Highlights

What GAO Found

The Department of Homeland Security (DHS) has fully implemented 28 of the 31 selected Federal Information Technology (IT) Acquisition Reform Act (FITARA) action plans; however, as of December 2016, DHS did not fulfill all aspects of 3 action plans. For example, one action plan is to use an updated process for reviewing troubled programs to provide support to such programs; however, DHS has not finalized its policy for this process. Until DHS ensures that these 3 plans are implemented, it will lack assurance that it is fulfilling FITARA's goals.

DHS faces challenges in implementing certain FITARA provisions:

Chief Information Officer (CIO) approval of contracts and agreements. FITARA requires, among other things, the agency CIO to review and approve IT contracts and agreements associated with major investments (e.g., high cost) prior to award. However, the CIO did not participate in the approval of any of the 48 contracts in GAO's sample associated with major investments. While DHS has made improvements to its review process, until the Office of the CIO determines how to increase its review of contracts and agreements, the CIO will continue to have limited visibility into planned IT expenditures.

CIO evaluation of risk. DHS's Office of the CIO was conducting risk evaluations of major IT investments and updating the ratings on the Office of Management and Budget's (OMB) public website known as the IT Dashboard, as required by FITARA. However, in October 2016, DHS changed its process for evaluating 30 of DHS's 93 major IT investments and, as a result, the CIO is no longer primarily responsible for the evaluations or associated risk ratings that are publicly reported for these investments. Instead, multiple DHS organizations and officials are to evaluate these investments and the CIO's assessment only accounts for about 18 percent of the total score. Further, while under the old process, DHS's CIO was responsible for assessing these 30 investments against criteria that OMB guidance stated CIOs may use, under the new process, the CIO is only to assess these investments against one of OMB's criteria (see table below). This process change challenges the CIO's ability to publicly report risk ratings.

Change in Responsibility for Conducting Chief Information Officer (CIO) Risk Evaluations that Are Reported to the Information Technology (IT) Dashboard for 30 Major IT Investments

| Office of Management and Budget evaluation criteria | Primary office responsible under old process | Primary organization or official responsible under new process |
|---|---|---|
| Risk management | CIO | Program Accountability and Risk Management, CIO, Chief Financial Officer, and Director of Test and Evaluation |
| Requirements management | CIO | Joint Requirements Council; Office of Systems Engineering; Director of Test and Evaluation |
| Contractor oversight | CIO | Chief Procurement Officer |
| Historical performance | CIO | Not assessed by DHS under new process |
| Human capital | CIO | Program Accountability and Risk Management |
| Other factors | CIO | CIO and any organization or official responsible for assessing any other factor in the evaluation |

Source: GAO analysis of DHS documentation. | GAO-17-284.

Until DHS addresses these challenges, the goal of FITARA to elevate the role of the department CIO in acquisition management will not be fully realized.

Why GAO Did This Study

In 2014, Congress enacted IT reform legislation, referred to as FITARA, which includes provisions related to seven areas of IT acquisition management. In 2015, OMB released FITARA implementation guidance that outlined agency CIO responsibilities and required agencies to develop action plans for implementing the guidance.

This report examines, among other things, the extent to which DHS has implemented selected action plans and the key challenges that DHS has faced in implementing selected FITARA provisions.

To do so, GAO analyzed DHS's efforts to implement a sample of 31 of 109 action plans that DHS had reported as complete and that described later-stage implementation steps. To determine challenges, GAO analyzed and compared DHS documentation, including a random sample of IT-related contracts and agreements, to selected FITARA provisions to identify gaps between what was required by FITARA and what DHS had implemented. These provisions required, among other things, significant coordination between DHS headquarters and five components.


Recommendations

GAO is making 7 recommendations to DHS to ensure that it fully and effectively implements FITARA. Among other things, GAO recommends that DHS fully implement the action plans and address challenges related to CIO contract approval and evaluation of risk. DHS concurred with all 7 recommendations and provided estimated completion dates for implementing each of them.

Recommendations for Executive Action

Agency Affected: Department of Homeland Security
Recommendation 1: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to finalize the department's TechStat policy.
Status: Closed - Implemented
In May 2017, the Acting Under Secretary for Management signed and finalized the department's policy on TechStat sessions, which are face-to-face, evidence-based reviews that are intended to provide support to failing or troubled information technology (IT) programs. As a result, the department is better positioned to consistently provide needed support to troubled IT programs.

Agency Affected: Department of Homeland Security
Recommendation 2: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to update the department's IT Acquisition Review governance process to increase the number of contracts and agreements (associated with both major and non-major investments) that are reviewed by the CIO and appropriate delegates.
Status: Closed - Implemented
DHS updated its Homeland Security Acquisition Manual, as well as its guidance for its IT acquisition review process, to require that IT acquisitions that (1) have total estimated procurement values of $500,000 or more and (2) are associated with a major investment, be submitted to the DHS CIO for review. These updates have increased the number of IT contracts and agreements that are to be reviewed by the CIO. As a result, the DHS CIO should have increased visibility into the department's planned IT expenditures and should have critical data necessary to make investment decisions.

Agency Affected: Department of Homeland Security
Recommendation 3: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the specific staff or positions currently within the department's IT acquisition cadre; and (2) assessing whether these staff and positions address all of the specialized skills and knowledge needed, as outlined in OMB's Office of Federal Procurement Policy's guidance for developing an IT acquisition cadre.
Status: Closed - Implemented
In February 2019, the department completed an assessment that included identifying the specific staff currently within the department's IT acquisition cadre, and determined whether these staff have all of the specialized skills and knowledge needed for their positions. In addition, the department identified certain skills gaps that exist. For example, the department determined that it has gaps related to technical competencies, such as project management and cost-benefit analyses. By completing this assessment and identifying its skills gaps, DHS is better positioned to address these gaps and ensure that its staff have the specialized skills and knowledge needed.

Agency Affected: Department of Homeland Security
Recommendation 4: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.
Status: Open
In 2018 and 2019, the DHS Office of the Chief Information Officer implemented a Strategic Workforce Planning initiative that included (1) identifying the department's future IT skillset needs, and (2) conducting a skills gap analysis related to these needs. The department is currently working to resolve the skills gaps identified during the initiative. We will continue to monitor and evaluate the Department's efforts to resolve these skills gaps.

Agency Affected: Department of Homeland Security
Recommendation 5: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.
Status: Open
In response to our recommendation, DHS updated its agile development policy to specify that the DHS CIO is responsible for certifying investments' incremental development activities, which is consistent with the Department's Acquisition Management Instruction. However, DHS has not yet updated its Systems Engineering Life Cycle Instruction and Guidebook to be consistent in specifying that this certification is the responsibility of the DHS CIO. We will continue to monitor the Department's progress in implementing this recommendation.

Agency Affected: Department of Homeland Security
Recommendation 6: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).
Status: Open
In response to our recommendation, Customs and Border Protection implemented a process to track the IT investments associated with each contract and agreement. The U.S. Coast Guard also implemented a process to track the IT investments associated with its contracts; however, it has not yet demonstrated that it has implemented such a process for tracking the IT investments associated with its agreements. Further, DHS headquarters is still working to establish a process for tracking the IT investments associated with its contracts and agreements. We will continue to monitor and evaluate the Department's progress in implementing this recommendation.

Agency Affected: Department of Homeland Security
Recommendation 7: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.
Status: Open
DHS concurred with our recommendation. In May 2020, DHS officials stated that the Office of the CIO began piloting a new program health assessment process in the second quarter of fiscal year 2020, and DHS intends to report the program ratings resulting from that process to the IT Dashboard. We will continue to monitor and evaluate the Department's efforts to implement this new process.
