Strengthening Department of Homeland Security Management Functions
In 2003, we designated implementing and transforming DHS as high risk because the department had to transform 22 agencies—several with major management challenges—into one department. Given the significant effort required to build and integrate a department as large and complex as DHS, our initial high-risk designation addressed the department’s implementation and transformation efforts to include associated management and programmatic challenges. Failure to effectively address these challenges could have serious consequences for U.S. national and economic security.
Since 2003, the focus of this high-risk area has evolved in tandem with DHS’s maturation and evolution. In September 2011, we reported in our assessment of DHS’s progress that the department had implemented key homeland security operations and achieved important goals in many areas but continuing weaknesses in DHS’s management functions had been a key theme impacting the department’s implementation efforts.
As a result, in our 2013 high-risk update, we narrowed the scope of the high-risk area to strengthening and integrating DHS management functions (human capital, acquisition, information technology, and financial).
Since our 2017 High-Risk Report, ratings for all five criteria remain unchanged. DHS has continued its efforts to strengthen and integrate its acquisition, information technology, financial, and human capital management functions. It has continued to meet three out of five criteria for removal from the High-Risk List (leadership commitment, action plan, and monitoring) and partially meet the remaining two criteria (capacity and demonstrated progress).
Leadership commitment: met. DHS top leadership, including the Secretary and Deputy Secretary of Homeland Security, has continued to demonstrate exemplary commitment and support for addressing the department’s management challenges. They have also taken actions to institutionalize this commitment to help ensure the long-term success of the department’s efforts. One such effort is the Under Secretary for Management’s Integrated Priorities initiative to strengthen the integration of DHS’s business operations across the department. During monthly leadership meetings with the Under Secretary for Management, the department’s Chief Executive Officers have been providing status updates on their respective actions to address this high-risk designation.
Capacity: partially met. With regard to acquisition staffing, DHS has analyzed components’ acquisition program staffing assessments but has yet to conduct an in-depth analysis across components or develop a plan to address any gaps.
With regard to IT staffing, DHS has not identified or reported to Congress or the Office of Personnel Management (OPM) on its department-wide cybersecurity specialty areas of critical needs, such as cybersecurity management or incident response, as required by law. In February 2018, we recommended that DHS take steps to ensure that (1) its cybersecurity workforce procedures identify position vacancies and responsibilities, (2) cybersecurity workforce data are complete and accurate, and (3) plans for reporting critical needs are developed. DHS concurred and stated it planned to provide further evidence addressing the recommendations by the end of the first quarter of fiscal year 2019, which we will assess upon receipt.
With regard to financial management capacity, DHS has continued its efforts to identify and allocate resources for financial management but additional progress is needed. For example, DHS’s financial statement auditor has identified several capacity-related issues, including resource limitations and inadequate management and staff training, as causes for the material weaknesses reported.
Action plan: met. In January 2011, DHS produced its first Integrated Strategy for High-Risk Management and has issued 14 updated versions, most recently in September 2018. The September 2018 strategy describes DHS’s progress to-date and planned corrective actions to further strengthen its management functions. DHS’s strategy and approach, if effectively implemented and sustained, provides a path for DHS to be removed from our High-Risk List.
Monitoring: met. In the most recent September 2018 Integrated Strategy for High-Risk Management, DHS included performance measures to monitor key management initiatives. For example, DHS monitors the percentage of components demonstrating effective internal controls for significant business processes as a way of gauging progress toward improving financial management. In addition, DHS is also better positioned to monitor its financial system modernization projects since it established a joint program management office in October 2017. This office is to, among other things, centralize program governance and streamline its decision-making processes, and provide DHS management with regular updates on the department’s financial system modernization efforts.
Demonstrated progress: partially met. In 2010, we identified, and DHS agreed, that achieving 30 specific outcomes would be critical to addressing the challenges within the department’s management areas. As of September 2018, DHS has fully addressed 17 of the 30 needed outcomes, mostly addressed 4, partially addressed 6, and initiated actions to address the remaining 3. Since our 2017 High-Risk Report, DHS has taken steps to fully address two human capital outcomes by demonstrating that components are basing hiring decisions and promotions on human capital competencies and strengthening employee engagement efforts. In addition, DHS has fully addressed two IT outcomes by (1) providing ongoing oversight and support to troubled IT investments to help improve their cost, schedule, and performance; and (2) demonstrating significant progress in implementing its IT strategic workforce planning initiative.
Important progress and work remaining in key areas include:
- Acquisition management. DHS continues to face challenges in funding its acquisition portfolio. In May 2018, we found that recent enhancements to DHS’s acquisition management, resource allocation, and requirements policies largely reflect key portfolio management practices. However, we also found that of the 24 major acquisition programs we assessed with approved schedule and cost goals, only 10 were on track to meet those goals during 2017—a decrease from 2016.
- In addition, we found that DHS’s portfolio of major acquisition programs is not affordable from fiscal years 2018 to 2022. DHS has taken steps to strengthen requirements development across the department, such as reestablishing the Joint Requirements Council in June 2014. However, opportunities remain to further strengthen DHS’s acquisition process by using the Joint Requirements Council to impact DHS’s budget. The council could better fulfill its mission by identifying overlapping or common requirements, and by making recommendations to senior leadership to help ensure that DHS uses its finite investment resources wisely, and maintains a balanced portfolio of investments that combine near-term operational improvements with long-term strategic planning.
IT management. DHS has updated its approach for managing its portfolios of IT investments across all components. As part of the revised approach, the department is utilizing its capital planning and investment control process and the Joint Requirements Council to assess IT investments across the department on an ongoing basis. For example, as part of its capital planning process for the fiscal year 2020 budget, the Office of the Chief Information Officer worked with the components to assess each major IT investment to ensure alignment with DHS’s functional portfolios, and to identify opportunities to share capabilities across components. This updated approach should enable DHS to identify potentially duplicative investments and opportunities for consolidating investments, as well as reduce component-specific investments.
Additionally, DHS has continued to take steps to enhance its information security program. In November 2018, the department’s financial statement auditor reported that DHS had made progress in correcting its prior year IT security weaknesses. However, for the 15th consecutive year, the auditor designated deficiencies in IT systems controls as a material weakness for financial reporting purposes. Work also remains in implementing our six open recommendations concerning DHS’s cybersecurity workforce assessment requirements.
- Financial management. DHS received a clean audit opinion on its financial statements for 6 consecutive years—fiscal years 2013 to 2018. However, its auditor reported two material weaknesses in the areas of financial reporting and information technology controls and financial systems, as well as instances of non-compliance with laws and regulations. These deficiencies hamper DHS’s ability to provide reasonable assurance that its financial reporting is reliable and the department is in compliance with applicable laws and regulations. In addition, much work remains to modernize components' financial management systems and business processes.
- Human capital management. DHS has continued to strengthen its employee engagement efforts by implementing our 2012 recommendation to establish metrics of success within components’ action plans for addressing its employee satisfaction problems. Further, DHS has conducted audits to better ensure components are basing hiring decisions and promotions on human capital competencies. In addition, OPM’s 2018 Federal Employee Viewpoint Survey data showed that in the past 2 years, DHS’s score on the Employee Engagement Index (EEI) increased by 4 points—from 56 in 2016 to 60 in 2018—which was 1 point more than the government wide increase over the same period. While this improvement is notable, DHS’s current EEI score is 1 point below its EEI baseline score in 2010, suggesting that DHS is still working to regain lost ground after an 8 point drop between 2010 and 2015. DHS has considerable work ahead to improve its employee engagement as its 2018 EEI score ranked 20th among 20 large and very large federal agencies.
- Management integration. Since 2015, DHS has focused its efforts to address crosscutting management challenges through the establishment and monitoring of Integrated Priorities. The department updated these priorities in September 2017. Each priority includes goals, objectives, and measurable action plans that are monitored at monthly leadership meetings led by senior DHS officials, including the Under Secretary for Management. To achieve this outcome, DHS needs to continue to demonstrate sustainable progress integrating its management functions within and across the department, as well as fully address the other 13 outcomes it has not yet fully achieved.
Over the years, we have made hundreds of recommendations related to DHS management functions and many have been implemented. Continued progress for this high-risk area depends primarily on addressing the remaining outcomes. In the coming years, DHS needs to continue implementing its Integrated Strategy for High-Risk Management to show measurable, sustainable progress in implementing corrective actions and achieving outcomes. In doing so, it remains important for DHS to
- maintain its current level of top leadership support and sustained commitment to ensure continued progress in executing its corrective actions through completion;
- continue to identify the people and resources necessary to make progress towards achieving outcomes, work to mitigate shortfalls and prioritize initiatives as needed, and communicate to senior leadership critical resource gaps;
- continue to implement its plan for addressing this high-risk area and periodically provide assessments of its progress to us and Congress;
- closely track and independently validate the effectiveness and sustainability of its corrective actions, and make midcourse adjustments as needed; and
- make continued progress in achieving the 13 outcomes it has not fully addressed and demonstrate that systems, personnel, and policies are in place to ensure that progress can be sustained over time.
GAO-18-550: Published: Aug 8, 2018. Publicly Released: Aug 8, 2018.
The Department of Homeland Security invests billions of dollars each year in major acquisition programs to assist in executing its many critical missions. We’ve previously found that DHS agencies had acquisition programs that did not meet requirements. Sometimes operational requirements were poorly defined, increasing the risk of not meeting the needs of end users in the field, such as emergency...
GAO-18-339SP: Published: May 17, 2018. Publicly Released: May 17, 2018.
Each year, the Department of Homeland Security invests billions of dollars in major acquisitions such as aircraft and surveillance technology. We reviewed DHS's portfolio of major acquisitions and found that, in 2017, more than half of its programs needed more time and money than initially planned—an increase from 2016. DHS has strengthened its policies for managing acquisitions as a portfolio...
GAO-18-175: Published: Feb 6, 2018. Publicly Released: Feb 6, 2018.
The Department of Homeland Security (DHS) has taken actions to identify, categorize, and assign employment codes to its cybersecurity positions, as required by the Homeland Security Cybersecurity Workforce Assessment Act of 2014; however, its actions have not been timely and complete. For example, DHS did not establish timely and complete procedures to identify, categorize, and code its cybersecu...
GAO-17-799: Published: Sep 26, 2017. Publicly Released: Sep 26, 2017.
The Department of Homeland Security's (DHS) TRIO project represents a key effort to address long-standing financial management system deficiencies. During 2012 and 2013, the TRIO components—U.S. Coast Guard (Coast Guard), Transportation Security Administration (TSA), and Domestic Nuclear Detection Office (DNDO)—each completed an alternatives analysis (AA) to determine a preferred alternative f...
GAO-17-284: Published: May 18, 2017. Publicly Released: May 18, 2017.
The Department of Homeland Security (DHS) has fully implemented 28 of the 31 selected Federal Information Technology (IT) Acquisition Reform Act (FITARA) action plans; however, as of December 2016, DHS did not fulfill all aspects of 3 action plans. For example, one action plan is to use an updated process for reviewing troubled programs to provide support to such programs; however, DHS has not fin...
GAO-17-396: Published: Apr 13, 2017. Publicly Released: Apr 13, 2017.
The Department of Homeland Security purchases many systems—such as for nuclear detection and search and rescue—that help it execute critical missions. And, while it has improved its management of major acquisitions, its non-major acquisitions (generally those that cost less than $300 million) haven't received as much attention—though DHS did make improvements during the course of our audit. ...
GAO-17-346SP: Published: Apr 6, 2017. Publicly Released: Apr 6, 2017.
The Department of Homeland Security planned to spend $7 billion in fiscal year 2016 on major acquisitions—including ships, screening equipment, and surveillance technology. We reviewed 26 of DHS's major acquisition programs and found that, for the first time, they all had approved cost, schedule, and performance baselines to measure progress. DHS has taken steps to strengthen management of its...