Strengthening Department of Homeland Security Management Functions
What We Found
The Department of Homeland Security needs to continue implementing its Integrated Strategy for High-Risk Management with a particular focus on building its capacity in the areas of acquisition, information technology, and financial management.

Since our 2019 High-Risk Report, ratings for all five criteria remain unchanged.
The Department of Homeland Security (DHS) has continued its efforts to strengthen and integrate its acquisition, information technology (IT), financial, and human capital management functions. It has continued to meet three out of five criteria from the High-Risk List (leadership commitment, action plan, and monitoring) and partially meet the remaining two criteria (capacity and demonstrated progress).
Leadership commitment: met. DHS’s top leaders have continued to demonstrate commitment and support for addressing the department’s management challenges. They have also taken actions to institutionalize this commitment to help ensure the success of the department’s efforts.
For example, the Deputy Under Secretary for Management issued strategic guidance to DHS’s component agencies encouraging investment in areas critical to DHS management functions, including financial system modernization, human resource training, and career development programs.
Capacity: partially met. DHS has made progress in its coding of IT management positions. In March 2019, we found that DHS had not consistently assigned the appropriate National Initiative for Cybersecurity Education (NICE) framework work categories to its IT management positions, as required by law. We recommended that DHS review the coding for certain IT management positions, assign the appropriate NICE framework work categories, and assess the accuracy of position descriptions.
In November 2020, DHS officials stated that they had taken steps to ensure that at least one NICE code was assigned to active IT management positions. In addition, according to a December 2020 report, DHS had assigned an appropriate work role code to 98 percent of approximately 5,000 IT management positions.
In October 2020, our review of the nomination and designation process for appointing the Component Acquisition Executive (CAE) position identified instances where the acceptance criteria—standards to evaluate whether an individual is qualified for the position—were not met as described in DHS acquisition guidance. Until the DHS Office of Program Accountability and Risk Management and DHS components consistently execute the nomination and designation process, DHS’s Chief Acquisition Officer cannot be assured that oversight of acquisition programs is being conducted by individuals qualified for the CAE position.
With regard to financial management capacity, DHS has continued its efforts to identify and allocate resources for financial management, but additional progress is needed. For example, in fiscal year 2020 DHS’s financial statement auditor reported several capacity-related issues—including manual processes and lack of automated functions, resource limitations, and untimely training—as causes for the material weaknesses in the areas of financial reporting and information technology controls and information systems. In response to the auditor’s report, DHS stated that it is focused on improving IT controls and has put in place an aggressive multiyear strategy to modernize its financial systems.
Action plan: met. In January 2011, DHS produced its first semiannual Integrated Strategy for High-Risk Management and has issued 18 updated versions, most recently in September 2020. The September 2020 strategy describes DHS’s progress to date and planned corrective actions to further strengthen its management functions.
For example, the strategy includes a multiyear plan to achieve an unmodified opinion on its internal control over financial reporting and substantial compliance with the Federal Financial Management Improvement Act of 1996 by fiscal year 2024. DHS’s strategy and approach, if effectively implemented and sustained, provides a path for DHS to be removed from our High-Risk List.
Monitoring: met. In the most recent September 2020 Integrated Strategy for High Risk Management, DHS included status updates and future planned actions for each of the outcomes that are not yet fully addressed.
Demonstrated progress: partially met. In 2010, we identified, and DHS agreed, that achieving 30 specific outcomes would be critical to addressing the challenges within the department’s management areas. As of December 2020, DHS has fully addressed 17 of the 30 needed outcomes, mostly addressed five (a small amount of work remains), partially addressed five (significant work remains), and initiated actions to address the remaining three (activities have been initiated, but it is too early to report progress).
Table 8: GAO Assessment of DHS Progress in Addressing Key Outcomes
| Key management function | Fully addressed [a] | Mostly addressed [b] | Partially addressed [c] | Initiated [d] | Total |
|---|---|---|---|---|---|
| Acquisition management | 2 | 3 | | | 5 |
| Information technology management | 5 | | 1 | | 6 |
| Financial management | 2 | | 3 | 3 | 8 |
| Human capital management | 5 | 2 | | | 7 |
| Management integration | 3 | | 1 | | 4 |
| Total | 17 | 5 | 5 | 3 | 30 |
Source: GAO analysis of DHS documents, interviews, and prior GAO reports. | GAO-21-119SP
[a] “Fully addressed”: Outcome is fully addressed.
[b] “Mostly addressed”: Progress is significant and a small amount of work remains.
[c] “Partially addressed”: Progress is measurable, but significant work remains.
[d] “Initiated”: Activities have been initiated to address the outcome, but it is too early to report progress.
Important progress and work remaining in key areas include:
- Acquisition management. DHS has taken steps to strengthen requirements development across the department, such as re-establishing the Joint Requirements Council in June 2014.
However, DHS continues to face challenges in effectively executing its acquisition portfolio. In May 2018, we found that enhancements to DHS’s acquisition management, resource allocation, and requirements policies largely reflect key portfolio management practices. However, in January 2021, we found that, of the 24 major acquisition programs we assessed with approved schedule and cost baseline goals, 10 failed to meet one of these goals at some point in fiscal year 2020.
While some of these instances were because of factors outside of a program’s control, such as the Coronavirus Disease 2019, we also found instances where DHS did not implement sound acquisition practices leading to other programs not meeting their schedules or cost goals. For example, two of the 10 programs failed to meet their cost or schedule goals because of an underestimation of the programs’ complexity or requirements.
- IT management. DHS has continued to sustain and mature its department-wide Enterprise Architecture program over the past 6 years. For example, the DHS Chief Information Officer developed a fiscal year 2020-2023 Enterprise Architecture Strategic Plan to provide strategic direction for delivering IT services and solutions across the department.
Further, the department has continued to manage its IT investments across the department by using an IT portfolio management approach. For example, in fiscal year 2020, the Office of the Chief Information Officer (OCIO) produced portfolio data and analysis related to each of the Department’s seven IT portfolios. OCIO officials reported that the Chief Information Officer and other DHS leadership used this information to support IT investment oversight and resource allocation recommendations.
This portfolio management approach should enable DHS to identify potentially duplicative investments and opportunities to consolidate investments, as well as reduce component-specific investments.
In addition, DHS has made progress in implementing recommendations identified in the fiscal years 2016 to 2018 DHS Office of the Inspector General’s (OIG) reports related to IT security weaknesses. However, much work remains for DHS to enhance its information security program.
In September 2020, the OIG reported that the department’s information security program was ineffective for fiscal year 2019. Specifically, the OIG identified that DHS did not have an effective strategy or department-wide approach to manage risks for all of its systems, nor did it apply security patches and updates timely to mitigate critical and high-risk security vulnerabilities on selected components’ systems, among others.
Additionally, in fiscal year 2020, the department’s financial statement auditor identified that DHS had ineffective design and implementation of controls to remediate IT findings, including insufficient corrective action to address deficiencies that have existed for several years in multiple information systems. Further, for the 17th consecutive year, the auditor designated deficiencies in IT systems controls as a material weakness for financial reporting purposes.
As a result, since our 2019 report, DHS has moved from a mostly addressed to a partially addressed rating for one IT management area outcome on IT security. OCIO officials informed us that they are taking steps to address this outcome, such as conducting an independent verification and validation of plans of actions and milestones and performing configuration audit checks for selected operating systems.
The December 2020 compromise of an enterprise network management software suite to conduct a cyberattack campaign against U.S. government agencies, including DHS, highlights the urgent need to address these vulnerabilities. In a notification to Congress on December 19, 2020, DHS stated that the DHS OCIO is examining this incident and putting mitigation measures into place. Until DHS adequately mitigates these vulnerabilities, the data maintained on its systems will remain at increased risk of unauthorized modification and disclosure, and systems will remain at risk of disruption.
- Financial management. DHS received an unmodified audit opinion on its financial statements for 8 consecutive years—fiscal years 2013 to 2020. However, similar to its fiscal year 2019 financial statement audit, DHS’s auditor again reported two material weaknesses in the areas of (1) financial reporting, and (2) IT controls and information systems, as well as instances of noncompliance with laws and regulations. According to the auditor, these two material weaknesses led to an adverse opinion on internal controls over financial reporting.
These deficiencies hamper DHS’s ability to provide reasonable assurance that its financial reporting is reliable and the department is in compliance with applicable laws and regulations. For DHS to obtain and sustain an unmodified audit opinion on its internal controls over financial reporting, and to achieve substantial compliance with the Federal Financial Management Improvement Act of 1996, DHS needs to continue to strengthen its financial management controls and ensure that key controls are in place to address the auditor’s findings related to the two material weaknesses.
In addition, much work remains to modernize components' financial management systems and business processes. Specifically, DHS needs to effectively implement its long-term financial systems modernization efforts at the U.S. Coast Guard, the Federal Emergency Management Agency, and U.S. Immigration and Customs Enforcement. DHS also needs to ensure that key controls are in place to address the auditor’s findings
- Human capital management. Since our 2019 High-Risk Report, DHS has taken steps to move from a partially to mostly addressed rating on one outcome in the human capital management area.
DHS made continued improvements in employee engagement as measured by the Office of Personnel Management’s Federal Employee Viewpoint Survey (FEVS). Starting in 2015, DHS reversed a 5-year downward trend in its scores on the FEVS Employee Engagement Index (EEI). After 4 consecutive years of improvements and a 2019 EEI of 62, DHS surpassed its 2010 benchmark.
However, DHS has additional work ahead to improve its employee engagement as its 2019 Employee Engagement Index remained 6 percentage points below the government-wide average and ranked 20th among 20 large and very large federal agencies. Specifically, as we recommended in January 2021, DHS should monitor component employee engagement action planning efforts to ensure the components use performance outcomes to assess the results of their actions and to adjust, reprioritize, and identify new actions to improve employee engagement. DHS agreed with our recommendations and expects to develop written guidance for the component employee engagement action planning process in 2021.
- Management integration. Since 2019, DHS has communicated management priorities through the department planning, programming, budgeting, and execution process. Specifically, in fiscal year 2019, the Deputy Under Secretary for Management issued strategic guidance to components encouraging investment in areas critical to DHS management functions.
To achieve this outcome, DHS must continue to demonstrate sustainable progress integrating its management functions within and across the department, as well as fully address the other 13 outcomes it has not yet fully achieved. Outcomes not yet fully achieved include, among others, obtaining an unmodified opinion on independent audits of internal controls and consistently implementing sound acquisition practices.
In 2003, we designated implementing and transforming DHS as high risk because the department had to transform 22 agencies—several with major management challenges—into one department. Given the significant effort required to build and integrate a department as large and complex as DHS, our initial high-risk designation addressed the department’s implementation and transformation efforts including associated management and programmatic challenges. Failure to effectively address these challenges could have serious consequences for U.S. national and economic security.
Since 2003, the focus of this high-risk area has evolved in tandem with DHS’s maturation and evolution. In September 2011, we reported in our assessment of DHS’s progress that the department had implemented key homeland security operations and achieved important goals in many areas but continuing weaknesses in DHS’s management functions had been a key theme impacting the department’s implementation efforts.
As a result, in our 2013 high-risk update, we narrowed the scope of the high-risk area to strengthening and integrating DHS management functions (human capital, acquisition, information technology, and financial).
Over the years, we have made hundreds of recommendations related to DHS management functions and many have been implemented. However, as of December 2020, there are at least 29 recommendations related to DHS management functions that DHS has not yet implemented.
Continued progress for this high-risk area depends primarily on fully addressing the 13 remaining outcomes. In the coming years, DHS needs to continue its efforts to implement its action plan, the Integrated Strategy for High-Risk Management, to show measurable, sustainable progress in employing corrective actions and achieving outcomes. In doing so, it remains important for DHS to
- maintain its current level of top leadership support and commitment to ensure continued progress in executing its corrective actions through completion;
- continue to identify the people and resources necessary to make progress towards achieving outcomes, work to mitigate shortfalls and prioritize initiatives as needed, and communicate to senior leadership critical resource gaps;
- continue efforts to ensure that key controls are in place to address the auditor’s findings related to the two material weaknesses identified by its financial statement auditor, and continue the financial system modernization efforts underway;
- continue to implement its plan for addressing this high-risk area and periodically provide assessments of its progress to us and Congress;
- closely track and independently validate the effectiveness and sustainability of its corrective actions, and make midcourse adjustments as needed; and
- make continued progress in achieving the 13 outcomes it has not fully addressed and demonstrate that systems, personnel, and policies are in place to ensure that progress can be sustained over time.
