This is the accessible text file for GAO report number GAO-11-276 entitled 'Defense Biometrics: DOD Can Better Conform to Standards and Share Biometric Information with Federal Agencies' which was released on May 2, 2011. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Report to Congressional Requesters: March 2011: Defense Biometrics: DOD Can Better Conform to Standards and Share Biometric Information with Federal Agencies: GAO-11-276: GAO Highlights: Highlights of GAO-11-276, a report to congressional requesters. Why GAO Did This Study: Biometrics technologies that collect and facilitate the sharing of fingerprint records, and other identity data, are important to national security and federal agencies recognize the need to share such information. The Department of Defense (DOD) plans to spend $3.5 billion for fiscal years 2007 to 2015 on biometrics. GAO was asked to examine the extent to which DOD has (1) adopted standards and taken actions to facilitate the collection of biometrics that are interoperable with other key federal agencies, and (2) shares biometric information across key federal agencies. To address these objectives, GAO reviewed documents including those related to standards for collection, storage, and sharing of biometrics; visited selected facilities that analyze and store such information; and interviewed key federal officials. What GAO Found: DOD has adopted a standard for the collection of biometric information to facilitate sharing of that information with other federal agencies. DOD recognized the importance of interoperability and directed adherence to internationally accepted biometric standards. DOD applied adopted standards in some but not all of its collection devices. Specifically, a collection device used primarily by the Army does not meet DOD adopted standards. As a result, DOD is unable to automatically transmit biometric information collected to federal agencies, such as the Federal Bureau of Investigation (FBI). For example, this device is responsible for 13 percent of the records maintained by DOD—the largest number of submissions collected by a handheld device, according to DOD. Further, this constitutes approximately 630,000 DOD biometric records that cannot be searched automatically against FBI's approximately 94 million. DOD has not taken certain actions that would likely improve its adherence to standards, all of which are based on criteria from the Standard for Program Management, the National Science and Technology Council, and the Office of Management and Budget guidance, respectively. First, DOD does not have an effective process, procedure, or timeline for implementing updated standards. Second, DOD does not routinely test at sufficient levels of detail for conformance to these standards. Third, DOD has not fully defined roles and responsibilities specifying accountability needed to ensure its collection devices meet new and updated standards. DOD is sharing its biometric information and has an agreement to share biometric information with the Department of Justice, which allows for direct connectivity and the automated sharing of biometric information between their biometric systems. DOD’s ability to optimize sharing is limited by not having a finalized sharing agreement with DHS, and its capacity to process biometric information. Currently, DOD and DHS do not have a finalized agreement in place to allow direct connectivity between their biometric systems. DOD is working with DHS to develop a memorandum of understanding to share biometric information now scheduled for completion in May 2011; however, without the agreement, it is unclear whether direct connectivity will be established between DOD and DHS, which affects response times to search queries. Further, agencies’ biometric systems have varying system capacities based on their mission needs, which affects their ability to similarly process each other’s queries for biometric information. As a result, DOD and other agency officials have expressed concern that DOD’s biometric system may be unable to meet the search demands from their other biometric systems over the long-term. DOD officials do not believe that they need to match other agencies’ biometric system capacities because they do not anticipate receiving the same number of queries given differences in mission. However, the advancements other agencies make in their biometric systems may continue to overwhelm DOD’s efforts as it works to identify its long-term biometric system capability needs and associated costs. What GAO Recommends: To improve DOD’s ability to collect and share information, GAO recommends that DOD implement processes for updating and testing biometric collection devices to adopted standards; fully define and clarify the roles and responsibilities for all biometric stakeholders; finalize an agreement with the Department of Homeland Security (DHS); and identify its long-term biometric system capability needs. DOD agreed with all of GAO’s recommendations. View [hyperlink, http://www.gao.gov/products/GAO-11-276] or key components. For more information, contact Davi M. D'Agostino, (202) 512-5431 or dagostinod@gao.gov. [End of section] Contents: Letter: Background: DOD Has Adopted Biometric Collection Standards to Enhance Interoperability, but Taking Certain Actions Could Better Ensure Adherence to Standards: DOD Is Sharing Biometric Information but Sharing Is Limited by the Absence of an Agreement with DHS and DOD's System Capacity: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Scope and Methodology: Appendix II: Funding for DOD's Biometric Program: Appendix III: Comments from the Department of Defense: Appendix IV: GAO Contact and Staff Acknowledgments: Related GAO Products: Tables: Table 1: Agencies Where GAO Obtained Documentary Evidence and Officials' Views on the Collection, Use, Storage, and Sharing of Biometric Information: Table 2: Biometric Program Funding, Fiscal Year 2007 through Fiscal Year 2011: Table 3: Biometric Program Funding Fiscal Year 2012 through Fiscal Year 2015: Figures: Figure 1: DOD Collects Biometric Information from Persons Seeking Access to U.S. Installations in Iraq and Afghanistan and Persons Encountered by U.S. Forces during Military Operations: Figure 2: Timeline of DOD's Biometric Standard: Figure 3: Current Biometric Information-Sharing Connectivity between DOD, DOJ/FBI, and DHS/State: Figure 4: Desired Biometric Information-Sharing Connectivity between DOD, DOJ/FBI, and DHS/State: Abbreviations: ABIS: Automated Biometric Identification System: BIMA: Biometric Identity Management Agency: DHS: Department of Homeland Security: DOD: Department of Defense: DOD EBTS: Department of Defense Electronic Biometric Transmission Specification: DOJ: Department of Justice: FBI: Federal Bureau of Investigation: HIIDE: Handheld Interagency Identity Detection Equipment: IAFIS: Integrated Automated Fingerprint Identification System: IDENT: Automated Biometric Identification System: [End of section] United States Government Accountability Office: Washington, DC 20548: March 31, 2011: Congressional Requesters: The U.S. government continues in its efforts to positively identify those individuals who may do harm to its citizens, whether discovered at the border, airports, military installations, and during operations around the world, or as a result of criminal investigations. Biometrics technologies that collect and facilitate the sharing of fingerprint records, iris scans, and other data, play an important role as a tool to protect national security, and federal agencies increasingly recognize the need to share terrorism-related biometric information. Challenges to national security arise from multiple sources, which make it difficult, if not impossible, for any single agency to effectively address these new threats alone. In that sense, effective collaboration among multiple agencies and across federal, state, and local governments is critical. On June 5, 2008, the President issued a new national security directive establishing a governmentwide framework for the sharing of biometric information.[Footnote 1] This directive requires federal agencies to use compatible methods and procedures in the collection, storage, use, analysis, and sharing of biometric information, among other things. In November 2008, as a response to the Presidential directive, the Department of Justice (DOJ) in coordination with the Department of State (State), the Department of Homeland Security (DHS), and the Department of Defense (DOD), among others, developed an action plan to recommend actions and timelines for enhancing the existing identification and screening processes by expanding the use of biometrics. DOD, DOJ (including the Federal Bureau of Investigation (FBI)), DHS, and State collect biometric information to meet their missions. Prior to the issuance of National Security Presidential Directive- 59/Homeland Security Presidential Directive-24, these agencies had established formal and informal arrangements regarding the sharing of information among three major biometric systems: (1) the FBI's Integrated Automated Fingerprint Identification System (IAFIS), which is used for law enforcement purposes; (2) DHS's Automated Biometric Identification System, known as IDENT, which is used by the department in cooperation with its components for several missions and functions including border security, naturalization, and counterterrorism activities, as well as State as part of its visa approval process; and (3) DOD's Automated Biometric Identification System, known as ABIS, which stores biometric information collected on non-U.S. persons. [Footnote 2] These agencies have implemented policies that use standards to facilitate the sharing of information among the three systems.[Footnote 3] According to officials at DOD, DHS, and FBI, efforts continue to ensure that biometric information is captured so it can be shared by these three biometric systems, and efforts continue to ensure that National Security Presidential Directive- 59/Homeland Security Presidential Directive-24 is implemented. DOD's Biometric Identity Management Agency (BIMA) is responsible for DOD's activities to program, integrate, and synchronize biometric technologies and capabilities, including the operation and maintenance of ABIS. The Handheld Interagency Identity Detection Equipment (HIIDE) is one of several biometric collection devices that feed ABIS with collected biometric information, including that from enemy combatants. According to funding figures provided by DOD, about $3.5 billion has been or will be spent to fund its biometrics programs from fiscal year 2007 through fiscal year 2015. More detailed information on funding for DOD's biometric program appears in appendix II. We have previously reported on DOD's management of its biometrics activities, its efforts to collect and share biometrics information to support military activities, and gaps in the interagency information sharing effort.[Footnote 4] In light of the continued importance of biometrics, and its impact on DOD's and other federal agencies' abilities to protect the homeland, you asked us to examine several matters related to biometrics, including standards and interagency processes for sharing biometric information. Accordingly, our objectives were to assess the extent to which DOD (1) adopted standards and has taken actions to facilitate the collection of biometrics that are interoperable with other key federal agencies and (2) shares biometric information across key federal agencies. DOD, DOJ, State, and DHS rely on three major federal biometric systems as part of preventing terrorists and criminals from harming national security. Our review, therefore, obtained information from these four agencies, with special focus on DOD. We also confined our review to biometric information related to non-U.S. persons, including enemy combatants, and foreign persons of interest as national security threats as well as persons who are local nationals, third-country nationals or contractors, or coalition forces. In addition, we did not evaluate the technical performance of collection devices used to gather identity information. To conduct this review, we analyzed Presidential directives related to biometrics information, DOD's biometric capability documents, standards for the collection, storage, and sharing of biometrics issued by standards organizations such as the National Institute for Standards and Technology, and interviewed officials from DOD, DHS, DOJ, and State that collect and share biometric information. We conducted site visits to a selection of facilities that gather, analyze, and store biometric information, including the Army's National Ground Intelligence Center, the Army's Biometric Identity Management Agency, and the FBI's Criminal Justice Information Services complex. We also met with U.S. Central Command and U.S. Special Operations Command officials to obtain their views on how these two combatant commands had operationalized the collection of biometric information. More detailed information on our scope and methodology appears in appendix I. We conducted this performance audit from December 2009 through March 2011, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: The FBI, DHS, and DOD are responsible for managing and maintaining the following major biometric systems: (1) FBI's Integrated Automated Fingerprint Identification System (IAFIS). Established in July 1999 and managed by the FBI's Criminal Justice Information Services division, IAFIS is a national fingerprint and criminal history system that stores, searches, matches, and shares fingerprints. The FBI is currently in the process of transitioning from IAFIS to the Next Generation Identification system, which will include an expansion to biometrics storage and search capabilities for fingerprints; scars, marks, and tattoos; faces; irises; and palms. The Next Generation Identification system is a multiyear effort with six increments that is expected to be completed by 2014. (2) DHS's Automated Biometric Identification System (IDENT). Established in 1994 and managed by the United States Visitor and Immigrant Status Indicator Technology program, which falls under the purview of the National Protection and Programs Directorate within DHS, IDENT is used by DHS and State for many purposes including border security, information on persons undergoing naturalization and visa processes, and in the agencies' counterterrorism efforts. IDENT stores, searches, matches, and shares fingerprints.[Footnote 5] According to DHS officials, the department is beginning to look at the collection of irises and has a goal to begin collecting iris images and facial biometrics by 2013. (3) DOD's Automated Biometric Identification System (ABIS). Established in July 2004 and managed by the Biometrics Identity Management Agency (BIMA, formerly the Biometric Task Force)--which falls under the purview of the Army--ABIS information is used by DOD to identify and verify non-U.S. persons as friend, foe, or neutral, and to help determine if the individual poses a threat or potential threat to national security. BIMA updated ABIS to the Next Generation ABIS in January 2009, which stores, searches, matches, and shares face, fingerprint, iris, palm, and latent fingerprint biometrics. Several DOD organizations are involved in the management of the biometrics program and in developing guidance on the collection and sharing of biometric information. In July 2000, Congress designated the Secretary of the Army as the Executive Agent for Defense Biometrics. Subsequently, the Secretary of the Army designated the Director of the Army's Biometrics Task Force as the Executive Manager for Biometrics making this office responsible for developing guidance for collecting and processing biometric information. In March 2010, the Biometric Task Force's name was changed and it became the Biometrics Identity Management Agency. Additionally, DOD appointed the Director, Defense Research and Engineering, as the Principal Staff Assistant for Biometrics. In February 2008, DOD issued a biometrics directive identifying organizational roles and authorities for managing biometrics.[Footnote 6] Within DOD, biometric capabilities were initially used in the late 1990s as a tool to protect U.S. forces in Korea, and in Kosovo as an intelligence tool. Since the September 11, 2001, terrorist attacks, DOD's mission has included military operations in both Iraq and Afghanistan--where a biometric system was used to protect U.S. soldiers and allies from an unidentified enemy by screening and vetting non-U.S. persons. DOD collects biometric information from persons seeking access to U.S. installations in Iraq and Afghanistan, detainees, and persons encountered by U.S. forces during military operations. (See figure 1 below.) In January 2007, DOD issued a memorandum stating that DOD would immediately adopt the practice of sharing unclassified DOD biometric information collected from non-U.S. persons[Footnote 7] with other U.S. departments and agencies having a counter-terrorism mission.[Footnote 8] DOD considers the variety of mission-needs for collecting biometric information, such as counterintelligence screening, and detainee management and interrogation, and in business operations, such as base access control to verify Common Access Card credentials, which take place in a combat environment.[Footnote 9] However, DOD's reasons to collect biometric data continuously change as DOD's role evolves wherever military operations are under way; whether in a desert environment fighting insurgents or on the high-seas fighting piracy. Figure 1: DOD Collects Biometric Information from Persons Seeking Access to U.S. Installations in Iraq and Afghanistan and Persons Encountered by U.S. Forces during Military Operations: [Refer to PDF for image: 3 photographs] DOD servicemembers collect biometrics from a non-U.S. engineer for access purposes. DOD servicemembers collect an Iraqi man's biometrics during a mission to prevent smuggling. DOD servicemembers collect biometrics on volunteers in Iraq for security purposes. Source: BIMA (photos). [End of figure] DOD's directive that describes the purpose, scope, policy, and responsibilities for the biometrics program uses terms defined by the National Science and Technology Council Subcommittee on Biometrics Glossary.[Footnote 10] Included in the list of terms and their respective definitions are the following. * Collect--capture biometric and related contextual data from an individual, with or without his or her knowledge. Create and transmit a standardized, high-quality biometric file consisting of a biometric sample and contextual data to a data source for matching. * Match--for the purpose of DOD's Directive on biometrics, the process of accurately identifying or verifying the identity of an individual by comparing a standardized biometric file to an existing source of standardized biometric data. Matching consists of either one to one (verification) or one to many (identification) searches. * Share--exchange standardized biometric files and match results among approved DOD, interagency, and multinational partners in accordance with applicable law and policy. * Store--the process of enrolling, maintaining, and updating biometric files to make available standardized, current biometric information on individuals when and where required. To achieve interoperability, policies and implementation guidance on the collection, storage, and sharing of information should be created to ensure compatible implementation of systems based on standards. Standards are developed by Standards Development Organizations, including the National Institute of Standards and Technology, to provide rules and guidelines to promote interoperability among various systems, including biometric systems. Standards Development Organizations also provide rules and guidelines for testing biometrics and for testing conformance to biometric standards. Standards are generally developed through a consensus process that includes the input of various stakeholders from various sectors such as government, academia, and industry. Federal agencies, such as DOD, adopt standards developed by Standards Development Organizations. For example, DOD used standards recommended by the American National Standards Institute and the National Institute of Standards and Technology as a basis to develop DOD's Electronic Biometric Transmission Specification (DOD EBTS). DOD Has Adopted Biometric Collection Standards to Enhance Interoperability, but Taking Certain Actions Could Better Ensure Adherence to Standards: DOD has adopted standards for collection of biometric information to facilitate sharing of that information with other federal agencies. DOD recognized the importance of such interoperability and directed adherence to internationally accepted biometric standards. Moreover, DOD has applied the standards to some of its collection devices. However, DOD has not applied the adopted standards to the Army's primary handheld collection device used in Iraq and Afghanistan. As a result, DOD is unable to automatically transmit information collected by this device, which is about 13 percent of approximately 4.8 million biometric records maintained by DOD, to federal agencies, such as the FBI. Further, DOD has not taken certain actions that would help ensure its collection devices meet new and updated standards. First, DOD does not have an effective process, procedure, or timeline for implementing updated standards. Second, DOD does not routinely test devices at sufficient levels of detail for conformance to these standards. Third, DOD has not fully defined roles and responsibilities that specify accountability needed to ensure its collection devices meet new or updated standards. DOD Has Adopted Standards to Enhance Interoperability with Other Federal Agencies: DOD adopted a standard--DOD EBTS--to facilitate the collection of biometrics and to enhance interoperability of biometrics collected by DOD with other federal agencies' biometric systems.[Footnote 11] The first version, DOD EBTS version 1.0, was published on August 19, 2005, and the standard has since been updated three times, with the most recent update, DOD EBTS version 2.0, adopted for use by DOD in April 2010.[Footnote 12] (See figure 2 for timeline of DOD's biometric standard.) These DOD standards are based on recommended standards from the American National Standards Institute and the National Institute of Standards and Technology; these standards are also used by the FBI as the basis for its mission-specific requirements.[Footnote 13] The conformance of biometric collection devices to standards promotes their interoperability with biometric systems within DOD and with other federal agencies, though it does not guarantee interoperability. Figure 2: Timeline of DOD's Biometric Standard: [Refer to PDF for image: illustrated timeline] February 2, 2004: DOD’s Chief Information Officer issued a memorandum entitled "DOD Compliance with the Internationally Accepted Standard for Electronic Transmission and Storage of Fingerprint Data from 'Red Force' Personnel." August 19, 2005: The DOD Electronic Biometric Transmission Specification version 1.0 was issued. August 23, 2005: The DOD Electronic Biometric Transmission Specification version 1.1 was issued. November 29, 2005: The U.S. Army’s Chief Information Officer issued a memorandum entitled “Department of Defense Compliance with the Electronic Biometric Transmission Specification.” November 8, 2006: The DOD Electronic Biometric Transmission Specification version 1.2 was issued. February 21, 2008: DOD Undersecretary of Defense for Acquisition, Technology, and Logistics published DOD Directive 8521.01E, “Department of Defense Biometrics.” March 27, 2009: The DOD Electronic Biometric Transmission Specification version 2.0 was issued. Source: GAO analysis of DOD documents. [End of figure] Prior to adopting DOD EBTS in 2005, DOD had recognized the importance of interoperability and directed adherence to internationally accepted biometric standards. According to a February 2004 DOD's Chief Information Officer memorandum on DOD compliance with international standards, standardization and interoperability are important for success in fighting terrorism. Success, the memorandum continued, could be enhanced with systems that communicate and share fingerprint data on "red force" personnel, such as detainees, enemy combatants, and foreign persons of interest as national security threats, with other U.S. government systems.[Footnote 14] Further, DOD's Chief Information Officer directed that all new and upgraded DOD biometric collection devices used to collect certain data[Footnote 15] must conform to the FBI's mission-specific requirement and the devices must be certified as interoperable with the FBI's biometric systems. In November 2005, the Army's Chief Information Officer reiterated the importance of standardization and interoperability of DOD's biometric systems in fighting terrorism and stated that conformance to standards strengthens DOD's abilities to fulfill its missions.[Footnote 16] The memorandum further stated that all new or updated DOD collection devices must meet the DOD EBTS standard and be interoperable with DOD's biometric system ABIS. Consistent with the Army's position on interoperability, the DOD Directive on Biometrics, issued in February 2008, stated that collection and transmission of biometric information shall be controlled through the use of DOD adopted standards to enhance consistency and interoperability of biometric information. [Footnote 17] A 2009 Joint Interoperability report, which reviewed selected biometric systems that interfaced with DOD's ABIS and analyzed data collected by these systems for conformance issues that have an impact on interoperability, stated that several DOD biometric collection devices meet DOD adopted standards.[Footnote 18] For example, the Guardian, Fusion, and Secure Electronic Enrollment Kit for Identification all meet the EBTS standard current at the time of the report, specifically, EBTS version 1.2. DOD Has Not Taken Certain Actions Needed to Help Ensure New and Updated Standards Are Implemented: DOD has not taken certain actions necessary to help ensure that its collection devices adhere to new and updated standards, including not having an effective process, procedure, or timeline for implementing updated standards, not routinely testing collection devices at sufficient levels of detail for conformance to these standards, and not fully defining roles and responsibilities to ensure accountability. For example, a collection device used by the Army to meet an urgent need in 2005 and currently still in use in Iraq and Afghanistan, did not meet the standard current at the time of the 2009 Joint Interoperability report, and according to DOD officials, continues to not adhere to DOD EBTS version 1.2 or the more current version 2.0. As of late 2009, this collection device, known as the Handheld Interagency Identity Detection Equipment or HIIDE, continued to be purchased by DOD. According to DOD officials, DOD continues to use the HIIDE because it meets DOD's mission needs and since it was developed as an urgent mission need for Central Command to collect and authenticate the identity of individuals, it does not have to adhere to DOD's information technology standards. Those standards are included in the DOD Information Technology Standards Registry, the central repository for DOD-approved information technology standards, and are mandated for programs of record for biometric technologies, which are considered permanent capabilities. Therefore urgent needs do not have to adhere to DOD adopted standards. According to information provided by BIMA about the composition of ABIS as of September 2010, the HIIDE device is responsible for the collection of 13 percent of the biometric records in ABIS, the largest number of submissions by a handheld device. Because the HIIDE device does not conform to standards, DOD cannot seamlessly share biometric information from this device with other federal agencies. For example, of the approximately 4.8 million biometric records maintained by DOD, approximately 630,000 HIIDE biometric records cannot be searched automatically against the approximately 94 million biometric records in the FBI's system. Further, if the biometric information collected by the HIIDE is not stored in the FBI IAFIS system, DHS loses the benefit of searching its 119 million biometric records against HIIDE information as well. Both DOD and DHS access FBI's IAFIS in order to share information. Therefore, if FBI does not have access to DOD information, for example, HIIDE biometric records, then neither does DHS when they search against IAFIS. However, according to DHS and DOD officials, DOD manually provides biometric records of individuals on its watch list, which can include HIIDE-collected biometric information. These records are then manually added to DHS's IDENT. Without biometric collection devices that conform to DOD adopted standards, DOD limits its and federal partners' ability to identify potential criminals or terrorists who have biometric records in other federal agency's biometric systems. DOD Does Not Have an Effective Process, Procedure, or Timeline for Implementing Updated Standards: DOD would benefit from establishing or communicating a process, procedure, or timeline for implementing updated standards for biometric collection devices that are in the acquisition process. Although DOD has updated its EBTS standard several times, most recently from DOD EBTS version 1.2 to DOD EBTS version 2.0 in April 2010, it has not established or communicated to biometric stakeholders a process, procedure, or timeline for implementing the updated standard for biometric collection devices that are in the acquisition process. The Standard for Program Management states a program should adhere to technical standards, and should be managed as these technical standards are updated.[Footnote 19] However, DOD did not provide the date that the most recently updated DOD EBTS standard would be mandated in a clear and timely way to ensure that military services responsible for acquiring biometric capabilities could plan to implement the updated standard on collection devices that were already in DOD's acquisition process.[Footnote 20] For example, the Navy's acquisition of a collection device has been disrupted by late and conflicting information about when to conform to the new or updated standard. Prior to the adoption of DOD EBTS 2.0, the Navy, in November 2009, requested that BIMA provide information on which version of the EBTS standard to implement in its collection device that was already in the acquisition process. The Navy specifically requested in a letter that this information be provided by February 26, 2010, prior to major development milestones for the collection device, occurring in March 2010, to ensure that the device would meet the correct version of the standard. However, BIMA did not provide information to the Navy on the effective date of the updated standard or which version of the standard to implement in the device until a month after the device had reached the development milestones. In addition, DOD provided contradicting information to the Navy. On April 2, 2010, BIMA recommended the Navy use DOD EBTS version 1.2 for the standard for the collection device, but on the same day, the new DOD EBTS version 2.0 standard was adopted through the DOD Information Technology Standards Registry, the central repository for DOD-approved information technology standards, as the biometric standard for use in all collection devices. According to BIMA, additional guidance was not necessary for the current update to the DOD EBTS 2.0 standard because biometric stakeholders knew about the update since DOD EBTS version 2.0 was an emerging standard. BIMA also stated that emerging standards are provided to help military services plan for updates to DOD adopted standards, and an emerging standard should become a DOD adopted standard within 3 years. However, without timely guidance that documents and communicates a process, procedure, or timeline for updating biometric capabilities from one version of a standard to another, the military services may continue to lack accurate information that is necessary to implement new or updated standards during the acquisition process. Specifically, military services may not have information on when an emerging DOD standard will become mandated[Footnote 21] within the 3-year time frame, but must ensure that collection devices being developed conform to the DOD mandated standard, not the emerging standard. The Army established the Biometrics Standards Working Group based on the 2008 biometric directive that, among other activities, it should provide guidance for consistent standards implementation, however, the 2009 DOD joint interoperability assessment found that DOD lacked a process beyond the Working Group to address the impact of changes to the DOD adopted standards. Further, absent such a process, procedure, or timeline to manage the update to new standards, the military services may also face increased costs in developing biometric collection devices when time frames for the update of standards are not documented or managed. Service officials said that the Navy's collection device would have to be updated to the new version of EBTS at the next major development milestone, incurring an additional cost for the development of the collection device. Navy officials estimate that the service will incur $3.4 million in additional costs because of the delay. DOD Does Not Routinely Test Devices at Sufficient Levels of Detail for Conformance to These Standards: DOD tests collection devices for conformance to adopted standards, but testing efforts have not always been at a sufficient level of detail or integrated to facilitate interoperability across DOD and federal agencies.[Footnote 22] The National Science & Technology Council's policy for enabling the development, adoption, and use of biometric standards acknowledges that the capability to share biometric information will be dependent on rigorous conformance testing. [Footnote 23] BIMA conducts standards conformance testing to evaluate conformance of collection devices to DOD adopted standards, but the 2009 joint interoperability assessment found that conformance testing efforts have not been integrated and formalized into the biometric enterprise's processes and procedures that are necessary to facilitate interoperability across DOD and with interagency partners. In addition, a BIMA official told us that the conformance testing done at BIMA is not sufficiently detailed to ensure that collection devices conform to DOD adopted standards. Since certain DOD collection devices were acquired to meet urgent needs, DOD may have relied on vendors to provide devices that purport to, but may not, conform to DOD adopted standards. Without an integrated and formalized process for sufficiently detailed conformance testing, DOD has no mechanism to hold vendors accountable for ensuring that biometric collection devices meet DOD adopted standards. DOD issued a biometrics program directive in February 2008, and a companion draft instruction could provide some guidelines, including on the testing of biometric collection devices for conformance to standards and interoperability.[Footnote 24] Based on our review of the draft instruction though, it is unclear that it will provide guidance on a process that holds DOD biometric stakeholders accountable for collection devices that conform to standards. Without a process that ensures collection devices are tested at a sufficiently detailed level to conform to DOD adopted standards and that holds DOD biometric stakeholders accountable for device conformance, DOD limits its ability to collect biometric information that is interoperable with other federal agency systems. DOD Has Not Fully Defined Roles and Responsibilities Specifying Accountability Needed to Ensure Its Collection Devices Meet New and Updated Standards: DOD has a biometric program directive, but could more fully define the roles and responsibilities of DOD entities with the intention of instilling accountability for ensuring its collection devices meet new or updated standards. The Office of Management and Budget guidance on establishing internal controls emphasizes that agencies should ensure accountability for results, and our work on internal controls states that defined roles and responsibilities are needed to achieve an organization's mission.[Footnote 25] DOD's February 2008 biometric program directive assigned some roles and responsibilities to DOD biometric stakeholders, such as designating the Office of the Director for Defense, Research and Engineering, as the Principal Staff Assistant responsible for oversight of DOD biometrics programs and policies.[Footnote 26] However, based on our review of the directive and according to agency officials, DOD has not fully clarified the differing responsibilities that each DOD biometric stakeholder has in ensuring that collection devices conform to adopted standards. In addition, according to DOD officials, DOD has not clarified roles and responsibilities for DOD biometrics and this has caused confusion related to overlapping responsibilities and accountability within Army entities, such as whether BIMA can send requirements for acquiring biometrics capabilities directly to the program manager or whether such requirements should be provided by Army officers and staff responsible for operational requirements. The Office of Management and Budget's guidance on establishing internal controls emphasizes that agencies should design management structures for programs to help ensure accountability for results.[Footnote 27] Moreover, GAO's Standards for Internal Control in Federal Government states that management structures should establish and document roles and responsibilities needed to achieve an organization's mission and objectives, and that such documentation should be approved, current, and binding on all appropriate stakeholders.[Footnote 28] DOD recognized that further guidance may be needed to implement the biometrics directive and began developing a draft instruction that would clarify the roles and responsibilities of DOD biometric stakeholders. However, the instruction has been in draft since 2008, and continues to be in draft as of February 2011. A DOD official told us that the instruction is being updated to include a larger oversight role for the Office of the Director for Defense, Research and Engineering, especially for oversight of the Army's role as DOD's biometrics Executive Agent. It is not clear that DOD's draft instruction, when completed, will improve stakeholders' understanding of roles and responsibilities for DOD biometric activities. For example, with the March 2010 DOD change of the Biometrics Task Force to BIMA it is unclear if the new instruction would include redefined roles and responsibilities associated with BIMA. DOD officials told us that the only documentation they received about the change of the Biometrics Task Force to BIMA was a memorandum in March 2010 that simply stated the name change, but contained no additional information on roles and responsibilities. Further, DOD documents that could provide some clarity to roles and responsibilities by assigning specific actions to DOD biometric stakeholders have not been updated to reflect the change, such as the Biometric Enterprise Strategic Plan 2008-2015 and the corresponding Implementation Plan. According to BIMA officials, both the Biometric Enterprise Strategic Plan and its corresponding Implementation Plan are currently being revised. DOD has an opportunity to further clarify roles and responsibilities through its implementing instruction to help ensure that collection devices are interoperable with other federal agencies. DOD Is Sharing Biometric Information but Sharing Is Limited by the Absence of an Agreement with DHS and DOD's System Capacity: DOD is sharing its biometric information and has an agreement to share biometric information with DOJ, which allows for direct connectivity and the automated sharing of biometric information between their biometric systems. However, DOD's ability to optimize sharing is limited by not having a finalized sharing agreement with DHS,[Footnote 29] and its capacity to process biometric information. Currently, DOD and DHS do not have a finalized agreement in place to allow direct connectivity between their biometric systems, due to the need for additional reviews of the proposed agreement by certain DHS officials, among others. DOD is working with DHS to develop a memorandum of understanding to share biometric information now scheduled for completion in May 2011; however, without the agreement, it is unclear whether direct connectivity will be established between DOD and DHS, which affects response times to search queries. In addition, agencies' biometric systems have varying system capacities based on their mission needs, which affects their ability to similarly process each other's queries for biometric information. Moreover, the advancements other agencies make in their biometric systems may continue to overwhelm DOD's efforts as it works to identify its long-term biometric system capability needs and associated costs. DOD Has an Agreement with DOJ, Which Allows for Direct Connectivity and Automated Sharing of Biometric Information: DOD is sharing its biometric information and has an agreement to share biometric information with DOJ, which allows for direct connectivity and the automated sharing of biometric information between their biometric systems. DOD and the FBI (a component of DOJ) have an agreement in place that allows for direct connectivity and the automated sharing of unclassified biometric information between their biometric systems. Until DOD and DHS establish direct connectivity between their two biometric systems, they have the option to use the FBI's biometric system as an indirect link to share limited biometric information (see figure 3 below).[Footnote 30] Additionally, as mentioned earlier, according to DOD and DHS officials, DOD manually provides DHS with biometric records on watch listed individuals. In support of national directives and laws directing federal agencies to share information, the DOD directive on biometrics directs the development of interagency agreements for biometrics activities, as appropriate, to maximize effectiveness. According to officials from the Office of the Under Secretary of Defense for Policy,[Footnote 31] in 2003 the FBI formally requested that DOD share biometric information, and from that point, the agencies established data sharing with each other. DOD and the FBI finalized the memorandum of understanding in 2009 to provide for the sharing of, among other things, unclassified biometric information, as part of the agencies' efforts to comply with the National Security Presidential Directive- 59/Homeland Security Presidential Directive-24. As part of the memorandum, DOD and the FBI agree to share their biometric information with each other in a timely manner when their respective missions require access to such data. Figure 3: Current Biometric Information-Sharing Connectivity between DOD, DOJ/FBI, and DHS/State: [Refer to PDF for image: illustration] Automated Biometric Identification System (ABIS): Department of Defense: Stores biometrics from: * Foreign nationals requesting access to U.S. installations overseas; * Latent prints from improvised explosive devices and other hostile actions; * Enemy combatants; * Detainees. Connectivity with: Integrated Automated Fingerprint Identification System (IAFIS): Department of Justice/Federal Bureau of Investigation: Stores biometrics from: * Arrested individuals; * Criminals and criminal history; * Latent prints from crime scenes. FBI’s system serves as a pass through for ABIS and IDENT matches. Connectivity with: Automated Biometric Identification System (IDENT): Department of Homeland Security/Department of State: Stores biometrics from: * Visa applicants; * Visitors to the U.S. * Illegal border crossers; * Immigration violators; * Lawful permanent residents; * Applications for naturalization; * Refugees, asylees. Source: GAO analysis of information provided by DOD. [End of figure] In addition to DOD and the FBI's agreement to share biometric information, DHS, State, and DOJ have agreements in place that allow for direct connectivity and the automated sharing of biometric information among their biometric systems--capabilities that support the collection, storage, use, and sharing of biometric data. Specifically, DHS and State established a memorandum of understanding in 2005 to facilitate interagency cooperation and sharing of, among other things, biometric information on visa applicants and biometric information stored on DHS's biometric system, to enhance border security and facilitate legitimate travel.[Footnote 32] State uses DHS's biometric system for storing and sharing copies of their biometric information.[Footnote 33] Additionally, DHS, DOJ, and State established a memorandum of understanding in July 2008 to improve information sharing among the three agencies for the purposes of such missions as national security, law enforcement, immigration, and border management.[Footnote 34] The July 2008 memorandum included an agreement to share, among other things, biometric information through interoperability between the agencies' biometric systems. According to FBI officials, the FBI initiated the interoperability agreement in 2005 to exchange biometric information between DOJ's and DHS's biometric systems and gained access to DHS's full biometric system in 2008. However, according to DHS officials, initial sharing of DHS high priority biometric information with DOJ's biometric system began in 2006, such as information on individuals expedited for removal and those denied visas. DOD Does Not Have an Agreement with DHS or with State, Which Limits Its Ability to Efficiently Share Biometric Information: DOD and DHS currently do not have an agreement in place that allows for direct connectivity between their biometric systems; however, DOD is currently in the process of working with DHS to develop a memorandum of agreement to share biometric information. DOD also does not have an agreement in place to directly share information with State; however, according to DOD officials, State sharing requirements will be covered in the agreement between DOD and DHS.[Footnote 35] According to the draft memorandum, the intent of the document is to formalize the ongoing relationship between DOD and DHS and to clarify their commitment to permitting the maximum amount of biometric information sharing permitted by law. Among other delays, in July 2010, DOD officials informed us that the draft memorandum was undergoing a subsequent review at DHS because some individuals at DHS had been inadvertently left off the initial review. As of January 2011, DOD and DHS have not signed an agreement that allows for direct connectivity between their biometric systems. We reported in 2008 that DHS officials acknowledged that establishing a sharing agreement with DOD would increase sharing of biometric information between the agencies and close any gaps.[Footnote 36] According to DHS officials, having such an agreement in place would allow DOD and DHS to access each other's biometric systems when needed for reasons such as detainee screening and airport passenger screening. Direct access would reduce response times to search queries because currently DOD and DHS biometric systems do not have direct connectivity and therefore do not have automated search capabilities so the response times vary. We recognize that developing an agreement to share information takes time; for example, it took over 5 years to develop the memorandum of understanding between DOD and the FBI. DOD and DHS officials stated they had hoped to have the memorandum completed by the end of 2010; however, as of January 2011 the agreement had not yet been completed. Several dates of completion and reasons for delay of the memorandum between DOD and DHS were provided to us by DOD officials throughout our review. In December 2010, DOD anticipated completing a signed agreement with DHS no later than May 31, 2011. According to DOD and DHS officials, some sharing of information is occurring between DOD, DHS, and State, even though DOD and DHS do not have a finalized sharing agreement. We reported in 2008 that DOD and DHS had not established direct connectivity between their two biometric systems and relied on the FBI's biometric system as an indirect link between DOD and DHS. At the time, while limited occasional sharing of DOD and DHS biometrics occurred, it did not happen on a regular basis. According to DOD, DHS, and FBI officials, the indirect sharing arrangement through the FBI's biometric system is still in place, as shown in figure 3. The FBI maintains an Interim Data Sharing Model, which consists of two parts--the FBI provides a set of data to DHS for DHS stakeholders to access and DHS provides a set of data to the FBI for FBI stakeholders to access, to include DOD, which includes biometric information on individuals with expedited removals and individuals who were denied visas. Furthermore, the FBI retains on its IAFIS some biometric information from DOD on non-U.S. persons, such as those who have criminal records, which allows DHS and State to access limited information from DOD through the FBI biometric system. However, both DOD and FBI officials noted that the FBI may be terminating its Interim Data Sharing Model as the FBI transitions to its new biometric system. In March 2011, FBI officials reported that DOD searches of the portion of the Interim Data Sharing Model containing information on expedited removals and individuals who were denied visas were discontinued on January 20, 2011. However, FBI's IAFIS will continue to facilitate searches of DHS information for DOD until a direct connection has been established between DHS and DOD's biometric systems, according to FBI officials. Since we reported in 2008, DOD and DHS have established a manual process for sharing information on at least a daily basis--once every 24 hours--through the use of a secured Web site. DOD manually inputs to this web site copies of critical DOD biometric information that DHS can manually access to place onto its own biometric system. The State Department can access this information once it is stored on DHS's biometric system. However, DHS and State may not be able to take immediate action should they have a query prior to DOD's once-a-day update. In addition, as noted in our 2008 report,[Footnote 37] if DHS and State do not have access to DOD biometric information on individuals trying to enter the United States, then they may not be able to determine whether those individuals should be denied entry, and potential harm could come to U.S. interests from individuals inadvertently allowed into the United States. Officials from DOD, DHS, and the FBI have discussed the goal for direct connectivity among their biometric systems to better enable automated sharing of biometric information (see figure 4). However, as noted earlier, without a finalized agreement between DOD and DHS, it remains unclear when or whether direct connectivity will be established between DOD's and DHS's biometric systems. Figure 4: Desired Biometric Information-Sharing Connectivity between DOD, DOJ/FBI, and DHS/State: [Refer to PDF for image: illustration] Each system is connected to all others: Automated Biometric Identification System (ABIS): Department of Defense: Stores biometrics from: * Foreign nationals requesting access to U.S. installations overseas; * Latent prints from improvised explosive devices and other hostile actions; * Enemy combatants; * Detainees. Connectivity with: Integrated Automated Fingerprint Identification System (IAFIS): Department of Justice/Federal Bureau of Investigation: Stores biometrics from: * Arrested individuals; * Criminals and criminal history; * Latent prints from crime scenes. FBI’s system serves as a pass through for ABIS and IDENT matches. Connectivity with: Automated Biometric Identification System (IDENT): Department of Homeland Security/Department of State: Stores biometrics from: * Visa applicants; * Visitors to the U.S. * Illegal border crossers; * Immigration violators; * Lawful permanent residents; * Applications for naturalization; * Refugees, asylees. Connectivity with: Automated Biometric Identification System (ABIS): Department of Defense. Source: GAO analysis of information provided by DOD. [End of figure] DOD's Biometric System Is Limited in Meeting Demands from Key Federal Agencies' Biometric Systems: To enable agencies to meet the demand for searching stored biometric information on their systems, agencies' biometric systems have varying system capacities based on their mission needs, which affects their ability to similarly process each other's queries for biometric information. As noted previously, the FBI's IAFIS is a national fingerprint and criminal history system, while DHS's IDENT is used for many purposes, including border security and visa and naturalization processing. DOD's Next Generation ABIS is used to identify and verify non-U.S. persons and helps determine if the individual poses a threat or potential threat to national security. DOD's Next Generation ABIS is currently capable of handling 8,000 transactions per day. In contrast, according to FBI officials, the FBI's IAFIS system currently performs over 100,000 to 200,000 search queries a day, while DHS manages over 160,000 search queries a day, according to DHS officials. DOD has plans to increase the capacity to 22,000 transactions per day in the third quarter of fiscal year 2011 and upgrades to later bring capacity up to 45,000 transactions per day, according to DOD officials. DOD officials do not believe that they need to match other agencies' biometric system capacities because they do not anticipate receiving the same number of queries given differences in mission. However, DOD and other agency officials have expressed concern that DOD's biometric system is limited in its ability to maximize sharing of biometric information. The FBI has reported that DOD is currently meeting their needs by supporting a capacity of 3,000-4,000 transactions per day, for which the FBI could query DOD's Next Generation ABIS to search against. However, FBI officials told us that they are concerned with DOD's capacity as the Next Generation ABIS is not capable of handling all of the queries that the FBI receives. FBI officials noted that DOD does not want the FBI to send every search query it receives through DOD's biometric system. At this time, the FBI and DOD are working to target and define a set of search queries for the FBI to send through Next Generation ABIS, according to FBI officials. However, a maximum transaction capacity has not yet been set for FBI submissions to DOD. Additionally, DHS officials believe DOD will need more capacity to handle search queries in order for direct interoperability between DOD and DHS to occur. DHS reported in November 2010 that when it establishes direct interconnectivity with DOD, DHS plans to send 13,000 search queries in 2011 and 14,000 search queries in 2012 to DOD's Next Generation ABIS for searching per day. DHS noted in January 2011 that transaction volumes for search queries from DHS to DOD's biometric system are currently in flux and have not been finalized. However, DOD officials have acknowledged that their current system's transaction capacity is limited for sharing because the number of queries from other federal agencies currently exceeds their biometric system capacity of 8,000 transactions per day. The advancements other agencies continue to make in their biometric systems may overwhelm DOD's efforts as it works to identify its long- term biometric system capability needs and associated costs. At the same time that DOD carries out these expansion efforts, other agencies continue to make advancements in their biometric systems and will continue to do so in the future for various reasons, including the addition of new technology and biometric modalities as emerging technologies and modalities are identified and matured. For example, as previously mentioned, DHS is considering iris and facial biometrics for future incorporation into its biometric system. In addition, the FBI is moving to an enhanced biometric system that will incorporate scars, marks, tattoos, face, iris, and palm biometrics. Such agency biometric system advancements could exceed DOD's biometric system's capability to respond. In light of this, DOD may not be able to facilitate sharing of biometric information across federal agencies in a timely and efficient manner, in accordance with DOD policies. Specifically, DOD's biometric directive requires that biometric systems be interoperable with other identity management capabilities and systems both internal and external to DOD, to maximize effectiveness, as well as information-sharing efforts.[Footnote 38] Furthermore, DOD's biometrics strategic plan outlines as a primary objective that DOD operate and maintain biometric systems that enable sharing with other biometric systems as part of DOD's goal to meet the warfighters' needs in a timely manner.[Footnote 39] Conclusions: National security challenges from multiple sources continue to increase, therefore making it critical that federal agencies find effective ways to collaborate and share information--particularly biometric information--on those who would threaten the United States. DOD has taken steps to adopt biometric standards that could improve the quality of biometric information collected and has increased its efforts to share biometric information with key federal agencies. However, DOD could take certain actions to help improve its ability to collect and share biometric information with other federal agencies. For example, DOD has adopted standards for the collection of biometrics to enhance interoperability with other key federal agencies' biometric systems, but at least one DOD device responsible for the collection of over 600,000 biometric records, does not meet DOD adopted standards, such as a handheld biometric collection device used by the Army. DOD can take steps to improve conformance to DOD adopted standards with a process for implementing updated standards for biometric collection devices that are in the acquisition process, more sufficient testing of devices for conformance to adopted standards to better facilitate interoperability with federal agencies, and more fully defining the roles and responsibilities of DOD entities to ensure its collection devices meet DOD adopted standards. Without these steps, DOD limits its ability to identify potential criminals or terrorists who have biometric records in other federal agency's biometric systems, and may result in the military services incurring delays and additional costs if they find they have acquired a device that is no longer acceptable to DOD. In addition, DOD has agreements in place with key federal agencies such as DOJ to help facilitate direct connectivity between their biometric systems, but it has not finalized an agreement with DHS and by extension the State Department. This has an impact on timely interoperability. Finally, the varying system capacities at these key federal agencies exceeds that of DOD to the extent that agencies have expressed concern that DOD's biometric system may be unable to meet the search demands from their own biometric systems within useful response time frames. Without efforts to address these issues, the quality and process of collecting and sharing biometrics may continue to limit DOD's ability to identify potential criminals or terrorists who have biometric records in other federal agency's biometric systems in a timely manner, and ultimately these challenges to interoperability may place U.S. national security at greater risk. Recommendations for Executive Action: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, we recommend that the Secretary of Defense direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, to take the following five actions in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force: * Implement a process for updating collection devices to adopted standards to help ensure that all DOD systems related to biometrics, including collection devices, conform to adopted standards. * Implement a process for testing collection devices at a sufficiently detailed level to help ensure that all DOD systems related to biometrics, including collection devices, conform to adopted standards. * More fully define and further clarify the roles and responsibilities needed to achieve DOD's biometric program and objectives for all stakeholders that include ensuring collection devices conform to adopted standards. * Complete the memorandum of agreement with the Department of Homeland Security regarding the sharing of biometric information as appropriate and consistent with U.S. laws and regulations and international agreements, as well as information-sharing environment efforts. * Identify its long-term biometric system capability needs, including the technological capacity and associated costs needed to support both the warfighter and to facilitate sharing of biometric information across federal agencies, and take steps to meet those capability needs, as appropriate and consistent with U.S. laws and regulations, international agreements, and available resources. Agency Comments and Our Evaluation: In written comments on a draft of this report, DOD agreed with all of our recommendations. DOD's comments appear in their entirety in appendix III. DHS DOJ, State, and the Department of Commerce/National Institute of Standards and Technology also reviewed a draft of this report. We received technical comments from DHS and DOJ, which we have incorporated as appropriate. DOD agreed with our recommendation to implement a process for updating collection devices to adopted standards to help ensure that all DOD systems related to biometrics, including collection devices, conform to adopted standards. In its response, DOD noted that the legacy HIIDE devices are near the end of their service life and are being retired. DOD intends to procure an updated handheld device compliant with the mandated data standard to replace the HIIDE, which was EBTS 1.2 at the time the solicitation was developed and published, and as required by DOD Directive 8521.01E for all new acquisitions. DOD expects to award this contract in April 2011, with fielding in August 2011. DOD further stated that DOD's Biometrics Standards Conformity Assessment Test Program plans to verify compliance of the updated handheld devices before deployment, and DOD plans additional engineering efforts to update devices to the recently adopted EBTS 2.0 standard to ensure compatibility with interagency partners. DOD agreed with our recommendation to implement a process for testing collection devices at a sufficiently detailed level to help ensure that all DOD systems related to biometrics, including collection devices, conform to adopted standards. In its response, DOD stated that it has established a Biometrics Standards Conformity Assessment Test Program, accredited in January 2011 as part of the National Institute of Standards and Technology's (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) for biometric testing. Relevant tests include conformance tests to DOD EBTS and FBI Electronic Fingerprint Transmission Specification, as well as evaluations and assessments of biometric-enabled devices and systems that interoperate with the authoritative biometrics database and other repositories of biometric data. DOD added that the current DODD 8521.01E already requires such compliance testing for new biometrics acquisitions, but DOD noted and we agree that the directive does not fully address quick reaction capabilities such as the HIIDE. DOD further added that it plans to work with the FBI to develop a co- sharing arrangement to leverage existing standards compliance testing at the FBI Biometric Center of Excellence to strengthen interagency interoperability. DOD stated that it plans to include these requirements in the biometric DOD directive no later than September 2011. We agree that incorporating into the biometric DOD directive the requirements of conformance testing of biometric systems through the newly established Biometrics Standards Conformity Assessment Test Program, conformance testing for all biometric devices, and co-sharing arrangements with FBI Biometric Center of Excellence would be beneficial. DOD agreed with our recommendation to more fully define and further clarify the roles and responsibilities needed to achieve DOD's biometric program and objectives for all stakeholders that include ensuring collection devices conform to adopted standards. In its response, DOD indicated that it is updating DOD Directive 8521.01E "Defense Biometrics," which establishes policy, assigns responsibilities, and describes procedures for DOD biometrics. DOD further noted that the update to the DOD biometrics directive will more fully define and clarify the roles and responsibilities of biometrics stakeholders, including responsibilities for testing collection devices for compliance with adopted standards. According to DOD, the biometric directive will be completed by September 2011. DOD agreed with our recommendation to complete the memorandum of agreement with the Department of Homeland Security regarding the sharing of biometric information as appropriate and consistent with U.S. laws and regulations and international agreements, as well as information-sharing environment efforts. On February 14, 2011, we provided DOD a draft of this report for review and comment. In response to our draft recommendation, and while the report was under review, DOD finalized an agreement with DHS regarding biometric sharing on March 3, 2011. DOD agreed with our recommendation to identify its long-term biometric system capability needs, including the technological capacity and associated costs needed to support both the warfighter and to facilitate sharing of biometric information across federal agencies, and take steps to meet those capability needs, as appropriate and consistent with U.S. laws and regulations, international agreements, and available resources. In its response, DOD noted that ABIS is currently meeting all the sharing transactions required by DHS and FBI, and DOD has expansion plans in place to increase ABIS's capability to over 40,000 daily transactions, which according to DOD will continue to meet the 14,000 daily biometrics transaction rate articulated by DHS for 2012. Further, DOD stated that it continues to work closely with the interagency Interoperability Executive Steering Committee to ensure DOD has visibility as new interagency requirements coalesce, and can modify ABIS expansion plans to be responsive to our interagency sharing responsibilities. According to DOD, it expects to have an updated ABIS sizing plan to support the projected future DOD and interagency transaction requirements by July 2011. As agreed with your office, unless you publicly announce its contents earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to the appropriate congressional committees; the Secretary of Defense; the Secretary of State; the Attorney General; Secretary of Commerce; the Secretary of Homeland Security, and other interested parties. In addition, the report will be available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. If you or your staff has any questions about this report, please contact me at (202) 512-5431 or at dagostinod@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be founds on the last page of this report. Key contributors to this report are listed in appendix IV. Signed by: Davi M. D'Agostino: Director: Defense Capabilities and Management: List of Requesters: The Honorable Adam Smith: Ranking Member: Committee on Armed Services: House of Representatives: The Honorable W. "Mac" Thornberry: Chairman: Subcommittee on Emerging Threats and Capabilities: Committee on Armed Services: House of Representatives: The Honorable Jim Langevin: Ranking Member: Subcommittee on Emerging Threats and Capabilities: Committee on Armed Services: House of Representatives: The Honorable Jeff Miller: House of Representatives: [End of section] Appendix I: Scope and Methodology: This report addresses the extent to which DOD (1) adopted standards and has taken actions to facilitate the collection of biometrics that are interoperable with other key federal agencies, and (2) shares biometric information across key federal agencies. Scope and Methodology: To address our objectives, we reviewed prior GAO reports related to the collection, storage, use, sharing, and management of biometric information and interagency sharing of information for national security purposes. We also analyzed a number of Presidential Directives, Executive Orders and Memorandums, and laws that affect the collection and sharing of biometric and biographic information. For example, we analyzed the National Security Presidential Directive-59/ Homeland Security Presidential Directive-24 and the companion action plan for Biometrics for Identification and Screening to Enhance National Security, which establish a framework to ensure that federal executive departments and agencies use compatible methods and procedures for the collection and sharing of identity information across federal departments and agencies. In addition, we reviewed national strategies focused on information sharing and national security to gain an understanding of how biometrics collection and sharing plays a part in achieving national goals of gathering and sharing information to protect the United States. We contacted and obtained information from officials and entities associated with the collection, storage, use, and sharing of biometric information across the Department of Defense (DOD), as well as other key federal agencies,[Footnote 40] including the Department of Justice (DOJ)/Federal Bureau of Investigation (FBI), Department of State (State), and the Department of Homeland Security (DHS). Further, we conducted an interview with officials of the National Science and Technology Council to determine the role and interests that the White House has in biometrics.[Footnote 41] We conducted site visits to a selection of facilities that analyze, store, and share biometric information, including the Army's National Ground Intelligence Center, in Charlottesville, Virginia; the Army's Biometric Identity Management Agency; and the FBI's Criminal Justice Information Services complex, both located in Clarksburg, West Virginia; to discuss the use of applicable standards, federal agency biometric systems interoperability, and to gain perspective on the sharing of biometric information between federal agencies. We met with U.S. Central Command and U.S. Special Operations Command officials to obtain their views on how these two combatant commands had operationalized the collection of biometric information. More detailed information on the federal agencies and officials we obtained information from on the collection, use, storage, and sharing of biometric information during our review appears below in table 1. Table 1: Agencies Where GAO Obtained Documentary Evidence and Officials' Views on the Collection, Use, Storage, and Sharing of Biometric Information: Federal agency: Executive Office of the President; Entities visited or contacted during our review: * Office of Science and Technology Policy, National Science and Technology Council, Committee on Technology, Subcommittee on Biometrics and Identity Management. Federal agency: Department of Commerce; Entities visited or contacted during our review: * National Institute of Standards and Technology. Federal agency: Department of Defense; Entities visited or contacted during our review: * Under Secretary of Defense for Acquisitions, Technology, and Logistics; Director, Defense Research and Engineering; * Assistant Secretary of Defense for Networks and Information Integration; * Under Secretary of Defense for Policy; * Department of the Army, Biometric Identity Management Agency; * Department of the Army, National Ground Intelligence Center; * Headquarters, Department of the Army, G-3/5/7, Capability Integration Division; * Department of the Army, Program Executive Office, Enterprise Information Systems, Program Manager, Biometrics; * Department of the Air Force, Office of the Secretary of the Air Force, Communications Directorate; * United States Marine Corps, Plans, Policies & Operations; * Department of the Navy, Deputy Assistant Secretary of the Navy, Expeditionary Warfare; * U.S. Africa Command; * U.S. Central Command; * U.S. European Command; * U.S. Northern Command; * U.S. Pacific Command; * U.S. Special Operations Command; * U.S. Southern Command. Federal agency: Department of Homeland Security; Entities visited or contacted during our review: * United States Visitor and Immigrant Status Indicator Technology Office; * Immigration and Customs Enforcement; * Customs and Border Protection; * Screening and Coordination Office; * U.S. Coast Guard. Federal agency: Department of Justice; Entities visited or contacted during our review: * Federal Bureau of Investigation, Criminal Justice Information Services; * Office of the Deputy Attorney General. Federal agency: Department of State; Entities visited or contacted during our review: * Consular Affairs. Source: GAO. [End of table] To determine the extent to which DOD adopted standards and has taken actions to facilitate the collection of biometrics that are interoperable with other key federal agencies, we interviewed DOD officials and reviewed key DOD memoranda, directives, and guidance, such as the DOD Directive on Biometrics. In addition, we interviewed officials from DHS, State, and DOJ/FBI to gain their perspective on the collection and sharing of comparable biometric information among federal agencies. We reviewed national standards and requirements for the electronic formatting of biometric information to see whether key federal agencies follow a common set of standards for the collection of biometric information. For example, we reviewed DOD's Electronic Biometric Transmission Specification, which is based on recommended standards from the American National Standards Institute and the National Institute of Standards and Technology. We interviewed officials from the National Institute for Standards and Technology in order to obtain their perspective on the use of standards for the consistent collection of biometric information and how these standards are adopted by federal agencies to help ensure interoperability of the devices used to collect biometric information. We reviewed a DOD interoperability assessment report of its Automated Biometric Identification System and Army evaluations of the Handheld Interagency Identity Detection Equipment to identify DOD's interoperability and conformance to standards within these systems. We did not evaluate the technical performance of collection devices used to gather identity information. We discussed with federal agency officials the potential impact of collection devices and systems that do not conform to adopted standards on their ability to collect comparable biometric information. In addition, we reviewed key DOD biometric documentation to determine DOD management practices related to the collection of biometrics and interviewed key officials from DOD responsible for the management of the collection of biometrics. (See above table 1). Specifically, using criteria on internal control and program management from the Office of Management and Budget and the Project Management Institute's The Standard for Program Management, we analyzed DOD guidance on the collection of biometrics to determine whether any internal control or program management weakness may reduce its ability to collect biometric information and meet biometric mission objectives. To gather the perspective of DOD biometric program management, we interviewed DOD biometric stakeholders such as the military services, Biometric Identity Management Agency, and combatant commands. In addition, we interviewed agency officials from the FBI and DHS to gather their perspectives on DOD's management practices related to the collection of biometrics. To determine the extent to which biometric information is shared and has the system capacity needed to facilitate biometric sharing across key federal agencies, including DOD, we interviewed officials from DOD, DHS, State, and the FBI on the policies, governance processes, and systems in place for sharing biometric information--DOD's Automated Biometric Identification System (ABIS), DHS's Automated Biometric Identification System (IDENT), and the FBI's Integrated Automated Fingerprint Identification System (IAFIS). We analyzed the formal and draft agreements for sharing biometric information between agencies to better understand the scope of the biometric information shared, as well as any limitations, and the degree to which they help facilitate direct connectivity between the biometric systems to promote automated sharing.[Footnote 42] In addition, we collected and reviewed federal policies, guidance, and other documentation that covered the sharing of biometric information and the current and planned systems that support biometric information sharing. For example, we reviewed DHS's IDENT Data Response Sharing Policy, which reinforces the DHS agreement with State and DOJ/FBI on sharing biometric information. We reviewed information provided by the FBI on IAFIS and their planned changes to the Next Generation Identification system that would expand their biometric capabilities from fingerprints to include the collection, matching, storage, and sharing of other biometrics such as facial and iris images. In order to confirm information provided by agency officials in interviews on the three primary biometric systems, we developed a structured questionnaire that was pre-tested and provided to key agency officials responsible for each of the three biometric systems. We conducted this performance audit from December 2009 through March 2011, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Funding for DOD's Biometric Program: Based on the figures provided by DOD as of November 2010, about $3.5 billion has been or will be spent to fund its biometrics programs from fiscal year 2007 through fiscal year 2015. DOD reports that almost two- thirds of the funding for its biometric program from fiscal year 2007 through fiscal year 2015 is drawn from the supplemental budget, which is in excess of DOD's base defense budget. Specifically, DOD reports that for fiscal years 2007 through 2011, supplemental funding accounts for over $2.0 billion for DOD's biometric programs with less than $500 million from defense base funding (see table 2). Table 2: Biometric Program Funding, Fiscal Year 2007 through Fiscal Year 2011: Funding type (in millions): Base; FY 2007: $29.1; FY 2008: $52.0; FY 2009: $87.8; FY 2010: $134.3; FY 2011: $163.7; Total funding FY 2007 through FY 2011: $466.9. Funding type (in millions): Supplemental; FY 2007: $347.7; FY 2008: $442.3; FY 2009: $499.2; FY 2010: $528.7; FY 2011: $606.0; Total funding FY 2007 through FY 2011: $2,423.9. Funding type (in millions): Total; FY 2007: $376.8; FY 2008: $494.3; FY 2009: $587.0; FY 2010: $663.0; FY 2011: $769.7; Total funding FY 2007 through FY 2011: $2,890.8. Source: GAO analysis of DOD documentation. Note: This table reflects budget information provided as of November 2010 for DOD's biometrics program. [End of table] In contrast, in fiscal years 2012 through 2015 DOD is estimating base funding at more than $600 million, with no funding from supplements (see table 3). The change in funding, from supplemental support to base funding, is due in part to efforts to make a permanent program of record of DOD's biometric systems. DOD has begun to establish a more formal biometric program by identifying the requirements needed by the warfighter, assessing gaps in warfighting capabilities, and recommending solutions to resolve those gaps. DOD officials explain that as biometric technologies and systems become programs of records, funding should be built into base defense funding, rather than supplemental funding. Table 3: Biometric Program Funding Fiscal Year 2012 through Fiscal Year 2015: Funding type (in millions): Base; FY 2012: $149.9; FY 2013: $178.2; FY 2014: $161.9; FY 2015: $175.9; Total funding FY 2012 through FY 2015: $665.9. Funding type (in millions): Supplemental; FY 2012: 0.0; FY 2013: 0.0; FY 2014: 0.0; FY 2015: 0.0; Total funding FY 2012 through FY 2015: 0.0. Funding type (in millions): Total; FY 2012: $149.9; FY 2013: $178.2; FY 2014: $161.9; FY 2015: $175.9; Total funding FY 2012 through FY 2015: $665.9. Source: GAO analysis of DOD documentation. Note: This table reflects budget information provided as of November 2010 for DOD's biometrics program. Potential supplemental budget amounts for future years are not reflected in this table. [End of table] As shown, table 2 includes fiscal year 2007 through and including fiscal year 2011, and identifies biometric program base and supplemental funding while table 3 sets out fiscal year 2012 through fiscal year 2015, where it is currently unknown whether supplemental funding for the biometrics program will be requested. We have previously recommended that DOD shift certain contingency costs into the annual base budget to allow for prioritization and trade-offs among its needs and to enhance visibility in defense spending.[Footnote 43] With regard to its biometric program, DOD fiscal year 2012 through fiscal year 2015 budget plans shift funding into the base defense budget; however, DOD officials told us they anticipate continued need for supplemental funding to support the war efforts, but were unable to provide an estimate. As DOD identifies the warfighter needs related to developing future biometric capabilities, these requirements will likely affect its future budget requests. [End of section] Appendix III: Comments from the Department of Defense: Assistant Secretary Of Defense: Research And Engineering: 3030 Defense Pentagon: Washington, DC 20301-3030: March 24, 2011: Ms. Davi M. D'Agostino: Director, Acquisition and Sourcing Management: U.S. Government Accountability Office: 441 G Street, N.W. Washington, DC 20548: Dear Ms. D'Agostino: This is the Department of Defense (DoD) response to the GAO draft report 11-276, "Defense Biometrics: DoD Can Better Conform to Standards and Share Biometric Information with Federal Agencies," dated February 14, 2011 (GAO Code 351424). Detailed comments on the report recommendations are enclosed. The Department concurs that adherence to technical interoperability standards for all biometric equipment, including verification devices, contributes to successful data sharing within the DoD and across the interagency. Additionally, the DoD remains committed to establishing and enforcing biometric data standards; and, since the time of the research for this GAO report, DoD has taken further steps to improve standards compliance testing. These steps have included the establishment of a Biometrics Standards Conformity Assessment Test Program that was accredited in January 2011 by the National Institute of Standards and Technology (NIST). The Department is also updating the existing authorities and responsibilities for standards testing in the DoD Directive 8521.01E, "Department of Defense Biometrics" to further strengthen our interoperability. The Department also concurs with the need to look forward to the future data sharing requirements of our interagency partners, and to continually update our biometric database's ability to keep pace with those requirements as they evolve. DoD is actively engaged with the Department of Homeland Security, the Federal Bureau of Investigation, and other government departments and agencies on the steps required to achieve and maintain full interoperability. Sincerely, Signed by: Zachary J. Lemnois: Enclosure: As stated. [End of letter] GAO Draft Report Dated February 14, 2011: GA0-11-276 (GAO CODE 351424): "Defense Biometrics: DOD Can Better Conform To Standards And Share Biometric Information With Federal Agencies." Department Of Defense Comments To The GAO Recommendations: Recommendation 1: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, to take action in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force to implement a process for updating collection devices to adopted standards to help ensure that all DOD systems related to biometrics, including collection devices, conform to adopted standards. (See page 28/GAO Draft Report.) DOD Response: Concur. The legacy HIIDE verification devices are approaching the end of their service life and are being retired, and DoD is in the process of procuring an updated handheld device to replace the HIIDE. The solicitation requires the replacement device to be compliant with the mandated data standard, which was EBTS 1.2 at the time the solicitation was developed and published, as required by DOD Directive 8521.01E for all new acquisitions. The Department expects to award this contract in April 2011, with fielding in August 2011. The Department's Biometrics Standards Conformity Assessment Test Program will verify compliance before deployment, and a separate engineering contract is already in place to upgrade devices to the recently-adopted EBTS 2.0 to ensure compatibility with interagency partners. Recommendation 2: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, to take action in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force to implement a process for testing collection devices at a sufficiently detailed level to help ensure that all DOD systems related to biometrics, including collection devices, conform to adopted standards. (See page 28/GAO Draft Report.) DOD RESPONSE: Concur. The Department has established a Biometrics Standards Conformity Assessment Test Program, accredited in January 2011 as part of the National Institute of Standards and Technology's (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) for biometric testing. Relevant tests include conformance tests to DoD EBTS and FBI Electronic Fingerprint Transmission Specification, as well as evaluations and assessments of biometric-enabled devices and systems that interoperate with the authoritative biometrics database and other repositories of biometric data. While the current DoDD 8521.01E already requires such compliance testing for new biometrics acquisitions, the directive does not fully address quick reaction capabilities such as the HIIDE. Additionally, the Department will work with the Federal Bureau of Investigation to develop a co-sharing arrangement to leverage existing standards compliance testing at the FBI Biometric Center of Excellence to further strengthen interagency interoperability. The Department will update the Biometrics DoDD to include these requirements no later than September 2011. Recommendation 3: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, to take action in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force to more fully define and further clarify the roles and responsibilities needed to achieve DOD's biometric program and objectives for all stakeholders that include ensuring collection devices conform to adopted standards. (See page 28/GAO Draft Report.) DOD Response: Concur. The Department is updating DoD Directive 8521.01E "Defense Biometrics," which establishes policy, assigns responsibilities, and describes procedures for DoD biometrics. This update will more fully define and clarify the roles and responsibilities of biometrics stakeholders, including responsibilities for testing collection devices for compliance with adopted standards. This update will be completed by September 2011. Recommendation 4: The GAO recommends that the Secretary of Defense direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, to take action in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force to complete the memorandum of agreement with the Department of Homeland Security regarding the sharing of biometric information as appropriate and consistent with U.S. laws and regulations and international agreements, as well as information sharing environment efforts. (See page 28/GAO Draft Report.) DOD Response: Concur. The Memorandum of Agreement between DoD and DHS regarding biometric sharing was signed into effect on 03 March 2011. Recommendation 5: The GAO recommends that the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, to take action in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force to identify its long-term biometric system capability needs, including the technological capacity and associated costs needed to support both the warfighter and to facilitate sharing of biometric information across federal agencies, and to take steps to meet those capability needs, as appropriate and consistent with U.S. laws and regulations, international agreements, and available resources. (See page 28/GAO Draft Report.) DOD Response: Concur. DoD ABIS is currently meeting all the sharing transactions required by DHS and FBI, and the Department has expansion plans in place to grow ABIS's capability to over 40,000 daily transactions. This growth will meet the 14,000 daily biometrics transaction rate articulated by DHS for 2012. DoD continues to work closely with the interagency Interoperability Executive Steering Committee to ensure the DoD has visibility as new interagency requirements coalesce, and can modify ABIS expansion plans to be responsive to our interagency sharing responsibilities. The Department expects to have an updated ABIS sizing plan to support the projected future DoD and interagency transaction requirements by July 2011. [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Davi M. D'Agostino, (202) 512-5431 or dagostinod@gao.gov: Acknowledgments: In addition to the contact named above, Penney Harwell Caramia, Assistant Director; Rebekah Boone; John Clary; Grace Coleman; Michele Fejfar; Lori Kmetz; Katherine Lenane; Amber Lopez Roberts; Greg Marchand; Jennifer Neer; Maria Stattel; Amie Steele; and Sonja Ware made key contributions to this report. [End of section] Related GAO Products: Homeland Security: Key US-VISIT Components at Varying Stages of Completion, but Integrated and Reliable Schedule Needed. [hyperlink, http://www.gao.gov/products/GAO-10-13]. Washington, D.C.: November 19, 2009. Defense Management: DOD Can Establish More Guidance for Biometrics Collection and Explore Broader Data Sharing. [hyperlink, http://www.gao.gov/products/GAO-09-49]. Washington, D.C.: October 15, 2008. Defense Management: DOD Needs to Establish Clear Goals and Objectives, Guidance, and a Designated Budget to Manage Its Biometrics Activities. [hyperlink, http://www.gao.gov/products/GAO-08-1065]. Washington, D.C.: September 26, 2008. Information Sharing Environment: Definition of the Results to Be Achieved in Improving Terrorism-Related Information Sharing Is Needed to Guide Implementation and Assess Progress. [hyperlink, http://www.gao.gov/products/GAO-08-492]. Washington, D.C.: June 25, 2008. Homeland Security: Strategic Solution for US-VISIT Program Needs to be Better Defined, Justified, and Coordinated. [hyperlink, http://www.gao.gov/products/GAO-08-361]. Washington, D.C.: February 29, 2008. GAO Management Letter to the Secretary of Defense. Washington, D.C.: December 13, 2007. Terrorist Watch List Screening: Opportunities Exist to Enhance Management Oversight, Reduce Vulnerabilities in Agency Screening Processes, and Expand Use of the List. [hyperlink, http://www.gao.gov/products/GAO-08-110]. Washington, D.C.: October 11, 2007. Border Security: Security of New Passports and Visas Enhanced, but More Needs to Be Done to Prevent Their Fraudulent Use. [hyperlink, http://www.gao.gov/products/GAO-07-1006]. Washington, D.C.: July 31, 2007. Border Security: Strengthened Visa Process Would Benefit from Improvements in Staffing and Information Sharing. [hyperlink, http://www.gao.gov/products/GAO-05-859]. Washington, D.C.: September 13, 2005. Port Security: Better Planning Needed to Develop and Operate Maritime Worker Identification Card Program. [hyperlink, http://www.gao.gov/products/GAO-05-106]. Washington D.C.: December 10, 2004. Border Security: Joint, Coordinated Actions by State and DHS Needed to Guide Biometric Visas and Related Programs. [hyperlink, http://www.gao.gov/products/GAO-04-1080T]. Washington, D.C.: September 9, 2004. Border Security: State Department Rollout of Biometric Visas on Schedule, but Guidance is Lagging. [hyperlink, http://www.gao.gov/products/GAO-04-1001]. Washington, D.C.: September 9, 2004. Technology Assessment: Using Biometrics for Border Security. [hyperlink, http://www.gao.gov/products/GAO-03-174]. Washington, D.C.: November 15, 2002. [End of section] Footnotes: [1] The White House, National Security Presidential Directive/NSPD-59 and Homeland Security Presidential Directive/HSPD-24, Biometrics for Identification and Screening to Enhance National Security (Washington, D.C.: June 5, 2008). [2] A more complete definition of biometric systems is found in DOD's Biometrics Glossary. As defined in the Glossary, a biometric system contains multiple individual components (such as sensor, matching algorithm, and result display) that combine to make a fully operational system. A biometric system is an automated system capable of: (1) capturing a biometric sample for a biometric subject; (2) extracting and processing the biometric data from that sample; (3) storing the extracted information in a database; (4) comparing the biometric data with data contained in one or more references; and (5) deciding how well they match and indicating whether or not an identification or verification of identity has been achieved. A biometric system may be a component of a larger system. [3] Standards provide rules and guidelines to promote interoperability among various systems and are developed through consensus by Standards Development Organizations, such as the National Institute of Standards and Technology and InterNational Committee for Information Technology Standards. [4] GAO, Defense Management: DOD Needs to Establish Clear Goals and Objectives, Guidance, and a Designated Budget to Manage Its Biometric Activities, [hyperlink, http://www.gao.gov/products/GAO-08-1065] (Washington, D.C.: Sept. 26, 2008) and GAO, Defense Management: DOD Can Establish More Guidance for Biometrics Collection and Explore Broader Data Sharing, [hyperlink, http://www.gao.gov/products/GAO-09-49] (Washington, D.C.: Oct. 15, 2008). [5] IDENT also currently stores facial images, but does not have a search and match capability for facial images at this time. [6] DOD Directive 8521.01E, Department of Defense Biometrics (Feb. 21, 2008). [7] The January 2007 memorandum defined the term U.S. persons as U.S. citizens and aliens lawfully admitted for permanent residence. [8] The memorandum states that such unclassified biometric information includes data related to terrorism information defined in the Intelligence Reform and Terrorism Prevention Act (Pub. L. No. 108-458) regarding terrorists, detainees, and those individuals/groups posing a threat to the U.S., but excludes data pertaining to U.S. persons, and any sharing of unclassified biometric information unrelated to terrorism information will be determined based upon relevant law and directives and require, at a minimum, a written memorandum from the requesting agency stating the official need for the records, the intended use of the records, the protections and safeguards that will be afforded the records, and the nature or extent of possible further distribution of the records to other organizations or agencies. Memorandum from Deputy Secretary of Defense on the Sharing of DOD Biometric Data and Associated Unclassified Information from Non-U.S. Persons with Interagency Entities (Jan. 10, 2007). [9] In 1999, the Deputy Secretary of Defense issued a memorandum directing the implementation of a standard smart-card-based identification system for all active duty military personnel, DOD civilian employees, and eligible contractor personnel, to be called the Common Access Card. [10] DOD Directive 8521.01E, Department of Defense Biometrics § 3 (Feb. 21, 2008). [11] The adoption of standards does not guarantee interoperability, but is an important step in promoting interoperability. According to the Office of Management and Budget (OMB) Circular A-119, Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformance Assessment Activities (Washington, D.C.: February 1998), a standard may include a common and repeated use of rules, conditions, guidelines, or characteristics for products, among other things. In addition, a standard may include a specification of dimensions, materials, performance, designs, or operations. DOD Directive 8521.01E, Department of Defense Biometrics (Feb. 21, 2008), states, "Biometric collection, transmission, storage, caching, tagging, and use shall be controlled through the use of DOD-approved national, international, and other consensus-based standards, protocols, best practices, and equipment to ensure consistency and support interoperability." [12] The DOD Information Technology Standards Registry is the central repository for DOD-approved information technology standards, including biometric standards. Each standard accepted to the DOD Information Technology Standards Registry is assigned a status as "emerging" or "mandated." "Mandated standards" are mandated for the management, development, and acquisition of new or improving systems throughout DOD. "Information guidance" is also provided in the DOD Information Technology Standards Registry. Updates included DOD EBTS version 1.1 issued on August 23, 2005; DOD EBTS version 1.2 issued on November 8, 2006; and DOD EBTS version 2.0 issued on March 27, 2009. DOD EBTS version 2.0 is currently included in the DOD Information Technology Standards Registry as a "Mandated" standard. [13] DOD EBTS v.1.1 and v.1.2 were based on ANSI/NIST ITL 1-2000 and EFTS v.7. The most recent, DOD EBTS v. 2.0 is based on ANSI/NIST ITL 1- 2007. FBI's requirements include its Electronic Fingerprint Transmission Specification and its Electronic Biometric Transmission Specification. [14] On February 2, 2004, DOD's Chief Information Officer issued a memorandum, entitled "Department of Defense Compliance with Internationally Accepted Standard for Electronic Transmission and Storage of Fingerprint Data from 'Red Force' Personnel." [15] The February 2004 memorandum directed that all new and upgraded DOD biometric collection devices used to collect "red force" fingerprint data must be certified as interoperable with the FBI's biometric systems. DOD officials told us that the HIIDE device may be used to collect such "red force" data. [16] On November 29, 2005, the U.S. Army's Chief Information Officer issued a memorandum, entitled "Department of Defense Compliance with the Electronic Biometric Transmission Specification." [17] DOD Directive 8521.01E, Department of Defense Biometrics § 4.3 (Feb. 21, 2008). [18] Joint Interoperability Test Command, Baseline Interoperability Assessment Report of the Department of Defense Automated Biometric Identification System, version 1.0.13, (November 2009). [19] The Project Management Institute, The Standard for Program Management © (2006). For the purposes of this report, we are referring to DOD's biometric program in its entirety, not the acquisition program for one particular biometric collection device. [20] DOD standards are adopted through updates to the DOD Information Technology Standards Registry. [21] Each standard accepted to the DOD Information Technology Standards Registry is assigned a status. One such status is referred to as "mandated standards." The DOD Information Technology Standards Registry defines "mandated standards" as "the minimum set of essential standards for implementation in the acquisition of all DOD systems that produce, use, or exchange information and, when implemented, facilitate the flow of information in support of the warfighter. These standards are mandated for the management, development, and acquisition of new or improving systems throughout the DOD." Department of Army, Biometrics Task Force, Biometrics Collection, Transmission and Storage Standards Technical Reference (July 24, 2006). In this report, the terms mandated and mandated DOD standards refer to the status assigned to such standards as defined in Biometrics Collection, Transmission and Storage Standards Technical Reference. [22] Chairman of the Joint Chiefs of Staff, Instruction (CJCSI) 6212.01E requires results from standards conformance testing to be part of the interoperability evaluation. The Joint Interoperability Test Command has conducted interoperability evaluations on its biometrics systems, though it was a limited assessment due to a lack of conformance testing by DOD. [23] National Science & Technology Council, Subcommittee on Biometrics and Identity Management, NSTC Policy for Enabling the Development, Adoption and Use of Biometric Standards (Sept. 7, 2007). [24] DOD Directive 8521.01E, Department of Defense Biometrics (Feb. 21, 2008). [25] OMB Circular No. A-123, Management's Responsibility for Internal Control (Washington, D.C., December 2004), and GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). OMB issued Circular A-123, revised December 21, 2004, to provide the specific requirements for assessing the reporting on internal controls. Internal control standards and the definition of internal control in Circular A-123 are based on GAO's Standards for Internal Control in the Federal Government. [26] DOD Directive 8521.01E, Department of Defense Biometrics § 1.2 (Feb. 21, 2008). [27] OMB Circular No. A-123. [28] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [29] DOD does not have an agreement in place to directly share information with State, and there are no plans to establish direct connectivity between DOD and State. State utilizes DHS's biometric system for sharing State's biometric information with other key federal agencies. [30] Memorandum of Understanding Between the Federal Bureau of Investigation and the Department of Defense for Sharing of Biometric and Other Identity Management Information, September 2009. The FBI is a component of DOJ. [31] DOD Directive 8521.01E, Department of Defense Biometrics § 5.2.2 (Feb. 21, 2008), designates responsibility to the Under Secretary of Defense for Policy to prepare and issue interagency agreements, among other things, for biometrics activities, as appropriate. [32] Memorandum of Understanding Between the Department of State and the Department of Homeland Security for Cooperation in: Enhanced Border Security - the US-VISIT Program, the Biometric Visa Program, and the Visa Datashare Program, January 2005. [33] There are no plans to establish direct connectivity between State and DOJ, according to State officials. [34] Memorandum of Understanding Among the Department of Homeland Security, the Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Division; and the Department of State, Bureau of Consular Affairs for Improved Information Sharing Services, July 1, 2008. [35] There are no plans to establish direct connectivity between DOD and State, according to State officials. [36] GAO, Defense Management: DOD Can Establish More Guidance for Biometrics Collection and Explore Broader Data Sharing, [hyperlink, http://www.gao.gov/products/GAO-09-49] (Washington, D.C.: Oct. 15, 2008). [37] [hyperlink, http://www.gao.gov/products/GAO-09-49]. [38] DOD, Directive 8521.01E, Department of Defense Biometrics § 4.4 and § 4.11 (Feb. 21, 2008). The Intelligence Reform and Terrorism Prevention Act created an Information Sharing Environment, defined as an approach that facilitates the sharing of terrorism and homeland security information, with a Program Manager responsible for information sharing across the federal government. The Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004, Pub. L. No. 108- 458, § 1016 (2004). [39] Department of Defense Biometrics Enterprise Strategic Plan, 2008 - 2015 (Aug. 27, 2008). [40] We identified DOD, DHS, DOJ/FBI, and State as key federal agencies in the collection and sharing of biometric information. DOD, DOJ, and DHS have responsibility for our nation's security and maintain three major federal biometric systems that are used to prevent harm to our nation's security, and State helps protect our national security through the use of vital information from these systems to screen potential foreign visitors who may want to harm our nation. [41] The National Science and Technology Council is responsible for the Committee on Technology, which has a Subcommittee on Biometrics and Identity Management. The National Science and Technology Council falls under the purview of the Office of Science and Technology Policy in the Executive Office of the President. [42] Memorandum of Understanding Between the Department of State and the Department of Homeland Security for Cooperation in: Enhanced Border Security – the US-VISIT Program, the Biometric Visa Program, and the Visa Datashare Program, January 2005; Memorandum of Understanding Among the Department of Homeland Security; the Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Division; and the Department of State, Bureau of Consular Affairs for Improved Information Sharing Services (July 1, 2008); and Memorandum of Understanding Between the Federal Bureau of Investigation and the Department of Defense for Sharing of Biometric and Other Identity Management Information (Sept. 2009). [43] GAO, Global War on Terrorism: DOD Needs to Take Action to Encourage Fiscal Discipline and Optimize the Use of Tools Intended to Improve GWOT Cost Reporting, [hyperlink, http://www.gao.gov/products/GAO-08-68] (Washington, D.C.: Nov. 6, 2007). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: