GAO-03-1083, Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed


This is the accessible text file for GAO report number GAO-03-1083 
entitled 'Homeland Security: Risks Facing Key Border and Transportation 
Security Program Need to Be Addressed' which was released on September 
19, 2003.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to Congressional Committees:

September 2003:

HOMELAND SECURITY:

Risks Facing Key Border and Transportation Security Program Need to Be 
Addressed:

GAO-03-1083:

GAO Highlights:

Highlights of GAO-03-1083, a report to Subcommittees on Homeland 
Security, Senate and House Committees on Appropriations 

Why GAO Did This Study:

The Department of Homeland Security (DHS) plans to establish a program 
to strengthen management of the pre-entry, entry, status, and exit of 
foreign nationals who travel to the United States. The goals of the 
program, known as the United States Visitor and Immigrant Status 
Indicator Technology (US-VISIT), are to facilitate legitimate trade 
and travel, enhance national security, and adhere to U.S. privacy laws 
and policies. By congressional mandate, DHS is to develop and submit 
for approval an expenditure plan for US-VISIT that satisfies certain 
conditions, including being reviewed by GAO. GAO was asked to 
determine, among other things, whether the plan satisfies these 
conditions and to provide observations about the plan and DHS’s 
management of the program.

What GAO Found:

DHS’s fiscal year 2003 US-VISIT expenditure plan and related 
documentation partially satisfied the conditions imposed by the 
Congress, which include meeting the capital planning and investment 
control review requirements of the Office of Management and Budget 
(OMB). For example, DHS fulfilled the OMB requirement that agencies 
state whether projects are approved by investment review boards and 
reviewed by Chief Financial and Procurement Officers; the plan was 
conditionally approved by DHS’s review board, which includes DHS’s 
Chief Financial and Procurement Officers. On the other hand, OMB 
guidance requires that agency plans summarize life cycle costs and 
include a cost/benefit analysis that covers return on investment. DHS 
has not yet established a date and plan for developing these for US-
VISIT, although program officials stated that they intend to do so.

GAO also identified 10 factors (see figure) affecting US-VISIT and 
concluded that the program is a very risky endeavor. Some risk factors 
are inherent to the program, such as its mission criticality, its size 
and complexity, and its enormous potential costs. Others, however, 
arise from the program’s relatively immature state of governance and 
management. For example, although the program has governmentwide 
scope, an accountable governance structure to direct and oversee the 
program that reflects this scope is not yet established. In addition, 
a US-VISIT program management capability has yet to be established, 
important aspects defining the program’s operating environment are not 
decided, facility needs are unclear and challenging, and the mission 
value to be derived from the program’s initial operating capability is 
unknown. Because of the risk factors, GAO concluded that it is 
uncertain that US-VISIT will be able to measurably and appreciably 
achieve DHS’s stated goals for the program. Further, DHS’s near-term 
investment in the program is at risk of not delivering promised 
capabilities on time and within budget and not producing mission value 
commensurate with investment costs. 

What GAO Recommends:

GAO is making a number of recommendations to the Secretary of DHS 
aimed at minimizing the risks facing US-VISIT, including (1) 
establishing an executive body, composed of appropriate stakeholder 
representatives, to guide and direct the program, be held accountable 
for the program’s progress and outcomes, and address key program 
issues and make associated decisions and (2) taking steps to establish 
an effective program management capability. DHS concurred with our 
recommendations and stated that it has made progress toward addressing 
them.

www.gao.gov/cgi-bin/getrpt?GAO-03-1083

To view the full product, including the scope and methodology, click 
on the link above. For more information, contact Randolph C. Hite at 
(202) 512-3439 or hiter@gao.gov.

[End of section]

Contents:

Letter: 

Recommendations for Executive Action: 

Agency Comments: 

Appendixes:

Appendix I: Briefing to the Staffs of the Subcommittees on Homeland 
Security, Senate and House Committees on Appropriations: 

Appendix II: Comments from the Department of Homeland Security: 

Abbreviations: 

ADIS: Arrival Departure Information System: 

APIS: Advance Passenger Information System: 

CCD: Consular Consolidated Database:

CLAIMS 3: Computer Linked Application Information Management: System 
3:

CLASS: Consular Lookout and Support System: 

DHS: Department of Homeland Security:

EA: enterprise architecture:

IBIS: Interagency Border Inspection System: 

IDENT: Automated Biometric Identification System:

INS: Immigration and Naturalization Service:

IRB: Investment Review Board:

IT: information technology: 

NIIS: Non-Immigrant Information System:

NSEERS: National Security Entry-Exit Registration System:

OMB: Office of Management and Budget:

POE: port of entry:

SA-CMM®: Software Acquisition Capability Maturity Model®:

SEI: Software Engineering Institute:

SEVIS: Student Exchange Visitor Information System:

US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology: 

Letter September 19, 2003:

The Honorable Thad Cochran 
Chairman 
The Honorable Robert C. Byrd 
Ranking Minority Member 
Subcommittee on Homeland Security 
Committee on Appropriations 
United States Senate:

The Honorable Harold Rogers 
Chairman 
The Honorable Martin Olav Sabo 
Ranking Minority Member 
Subcommittee on Homeland Security 
Committee on Appropriations 
House of Representatives:

Pursuant to the Consolidated Appropriations Resolution, 2003,[Footnote 
1] the Department of Homeland Security (DHS) submitted to Congress in 
June 2003 its fiscal year 2003 expenditure plan for the United States 
Visitor and Immigrant Status Indicator Technology (US-VISIT) program. 
US-VISIT is a governmentwide program intended to improve the nation's 
capacity for collecting information on foreign nationals who travel to 
the United States, as well as control the pre-entry, entry, status, and 
exit of these travelers. The goals for US-VISIT are to facilitate 
legitimate travel and trade, enhance national security, and adhere to 
U.S. privacy laws and policies. As also required by the Consolidated 
Appropriations Resolution, 2003, we reviewed the expenditure plan. Our 
objectives were to (1) determine whether the US-VISIT fiscal year 2003 
expenditure plan satisfies certain legislative conditions specified in 
the Consolidated Appropriations Resolution, 2003; (2) determine the 
status of our US-VISIT open recommendations; and (3) provide any other 
observations about the expenditure plan and DHS's management of US-
VISIT. The specified legislative conditions are that the plan meet the 
capital planning and investment control review requirements established 
by the Office of Management and Budget (OMB), including OMB Circular A-
11, part 3; that it comply with the acquisition rules, requirements, 
guidelines, and systems acquisition management practices of the federal 
government; and that it be reviewed by GAO.

On July 18, 2003, we provided your offices a written briefing detailing 
the results of our review. This report summarizes and transmits this 
briefing. The full briefing, including our scope and methodology, is 
reprinted as appendix I.

Concerning our first objective, DHS partially satisfied those 
legislative conditions specified in the Consolidated Appropriations 
Resolution, 2003, that are applicable to it. That is, the plan, 
including related program documentation and program officials' 
statements, satisfied or provided for satisfying many, but not all of 
the key aspects of (1) OMB's capital planning and investment control 
review requirements; and (2) federal acquisition rules, requirements, 
guidelines, and systems acquisition management practices. For example, 
DHS fulfilled the OMB requirement that agencies state whether projects 
are approved by investment review boards and reviewed by Chief 
Financial and Procurement Officers; the plan was conditionally approved 
by DHS's review board, which includes DHS's Chief Financial and 
Procurement Officers. On the other hand, OMB guidance requires that 
agency plans summarize life cycle costs and include a cost/benefit 
analysis that covers return on investment. DHS has not yet established 
a date and plan for developing a current life cycle cost and a cost/
benefit analysis for US-VISIT, although program officials stated that 
they intend to do so.

Concerning our second objective, DHS has initiated action to implement 
or has partially implemented most, but not all of the recommendations 
contained in our report on the fiscal year 2002 expenditure 
plan.[Footnote 2] Each recommendation, along with the status of each, 
is summarized below.

* We recommended that DHS develop a system security plan and privacy 
impact assessment. The department has action under way to address this 
recommendation. Specifically, DHS reported that it has defined security 
and privacy requirements and has drafted a security plan and a privacy 
impact assessment.

* We recommended that DHS ensure that controls in the area of 
acquisition planning, solicitation, requirements management, program 
management, contract tracking and oversight, and evaluation are 
implemented in accordance with the Software Engineering Institute's 
(SEI) guidance.[Footnote 3] The department plans to implement this 
recommendation. Specifically, DHS has recently approved a program 
management structure that includes functions consistent with these 
controls; however, it has not yet developed explicit plans or time 
frames for defining and implementing them.

* We recommended that DHS ensure that future expenditure plans are 
provided to the department's House and Senate Appropriations 
Subcommittees in advance of US-VISIT funds being obligated. With 
respect to the fiscal year 2003 expenditure plan, DHS partially 
satisfied this recommendation. Specifically, it provided this plan to 
the Senate and House Appropriations Subcommittees on Homeland Security 
in June 2003. However, following DHS's request for use of $5 to $7 
million in March 2003, the April 2003 House Conference Report[Footnote 
4] recommended that DHS use $5 million for US-VISIT. DHS subsequently 
allocated the $5 million to the US-VISIT program.

* We recommended that DHS ensure that future expenditure plans fully 
disclose US-VISIT system capabilities, schedule, cost, and benefits. 
With respect to the fiscal year 2003 expenditure plan, DHS has 
partially satisfied this recommendation. Specifically, this plan 
describes high-level capabilities by increment, high-level schedule 
estimates, and categories of expenditures. However, the plan does not 
associate these categories of expenditure to incremental capabilities, 
time frames, and benefits. Moreover, the plan does not identify 
expected benefits in tangible, measurable, and meaningful terms, nor 
does it associate benefits with increments.

Finally, we identified 10 factors that make US-VISIT a risky endeavor. 
Some of these risk factors are inherent to the program, and others are 
a product of the program's relatively immature state of governance and 
management. The specific risk factors that we identified are as 
follows:

* US-VISIT is critical to the department's mission in preventing the 
entry of persons who pose a threat to our nation into the United 
States. The missed entry of just one of these persons could have severe 
consequences.

* US-VISIT is large in scope and complex. For example, the program is 
to (1) support a large governmentwide process involving multiple 
departments and agencies, (2) modify and expand facilities at over 150 
land ports of entry, and (3) interconnect about 20 existing systems.

* To meet US-VISIT's daunting milestones,[Footnote 5] DHS has chosen to 
implement temporary solutions, largely because over the last 7 years, 
limited progress has been made in addressing key legislative 
requirements. For example, to meet deadlines at land ports of entry, 
DHS plans to develop and implement interim, or temporary, system and 
facility solutions.

* The program will be a costly undertaking. In February 2003, DHS 
estimated that the program would cost about $7.2 billion through fiscal 
year 2014. However, this estimate is outdated and does not include, for 
example, the State Department's cost to implement visas with 
biometrics, which we previously estimated could add as much as $15 
billion to the program's cost through 2014.[Footnote 6]

* The performance of initial increments of the US-VISIT system depends 
on the performance of existing systems that are to be interfaced. Some 
of these systems, such as the Student and Exchange Visitor Information 
System[Footnote 7] and the Computer Linked Application Information 
Management System 3,[Footnote 8] have known system availability 
problems that could limit US-VISIT system performance.

* US-VISIT is not currently directed and overseen by an accountable 
governance structure that reflects the program's governmentwide scope 
and that includes the appropriate leaders from each stakeholder 
organization, that is, those who can make and enforce decisions and 
commit resources.

* The US-VISIT program office does not have the capabilities (people, 
processes, and tools) to effectively manage the program. For example, 
this office has not yet been adequately staffed, specific roles and 
responsibilities have not been defined, and acquisition management 
process controls have not been developed and implemented. Moreover, DHS 
has not defined specific plans and time frames for doing so.

* Key information about the operational context surrounding US-VISIT 
that is necessary to effectively define, establish, and implement the 
program is not yet available. As a result, DHS is making certain 
assumptions and decisions in order to meet near-term deadlines, such as 
the use of a two-fingerprint biometric; these assumptions and decisions 
would require system rework if they prove inconsistent with subsequent 
operational context policy or standards decisions.

* Construction of US-VISIT facility solutions, both interim and 
permanent, pose serious challenges for a number of reasons. For 
example, existing facilities do not support existing entry and exit 
processes at a number of land ports of entry, border crossing wait 
times are very sensitive to very small increases in processing times at 
certain high-volume land ports of entry, and interim facility solutions 
must satisfy yet-to-be defined program requirements.

* The mission value to be gained from the initial US-VISIT operational 
capability planned for December 31, 2003, is not currently known. In 
particular, DHS has not defined specific, measurable benefits expected 
from this initial operating capability, in large part because it has 
yet to define the processes that will govern how entry and exit 
activities will be performed. This uncertainty is compounded by the 
fact that this initial operating capability is to be constrained by 
existing facilities and personnel and it is not to result in increases 
in border crossing wait times.

In conclusion, US-VISIT is a risky undertaking because it is to support 
a critical mission, its scope is large and complex, it must meet a 
demanding implementation schedule, and its potential cost is enormous. 
Generally, these risk factors are inherent to the program and cannot be 
easily changed. However, compounding these inherent risk factors are a 
number of others that are attributable to the program's current state 
of governance and management and its acquisition approach, as described 
above. Further, DHS did not fully satisfy the legislative conditions 
imposed by the Congress and has yet to fully implement our previous 
recommendations, both of which were aimed at reducing risk. Because of 
all these risk factors, it is uncertain that US-VISIT will be able to 
measurably and appreciably achieve DHS's stated goals of facilitating 
legitimate travel and trade, enhancing national security, and adhering 
to U.S. privacy laws and policies. Moreover, DHS's near-term investment 
in the program is at risk of not delivering promised capabilities on 
time and within budget, and not producing mission value commensurate 
with investment costs. Thus, it is imperative that the factors that 
contribute to this level of risk be addressed thoroughly and 
expeditiously.

Recommendations for Executive Action:

To address US-VISIT as a governmentwide program and to minimize the 
risks facing the program, we recommend that the Secretary of Homeland 
Security, in collaboration with cabinet officials from US-VISIT 
stakeholder departments and agencies,

* establish and charter an executive body, chaired by the Secretary's 
designee, potentially co-chaired by the leadership from key stakeholder 
departments and agencies, and composed of appropriate senior-level 
representatives from DHS and each stakeholder organization, to guide 
and direct the US-VISIT program; and:

* direct this executive body to immediately take steps to (1) ensure 
that the human capital and financial resources are expeditiously 
provided to establish a fully functional and effective US-VISIT program 
office and associated management capability, (2) clarify the 
operational context within which US-VISIT must operate, and (3) decide 
whether proposed US-VISIT increments will produce mission value 
commensurate with costs and risks and disclose to the Congress planned 
actions based on this body's decisions.

Further, we recommend that the Secretary, through the Under Secretary 
for Border and Transportation Security, direct the US-VISIT Program 
Director to expeditiously establish an effective program management 
capability, including immediately:

* defining program office positional roles, responsibilities, and 
relationships;

* developing and implementing a human capital strategy that provides 
for staffing these positions with individuals who have the requisite 
core competencies (knowledge, skills, and abilities);

* developing and implementing a plan for satisfying key SEI acquisition 
management controls, to include acquisition planning, solicitation, 
requirements development and management, project management, 
contractor tracking and oversight, evaluation, and transition to 
support;

* developing and implementing a risk management plan and ensuring that 
all high risks and their status are reported regularly to the executive 
body;

* defining performance standards for each US-VISIT system increment 
that are measurable and reflect the limitations imposed by relying on 
existing systems for these system increments; and:

* developing an analysis of incremental program costs, benefits, and 
risks, and providing this analysis to the executive body, to assist it 
in the body's deliberations and decision making.

Agency Comments:

In written comments on a draft of this report signed by the Director, 
US-VISIT, DHS concurred with our recommendations and stated that it has 
recently made progress toward addressing them. In particular, DHS 
stated that it has approved the proposed US-VISIT organizational 
structure and identified necessary staff positions, and that it is 
working with the Office of Personnel Management to draft position 
descriptions and prepare for recruitment. Also, it stated that the US-
VISIT program office is staffed with 51 detailees from various DHS 
components and agencies. Last, it stated that it has in place an 
Investment Review Board that has twice reviewed US-VISIT, has 
established a DHS framework for addressing policy questions, and has 
plans to establish a US-VISIT Advisory Council. DHS's comments are 
reprinted in appendix II.

:

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of other Senate and House committees and subcommittees 
that have authorization and oversight responsibilities for homeland 
security. We are also sending copies to the Secretary of State and the 
Director of OMB. We also will make copies available to others upon 
request. In addition, the report will be available at no charge on the 
GAO Web site at http://www.gao.gov.

Should you or your staff have any questions on matters discussed in 
this report, please contact me at (202) 512-3439. I can also be reached 
by E-mail at Hiter@gao.gov. Key contributors to this report were Seto 
Bagdoyan, Barbara Collier, Deborah Davis, Neil Doherty, Rebecca 
Gambler, Tamra Goldstein, James Houtz, Richard Hung, Tammi Nguyen, and 
Mark Tremba.

Signed by:

Randolph C. Hite 
Director, Information Technology Architecture and Systems Issues:

[End of section]

Appendixes: 

Appendix I: Briefing to the Staffs of the Subcommittees on Homeland 
Security, Senate and House Committees on Appropriations:

[See PDF for image]

[End of figure]

[End of section]

Appendix II: Comments from the Department of Homeland Security:

U.S. Department of Homeland Security:

September 3, 2003:

Mr. Randolph C. Hite:

Director, Information Technology Architecture And Systems Issues:

U.S. General Accounting Office 441 G Street, NW Washington, DC 20548:

Dear Mr. Hite:

Thank you for the opportunity to review the draft report, Information 
Technology: Risks Facing Key Homeland Security Program Need to Be 
Addressed (GAO-03-1083). We appreciate the time the General Accounting 
office has taken to review the FY 2003 spending plan for the United 
States Visitor and Immigrant Status Technology (US-
VISIT) Program. Overall, we concur with your recommendations to 
establish an effective program management capability and a proper 
governance structure. We are pleased to report that, subsequent to your 
findings, significant progress has been made in both areas. 
Nevertheless, we realize that much needs to be done.

In terms of your specific findings and observations, we believe the US-
VISIT program has made considerable progress, and we recommend that you 
consider adding these updates to your final report.

The proposed organizational structure for US-VISIT has received 
Departmental approval. The necessary staff positions have been 
identified and work has begun with the Office of Personnel Management 
to draft position descriptions and prepare for recruitment. Meanwhile, 
the current staff of 51 includes detailees and dedicated personnel from 
Customs and Border Protection, Immigration and Customs Enforcement, 
other components within the Department of Homeland Security (DHS), and 
other agencies who have been brought on board to ensure that essential 
work is performed pending full staffing with 115 government employees, 
including 8 senior executives. In coordination with the General 
Services Administration, adequate office space has been identified and 
is being secured.

In the area of program governance, a DHS Investment Review Board is 
already in place; US-VISIT was the first program to undergo a review by 
this board, and it has now been reviewed twice. In addition, a DHS 
policy framework is now in place through which important policy 
questions can be addressed. Finally, we are in the process of setting 
up a US-VISIT Advisory Council.

If you have any questions, please contact me, or a member of your staff 
may contact Thomas Hamer at (202) 305-0845.

Sincerely,

James A. Williams:

Director, US-VISIT Program:

[End of section]

(310266):

FOOTNOTES

[1] P.L. 108-7 (Feb. 20, 2003).

[2] U.S. General Accounting Office, Information Technology: Homeland 
Security Needs to Improve Entry Exit System Expenditure Planning, GAO-
03-563 (Washington, D.C.: June 9, 2003).

[3] Carnegie Mellon Software Engineering Institute, Software 
Acquisition Capability Maturity Model", Version 1.03 (March 2002) 
defines acquisition process management controls for planning, managing, 
and controlling software-intensive system acquisitions.

[4] H.R. Conf. Rep. No. 108-76, at 80 (2003).

[5] For example, the Immigration and Naturalization Service Data 
Management Improvement Act of 2000 (P.L. 106-215, June 15, 2000) 
requires that US-VISIT be implemented at all air and sea ports of entry 
by December 31, 2003; at the 50 highest volume land ports of entry by 
December 31, 2004; and at all remaining ports of entry by December 31, 
2005.

[6] U.S. General Accounting Office, Technology Assessment: Using 
Biometrics for Border Security, GAO-03-174 (Washington, D.C.: Nov. 15, 
2002).

[7] The Student and Exchange Visitor Information System contains 
information on foreign students.

[8] The Computer Linked Application Information Management System 3 
contains information on foreign nationals who request benefits, such as 
change of status or extension of stay.

GAO's Mission:

The General Accounting Office, the investigative arm of Congress, 
exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. General Accounting Office

441 G Street NW,

Room LM Washington,

D.C. 20548:

To order by Phone: 	

	Voice: (202) 512-6000:

	TDD: (202) 512-2537:

	Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470:

Public Affairs:

Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.

General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.

20548: