This is the accessible text file for GAO report number GAO-07-278 entitled 'Homeland Security: Planned Expenditures for U.S. Visitor and Immigrant Status Program Need to Be Adequately Defined and Justified' which was released on February 14, 2007. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: February 2007: Homeland Security: Planned Expenditures for U.S. Visitor and Immigrant Status Program Need to Be Adequately Defined and Justified: GAO-07-278: GAO Highlights: Highlights of GAO-07-278, a report to congressional committees Why GAO Did This Study: The Department of Homeland Security (DHS) has established a program—the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT)—to collect, maintain, and share information, including biometric identifiers, on selected foreign nationals who travel to the United States. By congressional mandate, DHS is to develop and submit for approval an expenditure plan for US-VISIT that satisfies certain conditions, including being reviewed by GAO. GAO was required to determine if the plan satisfied these conditions, follow up on recommendations related to the expenditure plan, and provide any other observations. To address the mandate, GAO assessed plans against federal guidelines and industry standards and interviewed the appropriate DHS officials. What GAO Found: The US-VISIT expenditure plan, related program documentation, and program officials’ statements satisfied or partially satisfied each of the legislative conditions required by the Department of Homeland Security Appropriations Act, 2006. For example, they satisfied the condition that the agency provide certification that an independent verification and validation agent is currently under contract for the program and partially satisfied the condition that US-VISIT comply with DHS’s enterprise architecture. DHS also completed or partially completed each of GAO’s prior expenditure plan-related recommendations. For example, the department completed recommendations that it provide an expenditure plan to the Senate and House Appropriations Subcommittees on Homeland Security before obligating restricted fiscal year funds and that it identify and disclose management reserve funding in those plans. However, DHS only partially completed recommendations that the plan fully disclose how the US-VISIT acquisition is being managed and that it fully disclose US- VISIT’s cost, schedule, capabilities, and benefits. GAO identified several additional areas of concern. First, DHS has not adequately defined and justified its proposed fiscal year 2006 expenditures for pilot and demonstration projects aimed at collecting information on persons exiting the country at air, sea, and land borders. Second, DHS has continued to invest in US-VISIT without a clearly defined operational context that includes explicit relationships with related border security and immigration enforcement initiatives. Third, US-VISIT program management costs have risen sharply, while costs for development have decreased, without any accompanying explanation of the reasons. Overall, the US-VISIT fiscal year 2006 expenditure plan and other available program documentation do not provide a sufficient basis for Congress to exercise effective oversight of the program and to hold the department accountable for results. For proper oversight and accountability to occur, it is essential that DHS increase US-VISIT program transparency and accountability by justifying planned investments on the basis of adequate definition and disclosure of planned expenditures, timelines, capabilities, and benefits, and by effectively measuring and reporting progress against each. It is also essential for DHS to fully satisfy each of the conditions legislated by Congress, because doing so will minimize the program’s exposure to risk. What GAO Recommends: GAO is recommending that the Secretary of DHS direct the US-VISIT program director to increase program transparency and accountability by defining and justifying planned investments and effectively measuring and reporting on their progress and to determine and mitigate risks associated with not fully satisfying legislative conditions and report these risks to DHS senior leadership and to the appropriate congressional committees. DHS agreed with GAO’s findings and recommendations. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-278]. To view the full product, including the scope and methodology, click on the link above. For more information, contact Randolph C. Hite at (202) 512-3439 or hiter@gao.gov. [End of section] Contents: Letter: Compliance with Legislative Conditions: Status of Open Recommendations: Observations on the Expenditure Plan and Management of US-VISIT: Conclusions: Recommendations for Executive Action: Agency Comments: Appendixes: Appendix I: Briefing to the Staffs of the Subcommittees on Homeland Security, Senate and House Committees on Appropriations: Appendix II: Comments from the Department of Homeland Security: Appendix III: GAO Contact and Staff Acknowledgments: Abbreviations: a-ID: automated identification: ADIS: Arrival Departure Information System: AIDMS: Automated Identification Management System: APIS: Advance Passenger Information System: CBP: Customs and Border Protection: CLAIMS 3: Computer Linked Application Information Management System 3: CMMI: Capability Maturity Model Integration: DHS: Department of Homeland Security: EA: enterprise architecture: EVM: earned value management: FEA: Federal Enterprise Architecture: FFMS: Federal Financial Management System: IAFIS: Integrated Automated Fingerprint Identification System: IBIS: Interagency Border Inspection System: IDENT: Automated Biometric Identification System: IRB: Investment Review Board: OMB: Office of Management and Budget: POE: port of entry: RFID: radio frequency identification: SEI: Software Engineering Institute: SEVIS: Student and Exchange Visitor Information System: TECS: Treasury Enforcement Communications System: US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology: February 14, 2007: The Honorable Robert C. Byrd: Chairman: The Honorable Thad Cochran: Ranking Minority Member: Subcommittee on Homeland Security: Committee on Appropriations: United States Senate: The Honorable David E. Price: Chairman: The Honorable Harold Rogers: Ranking Minority Member: Subcommittee on Homeland Security: Committee on Appropriations: House of Representatives: The Department of Homeland Security (DHS) submitted to Congress in August 2006 its fiscal year 2006 expenditure plan for the U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program in compliance with the Department of Homeland Security Appropriations Act, 2006.[Footnote 1] US-VISIT is a governmentwide program to collect, maintain, and share information on foreign nationals who enter and exit the United States. The program's goals are to enhance the security of U.S. citizens and visitors, facilitate legitimate trade and travel, ensure the integrity of the U.S. immigration system, and protect the privacy of visitors to the United States. As required by the appropriations act, we reviewed US-VISIT's fiscal year 2006 expenditure plan. Our objectives were to (1) determine whether the expenditure plan satisfies legislative conditions specified in the appropriations act, (2) determine the status of our open recommendations pertaining to the US-VISIT expenditure plan, and (3) provide observations about the expenditure plan and DHS's management of US-VISIT. On November 13, 2006, we briefed the staffs of the Senate and House Appropriations Subcommittees on Homeland Security on the results of our review. This report transmits these results. The full briefing, including our scope and methodology, is reprinted in appendix I. Compliance with Legislative Conditions: The US-VISIT expenditure plan, including related program documentation and program officials' statements, satisfies or partially satisfies each of the legislative conditions. The expenditure plan partially satisfies the legislative conditions that it (1) meet the capital planning and investment control review requirements established by the Office of Management and Budget (OMB), including OMB Circular A-11, part 7; (2) comply with DHS's enterprise architecture; and (3) comply with federal acquisition rules, requirements, guidelines, and systems acquisition management practices. In addition, the plan and related documentation satisfy the legislative conditions that (1) DHS certify that an independent verification and validation agent is currently under contract for the program; (2) the plan be reviewed and approved by DHS's Investment Review Board, the Secretary of Homeland Security, and OMB; and (3) the plan be reviewed by GAO. Status of Open Recommendations: DHS has completed or has partially completed all of the remaining recommendations contained in our prior reports on expenditure plans. Each recommendation, along with its current status, is summarized in this section. * Ensure that future expenditure plans are provided to DHS's Senate and House Appropriations Subcommittees on Homeland Security in advance of US-VISIT funds being obligated. DHS has completed this recommendation by providing the fiscal year 2006 plan to the Senate and House Appropriations Subcommittees on Homeland Security on August 10, 2006. * Ensure that all future US-VISIT expenditure plans identify and disclose management reserve funding. DHS has completed this recommendation by specifying management reserve funding of $13 million in the fiscal year 2006 plan. * Ensure that future expenditure plans fully disclose how the US-VISIT acquisition is being managed. The department has partially completed this recommendation. The fiscal year 2006 expenditure plan describes a range of key acquisition management activities and control areas, such as configuration management and testing. However, the plan's descriptions do not fully disclose challenges that the US-VISIT program faces in how it is managing acquisition activities. * Develop a plan, including explicit tasks and milestones, for implementing all of our open recommendations and report on this progress, including reasons for delays, in all future US-VISIT expenditure plans. The department has partially completed this recommendation. The fiscal year 2006 expenditure plan lists most of our recommendations and describes DHS efforts to address them. However, the plan does not provide future tasks or milestones for more than half of our recommendations and is missing four recommendations altogether. * Ensure that future expenditure plans fully disclose US-VISIT system capabilities, schedule, cost, and benefits to be delivered. The department has partially completed this recommendation. The fiscal year 2006 expenditure plan discloses some system capabilities, schedule, cost, and benefits. However, capability information is largely described as activities to be performed, rather than capabilities to be delivered. Also, in many cases, cost information is not provided at a sufficient level of detail for oversight. Furthermore, the plan does not explicitly link performance measures to program benefits. Finally, the plan does not include performance measures related to exit processing, even though the plan's stated goals and cited benefits include immigration system integrity, which requires an effective exit processing capability. As a result, the plan does not provide sufficient information on capabilities, schedule, cost, and benefits to fully support congressional oversight and promote department accountability. * Fully and explicitly disclose in all future expenditure plans how well DHS is progressing against the commitments that it made in prior expenditure plans. The department has partially completed this recommendation. The fiscal year 2006 expenditure plan describes progress against some, but not all, commitments in the fiscal year 2005 expenditure plan. As a result, the plan does not provide sufficient disclosure of program performance to support congressional oversight and promote department accountability. Observations on the Expenditure Plan and Management of US-VISIT: Our observations raise concerns about the lack of definition and justification for planned investments in several aspects of the US- VISIT program. An overview of each observation follows. * Observation 1: DHS has not adequately defined and justified its proposed fiscal year 2006 expenditures in exit pilots and demonstration projects. Federal legislation requires that DHS develop the capability to collect information on persons exiting the country at borders.[Footnote 2] Having a cost-effective exit capability is essential for US-VISIT to accomplish its stated strategic goals, such as enhancing the security of U.S. citizens and visitors and ensuring the integrity of the immigration system. Over the last 3 years, DHS has devoted considerable time and resources to establishing an operational exit capability at land, air, and sea ports of entry through several pilot and demonstration efforts. However, these efforts have raised concerns and highlighted limitations, particularly with respect to land ports of entry. For example, successful reading of traveler's information occurred at below-acceptable rates and was based on technologies that are not fully reliable. Notwithstanding these issues, the fiscal year 2006 expenditure plan proposes investing another $33.5 million to continue operation of air and sea exit pilots and allocates carryover of $21.5 million in fiscal year 2005 funds for land exit demonstration activities without adequately justifying continuing these investments. As a result, we concluded that it was unclear whether these investments will produce value that is commensurate with costs and risks. In its comments on a draft of this report, DHS stated that it has since terminated the land exit demonstration. * Observation 2: DHS continues to invest in US-VISIT without a clearly defined operational context that includes explicit relationships with related border security and immigration enforcement initiatives. In 2003, we recommended that DHS clarify the operational context[Footnote 3] in which US-VISIT is to operate, including, among other things, related initiatives.[Footnote 4] However, DHS continues to pursue US- VISIT without having this operational context. Exacerbating this situation is that DHS has recently launched other major programs, including the Secure Border and Western Hemisphere Travel Initiatives, but it has not adequately defined the relationships between US-VISIT and each of these programs. Clearly defining the dependencies among US- VISIT and related programs is important because there is commonality among the strategic goals of these programs and the operational environments in which they are to function. Despite these dependencies, neither the fiscal year 2006 expenditure plan nor any other available program documentation addresses these relationships or how they will be managed. As a result, we concluded that DHS runs the risk of defining and implementing the US-VISIT strategic solution in a way that does not optimize departmentwide performance and results. * Observation 3: DHS has not adequately justified increases in, and disclosed the scope and nature of, program management-related fiscal year 2006 expenditures. US-VISIT's planned investment in program management-related activities has risen steadily over the last 4 years, while planned investment in the development of new program capabilities has correspondingly declined. The fiscal year 2006 expenditure plan proposes spending $126 million on program management-related costs, or $1.35 on program management-related activities for each dollar spent on developing new US-VISIT capabilities. The expenditure plan does not explain the reasons for this recent growth or otherwise justify the sizeable proposed investment in program management and operations on the basis of measurable expected value. Moreover, the plan does not adequately describe the range of program management and operations activities. As a result, we concluded that it was unclear whether the planned investment in program management-related activities represents the best use of limited resources. In its comments on a draft of this report, DHS stated that it has since provided a revised version of the expenditure plan that clarifies program management-related spending to its appropriations committees. Conclusions: The legislatively mandated expenditure plan requirement for US-VISIT is a congressional oversight mechanism aimed at ensuring that planned expenditures are justified, performance against plans is measured, and accountability for results is established. To the extent that the US- VISIT expenditure plan and related program documentation do not adequately disclose program information on what is to be accomplished by when and what it will cost to do so, Congress' ability to make informed US-VISIT investment decisions on the basis of justified expenditures and measured performance is restricted. The fiscal year 2006 expenditure plan, combined with other available program documentation and program officials' statements, does not provide sufficient justification for all planned US-VISIT expenditures, nor does it permit progress against program commitments to be adequately measured and disclosed. Although three of the six stated legislative conditions for the expenditure plan are fully satisfied, the other three have gaps that, while they are intended to be addressed in the future, limit DHS's ability to manage the program today. Moreover, four of our six prior recommendations aimed at fully defining and disclosing program commitments and managing for results have been only partially implemented and completed. Compounding these issues is the lack of definition and disclosure of key aspects of US-VISIT's future. In particular, the program's long- term strategy and vision have remained unknown because DHS has yet to approve the US-VISIT strategic plan. Equally unknown at this time is a viable exit solution and the relationships among US-VISIT and other recent border security and immigration enforcement programs, such as the Secure Border Initiative. The absence of definition and clarity in these areas is significant because US-VISIT's ability to meet its strategic goals depends in large part on these key aspects. Notwithstanding this lack of definition, disclosure, and thus certainty about the justification for planned expenditures and the ability to measure performance and results, US-VISIT program management costs have risen sharply without any accompanying explanation for the reasons. Compounding these problems is that critical areas of program management, such as acquisition management, are also largely undefined in terms of when and at what costs improvements can be expected. Overall, the US-VISIT fiscal year 2006 expenditure plan and other available program documentation do not provide a sufficient basis for Congress to exercise effective oversight of the program and to hold DHS accountable for results. For proper oversight and accountability to occur, it is essential that DHS increase US-VISIT program transparency and accountability by (1) justifying planned investments on the basis of adequate definition and disclosure of planned expenditures, timelines, capabilities, and benefits and (2) effectively measuring and reporting progress against each investment. Recommendations for Executive Action: To ensure that US-VISIT is better defined and justified and that our prior recommendations aimed at instilling greater results-oriented performance management and accountability in the program are fully implemented, we recommend that the Secretary of DHS direct the US-VISIT Acting Program Director to take the following four actions: * Report regularly to the Secretary and to the DHS authorization and appropriations committees on the range of program risks associated with not having fully satisfied all expenditure plan legislative conditions, reasons why they were not satisfied, and steps being taken to mitigate these risks. * Limit planned expenditures for exit pilots and demonstration projects until such investments are economically justified and until each investment has a well-defined evaluation plan. The projects should be justified on the basis of costs, benefits, and risks, and the evaluation plans should define what is to be achieved and should include a plan of action and milestones and measures for demonstrating achievement of pilot and project goals and desired outcomes. * Work with the DHS Enterprise Architecture Board to identify and mitigate program risks associated with investing in new US-VISIT capabilities in the absence of a DHS-wide operational and technological context for the program. These risks should reflect the absence of fully defined relationships and dependencies with related border security and immigration enforcement programs. * Limit planned expenditures for program management-related activities until such investments are economically justified and have well-defined plans detailing what is to be achieved, include a plan of action and milestones, and should include measures for demonstrating progress and achievement of desired outcomes. The investments should be justified on the basis of costs, benefits, and risks. Agency Comments: In written comments on a draft of this report, signed by the Director, Departmental GAO/IG Liaison Office (reprinted in app. II), DHS agreed with our findings and recommendations and described actions taken or under way to address them. DHS also provided technical comments, which we have incorporated into our report as appropriate. We are sending copies of this report to the Chairmen and Ranking Minority Members of other Senate and House committees and subcommittees that have authorization and oversight responsibilities for homeland security. We are also sending copies to the Secretary of Homeland Security, Secretary of State, and the Director of OMB. Copies of this report will also be available at no charge on our Web site at [Hyperlink, http://www.gao.gov]. If you or your staffs have any questions on matters discussed in this report, please contact me at (202) 512-3439 or at hiter@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who have made significant contributions to this report are listed in appendix III. Signed by: Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: [End of section] Appendix I: Briefing to the Staffs of the Subcommittees on Homeland Security, Senate and House Committees on Appropriations: Homeland Security: Planned Expenditures for U.S. Visitor and Immigrant Status Program Need to Be Adequately Defined and Justified: Briefing to the Staffs of the Subcommittees on Homeland Security Senate and House Committees on Appropriations: November 13, 2006: Briefing Overview: Introduction: Objectives: Results in Brief: Background: Results: * Legislative Conditions: * Status of Open Recommendations: * Observations: Conclusions: Recommendations for Executive Action: Attachment 1. Scope and Methodology: Attachment 2. Related Products List: Attachment 3. Detailed Description of US-VISIT Program Office: Attachment 4. Detailed Description of Increments and Component Systems: Introduction: The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program of the Department of Homeland Security (DHS) is a governmentwide program to collect, maintain, and share information on foreign nationals. The goals of US-VISIT are to: enhance the security of U.S. citizens and visitors, facilitate legitimate travel and trade, ensure the integrity of the U.S. immigration system, and: protect the privacy of our visitors. The US-VISIT program involves the interdependent application of people, processes, technology, and facilities. [See PDF for image] Sources: GAO analysis of US-VISIT data, Nova Development Corp. (clipart). [End of figure] The Department of Homeland Security Appropriations Act, 2006[Footnote 5], states that DHS may not obligate $159,658,000 of the $340 million[Footnote 6] appropriated for the US-VISIT project until the Senate and House Committees on Appropriations receive and approve a plan for expenditure that: meets the capital planning and investment control review requirements established by the Office of Management and Budget (OMB), including Circular A-11, part 7[Footnote 7]; complies with DHS's enterprise architecture; complies with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government; includes a certification by the DHS Chief Information Officer that an independent verification and validation agent is currently under contract for the project; is reviewed and approved by the DHS Investment Review Board (IRB), the Secretary of Homeland Security, and OMB; and: is reviewed by GAO. On August 10, 2006, DHS submitted its fiscal year 2006 expenditure plan for $336.6 million to the House and Senate Appropriations Subcommittees on Homeland Security. Objectives: Our objectives were to: 1. determine whether the US-VISIT fiscal year 2006 expenditure plan satisfies the legislative conditions, 2. determine the status of the six open recommendations pertaining to the US-VISIT expenditure plan,[Footnote 8] and: 3. provide observations about the expenditure plan and management of the program. We conducted our work at US-VISIT offices in Arlington, Virginia from August 2006 through November 2006 in accordance with generally accepted government auditing standards. Details of our scope and methodology are described in attachment 1. Results in Brief: Objective 1 Legislative Conditions: Fiscal Year 2006 US-VISIT Expenditure Plan's Satisfaction of Legislative Conditions: Legislative conditions: Meets the capital planning and investment control review requirements established by OMB, including OMB A-11, part 7; Partially satisfies[A]: X; Satisfies[B]: Empty]. Legislative conditions: Complies with the DHS enterprise architecture; Partially satisfies[A]: X; Satisfies[B]: [Empty]. Legislative conditions: Complies with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government; Partially satisfies[A]: X; Satisfies[B]: [Empty]. Legislative conditions: Includes a certification by the DHS Chief Information Officer that an independent verification and validation agent is currently under contract for the program; Partially satisfies[A]: [Empty]; Satisfies[B]: X. Legislative conditions: Is reviewed and approved by the DHS IRB, the Secretary of Homeland Security, and OMB; Partially satisfies[A]: [Empty]; Satisfies[B]: X. Legislative conditions: Is reviewed by GAO; Partially satisfies[A]: [Empty]; Satisfies[B]: X. Source: GAO. [A] Satisfies or provides for satisfying some, but not all, key aspects of the condition that we reviewed. [B] Satisfies or provides for satisfying every aspect of the condition that we reviewed. [End of table] Results in Brief: Objective 2 Open Recommendations: Status of Actions to Implement Open Recommendations Specific to the Expenditure Plan: Partially; completed. Open recommendations: Ensure that future expenditure plans are provided to the department's House and Senate Appropriations Subcommittees on Homeland Security in advance of US-VISIT funds being obligated; Partially complete[C]: [Empty]; Complete[D]: x. Open recommendations: Ensure that all future US-VISIT expenditure plans identify and disclose management reserve funding; Partially complete[C]: [Empty]; Complete[D]: x. Open recommendations: Ensure that future expenditure plans fully disclose how the US-VISIT acquisition is being managed; Partially complete[C]: X; Complete[D]: [Empty]. Develop a plan for implementing all our open recommendations and report on this progress, including reasons for delays, in all future US-VISIT expenditure plans; Partially complete[C]: X; Complete[D]: [Empty]. Open recommendations: Ensure that future expenditure plans fully disclose US-VISIT system capabilities, schedule, cost, and benefits to be delivered; Partially complete[C]: X; Complete[D]: [Empty]. Fully and explicitly disclose in all future expenditure plans how well DHS is progressing against the commitments that it made in prior expenditure plans; Partially complete[C]: X; Complete[D]: [Empty]. Source: GAO. [C] A recommendation is partially complete when documentation indicates that some, but not all, actions needed to implement it have been taken. [D] A recommendation is complete when documentation demonstrates that it had been fully addressed. [End of table] Results in Brief: Objective 3: Observation Summary: DHS has not adequately defined and justified its proposed fiscal year 2006 expenditures in exit pilots and demonstration projects. Without adequately defining and justifying exit pilot investments, it is unclear that they will produce value commensurate with costs and risks. DHS has yet to define and justify US-VISIT within an enterprisewide operational and technological context that includes explicitly defined linkages and dependencies with related border security and immigration enforcement initiatives. Without such context, US-VISIT runs the risk of being defined and implemented in a way that suboptimizes DHS-wide performance and results. DHS has not adequately disclosed and justified its investment in and the scope and nature of US-VISIT program management-related fiscal year 2006 expenditures. Without disclosing and justifying its proposed investment in program management-related efforts, it is unclear whether such a large increase in spending represents the best use of limited resources. Results in Brief: Recommendations and Agency Comments: To ensure that US-VISIT is better defined and justified, we made recommendations to the DHS Secretary aimed at increasing satisfaction of the legislative conditions, limiting investment in exit pilots and projects until certain activities have been completed, reducing risks associated with the lack of operational and technological context for the program and limiting investment in program management-related activities until certain steps have been taken. In commenting on a draft of this briefing, US-VISIT program officials including the Acting Director, agreed with our findings, and said that our conclusions and recommendations were fair. Background US-VISIT Overview: The US-VISIT program is a multi-agency effort intended to enhance the security of U.S. citizens and visitors, facilitate legitimate travel and trade, ensure the integrity of the U.S. immigration system, and protect the privacy of our visitors. US-VISIT is to accomplish these things by: collecting, maintaining, and sharing information on certain foreign nationals who enter and exit the United States; identifying foreign nationals who (1) have overstayed or violated the terms of their admission; (2) can receive, extend, or adjust their immigration status; or (3) should be apprehended or detained by law enforcement officials; detecting fraudulent travel documents, verifying traveler identity, and determining traveler admissibility through the use of biometrics; and: facilitating information sharing and coordination within the immigration and border management community. US-VISIT Program Office: Organizational Structure and Functional Responsibilities[Footnote 9] [See PDF for image] Source: US-VISIT. [End of figure] Background: Acquisition Strategy: DHS plans to deliver US-VISIT capability in four major increments. Increments 1 through 3 are interim, or temporary, solutions that focus on building interfaces among existing (legacy) systems; enhancing the capabilities of these systems; deploying these systems to air, sea, and land ports of entry (POEs); and modifying POE facilities. These increments largely involve placing task orders against existing contracts. Increment 4 is to be a series of incremental releases, or mission capability enhancements, that are to deliver long-term strategic capabilities for meeting program goals. In May 2004, DHS awarded an indefinite-delivery/indefinite- quantity[Footnote 10] prime contract to Accenture and its partners for, among other things, delivering Increment 4.[FOOTNOTE 11] Background: Description and Status of Increments: Increment 1: Increment 1 was intended to establish entry and exit capabilities at air and sea POEs by December 31, 2003. Increment 1 air and sea entry capabilities were deployed on January 5, 2004 at 115 airports and 14 seaports for individuals requiring nonimmigrant visas to enter the United States.[Footnote 12] These capabilities include the collection and matching of biographic information, biometric data (two digital index finger scans) and a digital photograph for selected foreign nationals. An Increment 1 air and sea exit device for collecting biometric data was deployed to one airport and one seaport in January 2004 on a pilot basis. Subsequently, this pilot was expanded to 12 airports and 2 seaports and several exit alternatives, including: Enhanced kiosk - A self-service device (includes a multi-lingual, touch- screen interface, document scanner, finger scanner, digital camera, and receipt printer) that captures a digital photograph and fingerprint and prints out an encoded receipt. Mobile device - A hand-held device operated by a workstation attendant[Footnote 13] (includes a document scanner, finger scanner, digital camera, and receipt printer) that captures a digital photograph and fingerprint. Validator - A hand-held device operated by a workstation attendant that captures a digital photograph and fingerprint and then matches the captured photograph and fingerprint to the ones originally captured via the kiosk and encoded in the receipt. This pilot was completed in May 2005; it established the technical feasibility of a biometric exit solution at air and sea POEs. However, it identified issues that limited the operational effectiveness of the solution. The fiscal year 2006 expenditure plan allocated $33.5 million for air and sea exit pilots. According to program officials, they are now developing a plan for deploying a comprehensive, affordable exit solution; no time frame has been established for this plan being approved. Meanwhile, US-VISIT plans to conduct a second pilot phase at air and sea POEs that will involve multiple operational scenarios, such as: * repositioning the kiosks, * integrating biometric exit into airport check-in processes, * integrating biometric exit into existing airline processes, integrating biometric exit into Transportation Security Administration screening checkpoints, and: * enhancing the use of Immigration and Customs Enforcement programs intended for enforcement, such as screening of targeted flights at selected airports. Increment 2: Increment 2 was originally to extend US-VISIT entry and exit capabilities to the 50 busiest land POEs by December 31, 2004. Subsequently, the increment was divided into three parts-2A, 213, and 2C. * Increment 2A was to establish the entry capability at land, sea, and air POEs to biometrically authenticate machine-readable visas and other travel and entry documents issued by Department of State (State) and DHS to foreign nationals by October 26, 2005.[Footnote 14] It was also to enable DHS and State to read biometrically enabled passports from visa waiver countries (e-Passports) by October 26, 2006.[Footnote 15] The capability to authenticate machine-readable visas and other travel and entry documents issued by State and DHS was deployed to all POEs on October 23, 2005. The capability to read e-Passports was deployed to 24 POEs on October 26, 2006, and is to be deployed to an additional 9 POEs by November 14, 2006. According to DHS, these 33 POEs account for about 97 percent of all travelers who enter the country with e-Passports. Remaining POEs are to receive equipment over the subsequent months. The fiscal year 2006 expenditure plan allocates $15.4 million to Increment 2A. * Increment 213 was to include extending the Increment 1 entry solution to the 50 busiest land POEs, including redesigning the process for issuing a handwritten Form I-94[Footnote 16] to enable the electronic capture of biographic, biometric (unless the traveler is exempt),[Footnote 17] and related travel documentation for arriving travelers in secondary inspection. This capability was deployed to the 50 busiest land POEs as of December 29, 2004. Increment 2C was to demonstrate the feasibility of using passive radio frequency identification (RFID) technology[Footnote 18] to record travelers' entry and exit via a unique ID number tag embedded in the Form I-94 and to provide the Customs and Border Protection (CBP) officers in pedestrian lanes with biographic, biometric, and watch list data. The pilot is currently deployed at five land POEs and includes two proof-of-concept phases. * The proof-of-concept was initiated in August 2005, and initial results were reported in January 2006. These results showed that there were problems that would affect the ability to implement an RFID land border solution. This was subsequently termed Phase 1 and is still ongoing, using $21.5 million in funds carried over from fiscal year 2005. * Phase 2 of the proof-of-concept is to begin in April 2007. The plan for Phase 2 states that it will expand Phase 1 by providing CBP officers in both pedestrian and vehicle lanes with additional biographic, biometric, and watch list data to determine a traveler's admissibility. After Phase 2 is completed, next steps in deploying this capability to land POEs are to be determined. According to the US-VISIT Director of Implementation, the schedule for completing Increment 2C has not yet been determined. Increment 3: Increment 3 was to extend Increment 213 entry capabilities to 104 land POEs by December 31, 2005. It was essentially completed as of December 19, 2005.[Footnote 19] Increment 4: The fiscal year 2005 and preceding year expenditure plans have described Increment 4 as the yet-to-be-defined, strategic solution for the US-VISIT program. Program officials stated in 2005 that Increment 4 would likely consist of a series of releases that provided a range of capability enhancements to support an overall DHS vision for immigration and border management operations. The fiscal year 2005 US- VISIT expenditure plan included $21 million for these activities, including improved immigration and border management identity and verification; improved cooperation across federal, state, and local agencies through improved access to foreign national data; and enhanced communications, management, and collaboration across the border management community. The fiscal year 2006 expenditure plan defines Increment 4 to be US- VISIT's migration to the use of 10 fingerprints in identifying an individual and the development of interoperability between US-VISIT's Automated Biometric Identification System (IDENT) and the Federal Bureau of Investigation's Integrated Automated Fingerprint Identification System (IAFIS). The fiscal year 2006 plan allocates $44.5 million to these activities, including evaluation and testing of industry prototypes for a new 10- fingerprint scanner, associated facilities and engineering support, and related modifications to the systems used to store the fingerprint data and conduct fingerprint scan matches. In addition, an interim Data Sharing Model has been deployed as an interim solution to increase the biometric data shared between agencies, establish information sharing processes following a positive biometric identification, and to establish cooperative strategies for full information sharing. According to the Director of Implementation, Increment 4 is further defined in the US-VISIT Strategic Plan. However, the Acting Program Director told us that this plan has not yet been approved and thus has not been released. Background: Increments 1, 2B and 3 Systems Overview[Footnote 20] Systems Diagram of US-VISIT for Increment 1 (air and sea entry) and Increments 213 and 3 (land entry): [See PDF for image] Sources: GAO analysis of US-VISIT data, Nova Development Corp. (clipart). [End of figure] Background: Increments 1 B and 2C Systems Overview[Footnote 21] Systems Diagram of US-VISIT Increment 1 B (air and sea exit) and Increment 2C (land entry and exit): [See PDF for image] Source: GAO analysis of US-VISIT data. [End of figure] Background: Chronology of Expenditure Plans: Fiscal year: 2002; Date submitted: 11/15/2002; Funds appropriated: $13,300,000; Funds requested: $13,300,000; Funds released to date: $13,300,000. Fiscal year: 2003; Date submitted: 06/05/2003; Funds appropriated: $362,000,000; Funds requested: $375,000,000; Funds released to date: $367,000,000[Footnote 22]. Fiscal year: 2004; Date submitted: 01/ 27/2004; Funds appropriated: $330,000,000; Funds requested: $330,000,000; Funds released to date: $330,000,000. Fiscal year: 2005; Date submitted: 10/19/2004; Funds appropriated: $340,000,000; Funds requested: $340,000,000; Funds released to date: $340,000,000. Fiscal year: 2006; Date submitted: 08/10/2006; Funds appropriated: $336,600,000; Funds requested: $336,600,000; Funds released to date: $178,540,000. Fiscal year: 2007; Date submitted: TBD; Funds appropriated: $362,494,000; Funds requested: TBD; Funds released to date: $162,494,000. Total; Funds appropriated: $1,744,394,000; Funds requested: $1,394,900,000; Funds released to date: $1,391,334,000. [End of table] Background: Summary of 2006 Expenditure Plan: Area of expenditure (see next slides for descriptions): Increment 1 - Entry/exit (air and sea POEs); Amount: $33,500,000. Area of expenditure (see next slides for descriptions): Increment 2A - U.S. travel documents issued to non-citizens and e- Passports; Amount: 15,400,000. Area of expenditure (see next slides for descriptions): Increment 2B - Entry/land border - 50 busiest POEs; Amount: 0. Area of expenditure (see next slides for descriptions): Increment 2C - Automated ID (RFID) - land border POEs; Amount: 0. Area of expenditure (see next slides for descriptions): Increment 3 - Entry/remaining land border POEs; Amount: 0. Area of expenditure (see next slides for descriptions): Increment 4 - Modernization and expansion of systems and capabilities; Amount: 44,500,000. Area of expenditure (see next slides for descriptions): Operations and maintenance (increments 1-3); Amount: 104,200,000. Area of expenditure (see next slides for descriptions): Program management and operations - government; Amount: 37,000,000. Area of expenditure (see next slides for descriptions): Program management and operations - contractor support; Amount: 89,000,000. Area of expenditure (see next slides for descriptions): Management reserve; Amount: 13,000,000. Total; Amount: $336,600,000. Source: GAO, based on an analysis of DHS data. [End of table] Increment 1 - Entry/exit: Includes continued testing of deployment options for the implementation of an exit screening program at air, sea, and land ports, as well as supporting the current 14 POEs where the exit pilots are in place. Increment 2A - U.S. travel documents issued to non-citizens and e- Passports: Includes continued systems design, development, testing, procurement, and deployment of e-Passport readers. Increment 4 - Modernization and expansion of systems and capabilities: Includes implementing the 10-fingerprint scanners; related systems interoperability; associated facilities and engineering support; and systems architecture, engineering and integration, and design. Operations and maintenance: Includes operations and maintenance of Increment 1, 2, and 3 systems, including technical, application, system, network, and infrastructure support costs. Program management and operations - government: Includes the government salaries and benefits for 115 government program office positions necessary to manage and operate the program, including relocation costs, personnel security checks, and training. Program management and operations - contractor support: Includes the program office support contractors. Management reserve: Includes funds allocated to accommodate unknown timing and magnitude of risks. Objective 1: Legislative Conditions Condition 1: The US-VISIT expenditure plan, related program documentation, and program officials' statements satisfies or provides for satisfying (in part or total) each of the legislative conditions. Condition 1. The plan, including related program documentation and program officials' statements, partially satisfies or provides for satisfying the capital planning and investment control review requirements established by OMB, including OMB Circular A-11, part 7, which establishes policy for planning, budgeting, acquisition, and management of federal capital assets. The table that follows provides examples of the results of our analysis, including areas in which the A-11 requirements have been and have yet to be fully satisfied, as well as an area in which we have ongoing work to more closely examine the quality of program documentation and practices. Given that the A-11 requirements are intended to minimize a program's exposure to risk, permit performance measurement and oversight, and promote accountability, any areas in which the program falls short of the requirements reduce the chances of delivering cost-effective capabilities and measurable results on time and within budget. Objective 1: Legislative Conditions Condition 1: Examples of A-11 Conditions: Provide a brief description of the investment and its status in the capital planning and investment control review, including major assumptions made about the investment; Results of our analysis: The expenditure plan and other documentation provide a description of the US-VISIT investment and its status in the DHS capital planning and investment control process. In particular, US- VISIT is in the capability development and demonstration phase of the process, having received IRB approval in August 2004 to begin this phase. According to program officials, they have followed DHS’s evolving capital planning and investment control process and will continue to do so. Further, the plan and related documents identify program assumptions. For example, the OMB exhibit 300 submission states that existing systems and processes do not enable a unified entry and exit decision support workflow supported by interoperable systems. Examples of A-11 Conditions: Provide a summary of the investment’s risk assessment, including how 19 OMB-identified risk elements are being addressed; Results of our analysis: The US-VISIT Enterprise Risk Assessment was approved in December 2005. It identified an inventory of risks, including the likelihood of occurrence, and the potential impact and recommended controls for each. The Risk Management Plan, which was approved in September 2005, is being updated and the new plan is due in early 2007. Risks are monitored monthly by program management and stakeholders. Both the OMB exhibit 300 budget submission and the Risk Management Plan address the 19 risk elements required by OMB. Examples of A-11 Conditions: Demonstrates that the investment is included in the agency’s enterprise architecture and capital planning and investment control process. Illustrates agency’s capability to align the investment to the Federal Enterprise Architecture (FEA); Results of our analysis: The plan does not describe US-VISIT’s activities in regard to the DHS enterprise architecture. Moreover, the most recent review of program compliance with the DHS enterprise architecture was in August 2004 and since then, both US-VISIT and the DHS architecture have changed. With regard to the FEA, the US-VISIT Exhibit 300 budget submission states that the US-VISIT program is included in the DHS enterprise architecture, and contains tables that satisfy OMB’s requirement for listing the FEA business areas, lines, and sub-functions supported, FEA service domains, types, and components supported, and FEA technical service areas, categories, and standards supported. US-VISIT’s architecture alignment is discussed further under the legislative condition 2 section of this briefing. With respect to the CPIC process, and as noted above, US-VISIT is in the capability development and demonstration phase in DHS’ capital planning and investment control review process, and we were told that an IRB review, to include architectural alignment, is scheduled for November 2006. Examples of A-11 Conditions: Provides a description of an investment's security and privacy issues. Summarizes the agency's ability to manage security at the system or application level. Demonstrates compliance with the certification and accreditation processes, as well as the mitigation of IT security weaknesses; Results of our analysis: As we previously reported, US-VISIT’s 2004 security plan and privacy impact assessments generally satisfied OMB and the National Institute of Standards and Technology security guidance. Further, the expenditure plan states that all of the US-VISIT component systems have been certified and accredited and given full authority to operate. However, the 2004 security plan preceded the US- VISIT risk assessment, which was not completed until December 2005, and the security plan was not updated to reflect this risk assessment. According to US-VISIT officials, they intend to develop a security strategy by the end of 2006 that reflects the risk assessment. Additionally, we previously reported that issues raised in the privacy impact assessment had not been fully addressed in system documentation. We have ongoing work to evaluate the quality of the US- VISIT security and privacy documents and practices. Examples of A-11 Conditions: Provides a summary of the investment’s status in accomplishing baseline cost and schedule goals through the use of an earned value management (EVM) system or operational analysis, depending on the life-cycle stage; Results of our analysis: The program is currently relying on the prime contractor’s EVM system to manage the prime contractor’s progress against cost and schedule goals and the fiscal year 2006 expenditure plan states that the program office assessed the prime contractor’s EVM system against relevant standards in early fiscal year 2006. However, this EVM system was self-certified by the prime in December 2003 as meeting established standards, and OMB requires that agencies verify contractor self-certifications. The program office has yet to do this, although program officials told us that they plan to retain the services of another contractor to perform this validation. Further, our review of the integrated baseline review, which agencies are required by OMB to complete to ensure that the EVM program baseline is accurate, showed that this baseline review did not address key baseline considerations, such as cost and schedule risks. The fiscal year 2006 expenditure plan also states that all US-VISIT contractors will be required to perform EVM. According to US-VISIT officials, this requirement will be met in accordance with DHS guidelines, for all contracts after October 1, 2006. Source: OMB criteria and GAO analysis of DHS documentation. [End of table] Objective 1: Legislative Conditions Condition 2: Condition 2. The plan, including related program documentation and program officials' statements, partially provides for satisfying the condition that it comply with DHS's enterprise architecture (EA). According to federal guidelines and best practices, investment compliance with an EA is essential for ensuring that an organization's investment in new and existing systems is defined, designed, and implemented in a way that promotes integration and interoperability and minimizes overlap and redundancy, thus optimizing enterprisewide efficiency and effectiveness. A compliance determination is not a one- time event that occurs when an investment begins, but is, rather, a series of determinations that occur throughout an investment's life cycle as changes to both the EA and the investment's architecture are made. The DHS Enterprise Architecture Board, supported by the Enterprise Architecture Center of Excellence, is responsible for ensuring that projects demonstrate adequate technical and strategic compliance with the department's EA. The DHS Enterprise Architecture Board has not reviewed US-VISIT architecture compliance for more than 2 years. Specifically, in August 2004, this board reviewed US-VISIT's architectural alignment with some aspects of the DHS EA, and it recommended that US-VISIT be given conditional approval to proceed.[Footnote 23] As we previously reported,[Footnote 24] this August 2004 architectural compliance determination did not fully satisfy the legislative condition for several reasons. DHS's determination was based on version 1.0 of the EA, which was missing, in part or in whole, all the key elements expected in a well- defined architecture, such as a description of business processes, information flows among these processes, and security rules associated with the information flows. DHS did not provide sufficient documentation to allow us to understand the methodology and criteria for architecture compliance or to verify analysis justifying the conditional approval. Since August 2004, both US-VISIT and the EA have changed. For example, additional functionality, such as the IDENT/IAFIS interoperability and expansion of DENT to collect ten rather than two prints, has been added. Also, two new versions of the DHS EA have been issued since August 2004. In the absence of an architecture compliance review over the past 2 years, US-VISIT officials told us they have taken other steps to maintain compliance. These steps include: submitting their technical baseline of existing hardware and software to the EA Center for Excellence for inclusion in the DHS EA; submitting technology insertion requests for new equipment planned for US-VISIT, such as RFID technology, to the EA Center of Excellence to be reviewed for compliance and inclusion in the DHS EA, and: documenting US-VISIT alignment with the business and services models of the Federal Enterprise Architecture (FEA) reference models. In addition, US-VISIT officials told us that they recently requested an alignment review for November 2006. According to them, 2 years have passed since the last review because they were waiting until changes to DHS's capital planning and investment control process were complete before seeking a review. US-VISIT officials said that key alignment efforts since the last architecture compliance review are documented in the program's fiscal year 2007 Exhibit 300 budget submission. Specifically, it included: tables listing the FEA business, service, and technical reference model components that US-VISIT supports, a discussion of issues regarding data used or planned for use in US- VISIT, including data types, sources, limitations, and privacy concerns, including the recognition that US-VISIT's data have not been fully defined, and: a commitment to develop a strategy for maintaining future alignment with the DHS EA. Until DHS demonstrates, through verifiable documentation and methodologically-based analysis, that US-VISIT is aligned with a well- defined DHS enterprise architecture, the program will remain at risk of being defined and implemented in a way that does not support optimized departmentwide operations, performance, and achievement of strategic goals and outcomes. Objective 1: Legislative Conditions Condition 3: Condition 3. The plan, including related program documentation and program officials' statements, partially provides for satisfying the condition that it comply with the acquisition rules, requirements, guidelines, and systems acquisition management practices of the federal government. Federal acquisition rules, requirements, guidelines, and management practices provide an acquisition management framework that is based on the use of rigorous and disciplined processes for planning, managing, and controlling the acquisition of IT resources.[Footnote 25] These acquisition management processes are embodied in published best practices models, such as the Software Engineering Institute (SEI) Capability Maturity Models®. These models explicitly define, among other things, acquisition process management controls that are recognized hallmarks of successful organizations and that, if implemented effectively, can greatly increase the chances of acquiring software-intensive systems that provide promised capabilities on time and within budget. We reported in September 2003[Footnote 26] that the program office had not defined key acquisition management controls to support the acquisition of US- VISIT, and therefore its efforts to acquire, deploy, operate, and maintain system capabilities were at risk of not meeting system requirements and benefit expectations on time and within budget. Subsequently, the program adopted the SEI Capability Maturity Model Integration[Footnote 27] (CMMI®) to guide its efforts to employ effective acquisition management practices and approved an acquisition management process improvement plan dated May 16, 2005. This plan is divided into two parts: * Phase 1 (2005-2006): The goal for this phase was to achieve a CMMI® level 2 capability rating from SEI by October 2006. To accomplish this, the program was to, among other things, define a strategy to implement acquisition management process improvements, establish a process improvement infrastructure (management steering group, enterprise process group, and process action teams), and conduct an independent CMMI® level 2 appraisal. * Phase 2 (2007-2011): The goals of this phase are to lower program costs and acquisition risks, shorten increment and overall schedules, reduce costs, and deliver better performing, higher quality products. To accomplish this, the program intends to build on the October 2006 appraisal and address improvement opportunities, establish future organizational process improvement goals, and leverage and institutionalize processes and improvement activities across the program. In September 2005, US-VISIT completed an initial assessment of 13 key acquisition process areas, and this assessment revealed a number of weaknesses across the areas. In light of this, US-VISIT updated its acquisition management process improvement plan. According to the update, while the program had implemented some of the required practices, many other practices were not being performed to the extent required by CMMI. Accordingly, the updated plan adopted a 2-year focus as follows. 2006: The update narrows the scope of the process improvement activities in this year to six of the CMMI process areas--project planning, project monitoring and control, requirements management, risk management, configuration management, and product and process quality assurance--and focuses on two US-VISIT projects--Increment 2A and Unique Identity. According to the update, the 2006 goal is to enhance capabilities in those six process areas in order to conduct an independent CMMI assessment in October 2006. 2007: The update provides for addressing the weaknesses found in the October 2006 assessment plus two additional process areas related to CMMI level 2 (supplier agreement management, and measurement and analysis). Further, the update states that the program will look for any additional CMMI level 2 and 3 process areas that would be beneficial and affordable. These efforts are to be complete by October 2007. In May 2006, the program conducted a second internal assessment of the six key process areas. According to the results of this assessment, improvements were made, but weaknesses remained in all six. Among the cited weaknesses are: A number of key acquisition management documents were not adequately prepared and processes were not sufficiently defined, including those related to systems development, budget and finance, facilities, and strategic planning (e.g., product work flow among organizational units was unclear and not documented, and roles, responsibilities, and assignments for performing work tasks and activities were not adequately defined and documented). Policies, process descriptions, and templates were lacking for requirements development and management. Roles, responsibilities, work products, expectations, resources, and accountability of external stakeholder organizations were not well defined. Evidence that the program management plan was used for managing the program was limited. Evidence that dependencies in its Integrated Master Plan/Integrated Master Schedule were complete, accurate, and validated was limited. Measurement controls were under development but were not yet complete. Because of the significance of these weaknesses, program officials recently decided to postpone indefinitely the planned October 2006 independent appraisal. Instead, they told us that they intend to perform quarterly internal assessments until the results show that they can pass an independent appraisal. A revised target date for the program's external appraisal has not been set. The program's readiness for an appraisal is to be reassessed by March 2007. Notwithstanding these weaknesses, program officials told us that their self-assessments show that they have made incremental progress in implementing the 113 practices associated with the six key process (see next slide). U.S. VISIT CMMI Status Number: [See PDF for image] Sources: GAO analysis of DHS data. [End of figure] The acquisition management weaknesses in the six key process areas are exacerbated by weaknesses in other process areas. For example, we recently reported[Footnote 28] that the US-VISIT contract tracking and oversight process suffers from a number of weaknesses. Specifically, the program had not effectively overseen US-VISIT-related contract work performed on its behalf by other DHS and non-DHS agencies, and these agencies did not always establish and implement the full range of controls associated with effective management of contractor activities. Further, neither the program office nor the other agencies had implemented effective financial controls.[Footnote 29] The program agreed with our recommendations for correcting these weaknesses and stated that steps were either under way or planned to implement them. US-VISIT officials attribute their slow progress to the magnitude of the effort needed to achieve CMMI® level 2 capabilities. Further, they said that there is a limit to the amount of change that the program can handle at one time. Until the program addresses these and other acquisition management weaknesses, it will remain at risk of not delivering cost-effective system applications and measurable results on time and on budget. Objective 1: Legislative Conditions Condition 4: Condition 4. The plan satisfies the condition that it include a certification by the DHS Chief Information Officer that an independent verification and validation agent is currently under contract for the project. On June 5, 2006, the DHS Deputy Chief Information Officer certified in writing that an independent verification and validation agent was under contract for US-VISIT. According to the certification memorandum: the agent is fully qualified and has demonstrated experience in conducting independent verification and validation activities for programs of comparable complexity; the agent's statement of work is clear with respect to expected tasks and is in full conformance with the applicable standard; and: the agent's technical approach is consistent with the statement of work. Objective 1: Legislative Conditions Condition 5: Condition 5. The plan, including related program documentation and program officials' statements, satisfies the requirement that it be reviewed and approved by the DHS IRB, the Secretary of Homeland Security, and OMB. * The DHS Deputy Secretary, who is also the chair of the I RB, approved the fiscal year 2006 expenditure plan on June 21, 2006, and: * OMB approved the plan on August 7, 2006. Objective 1: Legislative Conditions Condition 6: Condition 6. The plan satisfies the requirement that it be reviewed by GAO. Our review was completed on November 13, 2006. Objective 2: Open Recommendations Recommendation 1: The US-VISIT expenditure plan, related program documentation, and program officials' statements, address or provide for addressing (in part or total) each of our recommendations. Recommendation: Ensure that future expenditure plans are provided to DHS's House and Senate Appropriations Subcommittees on Homeland Security in advance of US-VISIT restricted funds being obligated. Status: Complete: The fiscal year 2006 Department of Homeland Security Appropriations Act provides $340 million in fiscal year 2006 funds for the US-VISIT program.[Footnote 30] In addition, the act states that $159,658,000 of this amount may not be obligated for US-VISIT until the Appropriations Committees receive and approve a plan that meets each of the previously cited legislative conditions. OMB subsequently instructed US-VISIT to reduce this number to $158,060,000, as part of the governmentwide budget rescission. On August 10, 2006, DHS provided its fiscal year 2006 expenditure plan to the Senate and House Appropriations Subcommittees on Homeland Security. As of September 30, 2006, the US-VISIT program reported that $77,992,260 of fiscal year 2006 funds had been obligated and that $98,741,239 had been expended, leaving an unobligated balance of $159,866,501. After application of the rescission, the unobligated balance is $1,806,501 greater than the original amount restricted from obligation by the appropriations legislation. As we recently reported, the system that US-VISIT uses to manage its finances (U.S. Immigration and Customs Enforcement's Federal Financial Management System (FFMS)) has reliability issues.[Footnote 31] In light of these issues, the US-VISIT Budget Office has begun tracking program obligations and expenditures separately using a spreadsheet and comparing this spreadsheet to the information in the FFMS. Based on a review of this spreadsheet, there is reasonable assurance that the US- VISIT obligations being reported by FFMS are accurate. This is the third consecutive expenditure plan that DHS has provided the House and Senate Appropriations Subcommittees on Homeland Security in advance of obligating restricted US-VISIT funds. Objective 2: Open Recommendations Recommendation 2: Recommendation: Ensure that all future US-VISIT expenditure plans identify and disclose management reserve funding. Status: Complete: The fiscal year 2006 expenditure plan specified management reserve funding of $13 million to accommodate unknown timing and magnitude of risk. This amount is about 3.9 percent of the 2006 plan's total funding. This is the third consecutive expenditure plan in which management reserve funding has been identified and disclosed. Objective 2: Open Recommendations Recommendation 3: Recommendation: Ensure that future expenditure plans fully disclose how the US-VISIT acquisition is being managed. Status: Partially complete: The 2006 expenditure plan describes a range of key acquisition management activities and control areas. These include: * governance and organizational structures, * human capital management, * stakeholder management, * test management, * system capacity management, * configuration management, and: * independent verification and validation. However, the plan's descriptions do not fully disclose challenges that the US-VISIT program faces in how it is managing acquisition activities, for example, it does not disclose the progress in addressing acquisition management weaknesses and achieving process maturity goals that is discussed in the legislative conditions section of this briefing. Objective 2: Open Recommendations Recommendation 4: Recommendation: Develop a plan, including explicit tasks and milestones, for implementing all our open recommendations and report progress against this plan, including reasons for delays, in all future US-VISIT expenditure plans. Status: Partially complete: The fiscal year 2006 expenditure plan lists most of our recommendations and describes DHS efforts to address them. However, the plan does not provide future tasks or milestones for more than half of our recommendations, and is missing four recommendations altogether. The missing recommendations are: Ensure that future expenditure plans are provided to DHS's House and Senate Appropriations Subcommittees on Homeland Security in advance of US-VISIT funds being obligated. Ensure that future expenditure plans fully disclose US-VISIT system capabilities, schedule, cost, and benefits to be delivered. Ensure that all future US-VISIT expenditure plans identify and disclose management reserve funding. Fully and explicitly disclose in all future expenditure plans how well DHS is progressing against the commitments that it made in prior expenditure plans. Objective 2: Open Recommendations Recommendation 5: Recommendation: Ensure that future expenditure plans fully disclose US- VISIT system capabilities, schedule, cost, and benefits to be delivered. Status: Partially complete: The fiscal year 2006 expenditure plan discloses some system capabilities, schedules, costs, and benefits, but important information to fully support congressional oversight and promote department accountability is missing. Capabilities: The fiscal year 2006 expenditure plan provides information relative to each increment. However, this information is largely in terms of general descriptions of activities to be performed, rather than capabilities to be delivered. Examples of such general descriptions are: * Increment 2A - Complete and execute test plans to support an international joint live operational test with Visa Waiver Program countries. * Increment 2C - Continue to develop, test, and integrate the US-VISIT systems that support the proof of concept. * Increment 3 - Upgrade land POE technology, infrastructure, and facilities. * Increment 4 - Continue to assure environmental compliance, traffic, and operational impact modeling, geospatial data development, power utilization studies, and special studies. Schedule: The fiscal year 2006 expenditure plan includes specific dates for some broadly defined planned capabilities. For example, the plan states that: * Increment 2A e-Passport reader deployment is scheduled for October 26, 2006. * The Increment 4 interim data sharing database is scheduled to be deployed on September 3, 2006. For other capabilities, no dates are provided. For example, the plan states that Increment 2C's proof of concept phase will be completed "in this fiscal year." Further, the plan does not provide a commitment date for completing the Increment 1 exit pilot at air and sea POEs, or for beginning deployment of an exit solution to the remaining POEs. Costs: The fiscal year 2006 plan identifies each increment's estimated costs and associates the estimated cost with fiscal year funding. In some cases, meaningful detail is given to understand how the funds will be used. However, in many cases, costs are not decomposed to a level that would permit such understanding and oversight. For example, the plan states that: * $33.5 million of fiscal year 2006 funds will be spent on Increment 1 to support air and sea exit pilots at 14 locations and to develop an exit plan; however, the funds are not allocated between the two activities. * $26.7 million of fiscal year 2006 funds will be spent on Increment 4 for 10-print transition and IDENT/IAFIS interoperability; however, the funds are not allocated between the two activities or to major tasks and products under each activity, such as the iDSM. Benefits: The fiscal year 2006 expenditure plan cites benefits associated with the increments. However, the benefits are very broadly stated. Examples of incremental benefits are as follows: * Increment 2A - Prevent terrorist attacks on the US. * Increment 2A - Ensure the integrity of immigration system. * Increment 2C - Improve the current ability to monitor overstays. * Increment 2C - Protect the privacy of travelers. * Increment 2C - Help to address the Western Hemisphere Travel Initiative. * Increment 4 - Give law enforcement and immigration officials access to crucial information. The plan also separately describes US-VISIT performance measures. Specifically, it cites seven performance measures and provides the actual fiscal year 2005 performance data for each. Examples of performance measures include: ratio of adverse actions to total biometric watch list hits at POEs and: number of biometric watch list hits for visa applicants processed at consular offices. However, the plan does not include fiscal year 2006 performance targets for three of the seven performance measures. Moreover, the plan does not explicitly link these measures to program benefits. Finally, the plan does not include any measures related to exit processing, even though the plan's stated goals and cited benefits include immigration system integrity, which requires an effective exit processing capability. Program officials told us that they face challenges in measuring accrual of benefits. Specifically, Performance measures are limited to items for which they have performance data, and such data is spotty. As a result, not all benefits associated with program increments have performance measures. As additional system capabilities are implemented, such as 10- fingerprint scanning and IDENT/IAFIS interoperability, program officials said that they will develop additional performance measures. Not all US-VISIT performance data are reliable. As a result, the program has created a Data Integrity Group to improve data completeness, accuracy, and currency. Not all performance measures are under the control of the US-VISIT program because US-VISIT is a collection of different systems that are managed by different organizational entities. As a first step towards addressing this problem, US-VISIT recently began working with Customs and Border Protection to develop performance measures that go beyond US- VISIT to include other aspects of the nation's immigration system. According to program officials, this effort was initiated in September 2006; timeframes for completing it have not been established. According to program officials, some US-VISIT performance measures were excluded from the expenditure plan. The US-VISIT program has developed a quarterly performance measures report that includes all externally reported performance measures, the fiscal year 2005 performance baselines, the fiscal year 2006 targets, and the actual performance during fiscal year 2006 by quarter. The program officials also stated that this report has been provided to congressional committees. Objective 2: Open Recommendations Recommendation 6: Recommendation: Fully and explicitly disclose in all future expenditure plans how well DHS is progressing against the commitments that it made in prior expenditure plans. Status: Partially complete: The fiscal year 2006 expenditure plan describes progress against some, but not all, commitments in the fiscal year 2005 expenditure plan, and thus does not provide sufficient disclosure of program performance to support congressional oversight and promote department accountability. Capabilities: The expenditure plan describes progress in achieving some system capabilities. For example, the fiscal year 2005 expenditure plan committed to implementing entry functionality at the remaining 115 land POEs as part of Increment 3. The fiscal year 2006 plan reported that this capability was deployed to 105 POEs, and explained that the remaining 10 POEs did not receive this functionality because they do not process travelers who are subject to US-VISIT, or they are not capable of supporting the necessary US-VISIT infrastructure (e.g., do not have the telecommunications infrastructure needed for US-VISIT). However, progress made against a number of other important capability commitments is not fully and explicitly disclosed. For example, the 2005 expenditure plan stated that the prime contractor would begin integrating the long-term Increment 4 strategy into the interim US- VISIT system's environment and the overall DHS enterprise architecture, and that US-VISIT and the prime contractor would work with the stakeholder community to identify opportunities for delivery of long- term capabilities under Increment 4. However, the fiscal year 2006 plan does not discuss progress or accomplishments relative to these commitments. Schedule: The expenditure plan identifies progress in meeting most of the schedule commitments. For example, the fiscal year 2005 plan committed to providing all POEs with the capability to allow comparison of biometric travel documents (e-Passports) by October 26, 2005. The fiscal year 2006 expenditure plan discusses how this deadline was moved by legislation to October 26, 2006. However, progress against schedule commitments is not addressed in all cases. For example, the 2005 expenditure plan committed to begin deploying the most effective exit alternative for capturing biometrics at air and sea POEs during fiscal year 2005. In contrast, the 2006 expenditure plan states that the exit pilots will continue throughout fiscal year 2006 and does not address whether the fiscal year 2005 schedule deployment commitment was met. Costs: The expenditure plan cites progress against some cost commitments relative to US-VISIT increments. For example, the fiscal year 2006 plan states that: $33.1 million of the $54.8 million estimated cost for Increment 2C in fiscal year 2005 was expended or obligated during that fiscal year, and $21.7 million was carried over to fiscal year 2006 and: all of the $21.4 million cost estimate for Increment 4 in fiscal year 2005 was expended or obligated during that fiscal year. However, the fiscal year 2006 plan did not report progress against fiscal year 2005 cost commitments relative to: operations and maintenance ($86 million estimate), program management and operations ($83 million estimate), and: management reserve ($23 million estimate). Benefits: As we have previously reported,[Footnote 32] the fiscal year 2005 plan identified several generic benefits and associated them with the various increments. The fiscal year 2006 plan describes accomplishments that can be linked to most, but not all, of these benefits. For example, the previous plan cited an Increment 1 benefit as "Prevent entry of high-threat or inadmissible individuals through improved and/ or advanced access to data prior to the foreign national's arrival." In the fiscal year 2006 plan, DHS reports the cumulative number of people who were subject to adverse actions or denied entry to the United States since Increment 1 became operational (about 2,100 persons). However, since the fiscal year 2005 plan did not associate a performance target with this specific performance measure, the degree of progress is not clear. Moreover, the fiscal year 2006 plan does not report any performance data that can be linked to a number of benefit commitments made in the fiscal year 2005 plan. For example, progress against the following benefits is not addressed. Increment 1: Improved enforcement of immigration laws through improved data accuracy and completeness. Increment 2A: Improved accuracy and timeliness of the determination of foreign nationals' admissibility. Increment 2B: Improved facilitation of legitimate travel and trade at land POEs through improved timeliness and accuracy of determination of traveler status. Increment 4: * Improved immigration and border management identity and verification. * Improved cooperation across federal, state, and local agencies through improved access to foreign national data. * Enhanced communication, management, and collaboration across the border management community. The fiscal year 2006 expenditure plan also does not address all performance measures cited in the 2005 plan. Specifically, the 2005 plan included 11 measures. In contrast, the 2006 plan lists 7 measures, 4 of which are similar, but not identical to, some of the 11 measures in the 2005 plan. This means that several of the 2005 plan's measures are not addressed in the 2006 plan. Moreover, and as the following example illustrates, even in cases of similar performance measures, the fiscal year 2006 plan does not adequately describe progress in meeting commitments. The fiscal year 2005 expenditure plan cited a performance measurement of "Pre-entry watch list hits on biometrically enabled visa applications." The fiscal year 2006 plan cites the performance measure of "Number of biometric watch list hits for visa applicants processed at consular offices." According to the latter plan, in fiscal year 2005 there were 897 such hits; however, neither plan cites a performance target against which to gauge progress, assuming that the two performance measures mean the same thing. Objective 3: Observations Exit Definition and Justification: Observation 1: DHS has not adequately defined and justified its proposed fiscal year 2006 investment in exit pilots and demonstration projects. Having a cost effective exit capability is essential for US-VISIT to accomplish its stated strategic goals, such as enhancing the security of U.S. citizens and visitors and ensuring the integrity of the immigration system. This exit capability is also required by law.[Footnote 33] Over the last 3 years, DHS has devoted considerable time and resources toward establishing an operational exit capability at land, air, and sea POEs. For example, in fiscal years 2003 and 2004 the US-VISIT program allocated a total of $79 million to evaluating alternative air and sea exit solutions, and the fiscal year 2005 expenditure plan committed $32 million to conducting air and sea exit pilots and $51 million for conducting a land exit pilot. Notwithstanding this considerable investment of time and resources, the US-VISIT program still does not have either an operational exit capability or a viable exit solution to deploy. Moreover, US-VISIT exit pilot and concept demonstration reports have raised concerns and limitations, particularly with respect to land POEs. According to land exit pilot and demonstration reports: Successful reading of information on the RFID tags occurred at below acceptable levels. High-powered RFID readers could cause RFID tags to be read incorrectly. Other land POE exit solutions rely on leading edge technologies that are inherently risky. Notwithstanding these results, the fiscal year 2006 expenditure plan proposes investing another $33.5 million to continue air and sea exit pilot and demonstration activities, and the program is carrying over $21.5 million from fiscal year 2005 to continue the land exit pilot. However, Neither the plan nor other exit-related program documentation adequately defines what these efforts entail or what they will accomplish. In particular, the plan and other exit-related program documentation merely state that $33.5 million will be used to continue air and sea exit pilots and demonstrations while a comprehensive exit solution is developed. They do not adequately describe measurable outcomes (benefits and results) from the pilot or demonstration efforts, or related cost, schedule, and capability commitments that will be met. Further, while the plan and other exit-related documentation do not allocate any current funding to the land exit demonstration projects using RFID, they allocate carryover from fiscal year 2005 of $21.5 million to continue this effort. The documents do not adequately describe measurable outcomes (benefits and results) from the pilot and demonstration efforts, and related cost, schedule, and capability commitments that will be met. The plan does not recognize the challenges revealed from prior exit efforts, nor does it show how proposed exit investments address these challenges. For example, the plan does not address the low read rates observed in the pilot or the problems with cross reading and system downtime. The plan allocates more funding for continuing the air and sea exit pilot and demonstration efforts ($33.5 million) than the prior year's plan said would be needed to fully deploy an operational air and sea exit solution ($32 million). According to US-VISIT officials, the pilots are being continued to maintain a presence intended to provide a deterrent effect at exit locations. They are also to be used to gather additional data, which officials said could help support planning for a comprehensive exit solution. Without adequately defining and justifying exit pilot investments in the context of what has already been accomplished and learned from past demonstration projects and what new outcomes and results will be accomplished when, and at what cost, it is unclear that planned exit investments will produce value commensurate with costs and risks. As a result, these investments are neither adequately defined nor justified. GAO Objective 3: Observations US-VISIT Defined without Operational Context: Observation 2: DHS continues to invest in US-VISIT without a clearly defined operational context that includes explicit relationships with related border security and immigration enforcement initiatives. As we have previously reported, it is important that US-VISIT be developed and deployed within an operational context (e.g. enterprise architecture) that defines, among other things, applicable policies, rules, standards, and related initiatives.[Footnote 34] Without such a context to provide a common frame of reference to guide and constrain both US- VISIT and other border security and immigration enforcement initiatives, we concluded that DHS risks investing in programs and systems that are duplicative, are not interoperable, and do not optimize enterprisewide mission operations. As a result, we recommended in 2003 that DHS clarify the operational context in which US-VISIT is to operate. Since then, we have reported on weaknesses with the DHS enterprise architecture and have made recommendations for improving it.[Footnote 35] We currently have work under way to examine the latest version of the architecture. Over the last 3 years, DHS has continued to pursue US-VISIT (both in terms of deploying interfaces between and enhancements to existing systems, and in defining a longer-term, strategic US-VISIT solution) without producing the program's operational context. Exacerbating this situation is the fact that DHS has recently launched other major programs, but has not adequately defined the relationships among US- VISIT and each of these programs. For example, Secure Border Initiative, which is a multi-year plan to secure the borders and reduce illegal immigration by installing state-of-the-art surveillance technologies along the border, increasing border security personnel, and ensuring information access to DHS personnel at and between POEs. Western Hemisphere Travel Initiative, which DHS states will provide the means to implement the provisions of the Intelligence Reform and Terrorism Prevention Act of 2004[Footnote 36] requiring citizens of the United States, Canada, Bermuda, and Mexico to have a designated document that establishes the bearer's identity and citizenship to enter or re-enter the United States. Clearly defining the dependencies among US-VISIT and programs like Secure Border Initiative and Western Hemisphere Travel Initiative is important because there is commonality among the strategic goals of these programs and in the operational environments in which they are to function. For example, both US-VISIT and Secure Border Initiative share the goal of securing the ports of entry. Moreover, there is overlap in the data that each is to produce and use. For example, both US-VISIT and Western Hemisphere Travel Initiative will require identification data for travelers at POEs. Despite these dependencies, neither the fiscal year 2006 US-VISIT expenditure plan nor any other available US-VISIT program documentation addresses these relationships or how they will be managed. Further, according to a memo dated March 6, 2006, from the DHS Joint Requirements Council, the US-VISIT strategic plan did not provide evidence of sufficient coordination between US-VISIT and the other entities involved in border security and immigration efforts. The council's recommendation was that the strategic plan not be approved until greater coordination between US-VISIT and other components was addressed. However, according to the acting director, there are a number of efforts under way to coordinate with other entities, such as with CBP on RFID, with the Coast Guard on development of a mobile biometric reader, and with State on standards for document readers. Further, the acting director stated that the strategic plan is to be approved in November 2006 and submitted to Congress in December 2006. Without a clear, complete, transparent, and understood definition around how related programs and initiatives interact, US-VISIT and other border security and immigration enforcement programs run the risk of being defined and implemented in a way that suboptimizes DHS-wide performance and results. Objective 3: Observations Program Management-Related Costs: Observation 3: DHS has not adequately justified increases in, and disclosed the scope and nature of, program management-related fiscal year 2006 expenditures. Program management is an important and integral aspect of any system acquisition program. Our recommendations to DHS aimed at strengthening US-VISIT program management are grounded in our research, OMB requirements, and recognized best practices relative to the importance of strong program management capabilities. The importance of program management, however, does not in and of itself justify any level of investment in such activities. Rather, such investment in program management capabilities should be viewed the same as investment in any program capability, meaning the scope, nature, size, and value of the investment should be disclosed and justified in relation to the size and significance of the acquisition activities being performed. US-VISIT's planned investment in program management-related activities has risen steadily over the last 4 years, while planned investment in development of new program capabilities has correspondingly declined (see chart on next page). Specifically, The fiscal year 2003 expenditure plan provided $30 million for program management and operations. In contrast, the fiscal year 2006 plan provides $126 million for such program management-related functions (an increase of $96 million). This amount includes a $43 million increase (52 percent) over fiscal year 2005 funding levels. The fiscal year 2003 expenditure plan provided about $325 million for new development efforts. In contrast, the fiscal year 2006 plan provides $93 million for new development. This means that the fiscal year 2006 plan is proposing to expend $33 million more for program management and operations than it is for new development. U.S. VISIT Breakdown of Planned Expenditures As a Dollar Amount for FY 2002 thru FY 2006[A]: [See PDF for image] Source: GAO analysis of DHS data. [A] According to US-VISIT program officials, actual cost information for program management and operations cannot be readily provided due to limitations in their financial management system. [End of figure] The increase in planned program management-related expenditures is more pronounced if it is viewed as a percentage of planned development expenditures (see chart on next page). Specifically, Planned program management-related expenditures represented about 9 percent of planned development in fiscal year 2003, but represents about 135 percent of fiscal year 2006 development. Planned program management-related expenditures as a percentage of new development increased sharply between fiscal years 2005 and 2006 (56 percent to 135 percent). This means that the fiscal year 2006 expenditure plan proposes spending about $1.35 on program management-related activities for each dollar spent on developing new US-VISIT capability. U.S.-VISIT Planned Expenditures for Program Management and Operations as a Percentage of Development for FY 2002 thru FY 2006[A]: [See PDF for Image] Source: GAO analysis of DHS data. [A] According to US-VISIT program officials, actual cost information for program management and operations cannot be readily provided due to limitations in their financial management system. [End of figure] The expenditure plan does not explain the reasons for this recent growth or otherwise justify the sizeable proposed investment in program management and operations on the basis of measurable expected value. Moreover, the plan does not adequately describe the range of program management and operations activities. US-VISIT program officials told us that the DHS Acting Undersecretary for Management recently raised concerns about the large amount of program management and operations funding in the expenditure plan. They also said that they plan to address this issue by carefully distinguishing between expenditures that are purely program management and those that are development or operations and maintenance. Without disclosing and justifying its proposed investment in program management-related efforts, it is unclear whether such a large increase in spending represents the best use of limited resources. Conclusions: The legislatively mandated expenditure plan requirement for US-VISIT is a congressional oversight mechanism aimed at ensuring that planned expenditures are justified, performance against plans is measured, and accountability for results is established. To the extent that the US- VISIT expenditure plan and related program documentation do not adequately disclose program information on what is to be accomplished by when, and what it will cost to do so, the Congress's ability to make informed US-VISIT investment decisions based on justified expenditures and measured performance is restricted. The fiscal year 2006 expenditure plan, combined with other available program documentation and program officials' statements, does not provide sufficient justification for all planned US-VISIT expenditures nor does it permit progress against program commitments to be adequately measured and disclosed. While three of the six stated legislative conditions for the expenditure plan are fully satisfied, the other three have gaps that, while they are intended to be addressed at some future point, limit the department's ability to manage the program today. Moreover, four of our six prior recommendations aimed at fully defining and disclosing program commitments and managing for results have been only partially implemented and completed. Compounding the above is the lack of definition and disclosure of key aspects of US-VISIT's future. In particular, the program's long-term strategy and vision have remained unknown as the department has yet to approve the US-VISIT strategic plan. Equally unknown at this time is a viable exit solution and the relationships among US-VISIT and other recent border security and immigration enforcement programs, like Secure Border Initiative. The absence of definition and clarity in these areas is significant because US-VISIT's ability to meet its strategic goals depends in large part on these key aspects. Notwithstanding this lack of definition, disclosure, and thus, certainty about the justification for planned expenditures and the ability to measure performance and results, US-VISIT program management costs have risen sharply without any accompanying explanation for the reasons. Compounding this problem is that critical areas of program management, such as acquisition management, are also largely undefined in terms of when and at what costs improvements can be expected. All told, this means that the US-VISIT fiscal year 2006 expenditure plan and other available program documentation do not provide sufficient basis for the Congress to exercise effective oversight of the program and to hold the department accountable for results. For proper oversight and accountability to occur, it is essential that DHS increase US-VISIT program transparency and accountability by justifying planned investments on the basis of adequate definition and disclosure of planned expenditures, timelines, capabilities, and benefits, and by effectively measuring and reporting progress against each. Recommendations for Executive Action: To ensure that US-VISIT is better defined and justified, and that our prior recommendations aimed at instilling greater results-oriented performance management and accountability in the program are fully implemented, we are making four recommendations. We recommend that the Secretary of DHS direct the US-VISIT Acting Program Director to report regularly to the Secretary and to the DHS authorization and appropriations committees on the range of program risks associated with not having fully satisfied all expenditure plan legislative conditions, reasons why they are not satisfied, and steps being taken to mitigate these risks. In addition, we recommend that the Secretary direct the US-VISIT Acting Director to: Limit planned expenditures for exit pilots and demonstration projects until such investments are economically justified and until each investment has a well-defined evaluation plan. The projects should be justified on the basis of costs, benefits, and risks, and the evaluation plans should define what is to be achieved, include a plan of action and milestones, and measures for demonstrating achievement of pilot and project goals and desired outcomes. Work with the DHS Enterprise Architecture Board to identify and mitigate program risks associated with investing in new US-VISIT capabilities in the absence of a DHS-wide operational and technological context for the program. These risks should reflect the absence of fully defined relationships and dependencies with related border security and immigration enforcement programs. Limit planned expenditures for program management-related activities until such investments are economically justified and have well-defined plans detailing what is to be achieved, include a plan of action and milestones, and should include measures for demonstrating progress and achievement of desired outcomes. The investments should be justified on the basis of costs, benefits, and risks. Agency Comments: We provided this briefing to, and discussed its contents with, US-VISIT program officials, including the Acting Director. In commenting on a draft of this briefing, US-VISIT program officials agreed with our findings, and said that our conclusions and recommendations were fair. They also provided technical comments on the briefing, which we have incorporated into the briefing as appropriate. Attachment 1 Scope and Methodology: To accomplish our first objective, we reviewed the fiscal year 2006 plan and other available program documentation related to each condition. In doing so, we examined not only completed actions and steps, but also planned actions and steps, including program officials' stated commitments to perform such activities and steps. More specifically, we: compared the information in US-VISIT's fiscal year 2006 Exhibit 300 budget submission and related documentation to capital planning guidance (OMB A-11 part 7) to determine whether the information complies with the capital planning and investment controls, assessed US-VISIT against criteria in DHS's Investment Review Process to determine whether the US-VISIT program could demonstrate compliance with the DHS enterprise architecture, assessed US-VISIT's software improvement program to determine the progress made in developing acquisition processes that meet industry standards, reviewed documentation to determine whether an independent verification and validation agent was currently under contract, and: reviewed documentation to determine whether the expenditure plan received the required certification and approvals. To accomplish our second objective, we: * examined funding obligations reports and prior work on US-VISIT financial systems data reliability to assess the reliability of obligation data, and: * interviewed the Budget Director to determine what compensating controls were in place over the US-VISIT budget control document, including what individuals were allowed data entry access to the document, how often the document was reconciled with the financial system, and how discrepancies with the financial system were reconciled to determine whether these procedures provide US-VISIT with reasonable assurance that the obligations reported by the financial system were accurate. We also analyzed the plan to determine if it: * identified and disclosed management reserve funding; * disclosed key aspects of how the acquisition is being managed, including management areas that our prior reports on US-VISIT identified as important but missing (e.g., governance structure, organizational structure, human capital, systems configuration, and system capacity); * discussed steps and timetables for implementing all open GAO recommendations including reasons for any delays encountered in implementing the tasks; * contained measurable descriptions of system capabilities, benefits, costs, and schedule; and: * described actual progress against commitments for system capabilities, benefits, cost, and schedule from the fiscal year 2005 spend plan. To accomplish our third objective, we reviewed the fiscal year 2006 plan and other available program documentation related to each of the following areas. In doing so, we examined completed and planned actions and steps, including program officials' stated commitments to perform them. More specifically, we reviewed efforts to: * define and implement an exit strategy for air, sea, and land, * define the relationships between US-VISIT and other border security initiatives, and: * program management costs. For DHS-provided data that our reporting commitments did not permit us to substantiate, we have made appropriate attribution indicating the data's source. We conducted our work at US-VISIT program offices in Arlington, Virginia, from August 2006 through November 2006, in accordance with generally accepted government auditing standards. Attachment 2 Related Products List: Related Products List: Homeland Security: Contract Management and Oversight for Visitor and Immigrant Status Program Need to Be Strengthened. GAO-06-404. Washington, D.C.: June 9, 2006. Homeland Security: Progress Continues, but Challenges Remain on Department's Management of Information Technology. GAO-06-598T. Washington, D.C.: March 29, 2006. Homeland Security: Recommendations to Improve Management of Key Border Security Program Need to be Implemented. GAO-06-296. Washington, D.C.: February 14, 2006. Homeland Security: Visitor and Immigrant Status Program Operating, but Management Improvements Are Still Needed. GAO-06-318T. Washington, D.C.: January 25, 2006. Information Security. Department of Homeland Security Needs to Fully Implement Its Security Program. GAO-05-700. Washington, D.C.: June 17, 2005. Information Technology. Customs Automated Commercial Environment Program Progressing, but Need for Management Improvements Continues. GAO-05-267. Washington, D.C.: March 14, 2005. Homeland Security: Some Progress Made, but Many Challenges Remain on U.S. Visitor and Immigrant Status Indicator Technology Program. GAO-05- 202. Washington, D.C.: February 23, 2005. Border Security. State Department Rollout of Biometric Visas on Schedule, but Guidance Is Lagging. GAO-04-1001. Washington, D. C.: September 9, 2004. Border Security. Joint, Coordinated Actions by State and DHS Needed to Guide Biometric Visas and Related Programs. GAO-04-1080T. Washington, D.C.: September 9, 2004. Homeland Security: First Phase of Visitor and Immigration Status Program Operating, but Improvements Needed. GAO-04-586. Washington, D.C.: May 11, 2004. Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed. GAO-04-569T. Washington, D.C.: March 18, 2004. Homeland Security: Risks Facing Key Border and Transportation Security Program Need to Be Addressed. GAO-03-1083. Washington, D.C.: September 19, 2003. Information Technology. Homeland Security Needs to Improve Entry Exit System Expenditure Planning. GAO-03-563. Washington, D.C.: June 9, 2003. Attachment 3: Detailed Description of US-VISIT Program: The US-VISIT program consists of nine organizations and uses contractor support services in several areas. The roles and responsibilities of each of the nine organizations include the following: Chief Strategist is responsible for developing and maintaining the strategic vision and related documentation, transition plan, and business case. Budget and Financial Management is responsible for establishing the program's cost estimates; analysis; and expenditure management policies, processes, and procedures that are required to implement and support the program by ensuring proper fiscal planning and execution of the budget and expenditures. Mission Operations Management is responsible for developing business and operational requirements based on strategic direction provided by the Chief Strategist. Outreach Management is responsible for enhancing awareness of the US- VISIT requirements among foreign nationals, key domestic audiences, and internal stakeholders by coordinating outreach to media, third parties, key influencers, Members of Congress, and the traveling public. Information Technology Management is responsible for developing technical requirements based on strategic direction provided by the Chief Strategist and business requirements developed by Mission Operations Management. Implementation Management is responsible for developing accurate, measurable schedules and cost estimates for the delivery of mission systems and capabilities. Acquisition and Program Management is responsible for establishing and managing the execution of program acquisition and management policies, plans, processes, and procedures. Administration and Training is responsible for developing and administering a human capital plan that includes recruiting, hiring, training, and retaining a diverse workforce with the competencies necessary to accomplish the mission. Facilities and Engineering Management is responsible for establishing facilities and environmental policies, procedures, processes, and guidance required to implement and support the program office. The program uses contractor support services in the following six subject matter areas: Facilities and Infrastructure - provides the infrastructure and facilities support necessary for current and anticipated future staff for task orders awarded under the prime contract. Program-Level Management-defines the activities required to support the prime contractor's program management office, including quality management, task order control, acquisition support, and integrated planning and scheduling. Program-Level Engineering - assures integration across incremental development of US-VISIT systems and maintains interoperability and performance goals. Data Management Support-analyzes data for errors and omissions, corrects data, reports changes to the appropriate system of record owners, and provides reports. Data Management and Governance - provides support in the implementation of data management architecture and transition and sequencing plans, conducts an assessment of the current data governance structure and provides a recommendation for the future data governance structure, including a data governance plan. Mission Operations Data Integrity Improvements - determines possible ways to automate some of the data feeds from legacy systems, making the data more reliable. Attachment 4: Detailed Description of Increments and Component Systems: Below is a discussion of the processes underlying each increment and the systems that provide information to US-VISIT. Increment 1 processes -Increment 1 includes the following five processes at air and sea ports of entry (POEs): pre-entry, entry, status management, exit, and analysis, which are depicted in the graphic below. [See PDF for image] Sources: GAO analysis of US-VISIT data, Nova Development Corp. (clipart). [End of figure] Pre-entry process: Pre-entry processing begins with initial petitions for visas, grants of visa status, or the issuance of travel documentation. When a foreign national applies for a visa at a U.S. consulate, biographic and biometric data are collected and shared with border management agencies. The biometric data (i.e., fingerprint scan of the right and left index fingers) are transmitted from the Department of State (State) to the Department of Homeland Security (DHS), where the fingerprints are run against the Automated Biometric Identification System (IDENT) to verify identity and to run a check against the biometric watch list. The results of the biometric check are transmitted back to State. A "hit" response prevents State's system from printing a visa for the applicant until the information is cleared by a consular officer. Pre-entry also includes transmission by commercial air and sea carriers of crew and passenger manifests before arriving in the United States.[Footnote 37] These manifests are transmitted through the Advance Passenger Information System (APIS). The APIS lists are run against the biographic lookout system and identify those arrivals who have biometric data available. In addition, POEs review the APIS list in order to identify foreign nationals who need to be scrutinized more closely. Entry process: When the foreign national arrives at a primary POE inspection booth, the inspector, using a document reader, scans the machine-readable travel documents. APIS returns any existing records on the foreign national to the US-VISIT workstation screen, including manifest data matches and biographic lookout hits. When a match is found in the manifest data, the foreign national's name is highlighted and outlined on the manifest data portion of the screen. Biographic information, such as name and date of birth, is displayed on the bottom half of the computer screen, as well as the photograph from State's Consular Consolidated Database. The inspector at the booth scans the foreign national's fingerprints (left and right index fingers) and takes a digital photograph. This information is forwarded to the IDENT database, where it is checked against stored fingerprints in the IDENT lookout database. If no prints are currently in IDENT, the foreign national is enrolled in US-VISIT (i.e., biographic and biometric data are entered). If the foreign national's fingerprints are already in IDENT, the system performs a match (a comparison of the fingerprint taken during the primary inspection to the one on file) to confirm that the person submitting the fingerprints is the person on file. If the system finds a mismatch of fingerprints or a watch list hit, the foreign national is sent to an inspection booth for further screening or processing. While the system is checking the fingerprints, the inspector questions the foreign national about the purpose of his or her travel and length of stay. The inspector adds the class of admission and duration of stay information into the Treasury Enforcement Communications Systems (TECS), and stamps the "admit until" date on the Form I-94. If the foreign national is ultimately determined to be inadmissible, the person is detained, lookouts are posted in the databases, and appropriate actions are taken. Within 2 hours after a flight lands and all passengers have been processed, TECS is to send the Arrival Departure Information System (ADIS) the records showing the class of admission and the "admit until" dates that were modified by the inspector. Status management process: The status management process manages the foreign national's temporary presence in the United States, including the adjudication of benefits applications and investigations into possible violations of immigration regulations. Commercial air and sea carriers transmit departure manifests electronically for each departing passenger. These manifests are transmitted through APIS and shared with ADIS. ADIS matches entry and exit manifest data to ensure that each record showing a foreign national entering the United States is matched with a record showing the foreign national exiting the United States. ADIS also provides the ability to run queries on foreign nationals who have entry information but no corresponding exit information. ADIS receives status information from the Computer Linked Application Information Management System and the Student and Exchange Visitor Information System on foreign nationals. Exit process: The exit process includes the carriers' electronic submission of departure manifest data to APIS. This biographic information is passed to ADIS, where it is matched against entry information. At the 14 POEs where the exit solution is being implemented, the departure is processed by one of three exit methods. Within each port, one or more of three exit methods may be used. The three alternatives are: enhanced kiosk: mobile device: validator: Enhanced kiosk: The traveler approaches a kiosk for departure processing. At the kiosk, the traveler, guided by a workstation attendant if needed, scans the machine-readable travel documents, provides electronic fingerprints, and has a digital photograph taken. An encoded receipt is printed to provide documentation of compliance with the exit process and to assist in compliance on the traveler's next attempted entry to the country. After the receipt prints, the traveler proceeds to his/her departure gate. At the conclusion of the transaction, the collected information is transmitted to IDENT. Mobile device: At the departure gate, and just before the traveler boards the departure craft, a workstation attendant scans the machine- readable travel documents, scans the traveler's fingerprints (right and left index fingers), and takes a digital photograph. A receipt is printed to provide documentation of compliance with the exit process and to assist in compliance on the traveler's next attempted entry into the country. The workstation attendant provides the receipt to the traveler, and the traveler then boards the departure craft. The device wirelessly transmits the captured data in real time to IDENT via the Transportation Security Administration's Data Operations Center. Validator: Using the enhanced kiosk, the traveler, guided by a workstation attendant if needed, scans the machine-readable travel documents, provides electronic fingerprints, and has a digital photograph taken. As with the enhanced kiosk, a receipt is printed to provide documentation of compliance with the exit process and to assist in compliance on the traveler's next attempted entry to the country. However, this receipt has biometrics (i.e., the traveler's fingerprints and photograph) embedded on the receipt. At the conclusion of the transaction, the collected information is transmitted to IDENT. The traveler presents his or her receipt to the workstation attendant at the gate or departure area, who scans the receipt using a mobile device. The traveler's identity is verified against the biometric data embedded on the receipt. Once the traveler's identity is verified, he or she is allowed to board the departure craft. The captured data are not transmitted in real time back to IDENT. Instead, the data collected on the mobile device are periodically uploaded through the kiosk to IDENT. Analysis: An ongoing analysis capability is to provide for the continuous screening against watch lists of individuals enrolled in US-VISIT for appropriate reporting and action. As more entry and exit information becomes available, it is to be used to analyze traffic volume and patterns as well as to perform risk assessments. The analysis is to be used to support resource and staffing projections across the POEs, strategic planning for integrated border management analysis performed by the intelligence community, and determination of travel use levels and expedited traveler programs. [See PDF for image] [End of figure] Increment 2B and Increment 3 processes -: Increments 2B and 3 deployed US-VISIT entry processing capabilities to land POEs. These two increments are similar to Increment 1 (air and sea POEs), with several noteworthy differences. No advance passenger information is available to the inspector before the traveler arrives for inspection. Travelers subject to US-VISIT are processed at secondary inspection, rather than at primary inspection. Inspectors' workstations use a single screen, which eliminates the need to switch between the TECS and IDENT screens. Form I-94 data are captured electronically. The form is populated by data obtained when the machine-readable zone of the travel document is swiped. If visa information about the traveler exists in the Datashare database,[Footnote 38] it is used to populate the form. Fields that cannot be populated electronically are manually entered. A copy of the completed form is printed and given to the traveler for use upon exit. No electronic exit information is captured. Increment 2C process -: Increment 2C enhances operating capabilities at land POEs through the use of Form I-94s, which contain radio frequency chips that are capable of being read automatically, passively, and remotely at land POEs during entry and exit. Increment 2C processes are being piloted at five land POEs in two proof of concept phases. In both phases of the pilot: * travelers receive Form 1-94s upon first entry, which contain radio frequency tags containing a unique number used to identify the tag with the person, known as an automated identification (a-I D); and: * on exit and later re-entries, radio frequency identification readers detect the tag passing through the POE in all vehicle and pedestrian lanes and record the event in the Automated Identification Management System (AIDMS), described below. In Phase 1: * Only in the pedestrian primary inspection lanes: - upon remote reading of the a-ID, a biographic watch list check is automatically performed and presented to the CBP officer and: - upon manual scan of the a-ID, the biographic data, photograph, and information regarding the status of a-ID is presented to the CBP officer. In Phase 2: * In the pedestrian primary inspection lanes: - in addition to capabilities of Phase 1, upon manual scan of the a-ID, the CBP officer will receive additional information regarding the traveler's admissibility. * In the vehicle primary inspection lanes, upon remote reading of the a- ID, the system will automatically: - perform a biographic watch list check and present the results to the CBP officer; - present biographic data, photograph, and information regarding the status of a-I D to the CBP officer; - present additional information regarding the traveler to the CBP officer regarding admissibility; and: - associate the traveler's data with the vehicle's license plate data. * Upon exit from either pedestrian or vehicle lanes: - upon remote reading of the a-ID, a real-time biographic watch list query, including biometric watch list status, will be automatically performed. Component systems: US-VISIT Increments 1 through 3 include the interfacing and integration of existing systems and, with Increment 2C, the creation of a new system. The three main existing systems are as follows: Arrival Departure Information System (ADIS) stores: * noncitizen traveler arrival and departure data received from air and sea carrier manifests, * arrival data captured by CBP officers at air and sea POEs, * Form I-94 issuance data captured by CBP officers at Increment 2B land POEs, * departure information captured at US-VISIT biometric departure pilot (air and sea) locations, * pedestrian arrival information and pedestrian and vehicle departure information captured at Increment 2C POE locations, and: * status update information provided by the Student and Exchange Visitor Information System (SEVIS) and the Computer Linked Application Information Management System (CLAIMS 3) (described below). ADIS provides record matching, query, and reporting functions. The passenger processing component of the Treasury Enforcement Communications Systems (TECS) includes two systems: * Advance Passenger Information System (APIS) captures arrival and departure manifest information provided by air and sea carriers, and: * Interagency Border Inspection System (IBIS) maintains lookout data and interfaces with other agencies' databases. CBP officers use these data as part of the admission process. The results of the admission decision are recorded in TECS and ADIS. The Automated Biometric Identification System (IDENT) collects and stores biometric data on foreign visitors, including data such as: * Federal Bureau of Investigation information[Footnote 39] on all known and suspected terrorists, selected wanted persons (foreign-born, unknown place of birth, previously arrested by DHS), and previous criminal histories for high-risk countries; * DHS Immigration and Customs Enforcement information on deported felons and sexual registrants; and: * DHS information on previous criminal histories and previous IDENT enrollments. The new system developed for Increment 2C, the Automated Identification Management System, is a collection of systems that manages data collected through the automatic scan of radio frequency chips in the Form I-94s through antennas and readers installed at the five land POEs included in the pilot. It maintains four categories of records: Traveler identification information such as the traveler's unique radio frequency identification number and data received from TECS such as the traveler's complete name, date of birth, and travel document type, number, date and country of issuance. Radio frequency identification tag related information such as the tag number and status (e.g. active, returned, seized, lost, stolen, damaged, etc.) Tag read event information such as the date, time and location of a read event and the direction of the border crossing (entry or exit). Border crossing history, which consists of the composition of information from the other three categories of information into a border crossing event that is communicated to other DHS systems such as TECS and ADIS. US-VISIT also exchanges biographic information with other DHS systems, including SEVIS and CLAIMS 3: SEVIS is a system that contains information on foreign students and: CLAIMS 3 is a system that contains information on foreign nationals who request benefits, such as change of status or extension of stay. Some of the systems involved in US-VISIT, such as IDENT and AIDMS, are managed by the program office, while some systems are managed by other organizational entities within DHS. For example: TECS is managed by CBP, SEVIS is managed by Immigration and Customs Enforcement, CLAIMS 3 is under United States Citizenship and Immigration Services, and: ADIS is jointly managed by CBP and US-VISIT. US-VISIT also interfaces with other, non-DHS systems for relevant purposes, including watch list[Footnote 40] (i.e. lookout) updates and checks to determine whether a visa applicant has previously applied for a visa or currently has a valid U.S. visa. In particular, US-VISIT receives biographic and biometric information from State's Consular Consolidated Database as part of the visa application process, and returns fingerscan information and watch list changes. [End of section] Appendix II: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: January 19, 2007: Mr. Randolph C. Hite: Director: Information Technology Architecture and Systems Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, D.C. 20548: Dear Mr. Hite: Thank you for the opportunity to review the draft report entitled Homeland Security: Planned Expenditures for U.S Visitor and Immigrant Status Program Need to Be Adequately Defined and Justified (GAO-07- 278). As with prior reports that your office has issued regarding US- VISIT, there are many areas with which we agree, and the recommendations have made US-VISIT a stronger program. We concur with the report recommendations and the need for improvement. Overall, the report's findings will help US-VISIT to continue making its already highly successful and valuable contributions to the enhanced security. of the United States. We believe, however, that some of GAO's statements regarding US-VISIT's Fiscal Year 2006 Expenditure Plan need to be modified or otherwise clarified. In the draft report addressed to the Committees on Appropriations, GAO in discussing its first observation (page 5) states that, "Notwithstanding these issues, the fiscal year 2006 expenditure plan proposes investing another $33.5 million to continue air and sea exit pilots and allocates carryover of $21.5 million in fiscal year 2005 funds for land exit demonstration activities, without adequately justifying continuing these investments. " The $33.5 million in funding for air and sea exit pilot operations was initially requested to support the current operations while expanding to additional locations. The GAO report outlines the $33.5 million as an investment, but it is more accurately depicted as continuing operations, as well as an investment. Currently, the Department of Homeland Security (DHS) has determined that portions of the funding will support current pilot operations, while exploring a more comprehensive exit strategy. It should be noted that we are not carrying over $21.5 million from FY 2005 funds for use on Increment 2C (RFID). We are using a small portion of these funds ($1.2 million) for 2C shutdown and closeout, while the remaining funds will be considered for reprogramming. In discussing the third observation (pages 5-6), GAO states that, "DHS has not adequately justified increases in, and disclosed the scope and nature of, program management-related fiscal year 2006 expenditures. US- VISIT's planned investment in program management-related activities has risen steadily over the last 4 years, while planned investment in the development of new program capabilities has similarly declined . The expenditure plan does not explain the reasons for this recent growth or otherwise justify the sizeable proposed investment in program management and operations on the basis of measurable expected value. " US-VISIT officials understand and share the concerns about the appearance of growth in program management and contract support costs, and regret that the initial Fiscal Year 2006 Expenditure Plan submission lacked sufficient detail and clarity. A revised plan signed by the Secretary of the Department of Homeland Security was submitted on January 16, 2007 to the Committees on Appropriations to show how the cost growth is more accurately attributed to operations, program and project activities directly related to implementation of homeland security measures. In Attachment I, Briefing to the Staffs of the Subcommittees on Homeland Security, Committee on Appropriations, page 22 (Background - Description and Status of Increments), GAO states that, "The proof-of- concept was initiated in August 2005, and initial results were reported in January 2006 These results showed that there were problems that would affect the ability to implement an RFID land border solution. This was subsequently termed Phase 1 and is still ongoing, using $21.5 million in funds carried over from fiscal year 2005." Termination of the Increment 2C pilot (RFID) began in November 2006. GAO states in Attachment 1, page 74 (Objective 3: Observations, Exit Definition and Justification) that "Further, while the plan and other exit-related documentation do not allocate any current funding to the land exit demonstration projects using RFID, they allocate carryover from fiscal year 2005 of $21.5 million to continue this effort. " As previously noted, US-VISIT officials will not carry over $21.5 million from Fiscal Year 2005 funds for use on RFID (2C). US-VISIT officials will use $1.2 million of the $21.5 million FY 2005 carryover funds for 2C shutdown and closeout, while the remaining funds will be considered for reprogramming. Sincerely, Signed by: Steven J. Pecinovsky: Director, Departmental GAO/OIG Liaison Office: [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Randolph C. Hite, (202) 512-3439: Staff Acknowledgments: In addition to the individual named above, Tonia Johnson (Assistant Director), Eric Costello, Deborah Davis, Neil Doherty, Nancy Glover, David Hinchman, Jamelyn Payan, Scott Pettis, and Daniel Wexler made key contributions to this report. (310633): FOOTNOTES [1] Pub. L. No. 109-90 (Oct. 18, 2005). [2] Immigration and Naturalization Service Data Management Improvement Act of 2000, Pub. L. No. 106-215, 114 Stat. 337, codified at 8 U.S.C. § 1365a(b). [3] The operational context defines, among other things, applicable policies, rules, standards, and related initiatives. It also provides a common frame of reference to guide and constrain both US-VISIT and other border security and immigration enforcement initiatives. [4] GAO, Homeland Security: Efforts Under Way to Develop Enterprise Architecture, but Much Work Remains, GAO-04-777 (Washington, D.C.: Aug. 6, 2004). [5]Pub. L.109-90 (Oct. 18, 2005). [6] The appropriated amount was subsequently reduced to $336.6 million by a governmentwide 1 percent rescission, Pub. L. 109-148 (Dec. 30, 2005), and OMB instructed US-VISIT to reduce the amount that could not be obligated to $158,060,000. [7] 0 MB Circular A-11 establishes policy for planning, budgeting, acquisition, and management of federal capital assets. [8] Our reports on US-VISIT expenditure plans have resulted in 24 recommendations, six of which pertain to the US-VISIT expenditure plan and 18 of which pertain to the US-VISIT program. Earlier this year, we reported on the status of the 18 recommendations pertaining to the US- VISIT program. See GAO-06-296, Homeland Security. Recommendations to Improve Management of Key Border Security Program Need to Be Implemented, (Washington, D.C.: Feb. 14, 2006). For a full list of US- VISIT related GAO reports, see attachment 2. [9] See attachment 3 for more details. [10] An indefinite-delivery/indefinite-quantity contract provides for an indefinite quantity, within stated limits, of supplies or services during a fixed period of time. The government schedules deliveries or performance by placing orders with the contractor. [11] Accenture's partners include, among others, Raytheon Company, the Titan Corporation, and SRA International, Inc. [12] On September 30, 2004, US-VISIT expanded biometric entry procedures to include individuals from visa waiver countries applying for admission. [13] Workstation attendants also assist travelers in using the kiosk. [14] Legislation requiring the installation of software and equipment at POEs to authenticate machine-readable visas and travel documents established a deadline of October 26, 2004 (Pub. L. 107-173, (May 14, 2002)), but this date was subsequently changed (Pub. L. 108-299 (Aug.9, 2004)). [15] Legislation requiring Visa Waiver Program countries to issue e- Passports originally established a deadline of October 26, 2004 (Pub. L. 107-173, (May 14, 2002)), but this date was subsequently changed (Pub. L. 108-299 (Aug. 9, 2004)). Subsequently, DHS and State obtained an agreement with the appropriate congressional committee to change this date to October 26, 2006. [16] Form I-94s are used to record a foreign national's entry into the United States. The form has two parts-arrival and departure-containing a unique number for the purposes of recording and matching the arrival and departure records of nonimmigrants. [17] For example, diplomats and persons under the age of 14 or over the age of 79 are exempt from US-VISIT requirements. [18] Radio frequency technology relies on proximity cards and card readers. Radio frequency devices read the information contained on the card when the card is passed near the device. The information can contain personal identification of the cardholder. [19] At one POE, these capabilities were deployed by December 19, 2005, but were not fully operational until January 7, 2006, because of a telephone company strike that prevented the installation of a T-1 line. [20] For details on the processes underlying each increment and systems supplying information to US-VISIT, see attachment 4. [21] For details on the processes underlying each increment and systems supplying information to US-VISIT, see attachment 4. [22] In fiscal year 2003, the approved expenditure plan was for $375 million, but the appropriated amount was for $362 million. The difference of $13 million was to have been made up through user fees from Immigration and Customs Enforcement. However, only $5 million in user fees was provided to the US-VISIT program, for a total of $367 million. [23] Provided that the program office resubmit documentation upon approval of the US-VISIT strategic plan, which, at that time, was anticipated to be in January 2005. [24] GAO, Homeland Security. Some Progress Made, but Many Challenges Remain on U.S. Visitor and Immigrant Status Indicator Technology Program, GAO-05-202 (Washington, D.C.: Feb. 23, 2005). [25] See, for example, the Clinger-Cohen Act of 1996 (P.L. 104-106), OMB Circular A-130, and the Federal Acquisition Regulation. [26] GAO, Homeland Security. Risks Facing Border and Transportation Security Program Need to be Addressed, GAO-03-1083 (Washington D.C.: Sept. 19, 2003). [27] The CMMI® ranks organizational maturity according to five levels. Maturity levels 2 through 5 require verifiable existence and use of certain key process areas. [28] GAO, Homeland Security. Contract Management and Oversight for Visitor and Immigrant Status Program Need to Be Strengthened, GAO-06- 404 (Washington, D.C.: June 9, 2006). [29] Financial controls are practices to provide accurate, reliable, and timely accounting for billings and expenditures. [30] The appropriated amount was subsequently reduced to $336.6 million by a governmentwide 1 percent rescission. Pub. L. 109-90 (Oct. 18, 2005) and Pub. L. 109-148 (Dec. 30, 2005). [31] GAO-06-404, June 9, 2006. [32] GAO-05-202. [33] Immigration and Naturalization Service Data Management Improvement Act of 2000, P.L. 106-215, 114 Stat. 337, codified at 8 U.S.C. § 1365a(b); Intelligence Reform and Terrorism Prevention Act of 2004, P.L. 108-458, codified at 8 U.S.C § 1365b(d). [34] GAO-03-1083. [35] GAO, Homeland Security. Efforts Under Way to Develop Enterprise Architecture, but Much Work Remains, GAO-04-777 (Washington, D.C.: Aug. 6, 2004): [36] pub. L. No. 108-458, § 7209, 118 Stat. 3638, 3823 (2004). [37] Pub. L. 107-173 (May 14, 2002). [38] Datashare includes a data extract from State's Consular Consolidated Database system and includes the visa photograph, biographical data, and the fingerprint identification number assigned when a nonimmigrant applies for a visa. [39] Information from the Federal Bureau of Investigation includes fingerprints from the Integrated Automated Fingerprint Identification System. [40] Watch list data sources include DHS's Customs and Border Protection and Immigration and Customs Enforcement; the Federal Bureau of Investigation; legacy DHS systems; the U.S. Secret Service; the U.S. Coast Guard; the Internal Revenue Service; the Drug Enforcement Agency; the Bureau of Alcohol, Tobacco, & Firearms; the U.S. Marshals Service; the U.S. Office of Foreign Asset Control; the National Guard; the Treasury Inspector General; the U.S. Department of Agriculture; the Department of Defense Inspector General; the Royal Canadian Mounted Police; the U.S. State Department; Interpol; the Food and Drug Administration; the Financial Crimes Enforcement Network; the Bureau of Engraving and Printing; and the Department of Justice Office of Special Investigations. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: