Homeland Security: DHS Needs to Fully Implement Key Practices in Acquiring Biometric Identity Management System

GAO-21-386 Published: Jun 08, 2021. Publicly Released: Jun 08, 2021.
Fast Facts

The Department of Homeland Security started working on replacing its outdated biometric identity management system (fingerprint matching and facial recognition) in 2016. The new system is 3 years behind schedule due to technical and other challenges.

DHS modified a major contract and took more steps to address the challenges. But when we compared the program to 14 IT acquisition best practices, officials had only fully implemented 7 of them.

For example, officials didn't fully review the contractor's work products—making it harder to ensure that all requested changes were made.

We recommended fully implementing the best practices, and more.

[Image: Four individuals identified through facial recognition technology]

Highlights

What GAO Found

The Department of Homeland Security (DHS) initially expected to implement the entire Homeland Advanced Recognition Technology (HART) by 2021; however, no segments of the program have been deployed to date. Currently estimated to cost $4.3 billion in total, DHS plans to deploy increment 1 of the program in December 2021 and expects to implement later increments in 2022 and 2024. Increment 1 is expected to replace the functionality of the existing system.

Although the multi-billion dollar HART program had suffered continuing delays, until the end of last year, the DHS Chief Information Officer (CIO) had reported the program as low risk on the IT Dashboard, a website showing, among other things, the performance and risks of agency information technology (IT) investments. In May 2020, the Office of the CIO began developing a new assessment process which led to the CIO accurately elevating HART's rating from low to high risk and reporting this rating to the IT Dashboard in November 2020. In addition, consistent with OMB guidance, the CIO fulfilled applicable oversight requirements for high-risk IT programs by, among other things, conducting a review of the program known as a TechStat review. While the CIO complied with applicable oversight requirements in conducting the TechStat review, GAO noted that DHS's associated policy was outdated. Specifically, the 2017 policy does not reflect the revised process DHS started using in 2020. As such, until the guidance is updated, other departmental IT programs deemed high risk would likely not be readily aware of the specific process requirements.

Concurrent with the CIO's actions to conduct oversight, HART program management has also acted to implement important risk management practices. Specifically, GAO found that HART had fully implemented four of seven risk management best practices and partially implemented the remaining three (see table). For example, as of February 2021, the program had identified 49 active risks, including 15 related to cost and schedule and 17 related to technical issues. While DHS has plans under way to fully implement two of the partially implemented practices, until it fully implements the remaining practice its efforts to effectively monitor the status of risks and mitigation plans may be hampered.

Summary of the Homeland Advanced Recognition Technology Program's Implementation of the Seven Risk Management Practices

Practice | GAO assessment
1. Determine risk sources and categories
2. Define parameters to analyze and categorize risks
3. Establish and maintain a risk management strategy
4. Identify and document risks
5. Evaluate and categorize each identified risk using defined risk categories and parameters, and determine its relative priority
6. Develop a risk mitigation plan in accordance with the risk management strategy
7. Monitor the status of each risk periodically and implement the risk mitigation plan as appropriate

Legend: ● = Fully implemented ◑ = Partially implemented ○ = Not implemented Source: GAO analysis of agency data. | GAO-21-386

Why GAO Did This Study

DHS currently uses an outdated system, implemented over 27 years ago, for providing biometric identity management services (i.e., fingerprint matching and facial recognition technology services), known as the Automated Biometric Identification System, or IDENT. In 2016, DHS initiated a multi-billion dollar program known as HART, which is intended to replace the existing system.

GAO was asked to evaluate the HART program. Its specific objectives, among others, were to (1) determine the status of the program, (2) assess the extent to which the DHS CIO was accurately reporting risk and meeting applicable oversight requirements, and (3) assess the extent to which the program was identifying and managing its risks.

To accomplish these objectives, GAO identified the program's schedule and cost estimates, assessed the CIO's risk ratings and HART oversight documentation and related evidence against OMB guidance, and compared the program's risk management practices to best practices that are essential to identifying and mitigating potential problems. In addition, GAO interviewed appropriate officials.

Recommendations

GAO is making seven recommendations, including that DHS update its policy to reflect the current IT program assessment process, and fully implement the risk management best practice related to monitoring the status of risks and mitigation plans. DHS concurred with all of the recommendations and provided estimated dates for implementing them.

Recommendations for Executive Action

Agency Affected | Recommendation | Status
Agency affected: Department of Homeland Security
Priority recommendation
Recommendation: The Secretary of DHS should direct the Chief Information Officer to update existing policy to reflect the processes that should be used to address each of the TechStat requirements. (Recommendation 1)
Status: Closed – Implemented
In response to our recommendation, DHS's Office of the Chief Information Officer finalized an updated TechStat process guide in June 2022. The process guide describes specific activities and methods for meeting the five TechStat review requirements. For example, with regard to the requirement for establishing a root cause analysis of performance issues, the process guide includes suggested document requests, questions, and key areas of analysis that can guide the determination of root causes. By taking these actions to specify activities that address TechStat review requirements, other departmental IT programs that are deemed high risk will be more readily aware of specific process requirements that should be taken when undergoing a TechStat review.

Agency affected: Department of Homeland Security
Recommendation: The Secretary of DHS should direct the OBIM Director to ensure that the HART program keeps records of its discussions related to risk mitigation, including the resources needed for risk handling activities. (Recommendation 2)
Status: Closed – Implemented
In response to our recommendation, in August 2021, OBIM updated its HART risk management plan to require the program to record meeting minutes of its risk related discussions. As a result, in August 2021, the HART program office began documenting and maintaining records of discussions related to risk mitigation. In addition, since August 2021, the HART meeting minutes have included examples of when resources were required for risk handling activities. By documenting the actions and decisions discussed during these meetings, the HART program can now rely on these minutes for future reference and they can serve as a resource for program officials that were unable to attend the meetings. Further, by keeping records of resources needed for risk handling activities, the program is better positioned to provide the necessary resources to successfully execute these mitigation plans.

Agency affected: Department of Homeland Security
Recommendation: The Secretary of DHS should direct the OBIM Director to ensure that the HART program's risk owners maintain accurate and current status updates for each risk mitigation plan in the risk register. (Recommendation 3)
Status: Closed – Implemented
In response to our recommendation, OBIM updated the HART Risk Management Plan in August 2021 to include a process for ensuring that HART risk mitigation plans are accurate and current. Specifically, the HART Risk Management plan calls for setting aside time each month to review the status of HART risks and progress toward their response plans. The plan clarifies that risk owners are responsible for updating risks at a frequency based on their priority level (e.g. every 30 days for high-priority risks). Further, OBIM officials have been meeting regularly to review risks. In addition, OBIM's risk mitigation reports provided in June 2022 and September 2022 demonstrated that risk mitigation actions are being kept up to date. By taking these steps to ensure that HART program risk owners maintain accurate and current status updates, program management officials are better positioned to make key decisions based on a complete picture of the risks facing the program.

Agency affected: Department of Homeland Security
Recommendation: The Secretary of DHS should direct the OBIM Director to ensure that the HART program office fully reviews and approves or rejects contractor deliverables prior to working on the next system release. (Recommendation 4)
Status: Open
OBIM and the HART program office have not yet demonstrated that they have fully reviewed and approved or rejected contractor deliverables. OBIM officials stated that they expected to assess the final versions of the HART Increment 1 contract deliverables during a major milestone review that occurred in July 2022. Once we obtain these contractor deliverables, we will determine if OBIM and the HART program office have appropriately approved or rejected these deliverables.

Agency affected: Department of Homeland Security
Priority recommendation
Recommendation: The Secretary of DHS should direct the OBIM Director to ensure that, moving forward, the HART program tracks and monitors all of its costs, including government labor costs. (Recommendation 5)
Status: Open – Partially Addressed
OBIM demonstrated that it is including government labor costs in the HART program's 2022 Life Cycle Cost Estimate. However, OBIM has not yet demonstrated that it is tracking and monitoring HART-specific government labor costs on an ongoing basis. OBIM plans to incorporate actual costs from fiscal year 2022 in its HART Life Cycle Cost Estimate in 2023. We will assess this documentation once it is available.

Agency affected: Department of Homeland Security
Recommendation: The Secretary of DHS should direct the OBIM Director to ensure that the HART program defines the extent to which it should be interacting with each of its stakeholders throughout the acquisition process, and, once established, monitors stakeholder involvement against that defined level of involvement. (Recommendation 6)
Status: Open – Partially Addressed
OBIM demonstrated that it had monitored stakeholder involvement for the Executive Stakeholder Board and the Executive Steering Committee. However, OBIM has not yet provided evidence that it has fully defined the extent to which it should be interacting with all of its stakeholders. In particular, OBIM has not defined how often the HART program should interact with two stakeholders that are identified in its stakeholder register. As such, we will continue to monitor this recommendation to see that OBIM and the HART program office have fully defined the extent of stakeholder interaction and are monitoring against it.

Agency affected: Department of Homeland Security
Priority recommendation
Recommendation: The Secretary of DHS should direct the OBIM Director to ensure that the HART program establishes and maintains a process to ensure bidirectional traceability of its requirements in future development. (Recommendation 7)
Status: Closed – Implemented
In response to our recommendation, OBIM established and documented a process to help ensure bidirectional traceability of its requirements. This includes using a program support tool to link lower-level requirements to higher-level requirements and holding regular meetings to review traceability. OBIM also provided March 2022 and January 2023 reports that demonstrated the office has implemented this process and was maintaining improved bidirectional traceability for HART requirements. As a result, the HART program is better positioned to develop a system that meets its partner agencies' needs.
