also commented that DHS’s cost estimate does not include the cost of additional traveler burden, which they estimated to be about $30 per hour. According to United Airlines, passenger time is potentially the highest cost element with as many as 50 million persons being affected by queuing, congested space, and flight delays. DHS’s regulatory impact analysis acknowledges the omission of the cost of additional travel burden and the impact on the cost to each carrier’s business processes. Further, Air Canada Jazz, a regional airline, commented that because the requirement for airline personnel to collect biometric data is beyond the scope of duties outlined in current collective agreements, it would have to renegotiate its agreements to add these duties. Observation 2: DHS reports that proposed solution would provide less security and privacy than other alternatives: Adequate security and privacy controls are needed to assure that personally identifiable information is secured against unauthorized access, use, disclosure, or retention. Such controls are especially needed for government agencies, where maintaining public trust is essential. In the case of US-VISIT, one of its stated goals is to protect the security and privacy of U.S. citizens and visitors. However, DHS's proposed solution would have more privacy and security risks than alternative solutions. According to the NPRM, having carriers collect the biometric information is less secure than alternatives where DHS collects the information, regardless of the information collection point. Moreover, it states that information that is in the sole custody of one entity (e.g., DHS) is less likely to be compromised than information passed from private carriers to DHS. Similarly, the NPRM states that the degree of confidence in compliance with privacy requirements is lower when DHS does not maintain full custody of personally identifiable information. Further, the privacy impact assessment that DHS prepared for Air and Sea Exit states that carrier custody of personally identifiable information introduces vulnerabilities, including inadequate information security and data integrity, and it concludes that this could impact travelers in several ways, such as travel inconveniences, subsequent denial of admission to the United States based on faulty data, or misuse of personally identifiable information. In fact, the privacy impact assessment rated misuse of personally identifiable information as a high risk under the proposed solution due to the serious impact that misuse of personally identifiable information would have on both the individual traveler and the integrity of US-VISIT. According to the NPRM, these privacy and security risks will be addressed in two ways. First, DHS will require carriers to ensure that their systems and transmission methods of biometric data meet DHS technical, security and privacy requirements to be established in guidance and issued in conjunction with the final rule. However, it is unclear how DHS will ensure that the guidance is effectively implemented. Second, when the data are received by DHS, the NPRM states that it will be protected in accordance with a robust privacy and security program. However, we recently reported[Footnote 44] that the systems supporting US-VISIT have significant information security weaknesses that place sensitive and personally identifiable information at increased risk of unauthorized and possibly undetected disclosure and modification, misuse, and destruction. Observation 3: Public comments on the NPRM raise a range of additional concerns: As noted earlier, 91 entities, including the airline, trade, and travel industries, and federal, state, and foreign governments, commented on the Air and Sea Exit proposal. In addition to the comments discussed earlier relative to the reliability of the cost estimates and the security and privacy implications of a carrier-implemented solution, a number of other comments were provided that raise further concerns and questions about the proposed solution. Specifically, the entities provided the following comments: * According to some carriers, DHS has yet to provide technical requirements for the carriers to meet in delivering their respective parts of the proposed solution. In particular, the NPRM stated that carriers will be required to comply with the DHS Consolidated User’s Guide. However, they stated that this guide does not define, for example, how biometric images are to be incorporated into the existing message format used for APIS transmissions. Similarly, the NPRM states that all biometric data transmissions would be bound by existing regulations, including the FBI’s Criminal Justice Information Services Electronic Transmission Specifications.However, carriers stated that these specifications had not been made available. * According to some of the carriers, DHS’s proposed solution conflicts with air and vessel carrier passenger processing improvements. Requiring passenger-agent contact goes against recent simplifications to carriers’ business models in which new technologies are being introduced to eliminate time-consuming passenger-agent interactions. For example, most airlines and cruise ships allow passengers to confirm arrival and check-in online prior to entering the airport or sea terminal, or to check in and print a boarding pass at a kiosk. These carriers commented that the passenger-agent contact required under the NPRM is at odds with this evolution in business processes and will slow down the travel process, delay flights, and make air and sea ports more crowded. According to one carrier’s estimates, the proposed solution will add 1 to 2 minutes processing time per passenger, which will collectively add an estimated 3 to 5 hours per flight. While the regulatory impact analysis projected flight delays to be less lengthy, it nevertheless acknowledged that most travelers would be delayed by about 50 minutes. A number of entities said that such significant delays will cause foreign travelers to vacation elsewhere. * According to several airlines and airline associations, DHS’s proposed solution is not fully integrated with other border screening programs involving air carriers. DHS has recently issued proposed or final rules for four DHS programs,[Footnote 45] and each of these require or propose requiring carriers to collect and transmit additional data in 2008 and 2009. As such, these organizations viewed the four as duplicative (require very similar data) and inefficient (use different transmission methods), and claimed that DHS’ sequential introduction of these programs will require carriers to undertake separate and repeated system development and employee training efforts that will impact their operations. * According to several carriers, DHS did not involve the stakeholders in this rulemaking process as it had in previous rulemaking efforts. Carriers stated that for US-VISIT entry and the Advance Passenger Information System-Quick Query, which is about to be deployed, they were involved in developing a solution, but for US-VISIT exit, they were not. Observation 4: US-VISIT risk management database shows that some risks have not been effectively managed: Proactively managing program risks is a key acquisition management control and, if defined and implemented properly, it can increase the chances of programs delivering promised capabilities and benefits on time and within budget. To its credit, the program office has defined a risk management plan and related process that is consistent with relevant guidance. However, its own risk database shows that not all risks have been proactively mitigated. As we have previously reported, [Footnote 46] not proactively mitigating risks increases the chances that risks become actual cost, schedule, and performance problems. Federal guidance and related best practices[Footnote 47] advocate identifying facts and circumstances that can increase the probability of a program failing to meet cost, schedule, and performance commitments and then taking steps to reduce the probability of their occurrence and impact. Among other things, effective risk management includes (1) establishing a written plan for managing risks; (2) designating responsibility for risk management activities; (3) defining and implementing a process that provides for identifying, analyzing, and mitigating risks; and (4) periodically examining the status of identified risks and their mitigation. The US-VISIT Risk Management Plan defines a five-step process for managing program risks, as illustrated in the figure. Figure: Five-step process for managing program risks: [Refer to PDF for image] 1) Prepare for risk management; 2) Risk identification; 3) Risk analysis; 4) Risk handling; 5) Risk monitoring and control. [End of figure] Within each of these steps, the plan defines a number of activities that are consistent with federal guidance and related best practices. For example, * In the preparation phase, each project office is to develop a strategy for managing risk that includes, among other things, the scope of the project risks to be addressed and the risk management tools to be used. * In the risk identification phase, risks are to be identified in as much detail as possible and a risk owner is to be designated. * In the risk analysis phase, the estimated probability of occurrence and impact on the program or project of each risk is to be determined and used to assign a priority (high, medium, or low). * In the risk handling phase, detailed mitigation and contingency plans are to be prepared for all medium-and-high priority risks as early as possible. * In the risk monitoring phase, the status of risk mitigation and contingency plans is to be tracked, and decisions are to be reached as to whether to close a risk or to designate it as a realized issue (i.e., actual problem). However, the program office’s own data show that it is not following its Risk Management Plan. Specifically, of the list of 39 high-priority risks provided to the DHS CIO to support the earlier described risk management-related expenditure plan certification, the program office reported that 6 were in the analysis phase, 9 were in the handling phase, 13 were in the monitoring phase, and 11 were now realized and became program issues. Our analysis shows that of the 13 risks in the monitoring phase, 6 did not have contingency plans and 1 did not have a mitigation plan, even though both plans were to have been developed in the prior phase. Further, of the 11 risks that had been realized, none were included in the list of program issues provided to the DHS CIO. Further, many of these risks had not had mitigation and/or contingency plans developed in a time frame that can be considered either “as early as possible” or timely. In fact, some risks had been open for over 3 years without having such plans. For example, of the six risks in the monitoring phase without at least one of the two required plans, one risk had been open for 1212 days (about 3 years and 3 months) without a mitigation plan, and the median number of days that risks in this phase had gone without one or both of these plans was 178 (about 6 months). The chance of risks becoming actual problems and impacting the program is increased by not having mitigation and contingency plans. This is evident by the fact that of the 11 high risks that the program office reported at the time as having become realized issues (actual problems), all were missing mitigation and/or contingency plans, and the median number of days these 11 had gone without these plans was 299 (see table below). Table: Risks without mitigation and/or contingency plans: Management step: Handle (6 risks); Days the risk has been open (as of February 6, 2008), Minimum: 22; Days the risk has been open (as of February 6, 2008), Maximum: 652; Days the risk has been open (as of February 6, 2008), Median: 230. Management step: Monitor (6 risks); Days the risk has been open (as of February 6, 2008), Minimum: 2; Days the risk has been open (as of February 6, 2008), Maximum: 1212; Days the risk has been open (as of February 6, 2008), Median: 178. Management step: Realized (11 risks); Days the risk has been open (as of February 6, 2008), Minimum: 19; Days the risk has been open (as of February 6, 2008), Maximum: 1204; Days the risk has been open (as of February 6, 2008), Median: 299. [End of table] Our analysis of a more recent risk listing confirmed that this pattern has continued. Specifically, the July 3, 2008, risk listing contained 34 high-priority risks, of which none were in the analysis phase, 10 were in the handling phase, 12 were in the monitoring phase, and 12 were now realized and became program issues. However, 6 of the 12 risks in the monitoring phase, for example, did not have contingency plans and 3 of these 6 did not have mitigation plans. Moreover, some of the risks in either the monitoring phase or the realized phase have not had mitigation and/or contingency plans for more than 3½ years (see table below). Table: Risks without mitigation and/or contingency plans: Management step: Handle (7 risks) 22652230 Days the risk has been open (as of February 6, 2008), Minimum: 114; Days the risk has been open (as of February 6, 2008), Maximum: 800; Days the risk has been open (as of February 6, 2008), Median: 260. Management step: Monitor (6 risks) 21212178 Days the risk has been open (as of February 6, 2008), Minimum: 4; Days the risk has been open (as of February 6, 2008), Maximum: 1360; Days the risk has been open (as of February 6, 2008), Median: 78.5. Management step: Realized (11 risks) 191204299 Days the risk has been open (as of February 6, 2008), Minimum: 77; Days the risk has been open (as of February 6, 2008), Maximum: 1352; Days the risk has been open (as of February 6, 2008), Median: 821. Source: GAO analysis of DHS data. [End of table] The absence of timely risk mitigation and contingency planning is exacerbated by the fact that these are high risks which, according to the Risk Management Plan, means that there is at least a 41 percent chance they will significantly affect critical cost, schedule, and performance baselines. By not effectively managing key program risks, the program office is unnecessarily increasing its chances of experiencing actual cost, schedule, and performance problems, and will be less likely to be able to deliver system capabilities on time and within budget. Observation 5: Significance of task order 7 schedule variances have been minimized by frequent rebaselining: According to the GAO Cost Assessment Guide,[Footnote 48] rebaselining should occur very rarely, as infrequently as once in the life of a program or project and only when a schedule variance is significant enough to limit its utility as a predictor of future schedule performance. For task order 7, the largest task order,[Footnote 49] which provides for development and deployment of new capabilities (e.g., Unique Identity and Biometric Solutions Delivery) the program office has rebaselined its schedule twice in the last 2 years—first in October 2006, when the task order had a negative schedule variance of $958,216, and then in October 2007, when the negative schedule variance for Unique Identity and Biometric Solutions was $4.1 million. Since this last rebaselining, the program office reports a negative variance through May 2008 of $3.5 million. Without the rebaselinings, this would have amounted to a $7.2 million schedule variance. The graphic on the next slide shows the cumulative schedule variance with and without the rebaselining. Figure: Cumulative Schedule Variance, TO7 (Biometric Solutions + Unique ID): [Refer to PDF for image] This figure is a multiple line graph depicting the Cumulative Schedule Variance. The vertical axis of the graph represents Schedule variance in millions of dollars. The horizontal axis of the graph represents a series of dates from July 2006 to June 2008. Date: September 2006; Rebaseline: -$.958; Cumulative Schedule Variance without rebaseline: -$.958. Date: October 2006; Rebaseline: 0.0; Cumulative Schedule Variance without rebaseline: -$.958. Date: November 2006; Rebaseline: -$0.227; Cumulative Schedule Variance without rebaseline: -$1.185. Date: December 2006; Rebaseline: -$0.332; Cumulative Schedule Variance without rebaseline: -$1.290. Date: January 2007; Rebaseline: -$0.369; Cumulative Schedule Variance without rebaseline: -$1.327; Date: February 2007; Rebaseline: -$0.384; Cumulative Schedule Variance without rebaseline: -$1.343. Date: March 2007; Rebaseline: -$0.170 Cumulative Schedule Variance without rebaseline: -$1.128 Date: April 2007; Rebaseline: -$0.220; Cumulative Schedule Variance without rebaseline: -$1.179. Date: May 2007; Rebaseline: -$0.825; Cumulative Schedule Variance without rebaseline: -$1.783. Date: June 2007; Rebaseline: -$1.674; Cumulative Schedule Variance without rebaseline: -$2.632. Date: July 2007; Rebaseline: -$3.052; Cumulative Schedule Variance without rebaseline: -$4.010. Date: August 2007; Rebaseline: -$3.675; Cumulative Schedule Variance without rebaseline: -$4.634. Date: September 2007; Rebaseline: -$4.128; Cumulative Schedule Variance without rebaseline: -$5.086. Date: October 2007; Rebaseline: -$1.390; Cumulative Schedule Variance without rebaseline: -$5.086. Date: November 2007; Rebaseline: -$1.679; Cumulative Schedule Variance without rebaseline: -$5.375. Date: December 2007; Rebaseline: -$1.304; Cumulative Schedule Variance without rebaseline: -$5.001. Date: January 2008; Rebaseline: -$2.081; Cumulative Schedule Variance without rebaseline: -$5.778. Date: February 2008; Rebaseline: -$3.128; Cumulative Schedule Variance without rebaseline: -$6.824. Date: March 2008; Rebaseline: -$3.168; Cumulative Schedule Variance without rebaseline: -$6.865. Date: April 2008; Rebaseline: -$3.554; Cumulative Schedule Variance without rebaseline: -$7.251. Date: May 2008; Rebaseline: -$$3.500; Cumulative Schedule Variance without rebaseline: -$7.197. [End of figure] As the graphic shows, frequent rebaselining does not adequately disclose the potential extent of the shortfall in meeting the baseline. Given that EVM reporting is to alert management to magnitude and significance of potential problems sooner rather than later, this practice does not adequately support informed program decision making. Moreover, it is an indicator of the limitations in the baselines being set. According to program officials, these schedule variances are due to (1) increases in scope of the work, such as the addition of new requirements and (2) underestimating the complexity and difficulty of the work to be completed (i.e., limitations in the schedule baseline). End of Observations section] Conclusions: DHS has not adequately met the conditions associated with its legislatively mandated fiscal year 2008 US-VISIT expenditure plan. The plan does not fully satisfy any of the conditions that apply to DHS, either because it does not address key aspects of the condition or because what it does address is not adequately supported or is otherwise not reflective of known program weaknesses. Given that the legislative conditions are intended to promote the delivery of promised system capabilities and value, on time and within budget, and to provide Congress with an oversight and accountability tool, these expenditure plan limitations are significant. Beyond the expenditure plan, other program planning and execution limitations and weaknesses also confront DHS in its quest to deliver US- VISIT capabilities and value in a timely and cost-effective manner. Most notably, DHS has proposed a solution for a long-awaited exit capability, but it is not clear if the cost estimates used to justify it are sufficiently reliable to do so. DHS has reported itself that the proposed solution provides less security and privacy than other alternatives analyzed, and the proposed solution is being challenged by those responsible for implementing it. Further, DHS’s ability to measure program performance and progress, and thus be positioned to address cost and schedule shortfalls in a timely manner, is hampered by weaknesses in the prime contractor’s implementation of EVM. Each of these program planning and execution limitations and weaknesses introduce risk to the program. In addition, DHS is not effectively managing the program’s risks, as evidenced by the program office’s risk database showing that known risks are being allowed to go years without risk mitigation and contingency plans. Overall, while DHS has taken steps to implement a significant percentage of our prior recommendations aimed at improving management of US-VISIT, additional management improvements are needed to effectively define, justify, and deliver a system solution that meets program goals, reflects stakeholder input, minimizes exposure to risk, and provides Congress with the means by which to oversee program execution. Until these steps are taken, US-VISIT program performance, transparency, and accountability will suffer. [End of conclusions section] Recommendations for Executive Action: To assist DHS in planning and executing US-VISIT, we recommend that the Secretary of Homeland Security direct the department’s Investment Review Board to immediately hold a review of the US-VISIT program that, at a minimum, addresses: * The reasons for the fiscal year 2008 expenditure plan not fully addressing each of the legislative conditions and corrective action to ensure that this does not occur for future expenditure plans; * The adequacy of the basis for any future Air and Sea Exit solution, including the reliability of cost estimates, implication of privacy and security issues, and addressing key concerns raised in comments to the proposed rule; * The weaknesses in the program’s implementation of risk management, and; * The weaknesses in the prime contractor’s implementation of earned value management, including the limitations in the quality of the schedule baselines and the schedule variance measurements. We further recommend that the Secretary of Homeland Security report the results of this Investment Review Board review to Congress. End of Recommendations for Executive Action section] Agency Comments and Our Evaluation: We provided a draft of this briefing to DHS officials, including the Director of US-VISIT. In their oral comments on the draft, these officials did not state whether they agreed or not with our findings, conclusions, or recommendations. They did, however, provide a range of technical comments, which we have incorporated in the briefing, as appropriate. They also sought clarification on our scope and methodology, which we have also incorporated in the briefing. [End of Agency Comments and Our Evaluation] Attachment 1: Objectives, Scope and Methodology: Our objectives were to (1) determine whether the plan satisfies the legislative conditions specified in the fiscal year 2008 Consolidated Appropriations Act, and (2) provide observations about the expenditure plan and management of US-VISIT. Information on scope and methodology for each objective follows: To accomplish conditions 1, 2, 3, 10 and 11 of our first objective, we determined whether the plan[Footnote 50] satisfies, partially satisfies, or does not satisfy the conditions based on the extent to which the plan addresses all aspects of the applicable condition, as specified in the act. Specifically, * For condition 1, we compared information in the fiscal year 2008 expenditure plan to previous expenditure plans to determine whether the current plan provided a detailed accounting of the program’s progress to date related to systems capabilities or services, system performance levels, mission benefits and outcomes, milestones, cost targets, and program management capabilities; * For condition 2, we reviewed the fiscal year 2008 expenditure plan to determine whether it contained an explicit plan of action defining how all funds were to be obligated to meet future commitments, with funds linked to the milestone-based delivery of specific capabilities, services, system performance levels, mission benefits and outcomes, and program management capabilities; * For condition 3, we reviewed and analyzed information in the fiscal year 2008 expenditure plan, US-VISIT's most recent status reports on the implementation of our open recommendations, and related key documents (e.g., the program's product test plans, capacity management plan, configuration management plan, and cost estimation process), augmented as appropriate by interviews with program officials to determine whether the expenditure plan contained a listing of all open GAO and OIG recommendations and the status of DHS actions to address them, including milestones; * For condition 10, we reviewed the fiscal year 2008 expenditure plan to determine whether it contained a schedule for the full implementation of a biometric exit capability that fully defines, at a minimum, what work will be done, by what entities, and at what cost to define, acquire, deliver, deploy, and operate expected system capabilities; and; * For condition 11, we reviewed the fiscal year 2008 expenditure plan to determine whether it contained a detailed accounting of all operation and maintenance, contractor services, and program management costs associated with management of the program. For this condition, we obtained clarification from staff from the House and Senate Appropriations Subcommitees on Homeland Security to ensure that our assessment met their intent. As a result, we have modified the wording slightly from what was in the Act. To accomplish conditions 4, 5, 6, 7, 8, and 9 of objective 1 we determined whether the plan satisfies, partially satisfies, or does not satisfy the conditions based on the extent to which the applicable certification letter contained in the plan (a) addresses all aspects of each condition, as specified in the act, (b) is sufficiently supported by documented and verifiable analysis, (c) contains significant qualifications, and (d) is otherwise consistent with our related findings. * For condition 4, we reviewed the DHS certification and supporting documentation for US-VISIT’s capital planning and investment controls, including US-VISIT’s most recent OMB submission and documents related to the milestone decision point 1 and 2 approvals, to determine whether a sufficient basis existed for the certification; * For condition 5, we reviewed the DHS certification for the independent verification and validation agent and analyzed supporting documentation, such as DHS’s assessment of US-VISIT’s independent verification and validation efforts, to determine whether a sufficient basis existed for the certification; * For condition 6, we reviewed the DHS certification that the US-VISIT architecture is sufficiently aligned with the DHS EA, and assessed supporting documentation, including US-VISIT program documents against the DHS EA 2007, and criteria in DHS’s Investment Review Process and DHS’s EA Governance Process Guide to determine whether a sufficient basis existed for the certification; * For condition 7, we reviewed the DHS certification that the plans for the US-VISIT program comply with federal acquisition rules, guidelines, and practices, and analyzed supporting documentation, such as DHS’s assessment of US-VISITs contracts, to determine whether there was a sufficient basis for the certification; * For condition 8, we reviewed the DHS certification that US-VISIT have a risk management process that identifies, evaluates, mitigates, and monitors risks throughout the life cycle, and communicates high risks to the appropriate managers at the US-VISIT program and DHS levels. We also analyzed the most current US-VISIT risk management plan, risk lists, and risk meeting minutes, to determine whether there was a sufficient basis for the certification; and; * For condition 9, we reviewed the DHS certification that the human capital needs of the US-VISIT program were being strategically and proactively managed, and analyzed supporting documentation, such as US- VISIT’s Human Capital Strategic Plan, to determine whether there was a sufficient basis for the certification. To accomplish our second objective, we reviewed the fiscal year 2008 plan and other available program documentation related to US-VISIT’s plans for deploying an biometric exit capability, US-VISIT’s use of earned value management, and US-VISIT’s implementation of risk management. In doing so, we examined planned and completed actions and steps, including program officials' stated commitments to perform them. For earned value management, we reported data provided by the contractor to US-VISIT that is verified by US-VISIT. To assess its reliability, we reviewed relevant documentation and interviewed the system owner for the earned value data. More specifically, we addressed US-VISIT efforts to: * define and implement an exit strategy for air, sea, and land by reviewing and analyzing information provided as part of the expenditure plan; the notice of proposed rulemaking for air and sea exit; the regulatory impact analysis and privacy impact assessment for air and sea exit; and comments made to the notice of proposed rule for air and sea exit;[Footnote 51] * track and manage cost and schedule commitments by applying established earned value analysis techniques to baseline and actual performance data from cost performance reports;[Footnote 52] and * define and implement a risk management process that addresses the identification, analysis, evaluation, and monitoring of risks by reviewing the risk management policy, risk management plan, active and high risk lists, risk meeting minutes, and a risk elevation memorandum. Additionally, in February 2007, we reported[Footnote 53] that the system that US-VISIT uses to manage its finances (U.S. Immigration and Customs Enforcement’s Federal Financial Management System) has reliability issues. In light of these issues, the US-VISIT Budget Office tracks program obligations and expenditures separately using a spreadsheet and comparing this spreadsheet to the information in Federal Financial Management System. Based on a review of this spreadsheet, there is reasonable assurance that the US-VISIT budget numbers being reported by Federal Financial Management System are accurate. For DHS-provided data that our reporting commitments did not permit us to substantiate, we have made appropriate attribution indicating the data’s source. [End of Attachment 1] Attachment 2: Related GAO Products List: Homeland Security: Strategic Solution for US-VISIT Program Needs to Be Better Defined, Justified, and Coordinated. [hyperlink, http://www.gao.gov/products/GAO-08-361]. Washington, D.C.: February 29, 2008. Homeland Security: U.S. Visitor and Immigrant Status Program’s Long- standing Lack of Strategic Direction and Management Controls Needs to be Addressed. [hyperlink, http://www.gao.gov/products/GAO-07-1065]. Washington, D.C.: August 31, 2007. Homeland Security: DHS Enterprise Architecture Continues to Evolve But Improvements Needed. [hyperlink, http://www.gao.gov/products/GAO-07-564]. Washington, D.C.: May 9, 2007. Homeland Security: US-VISIT Program Faces Operational, Technological, and Management Challenges. [hyperlink, http://www.gao.gov/products/GAO-07-632T]. Washington D.C.: March 20, 2007. Homeland Security: US-VISIT Has Not Fully Met Expectations and Longstanding Program Management Challenges Need to Be Addressed. [hyperlink, http://www.gao.gov/products/GAO-07-499T]. Washington, D.C.: February 16, 2007. Homeland Security: Planned Expenditures for U.S. Visitor and Immigrant Status Program Need to Be Adequately Defined and Justified. [hyperlink, http://www.gao.gov/products/GAO-07-278]. Washington, D.C.: February 14, 2007. Border Security: US-VISIT Program Faces Strategic, Operational, and Technological Challenges at Land Ports of Entry. [hyperlink, http://www.gao.gov/products/GAO-07-378T]. Washington, D.C.: January 31, 2007. Border Security: US-VISIT Program Faces Strategic, Operational, and Technological Challenges at Land Ports of Entry. [hyperlink, http://www.gao.gov/products/GAO-07-248]. Washington, D.C.: December 6, 2006. Homeland Security: Contract Management and Oversight for Visitor and Immigrant Status Program Need to Be Strengthened. [hyperlink, http://www.gao.gov/products/GAO-06-404]. Washington, D.C.: June 9, 2006. Homeland Security: Progress Continues, but Challenges Remain on Department’s Management of Information Technology. [hyperlink, http://www.gao.gov/products/GAO-06-598T]. Washington, D.C.: March 29, 2006. Homeland Security: Recommendations to Improve Management of Key Border Security Program Need to Be Implemented. [hyperlink, http://www.gao.gov/products/GAO-06-296]. Washington, D.C.: February 14, 2006. Homeland Security: Visitor and Immigrant Status Program Operating, but Management Improvements Are Still Needed. [hyperlink, http://www.gao.gov/products/GAO-06-318T]. Washington, D.C.: January 25, 2006. Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program. [hyperlink, http://www.gao.gov/products/GAO-05-700]. Washington, D.C.: June 17, 2005. Information Technology: Customs Automated Commercial Environment Program Progressing, but Need for Management Improvements Continues. [hyperlink, http://www.gao.gov/products/GAO-05-267]. Washington, D.C.: March 14, 2005. Homeland Security: Some Progress Made, but Many Challenges Remain on U.S. Visitor and Immigrant Status Indicator Technology Program. [hyperlink, http://www.gao.gov/products/GAO-05-202]. Washington, D.C.: February 23, 2005. Border Security: State Department Rollout of Biometric Visas on Schedule, but Guidance Is Lagging. [hyperlink, http://www.gao.gov/products/GAO-04-1001]. Washington, D.C.: September 9, 2004. Border Security: Joint, Coordinated Actions by State and DHS Needed to Guide Biometric Visas and Related Programs. [hyperlink, http://www.gao.gov/products/GAO-04-1080T]. Washington, D.C.: September 9, 2004. Homeland Security: First Phase of Visitor and Immigration Status Program Operating, but Improvements Needed. [hyperlink, http://www.gao.gov/products/GAO-04-586]. Washington, D.C.: May 11, 2004. Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed. [hyperlink, http://www.gao.gov/products/GAO-04-569T]. Washington, D.C.: March 18, 2004. Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed. [hyperlink, http://www.gao.gov/products/GAO-03-1083]. Washington, D.C.: September 19, 2003. Information Technology: Homeland Security Needs to Improve Entry Exit System Expenditure Planning. [hyperlink, http://www.gao.gov/products/GAO-03-563]. Washington, D.C.: June 9, 2003. [End of Attachment 2] Attachment 3: Detailed Description of Increments and Component Systems: Description of the processes underlying each increment and the systems that provide information to US-VISIT. Increment 1 processes—Increment 1 includes the following five processes at air and sea ports of entry (POE): pre-entry, entry, status management, exit, and analysis, which are depicted in the graphic below. Figure: Increment 1 processes: [Refer to PDF for image] The following information is illustrated: Pre-entry: occurs at Embassy or consulate; Entry: via air, sea, automobile, or on foot; Status: monitored throughout the nation; Exit: via air, sea, automobile, or on foot; Analysis: occurs throughout the entire process. Source: GAO analysis of US-VISIT data, NOva Development Corp. (clipart). [End of figure] Pre-entry process: Pre-entry processing begins with initial petitions for visas, grants of visa status, or the issuance of travel documentation. When a foreign national applies for a visa at a U.S. consulate, biographic and biometric data are collected and shared with border management agencies. The biometric data[Footnote 54] are transmitted from the Department of State (State) to the Department of Homeland Security (DHS), where the fingerprints are run against the Automated Biometric Identification System (IDENT) to verify identity and to run a check against the biometric watch list. The results of the biometric check are transmitted back to State. A “hit” response prevents State’s system from printing a visa for the applicant until the information is cleared by a consular officer.Pre-entry also includes transmission by commercial air and sea carriers of crew and passenger manifests before arriving in the United States.[Footnote 55] These manifests are transmitted through the Advance Passenger Information System (APIS). The APIS lists are run against the biographic lookout system and identify those arrivals who have biometric data available. In addition, POEs review the APIS list in order to identify foreign nationals who need to be scrutinized more closely. Entry process: When the foreign national arrives at a primary POE inspection booth, the inspector, using a document reader, scans the machine-readable travel documents. APIS returns any existing records on the foreign national to the CBP primary inspection workstation screen, including manifest data matches and biographic lookout hits. When a match is found in the manifest data, the foreign national’s name is highlighted and outlined on the manifest data portion of the screen.Biographic information, such as name and date of birth, is displayed on the bottom of the computer screen,[Footnote 56] as well as the photograph from State’s Consular Consolidated Database. The inspector at the booth scans the foreign national’s fingerprints and takes a digital photograph. This information is forwarded to the IDENT database, where it is checked against stored fingerprints in the IDENT lookout database. If no prints are currently found in IDENT, the foreign national is enrolled in US-VISIT (i.e., biographic and biometric data are entered). If the foreign national’s fingerprints are already in IDENT, the system performs a match (a comparison of the fingerprints captured during the primary inspection to the ones on file) to verify that the person submitting the fingerprints is the person on file. If the system finds a mismatch of fingerprints or a watch list hit, the foreign national is sent to an inspection booth for further screening or processing. While the system is checking the fingerprints, the inspector questions the foreign national about the purpose of his or her travel and length of stay. The inspector adds the class of admission and duration of stay information into the Treasury Enforcement Communications System (TECS), and stamps the “admit until” date on the Form I-94. If the foreign national is ultimately determined to be inadmissible, the person is detained, lookouts are posted in the databases, and appropriate actions are taken. Within 2 hours after a flight lands and all passengers have been processed, TECS is to send the Arrival and Departure Information System (ADIS) the records showing the class of admission and the “admit until” dates that were modified by the inspector. Status management process: The status management process manages the foreign national’s temporary presence in the United States, including the adjudication of benefits applications and investigations into possible violations of immigration regulations. Commercial air and sea carriers transmit departure manifests electronically for each departing passenger. These manifests are transmitted through APIS and shared with ADIS. ADIS matches entry and exit manifest data to ensure that each record showing a foreign national entering the United States is matched with a record showing the foreign national exiting the United States. ADIS maintains a status indicator for each traveler and computes the number of overstay days a visitor remains beyond their original entry duration. ADIS also provides the ability to run queries on foreign nationals who have entry information but no corresponding exit information. ADIS receives status information from the Computer Linked Application Information Management System and the Student and Exchange Visitor Information System on foreign nationals. Exit process: The exit process includes the carriers’ electronic submission of departure manifest data to APIS. This biographic information is passed to ADIS, where it is matched against entry information. Analysis: An ongoing analysis capability is to provide for the continuous screening against watch lists of individuals enrolled in US-VISIT for appropriate reporting and action. As more entry and exit information becomes available, it is to be used to analyze traffic volume and patterns as well as to perform risk assessments. The analysis is to be used to support resource and staffing projections across the POEs, strategic planning for integrated border management analysis performed by the intelligence community, and determination of travel use levels and expedited traveler programs. Increment 2B and Increment 3 processes: Increments 2B and 3 deployed US-VISIT entry processing capabilities to land POEs. These two increments are similar to Increment 1 (air and sea POEs), with several noteworthy differences. * No advance passenger information is available to the inspector before the traveler arrives for inspection. * Travelers subject to US-VISIT are processed at secondary inspection, rather than at primary inspection. * Inspectors’ workstations use a single screen, which eliminates the need to switch between the TECS and IDENT screens. * Form I-94 data are captured electronically. The form is populated by data obtained when the machine-readable zone of the travel document is swiped. If visa information about the traveler exists in the Datashare database,[Footnote 57] it is used to populate the form. Fields that cannot be populated electronically are manually entered. A copy of the completed form is printed and given to the traveler for use upon exit. * No electronic exit information is captured. Component systems: US-VISIT Increments 1 through 3 include the interfacing and integration of existing systems and, with Increment 2C, the creation of a new system. The three main existing systems are as follows: Arrival and Departure Information System (ADIS) stores: * non-citizen traveler arrival and departure data received from air and sea carrier manifests, * arrival data captured by CBP officers at air and sea POEs, * Form I-94 issuance data captured by CBP officers at Increment 2B land POEs, * Form I-94 data captured at air and sea ports of entry, and, * status update information provided by the Student and Exchange Visitor Information System (SEVIS) and the Computer Linked Application Information Management System (CLAIMS 3) (described on the next slide). ADIS provides biographic identity record matching, query, and reporting functions. The passenger processing component of the Treasury Enforcement Communications System (TECS) includes two systems: * Advance Passenger Information System (APIS) captures arrival and departure manifest information provided by air and sea carriers, and; * Interagency Border Inspection System (IBIS) maintains lookout data and interfaces with other agencies’ databases. CBP officers use these data as part of the admission process. The results of the admission decision are recorded in TECS and ADIS. The Automated Biometric Identification System (IDENT) collects and stores biometric data on foreign visitors, including data such as: * Federal Bureau of Investigation information[Footnote 58] on all known and suspected terrorists, all active wanted persons and warrants, and previous criminal histories for visitors from high-risk countries; * DHS Immigration and Customs Enforcement information on deported felons and sex offender registrants; and; * DHS information on previous criminal histories and previous IDENT enrollments. US-VISIT also exchanges biographic information with other DHS systems, including SEVIS and CLAIMS 3: * SEVIS is a system that contains information on foreign students and; * CLAIMS 3 is a system that contains information on foreign nationals who request benefits, such as change of status or extension of stay. Some of the systems involved in US-VISIT, such as IDENT and ADIS, are managed by the program office, while some systems are managed by other organizational entities within DHS. For example: * TECS is managed by CBP, * SEVIS is managed by Immigration and Customs Enforcement, and, * CLAIMS 3 is under United States Citizenship and Immigration Services. US-VISIT also interfaces with other, non-DHS systems for relevant purposes, including watch list[Footnote 59] (i.e. lookout) updates and checks to determine whether a visa applicant has previously applied for a visa or currently has a valid U.S. visa. In particular, US-VISIT receives biographic and biometric information from State’s Consular Consolidated Database as part of the visa application process, and returns finger scan information and watch list changes. IDENT also receives data from FBI’s IAFIS fingerprint system. [End of Attachment 3] Attachment 4: Status of Prior GAO Recommendations: Recommendation: 1. Develop and approve complete test plans before testing begins. These plans, at a minimum, should (1) specify the test environment, including test equipment, software, material, and necessary training; (2) describe each test to be performed, including test controls, inputs, and expected outputs; (3) define the test procedures to be followed in conducting the tests; and (4) provide traceability between test cases and the requirements to be verified by the testing.(GAO-04-586); Included in plan: Yes; Status: Partially Implemented: The program office has developed and approved test plans for various system components, such as the US- VISIT/IDENT Product Integration and the Unified IDENT Release 2 Component/Assembly. Our analysis of these plans shows that they (1) specified the test environment, including test equipment, software, material, and necessary training; (2) described each test to be performed, including test controls, inputs, and expected outputs; (3) defined test procedures to be followed in conducting tests; and (4) provided traceability between test cases and the requirements to be verified by the testing. However, we were unable to verity that these plans were approved prior to testing. Recommendation: 2. Implement effective configuration management practices, including establishing a US-VISIT change control board to manage and oversee system changes. (GAO-04-586); Included in plan: Yes; Status: Implemented: The program office has developed a configuration control board that is responsible for, among other things, to manage and oversee system changes. The office has also developed a configuration management plan and begun implementing practices specified in the plan. For example, a project level configuration management plan was developed for Unique Identity and a change control request submitted and approved by the board. Recommendation: 3. Develop a plan, including explicit tasks and milestones, for implementing all of our open recommendations, including those provided in this report. The plan should provide for periodic reporting to the Secretary and Under Secretary on progress in implementing this plan. The Secretary should report this progress, including reasons for delays, in all future US-VISIT expenditure plans.(GAO-04-586); Included in plan: Yes; Status: Partially Implemented: US-VISIT audit coordination and resolution is governed by formal audit guidance and coordinated through an Integrated Project Team. The team has developed a plan that includes tasks and milestones for implementing GAO recommendations. The plan also provides for the periodic reporting to the Secretary and Under Secretary. Further, the status of efforts to address a number of GAO recommendations has been included in recent US-VISIT expenditure plans, although reasons for delays in implementing them have not. Recommendation: 4. Fully and explicitly disclose in all future expenditure plans how well DHS is progressing against the commitments that it made in prior expenditure plans. (GAO-05-202); Included in plan: No; Status: Partially Implemented: As discussed earlier in this briefing, while the fiscal year 2008 expenditure plan provides some information on how well DHS is progressing against commitments made in the fiscal year 2007 expenditure plan, it does not fully and explicitly disclose how well it is progressing against all previous commitments, and it describes progress in areas not committed to in the prior year’s plan. Recommendation: 5. Reassess its plans for deploying an exit capability to ensure that the scope of the exit pilot provides for adequate evaluation of alternative solutions and better ensures that the exit solution selected is in the best interest of the program. (GAO-05-202); Included in plan: Yes; Status: Implemented: The program office has reassessed its plans for deploying an exit capability. As a result of that assessment, the program office discontinued the US-VISIT exit pilots in May 2007. Recommendation: 6. Develop and implement processes for managing the capacity of the US-VISIT system. (GAO-05-202); Included in plan: Yes; Status: Implemented: The program has developed a capacity management handbook that provides guidance for managing system capacity and has incorporated the activities to be performed into its Universal Delivery Method. Further, the program office has begun implementing this guidance. For example, it has developed US-VISIT/IDENT business and service capacity baselines. Recommendation: 7. Follow effective practices for estimating the costs of future increments. (GAO-05-202); Included in plan: Yes; Status: Partially Implemented: According to the program office, they have (1) established a Cost Process Action Team, (2) defined cost estimation and analysis practices and processes, (3) developed processes for developing both program life cycle cost estimates and Independent Government Cost Estimates, and (4) conducted a self- assessment of the program’s cost estimating practices against guidelines from the Software Engineering Institute. However, the program office has yet to provide documentation demonstrating that it is implementing its defined cost estimation practices. Recommendation: 8. Make understanding the relationships and dependencies between the US-VISIT and ACE programs a priority matter, and report periodically to the Under Secretary on progress in doing so. (GAO-05-202); Included in plan: Yes; Status: Implemented: The program office has been working with the DHS Screening and Coordination Office to, among other priorities; develop a greater understanding between US-VISIT and other programs, including ACE. Further, because the program is no longer organizationally within the Office of the Under Secretary, reporting on progress to the Under Secretary is no longer warranted. Instead, the Screening and Coordination Office, which reports directly to the Secretary and Deputy Secretary, is aware of progress in this area. Recommendation: 9. Explore alternative means of obtaining an understanding of the full impact of US-VISIT at all land POEs, including its impact on workforce levels and facilities; these alternatives should include surveying the sites that were not part of the previous assessment. (GAO-06-296); Included in plan: Yes; Status: Implemented: The program office reassessed its plans for deploying an exit capability to land POEs, and as a result, discontinued the demonstration project in November 2006. Recommendation: 10. For each US-VISIT contract action that the program manages directly, establish and maintain a plan for performing the contractor oversight process, as appropriate. (GAO-06-404); Included in plan: Yes; Status: Implemented: For contract actions that the program manages directly, and where it is appropriate for the program office to oversee contractor activities, the program office has established and maintains an oversight plan. For example, the program office has developed individual oversight plans for 10-Print, Unique Identity, Interim Data Sharing Model, and Independent Test and Support Evaluation Services. Each individual oversight plan describes the roles, responsibilities, and authorities involved in conducting contract administration and oversight of the contract action. Recommendation: 11. Develop and implement practices for overseeing contractor work managed by other agencies on the program office’s behalf, including (1) clearly defining roles and responsibilities for both the program office and all agencies managing US-VISIT-related contracts; (2) having current, reliable, and timely information on the full scope of contract actions and activities; and (3) defining and implementing steps to verify that deliverables meet requirements. (GAO- 06-404); Included in plan: Yes; Status: Implemented: The program office has developed and implemented practices for overseeing contractor work managed by other agencies on the program office’s behalf. Specifically, it has developed a contractor administration management plan that includes (1) clearly defining roles and responsibilities for both the program office and all agencies managing US-VISIT-related contracts; (2) having current, reliable, and timely information on the full scope of contract actions and activities; and (3) defining and implementing steps to verify that deliverables meet requirements. Recommendation: 12. Require, through agreements, that agencies managing contract actions on the program office’s behalf implement effective contract management practices consistent with acquisition guidance for all US-VISIT contract actions, including at a minimum, (1) establishing and maintaining a plan for performing contract management activities; (2) assigning responsibility and authority for performing contract oversight; (3) training the people performing contract oversight; (4) documenting the contract; (5) verifying that deliverables satisfy requirements; (6) monitoring contractor-related risk; and (7) monitoring contractor performance to ensure that the contractor is meeting schedule, effort, cost, and technical performance requirements. (GAO-06-404); Included in plan: Yes; Status: Implemented: The program office has amended the language used in its interagency agreements (IAA) to require agencies that manage contract actions on the program’s behalf to implement certain practices designed to strengthen contract management and oversight. These requirements are specified in the May 2007 US-VISIT Contracts Administration Management Plan and have been included in each of the IAAs. Specifically, each IAA specifies that the agent agency is to (1) establish and maintain a plan for performing contract management activities; (2) designate a contracting officer and contracting officer’s technical representative to manage all contractual actions; (3) train the people performing contract oversight, (4) document the contract; (5) verify that deliverables satisfy requirements; (6) monitor contractor-related risk; and (7) monitor contractor performance to ensure that the contractor is meeting schedule, effort, cost, and technical performance requirements. Recommendation: 13. Require DHS and non-DHS agencies that manage contracts on behalf of US-VISIT to (1) clearly define and delineate the US-VISIT work from non-US-VISIT work as performed by contractors; (2) record, at the contract level, amounts being billed and expended on US- VISIT-related work so that these can be tracked and reported separately from amounts not for US-VISIT purposes; and (3) determine if they have received reimbursement from the program for payments not related to US- VISIT work by contractors, and, if so, refund to the program any amount received in error. (GAO-06-404); Included in plan: Yes; Status: Partially Implemented: The program office reports that it has begun efforts to establish the processes that are to (1) ensure that both DHS and non-DHS agencies that manage contracts on behalf of the program clearly define and delineate the US-VISIT work from non-US- VISIT work performed by contractors, (2) record, at the contract level, amounts being billed and expended on US-VISIT-related work so that these can be tracked and reported separately from amounts not for US- VISIT purposes; and (3) determine if they have received reimbursement from the program for payments not related to US-VISIT work by contractors, and, if so, refund to the program any amount received in error; however, they have yet to demonstrate that these processes are in place and being used by all DHS and non-DHS agencies. Recommendation: 14. Ensure that payments to contractors are timely and in accordance with the Prompt Payment Act. (GAO-06-404); Included in plan: Yes; Status: Partially Implemented: The program office reports that it has begun efforts to establish the controls needed to ensure that payments to contractors are made timely and in accordance with the Prompt Payment Act. Recommendation: 15. Improve existing management controls for identifying and reporting computer processing and other operational problems as they arise at land POEs and ensure that these controls are consistently administered. (GAO-07-248); Included in plan: Yes; Status: Not Implemented:DHS has yet to implement improved management controls for identifying and reporting computer processing and other operational problems as they arise at land POEs or to implement a method for ensuring that these controls are consistently administered. Recommendation: 16. Develop performance measures for assessing the impact of US-VISIT operations specifically at land POEs. (GAO-07-248); Included in plan: Yes; Status: Not Implemented: DHS has yet to develop performance measures for assessing the impact of US-VISIT operations at land POEs. Recommendation: 17. As DHS finalizes the statutorily mandated report describing a comprehensive biometric entry and exit system for US- VISIT, that it include, among other things, information on the costs, benefits, and feasibility of deploying biometric and nonbiometric exit capabilities at land POEs. (GAO-07-248); Included in plan: No; Status: Not Implemented: DHS reports that it has recently begun to develop the statutorily mandated report, and department officials said that they expect to issue it in early 2009. DHS officials stated that they expect it to include information on costs, benefits, and feasibility of biometric and nonbiometric exit capabilities at land POEs. Recommendation: 18. As DHS finalizes the statutorily mandated report describing a comprehensive biometric entry and exit system for US- VISIT, that it include, among other things, a discussion of how DHS intends to move from a nonbiometric exit capability, such as the technology currently being tested, to a reliable biometric exit capability that meets statutory requirements. (GAO-07-248); Included in plan: No; Status: Not Implemented: DHS has recently begun to develop the statutorily mandated report, and department officials stated that it is to be issued in early 2009. DHS officials stated that they expect it to include a discussion on how it intends to move to a biometric exit capability at land ports of entry. Recommendation: 19. As DHS finalizes the statutorily mandated report describing a comprehensive biometric entry and exit system for US- VISIT, that it include, among other things, a description of how DHS expects to align emerging land border security initiatives with US- VISIT and what facility or facility modifications would be needed to ensure that technology and processes work in harmony. (GAO-07-248); Included in plan: No; Status: Not Implemented: DHS has recently begun to develop the statutorily mandated report, and department officials stated that it is to be issued in early 2009. DHS officials stated that they expect it to show how US-VISIT is to align with emerging land border initiatives as well as what facility modifications would be needed to ensure that technology and processes work in harmony. Recommendation: 20. Report regularly to the Secretary and to the DHS authorization and appropriations committees on the range of program risks associated with not having fully satisfied all expenditure plan legislative conditions, reasons why they were not satisfied, and steps being taken to mitigate these risks. (GAO-07-278); Included in plan: Yes; Status: Not Implemented: Program officials stated that they periodically brief authorization and appropriations committees on a range of program risks, including those associated with not having fully satisfied all expenditure plan legislative conditions, reasons why they were not satisfied, and steps being taken to mitigate these risks. However, they did not provide any verifiable evidence that these matters were discussed, and staff with the House and Senate appropriations committees that focus on US-VISIT told us that they are not aware of such briefings in which these matters were discussed. Recommendation: 21. Limit planned expenditures for exit pilots and demonstration projects until such investments are economically justified and until each investment has a well-defined evaluation plan. The projects should be justified on the basis of costs, benefits, and risks, and the evaluation plans should define what is to be achieved and should include a plan of action and milestones and measures for demonstrating achievement of pilot and project goals and desired outcomes. (GAO-07-278); Included in plan: Yes; Status: Implemented: The program office has limited planned expenditures in exit pilots and demonstration projects by reassessing its plans and discontinuing the exit pilots in May 2007 and the demonstration project in November 2006. Recommendation: 22. Work with the DHS Enterprise Architecture Board to identify and mitigate program risks associated with investing in new US- VISIT capabilities in the absence of a DHS-wide operational and technological context for the program. These risks should reflect the absence of fully defined relationships and dependencies with related border security and immigration enforcement programs. (GAO-07-278); Included in plan: Yes; Status: Not Implemented: The program office provided DHS Enterprise Architecture Board meeting meetings. However, none of the meeting minutes provided contained information on identifying and mitigating program risks associated with investing in new US-VISIT capabilities in the absence of a DHS-wide technological context for the program. Recommendation: 23. Limit planned expenditures for program management- related activities until such investments are economically justified and have well-defined plans detailing what is to be achieved, a plan of action and milestones, and measures for demonstrating progress and achievement of desired outcomes. (GAO-07-278); Included in plan: Yes; Status: Not Implemented: The program office has yet to provide either an economic justification or well-defined plans for its program management-related activities detailing what is to be achieved and including a plan of action and milestones and measures for demonstrating progress and achievement of desired outcomes. Moreover, the amount of funding for program management in FY2008 remains at the level mentioned in FY2006 expenditure plan, which was the basis for this recommendation. Recommendation: 24. The Secretary of DHS report to the department’s authorization and appropriations committees on its reasons for not fully addressing its expenditure plan legislative conditions and our prior recommendations.(GAO-07-1065); Included in plan: Yes; Status: Not Implemented: Program officials stated that they periodically brief authorization and appropriations committees on program-related issues, including reasons for not having fully satisfied all expenditure plan legislative conditions and GAO recommendations. However, they did not provide any verifiable evidence that these matters were discussed, and staff with the House and Senate appropriations committees that focus on US-VISIT told us that they are not aware of such briefings in which these matters were discussed. Recommendation: 25. Develop a plan for a comprehensive exit capability, which includes, at a minimum, a description of the capability to be deployed, the cost of developing, deploying and operating the capability, identification of key stakeholders and their respective roles and responsibilities, key milestones, and measurable performance indicators. (GAO-08-361); Included in plan: No; Status: Partially Implemented: DHS recently issued a notice of proposed rulemaking for implementing an exit capability at air and sea POEs. This notice provides a high-level description of a proposed Air and Sea Exit solution, and an estimate of the cost to develop, deploy, and operate the solution. Further, it describes the roles and responsibilities of key stakeholders, such as air and sea carriers, and sets some performance indicators, such as when passenger biometrics are to be transmitted to DHS. However, as discussed in this briefing, this proposed solution raises a number of questions that need to be resolved. Recommendation: 26. Develop an analysis of costs, benefits, and risks for proposed exit solutions before large sums of money are committed on those solutions, and use the analysis in selecting the final solution. (GAO-08-361); Included in plan: No; Status: Partially Implemented: As noted earlier in this briefing, DHS’s Air and Sea Exit regulatory impact analysis analyzed the costs and benefits of the proposed solution and four alternatives, and DHS used this analysis in proposing its exit solution. However, the cost estimates that were used in this analysis were not sufficiently reliable to justify the proposed solution. Recommendation: 27. Direct the appropriate DHS parties involved in defining, managing, and coordinating relationships across the department’s border and immigration management programs to address the program collaboration shortcomings identified in this report, such as fully defining the relationships between US-VISIT and other immigration and border management programs and, in doing so, to employ the collaboration practices discussed in this report. (GAO-08-361); Included in plan: No; Status: Partially Implemented: DHS has yet to direct all of the appropriate parties involved in defining, managing, and coordinating relationships across the department’s border and immigration management programs to address the program collaboration shortcomings identified in this report and, in doing so, to employ the collaboration practices discussed in this report. Specifically, while US-VISIT has begun to coordinate with specific border and immigration management programs such as the Secure Border Initiative and Western Hemisphere Travel Initiative. [End of Attachment 4] [End of Appendix I] Appendix II: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: November 19, 2008: Randolph C. Hite: Director, Information Technology Architecture and Systems: U.S. Government Accountability Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Mr. Hite: The Department of Homeland Security (DHS) is submitting this written response regarding the Government Accountability Office (GAO) recommendation contained in its report, U.S. Visitor and Immigrant Status indicator Technology Program Planning and Execution Improvements Needed, 09-96. GAO Recommendation: To assist DHS in planning and executing US-VISIT, we recommend that the Secretary of Homeland Security direct the department's Investment Review Board to immediately hold a review of the US-VISIT program that, at a minimum, addresses: * The reasons for the fiscal year 2008 expenditure plan not fully addressing each of the legislative conditions and corrective action to ensure that this does not occur for future expenditure plans; * The adequacy of the basis for any future Air and Sea Exit solution, including the reliability of cost estimates, implication of privacy and security issues, and addressing key concerns raised in comments to the proposed rule; * The weaknesses in the program's implementation of risk management; and; * The weaknesses in the prime contractor's implementation of its earned value management, including the limitations in the quality of the schedule baselines and the schedule variance measurements. Response: DHS concurs with this recommendation. The DHS Investment Review Board will convene on November 17, 2008, for the purpose of reviewing the US- VISIT program. The objectives of this review are to address the recommendation made in GAO-09-96. US-VISIT is prepared to discuss the following: * How the FY09 Spend Plan will address GAO concerns raised in the audit of the FY08 Spend Plan; * How the Air/Sea Exit solution will address GAO concerns regarding cost estimates, security and privacy of the solution and the level of detail for the solution; * How US-VISIT's improvements in risk management will address GAO concerns regarding the currency of the information in the risk management database, risk management plan and the elevation of risks; and; * How US-VISIT will continue its oversight and the Defense Contract Management Agency (DCMA) will perform periodic assessments of the contractor's progress toward compliance of the 32 published standards for earned value management. Additionally, GAO writes that Legislative Condition 4, regarding DHS investment management and OMB capital planning and investment control certification by the CPO, is only partially satisfied: DHS's investment management process is not sufficiently mature. As we reported in April 2007, this process does not satisfy the key practices outlined in the Information Technology Investment Management Framework, which is a maturity framework based on corporate investment management best practices employed by leading public and private sector organizations and is consistent with OMB capital planning and investment control requirements. In particular, we reported that: * DHS's process (policies and procedures) for project level management do not include all key elements, such as specific criteria or steps for prioritizing and selecting new investments. * DHS has not fully implemented the practices needed to control investments - at the project level or at the portfolio level, including regular project-level reviews by the DHS Investment Review Board. * DHS's process does not identify a methodology with explicit decision- making criteria to determine an investment's alignment with the DHS enterprise architecture. DHS nonconcurs with this finding. On November 7, 2008, the DHS Under Secretary for Management signed out the interim operational policy for the investment control requirements. This policy provides for the following: * A DHS process (including policies and procedures) for project level management that includes all key elements, including specific criteria and steps for prioritizing and selecting new investments; * A set of practices to control investments at the project and portfolio level, including regular project-level reviews by the DHS Investment Review Board; and; * Identification of a methodology with explicit decision-making criteria to determine an investment's alignment with the DHS enterprise architecture. Lessons learned from the FY08 expenditure plan have prompted the Department to make adjustments in developing the FY09 spend plan. For example, greater visibility will be provided into operations and maintenance and program management planned expenditures; milestones will be provided and quantitative performance targets will be incorporated into planned accomplishments; mitigation plans for open GAO recommendations will also include milestones and the Department will make every effort to close out GAO's previous recommendations; and FY08 results will be reported for all planned accomplishments from the FY 08 plan. When fully executed it is our aim to fully satisfy the legislative conditions in accordance with the Consolidated Appropriations Act, 2008, Public Law No. 110-161. Sincerely, Signed by: Jerald E. Levine: Director: Departmental Audit Liaison Office: Attachment: U.S. Department of Homeland Security: Washington, DC 20528: November 7, 2008: Memorandum For: Distribution List From: [Signed by] Elaine C. Duke: Under Secretary for Management: Subject: Departmental Acquisition Management: As you know, I tasked the Acquisition Program Management Division (APMD) of the Office of the Chief Procurement Officer to re-engineer the Department's Investment Review Process (Management Directive (MD) 1400). This re-engineering had, as its objective, improvement in acquisition management and oversight across the Department of Homeland Security (DHS) enterprise. APMD. in collaboration with Departmental and Component stakeholders, has developed and informally staffed the attached Directive (102-01). Because of the extensive coordination to date, this Directive is authorized as an interim policy effective today. In parallel with this interim authorization, Directive 102-01 will be formally staffed through the Department's executive correspondence process. Changes resulting from this formal review (along with changes proposed by users as a result of initial implementation) will be incorporated in the policy prior to its completing this process. I appreciate the tremendous collaboration and inputs provided by your organizations throughout the development and informal staffing process - this resulting draft marks another critical milestone toward the integration of DHS. This Directive's overarching goal is to establish an acquisition management system that effectively provides required capability to DHS users in support of DHS missions. The Directive leverages proven management, governance, and oversight practices within the Department, streamlines the acquisition process, and addresses the issues and problems with the previous MD 1400. Specifically, it: * Creates a common acquisition policy across the Department; * Creates the Acquisition Decision Authority position as a single point of accountability; * Establishes a single, but tailorable life cycle framework for all acquisitions; and; * Delegates acquisition decision authority to Components wherever feasible. This Directive supersedes all versions of MD 1400; consequently, all previous versions of MD 1400 are hereby revoked. The Department is required to commence implementing the Directive's policies and align internal policies accordingly. Individual programs should transition to this policy at their next formal decision point, but not later than six months from the date of this memorandum. APMD will work with each Component or Headquarters contingent to establish a collaborative transition schedule for each acquisition portfolio. Training on this policy will be provided by cadres of individuals (trained by APMD) within each Component/Headquarters contingent. "Train- the-Trainers" training began on November S. and will continue until all who need instruction have attended. For further information, please contact John Higbee, Director, APMD at (202) 447-5398 or by e-mail at,john.higbee@adhs.gov, or Page Glennie at (202) 447-5492 or by e-mail at page.glennie@dhs.gov. Attachment: Distribution List: Under Secretary, Science & Technology: Under Secretary, National Protection & Programs Under Secretary, Intelligence & Analysis Assistant Secretary, Policy: Assistant Secretary, Legislative Affairs: Assistant Secretary. Public Affairs: Assistant Secretary, Health Affairs/Chief Medical Officer: Assistant Secretary, Transportation Security Administration: Assistant Secretary, United States Immigration & Customs Enforcement: Commissioner, Customs and Border Protection: Commandant, United States Coast Guard: Administrator, Federal Emergency Management Agency: Director. Operations Coordination Director, Counternarcotics Enforcement: Director, Federal Law Enforcement Training Center: Director, Domestic Nuclear Detection Office: Director, United States Citizenship & Immigration Services: Director, United States Secret Service: Ombudsman Citizenship & Immigration Services: Officer for Civil Rights & Civil Liberties: General Counsel (Acting): Inspector General: Military Advisor's Officer: Gulf Coast Region Office: Chief Financial Officer: Chief Information Officer: Chief Administrative Officer: Chief Procurement Officer: Chief Human Capital Officer: Chief Privacy Officer: Chief Security Officer: Director, Screening Coordination Office: Director, U.S. Visitor and Immigrant Status Indicator Technology: Director, Acquisition & Program Management Support Division, Transportation Security Administration: Director, Investment Management, Office of Finance, Customs and Border Protection: Chief Acquisition Support Office, United States Coast Guard: [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Randolph C. Hite, (202) 512-3439, or hiter@gao.gov: Staff Acknowledgments: In addition to the individual named above, Tonia Johnson (Assistant Director), Bradley Becker, Season Dietrich, Neil Doherty, Jennifer Echard, Elena Epps, Nancy Glover, Rebecca LaPaze, Anjalique Lawrence, Anh Le, Emily Longcore, Lee McCracken, Freda Paintsil, Karl Seifert, and Jeanne Sung made key contributions to this report. [End of section] Footnotes: [1] Pub L. No. 110-161, 121 Stat. 1844, 2059-60 (Dec. 26, 2007). [2] The briefing document includes a few minor editorial changes to clarify certain points. [3] The twelfth legislative condition--that the plan be reviewed by us- -was satisfied. [4] GAO, Homeland Security: Strategic Solution for US-VISIT Program Needs to Be Better Defined, Justified, and Coordinated, [hyperlink, http://www.gao.gov/products/GAO-08-361] (Washington, D.C.: Feb. 29, 2008). [5] GAO, Cost Assessment Guide: Best Practices for Estimating and Managing Program Costs, Exposure Draft, [hyperlink, http://www.gao.gov/products/GAO-07-1134SP] (Washington, D.C.: July 2007), at p. 251. [6] Task order 7 provides for development and deployment of new capabilities. [7] Pub. L. No. 110-161 (Dec. 26, 2007). [8] Since fiscal year 2002, $2.22 billion has been appropriated for US- VISIT. [9] This is the seventh legislatively-mandated US-VISIT expenditure plan. [10] As discussed in the scope and methodology section of this briefing (attachment 1), we sought clarification from staff with the House and Senate Appropriations Committees, Subcommittees on Homeland Security, on this condition. As a result, the wording of this condition has been modified slightly from that in the act. [11] For details on the processes underlying each increment and systems supplying information on US-VISIT, see attachment 3. [12] Radio frequency technology relies on proximity cards and card readers. Radio frequency devices read the information contained on the card when the card is passed near the device. The information can contain personal information of the cardholder. [13] An indefinite delivery/indefinite quantity contract provides for an indefinite quantity, within stated limits, of supplies or services during a fixed period of time. The government schedules deliveries or performance by placing orders with the contractor. [14] Accenture’s partners in this contract include, among others, Raytheon Company, the Titan Corporation, and SRA International, Inc. [15] Total value is the reported budget at completion as of May 2008. [16] This solution would not be applicable to vessel carriers because there are no TSA checkpoints at seaports. [17] GAO, Information Technology: Homeland Security Needs to Improve Entry Exit System Expenditure Planning, [hyperlink, http://www.gao.gov/products/GAO-03-563] (Washington, D.C.: June 9, 2003) and Homeland Security: Some Progress Made, but Many Challenges Remain on U.S. Visitor and Immigrant Status Indicator Technology Program, [hyperlink, http://www.gao.gov/products/GAO-05-202] (Washington, D.C.: Feb. 23, 2005). [18] GAO, Homeland Security: U.S. Visitor and Immigrant Status Program’s Long-standing Lack of Strategic Direction and Management Controls Needs to Be Addressed, [hyperlink, http://www.gao.gov/products/GAO-07-1065] (Washington, D.C.: Aug. 31, 2007). [19] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. [20] Office of Management and Budget Circular A-11, Part 7 establishes policy for planning, budgeting, acquisition, and management of federal capital assets. [21] GAO, Information Technology: DHS Needs to Fully Define and Implement Policies and Procedures for Effectively Managing Investments, [hyperlink, http://www.gao.gov/products/GAO-07-424] (Washington, D.C.: April 27, 2007). [22] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. [23] [hyperlink, http://www.gao.gov/products/GAO-07-424]. [24] GAO, Information Technology Investment: A Framework for Assessing and Improving Process Maturity, [hyperlink, http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March 2004). [25] GAO, Homeland Security: First Phase of Visitor and Immigration Status Program Operating, but Improvements Needed, [hyperlink, http://www.gao.gov/products/GAO-04-586] (Washington, D.C.: May 11, 2004). [26] Chief Information Officer Council, A Practical Guide to Federal Enterprise Architecture, Version 1.0, February 2001. [27] GAO, Information Technology: A Framework for Assessing and Improving Enterprise Architecture Management (version 1.1), [hyperlink, http://www.gao.gov/products/GAO-03-584G] (Washington, D.C.: April 2003). [28] GAO, Homeland Security: Strategic Solution for US-VISIT Program Needs to Be Better Defined, Justified, and Coordinated, [hyperlink, http://www.gao.gov/products/GAO-08-361] (Washington, D.C.: Feb. 29, 2008). [29] [hyperlink, http://www.gao.gov/products/GAO-03-584G]. [30] [hyperlink, http://www.gao.gov/products/GAO-07-424]. [31] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. [32] GAO,DOD Business Systems Modernization: Key Marine Corps System Acquisition Needs to Be Better Justified, Defined, and Managed, [hyperlink, http://www.gao.gov/products/GAO-08-22] (Washington, D.C.: July. 28, 2008). [33] GAO, Homeland Security: Recommendations to Improve Management of Key Border Security Program Needs to Be Implemented, [hyperlink, http://www.gao.gov/products/GAO-06-296] (Washington, D.C.: Feb. 14, 2006). [34] The US-VISIT Risk Management Plan separates the risk management process into five steps. The fourth step—risk handling—is the process of selecting and implementing responses to identified and prioritized risks. [35] [hyperlink, http://www.gao.gov/products/GAO-06-296]. [36] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. [37] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. [38] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. [39] GAO, Homeland Security: Prospects for Biometric US-VISIT Exit Capability Remains Unclear, [hyperlink, http://www.gao.gov/products/GAO- 07-1044T (Washington, D.C.: June 28, 2007). [40] [hyperlink, http://www.gao.gov/products/GAO-08-361]. [41] As discussed in the scope and methodology section of this briefing (attachment 1), we sought clarification from staff with the House and Senate Appropriations Committees, Subcommittees on Homeland Security, on this condition. As a result, the wording of this condition has been modified slightly from that in the act. [42] [hyperlink, http://www.gao.gov/products/GAO-07-1065]. [43] GAO, Homeland Security: Planned Expenditures for U.S. Visitor and Immigrant Status Program Need to be Adequately Defined and Justified, [hyperlink, http://www.gao.gov/products/GAO-07-278] (Washington, D.C.: Feb. 14, 2007). [44] GAO, Information Security: Homeland Security Needs to Immediately Address Significant Weaknesses in Systems Supporting the US-VISIT Program, [hyperlink, http://www.gao.gov/products/GAO-07-870] (Washington, D.C.: July 13, 2007). [45] These are the Air/Sea Exit, Secure Flight, the Electronic Travel Authorization System, and the Advance Passenger Information System- Quick Query. [46] [hyperlink, http://www.gao.gov/products/GAO-06-296]. [47] OMB, Circular No. A-11, Part 7 Supplement - Capital Programming Guide, 2006, [hyperlink, http://www.whitehouse.gov/omb/circulars/a11/current_year/a_11_2006.pdf] (accessed June 16, 2008) and Software Engineering Institute, CMMI for Acquisition, Version 1.2, CMU/SEI-2007-TR-017 (Pittsburgh, PA; November 2007). [48] GAO, Cost Assessment Guide: Best Practices for Estimating and Managing Program Costs, Exposure Draft, [hyperlink, http://www.gao.gov/products/GAO-07-1134SP]. (Washington, D.C.: July 2007). [49] Task order 7 has an approximate value of $141 million. [50] As agreed, our scope of work focused on the plan delivered to the House and Senate Appropriations Committees. [51] We did not attempt to validate the comments. [52] For observation 6, we used the Unique ID and Biometric Solutions Delivery subtasks of task order 7. These tasks covered 98 percent of the total value of task order 7 and the remaining 2 percent were related to subtasks issued in fiscal year 2008. [53] [hyperlink, http://www.gao.gov/products/GAO-07-278]. [54] US-VISIT is currently transitioning from scanning only the right and left index fingers to scanning all 10 fingers. [55] 8 U.S.C. § 1221(a). [56] The new 10-print process will also integrate this information with manifest data so that it is all represented on one screen. [57] Datashare includes a data extract from State’s Consular Consolidated Database system and includes the visa photograph, biographical data, and the fingerprint identification number assigned when a nonimmigrant applies for a visa. [58] Information from the Federal Bureau of Investigation includes fingerprints from the Integrated Automated Fingerprint Identification System. [59] Watch list data sources include DHS’s Customs and Border Protection and Immigration and Customs Enforcement; the Federal Bureau of Investigation; legacy DHS systems; the U.S. Secret Service; the U.S. Coast Guard; the Internal Revenue Service; the Drug Enforcement Agency; the Bureau of Alcohol, Tobacco, & Firearms; the U.S. Marshals Service; the U.S. Office of Foreign Asset Control; the National Guard; the Treasury Inspector General; the U.S. Department of Agriculture; the Department of Defense Inspector General; the Royal Canadian Mounted Police; the U.S. State Department; Interpol; the Food and Drug Administration; the Financial Crimes Enforcement Network; the Bureau of Engraving and Printing; and the Department of Justice Office of Special Investigations. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: