DHS Acquisitions: Additional Practices Could Help Components Better Develop Operational Requirements

Fast Facts

The Department of Homeland Security invests billions of dollars each year in major acquisition programs to assist in executing its many critical missions. We’ve previously found that DHS agencies had acquisition programs that did not meet requirements. Sometimes operational requirements were poorly defined, increasing the risk of not meeting the needs of end users in the field, such as emergency responders.

We looked at seven DHS agencies and found that some meet GAO-identified best practices for defining operational requirements and others do not.

We made 25 recommendations to DHS to improve its agencies’ methods for developing requirements.

The Department of Homeland Security invests billions in major acquisitions, such as equipment for the Transportation Security Administration’s Passenger Screening Program

Photo of people at an airport going through a metal detector and other screening equipment

Highlights

What GAO Found

GAO has identified several best practices to ensure that operational requirements for acquisitions are well-defined and found some Department of Homeland Security's (DHS) components met them while others did not. These practices include a formal policy for developing requirements, an independent requirements organization, and an understanding of workforce needs and training. The table below shows GAO's assessment of seven of DHS's components against these practices.

GAO Assessment of Selected DHS Components Requirements Infrastructure

	Policy	Independent organization	Workforce assessment	Training
Customs and Border Protection	◒	●	◒	◒
Federal Emergency Management Agency	○	○	◒	○
Immigration and Customs Enforcement	○	◒	○	○
National Protection and Programs Directorate	◒	◒	○	○
Transportation Security Administration	◒	●	○	○
U.S. Coast Guard	●	●	○	●
U.S. Citizenship and Immigration Services	◒	◒	○	○

Key: ● Practice is present ◒ Practice is in development or needs updating ○ Practice is not present

Source: GAO assessment of Department of Homeland Security (DHS) data. | GAO-18-550

Establishing a formal policy to guide the process is critical to developing well-defined requirements. However, only the Coast Guard has an approved policy for requirements development among the seven components reviewed. Without well-defined requirements, components are at risk of acquiring capabilities that will not meet mission needs. DHS officials told GAO that components have generally prioritized obtaining funding and starting programs over developing requirements.

Three components have a requirements development organization, separating requirements from acquisition in addressing capability gaps. Officials from components without such organizations told GAO that they have fewer major acquisitions and rely on DHS to assist in requirements development. DHS policy and best practices, however, maintain the importance of this separation regardless of the number of major acquisitions to guard against possible bias by acquisition officials toward a specific materiel solution.

Two components have assessed requirements development workforce needs, but both need to be updated; and one component has provided requirements development training and certification. Other component officials told GAO that they lack the resources necessary to take these steps. Best practices indicate that without an appropriately sized and trained workforce, components remain at risk of acquiring capabilities that fail to meet end user needs.

Why GAO Did This Study

GAO has previously found that DHS's components had acquisition programs that did not meet requirements and that those requirements were, in some cases, poorly defined. Poorly defined requirements increase the risk that acquisitions will not meet the needs of users in the field—for example, border patrol agents or emergency responders.

GAO was asked to examine DHS components' practices for developing requirements. This report addresses the policies, organizations, and workforce that selected DHS components use to develop requirements for their acquisition programs.

GAO selected seven DHS components with significant acquisition programs and a non-generalizable sample of programs—based on cost, component, and acquisition phase—as case studies. GAO analyzed policies and program documentation; and interviewed DHS and component officials, as well as end users of DHS programs. GAO compared components' practices to industry best practices and federal internal control standards.

Recommendations

GAO is making 25 recommendations, including to individual components to establish policies and independent organizations for requirements development, assess workforce needs, and establish training and certifications. DHS concurred with all the recommendations.

Recommendations for Executive Action

Agency Affected	Recommendation	Status
Department of Homeland Security	The Secretary of DHS should ensure that the Commissioner of Customs and Border Protection through the Executive Assistant Commissioner for Operations Support finalizes and promulgates the Customs and Border Protection's draft policy for requirements development. (Recommendation 1)	Closed – Implemented DHS concurred with this recommendation. Customs and Border Protection issued its requirements development directive in December 2019.
Department of Homeland Security	The Secretary of DHS should ensure that the Commissioner of Customs and Border Protection through the Executive Assistant Commissioner for Operations Support updates the 2013 workforce assessment to account for the independent requirements organization's current workforce needs. (Recommendation 2)	Closed – Implemented DHS concurred with this recommendation. Customs and Border Protection completed a workforce assessment for an independent requirements organization in August 2021.
Department of Homeland Security	The Secretary of DHS should ensure that the Commissioner of Customs and Border Protection through the Executive Assistant Commissioner for Operations Support establishes component specific training for requirements development. (Recommendation 3)	Closed – Implemented DHS concurred with this recommendation. As of August 2018, Customs and Border Protection has created its own requirements development training and started delivery of the courses to its workforce.
Department of Homeland Security	The Secretary of DHS should ensure that the Administrator of the Federal Emergency Management Agency establishes a policy for requirements development. (Recommendation 4)	Closed – Implemented DHS concurred with this recommendation. The Federal Emergency Management Agency established a requirements development directive in June 2022 that implements DHS's Joint Requirements Integration and Management System and formalizes the Federal Emergency Management Agency's requirements development process.
Department of Homeland Security	The Secretary of DHS should ensure that the Administrator of the Federal Emergency Management Agency establishes an independent requirements development organization within the Federal Emergency Management Agency. (Recommendation 5)	Closed – Implemented DHS concurred with this recommendation. The Federal Emergency Management Agency contracted with a Federally Funded Research and Development Center, an independent organization, in November 2018 to provide analytic support to develop requirements specifications and documentation.
Department of Homeland Security	The Secretary of DHS should ensure that the Administrator of the Federal Emergency Management Agency updates the 2016 workforce assessment to account for an independent requirements organization's workforce needs. (Recommendation 6)	Closed – Implemented In August 2018, GAO issued a report that examined the operational requirements development practices of seven of the Department of Homeland Security's (DHS) components. We recommended that the Secretary of DHS should ensure that the Administrator of the Federal Emergency Management Agency update the 2016 workforce assessment to account for an independent requirements organization's workforce needs. DHS concurred with our recommendation. The Federal Emergency Management Agency through the Homeland Security Operational Analysis Center completed a workforce needs assessment for an independent requirements organization in July 2020. With such an assessment, the Federal Emergency Management Agency can establish the workforce needed for requirements development, properly mitigate capability gaps, and meet mission and end user needs.
Department of Homeland Security	The Secretary of DHS should ensure that the Administrator of the Federal Emergency Management Agency establishes component specific training for requirements development. (Recommendation 7)	Closed – Implemented DHS concurred with this recommendation. As of November 2018, the Federal Emergency Management Agency has offered its own training for requirements development.
Department of Homeland Security	The Secretary of DHS should ensure that the Director of Immigration and Customs Enforcement establishes a policy for requirements development. (Recommendation 8)	Closed – Implemented DHS concurred with this recommendation. In August 2020, Immigration and Customs Enforcement issued the Operational Requirements Development and Governance directive to implement the recommendation.
Department of Homeland Security	The Secretary of DHS should ensure that the Director of Immigration and Customs Enforcement establishes the planned independent requirements development organization within Immigration and Customs Enforcement. (Recommendation 9)	Closed – Implemented DHS concurred with this recommendation. Immigration and Customs Enforcement established an independent requirements development organization within the Office of Policy and Planning in September 2020.
Department of Homeland Security	The Secretary of DHS should ensure that the Director of Immigration and Customs Enforcement conducts a workforce assessment to account for an independent requirements organization's workforce needs. (Recommendation 10)	Closed – Implemented DHS concurred with this recommendation. Immigration and Customs Enforcement completed a workforce assessment to account for the needs of an independent requirements organization in February 2021.
Department of Homeland Security	The Secretary of DHS should ensure that the Director of Immigration and Customs Enforcement establishes component specific training for requirements development. (Recommendation 11)	Closed – Implemented DHS concurred with this recommendation. Immigration and Customs Enforcement issued a component specific desk reference guide on requirements development in June 2021 to supplement DHS requirements training.
Department of Homeland Security	The Secretary of DHS should ensure that the Under Secretary of Homeland Security for the National Protection and Programs Directorate finalizes and promulgates the National Protection and Programs Directorate's draft policy for requirements development. (Recommendation 12)	Closed – Implemented DHS concurred with this recommendation. The National Protection and Programs Directorate changed its name to the Cybersecurity and Infrastructure Security Agency in January 2018. The Cybersecurity and Infrastructure Security Agency issued an agency-wide integrated planning directive in January 2021 that includes a requirements development policy. With the policy in place, the Cybersecurity and Infrastructure Security Agency can establish the base of knowledge needed for requirements development, properly mitigate capability gaps, and meet mission and end user needs.
Department of Homeland Security	The Secretary of DHS should ensure that the Under Secretary of Homeland Security for the National Protection and Programs Directorate establishes the planned independent requirements development organization within the National Protection and Programs Directorate. (Recommendation 13)	Closed – Implemented DHS concurred with this recommendation. The National Protection and Programs Directorate changed its name to the Cybersecurity and Infrastructure Security Agency in January 2018. The Cybersecurity and Infrastructure Security Agency established an independent requirements development organization as of February 2022. An independent requirements organization ensures requirements are traceable to strategic objectives, and recommended courses of action to address capability gaps are cost informed and assessed for feasibility.
Department of Homeland Security	The Secretary of DHS should ensure that the Under Secretary of Homeland Security for the National Protection and Programs Directorate conducts a workforce assessment to account for an independent requirements organization's workforce needs. (Recommendation 14)	Closed – Implemented DHS concurred with this recommendation. In 2018, the National Protection and Programs Directorate changed its name to the Cybersecurity and Infrastructure Security Agency. The Cybersecurity and Infrastructure Security Agency completed its workforce assessment for an independent requirements organization in August 2023. With such an assessment, the Cybersecurity and Infrastructure Security Agency can establish the workforce needed for requirements development, properly mitigate capability gaps, and meet mission and end user needs.
Department of Homeland Security	The Secretary of DHS should ensure that the Under Secretary of Homeland Security for the National Protection and Programs Directorate establishes component specific training for requirements development. (Recommendation 15)	Closed – Implemented DHS concurred with this recommendation. In January 2018, the National Protection and Programs Directorate changed its name to the Cybersecurity and Infrastructure Security Agency. As of August 2019, the Cybersecurity and Infrastructure Security Agency has offered its own training for requirements development.
Department of Homeland Security	The Secretary of DHS should ensure that the Administrator of the Transportation Security Administration through the Executive Assistant Administrator of Operations Support finalizes and promulgates the Transportation Security Administration's draft policy for requirements development. (Recommendation 16)	Closed – Implemented DHS concurred with this recommendation. In September 2019, the Transportation Security Administration issued documented guidance on requirements development to implement the recommendation.
Department of Homeland Security	The Secretary of DHS should ensure that the Administrator of the Transportation Security Administration through the Executive Assistant Administrator of Operations Support conducts a workforce assessment to account for an independent requirements organization's workforce needs. (Recommendation 17)	Closed – Implemented DHS concurred with this recommendation. The Transportation Security Administration completed a workforce needs assessment for its independent requirements organization in April 2020.
Department of Homeland Security	The Secretary of DHS should ensure that the Administrator of the Transportation Security Administration through the Executive Assistant Administrator of Operations Support establishes component specific training for requirements development. (Recommendation 18)	Closed – Implemented DHS concurred with this recommendation. As of July 2019, the Transportation Security Administration has offered its own training for requirements development.
Department of Homeland Security	The Secretary of DHS should ensure that the Commandant of the U.S. Coast Guard through the Assistant Commandant for Capability conducts a workforce assessment of the U.S. Coast Guard's capabilities directorate. (Recommendation 19)	Closed – Implemented DHS concurred with this recommendation. The U.S. Coast Guard completed a requirements workforce assessment of the capabilities directorate in November 2019.
Department of Homeland Security	The Secretary of DHS should ensure that the Director of the U.S. Citizenship and Immigration Services finalizes and promulgates the U.S. Citizenship and Immigration Services's draft policy for requirements development. (Recommendation 20)	Closed – Implemented DHS concurred with this recommendation. On May 29, 2019, the U.S. Citizenship and Immigration Services issued a management directive, MD 107-001, that established a policy for requirements development.
Department of Homeland Security	The Secretary of DHS should ensure that the Director of the U.S. Citizenship and Immigration Services establishes the planned independent requirements development organization within U.S. Citizenship and Immigration Services. (Recommendation 21)	Closed – Implemented DHS concurred with our recommendation. U.S. Citizenship and Immigration Services established an independent requirements development organization that is separate from the acquisitions function in September 2023. An independent requirements organization ensures requirements and recommended courses of action to address capability gaps are traceable to the agency's strategic goals.
Department of Homeland Security	The Secretary of DHS should ensure that the Director of the U.S. Citizenship and Immigration Services conducts a workforce assessment to account for an independent requirements organization's workforce needs. (Recommendation 22)	Closed – Implemented DHS concurred with this recommendation. U.S. Citizenship and Immigration Services completed a workforce needs assessment for an independent requirements organization in December 2019.
Department of Homeland Security	The Secretary of DHS should ensure that the Director of the U.S. Citizenship and Immigration Services establishes component specific training for requirements development. (Recommendation 23)	Closed – Implemented DHS concurred with this recommendation. As of December 2019, U.S. Citizenship and Immigration Services has created its own requirements development training and started delivery of the courses to its workforce.
Department of Homeland Security	The Secretary of DHS should ensure that the Joint Requirements Council collaborate with components on their requirements development policies and, in partnership with the Under Secretary for Management, provide oversight to promote consistency across the components. (Recommendation 24)	Closed – Implemented DHS concurred with this recommendation. In April 2020, DHS issued a policy directive that, among other actions, requires components' requirements development policies to be consistent with agency-level policy. In addition, components' policies must be shared with the Joint Requirements Council to further ensure alignment with DHS requirements development policy.
Department of Homeland Security	The Secretary of DHS should ensure that training for requirements development is consistent by establishing training and certification standards for DHS and the components' requirements development workforces. (Recommendation 25)	Closed – Implemented DHS concurred with this recommendation. In May 2019, DHS established training standards for the requirements development workforce.

See All 25 Recommendations

Full Report

Highlights Page (1 page)

Full Report (52 pages)

Accessible PDF (66 pages)

GAO Contacts

Marie A. Mak

Director

makm@gao.gov

(202) 512-4841

Office of Public Affairs

Chuck Young

Managing Director

youngc1@gao.gov

(202) 512-4800

Topics

Homeland Security

Acquisition programsBest practicesHomeland securityOperational requirementsPolicies and proceduresRequirements definitionWorkforce needsWorkforce planningBorder controlLabor force