[House Hearing, 113 Congress]
[From the U.S. Government Printing Office]
DHS INFORMATION TECHNOLOGY: HOW EFFECTIVELY HAS DHS HARNESSED IT TO
SECURE OUR BORDERS AND UPHOLD IMMIGRATION LAWS?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON OVERSIGHT
AND MANAGEMENT EFFICIENCY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
MARCH 19, 2013
__________
Serial No. 113-7
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
82-581 WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Paul C. Broun, Georgia Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice Brian Higgins, New York
Chair Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania William R. Keating, Massachusetts
Jeff Duncan, South Carolina Ron Barber, Arizona
Tom Marino, Pennsylvania Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania Filemon Vela, Texas
Chris Stewart, Utah Steven A. Horsford, Nevada
Keith J. Rothfus, Pennsylvania Eric Swalwell, California
Richard Hudson, North Carolina
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Greg Hill, Chief of Staff
Michael Geffroy, Deputy Chief of Staff/Chief Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON OVERSIGHT AND MANAGEMENT EFFICIENCY
Jeff Duncan, South Carolina, Chairman
Paul C. Broun, Georgia Ron Barber, Arizona
Keith J. Rothfus, Pennsylvania Donald M. Payne, Jr., New Jersey
Richard Hudson, North Carolina Beto O'Rourke, Texas
Steve Daines, Montana Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (Ex (Ex Officio)
Officio)
Ryan Consaul, Staff Director
Deborah Jordan, Subcommittee Clerk
Tamla Scott, Minority Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable Jeff Duncan, a Representative in Congress From the
State of South Carolina, and Chairman, Subcommittee on
Oversight and Management Efficiency............................ 1
The Honorable Ron Barber, a Representative in Congress From the
State of Arizona, and Ranking Member, Subcommittee on Oversight
and Management Efficiency...................................... 3
Witnesses
Ms. Margaret H. Graves, Deputy Chief Information Officer, U.S.
Department of Homeland Security:
Oral Statement................................................. 6
Prepared Statement............................................. 7
Mr. David A. Powner, Director, Information Technology Management
Issues, Government Accountability Office:
Oral Statement................................................. 14
Prepared Statement............................................. 16
Mr. Charles K. Edwards, Deputy Inspector General, U.S. Department
of Homeland Security:
Oral Statement................................................. 23
Prepared Statement............................................. 24
Appendix
Questions From Chairman Jeff Duncan for Margaret H. Graves....... 39
Question From Honorable Richard Hudson for Margaret H. Graves.... 39
Question From Honorable Beto O'Rourke for Margaret H. Graves..... 39
Questions From Chairman Jeff Duncan for David A. Powner.......... 39
Question From Honorable Richard Hudson for David A. Powner....... 40
Questions From Chairman Jeff Duncan for Charles K. Edwards....... 40
DHS INFORMATION TECHNOLOGY: HOW EFFECTIVELY HAS DHS HARNESSED IT TO
SECURE OUR BORDERS AND UPHOLD IMMIGRATION LAWS?
----------
Tuesday, March 19, 2013
U.S. House of Representatives,
Subcommittee on Oversight and Management
Efficiency,
Committee on Homeland Security,
Washington, DC.
The subcommittee met, pursuant to call, at 2:00 p.m., in
Room 311, Cannon House Office Building, Hon. Jeff Duncan
[Chairman of the subcommittee] presiding.
Present: Representatives Duncan, McCaul, Broun, Rothfus,
Hudson, Daines, Barber, Thompson, Payne, and O'Rourke.
Mr. Duncan. The Committee on Homeland Security Subcommittee
on Oversight and Management Efficiency will come to order. The
purpose of this hearing is to closely examine the Department's
critical information technology systems and their daily
operations protecting the Nation's borders, preventing
terrorists from entering the United States, and facilitating
the legitimate flow of people and trade.
Before I begin my opening statement I would like to express
the subcommittee's frustration with the DHS over not providing
its written testimony on time. This is unfair to the Members
and other witnesses. We expect the Department to provide their
written statement in accordance with the committee rules moving
forward.
I and other subcommittee Members are also disappointed that
DHS's chief information officer, Mr. Richard Spires, was unable
to testify today on these important issues. Mr. Spires has been
outspoken in improving IT within DHS and ensuring transparency
and meaningful oversight. We look forward to hearing from him
on these issues at a future date.
Now I recognize myself for an opening statement. Before I
do, I will mention that we do have votes at 2:15, so we are
going to try to get through as much as we can before Members
are required to leave.
The component agencies that make up the Department of
Homeland Security rely heavily on information technology, or
IT, to perform a wide range of missions. IT is especially
important with regard to border security and immigration
enforcement.
With one of the Federal Government's largest information
technology budgets, DHS's component agencies such as Customs
and Border Protection, Immigration and Customs Enforcement, and
U.S. Citizenship and Immigration Services rely on critical IT
systems and their daily operations to protect the Nation's
borders and prevent terrorists from entering the United States,
and facilitate the legitimate flow of people and trade into and
out of our country.
Having been down on the border at our ports of entry, I
recognize the integral role IT infrastructure plays in the
ability of ICE and CBP agents to carry out their missions. In
fiscal year 2012 the Department of Homeland Security planned to
spend nearly $5.6 billion in IT investments, $1.7 billion of
which is for programs the Department considers to be major
investments in CBP, ICE, and USCIS.
A few of the examples of these mission-critical programs
related to border security and immigration enforcement include
CBP's automated commercial environment and international trade
data system, which will replace existing technology and
increase efficiencies by serving as a central data collection
system for Federal agencies needing access to international
trade data in a secure, paper-free Web environment.
Similarly, both CBP and ICE are working on the respective
portions of the Traveler Enforcement Compliance System, or TECS
Modernization program, which will be an important upgrade to a
legacy system developed in the 1980s by the U.S. Customs
Service to support inspections and investigations. A similar
effort is ICE's Detention and Removal Operations Modernization,
which will significantly upgrade IT capabilities to support the
efficient detention and removal of aliens who are in the
custody of ICE.
Given the size of the Department's investment in IT,
effective management and oversight of IT programs and
expenditures is critical to ensure DHS is using taxpayer money
efficiently and holding programs accountable for agreed-upon
deliverables. Despite some successes by the Department and data
center in network consolidation, as well as cloud-based service
offerings and establishing IT centers of excellence, GAO and
DHS Inspector General have identified numerous cases where the
Department has yet to reduce cost and duplication through
technology-based integration and modernization.
GAO reported in September 2012 that DHS's 68 major IT
investments, roughly one-third, had not fully met their cost or
scheduled targets. These delays can mean border agents will
have to make due with legacy IT systems for longer periods.
Similarly, the DHS Office of Inspector General has identified
information technology management as a major challenge facing
the Department, including attempts to create a unified
information technology infrastructure for effective integration
and agency-wide management of information technology assets and
programs.
At the component level, the DHS Inspector General
identified aging IT infrastructure, interoperability, and
functionality at the CBP as specific challenges creating an
environment difficult to support CBP's responsibility to secure
the border. For instance, the IG reported that in some
instances Border Patrol staff cannot communicate seamlessly
from analog to digital platforms with Federal, State, and local
partners in all sections of the country.
I personally find it alarming that after a decade after the
Department was stood up and billions of dollars poured into
securing our borders, preventing another September 11, that CBP
staff in one location might not be able to reliably share
information not only with local law enforcement officers, but
also with other agencies within the DHS apparatus.
Similarly, a November 2011 DHS IG report details struggles
by USCIS to transform its fragmented paper-based business
process to a flexible, efficient, and electronic adjudication
service. However, this transformation has yet to be fully
implemented because of delays in strategy and system
requirements, which ended up costing American taxpayers
hundreds of millions of dollars. As a result, USCIS missed an
opportunity to process immigration benefits more efficiently,
combat identify fraud, and share critical information necessary
to quickly identify criminals and possible terrorists.
I am happy to welcome our witnesses to the hearing today
and look forward to hearing about the steps taken by the
Department to develop an agile approach to IG development at
these critical agencies and progress in eliminating
duplication, consolidating existing technology, and improving
the overall management of those IT projects of CBP, ICE, and
USCIS, which will enhance DHS's mission of securing the border
while upholding immigration laws.
It is absolutely critical that in a time of financial belt-
tightening, particularly as the Congress begins to look at
addressing the issue of comprehensive immigration reform, the
DHS be able to meet IT investments and capabilities on time and
on budget without posing a risk to the Department's ability to
fulfill its mission of securing homeland.
I will just note that the total cost for the IT systems was
projected at--I am turning to the number here, $5.6 billion.
The complete St. Elizabeths site that we visited last Friday is
budgeted at $4 billion. So, the IT systems is a billion--a
little over a billion and a half more than the complete St.
Elizabeths site. That is alarming to me at the cost. So I
wanted to bring that up.
The Chairman will now recognize the Ranking Minority Member
of the subcommittee, the gentleman from Arizona, Mr. Barber,
for any opening statement he may have.
Mr. Barber. Well, thank you, Mr. Chairman.
Thank you to the witnesses for being with us today.
Each year the Department of Homeland Security spends
approximately 15 percent of its total budget on information
technology systems. As the Chairman noted, in 2012 this was
approximately $6 billion. Given the significance of this
investment, it is critical that we are holding this hearing
today in an effort to carry out our oversight functions and
responsibilities for these very costly systems.
While the GAO and the Department of Homeland Security
Officer of the Inspector General have generally found that most
of the major IT investments by the Department are sound and are
providing DHS the necessary tools to carry out its mission, it
is clear that several IT projects are not going as promised.
This is especially true of the technologies that have been used
or attempted to be used to secure the border.
In my home district in southern Arizona, I have seen first-
hand the extreme waste of taxpayer money on programs like
SBInet, a program that was designed without input from the
people on the ground who know what is best in that community in
that area. It seemed promising at the time. Yet at the ultimate
cost of over $1.5 billion there has been little or no return on
our investment. To my dismay, I would have to say the SBI
successor, according to the GAO, the Arizona Border Technology
Plan, appears to face similar challenges as SBInet and looks
like it might be more of the same.
These are two examples that show that the Department must
do more to improve its IT structure, governance, and the manner
in which it develops IT systems. Hopefully recent changes to
how IT decisions are made at the Department and managed will
yield better results and budgetary savings, especially as it
relates to border security.
Twenty-four hours a day, 365 days a year, as you know, the
men and women of the Customs and Border Patrol and Immigration
and Customs Enforcement put their lives on the line in very
rugged environments to secure our borders and to prevent
illegal trafficking and smuggling from across the line. If
there are technology-based solutions that can help them fulfill
their mission, it is essential that the Department and Congress
provide them with those resources.
However, we must ensure that the technology we deploy is
proven, is cost-effective, trustworthy, and meets the needs of
those on the front line. I will repeat that when the
implemented SBInet contract specifically prohibited the
contractor from talking to agents on the ground, that can't
happen again.
We must ask the end-user, No. 1, is this technology that is
needed? No. 2, is this technology that would actually work in a
border environment? When developing new IT systems I encourage
the Department to utilize the services of its own Science and
Technology Directorate in addition to leveraging the skills and
knowledge that can be found in our Nation's universities.
In 2008 the University of Arizona became the co-lead of a
research university team that have partnered to form the Center
for Excellence of Border Security and Immigration. This
partnership has yielded numerous successful endeavors that can
stem the flow of drugs across the Southwest Border, aiding and
protecting deception and malicious intent by those seeking to
enter the United States and improve the effectiveness of our
checkpoints.
As we seek to improve and harness new border-related IT
systems, I urge the Department to continue to utilize the
University of Arizona Center of Excellence and also engage
ranchers and those living along the border and the working
agents who work the border for first-hand information accounts
of what works and what doesn't work.
I want to echo here the Chairman's comments about
telecommunications. It became painfully clear to me in 2010
when I was district director to Congresswoman Giffords that we
have a long way to go to ensure that the agents can communicate
with each other and other law enforcement departments. The
death of Rob Prince during that time was an example of how poor
the telecommunications is, and I fear they may be not much
better today.
I will encourage the Department to engage with Boeing and
others who have worked on projects to secure the border in what
has worked and what has not. In closing, let me just say this:
That while the use of technology to secure our border is needed
and a sign of the times, nothing can replace actual boots on
the ground.
You know I am very concerned, even though it is not the
subject of our hearing today, that as a result of the budget
sequestration issue we are now going to see less overtime, less
time on the job for Border Patrol agents, the people who
actually secure our border day-in and day-out. We have to make
sure that we do not allow the progress we have made to be
degraded by these budget cuts. As we evaluate technology on the
border, which comes at a high financial cost, I would caution
us to ensure that the Department is not exceeding IT cost
estimates at the risk of putting Border Patrol agents out of
work.
Thank you, Mr. Chairman. I yield back.
Mr. Duncan. Thank the Ranking Member. The other Members of
the subcommittee are reminded that opening statements may be
submitted for the record.
We are pleased to have a very distinguished panel of
witnesses before us today on this important topic. What I will
do is I will introduce each witness and then we will recognize
you.
The first witness is Ms. Margie Graves. She is the deputy
chief information officer for the Department of Homeland
Security. In this capacity, Ms. Graves oversees the
Department's IT portfolio of about $6 billion in IT programs.
Ms. Graves manages the operation of the Office of Chief
Information Officer, which covers functional areas of applied
technology enterprise, architecture, data management, IT,
security infrastructure, operations, IT accessibility, budget,
and acquisition. Prior to her selection as deputy CIO in 2008,
Ms. Graves held numerous senior IT positions in the Department.
Ms. Graves also has 20 years' experience in the management
consulting industry.
Mr. David Powner--am I pronouncing that right, Powner?
Okay--is the director of information technology, IT management
issues at the Government Accountability Office or GAO. At GAO,
Mr. Powner's work focuses on system development and
acquisition, IT governance, IT reform initiatives and major IT
modernization efforts. He also has led work on cyber critical
infrastructure protection. During his time in the private
sector, Mr. Powner held several executive-level positions in
the telecommunications industry.
Mr. Charles Edwards is the deputy inspector general of the
Department of Homeland Security. Mr. Edwards is the head of the
Office of Inspector General, a role he first obtained when
named acting inspector general in February 2011. Mr. Edwards
has over 20 years' experience in the Federal Government, and
has held leadership positions at several Federal agencies
including TSA, the United States Postal Service's Office of
Inspector General, and the United States Postal Service.
So, I thank all of you for being here today. The Chairman
will now recognize Ms. Graves to testify.
STATEMENT OF MARGARET H. GRAVES, DEPUTY CHIEF INFORMATION
OFFICER, U.S. DEPARTMENT OF HOMELAND SECURITY
Ms. Graves. Chairman Duncan, Ranking Member Barber, and
Members of the subcommittee, thank you, and good afternoon. As
deputy CIO at DHS I oversee an IT portfolio $5.4 billion in
programs and manage OCIO operations. This has given me valuable
insight and perspective to share with you on the efforts that
we are making at DHS to ensure effective delivery of IT
programs to support the missions of DHS.
When the DHS OCIO evaluates the health of an IT program we
focus primarily on three areas.
The first area is whether a program has correct management
structure and skilled and experienced individuals to fill key
program management roles. It is critical to ensure that every
large IT program has a qualified program manager or PMO, and
additional core positions based on its level of complexity. The
skills and experience of the staff and the PMO are the most
heavily-weighted criteria in how we evaluate our IT programs.
The second area is proper alignment of key stakeholders and
oversight to help address issues that may arise. Even the best
program manager will have challenges if the governance model
does not effectively support and provide guidance to the
program.
Within DHS we have implemented a three-tiered governance
structure. At the enterprise level we have a governance board
known as the Acquisitions Review Board or ARB, which
adjudicates major acquisitions decisions. In addition,
portfolio steering committees and executive steering
committees, or ESCs are chartered by the ARB and provide
program governance.
The third and final area is whether a program is leveraging
program, project, and technical best practices to minimize
program risk and therefore maximize its chance for success.
Within DHS we are implementing such a model under which we call
our acquisition and program management Centers of Excellence.
These Centers of Excellence provide a number of services to
programs, including sharing best practices and materials,
training programs and mentoring, and expert in subject matter
support.
DHS IT programs are now governed by these principles. As
examples I would like to highlight four of our programs.
First example is CBP's Automated Commercial Environment or
ACE, which is modernizing how CBP secures U.S. borders, speeds
the flow of legitimate shipments and targets illicit goods. In
2010 the program was placed on OMB's list of troubled Federal
IT projects.
Since that time the PMO addressed skill gaps and embedded
business expertise. The governance model has been strengthened,
and the program has worked closely with a number of COEs to
gain expertise. Strong program governance and organizational
changes, active stakeholder engagement and support, and
implementing agile development and sound funding strategies
have placed the program on the right course.
My second example is CBP's TECS Modernization which is a
key border enforcement system supporting the screening of
travelers entering the United States and the screening
requirements at other Federal agencies that use the information
for law enforcement and benefit purposes. TECS Mod, which is
modernized incrementally with five projects that focus on major
functional areas, and is on a schedule to be complete by the
end of fiscal year 2015.
The third program I would like to highlight is CIS's
Electronic Immigration System or ELIS. The program was put in
place to transition the agency from a fragmented, paper-based
operational environment to an integrated, paperless, electronic
environment. Unfortunately there were difficulties on the first
release.
But under the direction of the ARB we set up an ESC to
oversee the program, participate in test stat review in
conjunction with the Federal CIO, created a life-cycle cost
estimate and an integrated master schedule, and facilitated the
program's migration to DHS provided cloud services. Since then,
CIS successfully developed the technology architecture to
better support agile development and has delivered two
additional ELIS projection release, which should enable CIS to
stay within estimated cost and schedule.
The final program I would like to highlight is ICE's
Detention and Removal Operations Modernization or DROM. It was
initiated in late 2006 to improve the operational effectiveness
of enforcement and removal operations, or ERO, and to
strengthen the alignment of the ERO mission with the Secured
Border Initiative. Despite technical and operational
challenges, DROM is targeted to move into full sustainment by
fiscal year 2014, providing full operational capability while
coming in under budget.
At DHS we are working hard to mature our ability to deliver
new capabilities by improving the skills of our staff to manage
programs, effectively overseeing these programs and harnessing
the best practices in how we run those programs, ultimately
increasing our ability to support the homeland security
enterprise. Thank you. I am pleased to address your questions.
[The prepared statement of Ms. Graves follows:]
Prepared Statement of Margaret H. Graves
March 19, 2013
Chairman Duncan, Ranking Member Barber, and Members of the
subcommittee, thank you and good afternoon. Today I will discuss
efforts we are making at headquarters and across the components at the
Department of Homeland Security (DHS) to ensure effective delivery of
IT programs to support the missions of DHS. My experience in public-
sector large-scale IT organizations has given me unique insight in how
to effectively leverage IT to support the mission and business needs of
a large organization.
I will first describe what DHS is doing as an enterprise to support
delivery of mission capabilities, with particular emphasis on how we
are working to systemically improve our acquisition and program
management capabilities to ensure successful delivery of programs.
Second, I will highlight four major programs that support our border
security and immigration missions, namely the United States Custom and
Border Protection's (CBP) TECS Modernization, CBP's Automated
Commercial Environment (ACE), U.S. Citizenship and Immigration
Service's (USCIS) Transformation, and U.S. Immigration and Custom
Enforcement's (ICE) Detention and Removal Operations Modernization
(DROM).
improving dhs's ability to deliver successful it programs
When I evaluate the health of an IT program, I focus on three
areas: Whether a program has the correct management structure and the
proper set of skilled and experienced individuals to fill key program
management roles; proper alignment of key stakeholders and oversight to
help address issues that may arise; and whether the program is
leveraging program, project, and technical best practices to minimize
program risk and therefore maximize its chance for success. It is
important to note during this period of fiscal austerity that all three
contribute directly to a program's ability to deliver as efficiently
and cost-effectively as possible. Below I provide more detail on each
of these three key areas, with particular focus on how DHS is, as an
enterprise, working to mature our institutional capability in each.
Program Management Structure, Skills, and Experience
Programs are not successful when they lack experience and skills in
critical program management positions or a solid program management
office (PMO). For large, complex IT programs, having a program manager
(PM) who has successfully managed and delivered numerous IT programs is
vital.
Large, complex IT programs vary greatly, so there is not one model
that fits every program. While every program should have a qualified
program manager, additional positions vary based on its complexity and
should be considered on a case-by-case basis. The following positions,
however, are typically core, and programs lacking solid individuals
filling these positions at higher risk: Systems architect; data
architect; requirements manager; development and integration manager;
test manager; configuration manager; operations manager; contracting
officer; and contracting officer's representative.
In addition to the above core positions, when organizations embark
on large IT programs, it is critical to ensure the right business or
mission owner involvement. It is necessary to have full-time
representatives of the business who can not only successfully work
within the program to define requirements of the system, but also help
the PMO make the trade-off decisions that are a constant in a program.
In assessing a program, I look for individuals who are steeped in the
current process end-to-end, who have true credibility with senior
management, and who demonstrate flexibility to deal with unending
change as a program unfolds and matures. While we often need strong
contractor teams to help execute large complex programs, successful
PMOs are staffed with strong Government staff who can provide the
leadership and oversight necessary to direct the work. It is essential
that each program find the approximate mix of Federal and contractor
personnel to staff their PMO and ensure the PMO is fully integrated.
DHS is taking aggressive steps to ensure that we can properly staff
our major IT programs with skilled and experienced personnel. We have a
number of training programs, most notably a PM certification course. In
addition to a standard PM certification, we have additional specialty
courses for PMs that run IT programs. Further, we have course tracks in
other key skill areas as outlined above, to include requirements
engineering, systems engineering, and test and evaluation
methodologies. Finally, we have built into our program evaluation
criteria the recognition that the PMO is key to success. The skills and
experience of the staff in the PMO is the most heavily-weighted
criteria in how we evaluate our IT programs.
Program Governance
Even the best program manager will have challenges if the
governance model does not work. Governance drives alignment amongst key
decision makers in an organization. We have heard for decades that IT
programs fail because of ill-defined requirements or poorly-managed
requirements scope throughout the life cycle of a program. While true,
this is a symptom of a more fundamental underlying cause: The inability
for all key stakeholders in a program to be ``on the same page'' in
defining desired outcomes and approaches to meet those outcomes.
Change is inevitable in all IT programs, so achieving such
alignment is not a one-time event occurring at the start of a program.
Alignment is an on-going process that is critical throughout an
investment's strategic planning, design, and development, as well as
its implementation; hence, governance must be viewed as a full life-
cycle process. Sometimes the change is significant, making on-going
alignment even more crucial to successfully driving the promised Return
on Investment (ROI) and ensuring accountability. Further, for complex
IT systems, there are at least a half-dozen stakeholder organizations
that must be aligned, to include the strategy organization, business or
mission owner of the system, IT, finance, procurement, security, and
privacy. Ensuring all key stakeholders are involved in key decisions is
an essential element to assuring genuine alignment.
Based on my experience, establishing a strong, active program
governance board is required to ensure such alignment. Program
governance boards provide guidance, decision making, and oversight of
one or more programs. The function of the program governance board is
not to usurp the authorities of the PM, but rather to provide a forum
by which the PM can bring key issues and trade-off decisions to an
informed, empowered body that has a vested interest in that program's
success and that views the PM as a trusted advisor and true subject-
matter specialist. In today's environment of more modular and agile
development, a program in design or development should have a program
governance board that meets no less than monthly, and in some cases
weekly, depending on the type of program and life-cycle stage of the
investment. Not only does an active program governance board support
accountability, it also fosters transparency.
Within DHS, we have developed a management directive and are
maturing our program governance processes. At the enterprise level, we
have a governance board known as the Acquisition Review Board (ARB),
chaired by the DHS Under Secretary for Management and with all the DHS
Lines-of-Business as members, which has ultimate authority over all DHS
programs. DHS has embarked on a tiered governance model in which
Executive Steering Committees (ESCs) are chartered by the ARB to
provide governance of a program or related set of programs. While not
fully implemented across all programs, the ESC structure is chartered
for programs rated at higher risk. Of the 88 major IT programs, my
office (DHS Office of the Chief Information Officer or OCIO), working
with the DHS Program Accountability and Risk Management Office (PARM),
has identified 16 programs that would immediately benefit from the
governance model of an ESC. I am pleased to write that all 16 of those
programs now have the oversight of an ESC. Further, I am personally
involved or have a senior representative from my office as a member of
each of these ESCs.
In addition to the tiered governance model, DHS OCIO partners with
PARM to monitor all major programs based on monthly status reporting
from each program. If a major IT program is showing negative indicators
in monthly reporting, we will hold a Techstat on the program, which is
a program review to identify the issues affecting the program along
with a set of remediation actions to address the issues. Within the
last 2 weeks, a Techstat on one program resulted in 11 remediation
actions, to include the establishment of an ESC for the program.
IT Program and Technical Best Practices
Even with a solid PMO and proper governance, it is critical that IT
programs leverage the practices and tools that are appropriate for the
work at hand. Using the proper methods to capture requirements,
complete a systems design, implement a configuration management
process, and properly test the system are just a handful of the myriad
practices that must be implemented in a large IT program. Even a
skilled and experienced set of individuals cannot be expected to deeply
understand current best practices in all areas, so it can be greatly
beneficial for programs to acquire guidance and help from subject
matter experts in varied disciplines that cross the program, project,
and technical disciplines.
Within DHS, we are implementing such a model under what we call our
Acquisition and Program Management Centers of Excellence (A&PM COEs).
The COEs provide a number of services to programs to include: (1)
Development or adoption of proven practices, guidance, document
templates, and examples; (2) support program management workforce
development through development of training programs and mentoring; (3)
expert support (support the stand-up of new programs; support program
reviews; and provide subject matter expertise for programs that have
skills gaps or are struggling; (4) identification and development of
enterprise tools to enable more effective program management; and (5)
identification of program health criteria that recognizes what program
success looks like.
To date, DHS has established eight COEs to support programs,
including COEs for program management (to include schedule and risk
management as well as life-cycle logistics), cost estimating and
analysis, enterprise architecture, systems engineering, requirements
engineering, test and evaluation, privacy, and accessibility. A key to
making this work is to draw from expertise across DHS, so individuals
from each component can participate in their particular area of
expertise. Through this federation, we work to create communities of
practice bringing ideas from across DHS that strengthen the work of
each COE. While we have made significant progress in establishing COEs,
we continue to work on maturing our efforts, and plan to review the
need for additional COEs in years to come.
key dhs programs supporting border security and immigration
The remainder of the testimony highlights a number of key IT
programs, both in terms of how they support DHS missions in border
security and immigration, and how we are leveraging the work outlined
above to improve the delivery of these major IT programs.
CBP--Automated Commercial Environment (ACE)
ACE is a multi-year program with sunk costs of $3.2 billion to
modernize the business processes essential to securing U.S. borders,
speeding the flow of legitimate shipments, and targeting illicit goods.
ACE modernizes and enhances trade processes and forms the backbone for
the ``single window'' through which the international trade community
will electronically provide all information needed by Federal agencies
for the import and export of cargo. The ACE program is essential to
improving the ability of CBP's agents and officers and those of 47
Partner Government Agencies (PGAs) to assess cargo for security,
health, and safety risks, while speeding the flow of legitimate trade
and ensuring compliance with U.S. trade laws.
Cost and Schedule Performance
In 2010, the program was placed on the Office of Management and
Budget's (OMB) list of 26 troubled Federal IT projects. In addition,
the DHS ARB placed ACE on a pause status while the program worked to
address its issues. Since that time, CBP, with the support of DHS and
OMB, has worked aggressively to turn the program around. While parts of
ACE are in operations and maintenance, much functionality remains to be
developed. Therefore, working with DHS, CBP has developed a plan for
the completion of core trade processing capabilities in ACE and
decommissioning the legacy system within approximately 3 years. A key
component of this plan is the implementation of an agile software
development methodology which focuses on the production of smaller
pieces of functionality more frequently, resulting in a more flexible
user-focused development process. CBP's plan addresses the priorities
identified by internal system users as well as key trade community and
PGA stakeholders: Cargo release, entry summary edits, and exports.
With respect to the program's funding strategy, CBP has made great
progress in reducing ACE Operations and Maintenance (O&M) costs and
identifying internal sources of CBP funds to support remaining ACE
development and migration.
Challenges
CBP has addressed a number of basic organizational and governance
challenges as it administered the ACE program. Based on direction from
the ARB and with DHS's support, CBP responded with program changes as
documented in the ACE Improvement Plan submitted to OMB. Specifically,
CBP has:
Established an ACE Business Office in the Office of
International Trade to better define business needs through an
enhanced business requirements process.
Increased stakeholder engagement through the establishment
of an Executive Steering Committee (ESC) that includes all
levels of DHS and CBP leadership.
Also increased engagement with all impacted CBP program
offices, volunteer Government field personnel serving as ACE
Ambassadors, the Trade Community, and Partner Government
Agencies.
Defined baseline needs through an enhanced business
requirements process.
Executed a new approach for the development of functionality
by building in modular components that treat each piece of
distinct functionality as a separate project for frequent
delivery of smaller segments of functionality.
Conducted more effective oversight of contractors through
greater internal controls and governance.
Program Outlook
CBP has taken significant steps to reposition ACE for success.
Skills gaps in the ACE PMO were identified and are being addressed; the
PMO is working well and has embedded business expertise. As noted
above, the governance model has been strengthened with the addition of
an ESC chaired by the Deputy Commissioner. Finally, the program has
worked closely with a number of the PM COEs to ensure best practices
are being leveraged across the program. For instance, technical
complexity is being reduced by transitioning the program to a
simplified architecture that relies less on a large stack of complex
proprietary solutions and more on a few well-proven open-source
technologies. This will greatly simplify development, and allow rapid
integration of the solution so that it can be quickly fielded in an
incremental fashion.
The program is also embedding domain knowledge experts in the
development process to help ensure frequent and timely feedback to
developers as the solution is produced, greatly reducing requirements
uncertainty and allowing for the program to adjust to changing
requirements rapidly. The program is using a feature-based approach to
manage requirements to achieve formal software releases every 6 months.
This shorter and iterative release cycle is being mandated to ensure
value is quickly realized by the CBP agents and officers along with
other PGAs in the field on a regular recurring schedule.
The strong program governance and organizational changes, active
stakeholder engagement and support, and sound funding strategy
demonstrate that the program is on the right course.
CBP--TECS Modernization
TECS (no longer an acronym) is a key border enforcement system
supporting the screening of travelers entering the United States and
the screening requirements of other Federal agencies used for law
enforcement and benefit purposes. TECS supports more than 70,000 users
who represent more than 20 Federal agencies responsible for traveler
processing, investigations, vetting, entry/exit, and research
requirements. The TECS Modernization program is primarily focused on
modernizing server infrastructure, databases, and user interfaces to
sustain and improve current screening capabilities well into the
future. The program also provides for highly scalable functionality
that meets constantly emerging screening requirements. Some of the
mission benefits of modernizing TECS include: Enhancing the capability
to protect the Nation from the entry of individuals who may pose a
threat to National security or public safety; ensuring the efficient
flow of lawful people crossing U.S. borders; and enabling effective
decision-making through improved information sharing.
The modernization of the legacy TECS system is being accomplished
through two separate programs, one within CBP and the other within ICE.
Each is funded and being executed separately. While both modernization
programs remain focused on continued support of each agency's unique
mission, each program coordinates common interests regarding planning,
development, and data migration efforts.
cost and schedule performance
TECS Mod began the 8-year modernization effort in 2008, and is on
track to complete the project in 2015 as scheduled. TECS is being
modernized incrementally with five projects that focus on major
functional areas. These projects are: Secondary Inspection (SI); High
Performance Primary Query and Manifest Processing (HPPQ); Travel
Document and Encounter Data (TDED); Lookout Record Data and Services
(LRDS); and Primary Inspection Processes (PIP).
Functionality, such as Secondary Inspection, has already been
delivered and is being used successfully at ports of entry. In 2013,
TECS Mod will deliver additional capabilities that were designed and
developed in previous years. Operational Testing for the High
Performance Primary Query, Travel Documents and Encounter Data, and the
Lookout Records and Data Services Projects will begin in 2014.
program outlook
Currently the TECS Modernization program is on schedule to complete
by the end of fiscal year 2015 as detailed in the Acquisition Program
Baseline. Some of the major accomplishments to date include:
LRDS Watch List Service, which provides terrorist records to
DHS, activated August 2010;
Secondary Inspection to all Air/Sea Ports Of Entry (POEs)
implemented May 2011 and deployed Secondary Inspection to two
Land ports of entry (POEs) in November 2012 for operational
testing;
High Performance Primary Query (HPPQ) Service for Advance
Passenger Information System activated in November 2012;
HPPQ Initial Operation Capability (IOC) met on February 1,
2013.
USCIS--Transformation
In 2008, USCIS embarked on a program to transition the agency from
a fragmented, paper-based operational environment to an integrated,
paperless, electronic operational environment. The new operational
environment, known as USCIS Electronic Immigration System (ELIS),
enables customers to file requests for immigration benefits and USCIS
officers to adjudicate those benefit requests within the same system.
USCIS ELIS heavily leverages proven methods from the Government and the
private sector to meet mission requirements for improved efficiency,
quality, customer service, and features that support our National
security. USCIS ELIS is a person-centric system that is already
improving collaboration and information sharing within DHS and with
other Federal agencies.
USCIS launched the first release of USCIS ELIS in May 2012. This
release delivered the foundational technology components and basic end-
to-end capabilities for applicants for certain benefit types using Form
I-539, ``Application to Extend/Change Nonimmigrant Status.'' This
release included capabilities for on-line account set-up, electronic
filing, security checks, case management, direct electronic
correspondence with customers, and issuance of notices and decisions to
customers. Feedback on USCIS ELIS performance from USCIS staff and
customers has been positive.
Cost and Schedule Performance
The USCIS Transformation, when started in 2008, used a traditional
``waterfall'' approach to development and a single contractor as a lead
systems integrator. The initial requirements development process took
almost 2 years and development for the first release required an
additional 14 months, including 7 months of testing and defect
remediation. Although the initial release included much of the basic
functionality to support the future development of additional benefit
product lines, USCIS determined that such an approach was not
sustainable in the long-term.
After the initial release in May 2012 USCIS decided to temporarily
reduce the size of the contractor team while it transitioned to an
agile development process and put in place improved governance
mechanisms, with the intention of ramping up the program up again once
these were in place. During 2012, as the program improved its agile
approach, the number of agile teams was increased from three to six.
The program intends to eventually scale up to 12 agile teams of
approximately 10 developers and testers each, in order to reach Final
Operating Capability as quickly as possible. A Life-Cycle Cost Estimate
(LCCE) and a roadmap have been completed for the program.
Challenges
The difficulties in delivering the first release prompted USCIS, in
collaboration with the DHS OCIO, PARM, and the Federal Chief
Information Officer (CIO) to conclude that there were fundamental
issues in the USCIS Transformation program management structure and
skills, the role and performance of the lead systems integrator, the
overall governance framework, the technical architecture of the
solution, and the development approach. Under the direction of the ARB,
the DHS CIO's Office worked with USCIS to set up an ESC to oversee the
program, with the DHS CIO as a voting member. DHS also participated in
a Techstat review of the program with the Federal CIO, worked with
USCIS to create a Life-Cycle Cost Estimate (LCCE) and an Integrated
Master Schedule (IMS), and facilitated the program's adoption of
technical best practices by assisting it in migrating to DHS-provided
cloud services.
Since late 2011, USCIS, in conjunction with my office and under the
direction of the ARB, has taken significant steps to address each of
its challenges, including:
Revamped the program management office to take on more of
the program's management and add needed skills.
Modified the role of the lead systems integrator to drive
improved performance.
Modified the governance framework to include establishment
of an Executive Steering Committee, chaired by the Director of
USCIS.
Create a Life-Cycle Cost Estimate (LCCE) and Integrated
Master Schedule (IMS).
Simplified the ELIS architecture to be more modular and to
leverage open source software to the extent possible.
Transitioned to modular framework, with releases delivered
under an agile approach.
Program Outlook
Since May 2012, USCIS has successfully delivered one schedule two
additional USCIS ELIS production releases using the agile development
approach and with all planned functionality completed. The first agile
release was delivered in September 2012 and the second in January 2013.
These releases provided additional enhancements to I-539 functionality
and technology that had been delayed in order to deploy the initial
release in May 2012. The next two agile releases are scheduled for May
and July 2013. Each release will add a new benefit type to USCIS ELIS.
In March 2013, USCIS completed successful development and
modifications to the technology architecture that should better support
agile delivery. In addition to modifying the architecture, USCIS is
also transitioning away from a single large contract to a series of
smaller contracts that will better support agile development and
delivery. In May 2013, USCIS intends to begin agile development of the
first production release under the modified architecture. After the
modified architecture is completed, new capabilities will be released
into USCIS ELIS approximately every 4 months. The modifications to the
architecture and the new contracting approach should enable USCIS to
stay within estimated costs and schedule.
ICE--Detention and Removal Operations Modernization (DROM)
The DROM Program was initiated in late 2006 to improve the
operational effectiveness of Enforcement and Removal Operations (ERO),
formerly Detention and Removal Operations (DRO), and to strengthen the
alignment of the ERO mission with the Secure Border Initiative (SBI).
Through improved interoperability, enhanced and new capabilities,
and an expansion of data exchange and sharing with its enforcement
partners, DROM empowers ERO operations and field agents/officers by
providing the technical tools necessary to execute ERO's primary
mission of upholding U.S. immigration laws through adequate and
appropriate custody management of detainees in a cost-effective manner.
DROM applications produce expected business outcomes to monitor and
support improvements such as:
Reduction in the length of stay for detainees.
Increased bed-space availability.
Faster document processing and transmission.
More accurate, complete, and flexible data reporting.
Elimination of data redundancy.
With its overall primary goal of increasing the throughput of
detainees from apprehension to case adjudication and removal, the DROM
Program and its applications have streamlined ERO operations, resulting
in significant cost and time savings. For example, the electronic
Travel Documents (eTD) project has reduced the time to issue documents
identifying a detainee's country of origin and authorizing his or her
repatriation, from over 14 days to 8 days on average for participating
countries (i.e., Dominican Republic, El Salvador, Guatemala, and
Honduras). Including Mexico, participating countries account for
approximately 90 percent of aliens repatriated.
The electronic Online Bonds System (eBonds), which automates the
posting of surety bonds, allows ERO field personnel to process those
bonds within hours instead of days. The Online Detainee Locator System
(ODLS), an application highlighted in the White House's 2011 Blueprint
to Immigration Reform for its ingenuity in facilitating the proposed
reforms, has significantly reduced phone inquiries to field offices
from family members, attorneys, and other interest parties. Finally,
Operations Management Module 2 (OM2), formerly the Fugitive Case
Management System (FCMS), will be integrated into the ENFORCE Alien
Removal Module (EARM) before the end of fiscal year 2013. This
integration will improve architecture and security compliance and
provide a robust application with a more scalable and flexible design
and greater operational efficiencies.
Cost and Schedule Performance
The DROM Program and its applications are expected to reach its
full sustainment phase by fiscal year 2014. With an adjusted life-cycle
cost estimate of roughly $320 million DROM has achieved most of its
major goals, moving to full sustainment ahead of schedule, and has
produced new and enhanced capabilities that improved the operational
effectiveness of ERO. Additionally, DROM has supported, through data
sharing, the high-priority effort to detain and remove criminal aliens.
Challenges
ERO's implementation of a new series of detention reform
initiatives in 2009 required the program to restructure its schedule
and re-define deliverables. The overarching key objectives remain
intact; however, the reform initiatives changed the program direction,
producing new capabilities and terminating specific projects.
In addition, EARM, the core module of the suite of ERO
applications, has grown exponentially within a short period of time.
The decision was made to use EARM as the framework and portal for all
DROM applications with over 12 interfaces to internal and external
Government entities. As a result of the rapid growth and re-definition,
the build environment of EARM has become very large, making it harder
to manage. Coding, debugging, and testing have become more complex as
developers are required to understand the logic of the entire code base
and the intrinsic dependencies within that logic. These challenges
became more apparent during the test phase of releases, causing minor
schedule shortfalls. ICE OCIO has taken the following steps to mitigate
future potential schedule slippages related to these issues:
Condense schedule to allow testing to occur in parallel with
other activities.
Early involvement of ERO users to ensure that capabilities
meet their business needs.
Daily collaboration with internal stakeholders to ensure
faster resolution to unexpected technical issues.
Prioritization of capabilities for potential de-scoping
effort to meet schedule constraints.
Finally, delays of EARM 3.0 release 2 and EARM 4.0 releases for
higher-priority initiatives as the data center migration consolidation
and the Risk Classification Assessment (RCA) module resulted in ERO
delaying deployment of existing requirements within those packaged
releases. In honoring those requests, some re-work and schedule
slippage were necessary.
Program Outlook
Despite the technical and operational challenges, DROM is targeted
to move into full sustainment by fiscal year 2014, providing full
operating capabilities of the DROM applications while coming in under
budget based on the prior year cost estimate. In addition, the final
software release is estimated to bring down the Operations and
Maintenance cost by integrating most functionality into the core
module, EARM, thus reducing the need to have separate operating support
costs for individual applications. In summary, DROM has accomplished
its mission by streamlining and executing more cost-efficient
operations within ERO.
conclusion
The ability for an IT organization to support its mission and
business customers is highly dependent on its ability to field new
capabilities that are developed in partnership with those customers. At
DHS, we are working hard to mature our ability to deliver such
capabilities, through improving the skills of our staff to manage
programs, through effective oversight of those programs, and through
harnessing of best practices in how we run those programs. We continue
to drive this maturation through harnessing good work and talent across
DHS, and its components, increasing our ability to support the Homeland
Security Enterprise.
Thank you and I am pleased to address your questions.
Mr. Duncan. Thank you so much.
I apologize to the witnesses, but it is my understanding
that we have been interrupted by votes. So without objection,
the subcommittee is in recess as subject to the call. The
Chairman of the committee will reconvene approximately 10
minutes after the conclusion of the last vote. So with that we
will just adjourn subject to the call of the Chairman.
[Recess.]
Mr. Duncan. Committee on Oversight and Management
Efficiency will come back to order. I want to thank the
panelists for their patience during the votes, and the
subcommittee will reconvene now. I must inform you that they
are talking about another round of votes maybe 3:45-ish. So we
are going to get through as much as we can.
So the Chairman will now recognize Mr. Powner to testify.
STATEMENT OF DAVID A. POWNER, DIRECTOR, INFORMATION TECHNOLOGY
MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Powner. Chairman Duncan, Ranking Member Barber, and
Members of the subcommittee, we appreciate the opportunity to
testify on the status of DHS's major IT investments that among
other things are to better secure our borders and enforce
immigration laws.
Late last year we issued two key reports for the
subcommittee that highlighted DHS improvements to its IT
governance and the status of nearly 70 IT acquisitions. This
afternoon I will provide an overview of DHS's IT spending and
the importance of these investments to improve mission
performance, the cost and schedule status of these investments,
steps underway to improve outcomes, and recommendations moving
forward.
DHS spends over $5.5 billion annually on over 350
investments. Of these, 68 are major IT acquisitions that
comprise about $4 billion of the total spend. These 68 systems
are essential to improving DHS missionaries like screening
travelers and cargo entering the country, monitoring our
borders, and sharing information to combat terrorism.
A specific example of how these systems improve mission
performance can be seen with the US-VISIT application. The
portion deployed to date that includes matching fingerprints
against an FBI database has resulted in thousands of
individuals being denied entry and hundreds of arrests.
Therefore, delivering on-time and within budget on these IT
acquisitions is vitally important to securing our homeland.
Last year we reported that 47 of the 68 acquisitions were
meeting cost and schedule goals; 21, or 30 percent were not.
These 21 include important acquisitions that are to improve
cargo screening, the detention of terrorists, and the screening
of travelers.
The four acquisitions highlighted by Ms. Graves are
included in our list of 21 not meeting cost and schedule goals.
My written testimony highlights the specific reasons why each
of these acquisitions are off-course, and these reasons include
poor cost and schedule estimates, undisciplined requirements,
processes, and various technical issues.
To DHS's credit, they have several important improvement
initiatives that I would like to highlight. But I would like to
start by acknowledging their IT leadership, both Mr. Spires and
Ms. Graves. Although not here today, I would like to take the
opportunity to mention that Mr. Spires, that DHS, CIO, we have
worked with him both while he was at IRS and now DHS. Our
Government is fortunate to have his service.
Turning to improved initiatives, DHS has corrective action
plans to address their performance shortfalls, have created
Centers of Excellence where program offices can seek
assistance. Their new tiered governance structure follows best
practices. These initial steps have resulted in a better IT
acquisition performance.
For example, OMB's IT dashboard, which provides
transparency on the performance of about 800 major IT
investments across the Government, shows that DHS is trending
in the right direction. Meaning that recently they have less
projects at risk than they have had in the past.
However, despite this progress, DHS still has too many
critical IT acquisitions where cost and schedule performance is
not cutting it. Our report last year highlighted about a
billion dollars associated with these 20 investments that are
at risk. Therefore, several IT management practices still need
significant improvements.
Specifically, DHS needs to have corrective action plans for
all projects whose cost and schedule variances are
unacceptable. DHS needs to have IT and business executives
partner in aggressively overseeing their IT acquisitions by
implementing more completely their new governance process.
DHS also needs to tackle the core root cause areas
associated why programs are not meeting their cost and schedule
commitments by utilizing and expanding on their Centers of
Excellence. Also DHS needs to mature its program management
disciplines, including areas like requirements management and
risk management. Finally, DHS needs to approach more of these
investments on a smaller, more manageable increment to deploy
key functionality more quickly.
In summary, Mr. Chairman, DHS technology acquisitions play
a vital role in improving the security of our homeland.
Although DHS' ability to deliver on these systems is improving,
there are still ways to go to ensure that this annual
investment of $4 billion is yielding the near-term return our
country needs.
This concludes my statement, and I would be pleased to
respond to questions.
[The prepared statement of Mr. Powner follows:]
Prepared Statement of David A. Powner
March 19, 2013
gao highlights
Highlights of GAO-13-478T, a testimony before the Subcommittee on
Oversight and Management Efficiency, Committee on Homeland Security,
House of Representatives.
Why GAO Did This Study
DHS has responsibility for the development and operation of the IT
systems for the agencies and offices under its jurisdiction that are
key to, among other things, securing the Nation's borders and enforcing
immigration laws. DHS reported having 363 such IT investments. Of these
investments, 68--with budgeted annual costs of about $4 billion--were
under development and classified by DHS as a ``major'' investment
requiring special management attention because of its mission
importance.
GAO was asked to testify on the progress DHS has made and
challenges it faces in meeting cost and schedule commitments for its
major IT investments, including those for Customs and Border
Protection, Immigration and Customs Enforcement, and U.S. Citizenship
and Immigration Services. Specifically, GAO was asked to focus on its
September 2012 report that determined: (1) The extent to which DHS
investments are meeting their cost and schedule commitments, (2) the
primary causes of any commitment shortfalls, and (3) the adequacy of
DHS's efforts to address these shortfalls and their associated causes.
What GAO Recommended
In its report, GAO recommended that the Secretary of Homeland
Security direct the appropriate officials to address guidance
shortcomings and develop corrective actions for all major IT investment
projects having cost and schedule shortfalls. In commenting on a draft
of the report, DHS concurred with GAO's recommendations.
information technology.--dhs needs to enhance management of major
investments
What GAO Found
Approximately two-thirds of the Department of Homeland Security's
(DHS) major IT investments were meeting their cost and schedule
commitments. Specifically, out of 68 major IT investments in
development, 47 were meeting cost and schedule commitments. The
remaining 21--which DHS had estimated to cost about $1 billion--had one
or more subsidiary projects that were not meeting cost and/or schedule
commitments (i.e., they exceeded their goals by at least 10 percent,
which is the level at which the Office of Management and Budget (OMB)
considers projects to be at increased risk of not being able to deliver
planned capabilities on time and within budget.)
The primary causes for the cost and schedule shortfalls were (in
descending order of frequency):
inaccurate preliminary cost and schedule estimates,
technical issues in the development phase,
changes in agency priorities,
lack of understanding of user requirements, and
dependencies on other investments that had schedule
shortfalls.
Eight of the investments had inaccurate cost and schedule
estimates. For example, DHS's Critical Infrastructure Technology
investment had a project where actual costs were about 16 percent over
the estimated cost, due in part to project staff not fully validating
cost estimates before proceeding with the project. In addition, six
investments had technical issues in the development phase that caused
cost or schedule slippages. For example, DHS's Land Border Integration
investment had problems with wireless interference at certain sites
during deployment of hand-held devices used for scanning license
plates, which caused a project to be more than 2 months' late.
DHS often did not adequately address cost and schedule shortfalls
and their causes. GAO's investment management framework calls for
agencies to develop and document corrective efforts to address
underperforming investments and DHS policy requires documented
corrective efforts when investments experience cost or schedule
variances. Although 12 of the 21 investments with shortfalls had
defined and documented corrective efforts, the remaining 9 had not.
Officials responsible for 3 of the 9 investments said they took
corrective efforts but were unable to provide plans or any other
related documentation showing such action had been taken. Officials for
the other 6 investments cited criteria in DHS's policy that excluded
their investments from the requirement to document corrective efforts.
This practice is inconsistent with the direction of OMB guidance and
related best practices that stress developing and documenting
corrective efforts to address problems in such circumstances. Until DHS
addresses its guidance shortcomings and ensures each of these
underperforming investments has defined and documented corrective
efforts, these investments are at risk of continued cost and schedule
shortfalls.
Chairman Duncan, Ranking Member Barber, and Members of the
subcommittee, I am pleased to be here today to discuss our past work
examining the Department of Homeland Security's (DHS) progress and
challenges in acquiring, developing, and managing the information
technology investments and systems used by its agencies and offices,
including those used by U.S. Customs and Border Protection (CBP),
Immigration and Customs Enforcement (ICE), and U.S. Citizenship and
Immigration Services (USCIS). Since its creation in 2002, DHS has spent
billions of dollars on IT infrastructure used to fulfill its mission to
ensure a homeland that is safe, secure, and resilient against terrorism
and other hazards. We recently reported \1\ that, during fiscal year
2012, DHS planned to spend about $5.6 billion on approximately 363 on-
going IT investments. Of these 363 investments, 68 were under
development and were classified by DHS as a ``major'' investment \2\
that required special management attention because of its importance to
the Department's mission. My testimony today focuses on the key
findings of that work, including: (1) The extent to which DHS
investments are meeting their cost and schedule commitments, (2) the
primary causes of any commitment shortfalls, and (3) the adequacy of
DHS's efforts to address these shortfalls and their associated causes.
---------------------------------------------------------------------------
\1\ GAO, Information Technology: DHS Needs to Enhance Management of
Cost and Schedule for Major Investments, GAO-12-904 (Washington, DC:
Sept. 2012).
\2\ DHS defines a major IT investment as one with a cost of $50
million or more and is complex and/or mission-critical.
---------------------------------------------------------------------------
This statement is based on our report of September 2012. In that
report, we discussed how each of the 68 major investments was
performing against its cost and schedule commitments as reported by the
Department to the Office of Management and Budget (OMB). We also
reviewed project plans and related documentation and interviewed
responsible DHS officials to identify the primary causes for the
shortfalls and whether any corrective efforts had been developed and
documented to address the shortfalls. We conducted the performance
audit from October 2011 to September 2012 in accordance with generally
accepted Government auditing standards. Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence
to provide a reasonable basis for our findings and conclusions based on
our audit objectives.
background
DHS spends billions of dollars each year on IT investments to
perform both mission-critical and support functions that frequently
must be coordinated among components and external entities. Of the $5.6
billion that DHS planned to spend on 363 IT-related investments in
fiscal year 2012, $4.4 billion was planned for the 83 the agency
considers to be a major investment; namely, costly, complex, and/or
mission-critical.
Of these 83 major IT investments, 68 are under development and were
estimated to cost approximately $4 billion for fiscal year 2012.
Examples of major investments under development that are being
undertaken by DHS and its components include:
CBP.--The Automated Commercial Environment/International
Trade Data System is to incrementally replace existing cargo
processing technology systems with a single system for land,
air, rail, and sea cargo and serve as the central data
collection system for Federal agencies needing access to
international trade data in a secure, paper-free, web-enabled
environment.
ICE and CBP.--TECS Modernization is to replace the legacy
mainframe system developed by the U.S. Customs Service in the
1980s to support its inspections and investigations. Following
the creation of DHS, those activities were assigned to CBP and
ICE, respectively. CBP and ICE are now working to modernize
their respective portions of the system in a coordinated effort
with separate funding and schedules. For example, ICE's portion
of the investment will include modernizing the investigative
case management and related support modules of the legacy
system.
We have previously reported on the cost and schedule challenges
associated with major DHS IT investments, such as those with CBP's
Secure Border Network (SBInet) and NPPD's United States Visitor and
Immigrant Status Indicator Technology (US-VISIT).\3\ In these reports,
we made recommendations to address these challenges and keep these
investments on schedule and within cost.
---------------------------------------------------------------------------
\3\ See, for example, GAO, Secure Border Initiative: SBInet
Expenditure Plan Needs to Better Support Oversight and Accountability,
GAO-07-309 (Washington, DC: Feb. 15, 2007); Secure Border Initiative:
DHS Needs to Reconsider Its Proposed Investment in Key Technology
Program, GAO-10-340 (Washington, DC: May 5, 2010); and Homeland
Security: Key US-VISIT Components at Varying Stages of Completion, but
Integrated and Reliable Schedule Needed, GAO-10-13 (Washington, DC:
Nov. 19, 2009).
---------------------------------------------------------------------------
dhs met cost and schedule commitments for most major it investments
The success of major IT investments are judged by, among other
things, the extent to which they deliver promised system capabilities
and mission benefits on time and within cost. Our research in best
practices and extensive experience working with Federal agencies and
Office of Management and Budget (OMB) guidance stress the importance of
Federal IT investments meeting cost and schedule milestones.
Approximately two-thirds of DHS's IT investments met their cost and
schedule commitments; the remaining one-third had at least one
subsidiary project that was not meeting its commitments. Specifically,
out of the 68 major investments under development, 47 were meeting
their cost and schedule commitments.
The remaining 21 investments--which totaled about $1 billion as of
March 2012--had one or more subsidiary projects that were not meeting
cost and/or schedule commitments (i.e., they had exceeded their goals
by at least 10 percent, which is the level at which OMB considers
projects to be at an increased risk of not being able to deliver
planned capabilities on time and within budget.) Table 1 lists the
major investments with a cost and/or schedule shortfall.
Specifically, of the 21 investments with a shortfall, 5 had one or
more subsidiary project with a cost shortfall, 18 had one or more
project with a schedule shortfall, and 2 had a project with both a cost
and schedule shortfall. These shortfalls place these investments at
increased risk of not delivering promised capabilities on time and
within budget, which, in turn, pose a risk to DHS's ability to fully
meet its mission of securing the homeland.
[GRAPHIC(S)] [NOT AVAILABLE IN TIFF FORMAT]
[GRAPHIC(S)] [NOT AVAILABLE IN TIFF FORMAT]
causes of investment cost and schedule shortfalls varied
The primary causes of the shortfalls in cost and schedule
associated with DHS's 21 major IT investments were (in descending order
of frequency): Inaccurate preliminary cost and schedule estimates,
technical issues in the development phase, changes in agency
priorities, lack of understanding of user requirements, and
dependencies on other investments that had schedule shortfalls. A
summary of these causes by investment and component are shown in table
2.
[GRAPHIC(S)] [NOT AVAILABLE IN TIFF FORMAT]
[GRAPHIC(S)] [NOT AVAILABLE IN TIFF FORMAT]
In our past work on DHS's investments and related IT management
processes, we have identified some of these same causes and made
recommendations to strengthen management in these areas. For example,
with regard to cost estimating, we reported that forming a reliable
estimate of costs provides a sound basis for measuring against actual
cost performance and that the lack of such a basis contributes to
variances.\4\ To help agencies establish such a capability, we issued a
guide in March 2009 \5\ that was based on the practices of leading
organizations. In a July 2012 report \6\ examining how well DHS is
implementing these practices, we reported that the Department had
weaknesses in cost estimating. Accordingly, we made recommendations to
DHS to strengthen its cost estimating capabilities, and the Department
has plans and efforts under way to implement our recommendations.
---------------------------------------------------------------------------
\4\ GAO, Information Technology Cost Estimation: Agencies Need to
Address Significant Weaknesses in Policies and Practices, GAO-12-629
(Washington, DC: July 2012).
\5\ GAO, GAO Cost Estimating and Assessment Guide: Best Practices
for Developing and Managing Capital Program Costs, GAO-09-3SP
(Washington, DC: March 2009).
\6\ GAO-12-629.
---------------------------------------------------------------------------
We have also reported \7\ that developing sufficient requirements
is key to effectively delivering systems on time and within budget and
that DHS has experienced project delays and cost overruns resulting
from initial requirements not being defined properly. To address this
challenge, DHS had begun, as part of defining and implementing a new IT
governance process, to establish Centers of Excellence to provide
investment officials with expert assistance in requirements development
and other essential IT management disciplines.\8\
---------------------------------------------------------------------------
\7\ GAO, Department of Homeland Security: Assessments of Selected
Complex Acquisitions, GAO-10-588SP (Washington, DC: June 2010).
\8\ GAO-12-818.
---------------------------------------------------------------------------
about half of dhs's projects with shortfalls did not have well-
developed corrective efforts
A variety of best practices exist to guide the successful
acquisition of IT investments, including how to develop and document
corrective actions for projects experiencing cost and schedule
shortfalls. In particular, GAO's Information Technology Investment
Management framework \9\ calls for agencies to develop and document
corrective efforts for underperforming projects. It also states that
agencies are to ensure that, as projects develop and costs rise, the
project continues to meet mission needs at the expected levels of cost
and risk; if projects are not meeting expectations or if problems have
arisen, agencies are to quickly take steps to address the deficiencies.
---------------------------------------------------------------------------
\9\ GAO, Information Technology Investment Management: A Framework
for Assessing and Improving Process Maturity (version 1.1), GAO-04-394G
(Washington, DC: March 2004).
---------------------------------------------------------------------------
DHS developed and documented corrective efforts for 12 of the 21
major investments with a shortfall, but the remaining 9 did not have
corrective efforts documented. Table 3 depicts the investments with
shortfalls and whether corrective efforts had been developed and
documented.
[GRAPHIC(S)] [NOT AVAILABLE IN TIFF FORMAT]
With regard to the investments with shortfalls, three were unable
to provide us with documentation, even though project officials stated
that they had developed some corrective efforts, and six did not engage
in corrective efforts to address shortfalls. Of the three investments,
officials from TSA's Federal Air Marshal Service Mission Scheduling and
Notification System investment, for example, reported that they had
addressed the project's schedule shortfall--which was due, in part, to
a support contractor not having adequate staffing--by performing the
work within the agency instead of relying on the contractor. Further,
according to TSA officials, the cost and schedule shortfalls on the Air
Cargo Security investment, which were due to technical complications
and dependencies on other investments, were addressed by establishing a
new cost and schedule baseline. Nonetheless, this lack of documentation
is inconsistent with the direction of DHS's guidance and related best
practices, and it shows a lack of process discipline and attention to
key details, which raises concerns about the thoroughness of corrective
efforts.
Of the six investments without any corrective efforts, officials
from these investments (namely, the Office of the Chief Information
Officer's Human Resources IT investment, NPPD's US-VISIT Automated
Biometric Identification System and Arrival and Departure Information
System investments, USCG's Business Intelligence investment, NPPD's
National Cybersecurity Protection System, and USCIS's Claims 4
investment), stated that they did not develop and document corrective
efforts because they believed DHS's guidance does not call for it in
their circumstances. Specifically, the officials said that although
DHS's guidance \10\ calls for corrective actions to be developed and
documented when an investment experiences a life-cycle cost or schedule
variance, the variances on their project activities thus far were not
large enough to constitute such a variance.
---------------------------------------------------------------------------
\10\ Department of Homeland Security, Acquisition Management
Directive 102-01 and Capital Planning and Investment Control Guide,
version 7.2.
---------------------------------------------------------------------------
The impact of this approach is that multiple projects can continue
to experience shortfalls--which increases the risk that investments
will experience serious life-cycle cost and schedule variances--without
having to develop and document corrective actions to alert top
management about potential problems and associated risks. This is
inconsistent with the direction of OMB, which requires agencies to
report (via the IT Dashboard) on the cost and schedule performance of
their projects and considers those projects with a 10 percent or
greater variance to be at an increased level of risk of not being able
to deliver promised capabilities on time and within budget, and thus
they require special attention from management. It is also inconsistent
with our best practices research and experience at Federal agencies,
which stresses that agencies report to management when projects are not
meeting expectations or when problems arise and quickly develop and
document corrective efforts to address the problems. Further, our
research and work at agencies has shown that waiting to act until
significant life-cycle variances occur can sometimes be risky and
costly, as life-cycle schedules are typically for multi-year periods,
allowing the potential for underperforming projects to continue to vary
from their cost and schedule goals for an extended amount of time
without any requirement for corrective efforts. Consequently, until
these guidance shortcomings have been addressed and each
underperforming project has defined and documented corrective actions,
the Department's major investments these projects support will be at an
increased risk of cost and schedule shortfalls.
dhs needs to address guidance and cost and schedule shortfalls
To help ensure that DHS investments meet their cost and schedule
commitments, we recommended that the Secretary of Homeland Security
direct the appropriate officials to: (1) Establish guidance that
provides for developing corrective efforts for major IT investment
projects that are experiencing cost and schedule shortfalls of 10
percent or greater, similar to those identified in our report, and (2)
ensure that such major projects have defined and documented corrective
efforts.
DHS concurred with our recommendations and estimated that they
would implement the first recommendation by September 30, 2013, and the
second one immediately. We are currently in the process of following up
with DHS to assess the extent to which these recommendations have been
implemented.
In summary, most of the projects comprising DHS's 68 major IT
investments were meeting their cost and schedule commitments, but 21
major investments--integral to DHS's mission and costing approximately
$1 billion--had projects experiencing significant cost and schedule
shortfalls. These shortfalls place these investments at increased risk
of not delivering promised capabilities on time and within budget,
which, in turn, pose a risk to DHS's ability to fully meet its mission
of securing the homeland. DHS guidance does not require projects
experiencing significant cost and schedule shortfalls to develop and
document corrective efforts until they cause a life-cycle cost and
schedule variance. This increases risk and is contrary to effective IT
investment practices. Given that DHS is currently establishing and
implementing new IT governance processes, the Department is positioned
to address the guidance shortfalls.
Chairman Duncan and Ranking Member Barber and Members of the
subcommittee, this completes my prepared statement. I would be pleased
to respond to any questions that you may have at this time.
Mr. Duncan. Thank you, Mr. Powner.
The Chairman will now recognize Inspector General Edwards
for 5 minutes.
STATEMENT OF CHARLES K. EDWARDS, DEPUTY INSPECTOR GENERAL, U.S.
DEPARTMENT OF HOMELAND SECURITY
Mr. Edwards. Chairman Duncan, Ranking Member Barber, and
Members of the subcommittee, thank you for the opportunity to
discuss the Office of Inspector General's work to address the
Department's IT management challenges. Today I will discuss our
work to improve management, oversight, and efficiencies at the
Department level, and to ensure that CBP and USCIS have
adequate management practices and technology to effectively
support mission needs.
The Department relies heavily on IT, spending about $6
billion a year for IT systems on infrastructure. Effective
oversight and management of IT expenditures is critical. In the
past we identified the need for the Department's chief
information officer to have greater authority, to become a more
effective steward of IT funds. The Department has responded by
strengthening the CIO's role of a centralized management of IT
and providing the CIO with authority and oversight of
components IT investments.
With regard to IT systems and operational efficiencies,
component CIOs face challenges to ensure that IT environment
fully meets mission needs. Often we find that limited
interoperability and functionality of components, aging
technology infrastructures hinder personnel from conducting
activities.
For example, in June 2012 we reported that CBP faced
challenges with systems' availability, including periodic
outages of critical security systems. This was due in part to
its aging infrastructure. Furthermore, the interoperability of
the IT infrastructure was not sufficient to support CBP mission
activities.
As a result, staff created workarounds or employed
alternate solutions. In some cases CBP assigned agents to
perform duplicative data entry instead of enforcement duties in
the field. In other instances CBP staff operated stand-alone,
non-approved IT. Such activities may hinder CBP's ability to
safeguard borders and ensure officer safety. We recommended
that CBP CIO develop a funding strategy for the replacement
efforts of outdated IT infrastructure.
USCIS faces similar challenges with an IT environment that
does not effectively support its mission's operations. We
reported in July 2009 and again in November 2011 that USCIS
continues to rely on paper-based processes to support its
mission.
On any given day, USCIS processes about 30,000 applications
for immigration benefits. Yet, USCIS provides nearly all of its
services using paper forms. This hinders USCIS personnel from
processing immigration benefits efficiently, combating identity
fraud and providing partner agencies the information needed to
identify criminals and possible terrorists.
Although the current transformation program is meant to
transition the agency from a paper-based system to an account-
based environment, implementation has been delayed repeatedly
over the past 8 years. We recommended that USCIS complete
business and technology process documentation to provide the
detail necessary to implement the transformation program
effectively.
We also recommended that USCIS revise its governance
structure to enable more streamlined decision making for its
agency-wide IT modernization effort. In November 2011 we
reported that although USCIS establish a transformation
governance structure, this structure has weaknesses that have
contributed to transformation delays.
Transformation leadership told us the Government structure
was too complex, that too many stakeholders and boards involved
in making decisions. USCIS did not have the sufficient
governance mechanism in place to ensure effective acquisition
of IT resources. We are encouraged by the steps taken by USCIS
to address our recommendation.
In conclusion, our audits have identified weaknesses in IT
management functions and widespread IT function limitation
across the Department. Although there remain resource
constraints that limit the Department, progress has been made
in addressing these areas over the past few years.
Mr. Chairman, this concludes my prepared remarks, and I
would be happy to answer any questions that you or the Members
may have. Thank you.
[The prepared statement of Mr. Edwards follows:]
Prepared Statement of Charles K. Edwards
March 19, 2013
Mr. Chairman and Members of the subcommittee: Thank you for the
opportunity to discuss DHS' information technology (IT) issues. My
testimony today will address the predominant IT management issues we
have reported on over the past 2 years.
The majority of information that I will provide is contained in our
reports, Customs and Border Protection Information Technology
Management: Strengths and Challenges (OIG-12-95), DHS Information
Technology Management Has Improved, But Challenges Remain (OIG-12-82),
U.S. Citizenship and Immigration Services' Progress in Transformation
(OIG-12-12), Coast Guard Has Taken Steps To Strengthen Information
Technology Management, but Challenges Remain (OIG-11-108), Federal
Emergency Management Agency Faces Challenges in Modernizing Information
Technology (OIG-11-69), and U.S. Secret Service's Information
Technology Modernization Effort (OIG-11-56). I will also provide an
update on the progress made by DHS on implementing some of the report
recommendations.
DHS budgets over $6 billion a year for its IT. This represents
nearly 15 percent of the DHS overall budget. The 22 component agencies
that currently make up DHS rely extensively on IT to perform a wide
range of mission operations, including counterterrorism, border
security, and immigration benefits processing, among others. Given the
size and significance of DHS' IT investments, effective management of
Department-wide IT expenditures is critical.
dhs' it management oversight
In the past, we identified the need for the Department's Chief
Information Officer (CIO) to have greater authority to become a more
effective steward of IT funds.\1\ The Department has since strengthened
the CIO's responsibilities for oversight and centralized management of
IT, which has helped provide the authority for leading component CIOs
toward a more unified IT direction. Specifically, we reported in May
2012 that the DHS Office of the CIO has improved oversight of IT
programs and key IT management functions, such as acquisition and
portfolio reviews, to improve CIO decision making.\2\ As a result, the
DHS CIO has better visibility of Department-wide IT programs and assets
thus enabling the CIO to identify opportunities for reducing costs and
duplication across the Department's IT environment.
---------------------------------------------------------------------------
\1\ Improvements Needed to DHS' Information Technology Management
Structure (OIG-04-30, July 2004). Progress Made in Strengthening DHS
Information Technology Management, But Challenges Remain (OIG-08-91,
September 2008).
\2\ DHS Information Technology Management Has Improved, But
Challenges Remain (OIG-12-82, May 2012).
---------------------------------------------------------------------------
In the same report, we concluded that DHS had further defined the
CIO's authority and responsibility. For example, the DHS deputy
secretary issued a memorandum in May 2011, which directed the CIO to
take a greater role in the review and execution of all IT
infrastructure investments.\3\ The expansion of DHS CIO authority was
due in part to the Federal CIO's IT reform plan, which requires agency
CIOs to implement initiatives to improve management of large-scale IT
programs.\4\ Additionally, Office of Management and Budget Memorandum
M-11-29, Chief Information Officer Authorities, states that agency CIOs
must drive the investment review process for IT investments. To
formalize this guidance, the DHS under secretary for management began
an effort to update the Delegation of Authority for the DHS CIO, which
included oversight of the Department's IT programs.
---------------------------------------------------------------------------
\3\ DHS Deputy Secretary, Information Technology Efficiency, May 5,
2011.
\4\ The 25 Point Implementation Plan To Reform Federal Information
Technology Management, December 9, 2010.
---------------------------------------------------------------------------
The CIO has increased oversight of Department-wide IT programs and
investments by conducting annual IT program reviews and in-depth
reviews of selected IT programs. These reviews enable the CIO to make
strategic recommendations for reducing costs and duplication across the
Department's IT environment. For example, the DHS CIO issued 90
recommendations to the deputy secretary for the 2013 budget year for 81
IT investments continue as planned, eight investments be continued but
modified, and one be suspended. The CIO also made program-specific
recommendations, such as to reinstate $10 million in funding per year
for the Customs and Border Protection (CBP) Traveler Enforcement
Compliance System Modernization in order to prevent further schedule
delays, as well as a recommendation that the Federal Emergency
Management Agency (FEMA) suspend work on its National Flood Insurance
Program Information Technology Systems and Services until business
requirements were better defined.
In addition, the DHS CIO has increased oversight of IT software,
hardware, and infrastructure purchases through the IT acquisitions
review process. The volume of IT acquisition reviews has increased from
243 in fiscal year 2007 to 387 in fiscal year 2011. The number of
approvals for IT acquisition requests has increased from 129 in fiscal
year 2007 to 311 in fiscal year 2011. These reviews have increased the
DHS CIO's ability to verify compliance with technical standards and to
ensure program and project alignment with Department-wide IT policy,
standards, objectives, and goals.
The Department has also achieved infrastructure integration
milestones through data center and network consolidation. Specifically,
the Office of the CIO (OCIO) continues its efforts to consolidate data
centers across the Department, integrate disparate component networks
into a single DHS network, and create centralized email and
collaboration services to improve information sharing. As of November
2011, DHS headquarters, FEMA, the Transportation Security
Administration (TSA), and CBP had migrated applications from eight
sites to one DHS enterprise data center. Additionally, DHS has
established an enterprise network, OneNet, as well as a primary and
secondary network operations center and security operations center. The
OCIO has also begun offering centralized IT services housed at the two
enterprise data centers, such as email and Microsoft SharePoint, to
achieve economic savings through consolidation. Some components are
already realizing cost savings from the data center consolidation and
DHS enterprise service offerings.
Finally, the Department matured key IT management functions, such
as strategic planning, Capital Planning and Investment Control (CPIC),
enterprise architecture, and portfolio management. For example, the
OCIO developed an IT strategic plan for fiscal year 2011-2015. In
addition, the DHS OCIO has continued to execute its CPIC process
effectively, which is DHS' primary process for making decisions about
the systems in which the Department should invest. The OCIO has also
continued to execute Department-wide enterprise architecture efforts,
such as the development of a Homeland Security Enterprise Architecture
and specific segment architectures, which provide the CIO with a
foundation for making better-informed decisions. Finally, the DHS
Portfolio Management process, which establishes portfolios based on
DHS' mission areas and business functions, helps the OCIO to align IT
investments with portfolios and identify redundancies or gaps. Over the
past 2 years the DHS OCIO has begun conducting an annual portfolio
analysis to align IT investments to its 13 existing portfolios and
identify redundancies or gaps. At the time of our audit, the OCIO had
aligned more than 650 IT investments with the 13 portfolios.
major challenges
Although DHS has made significant progress in improving IT
management functions, challenges remain for CIO involvement in
component IT budget planning. For example, the DHS CIO conducts a
review of all components' IT budgets as part of the DHS IT budget
formulation process, which provides opportunity to confirm that
component plans are in line with Departmental priorities. However, the
CIO is not involved during the component IT budget planning process
when initial planning activities are taking place. As such, the CIO IT
budget reviews do not directly affect the amount of funding components
receive, meaning components can obtain funding for IT investments
regardless of the decisions made during the budget review process. For
example, a review of one component's IT budget revealed a funding
request for approximately $6 million to improve IT infrastructure. Yet,
the OCIO had requested $91 million from the component for data center
migration costs for the same budget year, highlighting a discrepancy in
funding plans.
To address this issue we recommended that the deputy under
secretary for management assign the DHS CIO centralized control over
the Department's IT budget planning process to review, guide, and
approve IT investments. Since this recommendation was made, the DHS CIO
has been delegated the authority to review and approve IT budgets for
delivering and maintaining enterprise IT solutions and mission IT
systems and services throughout the Department in coordination with the
DHS CFO. The recommendation was closed in September 2012.
component-specific challenges
Insufficient IT management practices, need for CIO IT budget
authority, fragmented and aging IT infrastructures, and inadequate
governance mechanisms have been long-standing issues for several DHS
components.
Component IT Management Practices Need Improvement
Although DHS and its components have made progress establishing
effective IT management practices, several DHS components have not
fully implemented key IT management functions needed to guide agency-
wide IT programs. For example, in June 2012 we reported that CBP had
developed an enterprise architecture to align with the Department's
architecture and guide CBP's IT environment.\5\ However, the Office of
IT had not yet developed a target ``To-Be'' business architecture to
analyze business processes. Without a complete view of CBP's target
enterprise architecture, the CIO faces increased risks to efforts to
modernize the way OIT provides support to CBP. We recommended the CBP
OIT provide the necessary resources to complete required enterprise
architecture activities.
---------------------------------------------------------------------------
\5\ CBP Information Technology Management: Strengths and Challenges
(OIG-12-95).
---------------------------------------------------------------------------
Similarly, we reported in April 2011 that FEMA had not yet
completed its enterprise architecture. Specifically, the agency had not
completed efforts to document its business functions, information
resources, and IT systems as part of its baseline enterprise
architecture.\6\ Also, the IT architecture remained undocumented for
many program areas and the standards on the OCIOs website were at least
2 years out-of-date. We also determined that FEMA did not have a
comprehensive IT strategic plan with clearly-defined goals and
objectives or guidance for program office initiatives. Without these
critical elements in place, FEMA is challenged to establish an
effective approach to modernize its information technology
infrastructure and systems. We recommended FEMA complete and implement
an enterprise architecture and develop a comprehensive IT strategic
plan. Each of these recommendations were closed in January 2013 when
FEMA produced evidence of a completed baseline architecture and an
updated IT Strategic Plan.
---------------------------------------------------------------------------
\6\ Federal Emergency Management Agency Faces Challenges in
Modernizing Information Technology (OIG-11-69).
---------------------------------------------------------------------------
Likewise, we reported in March 2011 that the United States Secret
Service (USSS) had not updated its IT Strategic Plan since 2006.\7\ As
a result, its plan was not sufficient to address its system weaknesses
or integrate with DHS' technology direction. For example, the plan did
not describe how the USSS will leverage specific DHS enterprise-wide
solutions such as DHS Consolidated Data Centers and OneNet.
Additionally the IT Strategic Plan did not accurately reflect
Information Integration and Transformation Program activities such as
planned upgrades to technology platforms. We recommended that the
deputy director, USSS create effective planning documentation.
---------------------------------------------------------------------------
\7\ U.S. Secret Service's Information Technology Modernization
Effort (OIG-11-56).
---------------------------------------------------------------------------
Component CIOs Need Additional Budget Authority and Oversight
Most of the major component CIOs lack IT budget authority and
oversight of technology spending across programs and activities within
their agency. For example, in our June 2012 review of CBP we found that
the CIO did not have full oversight of IT spending across all programs
and activities within CBP.\8\ Specifically, CBP component offices
submit IT spending requests that were processed by procurement without
going through the CIO's IT acquisition review process, thus increasing
the risk of security issues or enterprise alignment challenges.
Likewise, in April 2011 we reported that FEMA's program offices and
regional offices continue to develop IT systems independent of the OCIO
due in part to decentralized IT budget and acquisition practices.
Specifically, the manner in which IT programs are funded and developed
within FEMA hindered the OCIO's efforts to establish a complete
inventory and manage IT capital planning and investment. For example,
during fiscal year 2010, FEMA spent $391 million for agency-wide IT
needs, but the OCIO accounted for only 29 percent of total spending. We
recommended the FEMA CIO establish an agency-wide IT budget planning
process to include all FEMA program technology initiatives and
requirements.
---------------------------------------------------------------------------
\8\ CBP Information Technology Management: Strengths and Challenges
(OIG-12-95).
---------------------------------------------------------------------------
In September 2011, we reported that the United States Coast Guard
(USCG) CIO had limited authority over IT assets and spending.\9\
Specifically, the CIO does not have sufficient oversight of IT spending
by field units. Without this authority, the CIO cannot fully ensure
that the Coast Guard IT environment is functioning effectively and
efficiently. We recommended that Coast Guard chief of staff transition
IT personnel and oversight of field IT spending under the CIO.
Likewise, in our March 2011 review of USSS \10\ we determined that the
USSS did not position its CIO with the necessary authority to review
and approve IT investments. Specifically, the CIO was not a member of
the director's management team and therefore does not play a
significant role in overseeing IT systems development and acquisition
efforts. We recommended the deputy director, USSS provide the CIO with
agency-wide IT budget and investment review authority to ensure that IT
initiatives and decisions support accomplishment of the USSS and
Department-wide mission objectives.
---------------------------------------------------------------------------
\9\ Coast Guard Has Taken Steps To Strengthen Information
Technology Management, but Challenges Remain (OIG-11-108).
\10\ U.S. Secret Service's Information Technology Modernization
Effort (OIG-11-56).
---------------------------------------------------------------------------
Outdated IT Does Not Effectively Support Component's Missions
Component CIOs are challenged to ensure that the IT environment
fully supports its agencies mission needs. Commonly, interoperability
and functionality of component's aging technology infrastructures have
not been sufficient to support mission activities. For example, in June
2012 we reported that the CBP Office of IT (OIT) faced challenges with
system availability, including periodic outages of critical security
systems.\11\ Systems outages have occurred in part because of aging
infrastructure, which has not been updated as required because of
funding reductions. In addition, the interoperability and integration
of the IT infrastructure were not sufficient to support CBP mission
activities fully, due to lengthy requirements-gathering and technology
insertion processes. As a result, staff created workarounds and
employed alternative solutions, including assigning agents to perform
duplicative data entry--instead of enforcement duties in the field--and
operating stand-alone, non-approved IT. We recommended the CBP CIO
develop a funding strategy for the replacement of outdated
infrastructure. As of February 2013, the CBP OIT was continuing to
assess the needs across CBP to present additional requirements for
funding consideration and prioritization against all other CBP
priorities.
---------------------------------------------------------------------------
\11\ CBP Information Technology Management: Strengths and
Challenges (OIG-12-95).
---------------------------------------------------------------------------
Also, we reported in September 2011 that Coast Guard systems and
infrastructure did not fully meet mission needs due to aging
infrastructure that is difficult to support, and stove-piped system
development.\12\ Specifically, Coast Guard field personnel do not have
sufficient network availability, the aging financial system is
unreliable, and command center and partner agency systems are not
sufficiently integrated. As a result, field personnel rely on
inefficient work-arounds, such as having to enter the same information
twice, to accomplish their mission. We recommended the Coast Guard CIO
address the IT systems and infrastructure needs by implementing a plan
to ensure system redundancy to meet availability requirements,
implement a strategy to improve ease of use and availability of the
financial systems, and ensure that new tools address requirements for
improved integration. Since that time, the recommendation to ensure
that new tools address requirements for improved integration was closed
in April 2012.
---------------------------------------------------------------------------
\12\ Coast Guard Has Taken Steps To Strengthen Information
Technology Management, but Challenges Remain (OIG-11-108).
---------------------------------------------------------------------------
In April 2011, we reported that FEMA's systems were not integrated,
did not meet user requirements, and did not provide the information
technology capabilities agency personnel and its external partners
needed to carry out disaster response and recovery operations in a
timely or effective manner.\13\ Specifically, limited progress had been
made in modernizing the agency's critical mission support systems due
to uncertainty of Department-wide consolidation plans. As a result,
FEMA's legacy systems were not able to effectively support disaster
response functions in a timely and effective manner. As a result, FEMA
personnel were using paper forms and relying on manual data entry to
process grants. These manual work-arounds may suffice during minor
events; however, they may not sustain the increased workload and level
of information sharing required to support major disasters. We
recommended the FEMA CIO establish a consolidated modernization
approach for FEMA's mission-critical IT systems, to include DHS plans
for integrated asset management, financial, and acquisition solutions.
As of December 2012, FEMA had included modernization plans in its 2012
IT Strategic Operations Plan; however, the recommendation remains open
until the OCIO develops a modernization approach for FEMA's mission-
critical IT systems.
---------------------------------------------------------------------------
\13\ Federal Emergency Management Agency Faces Challenges in
Modernizing Information Technology (OIG-11-69).
---------------------------------------------------------------------------
The United States Citizenship and Immigration Services (USCIS)
faces similar challenges to establish an IT environment that can
effectively support its mission needs. We reported in November 2011
that USCIS continued to rely on paper-based processes to support its
mission, which made it difficult for USCIS to process immigration
benefits efficiently, combat identity fraud, and provide other
Government agencies with the information required to identify criminals
and possible terrorists quickly.\14\ On any given day, USCIS processes
30,000 applications for immigration benefits. Yet, USCIS provides
nearly all of its services using paper forms: Customers submit paper
application forms; USCIS adjudications officers determine whether an
applicant is eligible for benefits by reviewing the paper
documentation; and USCIS issues paper evidence of benefits. USCIS staff
also must use automated and manual methods to conduct background checks
on applicants. An enterprise-wide transformation program is under way
to transition the agency from a paper-based operational environment to
an account-based environment using electronic adjudication. However,
implementation of the transformation has been delayed repeatedly over
the past 8 years. We recommended that the Office of Transformation
Coordination complete business and technology process documentation to
provide the detail necessary to implement the transformation program
effectively. Since that time, USCIS provided process documentation in
July 2012 and the recommendation was closed.
---------------------------------------------------------------------------
\14\ U.S. Citizenship and Immigration Services' Progress in
Transformation (OIG-12-12).
---------------------------------------------------------------------------
Better IT Governance Needed for IT Modernization Efforts
Components implementing transformation efforts are hindered by
insufficient governance and decision-making mechanisms to effectively
direct agency-wide transformation program activities. In our March 2011
report, we found that the USSS did not implement an effective IT
governance approach for its Information Integration and Transformation
Program, which had an estimated cost of $1.5 billion.\15\ Specifically,
the agency did not have a formal Department-level IT governance
mechanism to provide integrated feedback and direction for the
transformation program effort. Without a formal mechanism for
integrated governance, the USSS reached out individually to DHS offices
and received conflicting advice and did not sufficiently consider DHS
enterprise-wide solutions. We recommended that the deputy director,
USSS formalize an Executive Steering Committee and ensure that the
Information Integration and Transformation Program is in alignment with
the USSS and DHS strategic goals and objectives. Since that time, the
USSS has provided updates on its ongoing efforts to implement an
Executive Steering Committee which includes USSS Senior Management and
DHS members from the offices of the CIO, the chief procurement officer,
and the Acquisition, Planning, and Management Directorate.
---------------------------------------------------------------------------
\15\ U.S. Secret Service's Information Technology Modernization
Effort (OIG-11-56).
---------------------------------------------------------------------------
Likewise, our April 2011 review of USCIS Transformation concluded
that USCIS' transformation governance structure did not promote timely
and effective decision making.\16\ Specifically, the governance
structure was overly complex and required too many formal meetings and
checkpoints for review, hindering decision making. We recommended that
the chief, Office of Transformation Coordination revise its current
governance structure to enable more streamlined program decision
making. Since that time, USCIS has continued to revise its governance
structure to include a Transformation Executive Steering Committee and
a Product Management Team.
---------------------------------------------------------------------------
\16\ U.S. Citizenship and Immigration Services' Progress in
Transformation (OIG-12-12).
---------------------------------------------------------------------------
Mr. Chairman, this concludes my prepared statement. I appreciate
your time and attention and welcome any questions from you or Members
of the subcommittee.
Mr. Duncan. Thank you, Mr. Edwards.
Thanks to everyone for their testimony. I will now
recognize myself for 5 minutes of questions.
First thing I want to point out is in the GAO report, Mr.
Powner. I was looking at the primary causes for cost and
schedule shortfalls and inaccurate preliminary cost and
schedule estimates. What attributed to that? Had they changed
the needs? Did they not think through the whole IT process
appropriately? I ask that question in light of going out to St.
Elizabeths and the cost overruns there.
Mr. Powner. A couple things. One is when you look--when we
look at cost and schedule estimating, requirements is a big
area. So if you look at requirements many times, as I know
Ranking Member Barber, you mentioned about getting the user
requirements up front with systems like SBInet. So, getting the
requirements nailed down that definitely affects your cost and
schedule estimate up front.
Also, we look at the complexity where if you have
interdependencies from other systems, and some of these
projects have you know various components that need to work
together. We look for critical pass and how they manage that.
It is a very disciplined process when you look at the
complexity involved with some of these acquisitions, Mr.
Chairman. We find holes in that discipline when it comes to
both the cost and schedule estimating.
But again, requirements is key, making sure you have--
because if you don't have the requirements up front, you could
have discipline processes. You are still going to have a poor
estimate.
Mr. Duncan. Well, I have never built a house, but I was a
banker for 8\1/2\ years, and financed a lot of them, and saw a
lot of wives and husbands make changes to the house as it was
being built. When you change the priorities going forward in
any kind of project you are going to run into cost overrun. So,
you have got changes in agency priorities. Can you elaborate?
Mr. Powner. There are--again, several of those systems,
these are the 21 systems that were not within 10 percent of
cost and schedule estimates. So we saw that again. This is tied
to requirements too. There is a link to requirements. But we
saw some of these systems.
There was a change in priorities for the agency. So, for
instance, when you start looking at you know a good example--I
mean this wasn't, but if you go back to like our US-VISIT work,
you know one time you are focused on exit and entry, you are
focused on a biometric. Then all of a sudden we start going
with a smaller focus.
One of the things I would like to highlight when you look
at these priorities is it is very important to go smaller;
smaller increments on these projects because Mr. Edwards
mentioned many times--many of the past problems had been they
tried to do so much all at once. If you look at the corrective
action plans currently in DHS's statement, there is typically
deliverables within 12 months. So we want to see more of that
incremental approach to things because then it is more
manageable. Then that way we can stick to the priorities if it
is smaller.
Mr. Duncan. Thank you for your work on that. I am going to
shift to yours in just a minute because the TECS system is
something I am very, very interested in, Traveler Enforcement,
and how we are screening the folks that are coming into this
country, the databases we are building on each of those
individuals, but how that information is shared between the
front-line people that are doing visa applications or screening
with the State and ICE and also there at the border,
particularly airports, coming into this country.
So, I will ask Ms. Graves, how did--or how will modernizing
the TECS system benefit those ICE agents? How does ICE
coordinate with the CBP in that effort?
Ms. Graves. Well, luckily, sir, there is a joint program
office effort that works together with ICE and CBP that looks
at the case management aspect of the TECS Modernization, which
is the ICE piece of equation, as well as the modernization of
how the derogatory databases are pulled together to provide
that data to the front-line officers for their adjudication and
for their identification of possible entrants into the country
that have derogatory information against them.
Some of the modernizations that are going on in the TECS--
in the TECS Modernization program are going to provide some
additional functionality, and particularly there are going to
be some improvements made that are going to help with the
efficiencies of the front-line officers. Those include the fact
that when the primary adjudication is done that that
affirmation is going to be packaged and passed in an automated
fashion to the secondary adjudicator.
That adjudicator will be able not only to have that
immediately available, but be able to build upon that by adding
additional datasets from the Department of Agriculture, from
other areas that were not included in the first primary
screening.
So, that would streamline the process. The secondary
adjudicator wouldn't be starting over. It also feeds directly
into once the adjudication is made into the case management
aspect within ICE so that if there is a derogatory finding that
would be the--would enter into the case management process.
Both of those systems are being modernized in an integrated
fashion. The expectation is to exit the mainframe technology
with both of those systems being off the mainframe technology
in concert in 2015.
Mr. Duncan. Yes. I have been down to Nogales to the vehicle
crossing there and stood in the phone booth-type apparatus
where the Customs and Border Patrol Agents are screening those
cars and the occupants. I want to make sure, and I know you do
as well, but that the information they have on those occupants
as they scan their ID cards or their passports is accurate and
we know that they have got every--every bit of information,
even if it is derogatory towards apprehending illegals or
terrorists or others that are coming into this country.
I think the American people would want us to make sure that
those Border Patrol agents have up-to-date and complete
information on suspected terrorists that might be coming in, or
other individuals. So I am looking forward to seeing how TECS
Modernization goes forward. I appreciate your testimony.
With that I will yield to Mr. Barber, the Ranking Member.
Mr. Barber. Well, thank you, Mr. Chairman. I wanted to ask
Ms. Graves a question related to lessons learned and how we
might improve processes going forward.
As you know, I noted that we, unfortunately prohibited the
end-users or the Border Patrol agents from having impact on the
initial SBInet effort. So, given that experience, and knowing
that we spent a billion dollars that really didn't get us too
far, what plans is the Department or steps the Department
taking to include the end-users fairly early on in the future
development of IT? Can you elaborate on what you are doing to
change that approach?
Ms. Graves. Yes, absolutely. I am pleased to be able to
tell you that--I will use the ACE program as an example. We met
last week and what we are doing in implementing the Agile
methodology, the Agile development methodology for IT is we are
creating user stories. The source of that user story, Mr.
Powner spoke about requirements. But in the Agile methodology
the requirements are actually drafted into these user stories
that are actually developed in concert with the embedded
operational entities that will work with the program throughout
its development cycle.
These users are developing along with the developers. They
are sitting with the developer. They are talking through the
use cases. They are testing at appropriate times when
functionality is actually delivered. They are providing
immediate feedback, which is continuously incorporated into the
development cycle so that they are constantly at the table.
There is no separation of church and state. There is no
indication that there is going to be a quick conversation with
a user base and then you develop over in the corner and you
come back later on and you find that you really haven't hit the
mark. It is a continuous process. It is continuous integration,
continuous user stories. What they also do by having the users
at the table is to understand how those priorities change.
We talked about one of the things that drives cost overruns
in the changing requirement landscape and the shift in
priorities. With the users constantly at the table we have the
opportunity to have the business mission side of the equation
adjudicate what is going to be the next user story that is
actually developed. In that case it allows us to shift or
transfer workload accordingly, driven by the business
imperative.
Mr. Barber. I appreciate the steps. Hopefully they will
ensure that we go forward with a full understanding of what the
end-users need and can actually help us design.
This is a question specific to one of the--Ms. Graves, for
you, specific to one of the 21 projects that are problematic. I
am focusing here on the National Cybersecurity Protection
System. This committee, the overall Committee on Homeland
Security, I know the Chairman and I am also very concerned
about where we are going with this.
The President issued an Executive Order recently putting
some priority on this for DHS. But, this is one of the 21 that
is not doing so well. What steps are being taken subsequent to
the President's Executive Order to give priority to the
cybersecurity IT system?
Ms. Graves. We have an executive steering committee. As I
spoke earlier about our tiered governance process, we have an
executive steering committee which has actually got the
leadership of NPPD, the component that owns that system at the
table.
Also, there has a lot of what I would consider to be
stakeholder involvement from the ISPs, the internet service
providers out in the commercial sector because that particular
system has to be developed in concert with them. There has to
be a full understanding of the requirements base as well as the
expectation of what the capability is going to be at the end of
delivery.
So, I think what we are going through now is that ESC is
looking at those requirements bases and they are making the
appropriate adjustments along with the ISPs. Some of the
conversations for the ISPs are on-going and still have to be
concluded. So I would put for the record that we could come
back and speak to that when that has occurred.
Mr. Barber. You just have a few seconds left, but I just
want to elaborate on that question as we look at sequestration
and what is happening to the Department's budget. How are you
going to--or how are you prioritizing projects, given what you
are facing with sequestration?
Ms. Graves. With sequestration the Department will
prioritize the requirements based on the Secretary's goal
priorities. That of course, as she has stated repeatedly in
public forums is front-line mission. Many of those front-line
missions are the ones that we have discussed today.
So I have no doubt that those will be prioritized. It
really is about the law enforcement officer on the ground and
about fully outfitting that officer with the communications
capability and the IT information capability in order to
effectively do their job.
Mr. Barber. Thank you, Mr. Chairman.
Mr. Duncan. Thank you.
The Chairman now recognizes the gentleman from Big Sky
Country, Mr. Daines, for questioning.
[Off mike.]
Mr. Daines. We will try this one. That is better.
There has been a lot of discussion here about cost and
schedule, which I completely appreciate and respect. I spent 28
years in the private sector, in fact 12 years of a cloud
computing company delivering projects. So I have seen it from
both sides.
There has been--you know the discussion has been on cost
and on schedule, an important role certainly of the CIO of an
organization in project management and delivery. But a project
is still a means to a greater end. I would--as a taxpayer and
representative of taxpayers of America, there has been
investments made. But I want to talk to you about the return on
that investment, assuming for a moment that we do hit projects
on schedule and at or below budget.
Let me talk, Ms. Graves, about the two or three best
examples where we have really seen a return on investment for
the taxpayer on completed projects.
Ms. Graves. Again, I will go back to--I will start with ACE
and then I will segue into a couple of the other programs that
we have talked about today.
Particularly for ACE what we have seen in terms of real
metrics and measurable outcomes that are associated with the
improvements that have been made in that program would include
faster border crossings. The ACE truck manifest capability
today provides 30 percent faster processing time. Industry cash
savings, of course here with ACE we are dealing primarily with
the trade community.
So today ACE provides for monthly interest-free duty
payments accounting for over 60 percent of all duty and fee
payments. So that is a savings to the trade industry. Single
window of capability for the ACE partners in trade to come into
the system and get all of the services that are provided by the
unified system. So, those are just a few with ACE.
When we look at CIS transformation what we are talking
about there is an instantaneous improvement with the ability to
do automated benefits approaches. In the sense of the customer,
the person asking for adjudication of either benefits or
citizenship, it provides an automatic account setup.
It provides an ability to take what they input into that
automated account setup in terms of their name, date of birth,
other personal information. That information will flow to other
transactions that they might have with CIS in the future, which
makes it more customer-friendly. It allows them to look up the
status of their application. It also provides a customer
interface that is--has been--the tires have been kicked, it is
very user-friendly.
CIS has proved the outcome as being positive by actually
going back to the users that have used the new automated system
and asking them to complete a survey. That survey has indicated
a 94 percent positive response saying that this is much better
than what they have had to deal with in the past.
Mr. Daines. I am glad to hear there is metrics there. What
was the total investment on ACE, roughly?
Ms. Graves. I think it is about--hold on just a moment,
sir, I might have that. If I don't, I will get it back for the
record. But I think it is about $1.2 billion to date----
Mr. Daines. With $1.2 billion, are you able to quantify any
specific monetary savings for that investment?
Ms. Graves. I don't have that information readily
available. But I can certainly get that back for the record.
Mr. Daines. I would appreciate just looking--and I realize
that there may be some more qualitative kind of savings versus
quantitative because you talk about customer satisfaction. But
I think it is just helpful as we think about the investment
around what is quantifiable in terms of return, you know from a
dollar viewpoint. I would appreciate seeing that information.
Ms. Graves. Yes, sir.
Mr. Daines. Any other positive benefits that you maybe
could comment on relating to the adoption of cloud computing,
or move to that platform?
Ms. Graves. I am smiling because this is kind of the
wheelhouse of the OCIO. So I am very happy to talk about that.
We have established at DHS two secure data centers, and we
are consolidating 42 separate data centers into those. We have
completed 18 at this point. The way that we are doing that is
we have adopted a methodology where establishing cloud services
and particularly platform-as-a-service, software-as-a-service
within those two data centers so that we can migrate our
components to those. I will give you two recent examples.
One, we are in the midst of our enterprise consolidation of
our email systems and we have moved four of our primary
components onto that system at this point in time. We have
109,000 users with approximately another 120 to go. In that
process we have saved--we established a service that is
essentially $7.00 a mailbox.
That has been benchmarked against external companies that
are providing the same type of service. But in fact, ours is
enhanced because of the security requirements of DHS. But we
benchmarked that against Google and against Microsoft, et
cetera. From the posture that our components had that have
already moved in, we have documented the savings and I can
provide those to you in, again, in a question for the record.
Also we have--I will give you an example of FEMA. We went
from $24 a mailbox down to $7.00. So these are really
quantifiable savings that we can talk about. We have 12 of
these enterprise cloud services, each one of which has its
story attached to it.
Mr. Daines. Okay. I yield back.
Mr. Duncan. Thank you.
The Chairman will recognize Mr. Payne, from New Jersey.
Mr. Payne. Thank you, Mr. Chairman. Good afternoon.
Mr. Powner and Ms. Graves, I represent the 10th District in
New Jersey, which encompasses the Port of Newark and Port of
Elizabeth, which makes up the New York-New Jersey port system.
So as you know--as you can imagine, I am very concerned
about the safety of the port and whether we are doing
everything we can to make sure that our ports have the most up-
to-date technologies and IT systems that ensures the CBP, as
well as local law enforcement, have the tools to be able to do
their jobs efficiently and effectively to prevent illegal and
dangerous materials from coming into our country, all the while
expediting the flow of commerce.
The--a system is being developed with the goal to
streamline port entry and for legitimate trade, but also to
ensure our safety and our ports. Could you explain the advances
in the ACE technology? I know you alluded to some of it this
morning, Ms. Graves. Include how these advances will achieve
the goal or streamline trade protecting our ports.
Ms. Graves. Certainly. The key here is to provide a
platform that allows us to operate in the information-sharing
environment. It is the whole reason why DHS was warned in the
first place, because the failure to share certain information
may have resulted in 9/11.
When we look across the landscape of what is being provided
by ACE, they are pulling information from not only within DHS
but also from cargo manifests, from the screening that gets
done at the ports themselves. If you are familiar with NIIS,
which is the actual screening for rad/nuclear and other
explosive materials, that gets done at each port.
All of that information feeds into the commercial
environment, the automated commercial environment. What it
allows the individual officers to do is truly develop a risk
profile. So the more information that they have on individual
companies with the longevity of how they have dealt with them
in the past and the myriad of information that they have
collected on those companies, as trade moves in and out of the
port they have a profile of individual transactions.
That helps them develop that risk-based approach to where
they should spend their time, their officers' eyes on the prize
in terms of that risk-based analysis. It allows them to develop
a set of trusted partners, trusted shippers, and then
concentrate on the area where there is not as much information
or where there may be some derogatory information that would
you know be better--time would be better spent there to try to
prevent anything from happening.
Mr. Payne. Okay. Where do the shortfalls in implementing
ACE continue to exist?
Ms. Graves. At this point in time we are in a pilot stage
of doing the first few sprints in the Agile methodology. I
think what this will do is it will solve some of the problems
that we talked about at the very beginning. The ability is to
be flexible in terms of the changing requirements.
One of the things that I believe got ACE into trouble in
the first place was the changing priorities of the trade
organization, some legislative changes that required that the
system be updated and configured in a different fashion to
support those changing legislative requirements. In this
methodology I believe we will be able to address those more
effectively.
Mr. Payne. Okay. Well I will--in the interest of time I
will yield back.
Mr. Duncan. Thank the gentleman for yielding back.
The Chairman will now recognize Mr. O'Rourke from Texas.
Mr. O'Rourke. I wanted to follow up on some of the
questions asked and comments made about return on investment. I
know, Mr. Powner, in your testimony you pointed to arrests made
and entry denied as return on the investment made in I believe
the Century program.
What about--and Ms. Graves, you talked about in terms of
ACE getting more efficiencies in crossings--in legitimate
crossings. That is the subject I am really interested in, how
we increase throughput of legitimate trade, people, and
privately-owned vehicles at our crossings. Do you have any
specific measures for what these investments turned into?
Because we know in El Paso, and I think those of us who are
interested in trade in this country understand that the more we
get through our ports of entry, the more jobs we create here.
There is a number that we can ascribe to that return. Can you
do that against the investment that you have made in these
different platforms and softwares and programs and technologies
that have been adopted?
Ms. Graves. Yes, we do have performance measures that are
in place for each one of these programs. If they are
specifically designed the way you described, I will have to go
back and look. I can certainly do that for the record.
But to the point of the streamlining and the reduction in
the process time and things of that nature, as--you know as
working in the finance arena I believe you could quantify those
back to dollars. I will check into that.
Mr. Powner. If I could add, the discussion about return on
investment, we focus a lot on cost and schedule and stuff. This
is exactly the right focus that is needed. So if you look at
the--we spent--DHS spends $4 billion annually on 68 systems.
CBP, ICE, and CIS, there is 32 investments about $2 billion.
Okay, 32 investments, $2 billion; that is a lot of money for 32
systems.
I think the key question for DHS is those 32 systems, what
are we getting in 2013 for a $2 billion investment in those
three organizations? Or for these 68 systems that we spent $4
billion on, what are we getting?
Mr. O'Rourke. Right.
Mr. Powner. Two-thousand thirteen. What did we get last
year?
So, some of the documentation goes to OMB to justify the
investments. There is some pretty good data in there and some
metrics that DHS provides--that I provided in my oral statement
on the US-VISIT application. But I think one of the things is
DHS moves towards its incremental development. It is great that
we are going incremental, but the bottom line is if we are
going to spend $2 billion on 32, what are we getting in 2013,
what is the plan in 2014?
Then there is follow up that in fact that functionality was
delivered. Very few Federal agencies and departments--we call
that like an integrated deployment plan or an integrated
release plan. That would be very valuable for this committee if
you had something like that. I think they have it by system. I
don't think they have it for the collection of systems.
Ms. Graves. Right----
Mr. O'Rourke. Yes. I was also looking at the numbers
related to ELIS or E-L-I-S. The over $700 million spent and
processed through that system I think 16,000 applicants, and
realized it is not fully implemented yet, but that you know
obviously should concern all of us. I am glad that the Ranking
Member mentioned SBInet and some of the boondoggles that DHS
has been involved in, in the past.
So, my question for the inspector general, or GAO, for Ms.
Graves, is--when do you know when it is time to pull the plug
on something and when you are not achieving that return that
warrants additional money spent, especially in a time of tight
budgets? Especially when we can't get enough CBP officers
manning our ports of entry in El Paso?
Mr. Edwards. Well, basically it is the triple constraint.
If you have the scope and schedule and cost, and if the scope
deviates, naturally the cost and the schedule is going to
deviate.
What DHS in the past has been doing was this big-bang
approach, and not having a complete cost for the--lifetime
costs for the systems in place. But in the last few years, with
Rafael Borras now, the Secretary and Deputy Lute, they have not
looked at IT just as IT, but looked--have a holistic approach.
The IT piece and the acquisition; they want to create a
group program called Accountability and Risk Management. Every
IT requisition or request needs to go through this review
board. They need to come prepared with the entire life-cycle
cost of what it takes, and did they really meet that or not.
So they have a good process in place. It is going to take
some time for them to get where they need to be.
Mr. O'Rourke. I yield back.
Mr. Duncan. Thank you.
Thank you. Unfortunately we do have another vote series,
about 10 minutes left on the clock.
So, Mr. Edwards, I thought you were going to get through
the whole hearing without having to answer a question, but you
got in there at the end.
So I want to thank the witnesses for your valuable
testimony, and the Members for their questions today. It is a
learning process for this committee on how IT is being
integrated for the Department. We want to see some successes
there because it is very important to the safety and security
of this Nation.
Mr. Daines asked some questions that weren't answered. So
if you could provide those in writing. The Members of the
committee may have additional questions for the witnesses, and
we will ask you to respond of these questions in writing.
Without objection, the committee will be adjourned. Thank
you.
[Whereupon, at 3:53 p.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Chairman Jeff Duncan for Margaret H. Graves
Question 1. What additional authorities could help the DHS CIO
ensure border security and immigration IT programs are delivered on
time, on budget, and meet/exceed capabilities?
Answer. Response was not received at the time of publication.
Question 2. What steps has DHS taken to ensure that legacy border
and immigration IT systems can effectively share data and ``speak to
one another''? What concerns, if any, do you have on information
sharing between legacy systems and how might these concerns impact
border and immigration officers in the field?
Answer. Response was not received at the time of publication.
Question 3. CBP's Northern Border Remote Video Surveillance System
was delayed by 2 months. How did this affect our security along the
Northern Border? What is the current status of the program?
Answer. Response was not received at the time of publication.
Question 4. The DRO Modernization effort is supposed to make
detention and removal more efficient. What does this mean in plain
English? Should the American people be prepared for a higher number of
detainee releases once this effort is completed in the future?
Answer. Response was not received at the time of publication.
Question 5. What is the status of IT efforts associated with the
Secure Communities program? What have been the key IT challenges as the
program has been deployed across the Nation? Are State and local
infrastructures capable of properly supporting the program?
Answer. Response was not received at the time of publication.
Question From Honorable Richard Hudson for Margaret H. Graves
Question. We frequently read about the inability of newly-deployed
systems to communicate with one another and their predecessors once
deployed. What is DHS doing to ensure that systems like TECS, a system
of records that include temporary and permanent enforcement,
inspection, and operational records relevant to the antiterrorism and
law enforcement mission of numerous Federal agencies, will be able to
interface with the existing systems at DHS as well as other Federal,
State, and local agencies?
Answer. Response was not received at the time of publication.
Question From Honorable Beto O'Rourke for Margaret H. Graves
Question. Although we recognize that RFID requirements for
passports involves addressing globally-accepted standards, I understand
that Ready Lanes used at our ports of entry to increase inspection
efficiencies cannot use readers to scan RFID-enabled passports. The
passport card, the laser visa/border crossing card, and the permanent
resident card, however, all can be scanned at out ports of entry.
What is being done to better coordinate technology acquisition when
used across multiple agency platforms?
How do we best address these inefficiencies?
How is CBP educating the public on the benefits of a U.S. passport
card versus a regular passport book for admissions?
Answer. Response was not received at the time of publication.
Questions From Chairman Jeff Duncan for David A. Powner
Question 1. What grade (A,B,C,D,F) would you give CBP, ICE, and
USCIS in their development and implementation of major IT programs
based on their ability to meet mission needs, cost, and schedule?
How would you rate DHS's performance in delivering IT systems
against other Federal agencies?
Answer. Response was not received at the time of publication.
Question 2. Do DHS and its components (CBP, ICE, USCIS) have a
shared vision and strategy for its IT programs?
If not, what impact does this have on their success?
Answer. Response was not received at the time of publication.
Question 3. IT management was highlighted in GAO's recently-issued
``High-Risk List''. According to GAO, the Department still has only
partially addressed 4 of 6 IT management outcomes. Is DHS heading in
the right direction to fix these deficiencies?
Why hasn't more progress been made on these outcomes?
Answer. Response was not received at the time of publication.
Question From Honorable Richard Hudson for David A. Powner
Question. We frequently read about the inability of newly-deployed
systems to communicate with one another and their predecessors once
deployed. What is DHS doing to ensure that systems like TECS, a system
of records that include temporary and permanent enforcement,
inspection, and operational records relevant to the antiterrorism and
law enforcement mission of numerous Federal agencies, will be able to
interface with the existing systems at DHS as well as other Federal,
State, and local agencies?
Answer. Response was not received at the time of publication.
Questions From Chairman Jeff Duncan for Charles K. Edwards
Question 1. What grade (A,B,C,D,F) would you give CBP, ICE, and
USCIS in their development and implementation of major IT programs
based on their ability to meet mission needs, cost, and schedule?
How would you rate DHS's performance in delivering IT systems
against other Federal agencies?
Answer. Response was not received at the time of publication.
Question 2. What steps does DHS need to take to ensure IT programs
supporting our border agents and immigration officers are efficient and
effective moving forward?
Answer. Response was not received at the time of publication.
|
NEWSLETTER
|
|
Join the GlobalSecurity.org mailing list
|
|
|
