The Department of Homeland Security (DHS) invested more than $6 billion in 2009 on large-scale, information technology (IT) systems to help it achieve mission outcomes and transform departmentwide operations. For DHS to effectively leverage these systems as mission enablers and transformation tools, it needs to employ a number of institutional acquisition and IT management controls and capabilities, such as using an operational and technological blueprint to guide and constrain system investments (enterprise architecture) and following institutional policies, practices, and structures for acquiring and investing in these systems. Other institutional controls and capabilities include employing rigorous and disciplined system life cycle management processes and having capable acquisition and IT management workforces. As GAO has reported, it is critical for the department to implement these controls and capabilities on each of its system acquisition programs. GAO has issued a series of reports on DHS institutional controls for acquiring and managing IT systems, and its implementation of these controls on large-scale systems. GAO was asked to testify on how far the department has come on both of these fronts, including its implementation of GAO's recommendations. To do this, GAO drew from its issued reports on institutional IT controls and IT systems, as well as our recurring work to follow up on the status of our open recommendations.

Since its inception, DHS has made uneven progress in its efforts to institutionalize a framework of interrelated management controls and capabilities associated with effectively and efficiently acquiring large-scale IT systems. To its credit, it has continued to issue annual updates to its enterprise architecture that have added previously missing scope and depth, and further improvements are planned to incorporate the level of content, referred to as segment architectures, needed to effectively introduce new systems and modify existing ones. Also, it has redefined its acquisition and investment management policies, practices, and structures, including establishing a system life cycle management methodology, and it has increased its acquisition workforce. Nevertheless, challenges remain relative to, for example, implementing the department's plan for strengthening its IT human capital, and fully defining key system investment and acquisition management policies and procedures. Moreover, the extent to which DHS has actually implemented these investment and acquisition management policies and practices on major programs has been at best inconsistent, and in many cases, quite limited. For example, recent reviews by GAO show that major acquisition programs have not been subjected to executive level acquisition and investment management reviews at key milestones and have not, among other things, employed reliable cost and schedule estimating practices, effective requirements development and test management practices, meaningful performance measurement, strategic workforce management, proactive identification and mitigation of program risks, and effective contract tracking and oversight, among other things. Because of these weaknesses, major IT programs aimed at delivering important mission capabilities have not lived up to expectations. For example, full deployment of the Rescue 21 "search and rescue" system had to be extended from 2006 to 2017; development and deployment of an "exit" capability under the US-VISIT program has yet to occur; and the timing and scope of an SBInet "virtual border fence" initial operating capability has been delayed and reduced from the entire southwest border to 28 miles of the border. To assist the department in addressing its institutional and system-specific challenges, GAO has made a range of recommendations. While DHS and its components have acted on many of these recommendations, and as a result have arguably made progress and improved the prospects for success on ongoing and future programs, more needs to be done by DHS's new leadership team before the department can ensure that all system acquisitions are managed with the rigor and discipline needed to consistently deliver promised capabilities and benefits on time and on budget.