This is the accessible text file for GAO report number GAO-09-40 
entitled 'Information Technology: Management Improvements Needed on the 
Department of Homeland Security's Next Generation Information Sharing 
System' which was released on October 8, 2008. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 

GAO: 

October 2008: 

Information Technology: 

Management Improvements Needed on the Department of Homeland Security's 
Next Generation Information Sharing System: 

GAO-09-40: 

GAO Highlights: 

Highlights of GAO-09-40, a report to congressional requesters. 

Why GAO Did This Study: 

The Department of Homeland Security (DHS) is responsible for 
coordinating the federal government’s homeland security communications 
with all levels of government. In support of this mission, DHS 
implemented, and has been enhancing, the Homeland Security Information 
Network (HSIN). It also has proposed a follow-on system, called Next 
Generation HSIN (HSIN Next Gen). GAO was asked to determine whether (1) 
DHS has stopped further improvements on HSIN and if so, the 
department’s rationale for doing so and plans for acquiring its 
proposed follow-on system HSIN Next Gen and (2) the department is 
effectively managing the HSIN Next Gen acquisition. To accomplish this, 
GAO analyzed documentation, interviewed officials, and compared 
acquisition management processes and practices defined in industry best 
practices with those planned and underway by DHS. 

What GAO Found: 

DHS halted further improvements on the existing HSIN system in 
September 2007. Since then, the department has continued to operate and 
maintain the system while a replacement—HSIN Next Gen—is being planned 
and acquired. DHS decided to pursue this replacement in large part 
because: 

* the existing system has security and information-sharing limitations 
that do not meet department and other users’ needs, thus impeding the 
department’s ability to effectively perform its mission; and 

* the new system is to be a key part of a departmentwide consolidation 
effort to, among other things, reduce the number of systems within DHS 
that share sensitive but unclassified information. 

DHS has developed an acquisition strategy for HSIN Next Gen, whereby 
the system is to be implemented in four phases, each providing for an 
increasing number of users to be transitioned to the system. For 
example, DHS plans to begin transitioning existing HSIN users in May 
2009. Further, in May 2008, DHS issued a task order engaging a 
contractor to acquire, deploy, operate, and maintain the new system. 
The total estimated value of the task order’s initial year is $19 
million; the order also includes 4 option years that, if exercised, are 
estimated to be worth $62 million. DHS intends to continue to use the 
existing HSIN with the goal of terminating its use in September 2009 
when HSIN Next Gen is to be fully completed. DHS estimates it will cost 
$3.1 million to operate and maintain HSIN between now and its planned 
September 2009 termination. 

DHS is in the process of implementing key acquisition management 
controls for HSIN Next Gen, but has yet to implement the full set of 
controls essential to effectively managing information technology 
system projects in a rigorous and disciplined manner. Specifically, it 
has not fully implemented key process controls in the areas of: 

* project and acquisition planning, 

* requirements development and management, and 

* risk management. 

DHS officials, including the Office of Operations Coordination and 
Planning’s Chief Information Officer, who is responsible for managing 
the project, attribute the partial implementation of these key 
processes in large part to the aggressive schedule for acquiring and 
deploying HSIN Next Gen. The Chief Information Officer also stated the 
department plans to address these weaknesses by, for example, tasking 
its contractor to assist in the development and completion of the risk 
management process area, but had not yet established dates for when all 
of these activities will be completed. Until these weaknesses are 
effectively addressed and DHS implements and institutionalizes the full 
set of acquisition management controls, the project will be at 
increased risk of operating in an ad hoc and chaotic manner—potentially 
resulting in increased project costs, delayed schedules, and 
performance shortfalls. 

What GAO Recommends: 

GAO recommends strengthening acquisition management controls before the 
department starts to migrate existing users to the new system by, among 
other things, staffing the program office appropriately, ensuring all 
user requirements are gathered, and identifying key risks surrounding 
the project. In written comments on this report, DHS described actions 
planned and underway to address GAO recommendations. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-09-40]. For more 
information, contact David A. Powner at (202) 512-9286 or 
pownerd@gao.gov. 

[End of section] 

Contents: 

Letter: 

DHS Has Stopped Current HSIN System Improvements and Is in the Process 
of Acquiring a Replacement System: 

DHS Has Yet to Implement the Management Controls Essential to 
Effectively Manage the HSIN Next Gen Acquisition: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Briefing Slides to Congressional Staff: 

Appendix II: Comments from the Department of Homeland Security: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Abbreviations: 

DHS: Department of Homeland Security: 

CIO: Chief Information Officer: 

HSIN: Homeland Security Information Network: 

HSIN Next Gen: Next Generation HSIN: 

IT: information technology: 

OPS: Office of Operations Coordination and Planning: 

[End of section] 

United States Government Accountability Office: 

Washington, DC 20548: 

October 8, 2008: 

The Honorable Joseph I. Lieberman: 
Chairman: 
The Honorable Susan M. Collins: 
Ranking Member: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Bennie G. Thompson: 
Chairman: 
Committee on Homeland Security: 
House of Representatives: 

The Department of Homeland Security (DHS) is responsible for 
coordinating the federal government's homeland security communications 
with all levels of government--including state and local. In support of 
this mission, the department deployed, and has been making improvements 
to, the Homeland Security Information Network (HSIN) as part of its 
goal to establish an infrastructure for sharing homeland security 
information. In 2005,[Footnote 1] and more recently in January 
2007,[Footnote 2] we designated homeland security information sharing 
as a high-risk area. Consequently, it is important that federal 
networks and associated systems, applications, and data facilitate this 
vital information sharing, and do so in a manner that produces 
effective information sharing among and between the various levels of 
government. This is particularly crucial for DHS's HSIN, which is the 
department's primary information technology (IT) system for sharing 
terrorism and related information. Recently, DHS proposed a follow-on 
system to HSIN, which it refers to as Next Generation HSIN (HSIN Next 
Gen). 

This report responds to your request that we determine whether (1) DHS 
has stopped further improvements on HSIN and if so, the department's 
rationale for doing so and plans for acquiring its proposed follow-on 
system HSIN Next Gen and (2) the department is effectively managing the 
HSIN Next Gen acquisition. 

On July 11, 2008, and July 17, 2008, we provided a briefing to staff of 
the House Homeland Security Committee and Senate Homeland Security and 
Governmental Affairs Committee, respectively. Prior to these staff 
briefings (on July 9, 2008), we provided the briefing to responsible 
DHS officials, who agreed in large part with our findings, conclusions, 
and recommendations. This report transmits (1) the slides that we used 
during the briefings and (2) the recommendations that we made to the 
Secretary of Homeland Security and the Director, Office of Operations 
Coordination and Planning, who is responsible for managing HSIN and 
HSIN Next Gen. The full briefing, including our scope and methodology, 
is reprinted as appendix I. 

DHS Has Stopped Current HSIN System Improvements and Is in the Process 
of Acquiring a Replacement System: 

In September 2007, the department halted further improvements on the 
existing HSIN system. Since then, DHS has continued to operate and 
maintain the system while its replacement--HSIN Next Gen--is being 
planned and acquired. The department decided to pursue the replacement 
for two reasons. First, the existing system has security and 
information-sharing limitations that do not meet department and other 
users' needs. For example, with regard to security, the current HSIN 
does not support role-based access controls[Footnote 3] and two-factor 
authentication.[Footnote 4] These limitations hinder the department's 
ability to effectively perform its mission. 

Second, the replacement system is to be used as a key part of a 
departmentwide consolidation effort aimed at reducing the number of 
multiple portals or Web-based systems within DHS by consolidating the 
systems across the department that are to share sensitive but 
unclassified information. In particular, HSIN Next Gen is to provide 
secure access to DHS sensitive but unclassified information and 
services for all department user communities, including those in the 
law enforcement, intelligence, immigration, and emergency and disaster 
management communities. 

With regard to DHS plans to acquire HSIN Next Gen, the department has 
developed an acquisition strategy for the system and plans to have all 
users on the new system by September 2009. The system will be 
implemented in four phases, each addressing a functional portion of the 
requirements and providing for an increasing number of users to be 
transitioned to the system. Specifically, during the first phase of 
implementation, the department plans to bring on board up to 20,000 new 
users from critical infrastructure sectors such as agriculture and 
food, and transportation systems. In addition, during the second phase 
(called Initial Operational Capability) and third phase (called 
Maturing Operational Capability), DHS plans to transition over 26,000 
users that currently use the existing HSIN system; this transition of 
existing HSIN users is to begin in May 2009. To help carry out the 
strategy, DHS issued a task order in May 2008 engaging a contractor to 
acquire, deploy, operate, and maintain the new system. The total 
estimated value of the base year of this arrangement is $19 million, 
and the total estimated value, if each of the four options is 
exercised, is $62 million. 

DHS intends to continue to use the existing HSIN with the goal of 
terminating its use in September 2009 when HSIN Next Gen is to be fully 
implemented. DHS estimates it will cost $3.13 million to operate and 
maintain HSIN between now and its planned September 2009 termination. 

DHS Has Yet to Implement the Management Controls Essential to 
Effectively Manage the HSIN Next Gen Acquisition: 

As we have previously reported,[Footnote 5] the success of critical 
projects such as HSIN depends on developing and implementing a full set 
of acquisition management controls to effectively manage the project. 
While DHS is in the process of implementing key acquisition management 
controls for HSIN Next Gen, it has yet to implement the full set of 
controls essential to managing HSIN Next Gen in a disciplined and 
rigorous manner. Specifically, it has not implemented key process 
controls in the areas of: 

* project and acquisition planning, which includes key processes, such 
as developing a program office and identifying staff roles and 
responsibilities; 

* requirements development and management, which involves key 
processes, such as gathering, analyzing, and validating user 
requirements; and 

* risk management, which includes key processes, such as identifying 
and analyzing risks and assigning responsibilities for managing risks. 

With regard to project and acquisition planning, DHS has established a 
program office for HSIN Next Gen, including filling the position of 
project manager. However, it has not adequately staffed the HSIN Next 
Gen program office and identified staff roles and responsibilities. 

In addition, in the area of requirements development and management, 
the department has gathered and analyzed requirements from critical 
infrastructure sector users. However, it has not gathered requirements 
from all other HSIN users and developed a change control process for 
managing change to requirements. 

Further, regarding risk management, DHS has begun to develop a risk 
management plan that defines staff roles and responsibilities. However, 
it has yet to identify all key risks surrounding the project and 
develop risk mitigation plans and completion milestones. 

DHS officials, including the Office of Operations Coordination and 
Planning's (OPS) Chief Information Officer (CIO), who is responsible 
for managing the project, attribute the partial implementation of these 
key processes in large part to the aggressive schedule for acquiring 
and deploying HSIN Next Gen. In our view, engaging a contractor and 
commencing work before implementing mature controls is not a recipe for 
success. Specifically, our research and experience at federal agencies 
have shown that the probability of success is low using this approach. 
The OPS CIO stated the department plans to address these weaknesses by, 
for example, tasking its contractor to assist in the development and 
completion of the risk management process area, but had not yet 
established dates for when all of these activities will be completed. 

Consequently, until these weaknesses are effectively addressed and DHS 
implements and institutionalizes the full set of acquisition management 
controls, the project will be at increased risk of operating in an ad 
hoc and chaotic manner--potentially resulting in increased project 
costs, delayed schedules, and performance shortfalls. 

Conclusions: 

DHS has been challenged in its ability to efficiently and effectively 
manage the department's existing primary information-sharing system. In 
particular, although DHS has invested upwards of $70 million on the 
system, it still does not fully meet user needs and as a result, has 
not been fully utilized. DHS intends to address this performance 
shortfall by, among other things, acquiring a replacement system. A key 
challenge for DHS in this effort will be ensuring it develops an 
information-sharing system that effectively addresses its users' needs 
and in the process, does not waste or unwisely invest critical 
department resources. 

To its credit, DHS has initiated some important steps in establishing 
sound and capable acquisition controls, but much remains to be 
accomplished before DHS management efforts can be considered effective 
and thereby minimize the risks associated with HSIN Next Gen delivering 
promised capabilities and benefits on time and within budget. 

Investing money given the current state of management controls puts the 
project at risk. Given what is at stake, it is extremely important that 
DHS direct its attention to these management issues, and mitigate the 
associated risks as soon as possible. 

Recommendations for Executive Action: 

To minimize risks to the HSIN Next Gen project, we are making six 
recommendations to the Secretary of Homeland Security aimed at 
strengthening management of the project. We recommend that the 
Secretary direct the Director, Office of Operations Coordination and 
Planning to strengthen program management controls by: 

* staffing the program office appropriately; 

* identifying staff roles and responsibilities; 

* ensuring all requirements are gathered, analyzed, and validated; 

* developing and implementing a requirements change control process; 
and 

* ensuring effective risk management by identifying all key risks 
surrounding the project and developing risk mitigation plans and 
completion milestones. 

We also recommend that these controls be implemented before the 
department starts to migrate users to HSIN Next Gen's Initial 
Operational Capability. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, which were in a letter 
signed by DHS's Director of Operations Coordination and Planning and 
are reprinted in appendix II, the department described actions planned 
and underway to address our recommendations. These actions are 
consistent with those described by DHS in response to our July 9, 2008, 
briefing to the department in which it largely agreed with our 
findings, conclusions, and recommendations. 

We are sending copies of this report to interested congressional 
committees and the Secretary of Homeland Security. We will also make 
copies available to others on request. In addition, the report will be 
available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 

Should you or your staffs have any questions concerning this report, 
please contact me at 202-512-9286 or by e-mail at pownerd@gao.gov. 
Contact points for our Offices of Congressional Relations and Public 
Affairs may be found on the last page of this report. GAO staff who 
made key contributions to this report are listed in appendix III. 

Signed by: 

David A. Powner: 

Director, Information Technology Management Issues: 

[End of section] 

Appendix I: Briefing Slides to Congressional Staff: 

Information Technology: Management Improvements Needed on the 
Department of Homeland Security's Next Generation Information Sharing 
System: 

Briefing to the Staffs of the Senate Committee on Homeland Security and 
Governmental Affairs: 
July 17, 2008: 

House Committee on Homeland Security: 
July 11, 2008: 

Table of Contents: 

Introduction: 
Objectives, Scope, and Methodology: 
Results in Brief: 
Background: 
Results: 
* HSIN Is Currently Operational but Further Improvements Have Been 
Halted; 
* Acquisition Management Controls Needed; 
Conclusions: 
Recommendations: 
Agency Comments and Our Evaluation: 
Attachment I: Scope and Methodology: 

Introduction: 

The Department of Homeland Security (DHS) is responsible for 
coordinating the federal government's homeland security communications 
with all levels of government--including state and local. In support of 
this mission, the department implemented, and has been enhancing, the 
Homeland Security Information Network (HSIN) as part of its goal to 
establish an infrastructure for sharing homeland security 
information.[Footnote 6] Recently, DHS proposed a follow-on system to 
HSIN, which it refers to as Next Generation HSIN (HSIN Next Gen). 

In 2005,[Footnote 7] and more recently in January 2007,[Footnote 8] we 
designated homeland security information sharing as a high-risk area. 
Consequently, it is important that federal networks and associated 
systems, applications, and data facilitate this vital information 
sharing, and do so in a manner that produces effective information 
sharing among and between the various levels of government. This is 
particularly crucial for DHS's HSIN, which is the department's primary 
information technology (IT) system for sharing terrorism and related 
information. 

Objectives, Scope, and Methodology:

As agreed, our objectives were to determine whether: 

* DHS has stopped further improvements on HSIN and if so, the 
department's rationale for doing so and plans for acquiring its 
proposed follow-on system, called HSIN Next Gen, and

* the department is effectively managing the HSIN Next Gen acquisition. 

For our first objective, we analyzed documentation and interviewed DHS 
officials from the office responsible for managing HSIN and HSIN Next 
Gen, the Office of Operations Coordination and Planning (OPS), to 
assess efforts planned and underway to implement HSIN system 
improvements and acquire HSIN Next Gen. 

For our second objective, we compared processes and practices defined 
in the Software Engineering Institute's Capability Maturity Model® 
Integration for Acquisition (CMMI-ACQ)[Footnote 9] and in our prior 
work analyzing best practices in industry and government[Footnote 10] 
with those planned and underway by the department to determine the 
extent of implementation. In judging implementation, we used the 
following criteria: the processes were (1) fully implemented if all of 
the related guidance was addressed; (2) partially implemented if some, 
but not all, of the related guidance was addressed; and (3) not 
implemented if none of the related guidance was addressed. 

Details of our scope and methodology are provided in attachment I. We 
conducted this performance audit from January 2008 to June 2008, in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives.

Results In Brief: 

DHS halted further improvements on the existing HSIN system in 
September 2007. Since then, the department has continued to operate and 
maintain the system while a replacement--called HSIN Next Gen--is being 
planned and acquired. DHS decided to pursue this replacement for two 
reasons. 

* First, the existing system has security and information sharing 
limitations that do not meet department and other users' needs, thus 
impeding the department's ability to effectively perform its mission. 

* Second, the replacement system is to be used as a key part of a 
departmentwide consolidation effort to reduce the number of duplicative 
DHS Web-based systems. 

DHS has developed an acquisition strategy for the system and plans to 
have all users on the new system by September 2009. DHS intends to 
continue to use the existing HSIN with the goal of retiring it once 
HSIN Next Gen has been completed. DHS estimates it will cost $3.13 
million to operate and maintain HSIN between now and retirement. 

DHS is in the process of implementing key acquisition management 
controls for HSIN Next Gen. For example, DHS has established a program 
office for HSIN Next Gen, including filling the position of project 
manager. In addition, DHS has begun to develop a risk management plan 
that defines staff roles and responsibilities. However, DHS has yet to 
implement the full set of controls essential to effectively managing IT 
system projects in a rigorous and disciplined manner. Specifically, it 
has not fully implemented key process controls in the areas of: 

* project and acquisition planning, 

* requirements development and management, and 

* risk management. 

DHS officials, including the OPS Chief Information Officer (CIO), who 
is responsible for managing the project, attribute the partial 
implementation of these key processes in large part to the aggressive 
schedule for acquiring and deploying HSIN Next Gen. DHS has activities 
planned and underway to address missing controls, but has not 
established dates for when all of these activities will be completed. 

Until DHS has implemented these controls, there is increased risk of 
the project operating in an ad hoc and chaotic manner--potentially 
resulting in increased project costs, delayed schedules, and 
performance shortfalls. Accordingly, we are making recommendations to 
the Secretary of Homeland Security to (1) strengthen management 
controls, including project and acquisition planning, requirements 
development and management, and risk management; and (2) ensure that 
these controls be implemented before users are transitioned to HSIN 
Next Gen Initial Operational Capability. 

In orally commenting on a draft of this briefing, DHS officials stated 
that they agreed with our findings and recommendations and described 
actions they have initiated to implement our recommendations. They also 
generally agreed with our conclusions. However, DHS officials stated 
that the risk raised in our conclusions was mitigated by their IT 
experience. While experience is important, key process controls, such 
as rigorous and disciplined requirements and risk management, are also 
essential to IT project success. 

Background: 

DHS is the lead department involved in securing our nation's homeland. 
Its mission includes, among other things, leading the unified national 
effort to secure the United States, preventing and deterring terrorist 
attacks, and protecting against and responding to threats and hazards 
to the nation. 

As part of its mission and as required by the Homeland Security Act of 
2002,[Footnote 11] the department is also responsible for coordinating 
efforts across all levels of government and throughout the nation, 
including with federal, state, tribal, local, and private sector 
homeland security resources. This includes coordinating the federal 
government's networks and other communications systems with state and 
local governments. 

In 2004, DHS developed and implemented HSIN as the department's primary 
IT system for sharing terrorism and related information with federal, 
state, and local agencies, among others. Specifically, this Web-based 
communication system is to provide a secure and trusted national IT 
system for sensitive but unclassified information sharing and 
collaboration among federal, state, local, tribal, territorial, private 
sector, and international partners engaged in preventing, protecting 
from, responding to, and recovering from all threats, hazards, and 
incidents within DHS's authority. 

HSIN offers both real-time chat and instant messaging capability, as 
well as a document library that contains reports from multiple federal, 
state, and local sources. Available through the system are suspicious 
incident and pre-incident information and analysis of terrorist 
threats, tactics, and weapons. Each community of interest has Web pages 
that are tailored for the community and contain general and community-
specific news articles, links, and contact information. 

HSIN is to support a number of homeland security-related mission areas 
that cover thousands of users across the United States. These mission 
areas include over 35 user groups, commonly referred to as communities 
of interest, including: 

* emergency management, 

* law enforcement, 

* counterterrorism, 

* individual states, and 

* private sector communities. 

Other DHS component organizations, such as the Office of Infrastructure 
Protection, the Coast Guard, and Federal Emergency Management Agency, 
use HSIN as a tool to further their respective missions and therefore 
have assisted in the development, operations and maintenance, and 
enhancement of HSIN. For example, according to the Office of 
Infrastructure Protection, it works with the critical infrastructure 
sectors--that is, groups of similar private and government entities that 
operate and maintain systems and assets, whether physical or virtual, 
so vital to the nation that their incapacity or destruction would have 
a debilitating impact on national security, national economic security, 
national public health or safety, or any combination of those 
matters[Footnote 12]--to gather user requirements and develop business 
processes in order to integrate HSIN into the critical sectors' 
information-sharing environment. 

The Office of Operations Coordination and Planning (OPS) CIO is 
responsible for ensuring that HSIN supports the needs of the department 
and its partners. This includes managing HSIN operations and 
maintenance, making necessary enhancements to the current system, and 
developing and acquiring HSIN Next Gen. The OPS CIO reports directly to 
the OPS Director who in turn reports directly to the DHS Secretary and 
Deputy Secretary. 

Through fiscal year 2007, the department reports it has expended about 
$70 million on HSIN, and for fiscal year 2008, the department had 
budgeted about $21 million for operations, maintenance, and 
enhancement. 

Prior GAO Reviews Have Identified Opportunities for Improvement: 

In April 2007,[Footnote 13] we reported that when coordinating efforts 
between HSIN and other state and local information-sharing initiatives, 
DHS did not fully adhere to key practices aimed at enhancing 
information sharing, collaboration, and avoiding duplication. For 
example, in developing the system, the department did not work with two 
key state and local initiatives, which are major parts of the Regional 
Information Sharing System program, to fully develop joint strategies 
to meet mutual needs. 

In addition, it did not develop compatible policies, procedures, and 
other means to operate across organizational boundaries. DHS's limited 
use of these practices was attributable to a number of factors, 
including the department's expediting its schedule to deploy 
information-sharing capabilities after the events of September 11, 
2001, and in doing so not developing a comprehensive inventory of key 
state and local information-sharing initiatives. 

As a result, we found there was increased risk that, among other 
things, effective information sharing is not occurring. Additionally, 
the department risked duplication of state and local capabilities. We 
recommended, among other things, that DHS: 

* identify and develop a comprehensive inventory of state and local 
initiatives; 

* assess whether there are opportunities for HSIN to improve 
information sharing and avoid duplication of effort; and 

* where there are opportunities, implement effective coordination and 
collaboration practices. 

In response, DHS largely agreed with our recommendations and initiated 
actions to implement them. Examples include the following: 

* In October 2007 and in February 2008, the HSIN Advisory Council--a 
HSIN user group composed of representatives from state, tribal, and 
local governments and the private sector--met to discuss HSIN 
information-sharing activities and provided strategic-level 
recommendations to the OPS Director. 

* The HSIN Mission Coordinating Committee--a user group composed of 
representatives from DHS's components (e.g., the Office of 
Infrastructure Protection, the Coast Guard, and the Federal Emergency 
Management Agency)--has met five times over the past year to address 
their respective users' requirements for HSIN. 

In July 2007,[Footnote 14] we reported on challenges the department 
faced when using HSIN to share information with critical infrastructure 
sectors. Examples included: 

* DHS officials responsible for leading the national effort to reduce 
critical infrastructure risk stated that although they encouraged 
critical sector entities to use HSIN, the system did not provide the 
capabilities that were promised, including providing the level of 
security expected by certain sectors. 

* An internal DHS review of HSIN determined that the department had not 
clearly defined the purpose and scope of the system, and that the 
system had been developed without sufficient planning and project 
management. 

Results: Objective 1: 

HSIN Is Currently Operational but Further Improvements Have Been 
Halted: 

DHS Has Stopped Current HSIN System Improvements and Is in the Process 
of Acquiring a Replacement System: 

The department halted further HSIN improvements in September 2007 but 
it continues to operate and maintain the system while its replacement, 
HSIN Next Gen, is being planned and acquired. 

DHS decided to pursue a replacement system based on two reasons. First, 
the current system has security and information-sharing limitations 
that do not meet its users' needs and thus impede the department's 
ability to effectively perform its mission. Second, the new system is 
to be used as part of a departmentwide effort, referred to as the portal 
consolidation program, to consolidate multiple portals or Web-based 
systems and improve sensitive but unclassified information-sharing 
capabilities within the department. 

DHS has developed a HSIN Next Gen acquisition strategy and as part of 
the strategy, issued a May 2008 task order engaging a contractor to 
develop the system. DHS plans to have all users on the new system by 
September 2009. In the interim, DHS plans to continue to operate and 
maintain HSIN as the new system is acquired and deployed and users are 
transitioned to it. Once user transition is complete, the department 
intends to retire HSIN.

HSIN Improvements Halted Due to System Limitations: 

In September 2007, DHS executives, including the Undersecretary for 
Management, Chief Information Officer, Director of Operations 
Coordination and Planning, and key system user representatives (e.g., 
Office of Infrastructure Protection), met to discuss HSIN operations. 
Key representatives said HSIN was not meeting their needs due to system 
security and information-sharing limitations. 

System security limitations cited included the system's inability to 
support 

* role-based access controls, which limit system functions based on a 
user's designated role, and:  

* two-factor authentication, which is a way of verifying someone's 
identity by using two of the following: something the user knows 
(password), something the user has (badge), or something unique to the 
user (fingerprint). 

Information-sharing limitations included the system's inability to: 

* enable users to access HSIN and systems outside of DHS (such as the 
state and local law enforcement's Regional Information Sharing System) 
using single sign-on capability (i.e., requiring only one user name and 
password); 

* enable users to send alerts and notifications and receive alerts 
through e-mail or cell phones; 

* support online meetings and presentations; and: 

* upload new users into the system in bulk. 

HSIN Improvements Halted: 

According to user representatives, these limitations were hindering 
their ability to perform the mission of the department. For example, 
representatives from the Office of Infrastructure Protection (which is 
part of the National Protection and Programs Directorate) stated that 
without the security controls, private-sector officials from the 
critical infrastructure sectors were reluctant to share with DHS 
sensitive information about sector infrastructure that is essential to 
protecting the homeland, thus inhibiting the department's ability to 
adequately build trusted relationships with sector officials. In 
response, the Office of Infrastructure Protection initiated an effort 
to obtain requirements from HSIN critical infrastructure sectors users, 
augmenting the requirements the department had for the existing system. 

Consequently, the executives at the September 2007 meeting (referenced 
above) decided the best way to implement the missing security and 
information-sharing capabilities was via a new system, rather than by 
enhancing the existing system. According to these officials, they based 
their decision largely on the view that the existing system could not 
be enhanced to provide these capabilities in a cost-effective manner. 
These officials also decided at this time to halt any further HSIN 
enhancements until the new system (HSIN Next Gen) was implemented, at 
which point they planned to retire the current HSIN system. 

HSIN Next Gen's Goal Is to Also Eliminate Duplication: 

In addition, in October 2007 the Under Secretary for Management issued 
a memorandum detailing how HSIN Next Gen is to be used as an integral 
part of the department's portal consolidation program. According to the 
memorandum, the current DHS Web environment consists of more than 100 
Web-based systems, which are mostly duplicative in capabilities. HSIN 
Next Gen is part of a departmentwide program aimed at reducing the 
number of duplicative Web-based systems within DHS by consolidating the 
systems across the department that are used to share sensitive but 
unclassified information, and by replacing portal technologies that 
limit its information-sharing capabilities. 

In particular, according to the memorandum, HSIN Next Gen is to provide 
secure access to DHS information and services for all DHS user 
communities, including those in the law enforcement, intelligence, 
immigration, and emergency and disaster management communities.

Homeland Security Information Network Next Generation: 

As part of the system acquisition and implementation strategy, DHS 
plans to continue operating and maintaining HSIN until September 2009. 
The department estimates the cost to operate and maintain the current 
system through September 2009 will be $3.13 million. DHS reports it 
will have spent a total of $91 million on HSIN by the end of fiscal 
year 2008. 

In parallel, the department plans to begin developing and implementing 
HSIN Next Gen in four phases; the phases, along with a brief description 
of their functional purpose, are as follows. 

* Phase one, referred to as Spiral 1, is to establish an operational 
platform for the HSIN critical sector users' requirements. 

* The second phase, Initial Operational Capability, is to (1) deliver 
requirements currently supported by HSIN, as well as provide additional 
security controls and (2) begin migrating users of the current system 
to HSIN Next Gen. 

* Phase three, Maturing Operational Capability, is to migrate all 
remaining users of the current system to HSIN Next Gen. 

* The fourth phase, called the Final Operational Capability, is to 
provide for improved content management; better information discovery 
and delivery; and improved alert, notification, and public announcement 
functions. 

Each phase is intended to, among other things, address a functional 
portion of the requirements and provide for an increasing number of 
users to be transitioned to the system. In addition, DHS plans to draw 
upon the existing HSIN system and capabilities, rather than developing 
a complete infrastructure replacement. Specifically, where possible, it 
plans to re-use existing HSIN hardware and software. The department 
plans to use the contractor (discussed in detail below) to help them do 
this. However, it has yet to set a date for when this is to be 
completed. 

Further, in terms of users, during the first phase of implementation, 
the department plans to bring on board up to 20,000 critical sector 
users. In addition, over the second and third phases, DHS plans to 
transition over 26,000 users that currently use the existing HSIN 
system. 

In May 2008, the department issued a task order to a 
contractor[Footnote 15] to acquire, deploy, operate, and maintain the 
new system. The total estimated value of the base year of this 
arrangement is $19 million, and the total estimated value, if each of 
the four options is exercised, is $62 million. 

Each of the HSIN Next Gen phases, the timing of their implementation, 
the percentage of users to be transitioned, and the date the contractor 
was issued the task order are depicted in figure 1.

Figure 1: HSIN Next Generation Phases and Associated Milestones:  

This figure is a chart showing HSIN Next Generation phases and 
associated milestones. 

[See PDF for image] 

Source: GAO analysis of DHS data. 

[End of figure] 

Key dates are: 

* May 2008 - issued task order to contractor for HSIN Next Gen. 

* August 2008 - implement Spiral 1 with the goal of supporting up to 
20,000 critical sectors users. 

* May 2009 - complete Initial Operational Capability with 13,000 
current users scheduled to transition. 

* September 2009 - implement Maturing Operational Capability with the 
transition of the remaining 13,000 users. 

* November 2009 - complete Final Operational Capability by delivering 
new functionality to users. 

Results: Objective 2: 

Acquisition Management Controls Needed: 

DHS Has Yet to Implement the Management Controls Essential to 
Effectively Manage the HSIN Next Gen Acquisition: 

DHS is in the process of implementing key acquisition management 
controls, but it has yet to implement the full set of controls 
essential to managing HSIN Next Gen in a disciplined and rigorous 
manner. Specifically, it has not implemented key process controls in 
the areas of: 

* project and acquisition planning, 

* requirements development and management, and: 

* risk management. 

Until DHS has fully implemented these controls, it increases the risk 
of the project operating in an ad hoc and chaotic manner, potentially 
resulting in increased project costs, delayed schedules, and 
performance shortfalls. 

As we have previously reported,[Footnote 16] the success of critical 
projects such as HSIN depends on developing and implementing a full set 
of acquisition management controls to effectively manage the project. 
Leading organizations, such as the Software Engineering Institute and 
the Chief Information Officer's Council, and our research and 
experience at federal agencies have shown that such process controls 
are significant in successful system acquisition and development 
projects. In particular, the CMMI-ACQ[Footnote 17] has defined a suite 
of key acquisition process control areas that are necessary to manage 
system acquisitions in a rigorous and disciplined fashion. These 
process areas include: 

* project and acquisition planning, 

* requirements development and management, and: 

* risk management.

The following table provides a list of key processes within each 
process area. 

Table 1: Key Processes for Effectively Managing IT Projects: 

Process area: Project and acquisition planning; 
Key processes: * developing a program office; 
* obtaining appropriate staff, and ensuring that staff have the skills 
and knowledge needed to manage the project; 
* identifying staff roles and responsibilities; 
* identifying key deliverables and milestones for the project and 
acquisition. 

Process area: Requirements development and management; 
Key processes: * gathering user requirements; 
* analyzing and validating user requirements; 
* managing any changes to the requirements in collaboration with 
stakeholders. 

Process area: Risk management; 
Key processes: * identifying and analyzing risks; 
* assigning responsibilities for managing risks; 
* developing mitigation plans and completion milestones for identified 
risks. 

Source: GAO summary of leading practices, including practices 
identified by the Software Engineering Institute, the Chief Information 
Officer's Council, and the Office of Management and Budget. 

[End of table] 

DHS is currently implementing key acquisition controls for the HSIN 
Next Gen but it has yet to implement the full set of controls essential 
to effectively managing the project. 

Table 2 provides a summary of the status of the project relative to 
each of the key process areas. 

Table 2: Summary of the Status of HSIN Next Gen Acquisition Management 
Controls as of June 2008: 

Process area: Project and acquisition planning; 
Key processes: * Establish a program office; 
Status: Key process area implemented. 

Process area: Project and acquisition planning; 
Key processes: * Obtain appropriate staff; 
Status: Key process area not implemented. 

Process area: Project and acquisition planning; 
Key processes: * Identify staff roles and responsibilities; 
Status: Key process area not implemented. 

Process area: Project and acquisition planning; 
Key processes: * Identify key deliverables and milestones for project 
and acquisition; 
Status: Key process area implemented. 

Process area: Requirement development and management; 
Key processes: * Gather user information; 
Status: Key process area partially implemented. 

Process area: Requirement development and management; 
Key processes: * Analyze and validate user requirements; 
Status: Key process area partially implemented. 

Process area: Requirement development and management; 
Key processes: * Manage change to requirements; 
Status: Key process area not implemented. 

Process area: Risk management; 
Key processes: * Identify and analyze risks; 
Status: Key process area partially implemented. 

Process area: Risk management; 
Key processes: * Assign responsibilities for managing risks; 
Status: Key process area implemented. 

Process area: Risk management; 
Key processes: * Develop mitigation plans and completion milestones 
for identified risks; 
Status: Key process area not implemented. 

Source: GAO analysis of agency data. 

[End of table] 

With regard to project and acquisition planning, DHS has implemented 
two of the four key processes. Specifically, it has: 

* established a program office for HSIN Next Gen, including filling the 
position of the project manager, and developed an April 2008 mission 
needs statement for HSIN Next Gen; and: 

* developed a project schedule, identifying key deliverables and 
milestones, for the HSIN Next Gen project and acquisition. 

However, having already issued a task order to the contractor for HSIN 
Next Gen, the department has not filled two positions that it 
identified it needed to appropriately staff the program office. 
According to DHS officials, including the OPS CIO, they are in the 
process of hiring two full-time employees by the end of fiscal year 
2008. In addition, the department is in the process of identifying 
staff roles and responsibilities, but has yet to finalize the effort.

Until the program office is adequately staffed and roles and 
responsibilities have been defined, DHS will be challenged in its 
ability to manage the HSIN Next Gen acquisition and project, including 
overseeing the contractor tasked to develop the system. 

With regard to requirements development and management, DHS has 
partially implemented two of the three key processes, and has yet to 
implement the remaining process. Specifically, for Spiral 1, DHS has: 

* gathered user requirements from the critical infrastructure sector 
users, and: 

* analyzed these requirements through the OPS CIO, HSIN stakeholders, 
and the HSIN Mission Coordinating Committee. 

The department used these user requirements, the existing HSIN 
requirements, and pending change requests for the current system to 
create the Functional Requirements Document dated March 2008. This 
document defines and outlines the known user requirements for HSIN Next 
Gen. The Functional Requirements Document was included as part of the 
HSIN Next Gen solicitation documentation (i.e., request for proposals) 
used to award the contractor in May 2008. However, while DHS has 
gathered and analyzed user requirements from critical infrastructure 
sector users, it has not gathered requirements from all other HSIN 
users. Moreover, DHS has yet to validate the requirements.

In addition, DHS has not developed a change control process for 
managing change to requirements in collaboration with stakeholders, 
including developing criteria for evaluation and acceptance of 
requirements. 

DHS has efforts planned and underway to address these weaknesses. For 
example, the department is in the process of establishing an initiative 
(called the HSIN Mission Integration Effort) to improve its ability to 
gather user requirements by having a formal outreach process to 
communicate with HSIN users. According to the OPS CIO, this is part of 
the department's effort to improve its capability to gather 
requirements from HSIN users. In addition, DHS plans to validate 
requirements for each HSIN Next Gen phase before they are completed, 
which is to be by August 2008 for Spiral 1. Further, DHS plans to 
establish a change control board to manage HSIN Next Generation 
requirements by September 2008. 

While these are steps in the right direction, until they are completed 
and DHS has fully gathered, analyzed, and validated all user 
requirements and implemented effective change management, it faces the 
risk that HSIN Next Gen will not meet user and mission needs, which is 
a problem it faced with the existing HSIN and why it is currently 
working on a replacement system. 

With regard to risk management, DHS has implemented one of the key 
processes and part of another, and has yet to implement the remaining 
process. Specifically, DHS's HSIN Next Gen Acquisition Plan (dated 
February 2008): 

* assigns responsibility for managing the risks; and: 

* partially identifies a list of primary risks both internal and 
external to the department, such as: 

- insufficient funding to execute future development, 

- insufficient government staff to execute the project, and: 

- changes in HSIN user requirements that could negatively impact cost 
and schedule. 

In addition to these efforts, DHS has begun to develop a risk 
management plan that defines staff roles and responsibilities, 
including procedures for identifying and tracking risks and assessing 
the probability and impact of individual risks. 

However, the department has yet to develop risk mitigation plans and 
completion milestones, which includes recommended courses of action for 
each critical risk. The department intends to develop such plans, which 
are to provide risk mitigation strategies with alternatives and 
mitigation project plans, including activities, schedules, and resource 
requirements. However, the department has yet to establish a date for 
when this is to be completed. 

In addition, the list of primary risks prepared did not include all key 
risks. For example, HSIN Next Gen's schedule, which has been identified 
by the OPS CIO as being aggressive, has not been identified as a risk. 

Until DHS fully implements and institutionalizes risk management, there 
is increased probability that unanticipated risks may occur that could 
have a critical impact on HSIN Next Gen's cost, schedule, and 
performance. 

The OPS CIO stated that the reason for the partial implementation of 
these key processes is attributable in large part to an aggressive 
schedule for acquiring and deploying HSIN Next Gen. 

In our view, engaging a contractor and commencing work before 
implementing mature controls is not a recipe for success. Specifically, 
our research and experience at federal agencies have shown that the 
probability of success is low using this approach. A case in point is 
the existing HSIN system, which was acquired and deployed via an overly 
aggressive schedule, with the result being it did not meet all users' 
needs, necessitating in part the need for the HSIN Next Gen 
replacement. 

The OPS CIO stated the department plans to address these weaknesses by, 
for example, tasking its contractor to assist in the development and 
completion of the risk management process area. However, until the 
processes have been implemented and institutionalized, and the full set 
of acquisition management controls are implemented, the project will be 
at increased risk of operating in an ad hoc and chaotic manner, 
potentially resulting in increased project costs, delayed schedules, 
and performance shortfalls. 

Conclusions: 

DHS has been challenged in its ability to efficiently and effectively 
manage the department's existing primary information-sharing system. In 
particular, although DHS has invested upwards of $70 million on the 
system, it still does not fully meet user needs and as a result, has 
not been fully utilized. DHS intends to address this performance 
shortfall by, among other things, acquiring a replacement system. A key 
challenge for DHS in this effort will be ensuring it develops an 
information-sharing system that effectively addresses its users' needs 
and in the process, does not waste or unwisely invest critical 
department resources. 

To its credit, DHS has initiated some important steps in establishing 
sound and capable acquisition controls, but much remains to be 
accomplished before DHS management efforts can be considered effective 
and thereby minimize the risks associated with HSIN Next Gen delivering 
promised capabilities and benefits on time and within budget. 

Investing money given the current state of management controls puts the 
project at risk. Given what is at stake, it is extremely important that 
DHS direct its attention to these management issues, and mitigate the 
associated risks as soon as possible. 

Recommendations: 

To minimize risks to the HSIN Next Gen project, we are making 
recommendations to the Secretary of Homeland Security aimed at 
strengthening management of the project. We recommend that the 
Secretary direct the Director, Office of Operations Coordination and 
Planning to strengthen program management controls by: 

* staffing the program office appropriately; 

* identifying staff roles and responsibilities; 

* ensuring all requirements are gathered, analyzed, and validated; 

* developing and implementing a requirements change control process; 
and: 

* ensuring effective risk management by identifying all key risks 
surrounding the project and developing risk mitigation plans and 
completion milestones. 

We also recommend that these controls be implemented before the 
department starts to migrate users to HSIN Next Gen's Initial 
Operational Capability. 

Agency Comments and Our Evaluation: 

In oral comments on a draft of this briefing, DHS officials agreed with 
our findings and recommendations and described actions that they have 
underway to address our recommendations. In particular, the OPS CIO 
stated that they have engaged a contractor to help them organize the 
HSIN program office, which includes identifying staff roles and 
responsibilities. 

DHS officials also generally agreed with our conclusions. However, they 
took exception with the statement in our conclusions that investing 
money given the current state of management controls puts the project 
at risk. According to DHS officials, including the OPS CIO, they 
believe the risks to the project are mitigated by the IT experience of 
the HSIN staff, including the knowledge it has gained over the past 4 
years in operating, maintaining, and enhancing HSIN. While we agree 
that IT experience is important, our research and experience at federal 
agencies have shown that, in addition to people, key processes, such as 
rigorous and disciplined requirements and risk management, are 
essential to IT project success. 

DHS officials also provided technical comments, which we have 
incorporated into the briefing as appropriate. 

Attachment I: 

Scope and Methodology: 

To address our first objective, we: 

* assessed department efforts to stop HSIN system improvements by 
analyzing agency documentation and then discussing with agency 
officials via interviews. For example, we: 

- reviewed executive-level correspondence, memos, strategies, and 
related documentation describing the department's plans for the current 
system, including ceasing system improvements and the reasons for doing 
this; 

- reviewed cost estimates to determine the planned costs of the 
operations and maintenance, and discussed the costs of enhancing the 
current system with OPS officials; and: 

- interviewed OPS officials to clarify our understanding of the 
documentation and the department's rationale for choosing to develop 
the follow-on system. 

* analyzed DHS plans for the proposed follow-on system. Specifically, 
we:  

- evaluated the HSIN Next Gen acquisition plan, requirements document, 
request for proposals, and related documentation to determine what 
activities were planned and when they were to be accomplished; and: 

- reviewed independent cost estimates to determine the planned costs 
for the development, operations, and maintenance of the new system. 

To address our second objective, we assessed the extent to which the 
department was managing the acquisition of HSIN Next Gen based on the 
processes defined in the Software Engineering Institute's Capability 
Maturity Model® Integration for Acquisition (CMMI-ACQ).[Footnote 18] In 
particular, we analyzed the department's efforts in acquisition 
planning, requirements development and management, and risk management. 
In doing so, we: 

* assessed HSIN Next Gen acquisition and project planning documentation 
and interviewed OPS officials to obtain key milestones; 

* reviewed the HSIN Next Gen system requirements and interviewed 
officials from OPS and the Office of Infrastructure Protection, and 
representatives from HSIN governance bodies in order to understand how 
requirements were gathered and managed; and: 

* evaluated the HSIN Next Gen risks and risk management plan, and 
interviewed OPS officials to understand how risks were identified and 
are to be managed. 

In making these judgments, we used the following criteria: processes 
were: 

* fully implemented if all of the related guidance was addressed; 

* partially implemented if some, but not all, of the related guidance 
was addressed; and: 

* not implemented if none of the related guidance was addressed. 

We conducted our work at DHS headquarters offices in Washington, D.C., 
and the Office of Infrastructure Protection in Arlington, Virginia. We 
conducted this performance audit from January 2008 to June 2008, in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives.

[End of section] 

Appendix II: Comments from the Department of Homeland Security: 

Operations Coordination and Planning: 
U.S. Department of Homeland Security: 

Washington, DC 20528: 

Homeland Security: 

September 19, 2008: 

David A. Powner: 
Director, Information Technology Management Issues: 
U.S. Government Accountability Office: 

Dear Mr. Powner: 

The Office of Operations Coordination and Planning (OPS) appreciates 
the opportunity to comment on the Government Accountability Office 
(GAO) report, "Information Technology: Management Improvements Needed 
on the Department of Homeland Security's Next Generation Information 
Sharing System." OPS in coordination with the DHS Office of the Chief 
Information Officer (OCIO) are working to establish a secure and 
trusted information sharing and collaboration environment for Sensitive 
but Unclassified (SBU) information for use by DHS and non-DHS partners 
engaged in preventing, protecting from, responding to, and recovering 
from all threats, hazards, and incidents within the authority of DHS. 

The decision to upgrade the Homeland Security Information Network 
(HSIN) technology platform meets the growing needs of HSIN users. The 
current technology platform does not provide the necessary capabilities 
required to provide the necessary trust and interoperability. Upgrading 
HSIN technology addresses current user needs and provides a robust and 
trusted foundation adjustable over time to meet arising end user 
information sharing requirements. The project to upgrade the HSIN 
technology platform is called HSIN NextGen. It is important to 
understand that HSIN Next Generation (NextGen) is primarily a software 
upgrade to the current HSIN technology platform rather than an 
acquisition of a replacement system. The HSIN NextGen project, along 
with operations and maintenance of the current HSIN platform, is being 
done within the existing HSIN investment profile and does not require 
additional money. 

The HSIN NextGen project will follow a phased implementation approach 
based on industry best practices. This approach allows the Department 
to effectively and efficiently move all current HSIN users onto an 
enhanced platform, constituting initial operating capability (IOC), by 
October, 2009. The current HSIN technology platform will remain 
operational throughout the phased implementation to ensure continued 
service for all users. Phase 1 of the HSIN NextGen project, driven by 
the HSIN Critical Sectors (HSIN-CS) priority requirements, was achieved 
on August 25, 2008.

The following responses address the recommendations within the report: 

Recommendation: Staffing the program office appropriately:  

OPS has advertised for a HSIN Program Requirements Manager and is 
working with the DHS Office of the Chief Human Capital Officer to fill 
this position within 60 days. Two GS-15 leadership and technical 
positions have been advertised and we anticipate having personnel 
onboard within 60 to 90 days. The HSIN Program Manager is assisted by 
an experienced team of professional contracting firms. The roles filled 
by the contractors include cost, earned value management, schedule, 
performance, architecture, change process, and other support functions 
that are typical of a program management office. 

The OPS CIO plans to fill ten additional billets beginning in Fiscal 
Year 2009 (FY09), pending Departmental approval. These billets will 
support architecture, security, privacy, and other functions. These 
specialists will ensure HSIN addresses statutory and interoperability 
requirements with partner tools. These resources will provide more 
robust requirements management and process control. 

The HSIN program is not currently staffed to support simultaneous, 
significant outreach initiatives to our partners. To meet this demand, 
DHS plans to increase overall OPS CIO Division staffing in FY09 and 
FY10, subject to Congressional approval of existing budget requests. 
The augmented HSIN Outreach Team will build on our diverse partner 
community relationships to facilitate integrating HSIN into the partner 
communities' day-to-day operations that map to the DHS mission 
(Awareness, Prevent, Protect, Respond, and Recover). These new funds 
will be dedicated entirely to mission integration and focused on our 
Federal, State, local, and private sector partners. 

Recommendation: Identifying staff roles and responsibilities:  

In April 2008, the OPS CIO initiated an effort by an outside team to 
analyze the current OPS CIO Division, which includes HSIN Program 
Management. This effort provided recommendations for transforming the 
OPS CIO Division and enabling DHS to more effectively meet its complex, 
integrated mission requirements, both within DHS and across the larger 
homeland security community. The team conducted extensive research and 
performed over thirty-five interviews with OPS CIO staff, OPS 
stakeholders, and DHS-wide leaders. Then, the team applied proven 
analytical methods to form strategic and tactical views of 
organization, examining the CIO functions and capabilities it requires 
for the future. In addition, the team conducted a detailed, bottom-up 
assessment of existing capabilities and supporting activities. Four key 
areas were analyzed: 

* Process: Develop an understanding of the existing and future 
processes including functions, tasks and activities needed to perform 
the mission of the OPS CIO Division; 

* People: Develop an understanding of the existing and future staff and 
expertise needed to support the mission and processes of the OPS CIO 
Division; 

* Technology: Develop an understanding of the existing and future 
technologies including applications, data and technology standards 
needed to perform the mission of the OPS CIO Division; 

* Physical Infrastructure: Develop an understanding of the existing, 
future facilities and working environment needed to perform the mission 
of the OPS CIO Division; 

The recommendation for the future state of the OPS CIO Division 
includes a detailed description of the organization model, including 
the processes, people, technology and infrastructure required, to 
implement the recommended organization. 

Recommendation: Ensuring all requirements are gathered, analyzed, and 
validated: 

User requirements were the primary driver of the decision to upgrade 
the HSIN environment. These are not the only driver of the process. 
Initial phases will not meet every user requirement. The prioritization 
of certain user requirements is necessary. The Department must set 
timeline milestones in addition to identifying user requirements. This 
ensures that the awarded task order is completed in a timely manner, 
while initially ensuring that the Department meets the most urgent 
system requirements. Phases 1 through 3 of the HSIN NextGen project 
address the user needs to provide a secure and trusted information 
sharing and collaboration platform. 

The Department determined that the HSIN NextGen project must first 
address the security and trust requirements identified through HSIN 
Community of Interest (COI) owners' input. Based upon input from many 
of the HSIN Community of Interest (COI) owners, the Department 
determined that the HSIN NextGen project must first address the 
security and trust requirements identified by all COIs. State, local 
and tribal first responders have reached out to the Department by 
requesting changes and sending requirements through the HSIN Helpdesk 
and/or through the HSIN Mission Advocates. These change requests and 
requirements were recorded in the HSIN Change Request Tracking System 
(CHARTS). Many change requests were made by HSIN-CS and State, local, 
or tribal users. All change requests and requirements were examined and 
where possible incorporated into the HSIN NextGen Functional 
Requirements Document (FRD). The operational user requirements, which 
include policy, business process, and governance, will be gathered 
through identified DHS business leads and the HSIN Outreach Team. 

Using a best practices approach, the HSIN Mission Integration Effort 
will gather user requirements and establish on-the-ground relationships 
through HSIN representatives (Mission Advocates). The HSIN Outreach 
Team is in the initial phase of an important engagement with the 
Commonwealth of Virginia, among others. Working closely with 
operational personnel in Virginia, the Department will further the 
understanding of the Commonwealth's information sharing needs and aid 
to support the Department partners' homeland security mission. In the 
future, the Department will engage with more partners to further 
examine the needs of our State, local, tribal and Federal partners. 

The Department further determined that the most time sensitive and 
pressing needs of the existing HSIN COIs were those of the HSIN 
Critical Sectors (HSIN-CS). HSIN-CS provides a common environment for 
the critical infrastructure/key resource (CI/KR) stakeholder partners. 
NPPD has gathered and validated necessary user requirements for this 
phase from their stakeholders over a two year period. The critical 
infrastructure/key resource community is a well governed and defined 
community. The National Protection and Programs Directorate, Office of 
Infrastructure Protection (NPPD/IP), has determined that implementing 
the HSIN-CS priority requirements at the earliest moment was an 
absolute necessity to avoid mission degradation and loss of the 
voluntary participation of the 18 infrastructure sectors. 

Recommendation: Developing and implementing a requirements change 
control process:  

There must be one overarching requirements process that brings 
business, functional and technical architecture products into 
alignment. This is a complex undertaking, given the necessity for 
interoperability, as well as the depth, breadth, and volunteer nature 
of potential HSIN user groups. The phased approach to migrating 
communities onto the upgraded HSIN environment mitigates many risks. 

The HSIN NextGen project will make the HSIN environment responsive and 
flexible to user requirements through a single, well-designed 
requirements process. The diversity of customer requirements and the 
need for a more standards-based platform, responsive to changing user 
requirements, is a driver for the HSIN NextGen project. The use of the 
maturing governance structure will ensure customer needs are met. The 
Information Sharing Governance Board (ISGB), along with the Information 
Sharing Coordinating Council (ISCC) and other mission coordination 
bodies, will work with the HSIN Program Manager to make certain that 
the requirements are captured, reviewed, and, if appropriate, 
implemented into the HSIN program change management process. DHS will 
adapt its tactics and timeline as needed using the phased deployment 
strategy and a segment architecture approach. 

Future phases of HSIN NextGen will create improved versions based upon 
continued input from HSIN users. Currently, and moving forward in 
future phases, improvements to HSIN have been and will continue to be 
driven by the input of Federal, State, local, private sector, and 
tribal users with each phase improving upon the last. We anticipate 
that once HSIN users have a chance to understand and use the upgraded 
HSIN capabilities, they will suggest additional improvements or 
enhancements. These requests will translate into requirements to be 
submitted into the HSIN change management process and then incorporated 
into subsequent phases of the HSIN NextGen project. 

To ensure success, a governance structure was initiated that integrated 
a larger segment architecture framework and the phased implementation 
approach. This structure continues to evolve to ensure that all 
stakeholders are involved and end user requirements are accurately 
captured, vetted, managed, and implemented. Key program activities and 
decisions are guided by DHS policies, processes, and procedures for 
consistency, repeatability, and compliance. The HSIN governance 
structure allows HSIN program resources to engage with mission leaders 
from all segments to determine whether HSIN is an appropriate solution 
for that target segment. If so, the governance structure allows us to 
identify mission requirements of that segment community and determine 
whether HSIN can meet those requirements in a timely, cost effective 
manner. The Department will move forward with the implementation of 
additional capabilities for new or existing mission areas based on 
whether HSIN can meet those requirements in a timely, cost effective 
manner. Once that determination is made, additional capabilities will 
be designed, developed, and validated with participation from 
stakeholders. 

Recommendation: Ensuring effective risk management by identifying all 
key risks surrounding the project and developing risk mitigation plans 
and completion milestones: 

The HSIN Program Team exercises a proactive approach to risk. OPS 
identifies and mitigates risks before they manifest as schedule 
slippage, cost overruns, and unsatisfied requirements. Our risk 
management approach incorporates a continuing, closed-loop review and 
analysis of technical, programmatic, cost, and schedule risks 
throughout the entire program lifecycle. OPS uses proven management 
toolsets for detailed documentation and tracking of all identified 
risks/problems from point of discovery through risk resolution (e.g. 
web portals to facilitate user entry, tracking, reporting and 
maintenance of a centralized repository for all deliverables and 
product information). Our risk management approach monitors overall 
program health to ensure goals are being met. The Risk Management Plan 
consists of the following key areas: 

* Risk Identification: Project managers are responsible for proactively 
identifying and documenting potential problems, issues, risks and 
dependencies at every program level; 

* Risk Reporting: Project managers conduct regular issue/risk review 
meetings to ensure risks are reported appropriately and in a timely 
manner. Prior to the internal program review (IPR), probability-of-
occurrence and consequence-of-failure analyses are conducted to 
quantify and rank all identified risks; 

* Risk Mitigation Strategy: In addition to routine risk reporting, 
project managers are responsible for mitigation strategies for every 
risk that is identified. Impacted areas and/or systems, resources and 
skills required, as well as potential level of effort to provide 
resolution, are captured in the strategy; 

* Risk Escalation: Risks ranked high and medium may require special 
attention and/or action plans for mitigation, thus the overall Risk 
Management plans include an escalation path based on risk category and 
impacted area; 

I look forward to working with you to ensure that user communities that 
depend upon HSIN are able to accomplish their missions. If I may be of 
further assistance, please contact my office. 

Sincerely,

Signed by: 

Roger T. Rufe, Jr.: 

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

David A. Powner, (202) 512-9286 or pownerd@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, the following staff also made 
key contributions to this report: Gary Mountjoy, Assistant Director; 
Barbara Collier; Kaelin Kuhn; Rebecca LaPaze; and Lori Martinez. 

[End of section] 

Footnotes: 

[1] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: 
January 2005). 

[2] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: 
January 2007). 

[3] Role-based access controls limit system functions based on a user's 
designated role. 

[4] Two-factor authentication is a way of verifying someone's identity 
by using two of the following: something the user knows (password), 
something the user has (badge), or something unique to the user 
(fingerprint). 

[5] For example, GAO, Information Technology: Management Improvements 
Needed on Immigration and Customs Enforcement's Infrastructure 
Modernization Program, GAO-05-805 (Washington, D.C.: Sept. 7, 2005) and 
Census Bureau: Important Activities for Improving Management of Key 
2010 Decennial Acquisitions Remain to be Done, GAO-06-444T (Washington, 
D.C.: Mar. 1, 2006). 

[6] The Homeland Security Act of 2002 directed DHS to establish 
communications to share homeland security information with federal 
agencies, state and local governments, and other specified groups. 

[7] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: 
January 2005). 

[8] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.: 
January 2007). 

[9] Carnegie Mellon Software Engineering Institute, Capability Maturity 
Model® Integration for Acquisition (CMMI-ACQ), Version 1.2 (November 
2007). 

[10] For example, GAO, Information Technology: Management Improvements 
Needed on Immigration and Customs Enforcement's Infrastructure 
Modernization Program, GAO-05-805 (Washington, D.C.: Sept. 7, 2005) and 
Census Bureau: Important Activities for Improving Management of Key 
2010 Decennial Acquisitions Remain to be Done, GAO-06-444T (Washington, 
D.C.: Mar. 1, 2006). 

[11] Homeland Security Act of 2002, Pub. L. No. 107-296 (Nov. 25, 
2002). 

[12] The critical infrastructure sectors include agriculture and food; 
banking and finance; chemical; commercial facilities; commercial 
nuclear reactors, materials, and waste; communications; critical 
manufacturing; dams; defense industrial base; drinking water and water 
treatment systems; emergency services; energy; government facilities; 
information technology; national monuments and icons; postal and 
shipping; public health and health care; and transportation systems. 

[13] GAO, Information Technology: Numerous Federal Networks Used to 
Support Homeland Security Need to Be Better Coordinated with Key State 
and Local Information-Sharing Initiatives, GAO-07-455 (Washington, 
D.C.: April 16, 2007). 

[14] GAO, Critical Infrastructure Protection: Sector Plans and Sector 
Councils Continue to Evolve, GAO-07-706R (Washington, D.C.: July 10, 
2007). 

[15] The department issued a cost-plus-fixed-fee task order under the 
Enterprise Acquisition Gateway for Leading Edge Solutions (EAGLE). 
EAGLE is a DHS multiple award indefinite-delivery/indefinite-quantity 
contract, under which DHS conducted a competition for the HSIN Next Gen 
task order. 

[16] For example, GAO-05-805 and GAO-06-444T. 

[17] Carnegie Mellon Software Engineering Institute, Capability 
Maturity Model Integration for Acquisition (CMMI-ACQ), Version 1.2 
(November 2007). 

[18] Carnegie Mellon Software Engineering Institute, Capability 
Maturity Model® Integration for Acquisition (CMMI-ACQ), Version 1.2 
(November 2007).