This is the accessible text file for GAO report number GAO-06-598T entitled 'Homeland Security: Progress Continues, but Challenges Remain on Department's Management of Information Technology' which was released on March 30, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: GAO: Testimony: Before Congressional Subcommittees: For Release on Delivery: Expected at 3:00 p.m. EST Wednesday, March 29, 2006: Homeland Security: Progress Continues, but Challenges Remain on Department's Management of Information Technology: Statement of Randolph C. Hite, Director: Information Technology Architecture and Systems Issues: GAO-06-598T: GAO Highlights: Highlights of GAO-06-598T, a testimony before congressional subcommittees: Why GAO Did This Study: Information technology (IT) is a critical tool for the Department of Homeland Security (DHS), not only in performing its mission today, but also in transforming how it will do so in the future. In light of the importance of this transformation and the magnitude of the associated challenges, GAO has designated the implementation of the department and its transformation as high risk. GAO has reported that in order to effectively leverage IT as a transformation tool, DHS needs to establish certain institutional management controls and capabilities, such as having an enterprise architecture and making informed portfolio-based decisions across competing IT investments. GAO has also reported that it is critical for the department to implement these controls and associated best practices on its many IT investments. In its past work, GAO has made numerous recommendations on DHS institutional controls and on individual IT investment projects. The testimony is based on GAO’s body of work in these areas, covering the state of DHS IT management both on the institutional level and the individual program level. What GAO Found: DHS continues to work to institutionalize IT management controls and capabilities (disciplines) across the department. Among these are * having and using an enterprise architecture, or corporate blueprint, as an authoritative frame of reference to guide and constrain IT investments; * defining and following a corporate process for informed decision making by senior leadership about competing IT investment options; * applying system and software development and acquisition discipline and rigor when defining, designing, developing, testing, deploying, and maintaining systems; * establishing a comprehensive information security program to protect its information and systems; * having sufficient people with the right knowledge, skills, and abilities to execute each of these areas now and in the future; and * centralizing leadership for extending these disciplines throughout the organization with an empowered Chief Information Officer. Over the last 3 years, the department has made efforts to establish and implement these IT management disciplines, but it has more to do. Despite progress, for instance, in developing its enterprise architecture and its investment management processes, much work remains before these and the other disciplines are fully mature and institutionalized. For example, although the department recently completed a comprehensive inventory of its major information systems—a prerequisite for effective security management—it has not fully implemented a comprehensive information security program, and its other institutional IT disciplines are still evolving. The department also has more to do in deploying and operating IT systems and infrastructure in support of core mission operations, such as border and aviation security. For example, a system to identify and screen visitors entering the country has been deployed and is operating, but a related exit capability largely is not. Also, a government-run system to prescreen domestic airline passengers is not yet in place. Similarly, some infrastructure has been delivered, but goals related to consolidating networks and e-mail systems, for example, remain to be fully accomplished. Similarly, GAO’s review of key nonfinancial systems show that DHS has more to do before the IT disciplines discussed above are consistently employed. For example, these programs have not consistently employed reliable cost estimating practices, effective requirements development and test management, meaningful performance measurement, strategic workforce management, and proactive risk management, among other recognized program management best practices. Until the department fully establishes and consistently implements the full range of IT management disciplines embodied in best practices and federal guidance, it will be challenged in its ability to manage and deliver programs. www.gao.gov/cgi-bin/getrpt?GAO-06-598T. To view the full product, including the scope and methodology, click on the link above. For more information, contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. [End of section] Mr. Chairmen and Members of the Subcommittees, I appreciate the opportunity to participate in today's joint oversight hearing on Department of Homeland Security (DHS) efforts to effectively manage information technology (IT). As you know, IT is a critical tool in DHS's quest to transform 22 diverse and distinct agencies--some with longstanding management weaknesses--into a single, integrated, high- performing department. In light of the importance of this transformation and the magnitude of the associated challenges, in 2003 we designated the implementation of the department and its transformation as a high-risk undertaking.[Footnote 1] For DHS to effectively leverage IT as a transformation enabler, we reported in 2004 that it needed to put firmly in place certain institutional management controls and capabilities, such as having an enterprise architecture and a process for making informed portfolio- based decisions across competing IT investments.[Footnote 2] These controls and capabilities are interrelated management disciplines that collectively help an organization to deliver IT systems and infrastructure on time and on budget, and to do so in a way that minimizes risk and maximizes value to the organization as a whole. My testimony today addresses the state of DHS IT management on two levels: the institutional level and the individual program level. At the department level, it addresses efforts to establish corporate management controls, such as enterprise architecture, IT investment management, and the empowerment of the Chief Information Officer (CIO) to lead the department's IT activities. At the program level, it addresses the extent to which the institutional management controls are actually being implemented on key nonfinancial systems (such as those related to border and aviation security), pointing out the pitfalls to avoid and best practices to employ in managing these IT investments. In summary, DHS continues to work to institutionalize the range of IT management controls and capabilities that our research and past work have shown are fundamental to any organization's ability to use technology effectively to transform itself and accomplish mission goals.[Footnote 3] Among these IT management controls and capabilities are: * having and using an enterprise architecture, or corporate blueprint, as an authoritative frame of reference to guide and constrain system investments; * defining and following a corporate process for informed decision making by senior leadership about competing IT investment options; * applying system and software development and acquisition discipline and rigor when defining, designing, developing, testing, deploying, and maintaining systems; * establishing a comprehensive, departmentwide information security program to protect information and systems; * having sufficient people with the right knowledge, skills, and abilities to execute each of these areas now and in the future; and: * centralizing leadership for extending these disciplines throughout the organization with an empowered Chief Information Officer. Despite its efforts over the last 3 years, the department has more to do before each of these management controls and capabilities is fully in place and is integral to how each system investment is managed. In this regard, our reviews of key nonfinancial systems show that, for example, DHS IT programs have not consistently employed reliable cost estimating practices, effective requirements development and test management, meaningful performance measurement, strategic workforce management, and proactive management of risks, among other recognized program management best practices. The department also has more to do with respect to deploying and operating the mix of IT systems and infrastructure that are needed to support core mission operations, such as border and aviation security. For example, although a system to identify and screen visitors entering the country has been deployed and is operating, a related exit capability largely is not. Also, a government-run capability to prescreen domestic airline passengers is not yet in place. Similarly, while certain system and infrastructure capabilities have been delivered, goals related to consolidating data centers and networks and employing a common e-mail system, for example, remain to be fully accomplished. To assist the department in addressing its IT needs and management challenges, we have made a series of recommendations for both institutional and program-specific improvements. Spanning these recommendations is one for ensuring that the CIO is sufficiently empowered to extend management discipline and implement common IT solutions across the department. We look forward to working with DHS leadership as it implements these recommendations. In preparing this testimony, we drew extensively from our previous work on DHS's IT management controls and capabilities and their application on key department programs and projects. In addition, we reviewed documentation and interviewed responsible DHS officials, including the CIO. All the work on which this testimony is based was performed in accordance with generally accepted government auditing standards. Background: DHS's mission is to lead the unified national effort to secure America by preventing and deterring terrorist attacks and protecting against and responding to threats and hazards to the nation. DHS also is to ensure safe and secure borders, welcome lawful immigrants and visitors, and promote the free flow of commerce. Created in March 2003, DHS has assumed operational control of about 209,000 civilian and military positions from 22 agencies and offices specializing in one or more aspects of homeland security.[Footnote 4] The intent behind DHS's merger and transformation was to improve coordination, communication, and information sharing among the multiple federal agencies responsible for protecting the homeland. Not since the creation of the Department of Defense in 1947 has the federal government undertaken a transformation of this magnitude. As we reported before the department was created,[Footnote 5] such a transformation is critically important and poses significant management and leadership challenges. For these reasons, we designated the implementation of the department and its transformation as high risk; we also pointed out that failure to effectively address DHS's management challenges and program risks could have serious consequences for our national security. Among DHS's transformation challenges, we highlighted the formidable hurdle of integrating numerous mission-critical and mission support systems and associated IT infrastructure. For the department to overcome this hurdle, we emphasized the need for DHS to establish an effective IT governance framework, including controls aimed at effectively managing IT-related people, processes, and tools. DHS Components and IT Spending: To accomplish its mission, the department is organized into various components, each of which is responsible for specific homeland security missions and for coordinating related efforts with its sibling components, as well as external entities. Table 1 shows DHS's principal organizations and their missions. An organizational structure is shown in figure 1. Table 1: DHS's Principal Organizations and Their Missions: Principal organizations[A]: Citizenship and Immigration Services; Missions: Responsible for the administration of immigration and naturalization adjudication functions and establishing immigration services policies and priorities. Principal organizations[A]: Coast Guard; Missions: Protects the public, the environment, and U.S. economic interests in the nation's ports and waterways, along the coast, on international waters, and in any maritime region as required to support national security. Principal organizations[A]: Customs and Border Protection; Missions: Responsible for protecting the nation's borders in order to prevent terrorists and terrorist weapons from entering the United States, while facilitating the flow of legitimate trade and travel. Principal organizations[A]: Federal Emergency Management Agency; Missions: Prepares the nation for hazards, manages federal response and recovery efforts following any national incident, and administers the National Flood Insurance Program. Principal organizations[A]: Immigration and Customs Enforcement; Missions: The largest investigative arm of the department, responsible for identifying and shutting down vulnerabilities in the nation's border, economic, transportation, and infrastructure security. Principal organizations[A]: Management Directorate; Missions: Responsible for department budgets and appropriations, expenditure of funds, accounting and finance, procurement, human resources, information technology systems, facilities and equipment, and the identification and tracking of performance measurements. This directorate includes the offices of the Chief Financial Officer and the Chief Information Officer. Principal organizations[A]: Preparedness Directorate; Missions: Works with state, local, and private sector partners to identify threats, determine vulnerabilities, and target resources where risk is greatest, thereby safeguarding borders, seaports, bridges and highways, and critical information systems. Principal organizations[A]: Science and Technology Directorate; Missions: Serves as the primary research and development arm of the department, responsible for providing federal, state, and local officials with the technology and capabilities to protect the homeland. Principal organizations[A]: Secret Service; Missions: Protects the President and other high-level officials and investigates counterfeiting and other financial crimes (including financial institution fraud, identity theft, and computer fraud) and computer-based attacks on the nation's financial, banking, and telecommunications infrastructure. Principal organizations[A]: Transportation Security Administration; Missions: Protects the nation's transportation systems to ensure freedom of movement for people and commerce. Principal organizations[A]: US-VISIT; Missions: Responsible for developing and implementing a governmentwide program to record the entry into and exit from the United States of selected individuals, verify their identity, and confirm their compliance with the terms of their admission into and stay in this country. Sources: DHS (data); GAO (analysis). [A] This table does not show the organizations that fall under each of the directorates. This table also does not show all organizations that report directly to the DHS Secretary and Deputy Secretary, such as executive secretary, legislative and intergovernmental affairs, public affairs, chief of staff, inspector general, and general counsel. [End of table] Figure 1: DHS Organizational Structure (Simplified and Partial): [See PDF for image] [End of figure] Within the Management Directorate is the Office of the CIO, which is expected to leverage best available technologies and IT management practices, provide shared services, coordinate acquisition strategies, maintain an enterprise architecture that is fully integrated with other management processes, and advocate and enable business transformation. Other DHS entities also are responsible or share responsibility for critical IT management activities. For example, DHS's major organizational components (e.g., directorates, offices, and agencies) have their own CIOs and IT organizations. Control over the department's IT funding is vested primarily with the components' CIOs, who are accountable to the heads of their respective components.[Footnote 6] To promote IT coordination across DHS component boundaries, the DHS CIO established a CIO Council, chaired by the CIO and composed of component- level CIOs. According to its charter, the specific functions of the council include establishing a strategic plan, setting priorities for departmentwide IT, identifying opportunities for sharing resources, coordinating multibureau projects and programs, and consolidating activities. To accomplish their respective missions, DHS and its component organizations rely extensively on IT. For example, in fiscal year 2006 DHS IT funding totaled about $3.64 billion, and in fiscal year 2007 DHS has requested about $4.16 billion. For fiscal year 2006, DHS reported that this funding supported 279 major IT programs. Table 2 shows the fiscal year 2006 IT funding that was provided to key DHS components. Table 2: IT Funding for Fiscal Year 2006: Dollars in millions: DHS components and investments: Citizenship and Immigration Services; Funding: $388.8. DHS components and investments: Coast Guard; Funding: $201.3. DHS components and investments: Customs and Border Protection; Funding: $$423.7. DHS components and investments: Federal Emergency and Management Agency; Funding: $93.5. DHS components and investments: Immigration and Customs Enforcement; Funding: $166.8. DHS components and investments: Management Directorate: eMerge2[A]; Funding: $17.8. DHS components and investments: Management Directorate: Enterprise Application Delivery[B]; Funding: $20.3. DHS components and investments: Management Directorate: Enterprise Architecture and Investment Management Program[C]; Funding: $34.6. DHS components and investments: Management Directorate: Enterprise- Geospatial System[D]; Funding: $13.1. DHS components and investments: Management Directorate: Homeland Secure Data Network[E]; Funding: $32.7. DHS components and investments: Management Directorate: Human Resources IT[F]; Funding: $20.8. DHS components and investments: Management Directorate: Information Security Program[G]; Funding: $54.1. DHS components and investments: Management Directorate: Integrated Wireless Network[I]; Funding: $261.7. DHS components and investments: Management Directorate: Watch List and Technical Integration[J]; Funding: $9.9. DHS components and investments: Management Directorate: OCIO salaries and expenses; Funding: $15.5. DHS components and investments: Management Directorate: Other IT infrastructure[H]; Funding: $887.2. DHS components and investments: Management Directorate: Other; Funding: $31.6. DHS components and investments: Preparedness Directorate; Funding: $215.4. DHS components and investments: Science and Technology Directorate; Funding: $33.2. DHS components and investments: Secret Service; Funding: $3.8. DHS components and investments: Transportation Security Administration; Funding: $333.2. DHS components and investments: US-VISIT; Funding: $341.0. DHS components and investments: Other DHS components; Funding: $40.2. DHS components and investments: Total; Funding: $3,640.2. Source: GAO analysis of DHS data. [A] eMerge2 is an initiative planned to integrate the business and financial management policies, processes and systems of DHS into a single solution with the goal of meeting the department's financial management, acquisition, and asset management needs. [B] Enterprise Application Delivery is intended to consolidate existing and planned Web pages and platforms of the DHS component organizations. [C] Enterprise Architecture and Investment Management Program is intended to develop the department's enterprise architecture and implement the transition strategy through the department's investment management process. [D] Enterprise-Geospatial System is planned to establish a framework, organizational structure, and requisite resources to enable departmentwide use of geographic information systems. [E] Homeland Secure Data Network is an effort to merge disparate classified networks into a single, integrated network to enable, among other things, the secure sharing of intelligence and other information. [F] HR IT includes the set of DHS enterprisewide systems to support the personnel regulations such as Max.R. [G] Information Security Program is intended to establish information security policies and procedures throughout the department to protect the confidentiality, integrity, and availability of information. [H] Other infrastructure includes initiatives with the goal of creating a single, consolidated, and secure infrastructure to ensure connectivity among the department's 22 component organizations. [I] The Integrated Wireless Network is to deliver the wireless communications services required by agents and officers of DHS, Justice, and Treasury. [J] Watch List and Technical Integration is to increase effective information sharing by consolidating, re-using, and retiring applications that develop multiple terrorist watch lists being used by multiple operating entities within the government. [End of table] GAO Has Reviewed Several of DHS's Mission-Critical IT Programs: In view of the importance of major IT programs to the department's mission, the Congress has taken a close interest in certain mission- critical programs, often directing us to review and evaluate program management, progress, and spending. Among the programs that we have reviewed are the following: * US-VISIT (the United States Visitor and Immigrant Status Indicator Technology) has several major goals: to enhance the security of our citizens and visitors and ensure the integrity of the U.S. immigration system, and at the same time to facilitate legitimate trade and travel and protect privacy. To achieve these goals, US-VISIT is to record the entry into and exit from the United States of selected travelers, verify their identity, and determine their compliance with the terms of their admission and stay. As of October 2005, US-VISIT officials reported that about $1.4 billion had been appropriated for the program. The Automated Commercial Environment (ACE) is a Customs and Border Protection (CBP) program to modernize trade processing systems and support border security. Its goals include enhancing analysis and information sharing with other government agencies; providing an integrated, fully automated information system for commercial import and export data; and reducing costs for the government and the trade community though streamlining. To date, CBP reports that the program has received almost $1.7 billion in funding. The America's Shield Initiative (ASI) program (now cancelled) was to enhance DHS's ability to provide surveillance and protection of the U.S. northern and southern borders through a system of sensors, databases, and cameras. The program was also to address known limitations of the current Integrated Surveillance Intelligence System (ISIS) and to support DHS's antiterrorism mission, including its need to exchange information with state, local, and federal law enforcement organizations. As of September 2005, ASI officials reported that about $340.3 million had been spent on the program. As of December 2005, the program was subsumed within the Secure Border Initiative, the department's broader border and interior enforcement strategy. The Secure Flight program is developing a system to perform passenger prescreening for domestic flights: that is, the matching of passenger information against terrorist watch lists to identify persons who should undergo additional security scrutiny. The goal is to prevent people suspected of posing a threat to aviation from boarding commercial aircraft in the United States, while protecting passengers' privacy and civil liberties. The program also aims to reduce the number of people unnecessarily selected for secondary screening. To date, TSA officials report that about $144 million has been spent on the program. The Atlas program is intended to modernize the IT infrastructure of Immigration and Customs Enforcement (ICE). The goals of the program are to, among other things, improve information sharing, strengthen information security, and improve workforce productivity. ICE estimates the life cycle cost of Atlas to be roughly $1 billion. The Student and Exchange Visitor Information System (SEVIS) is an Internet-based system that is to collect and record information on foreign students, exchange visitors, and their dependents--before they enter the United States, when they enter, and during their stay. Through fiscal year 2006, the department expects to have spent, in total, about $133.5 million on this program. The Rescue 21 program is to replace and modernize the Coast Guard's 30- year-old search and rescue communication system, the National Distress and Response System. The modernization is to, among other things, increase the Coast Guard's communication coverage area in the United States; allow electronic tracking of department vessels and other mobile assets; enable better communication with other federal and state systems; and provide for secure communication of sensitive information. The Coast Guard reports that it plans to spend about $373.1 million on the program by the end of fiscal year 2006. It also estimates program's life cycle cost to be $710 million. IT Management Controls and Capabilities Are Important: Our research on leading private and public sector organizations, as well as our past work at federal departments and agencies, shows that successful organizations embrace the central role of IT as an enabler for enterprisewide transformation.[Footnote 7] These leading organizations develop and implement institutional or agencywide IT management controls and capabilities (people, processes, and tools) that help ensure that the vast potential of technology is applied effectively to achieve desired mission outcomes. Among these IT management controls and capabilities are: * enterprise architecture development and use, * IT investment management, * system development and acquisition process discipline, * information security management, and: * IT human capital management.[Footnote 8] In addition, these organizations establish these controls and capabilities within a governance structure that centralizes leadership in an empowered CIO. These controls and capabilities are interdependent and interrelated IT management disciplines, as shown in figure 2. If effectively established and implemented, they can go a long way in determining how successfully an organization leverages IT to achieve mission goals and outcomes. Figure 2: Interrelated Keys to Successful IT Management: [See PDF for image] Note: Figure shows topics addressed in this testimony; other key IT management areas include IT strategic planning and information management. [End of figure] DHS Is Making Progress but Has Yet to Fully Institutionalize IT Management Controls and Capabilities: Over the last 3 years, our work has shown that the department has continued to work to establish effective corporate governance and associated IT management controls and capabilities, but progress in each of the key areas has been uneven, and more remains to be accomplished. Until it fully institutionalizes effective governance controls and capabilities, it will be challenged in its ability to leverage IT to support transformation and mission results. Enterprise Architecture: Leading organizations recognize the importance of having and using an enterprise architecture, or corporate blueprint, as an authoritative operational and technical frame of reference to guide and constrain IT investments. In brief, an enterprise architecture provides systematic structural descriptions--in useful models, diagrams, tables, and narrative--of how a given entity operates today and how it plans to operate in the future, and it includes a road map for transitioning from today to tomorrow. Our experience with federal agencies has shown that attempting to modernize systems without having an enterprise architecture often results in systems that are duplicative, not well integrated, unnecessarily costly to maintain, and limited in terms of optimizing mission performance.[Footnote 9] To assist agencies in effectively developing, maintaining, and implementing an enterprise architecture, we published a framework for architecture management, grounded in federal guidance and recognized best practices.[Footnote 10] The underpinning of this framework is a five-stage maturity framework outlining steps toward achieving a stable and mature enterprise architecture program. The framework describes 31 practices or conditions, referred to as core elements, that are needed for effective architecture management. We have previously reported on DHS's effort to develop its enterprise architecture from two perspectives. First, in November 2003, we reported on DHS's architecture management program relative to the framework described above.[Footnote 11] At that time, we found that the department had implemented many of the practices described in our framework. For example, the department had, among other things, assigned architecture development, maintenance, program management, and approval responsibilities; created policies governing architecture development and maintenance; and formulated plans to develop architecture products and begun developing them. Second, in August 2004, we reported on DHS's effort to develop enterprise architecture products, relative to well-established, publicly available criteria on the content of enterprise architectures.[Footnote 12] At that time, we concluded that the department's initial enterprise architecture provided a foundation upon which to build, but that it was nevertheless missing important content that limited its utility. Thus, it could not be considered a well-defined architecture. In particular, the content of this initial version was not systematically derived from a DHS or national corporate business strategy; rather, it was more the result of an amalgamation of the existing architectures that several of DHS's predecessor agencies already had, along with their respective portfolios of system investment projects. To its credit, the department recognized the limitations of the initial architecture and has developed a new version. To assist DHS in evolving its architecture, we recommended 41 actions aimed at having DHS add needed architecture content and ensure that architecture development best practices are employed. Since then, DHS reported that it had taken steps in response to our recommendations. For example, the department issued version 2 of its enterprise architecture in October 2004. According to DHS, this version contained additional business/mission, service, and technical descriptions. Also, this version was submitted to a group of CIOs of major corporations and an enterprise architecture consulting firm, both of which found the architecture meritorious. Earlier this month (March 2006), the department issued another new version of its enterprise architecture, which it calls HLS EA 2006. Our analysis of version 2 of the department's architecture indicates that DHS has made progress toward development of its architecture products, particularly descriptions of both the "as-is" and "to-be" environments. Specifically, the scope of the "as-is" and "to-be" environments extends to descriptions of business operations, information and data needs and definitions, application and service delivery vehicles, and technology profiles and standards. With respect to the depth and detail of these descriptions (which are the focus of most of our 41 prior recommendations), the department has reported progress, such as (1) completing its first inventory of information technology systems, a key input to its description of the "as-is" environment; (2) establishing departmentwide technology standards; (3) developing and beginning to implement a plan for introducing a shared services orientation to the architecture, particularly with regard to information services (e.g., network, data center, e-mail, help desk, and video operations); and (4) finalizing content for the portion of its architecture that relates to certain border security functions (e.g., the alien detention and removal process that is a major facet of the department's new Strategic Border Initiative). IT Investment Management: Through IT investment management, organizations define and follow a corporate process to help senior leadership make informed decisions on competing options for investing in IT. Such investments, if managed effectively, can have a dramatic impact on performance and accountability. If mismanaged, they can result in wasteful spending and lost opportunities for improving delivery of services. Based on our research, we have issued an IT investment management framework[Footnote 13] that encompasses the best practices of successful public and private sector organizations, including investment selection and control policies and procedures. Our framework identifies, among other things, effective policies and procedures for developing and using an enterprisewide collection--or portfolio--of investments; using such portfolios enables an organization to determine priorities and make decisions among competing options across investment categories based on analyses of the relative organizational value and risks of all investments.[Footnote 14] A central tenet of the federal approach to IT investment management is the select/control/evaluate model. During the select phase, the organization (1) identifies and analyzes each project's risks and returns before committing significant funds and (2) selects those projects that will best support its mission needs. In the control phase, the organization ensures that the project continues to meet mission needs at the expected levels of cost and risks. If the project is not meeting expectations or if problems have arisen, steps are quickly taken to address the deficiencies. During the evaluate phase, actual versus expected results are compared after a project has been fully implemented. In August 2004, we reported[Footnote 15] that DHS had established an investment management process that included departmental oversight of major IT programs. However, this process was not yet institutionalized: for example, most programs (about 75 percent) had not undergone the departmental oversight process, and resources were limited for completing control reviews in a timely manner. At that time, the CIO and other DHS officials attributed these shortfalls, in part, to the fact that the department's process was maturing and needed to improve. Based on our findings, we made recommendations aimed at strengthening the process. In March 2005,[Footnote 16] we again reported on this investment review process, noting that it incorporated many best practices and provided its senior leaders with the information required to make well-informed investment decisions at key points in the investment life cycle. However, we also concluded that at some key investment decision points, DHS's process did not require senior management attention and oversight. For example, management reviews are not required at key system and subsystem decision points, although such reviews (especially with complex systems that incorporate new technology like US-VISIT) are critical to ensuring that risk is reduced before the organization commits to the next phase of investment. Accordingly, we made further recommendations to improve the process. Further, the CIO recently reported additional steps being taken to strengthen IT investment management. According to the CIO, DHS has: * established an acquisition project performance reporting system, which requires periodic reporting of cost, schedule, and performance measures as well as earned value metrics, as means to monitor and control major acquisitions; * aligned the investment management cycle and associated milestones with the department's annual budget preparation process to allow business cases for major investments to be submitted to department headquarters at the same time as the budget, rather than as a follow- on; * linked investment management systems to standardize and make consistent the financial data used to make investment decisions; * verified alignment of approximately $2 billion worth of investments via the department's portfolio management framework; and: * completed investment oversight reviews (by total dollar value) of over 75 percent of the department's major investments. The department has also developed a standard template for capturing information about a given IT program to be used in determining the investment's alignment with the enterprise architecture. Such alignment is important because it ensures that programs will be defined, designed, and developed in a way that avoids duplication and promotes interoperability and integration. However, the department has yet to document a methodology, with explicit criteria, for making its judgments about the degree of alignment. Instead, it relies on the undocumented and subjective determinations of individuals in its Enterprise Architecture Center of Excellence. Systems Development and Acquisition Management: Managing systems development and acquisition effectively requires applying engineering and acquisition discipline and rigor when defining, designing, developing and acquiring, testing, deploying, and maintaining IT systems and services. Our work and other best practice research have shown that applying such rigorous management practices improves the likelihood of delivering expected capabilities on time and within budget. In other words, the quality of IT systems and services is largely governed by the quality of the management processes involved in developing and acquiring them. Best practices in systems development and acquisition include following a disciplined life cycle management process, in which key activities and phases of the project are conducted in a logical and orderly process and are fully documented. Such a life cycle process begins with initial concept definition and continues through requirements determination to design, development, various phases of testing, implementation, and maintenance. For example, expected system capabilities should be defined in terms of requirements for functionality (what the system is to do), performance (how well the system is to execute functions), data (what data are needed by what functions, when, and in what form), interface (what interactions with related and dependent systems are needed), and security. Further, system requirements should be unambiguous, consistent with one another, linked (that is, traceable from one source level to another),[Footnote 17] verifiable, understood by stakeholders, and fully documented. The steps in the life cycle process each have important purposes, and they have inherent dependencies among themselves. Thus, if earlier steps are omitted or deficient, later steps will be affected, resulting in costly and time-consuming rework. For example, a system can be effectively tested to determine whether it meets requirements only if these requirements have already been completely and correctly defined. Concurrent, incomplete, and omitted activities in life cycle management exacerbate the program risks. Life cycle management weaknesses become even more critical as the program continues, because the size and complexity of the program will likely only increase, and the later problems are found, the harder and more costly they will likely be to fix. These steps, practices, and processes are embedded in an effective systems development life cycle (SDLC) methodology, which sets forth the multistep process of developing information systems from investigation of initial requirements through analysis, design, implementation, maintenance, and disposal. Organizations generally formalize their SDLC in policies, procedures, and guidance. Currently, many of the major DHS components are following the processes established under their predecessor organizations. For example, both the Transportation Security Administration and CBP have their own SDLCs. As part of our reviews of DHS IT management and specific IT programs, we have not raised any issues or identified any shortcomings with these SDLCs. DHS is currently drafting policies and procedures to establish a departmentwide SDLC methodology and thus provide a common management approach to systems development and acquisition. According to DHS, the goals of the SDLC are to help: * align projects to mission and business needs and requirements; * incorporate accepted industry and government standards, best practices, and disciplined engineering methods, including IT maturity model concepts; * ensure that formal reviews and approvals required by the process are consistent with DHS's investment management process; and: * institute disciplined life cycle management practices, including planning and evaluation in each phase of the information system life cycle. The department's SDLC, currently in draft form, is to apply to DHS's IT portfolio as well as other capital asset acquisitions. Under the SDLC, each program will be expected to, among other things, * follow disciplined project planning and management processes balanced by effective management controls; * have a comprehensive project management plan; * base project plans on user requirements that are clearly articulated, testable, and traceable to the work products produced; and: * integrate information security activities throughout the SDLC. Information Security Management: Effective information security management depends on establishing a comprehensive program to protect the information and information systems that support an organization's operations and assets.The overall framework for ensuring the effectiveness of federal information security controls is provided by the Federal Information Security Management Act of 2002.[Footnote 18] In addition, OMB Circular No. A- 130 requires agencies to provide information and systems with protection that is commensurate with the risk and magnitude of the harm that would result from unauthorized access to these assets or their loss, misuse, or modification. Because of continuing evidence indicating significant, pervasive weaknesses in the controls over computerized federal operations, we have designated information security as a governmentwide high-risk issue since 1997.[Footnote 19] Moreover, related risks continue to escalate, in part because the government is increasingly relying on the Internet and on commercially available IT products. Concerns are increasing regarding attacks for the purpose of crime, terrorism, foreign intelligence gathering, and acts of war, as well as by the disgruntled insider, who may not need particular expertise to gain unrestricted access and inflict damage or steal assets. Without an effective security management program, an organization has no assurance that it can withstand these and other threats. Since it was established, both we and the department's inspector general (IG) have reported that although the department continues to improve its IT security, it remains a major management challenge. For example, within its first year the department had appointed a chief information security officer and developed and disseminated information system security policies and procedures, but it had not completed a comprehensive inventory of its major IT systems--a prerequisite for effective security management. In June 2005, we reported that DHS had yet to effectively implement a comprehensive, departmentwide information security program to protect the information and information systems that support its operations and assets.[Footnote 20] In particular, although it had developed and documented departmental policies and procedures that could provide a framework for implementing such a program, certain departmental components had not yet fully implemented key information security practices and controls. Examples of weaknesses in components' implementation included incomplete or missing elements in risk assessments, security plans, and remedial action plans, as well as incomplete, nonexistent, or untested continuity of operations plans. To address these weaknesses, we made recommendations aimed at ensuring that DHS fully implement the key information security practices and controls. More recently, the DHS IG reported that DHS's components have not completely aligned their respective information security programs with DHS's overall policies, procedures, and practices.[Footnote 21] However, the IG also reported progress. According to the IG, DHS completed actions to eliminate two obstacles that had significantly impeded the department in establishing its security program: First, it completed the comprehensive system inventory mentioned earlier, including major applications and general support systems for all DHS components. Second, it implemented a departmentwide tool that incorporates the guidance required to adequately complete security certification and accreditation for all systems. The IG also reported that the CIO had developed a plan to accredit all systems by September 2006. The DHS CIO testified earlier this month (March 2006) on progress in implementing the department's certification and accreditation plan, stating that the department is well on its way to achieving its September 2006 target for full system accreditation.[Footnote 22] The CIO also stated that by the end of February 2006, more than 60 percent of the over 700 systems in its inventory were fully accredited, up from about 26 percent 5 months earlier. IT Human Capital Management: A strategic approach to human capital management includes viewing people as assets whose value to an organization can be enhanced by investing in them,[Footnote 23] and thus increasing both their value and the performance capacity of the organization. Based on our experience with leading organizations, we issued a model[Footnote 24] encompassing strategic human capital management, in which strategic human capital planning was one cornerstone.[Footnote 25] Strategic human capital planning enables organizations to remain aware of and be prepared for current and future needs as an organization, ensuring that they have the knowledge, skills, and abilities needed to pursue their missions. We have also issued a set of key practices for effective strategic human capital planning.[Footnote 26] These practices are generic, applying to any organization or component, such as an agency's IT organization. They include: * involving top management, employees, and other stakeholders in developing, communicating, and implementing a strategic workforce plan; * determining the critical skills and competencies needed to achieve current and future programmatic results; * developing strategies tailored to address gaps between the current workforce and future needs; * building the capability to support workforce strategies; and: * monitoring and evaluating an agency's progress toward its human capital goals and the contribution that human capital results have made to achieving programmatic goals. In June 2004, we reported that DHS had begun strategic planning for IT human capital at the headquarters level, but it had not yet systematically gathered baseline data about its existing workforce. Moreover, the DHS CIO expressed concern over staffing and acknowledged that progress in this area had been slow.[Footnote 27] In our report, we recommended that the department analyze whether it had appropriately allocated and deployed IT staff with the relevant skills to obtain its institutional and program-related goals. In response, DHS stated that on July 30, 2004, the CIO approved funding for an IT human capital Center of Excellence. This center was tasked with delivering plans, processes, and procedures to execute an IT human capital strategy and to conduct an analysis of the skill sets of DHS IT professionals. Since that time, DHS has undertaken a departmentwide human capital initiative, MAXHR, which is to provide greater flexibility and accountability in the way employees are paid, developed, evaluated, afforded due process, and represented by labor organizations. Part of this initiative involves the development of departmentwide workforce competencies. According to the DHS IG, the department intended to implement MAXHR in the summer of 2005, but federal district court decisions have delayed the department's plans. However, the IG stated that the classification, pay, and performance management provisions of the new program are moving forward, with implementation of the new performance management system beginning in October 2005. According to the IG, the new pay system is planned for implementation by January 2007 for some DHS components. CIO Leadership: According to our research on leading private and public sector organizations and experience at federal agencies, leading organizations adopt and use an enterprisewide approach to IT governance under the leadership of a CIO or comparable senior executive, who has responsibility and authority, including budgetary and spending control, for IT across the entity.[Footnote 28] In May 2004, we reported that the DHS CIO did not have authority and control over departmentwide IT spending.[Footnote 29] Control over the department's IT budget was vested primarily with the CIO organizations within each DHS component, and the components' CIO organizations were accountable to the heads of the components. As a result, DHS's CIO did not have authority to manage IT assets across the department. Accordingly, we recommended that the Secretary examine the sufficiency of spending authority vested in the CIO and take appropriate steps to correct any limitations in authority that constrain the CIO's ability to effectively integrate IT investments in support of departmentwide mission goals. Since then, the DHS IG has reported that the DHS CIO is not well positioned to accomplish IT integration objectives.[Footnote 30] According to the IG, despite federal laws and requirements, the CIO is not a member of the senior management team with authority to strategically manage departmentwide technology assets and programs. The IG reported that steps were taken to formalize reporting relationships between the DHS CIO and the CIOs of major component organizations, but that the CIO still does not have sufficient staff resources to assist in carrying out the planning, policy formation, and other IT management activities needed to support departmental units. The IG expressed the view that although the CIO currently participates as an integral member at each level of the investment review process, the department would benefit from following the successful examples of other federal agencies in positioning their CIOs with the authority and influence needed to guide executive decisions on departmentwide IT investments and strategies. In response to the IG's comments, the DHS CIO stated that his office is properly positioned and has the authority it needs to accomplish its mission. According to the CIO, the office is the principal IT authority to the Secretary and Deputy Secretary, and it will continue to hold that leadership role within the department. DHS Is Making Some Progress in Implementing IT Systems and Infrastructure: A gauge of DHS's progress in managing its IT investments is the extent to which it has deployed and is currently operating more modern IT systems and infrastructure. To the department's credit, our reviews have shown progress in these areas, and DHS has reported other progress. However, our reviews have also shown that IT programs have not met stated goals for deployed capabilities, and DHS's own reporting shows that infrastructure goals have yet to be fully met. To expedite the implementation of IT systems, the department has developed and deployed system capabilities incrementally, which we support, as this is a best practice and consistent with our recommendations.[Footnote 31] For example, the department has successfully delivered visitor entry identification and screening capabilities with the first three increments of its US-VISIT program, and it is currently implementing release four of its ACE program. At the same time, however, US-VISIT exit capabilities are not in place, and release four of ACE does not include needed functionality. Further, some IT programs that either were or have been under way for years have not delivered any functionality, such as the canceled ASI program and the Secure Flight program. In addition, the department has recently reported a number of accomplishments relative to IT infrastructure; however, what has been reported also shows that much remains to be accomplished before infrastructure-related efforts produce deployed and operational capabilities. For example, the department reports that it has begun its Infrastructure Transformation Program (ITP), which is its approach to moving to a consolidated, integrated, and services-oriented IT infrastructure. According to the department, the CIO developed and has begun implementing the ITP plan, which is to be centrally managed but executed in a distributed manner, with various DHS components taking the lead for different areas of infrastructure transformation.[Footnote 32] The ITP is to create a highly secure and survivable communications network (OneNet) for Sensitive but Unclassified data across the department, and it is also to establish a common and reliable e-mail system across the department. The department reported that it had deployed the initial core of the DHS OneNet and built the primary Network Operation Center to monitor OneNet performance. Among the other goals of the program are consolidated data centers to reduce costs and provide a highly survivable and reliable computing environment. In this regard, the department reported that it has now established an interim data center. In addition, the department stated that it has extended its classified networking capabilities by fielding 56 Secret sites on the department's Homeland Secure Data Network and by completing the connection of this network to SIPRNet (the Defense Department's Secret Internet Protocol Routed Network). DHS also reported that it has established an Integrated Wireless Program Plan, which provides a program management framework to ensure the on-time cost and schedule performance of wireless programs and projects. Key IT Programs Reflect Mixed Use of Effective IT Management Practices: A key measure of how well an organization is managing IT is the degree to which its IT-dependent programs actually implement corporate management controls and employ associated best practices. In this regard, our reviews of several nonfinancial DHS IT programs provide examples of both strengths and weaknesses in program management. In summary, they show that DHS IT programs are not being managed consistently: some programs are at least partially implementing certain program management best practices, but others are largely disregarding most of the practices. Further, they show that most of the programs are considerably challenged in certain key areas, such as measuring progress and performance against program commitments and establishing human capital capabilities. IT investment alignment with the enterprise architecture. An important element of enterprise architecture management is ensuring that IT investments comply with the architecture. However, in several of the programs that we have reviewed, investments have been approved without documented analysis to support these judgments and to permit the judgments to be independently verified. For example, DHS approved the ACE program's alignment with the department's architecture on the recommendation of its Enterprise Architecture Center of Excellence and Enterprise Architecture Board. However, the Center's evaluators did not provide a documented analysis that would allow independent verification. According to DHS officials, they do not have a documented methodology for evaluating programs' architecture compliance, and instead rely on the professional expertise of Center staff. In contrast, the ASI program provides an example of an instance in which the reviews required to ensure architecture alignment resulted in the discovery of a significant problem: the program had not adequately defined its relationships and dependencies with other department programs.[Footnote 33] As a result, the program was reconsidered and later subsumed within the new Secure Border Initiative, the department's broader strategy for border and interior enforcement. Reliable cost estimates. Reliable cost estimates are prerequisites both for developing an economic justification for a program and for establishing cost baselines against which to measure progress. DHS IT programs that we reviewed have demonstrated mixed results in this regard. For example, the ACE program has made considerable progress in implementing our recommendation to ensure that its development contractor's cost estimates are reconciled with independent cost estimates, and that the derivation of both estimates is consistent with published best practices. However, cost estimating remains a major challenge for other DHS IT programs. For example, Secure Flight did not have cost estimates for either initial or full operating capability, nor did it have a life-cycle cost estimate (estimated costs over the expected life of a program, including direct and indirect costs and costs of operation and maintenance). Also, for the US-VISIT program's analysis of proposed alternatives for monitoring the exit of travelers, cost estimates did not meet key criteria for reliable cost estimating as established in the published best practices mentioned above. For example, they did not include detailed work breakdown structures defining the work to be performed, so that associated costs could be identified and estimated. Such a work breakdown structure provides a reliable basis for ensuring that estimates include all relevant costs. Without reasonable cost estimates, it is not possible to produce an adequate economic justification for choosing among alternatives, and program performance cannot be adequately measured. Earned value management. To help ensure that reliable processes are used to measure progress against cost and schedule commitments, OMB requires agencies to manage and measure major IT projects[Footnote 34] through use of an earned value management (EVM) system that is compliant with specified standards.[Footnote 35] On programs we reviewed, however, the use of EVM was as yet limited. For example, although the ACE program had instituted the use of EVM on recent releases, its use for one release was suspended in June 2005, because staff assigned to the release were unfamiliar with the technique. For another release, EVM was not used because, according to program officials, the release had not established the necessary cost and schedule baseline estimates against which earned value could be measured. ACE officials told us that they plan to establish baselines and use EVM for future work. With regard to the US-VISIT program, although EVM is to be used in managing the prime integration contract, it has not been used in a number of US-VISIT related contracts over the last 3 years. According to DHS, in fiscal year 2005, 30 percent of departmental programs were using EVM. Performance management and accountability. To ensure that programs manage their performance effectively, it is important that they define and measure progress against program commitments and hold themselves accountable for results. These program commitments include expected or estimated (1) capabilities and associated use and quality; (2) benefits and mission value; (3) costs; and (4) milestones and schedules. To be accountable, projects need first to develop and maintain reliable and current expectations and then to define and select metrics to measure progress against these. However, in our reviews of DHS programs (such as those that are required to prepare expenditure plans for Senate and House appropriations subcommittees before obligating funding), we have reported that program performance and accountability has been a challenge. For example, the fiscal year 2004 expenditure plan for the Atlas program did not provide sufficient information on program commitments to allow the Congress to perform effective oversight. On the other hand, although the ACE program office is still not where it needs to be in this regard, it has made progress in this area: it has now prepared an initial version of a program accountability framework that includes measuring progress against costs, milestones and schedules, and risks for select releases. However, ACE benefit commitments are still not well defined, and the performance targets being used were not always realistic. On other programs, such as SEVIS, we found that while some performance aspects of the system were being measured, others were not such as network usage. Disciplined acquisition and development processes. Our reviews of DHS programs have disclosed numerous weaknesses in key process areas related to system acquisition and management, such as requirements development and management, test management, project planning, validation and verification, and contract management oversight. For example, we reported that the Atlas program office, which had been recently established, had not yet implemented any of these key process areas.[Footnote 36] For the ACE program, weaknesses in requirements definition were a major reason for recent problems and delays, including the realization during pilot testing that key functionality had not been defined and built into the latest release. For US-VISIT, test plans were incomplete in that they did not, among other things, adequately demonstrate traceability between test cases and the requirement to be verified by testing. Also, both ASI and Secure Flight were proceeding without complete and up-to-date program management plans, and Secure Flight's requirements were not well developed. In addition, key ASI acquisition controls, such as contract management oversight, were not yet defined. This led to a number of problems in ASI deploying, operating, and maintaining ISIS technology. Further, ACE and US-VISIT projects have not always effectively employed independent verification and validation. Risk management. Effective risk management is vital to the success of any system acquisition. Accordingly, best practices[Footnote 37] advocate establishing management structures and processes to proactively identify facts and circumstances that can increase the probability of an acquisition's failing to meet cost, schedule, and performance commitments and then taking steps to reduce the probability of their occurrence and impact. Our work on the ACE, US-VISIT, and ASI programs, for example, showed that risk management programs were in place, but not all risks were being effectively addressed. In particular, key risks on the ACE program were not being effectively addressed. Specifically, the ACE program schedule had introduced significant concurrency in the development and deployment of releases; as both prior experience on the ACE program and best practices show, such concurrency causes contention for common resources, which in turn produces schedule slips and cost overruns. Also, the ACE program was passing key milestones with known severe system defects--that is, allowing development to proceed to the next stage even though significant problems remained to be solved. This led to a recurring pattern of addressing quality problems with earlier releases by borrowing resources from future releases, which led to schedule delays and cost overruns. Moreover, it led the program to deploy one release prematurely with the intention of gaining user acceptance sooner. However, this premature deployment actually produced a groundswell of user complaints and poor user satisfaction scores with the release. Similar risks were experienced on the Coast Guard's Rescue 21 program. For example, we reported that the Coast Guard's plan to compress and overlap key tests introduced risks, and subsequently the Coast Guard decided to postpone several tests.[Footnote 38] Security. The selection and employment of appropriate security and privacy controls for an information system are important tasks that can have major implications for the operations and assets and for the protection of personal information that is collected and maintained in the system. Security controls are the management, operational, and technical safeguards prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. Privacy controls limit the collection, use, and disclosure of personal information. For several IT programs, security and privacy has been a challenge. For example, we reported[Footnote 39] in September 2003 and again in May 2004 that the US-VISIT program office had yet to develop a security plan as required by OMB and other federal guidance, although the program later developed a plan that was generally consistent with applicable guidance. However, the program office had not conducted a security risk assessment or included in the plan when such an assessment would be completed. OMB and other federal guidance specifies that security plans should describe the methodology that is used to identify system threats and vulnerabilities and to assess the risks, and include the date the assessment was completed. In addition, we reported that the Atlas program was relying on a bureauwide security plan that did not address Atlas infrastructure requirements. Further, Atlas had yet to develop a privacy impact assessment to determine what effect, if any, the system would have on individual privacy, the privacy consequences of processing certain information, and alternatives considered to collect and handle the information. On TSA's Secure Flight program, although the agency had taken steps to implement security to protect system information and assets, we recently reported that these steps were individually incomplete and collectively fell short of a comprehensive program consistent with federal guidance and associated best practices. More specifically, OMB and other federal guidance and relevant best practices call for agencies to, among other things, (1) conduct a systemwide risk assessment that is based on system threats and vulnerabilities and (2) then develop system security requirements and related policies and procedures that govern the operation and use of the system and address identified risks. Although TSA developed two system security plans--one for the underlying infrastructure (hardware and software) and another for the Secure Flight system application--neither was complete. Specifically, the infrastructure plan only partially defined the requirements to address the risks, and the application plan did not include any requirements addressing risks. Furthermore, we also recently reported[Footnote 40] that TSA did not fully disclose to the public, as required by privacy guidance, its use of personal information during the testing phase of Secure Flight until after many of the tests had been completed. Establishing and maintaining adequate staffing. Implementing the IT management processes that I have been describing requires that programs have the right people--not only people who have the right knowledge, skills, and abilities, but also enough of them to do the job. Generally, all the programs we reviewed were challenged, particularly in their initial stages, to assemble sufficient staff with the right skill mix and to treat workforce (human capital) planning as a management imperative. For example, we reported that both the Atlas and the ASI programs were initiated without being adequately staffed. In addition, in September 2003 we reported that the US-VISIT program office had assessed its staffing needs for acquisition management at 115 government and 117 contractor personnel, but that at the time the program had 10 staff within the program office and another 6 staff working closely with them.[Footnote 41] Since then, US-VISIT has filled 102 of its 115 planned government positions (with plans in place to fill the remaining positions) and all of its planned 117 contractor positions.[Footnote 42] However, to ensure that staffing needs continue to be met, organizations need to manage human capital strategically, which entails identifying the program functions that need to be performed and the associated numbers and skill sets (core competencies) needed to perform them, assessing the on-board workforce relative to these needs, identifying gaps, and developing and implementing strategies (i.e., hiring, retention, training, contracting) for filling these gaps over the long-term. In this regard, the US-VISIT program has made considerable progress. Specifically, we recently reported that it has analyzed the program office's workforce to determine diversity trends, retirement and attrition rates, and mission-critical and leadership competency gaps, and it has updated the program's core competency requirements to ensure alignment between the program's human capital and business needs. In contrast, although the ACE program has taken various informal steps to bolster its workforce (such as providing training), it has been slow to document and implement a human capital strategy that compares competency-based staffing needs to on-board capabilities and includes plans for closing shortfalls. In closing, let me reiterate that we have made a series of recommendations to the department aimed at addressing both the department's institutional IT management challenges and its IT program- specific weaknesses. To the department's credit, it has largely agreed with these recommendations. Although some of these have been implemented, most are still works in process. In my view, these recommendations provide a comprehensive framework for strengthening DHS's management of IT and increasing the chances of delivering promised system capabilities and benefits on time and within budget. We look forward to working constructively with the department in implementing these recommendations and thereby maximizing the role that IT can play in DHS's transformation efforts. Mr. Chairmen, this concludes my statement. I would be happy to answer any questions at this time. Contacts and Acknowledgments: For future information regarding this testimony, please contact Randy Hite, Director, Information Technology Architecture and Systems Issues, at (202) 512-3439, or hiter@gao.gov. Other individuals who made key contributions to this testimony were Mathew Bader, Mark Bird, Justin Booth, Barbara Collier, Deborah Davis, Michael Holland, Ash Huda, Gary Mountjoy, and Scott Pettis. FOOTNOTES [1] GAO, High-Risk Series: An Update, GAO-03-119 (Washington, D.C.: January 2003); High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January 2005). [2] GAO, Department of Homeland Security: Formidable Information and Technology Management Challenge Requires Institutional Approach, GAO-04- 702 (Washington, D.C.: Aug. 27, 2004). [3] GAO, Maximizing the Success of Chief Information Officers: Learning from Leading Organizations, GAO-01-376G (Washington, D.C.: February 2001); Architect of the Capitol: Management and Accountability Framework Needed for Organizational Transformation, GAO-03-231 (Washington, D.C.: Jan. 17, 2003). [4] Some of those specialties are intelligence analysis, law enforcement, border security, transportation security, biological research, critical infrastructure protection, and disaster recovery. [5] For example, see GAO, Major Management Challenges and Program Risks: Department of Homeland Security, GAO-03-102 (Washington, D.C.: January 2003) and Homeland Security: Proposal for Cabinet Agency Has Merit, but Implementation Will be Pivotal to Success, GAO-02-886T (Washington, D.C.: June 25, 2002). [6] GAO, Homeland Security: Information Sharing Responsibilities, Challenges, and Key Management Issues, GAO-03-715T (Washington, D.C.: May 8, 2003). [7] GAO, Maximizing the Success of Chief Information Officers: Learning from Leading Organizations, GAO-01-376G (Washington, D.C.: February 2001); Architect of the Capitol: Management and Accountability Framework Needed for Organizational Transformation, GAO-03-231 (Washington, D.C.: Jan. 17, 2003). [8] Other important IT management controls and capabilities are not addressed in this testimony, such as IT strategic planning and information management. [9] See for example, GAO, DOD Business Systems Modernization: Improvements to Enterprise Architecture Development and Implementation Efforts Needed, GAO-03-458, (Washington, D.C.: Feb. 28, 2003); Information Technology: DLA Should Strengthen Business Systems Modernization Architecture and Investment Activities, GAO-01-631 (Washington, D.C.: June 29, 2001); and Information Technology: INS Needs to Better Manage the Development of Its Enterprise Architecture, AIMD-00-212 (Washington, D.C.: Aug. 1, 2000). [10] GAO, Information Technology: A Framework for Assessing and Improving Enterprise Architecture Management (Version 1.1), GAO-03-584G (Washington, D.C.: April 2003). [11] GAO, Information Technology: Leadership Remains Key to Agencies Making Progress on Enterprise Architecture Efforts, GAO-04-40 (Washington, D.C.: Nov. 17, 2003). [12] GAO, Homeland Security: Efforts Under Way to Develop Enterprise Architecture, but Much Work Remains, GAO-04-777 (Washington, D.C.: Aug. 6, 2004). [13] GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, Exposure Draft, GAO/AIMD- 10.1.23 (Washington, D.C.: May 2000); Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, version 1.1, GAO-04-394G (Washington, D.C.: March 2004). [14] Our ITIM framework is also consistent with the Clinger-Cohen Act of 1996 (40 U.S.C. §§ 11101-11703), in which Congress enacted provisions requiring federal agencies to focus on results achieved through IT investments and to improve their IT acquisition processes. The act also introduces more rigor and structure into how agencies select and manage IT projects. [15] GAO, Department of Homeland Security: Formidable Information and Technology Management Challenge Requires Institutional Approach, GAO-04- 702 (Washington, D.C.: Aug. 27, 2004). [16] GAO, Homeland Security: Successes and Challenges in DHS's Efforts to Create an Effective Acquisition Organization, GAO-05-179 (Washington, D.C.: Mar. 29, 2005). [17] Examples of higher order sources include legislation, which may dictate certain requirements, and other system documentation, such as the operational concept. When requirements are managed well, traceability can be established from the source requirements to lower level requirements and from the lower level back to their source. Such bidirectional traceability helps determine that all source requirements have been addressed completely and that all lower level requirements can be verified as derived from a valid source. [18] Pub. L. No. 107-347, tit. III, § 301, 116 Stat. 2946, 2946-55 (Dec. 17, 2002) (codified at 44 U.S.C. §§ 3541-3549). [19] See GAO, High-Risk Series: Protecting Information Systems Supporting the Federal Government and the Nation's Critical Infrastructures, GAO-03-121 (Washington, D.C.: January 2003). [20] GAO, Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program, GAO-05-700 (Washington, D.C.: June 17, 2005). [21] DHS Office of Inspector General, Major Management Challenges Facing the Department of Homeland Security, OIG-06-14 (Washington, D.C.: December 2005). [22] Statement by Scott Charbo, DHS CIO, before the House Committee on Government Reform (Washington, D.C.: Mar. 16, 2006). [23] See GAO, Human Capital: Attracting and Retaining a High-Quality Information Technology Workforce, GAO-02-113T (Washington, D.C.: Oct. 4, 2001); A Model of Strategic Human Capital Management, GAO-02-373SP (Washington, D.C.: Mar. 15, 2002); Key Principles for Effective Strategic Workforce Planning, GAO-04-39 (Washington, D.C.: Dec. 11, 2003). [24] GAO-02-373SP. [25] The other three are leadership; acquiring, developing, and retaining talent; and results-oriented organizational culture. [26] GAO-04-39. [27] GAO, Human Capital: DHS Faces Challenges In Implementing Its New Personnel System, GAO-04-790 (Washington, D.C.: June 18, 2004). [28] For example, see GAO, Architect of the Capitol: Management and Accountability Framework Needed for Organizational Transformation, GAO- 03-231 (Washington, D.C.: Jan. 17, 2003) and Maximizing the Success of Chief Information Officers: Learning from Leading Organizations, GAO-01- 376G (Washington, D.C.: February 2001). [29] GAO, Information Technology: Homeland Security Should Better Balance Need for System Integration Strategy with Spending for New and Enhanced Systems, GAO-04-509 (Washington, D.C.: May 21, 2004). [30] DHS Office of Inspector General, Major Management Challenges Facing the Department of Homeland Security, OIG-06-14 (Washington, D.C.: December 2005). [31] Clinger-Cohen Act of 1996, Pub. L. 104-106; OMB, Management of Federal Information Resources, Circular A-130 (Nov. 28, 2000). [32] For instance, CBP is the lead for network services and data centers; the Coast Guard is the lead for e-mail and help desk services; and the Federal Emergency Management Agency is the lead on video operations services. [33] In February 2006, we reported that the DHS Deputy Secretary had directed that the program be reevaluated within the department's broader border and interior enforcement strategy, now referred to as the Secure Border Initiative. See GAO, Border Security: Key Unresolved Issues Justify Reevaluation of Border Surveillance Technology Program, GAO-06-295 (Washington, D.C.: Feb. 22, 2006). [34] Specifically, OMB requires agencies to use this method on all new major IT projects, ongoing major IT developmental projects, and high- risk projects. [35] EVM is a project management tool that integrates the investment scope of work with schedule and cost elements for investment planning and control. This method compares the value of work accomplished during a given period with that of the work expected in the period. Differences in expectations are measured in both cost and schedule variances. [36] GAO, Information Technology: Management Improvements Needed on Immigration and Customs Enforcement's Infrastructure Modernization Program, GAO-05-805 (Washington, D.C.: Sept. 7, 2005). [37] Software Engineering Institute, Software Acquisition Capability Maturity Model® version 1.03, CMU/SEI-2002-TR-010 (Pittsburgh, PA: March 2002). [38] GAO, Coast Guard: New Communication System to Support Search and Rescue Faces Challenges, GAO-03-1111 (Washington, D.C.: Sept. 30, 2003). [39] Homeland Security: First Phase of Visitor and Immigration Status Program Operating, but Improvements Needed, GAO-04-586 (Washington, D.C.: May 11, 2004); and Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed, GAO-03-1083 (Washington, D.C.: Sept. 19, 2003). [40] GAO, Aviation Security: Transportation Security Administration Did Not Fully Disclose Uses of Personal Information during Secure Flight Program Testing in Initial Privacy Notices, but Has Recently Taken Steps to More Fully Inform the Public, GAO-05-864R (Washington, D.C.: July 22, 2005). [41] GAO, Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed, GAO-03-1083 (Washington, D.C.: Sept. 19, 2003); [42] GAO, Homeland Security: Recommendations to Improve Management of Key Border Security Program Need to Be Implemented, GAO-06-296 (Washington, D.C.: Feb. 14, 2006).