This is the accessible text file for GAO report number GAO-06-295 entitled 'Border Security: Key Unresolved Issues Justify Reevaluation of Border Surveillance Technology Program' which was released on February 23, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: February 2006: Border Security: Key Unresolved Issues Justify Reevaluation of Border Surveillance Technology Program: GAO-06-295: GAO Highlights: Highlights of GAO-06-295, a report to the House and Senate Subcommittees on Homeland Security, Committees on Appropriations: Why GAO Did This Study: In September 2004, the Department of Homeland Security (DHS) established America’s Shield Initiative (ASI)—a program that included a system of sensors, cameras, and databases formerly known as the Integrated Surveillance Intelligence System (ISIS)—to detect, characterize, and deter illegal breaches to the northern and southern U.S. borders. The goals of the ASI program were to address ISIS capability limitations and support the department’s antiterrorism mission. In April 2005, department officials told GAO that ISIS was subsumed within ASI. By congressional mandate, GAO reviewed the program to determine (1) the operational needs that ASI was intended to address and DHS’s plans for ASI, (2) the steps that DHS had taken to ensure that ASI was aligned with the department’s enterprise architecture, and (3) the actions that DHS had taken to establish the capability to effectively manage ASI. In written comments, DHS agreed with a draft of this report, stating that it was factually correct in virtually all aspects. DHS also commented that it has ceased work on ASI and redirected resources to its Secure Border Initiative. It also described program management corrective actions that it plans to implement. What GAO Found: The ASI program defined the operational needs it expected ASI to meet, including addressing both known limitations in the ISIS and supporting counterterrorism efforts. The program also developed key planning documents for approval by the DHS Investment Review Board that were intended to meet these needs, including a program management plan, acquisition plan, and preliminary operational requirements document. However, these plans were not approved. The Review Board recently reviewed the ASI program and found, among other things, that it was aligned with the department’s enterprise architecture. However, the reviews also determined that the program had not adequately defined its relationships and dependencies with other department programs. Subsequently, the DHS Deputy Secretary directed that the program be reevaluated within the department’s broader border and interior enforcement strategy, now referred to as the Secure Border Initiative. The ASI program had not established the people and process capabilities required for effective program management. As of August 2005, it had filled 30 of its 47 program office positions, and it had defined roles and responsibilities for only 3 of them. In addition, while the program had defined and begun implementing a plan to manage program risks, it had not yet defined key acquisition management processes, such as effective project planning, and contract tracking and oversight. As a result, the program risked repeating the inadequate contract management oversight that led to a number of problems in deploying, and operating and maintaining ISIS technology. DHS’s decision to reevaluate ASI was justified by the existence of unresolved key issues cited above (addressing its impact on other programs, and establishing people and process capabilities required for effective program management). These issues, if not addressed, would have introduced unnecessary risk. It is important that the department’s reevaluation consider all such issues that could affect program success. www.gao.gov/cgi-bin/getrpt?GAO-06-295. To view the full product, including the scope and methodology, click on the link above. For more information, contact Randolph C. Hite, (202) 512-3439, hiter@gao.gov. [End of section] Contents: Letter: Conclusions: Agency Comments: Appendixes: Appendix I: Briefing to Staffs of Subcommittees on Homeland Security, House and Senate Committees on Appropriations: Appendix II: Comments from the U.S. Department of Homeland Security: Appendix III: GAO Contact and Staff Acknowledgments: Abbreviations: ASI: America's Shield Initiative: CBP: Customs and Border Protection: DHS: Department of Homeland Security: EA: Enterprise Architecture: EAB: Enterprise Architecture Board: FTS: Federal Technology Service: GSA: General Services Administration: ICAD: Intelligent Computer-Assisted Detection: IG: Inspector General: INS: Immigration and Naturalization Service: IRB: Investment Review Board: ISIS: Integrated Surveillance Intelligence System: PMO: Program Management Office: RVS: Remote Video Surveillance: Letter February 21, 2006: The Honorable Judd Gregg: Chairman: The Honorable Robert C. Byrd: Ranking Minority Member: Subcommittee on Homeland Security: Committee on Appropriations: United States Senate: The Honorable Harold Rogers: Chairman: The Honorable Martin Olav Sabo: Ranking Minority Member: Subcommittee on Homeland Security: Committee on Appropriations: The House of Representatives: In 1997, the Immigration and Naturalization Service (INS) deployed the Integrated Surveillance Intelligence System (ISIS)--a system of sensors, cameras, and databases designed to prevent smugglers and illegal aliens from entering the United States along its northern and southern borders. Pursuant to the Homeland Security Act of 2002,[Footnote 1]INS was absorbed into the Department of Homeland Security (DHS), and the ISIS program was subsequently moved into the department's Customs and Border Protection (CBP) component. In September 2004, CBP established the America's Shield Initiative (ASI) program. The goals of the program were to address ISIS capability limitations and support the department's antiterrorism mission. In April 2005, DHS officials told us that ISIS was subsumed within ASI. In September 2005, we were told that the Deputy Secretary of Homeland Security directed that proposed plans for the program be reevaluated. The conference report for the Department of Homeland Security Appropriations Act, 2005, directed us to review ISIS.[Footnote 2]Since ISIS was subsequently subsumed into ASI, we agreed to the following objectives: (1) determine the operational needs that ASI is intended to address and the department's plans for ASI, (2) determine the steps that the department has taken to ensure that ASI is aligned with the department's enterprise architecture, and (3) determine the actions that the department has taken to establish the capability to effectively manage ASI. On October 27, 2005, we briefed your staff on the results of our review. This report transmits these results. The full briefing, including our scope and methodology, is reprinted as appendix I. In summary, we made three major points: * First, the program had defined ASI operational needs and developed planning documents for approval by DHS's Investment Review Board. Operational needs included both addressing known limitations in ISIS capabilities and supporting CBP counterterrorism efforts through enhanced border surveillance capabilities. Planning documents included a program management plan, acquisition plan, and a preliminary operational requirements document. The review board did not approve these planning documents. * Second, while DHS's Investment Review Board found that the ASI program was aligned with the department's enterprise architecture, it also found that the program had not adequately identified its dependencies and relationships with other department components. The board also determined that the program needed to be integrated into the department's broader border and interior enforcement strategy. As a result, the Deputy Secretary directed that ASI be reevaluated within the context of this broader strategy, now called the Secure Border Initiative. * Third, the program had not established key management capabilities (people and process controls). As of August 2005, it had filled 30 of 47 program office positions and had defined roles and responsibilities for only 3 of the 47 positions. Further, the program had not defined key acquisition management processes, such as those for tracking and overseeing contractors and for developing and implementing project plans. Contract tracking and oversight is important because inadequate contract management oversight led to a number of problems in deploying, operating, and maintaining ISIS technology. Program officials told us they planned to develop key acquisition processes, however plans and timeframes for doing so had not been set. To its credit, the program office had defined and begun implementing a risk management process, which is one key acquisition process. Conclusions: DHS's decision to reevaluate the ASI program demonstrates that its investment review process is based on relevant considerations, such as dependencies with and impacts on related border security programs that the department's enterprise architecture should explicitly define and the architecture alignment analysis should demonstrate. The limitations in the program office's people and process capabilities are another issue supporting the department's decision to reevaluate the program. Accordingly, the department's decision to reevaluate the program was justified by the existence of unresolved key issues that, if not addressed, would have introduced unnecessary and unacceptable risk. It is thus important that this reevaluation include consideration of all issues that could affect program success. Agency Comments: In written comments on a draft of this report, signed by the Director, Department GAO/OIG Liaison Office, DHS stated that it agreed with the overall thrust and that the report is factually correct in virtually all aspects. The department also stated that it had decided to cease work on ASI and that it has dismantled the ASI program office and a subset of its personnel has been assigned to the SBI program. Further, the department stated that in establishing SBI, it intends to implement corrective program management measures to address the problems that occurred on ISIS. The DHS comments are reprinted in their entirety in appendix II. We are sending copies of this report to the Chair and Ranking Minority Members of other Senate and House committees that have authorization and oversight responsibilities for homeland security. We are also sending a copy to the Director of the Office of Management and Budget. Copies of this report will also be available at no charge on our Web site at [Hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-3439 or [Hyperlink, hiter@gao.gov]. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III. Sincerely yours, Signed by: Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: [End of section] Appendixes: Appendix I: Briefing to Staffs of Subcommittees on Homeland Security, House and Senate Committees on Appropriations: Key Unresolved Issues Justify Reevaluation of Border Surveillance Technology Program: Briefing to staffs of Subcommittees on Homeland Security, House and Senate Committees on Appropriations: October 27, 2005: Briefing Overview: * Introduction: * Objectives: * Results in Brief: * Background: * Observation 1: Needs Were Defined and Plans Were Developed: * Observation 2: Enterprise Architecture Alignment Was Unclear: * Observation 3: Program Management Capability Was Lacking: * Conclusions: * Attachment 1: Scope and Methodology: Introduction: In 1997, the former Immigration and Naturalization Service (INS) deployed the Integrated Surveillance Intelligence System (ISIS) to provide visibility and protection of the U.S. northern and southern borders. The goal of ISIS was to prevent the entry of smugglers, illegal aliens, contraband, and illegal narcotics into the country. In March 2003, pursuant to the Homeland Security Act of 2002, [NOTE] INS was absorbed into the Department of Homeland Security (DHS). INS's Border Patrol is now in DHS's Customs and Border Protection (CBP) component. In September 2004, CBP established the America's Shield Initiative (ASI) program. The goals of ASI were to address known ISIS capability limitations and to support DHS's antiterrorism mission, including its need to exchange information with state, local, and federal law enforcement organizations. In April 2005, DHS officials told us that ISIS was subsumed within ASI. By June 2004, the House Appropriations Committee had recommended that DHS use approximately $87 million of its CBP appropriations for ISIS and ASI in fiscal year 2005. [NOTE 2] In September 2005, we were told that the Deputy Secretary of Homeland Security directed that ASI be reevaluated. NOTES: [1] Public Law 107-296 (November 25, 2002). [2] H.R. Report 108-541 (2004). Objectives: The conference report for the Department of Homeland Security Appropriations Act, 2005, [NOTE 1] directed GAO to review DHS's ISIS program. [NOTE 2] Since ISIS had subsequently been subsumed into ASI, we agreed to the following objectives: 1. determine the operational needs that ASI was intended to address and DHS's plans for ASI, 2. determine the steps that DHS had taken to ensure that ASI was aligned with the DHS enterprise architecture, and: 3. determine the actions that DHS had taken to establish the capability to effectively manage ASI. In September 2005, we were told that the DHS Deputy Secretary decided to reevaluate ASI in conjunction with development of its border and interior enforcement strategy. This decision is reflected in the scope of our review and this briefing. NOTES: [1] H.R. Conf. Report 108-774 (2004). [2] House Report 108-541. We performed our work at ASI offices in Washington, D.C., from April 2005 through September 2005, in accordance with generally accepted government auditing standards. Details of our scope and methodology are described in attachment 1 of this briefing. Results in Brief: Consistent with its acquisition guidance, CBP defined the operational needs that it expects ASI to address in terms of both addressing known limitations in ISIS capabilities and supporting CBP counterterrorism efforts through enhanced border surveillance capabilities. During the last 6 months, CBP told us that it had been developing plans and documentation that DHS required for ASI to pass its next major acquisition milestone. CBP also told us that these plans and documentation would be made available to us after the program passed this milestone. ASI was to be one of many DHS programs supporting its border and transportation security mission, and thus it was critical that ASI be pursued within the context of a departmental enterprise architecture that defined the interrelationships and interdependencies among these border security programs and their supporting systems environments. However, steps taken by DHS to ensure ASI's alignment within this context raised questions that became more significant as the program moved beyond program initiation. Such questions were a critical factor in DHS's recent decision to reevaluate ASI in conjunction with development of its border and interior enforcement strategy. Further, CBP had yet to establish the kind of people-and process- related program management capabilities needed to effectively execute a program like ASI. For example, specific roles and responsibilities had not been defined for the program staff, beyond generic position descriptions. In addition, key acquisition processes, such as acquisition management and contractor tracking and oversight, had yet to be defined and implemented. Given CBP's challenges in managing its ISIS contract, as reported by the General Services Administration's Inspector General, [NOTE 1] the absence of such process controls was another key open issue at the time the decision was made to reevaluate the program. NOTE: [1] General Services Administration, Compendium of Audits of the Federal Technology Service Regional Client Support Center (2004). Background: Within DHS, organizational responsibility for ISIS/ASI is within the Border Patrol, which is a component of CBP. * The Border Patrol is responsible for preventing the entry of terrorists and their instruments of terror, illegal immigrants, and contraband, while facilitating the legitimate flow of people, goods, and services on which the economy depends. * The Border Patrol is divided into 20 sectors: 17 of the sectors are along the northern and southern borders; the remaining 3 are along the coastal borders. * During fiscal year 2005, CBP's ASI Program Management Office (PMO) was responsible for the acquisition, deployment, and operations and maintenance of ISIS legacy technology, as well as ASI planning. Organizational Placement of ASI Program (partial DHS organization chart): [See PDF for image] [End of figure] ISIS: A Brief Description: ISIS was initiated in 1997 to provide surveillance and protection of the U.S. northern and southern borders. The goal of ISIS was to help prevent the entry of smugglers, illegal aliens, contraband, and illegal narcotics into the country. During fiscal year 2005, ISIS deployment continued, and ISIS was subsumed into the ASI program. System Components: ISIS is composed of three components: sensors, databases, and cameras: * Ground sensors detect attempts by people or vehicles to illegally cross the U.S. borders. - Several sensor technologies are used: radar (detect objects), motion, infrared (heat), seismic (vibration), and magnetic (metal). - As of August 2005, the Border Patrol reports that approximately 11,200 sensors were deployed. As of October 2005, it reports that about 10,500 sensors were operational. * The Intelligent Computer-Assisted Detection (ICAD) databases record information from the sensors, document the results of investigations of border activities, and support analyses of border migration patterns. - There is a separate ICAD database located in each sector at a Border Patrol control center, where officials monitor the ICAD information. - Each of the Border Patrol's 20 sectors has at least one control center. According to ASI officials, the ICAD databases at the centers are not integrated, and therefore, information cannot be effectively and efficiently shared between sectors. * Remote Video Surveillance (RVS) cameras are used to capture information on the number and description of individuals and vehicles attempting illegal entry. - The cameras are remotely manipulated; current capabilities do not enable cameras to focus automatically in response to sensor alarms. As of September 2005, the Border Patrol reports that 255 RVS camera sites are operational, with 2 to 4 cameras per site. - RVS images are communicated to the control centers by microwave, fiber optic, or terrestrial cable. - RVS cameras are mounted either on 60-to 80-foot poles or on mounting structures (e.g., buildings). Some mounting sites also have communications relays. According to ASI officials, as of August 2005, ISIS technology covered about 4 percent of the combined northern and southern borders. Overview of ISIS Role in Border Surveillance, Dispatch, and Reporting Process: When ISIS sensors detect movement (people or vehicles) crossing the border, alarms are triggered and transmitted to the ICAD database in the control center. Border Patrol officials are then to direct the RVS cameras at the alarm sites to assess the images shown on the ICAD monitor. Using the images, the Border Patrol officials are to provide information on the number of individuals and vehicles and the location of the incident to Border Patrol agents, who are dispatched to the site. The event is recorded in ICAD as a "ticket" for tracking purposes. The agents are to report back on the resolution of the ticket, including whether an apprehension took place. This information is then to be recorded in the ICAD database. ICAD information from each sector is to be transmitted to Border Patrol headquarters, where it is to be summarized and reported. The information is also to be analyzed to ascertain migration patterns in each sector. Simplified Diagram of ISIS Role in Border Process: [See PDF for image] [End of figure] ISIS Contracting Issues: In 1999, INS entered into an agreement with the General Services Administration's (GSA) Federal Technology Service (FTS) [NOTE 1] to manage the acquisition and deployment of the RVS program, a major component of ISIS. In December 2004, GSA's Inspector General (IG) found numerous problems with GSA's administration of the RVS contract, including inadequate contractor oversight, insufficient competition, and improper contracting actions. [NOTE 2] More specifically, the GSA's IG identified the following problems. Inadequate contractor oversight: * Of 30 task orders reviewed, 18 included construction or other work that was outside the scope of the contract. * Costs of over $6 million were incurred for operations and maintenance when little or no work was actually performed. NOTES: [1] FTS, among other things, assists federal agencies in acquiring, deploying, and managing information technology. [2] General Services Administration, Compendium of Audits of the Federal Technology Service Regional Client Support Center (Dec. 14, 2004). Insufficient competition: * Task orders were placed without benefit of competition. * Documentation was inadequate for the original solicitation, evaluation, and selection. * Costs were not reviewed for reasonableness. Improper contracting actions: * Modifications were made to contracts without adequate justification. In June 2005, the GSA Deputy IG testified that many of the problems identified with the RVS contract were attributable, in part, to GSA's and the Border Patrol's chronic inattention to contract administration and project management. ASI: A Brief Description: ASI was intended to detect, characterize, and deter illegal breaches of the border, while providing necessary decision support information to assist Border Patrol agents. According to the ASI Preliminary Operational Requirements document, ASI's goals were to: * maintain legacy systems operations, * provide surveillance of the entire land border between ports of entry, * integrate surveillance capabilities with agent operations, * provide decision support capabilities, * support rapid and flexible deployment of surveillance assets, * provide reliable, all-environment, 24-hour surveillance capability, * improve collaboration and interoperability with mission partners and state, local, tribal, and federal enforcement officials, * use state-of-the-market technology to create a cost-effective system, and: * provide open architecture solutions. ISIS/ASI Costs: According to the ASI program manager, the budgeted amount for ISIS and ASI related efforts for fiscal years 1997 through 2005 was $452.4 million. As of September 2005, ASI officials report expended funds of $340.3 million [NOTE 1] for: * acquisition and deployment of ISIS equipment (RVS cameras, ICAD database, sensors, and agent support equipment), * operations and maintenance of ISIS equipment, and: * planning for ASI. NOTE: [1] ASI officials stated that about $51.6 million of the fiscal year 2005 appropriated funds was still available. Observation 1: Needs Were Defined and Plans Were Developed: Observation 1: ASI operational needs were defined, and plans were being developed to justify ASI alternative solutions. Effectively managing an acquisition generally includes, among other things, identifying a business need/opportunity or a missing capability required to satisfy an agency mission. Once a need or capability is identified and defined, effective planning is important to ensure that the need is adequately addressed and the project is effectively managed. This generally includes the development of plans and related documentation that, among other things, describe commitments to be met (e.g., cost, schedule, capabilities, and benefits) and how resources will be applied to meet them. These plans also serve as the basis for monitoring progress and taking corrective actions, as appropriate. CBP's acquisition guidance requires that mission needs be defined. CBP met this requirement in developing the ASI Mission Needs Statement, dated September 8, 2004, which states that ASI is to support the Border Patrol's operational functions, including its expanded mission of detecting and preventing the entry of terrorists and their associated means of terrorism, and to address the shortfalls of ISIS. According to DHS documents, the Border Patrol's operational functions are as follows: 1. Detect, prevent, and characterize illegal border breaches. 2. Respond to and apprehend individuals, groups, and items of interest. 3. Process individuals in custody and items as accurately, efficiently, and effectively as possible. 4. Transport individuals in custody and items of interest. 5. Deploy agents using effective decision support and rapid response systems. 6. Assess threats and determine likely illegal border crossing scenarios, methods, and locations. 7. Deter illegal entrance of individuals and items of interest. 8. Maintain continuity of operations. 9. Collaborate internally and with external organizations (international, federal, state, local, and tribal). The Mission Needs Statement also identified the following ISIS shortfalls that ASI was to address: 1. limited border coverage, 2. difficult and expensive maintenance, 3. inability to provide an all-weather, all-environment 24-hour capability, 4. inadequate mobile capability, 5. limited command, control, and situational awareness to ensure that all mission partners have access to required information, 6. lack of integration among system components (RVS cameras, sensors, and ICAD), and: 7. lack of automated interoperability with other law enforcement entities. DHS identified ASI's key capabilities and mapped them to the Border Patrol's operational functions. As can be seen in the following table, each of the capabilities maps to one or more of the operational functions. Comparison of ASI's Capabilities and Border Patrol's Operational Functions: [See PDF for image] 1. Detect, prevent, and characterize illegal border breaches. 2. Respond to and apprehend individuals, groups, and items of interest. 3. Process individuals in custody and items as accurately, efficiently, and effectively as possible. 4 Transport individuals in custody and items of interest. 5. Deploy agents using effective decision support systems and solutions facilitating rapid response. 6. Assess threats and determine likely illegal border crossing scenarios, methods, and locations. 7. Deter illegal entrance of individuals and items of interest. 8. Maintain continuity of operations. 9. Collaborate internally and with external organizations (international, federal, state, local, and tribal). Source: DHS. [End of table] We compared the ASI planned capabilities to the ISIS shortfalls and found, as shown on the following slide, that the capabilities address all but one of the shortfalls. The capabilities do not explicitly address the ISIS shortfall pertaining to the difficulty and expense of maintaining ISIS. According to ASI officials, they plan to modify the ASI requirements document to address this omission. Comparison of ASI Capabilities and ISIS Shortfalls: [See PDF for image] Source: GAO based on DHS data. [End of table] ASI officials told us that, during the last 6 months, they were developing key planning documents for approval by the DHS Investment Review Board (IRB). Among others, these documents include the following: * program management plan-documents the activities, tasks, and responsibilities for the program; * acquisition plan-documents the technical, business, and management approach for acquiring the system; * test and evaluation plan-documents the approach for verifying that the system meets the user's needs and system specifications; * risk management plan-documents formal processes for identifying, classifying, assessing, and mitigating risks; and: * preliminary operational requirements document-describes the mission, capabilities, and operating condition that competing solutions must satisfy. ASI program officials told us that their plans and related documentation would be made available to us after the program passed its next milestone. According to DHS officials, a milestone review for evaluating and selecting a system solution was held before the DHS Investment Review Board in June 2005; however, the board did not approve milestone passage, and thus we did not receive these plans and documents. In September 2005, the DHS Director of Program Analysis and Evaluation told us that the DHS Deputy Secretary directed that the ASI program be reevaluated. According to the Director, an investment decision memorandum directing and explaining the basis for this reevaluation has been drafted, but has yet to be approved. Further, he said that a plan for carrying out the reevaluation is being developed. Observation 2: Enterprise Architecture Alignment Was Unclear: Observation 2: Steps taken to ensure ASI's alignment with DHS's enterprise architecture raised questions that became more pressing as ASI moved beyond program initiation. To effectively define, establish, and implement a program, it is essential that the program be aligned with a corporate blueprint, or enterprisewide frame of reference, that governs key aspects of the program's operations. Such a frame of reference is referred to as an enterprise architecture (EA). An EA is an authoritative description of an entity's operations, including how operations are performed, what information and technology are used to perform these operations, where the operations are performed, who performs them, and when and why they are performed. The architecture describes the entity in both logical terms (e.g., the business functions and information flows) and technical terms (e.g., hardware, software, communications, and security standards). Accordingly, an EA can help to clarify and optimize the interdependencies and relationships among an organization's business operations and the underlying IT infrastructure and applications that support these operations. As a program like ASI progresses through its life cycle, ensuring that it is explicitly aligned with an EA, and thus with other programs with which it must interact, becomes more demanding. Since its introduction in 2004, ASI's relationship to other programs has continued to be an open issue. * In August 2004, the DHS Enterprise Architecture Board (EAB) [NOTE 1] found that the ASI program was aligned with the DHS enterprise architecture. In August 2004, the Joint Requirements Council [NOTE 2] review found that it was likely that ASI would impact other programs, such as Immigration and Customs Enforcement's Office of Detention and Removal, [NOTE 3] and that this impact should be considered in reviewing ASI. NOTES: [1] DHS's Enterprise Architecture Board reviews programs for alignment with the DHS enterprise architecture. [2] The Joint Requirements Council supports DHS's IRB process by identifying cross-cutting opportunities and common requirements among DHS organizational elements. [3] The Office of Detention and Removal is responsible for removing unauthorized aliens from the United States. * As a result, the IRB, in a memo dated October 5, 2004, approved the authorization of the ASI program, but noted several issues that the program was to address before passing the next milestone. For example, the program was to address its impact on other DHS components, such as US-VISIT [NOTE 1] and the Office of Detention and Removal. * In July 2005, the DHS EAB again found that the ASI program was aligned with the DHS enterprise architecture and recommended program alignment approval for the alternative solution milestone. However, during its review, the EAB raised several issues about the ASI program, including whether the program had adequately identified other DHS components with which it may need to share information. ASI agreed with the EAB's issues and planned to address them. As a result, the EAB stated that it considered the issues to be resolved. NOTE: [1] The United States Visitor and Immigrant Status Indicator Technology (US-VISIT) is a governmentwide program intended to enhance the security of U.S. citizens and visitors, facilitate 31 legitimate travel and trade, ensure the integrity of the U.S. immigration system, and protect the privacy of our visitors. * On September 8, 2005, the DHS's Director of Program Analysis and Evaluation, whose organization supports the DHS I RB, stated that the board found that ASI, as currently defined, did not adequately identify its dependencies and relationships within CBP and with other DHS components, such as the Office of Detention and Removal. Further, the Director stated that the board determined that CBP needs to integrate ASI into the department's border and interior enforcement strategy, and the broader departmental structure. The Director stated that as a result the DHS Deputy Secretary, who chairs the IRB, directed that ASI be reevaluated within the context of this broader border and interior enforcement strategy. As mentioned earlier, an investment decision memorandum directing the reevaluation has been drafted but has not yet been approved, and a plan for executing the reevaluation is being developed. Observation 3: Program Management Capability Was Lacking: Observation 3: ASI program management capability (people and processes) had not yet been established. Our prior work and relevant guidance and leading practices show that for program acquisitions like ASI to be successful they need to, among other things, have (1) adequate staff to fill positions that have clearly defined roles and responsibilities and (2) well-defined and implemented acquisition management processes. [NOTE 1] The ASI program office was established in September 2004. See next slide for the ASI program office structure. NOTE: [1] GAO, Risks Facing Key Border and Transportation Security Program Need to be Addressed, GAO-03-1083 (Washington, D.C.: Sept. 16, 2003). ASI Program Office Structure: [See PDF for image] [End of figure] People: DHS had not fully staffed the ASI program office. * According to the ASI Program Manager, the office's staffing needs totaled 47 full-time positions (29 government and 18 contractor personnel). * As of August, ASI had filled 30 of the 47 positions (see table). Personnel Government Contractor Total: [See PDF for image] Source: GAO based on ASI PMO data. [End of table] ASI has defined roles and responsibilities for only 3 of the 47 staff positions. The roles and responsibilities for the program manager and deputy program managers are as follows: * ASI Program Manager-Responsibilities are to (1) manage the ASI program and serve as its sole spokesperson, (2) secure and approve funding, (3) obtain resources, (4) lead the program team, (5) provide strategic direction and decisions, (6) ensure that project and program plans are consistent, (7) ensure that solutions are defined and accepted, (8) manage and support contract management efforts, (9) review and approve program/project plans, (10) provide input on technical and cost proposals, and (11) participate in cost proposal negotiations with contractors. * Deputy Program Manager for Technology Management-Responsibilities are to (1) prepare documentation required to complete milestone for alternatives analysis (e.g., operational requirements document, analysis of alternatives), (2) develop program master schedule, and (3) oversee contract evaluation and source selection. * Deputy Program Manager for Acquisition Management-Responsibilities are to (1) develop the acquisition plan, (2) develop source selection procedures in coordination with Program Management and Technology Management, and (3) oversee contract award and administration. The PMO had yet to clearly define roles and responsibilities for its other 44 staff positions. Specifically, the PMO provided us with six position descriptions, but none of these addressed specific ASI roles and responsibilities. For example, one position description (for a telecommunications manager) is a generic description designed to cover any such position within DHS. Also, a position description for a border patrol agent described the position as a staff advisor to the Chief, Border Patrol, and his or her assistants. Processes: A suite of key acquisition process areas are necessary to effectively manage a system acquisition program. [NOTE 1] These process areas include, among others, acquisition planning, project management, requirements management, contract tracking and oversight, and risk management. The PMO had not defined and implemented these key acquisition management processes. For example, a key practice in project management is developing and implementing a project plan. However, the program manager told us that ongoing ISIS acquisition and deployment activities, which were subsumed into ASI, were not being guided by a project plan. According to the Deputy Program Manager for Acquisition Management, the PMO planned to develop key acquisition processes, including processes for managing contractors, but time frames for doing so had not been set. As previously noted, inadequate contract management oversight processes led to a number of problems in deploying, operating, and maintaining ISIS technology. NOTE: [1] Carnegie Mellon Software Engineering Institute, Software Acquisition Capability Maturity Model(R), version 1.03 (March 2002). To the PMO's credit, it had defined and begun implementing a risk management process. * The ASI program office developed a draft risk management plan, dated May 10, 2005. The plan addressed, among other things, a governance structure and process for identifying, analyzing, mitigating, tracking, and controlling risks. The governance structure included a risk owner, management team, and risk database coordinator. As part of its process, ASI had also developed a risk database that included a description of each risk, its priority and severity, the individual responsible for mitigating the risk, and a strategy for mitigating the risk. Conclusions: DHS's decision to reevaluate the ASI program demonstrates that its investment review process is based on relevant considerations, such as dependencies with and impacts on related border security programs that the DHS enterprise architecture should explicitly define and the architecture alignment analysis should demonstrate. The limitations in the program office's people and process capabilities are another issue supporting the department's decision to reevaluate the program. Accordingly, DHS's decision to reevaluate the program was justified by the existence of unresolved key issues that, if not addressed, would have introduced unnecessary and unacceptable risk. It is thus important that DHS's reevaluation include consideration of all issues that could affect program success. Attachment 1: Scope and Methodology: To accomplish our objectives, we performed the following tasks: * analyzed supporting documentation, including ASI's mission needs statement; interviewed program officials to identify the operational needs and DHS's plans for ASI; and performed a comparative analysis of the plans and best practices; * analyzed supporting documentation and interviewed DHS and program officials to assess DHS's actions to determine ASI's alignment with the department's enterprise architecture; * assessed DHS's plans and ongoing efforts to establish and implement the ASI program, including roles and responsibilities and such key management processes as risk, requirements, and acquisition management; and: * analyzed ASI's risk management plan and interviewed program and contractor officials to determine ASI's risk management process. We performed our audit work from April to September 2005, in accordance with generally accepted government auditing standards. [End of slide presentation] [End of section] Appendix II: Comments from the U.S. Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: January 11, 2006: Mr. Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Hite: RE: Draft Report GAO-06-295, Border Security: Key Unresolved Issues Justify Reevaluation of Border Surveillance Technology Program (GAO Job Code 310611): The Department of Homeland Security (DHS) appreciates the opportunity to comment on the Government Accountability Office's (GAO) draft report and respond to issues raised therein. We agree with the overall thrust of the report which supports the DHS decision to reevaluate the proposed plans for America's Shield Initiative (ASI) within the broad context of the Department's border and interior enforcement strategy. The ASI will be incorporated into the Secure Border Initiative (SBI), the Department's comprehensive strategy to achieve border security and interior enforcement goals. Although the report contains no recommendations, it identifies key issues regarding effective program management of ASI, along with the measures taken by U.S. Customs and Border Protection (CBP), the DHS Enterprise Architecture Board, and the DHS Joint Requirements Council to address many of these issues. CBP has implemented an effective process for program management, as described below, that will provide a solid foundation as SBI planning proceeds toward achieving the goal of preventing illegal entry into the United States. The SBI is a comprehensive multi-year plan to secure our nation's borders by taking a systematic approach to gaining operational control of the border and improving interior enforcement. DHS has created the SBI Program Executive Office to ensure the program is properly aligned with DHS enterprise architecture. CBP has created a SBI Program Management Office (PMO) in the Office of Policy and Planning, a component of the Commissioner's Office with direct reporting responsibility to the Commissioner. Secretary Chertoff's emphasis on the priority of SBI is reflected in the level of daily supervision of this effort by the CBP Acting Commissioner, and the direct management of the relevant activities by senior CBP leaders including the Chief of the Border Patrol, Assistant Commissioners for Information and Technology, Finance, Field Operations, CBP Air, Human Resources Management, Training and other offices. The Acting Commissioner and several of these senior managers attend the weekly "War Room" meetings, where the Secretary and other senior DHS leadership review the progress of the SBI. This same group of CBP senior managers are members of the SBI Executive Steering Committee, chaired by the Commissioner, which meets monthly or more often if necessary, to discuss the overall SBI effort and issues of cross-agency concern. This organizational structure provides the SBI PMO with the advantage of drawing on the full range of relevant expertise and capabilities within CBP to ensure fully successful management of the effort. Leaders from the operational side of the agency provide overall project management, while the acquisition process for SBI technology and infrastructure is supervised by highly trained and certified program managers from the Office of Information and Technology with extensive experience implementing major federal systems. The initial task for the acquisition team is to draft a request for proposal (RFP) for the private sector to provide the comprehensive solution to the challenge of gaining operational control of the border. We hope to have this RFP published by March 2006 with the goal of awarding a contract by September 2006 to the successful bidder, who will be the SBI Systems Integrator. This process will be an open competition in full compliance with the Federal Acquisition Regulation. Independent oversight will be provided by procurement experts on a contract basis. We expect the private sector to provide a solution that: * Fully integrates and balances the tradeoffs of personnel, technology and infrastructure requirements. * Addresses the need to coordinate operations and share information among all relevant DHS agencies and other federal, state, local and tribal law enforcement, defense, legal and intelligence agencies. * Evaluates the illegal entry threat against the current level of resources, prioritizes the shortfalls based on areas of greatest operational need, and provides a comprehensive road map for achieving full operational control of the border in the shortest possible time. * Includes a detailed and comprehensive set of performance measures to ensure we have a robust ability to view and understand the impact of adding resources to ensure that the expected improvements in operational capabilities actually are occurring. As the SBI concept evolved during the latter months of 2005, it became clear that continuing ASI, a technology-driven approach, would provide only a partial solution. DHS therefore decided to cease work on ASI per se and fold ASI resources into the SBI. The ASI PMO has been dismantled and a subset of the personnel has been assigned to the SBI PMO. The ASI PMO over the past year was moving toward creating an effective structure for providing the people and process capabilities to manage the project planning, acquisition, procurement, oversight, risk management and other tasks associated with a complex effort like improving operational control of the border. This work will contribute directly to accelerating the start of SBI, and, as described above, the process to provide senior level management and oversight of the SBI effort is already in place. Through its alignment with the DHS Enterprise Architecture, the ASI program was beginning to address the need to coordinate with other DHS components and relevant agencies outside the Department. Such cross-Department and cross-government coordination is a core concept of SBI. We found the GAO report factually correct in virtually all respects. However, in reviewing the problems associated with the Integrated Surveillance Intelligence System (ISIS), an earlier program to provide border surveillance technology, the report notes on page 16 that: "In June 2005, the GSA [General Services Administration] Deputy IG [Inspector General] testified that many of the problems identified with the RVS contract were attributable, in part, to GSA's and the Border Patrol's chronic inattention to contract administration and project management." RVS is the Remote Video Surveillance system, a core part of ISIS. The Office of Border Patrol (OBP) had the responsibility to ensure the RVS contract was meeting operational needs, and made numerous efforts to highlight problems with the RVS contract for GSA's attention, as outlined below. To briefly recap the history of this issue, in November 2000, the Office of Information Resources Management (OIRM) within the Department of Justice's former Immigration and Naturalization Service (INS) requested that GSA enter into a Blanket Purchase Agreement (BPA) with the International Microwave Corporation to provide surveillance and protection of the U.S. northern and southern borders, which resulted in the RVS contract. OIRM transferred its role in providing operational requirements for the BPA to OBP through a Memorandum of Understanding signed by OIRM and OBP in April 2001. At this point the contract had already been awarded by GSA, and in 2001 as OBP assumed an overall project management role, they learned that the contract was experiencing many problems, such as inadequate contractor oversight, insufficient competition, improper contracting actions, and poor recordkeeping. GSA functioned as the Contracting Officer (CO) and the Contracting Officer's Technical Representative (COTR) throughout the BPA. Starting in 2001, OBP questioned GSA regarding numerous invoices, but often did not receive a response to those inquiries, and invoices were often paid by GSA without attempts to resolve these questions prior to payment. Some of the issues identified by OBP included concerns over installation delays, defective or damaged cameras, poor performance of cameras, and unacceptable repair time for cameras returned for repair. OBP wrote letters directly to GSA and the contractor in attempts to resolve the issues. Because of the continuously unresolved issues with the contract, OBP directed that the contract be terminated in September 2004. In the meantime OBP had been incorporated into CBP in 2003, as part of the creation of DHS and the concurrent abolishment of INS. As the draft GAO report notes: "In September 2004, CBP established the America's Shield Initiative (ASI) program to address ISIS capability limitations and support the Department's antiterrorism mission." In establishing any major future program, like SBI, CBP intends to implement corrective program management measures to address the problems that occurred with the earlier ISIS effort. These measures are likely to include: * For major programs, oversight provided by the DHS Program Executive Office and Central Procurement Office, as well as CBP Senior Management. * An Independent Verification and Validation (IV&V) function within the PMO to ensure an independent, objective assessment of acquisition and implementation activities. * A contractor requirement to provide a quality management plan within 60 days of contract award. CBP and the development and integration contractor efforts to identify, assess, track, and mitigate all risks that can potentially impact contract cost, schedule, and performance. * The program manager, CO, COTR, and support staff held to the highest standards of accountability for program performance. * Contract performance managed through the application of Earned Value Management, program management reviews, and design and milestone reviews. * A CO assigned to CBP Acquisition Project Management Offices for the duration of the program to provide effective oversight for acquisition planning, solicitation, and contract administration activities. * A government point of contact for the contract and associated task orders. The point of contact will periodically audit the contractor's implementation of its quality management plan. * A CBP established deliverables review system to ensure timely delivery and government inspection and acceptance of deliverables required in the contract. * Acceptance of each line item only after successful completion of acceptance testing. * The COTR review of invoices to ensure that the contractor has met all the acceptance criteria before the approval and payment of each invoice. The draft report further describes very accurately the DHS decision- making process that resulted in ASI being subsumed into the more comprehensive SBI strategy. As previously stated, the ASI program office has been dismantled and a subset of the personnel has joined the CBP SBI Office. The work the ASI PMO completed on defining operational requirements and assessing resource needs to improve operational control of the border will be highly valuable for the SBI project. Ongoing and planned actions are designed to address unresolved key issues and thereby reduce unnecessary and unacceptable risk. Sincerely, Signed by: Steven J. Pecinovsky: Director: Departmental GAO/OIG Liaison Office: [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Randolph C. Hite (202) 512-3439 or [Hyperlink, hiter@gao.gov]: Staff Acknowledgments: In addition to the contact named above, Deborah A. Davis, Assistant Director; Barbara S. Collier; Neil J. Doherty; Sairah R. Ijaz; B. Scott Pettis; Amos A. Tevelow; and Daniel K. Wexler made key contributions to this report. (310611): FOOTNOTES [1] Public Law 107-296 (November 2002). [2] H.R. Conf. Report 108-774 at 40 (2004). GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: