This is the accessible text file for GAO report number GAO-10-340 
entitled 'Secure Border Initiative: DHS Needs to Reconsider Its 
Proposed Investment in Key Technology Program' which was released 
on June 17, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 
GAO: 

May 2010: 

Secure Border Initiative: 

DHS Needs to Reconsider Its Proposed Investment in Key Technology 
Program: 

GAO-10-340: 

GAO Highlights: 

Highlights of GAO-10-340, a report to congressional requesters. 

Why GAO Did This Study: 

The technology component of the Department of Homeland Security’s 
(DHS) Secure Border Initiative (SBI), referred to as SBInet, is to put 
observing systems along our nation’s borders and provide Border Patrol 
command centers with the imagery and related tools and information 
needed in deciding whether to deploy agents. SBInet is being acquired 
and deployed in incremental blocks of capability, with the first block 
to cost about $1.3 billion. Because of the program’s importance, size, 
and challenges, GAO was asked to, among other things, determine the 
extent to which DHS has (1) defined the scope of its proposed SBInet 
solution, (2) developed a reliable schedule for this solution, (3) 
demonstrated the cost-effectiveness of this solution, and (4) acquired 
the solution using key management processes. To do this, GAO compared 
key program documentation to relevant guidance and industry practices. 

What GAO Found: 

DHS has defined the scope of the first incremental block of SBInet 
capabilities; however, these capabilities have continued to shrink 
from what the department previously committed to deliver. For example, 
the geographical “footprint” of the initially deployed capability has 
been reduced from three border sectors spanning about 655 miles to two 
sectors spanning about 387 miles. Further, the stringency of the 
performance capabilities has been relaxed, to the point that, for 
example, system performance will be deemed acceptable if it identifies 
less than 50 percent of items of interest that cross the border. The 
result is a system that is unlikely to live up to expectations. 

DHS has not developed a reliable integrated master schedule for 
delivering the first block of SBInet. Specifically, the schedule does 
not sufficiently comply with seven of nine key practices that relevant 
guidance states are important to having a reliable schedule. For 
example, the schedule does not adequately capture all necessary 
activities, assign resources to them, and reflect schedule risks. As a 
result, it is unclear when the first block will be completed, and 
continued delays are likely. 

DHS has also not demonstrated the cost-effectiveness of this first 
system block. In particular, it has not reliably estimated the costs 
of this block over its entire life cycle. To do so requires DHS to 
ensure that the estimate meets key practices that relevant guidance 
states are important to having an estimate that is comprehensive, well-
documented, accurate, and credible. However, DHS’s cost estimate for 
the initial block does not sufficiently possess any of these 
characteristics. Further, DHS has yet to identify expected benefits 
from the initial block, whether quantitative or qualitative, and 
analyze them relative to costs. As a result, it does not know whether 
its planned investment will produce mission value commensurate with 
costs. 

DHS has also not acquired the initial SBInet block in accordance with 
key life cycle management processes. While processes associated with, 
among other things, requirements development and management and risk 
management, have been adequately defined, they have not been 
adequately implemented. For example, key risks have not been captured 
in the risk management repository and thus have not been proactively 
mitigated. As a result, DHS is at increased risk of delivering a 
system that does not perform as intended. 

SBInet’s decreasing scope, uncertain timing, unclear value 
proposition, and limited life cycle management discipline and rigor 
are due to a range of factors, including limitations in both defined 
requirements and the capabilities of commercially available system 
components, as well as the need to address competing program 
priorities, such as meeting aggressive system deployment milestones. 
As a result, it remains unclear whether the department’s pursuit of 
SBInet is a cost effective course of action, and if it is, that it 
will produce expected results on time and within budget. 

What GAO Recommends: 

GAO is making recommendations to DHS aimed at (1) limiting near-term 
investment in the first incremental block of SBInet, (2) economically 
justifying any longer-term investment in SBInet, and (3) improving key 
program management disciplines. DHS agreed with 10 of GAO’s 12 
recommendations, and partially agreed with the other 2. For all of the 
recommendations, DHS also described planned and ongoing actions to 
address them. 

View [hyperlink, http://www.gao.gov/products/GAO-10-340] or key 
components. For more information, contact Randolph C. Hite at (202) 
512-3439 or hiter@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Block 1 Capabilities, Geographic Coverage, and Performance Standards 
Continue to Decrease: 

A Reliable Schedule for Completing Block 1 Has Not Been Developed: 

Cost-Effectiveness of Block 1 Has Not Been Demonstrated: 

Block 1 Has Not Been Managed in Accordance with Key Life Cycle 
Management Processes: 

DHS Has Yet to Implement GAO's Recent SBInet Recommendations: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Comments from the Department of Homeland Security: 

Appendix III: Status of Key GAO Recommendations: 

Appendix IV: Detailed Results of GAO Assessment of SBInet Program 
Schedule: 

Appendix V: Detailed Results of GAO Assessment of SBInet Cost Estimate: 

Appendix VI: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Summary of SBInet Task Orders as of December 2009: 

Table 2: SBInet Requirements Types: 

Table 3: Overview of Formal Test Events: 

Table 4: Summary of SBInet Integrated Master Schedule Satisfaction of 
Schedule Estimating Practices: 

Table 5: SBInet Requirements Traceability Results: 

Table 6: Summary of DHS Implementation of GAO's Recent SBInet 
Recommendations: 

Table 7: Status of DHS Implementation of Key GAO Recommendations: 

Table 8: Detailed Results of SBInet Satisfaction of Scheduling Best 
Practices: 

Table 9: Summary of SBInet Satisfaction of Cost Estimating 
Characteristics and Related Practices/Steps: 

Table 10: Detailed Results of SBInet Satisfaction of 12 Cost 
Estimating Practices/Steps: 

Figures: 

Figure 1: Potential Long-Term SBInet Concept of Operations: 

Figure 2: Map of Block 1 Deployments: 

Figure 3: Illustration of Reduction in Block 1 Requirements: 

Figure 4: Projected TUS-1 and AJO-1 Acceptance Dates Presented at 
Monthly Program Review Meetings: 

Abbreviations: 

AJO-1: Ajo Border Patrol Station: 

CBP: Customs and Border Protection: 

CDR: Critical Design Review: 

CMMI: Capability Maturity Model Integration: 

COP: common operating picture: 

COTS: commercial off-the-shelf: 

C3I: command, control, communications, and intelligence: 

DHS: Department of Homeland Security: 

DOORS: Dynamic Object-Oriented Requirements System: 

DT&E: developmental test and evaluation: 

EVM: earned value management: 

IMP: integrated master plan: 

IT: information technology: 

NOC/SOC: Network Operations Center/Security Operations Center: 

OMB: Office of Management and Budget: 

OT&E: operational test and evaluation: 

SEP: Systems Engineering Plan: 

SBI: Secure Border Initiative: 

SBInet: Secure Border Initiative Network: 

SEI: Software Engineering Institute: 

SPO: SBInet System Program Office: 

TEMP: Test and Evaluation Master Plan: 

TUS-1: Tucson Border Patrol Station: 

WBS: work breakdown structure: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

May 5, 2010: 

The Honorable Bennie G. Thompson: 
Chairman: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable Christopher P. Carney: 
Chairman: 
The Honorable Gus M. Bilirakis: 
Ranking Member: 
Subcommittee on Management, Investigations, and Oversight: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable Mike Rogers: 
Ranking Member: 
Subcommittee on Emergency Communications, Preparedness, and Response: 
Committee on Homeland Security: 
House of Representatives: 

Securing the 6,000 miles of international borders that the contiguous 
United States shares with Canada and Mexico is a challenge and a 
mission imperative to the Department of Homeland Security (DHS). 
Although hundreds of thousands of illegal aliens are prevented from 
entering the country each year, many more are not detected. To enhance 
border security and reduce illegal immigration, DHS launched its 
multiyear, multibillion dollar Secure Border Initiative (SBI) program 
in November 2005. Through SBI, DHS intends to enhance surveillance 
technologies, raise staffing levels, increase domestic enforcement of 
immigration laws, and improve the physical infrastructure along the 
nation's borders. 

Within SBI, Secure Border Initiative Network (SBInet) is a 
multibillion dollar program that includes the acquisition, 
development, integration, deployment, and operation and maintenance of 
surveillance technologies to create a "virtual fence" along the 
border, as well as command, control, communications, and intelligence 
(C3I) technologies to create a picture of the border in command 
centers and vehicles. Managed by DHS's Customs and Border Protection 
(CBP), SBInet is intended to strengthen the ability of CBP to detect, 
identify, classify, track, and respond to illegal breaches at and 
between land ports of entry.[Footnote 1] 

In September 2008, we reported that SBInet was at risk because of a 
number of acquisition management weaknesses, and we made 
recommendations to address them that DHS largely agreed with and 
committed to addressing.[Footnote 2] Because of the importance, high 
cost, and challenges facing SBInet, you subsequently asked us to 
continue to review DHS's management of SBInet. As agreed, our 
objectives were to determine the extent to which DHS has (1) defined 
the scope of its proposed system solution, (2) developed a reliable 
schedule for delivering this solution, (3) demonstrated the cost- 
effectiveness of this solution, (4) acquired this solution in 
accordance with key life cycle management processes, and (5) addressed 
our recent recommendations. 

To accomplish our objectives, we largely focused on the first 
increment of SBInet known as Block 1. In doing so, we reviewed key 
program documentation, including guidance, plans, schedules, cost 
estimates, and artifacts related to system life cycle events, 
requirements, risks, and testing. We also analyzed a random 
probability sample of requirements and their related verification 
methods. In addition, we interviewed program officials about SBInet 
cost and schedule estimates, program commitments, the development and 
implementation of the SBInet system life cycle approach, requirements 
development and management, test management, and risk management. We 
then compared this information to relevant federal guidance, leading 
industry practices, and the recommendations in our September 2008 
report on SBInet to identify any deviations and interviewed program 
officials as to the reasons for any deviations. To assess the 
reliability of the data that we relied on to support the findings in 
the report, we reviewed relevant program documentation to substantiate 
evidence obtained through interviews with knowledgeable agency 
officials, where available. We determined that the data used in this 
report are sufficiently reliable. We have also made appropriate 
attribution indicating the sources of the data used. 

We conducted this performance audit from December 2008 to May 2010 in 
accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe 
that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objectives. Further 
details of our objectives, scope, and methodology are in appendix I. 

Background: 

SBInet includes the acquisition, development, integration, deployment, 
and operations and maintenance of a mix of surveillance technologies, 
such as cameras, radars, sensors, and C3I technologies. The initial 
focus of SBInet has been on addressing the requirements of CBP's 
Office of Border Patrol, which is responsible for securing the borders 
between the land ports of entry. Longer term, SBInet is to address 
requirements of CBP's Office of Field Operations, which controls 
vehicle and pedestrian traffic at the ports of entry, and its Office 
of Air and Marine Operations, which operates helicopters, fixed-wing 
aircraft, and marine vessels used in securing the borders. (See figure 
1 for the potential long-term SBInet concept of operations.) 

Figure 1: Potential Long-Term SBInet Concept of Operations: 

[Refer to PDF for image: illustration] 

The following are depicted on the illustration: 

* U.S. border; 
* Unattended ground sensors; 
* Radar/camera tower; 
* Port of entry; 
* Mobile surveillance system; 
* Agent vehicles (Mobile data terminal); 
* Command center: 
- Border patrol station; 
- Border patrol sector headquarters; 
* Air and marine station; 
* Air support; 
* Marine support; 
* Unmanned aerial surveillance. 

Source: GAO analysis of DHS data, Art Explosion (clip art). 

[End of figure] 

Surveillance technologies are to include a variety of sensor systems. 
Specifically, unattended ground sensors are to be used to detect heat 
and vibrations associated with foot traffic and metal associated with 
vehicles. Radar mounted on fixed and mobile towers is to detect 
movement, and cameras on fixed and mobile towers are to be used by 
operators to identify and classify items of interest detected and 
tracked by ground sensors and radar. Aerial assets are also to be used 
to provide video and infrared imaging to enhance tracking targets. 
These technologies are generally to be acquired through the purchase 
of commercial off-the-shelf (COTS) products. 

C3I technologies (software and hardware) are to produce a common 
operating picture (COP)--a uniform presentation of activities within 
specific areas along the border. Together, the sensors, radar, and 
cameras are to gather information along the border and transmit this 
information to COP terminals located in command centers and agents' 
vehicles, which in turn are to assemble it to provide CBP agents with 
border situational awareness. Among other things, COP hardware and 
software are to allow agents to (1) view data from radar and sensors 
that detect and track movement in the border areas, (2) control 
cameras to help identify and classify illegal entries, (3) correlate 
entries with the positions of nearby agents, and (4) enhance tactical 
decision making regarding the appropriate response to apprehend an 
entry, if necessary. 

Overview of SBInet Management Structure, Acquisition Approach, and 
Status: 

To increase border security and decrease illegal immigration, DHS 
launched SBI more than 4 years ago after canceling its America's 
Shield Initiative program.[Footnote 3] Since fiscal year 2006, DHS has 
received about $4.4 billion in appropriations for SBI, including about 
$2.5 billion for physical fencing and related infrastructure, about 
$1.5 billion for virtual fencing (surveillance systems) and related 
technical infrastructure (towers), and about $300 million for program 
management.[Footnote 4] The SBI Program Executive Office, which is 
organizationally within CBP, is responsible for managing key 
acquisition functions associated with SBInet, including prime 
contractor tracking and oversight.[Footnote 5] It is organized into 
four components: SBInet System Program Office (referred to as the SPO 
in this report), Systems Engineering, Business Management, and 
Operational Integration.[Footnote 6] As of December 31, 2009, the SBI 
Program Executive Office was staffed with 188 people--87 government 
employees, 78 contractor staff, and 13 detailees. 

In September 2006, CBP awarded a 3-year prime contract to the Boeing 
Company, with three additional 1-year options for designing, 
producing, testing, deploying, and sustaining SBI. In 2009, CBP 
exercised the first option year. Under this contract, CBP has issued 
10 task orders that relate to SBInet, covering for example, COP design 
and development, system deployment, and system maintenance and 
logistics support. As of December 2009, 4 of the 10 task orders had 
been completed and 6 were ongoing. (See table 1 for a summary of the 
SBInet task orders.) 

Table 1: Summary of SBInet Task Orders as of December 2009 (Dollars in 
millions): 

Task order: Program Management; 
Description: Mission engineering, facilities and infrastructure, 
systems engineering, test and evaluation, and program management 
services; 
Period of performance: Sep. 2006-Apr. 2008 (completed); 
Approximate contract value: $146.9; 
Approximate contract obligation: $146.9; 
Contract type: Cost-plus-fixed-fee[A]. 

Task order: Project 28; 
Description: Prototype along 28 miles of the border in the Tucson 
Sector; 
Period of performance: Oct. 2006-Feb. 2008 (completed); 
Approximate contract value: $20.7; 
Approximate contract obligation: $20.7; 
Contract type: Firm-fixed-price. 

Task order: Project 28 Contractor Maintenance Logistics and Support; 
Description: Project 28 operational maintenance and logistics support; 
Period of performance: Dec. 2007-Dec. 2009 (completed); 
Approximate contract value: $10.6; 
Approximate contract obligation: $10.6; 
Contract type: Cost-plus-fixed-fee. 

Task order: Design for Buffalo Sector; 
Description: SBInet design of remote video surveillance system 
capability for the Buffalo Sector; 
Period of performance: Feb. 2009- July 2009 (completed); 
Approximate contract value: $0.6; 
Approximate contract obligation: $0.6; 
Contract type: Firm-fixed- price[B]. 

Task order: Design; 
Description: Design of deployment solution, environmental clearance 
support, and other location-related work for the Tucson Sector; 
Period of performance: Aug. 2007-July 2010 (ongoing); 
Approximate contract value: $115.0; 
Approximate contract obligation: $115.0; 
Contract type: Cost- plus-fixed-fee. 

Task order: Command, Control, Communications, and Intelligence (C3I) 
Common Operating Picture (COP); 
Description: Design, development, demonstration, and operations and 
maintenance of a functional C3I/COP system; 
Period of performance: Dec. 2007-Feb. 2010 (ongoing); 
Approximate contract value: $73.0; 
Approximate contract obligation: $71.0; 
Contract type: Cost-plus-award-fee/cost-plus-fixed-fee/firm-fixed-
price[C]. 

Task order: System; 
Description: Program management and system engineering activities 
required to integrate all task orders; 
Period of performance: Apr. 2008-Mar. 2010 (ongoing); 
Approximate contract value: $205.8; 
Approximate contract obligation: $200.8; 
Contract type: Cost-plus-award-fee. 

Task order: Arizona Deployment; 
Description: Deployment to two sites covering approximately 53 miles 
of the southwest border in the Tucson Sector; 
Period of performance: June 2008-May 2010 (ongoing); 
Approximate contract value: $115.0; 
Approximate contract obligation: $90.5; 
Contract type: Cost-plus-incentive-fee/cost-plus-award-fee[D]. 

Task order: Integrated Logistics Support; 
Description: Maintenance logistics and operational support; 
Period of performance: Aug. 2008-Sep. 2010 (ongoing); 
Approximate contract value: $61.6; 
Approximate contract obligation: $61.6; 
Contract type: Cost-plus-fixed-fee[E]. 

Task order: Northern Border Project; 
Description: Design, installation, and deployment of surveillance 
capabilities in the Detroit and Buffalo Sectors; 
Period of performance: Mar. 2009-Mar. 2010 (ongoing); 
Approximate contract value: $22.4; 
Approximate contract obligation: $20.9; 
Contract type: Fixed-price[F]. 

Source: GAO analysis of DHS data. 

Note: Fixed-price types of contracts provide for a firm price or, in 
appropriate cases, an adjustable price; firm-fixed-price contracts 
provide for a price not subject to adjustment on the basis of the 
contractor's experience in performing the contract; cost-plus- 
incentive-fee contracts provide for the reimbursement of allowable 
costs plus an initially negotiated fee, to be adjusted later based on 
the relationship of total allowable costs to total target costs; cost- 
plus-award-fee contracts provide for the reimbursement of allowable 
costs plus a base fee fixed at the contract's inception (which may be 
zero) and an award amount that the government determines to be 
sufficient to motivate excellence in performance; cost-plus-fixed-fee 
contracts provide for the reimbursement of allowable costs plus a 
negotiated fee fixed at the inception of the contract. 

[A] The initial contract type of the task order was a cost-plus-award- 
fee. A final award fee determination did not take place because of 
scope and schedule changes. In lieu of the final award fee 
determination, the contract type was changed to a cost-plus-fixed-fee. 

[B] The travel component of the task order is cost reimbursable. 

[C] The initial contract type of the task order was cost-plus-award- 
fee. On July 31, 2009, additional development work was definitized as 
a cost-plus-fixed-fee structure. Further, on September 30, 2009, the 
software operations and maintenance component of the task order was 
changed to a firm-fixed-price structure. 

[D] The initial contract type of the task order was a cost-plus- 
incentive-fee. On November 20, 2009, the performance and schedule 
incentives component of the task order was changed to a cost-plus- 
award-fee. The cost incentives component remains a cost-plus-
incentive- fee structure. 

[E] The initial contract type of the task order was cost-plus- 
incentive-fee. On November 6, 2009, future work under the task order 
was changed to a cost-plus-fixed-fee structure. 

[F] The travel component of the task order is cost reimbursable. 

[End of table] 

One of the completed task orders is for an effort known as Project 28, 
which is a prototype system that covers 28 miles of the border in 
CBP's Tucson Sector[Footnote 7] in Arizona, and has been operating 
since February 2008. However, its completion took 8 months longer than 
planned because of problems in integrating system components (e.g., 
cameras and radars) with the COP software. As we have reported, 
[Footnote 8] these problems were attributable to, among other things, 
limitations in requirements development and contractor oversight. 

Through the task orders, CBP's strategy is to deliver SBInet 
capabilities incrementally. To accomplish this, the SPO has adopted an 
evolutionary system life cycle management approach in which system 
capabilities are to be delivered to designated locations in a series 
of discrete subsets of system functional and performance capabilities 
that are referred to as blocks. The first block, which has been 
designated as Block 1, includes the purchase of commercially available 
surveillance systems, development of customized COP systems and 
software, and use of existing CBP communications and network 
capabilities. Such an incremental approach is a recognized best 
practice for acquiring large-scale, complex systems because it allows 
users access to new capabilities and tools sooner, and thus permits 
both their early operational use and evaluation. Subsequent increments 
of SBInet capabilities are to be delivered based on feedback and unmet 
requirements, as well as the availability of new technologies. 

In general, the SBInet life cycle management approach consists of four 
primary work flow activities: (1) Planning Activity, (2) System Block 
Activity, (3) Project Laydown Activity, and (4) Sustainment Activity. 
During the Planning Activity, the most critical user needs are to be 
identified and balanced against what is affordable and technologically 
available. The outcome of this process is to be a set of capability 
requirements that are to be acquired, developed, and deployed as a 
specific block. This set of capabilities, once agreed to by all 
stakeholders, is then passed to the System Block Activity, during 
which the baseline system solution to be fielded is designed and 
built. Also as part of this activity, the verification steps are to be 
conducted on the individual system components and the integrated 
system solution to ensure that they meet defined requirements. The 
Project Laydown Activity is performed to configure the block solution 
to a specific geographic area's unique operational characteristics. 
This activity involves assessing the unique threats, terrain, and 
environmental concerns associated with a particular area, 
incorporating these needs into the system configuration to be deployed 
to that area, obtaining any needed environmental permits, and 
constructing the infrastructure and installing the configured system. 
It also involves test and evaluation activities, including system 
acceptance testing, to verify that the installed block system was 
built as designed. The final activity, Sustainment, is focused on the 
operations and maintenance of the deployed block solution and 
supporting the user community. 

Associated with each of these activities are various milestone or gate 
reviews. For example, a key review for the System Block Activity is 
the Critical Design Review (CDR). At this review, the block design and 
requirements are baselined and formally controlled to approve and 
track any changes. Among other things, this review is to verify that 
the block solution will meet the stated requirements within the 
program's cost and schedule commitments. An important review conducted 
during the Project Laydown Activity is the Deployment Design Review. 
At this review, information such as the status of environmental 
reviews and land acquisitions for a specific geographic area is 
assessed, and the location-specific system configuration is 
determined. The Deployment Readiness Review is another key event 
during this activity. During this review, readiness to begin site 
preparation and construction is assessed. 

In addition to the four above described workflow activities are 
various key life cycle management processes, such as requirements 
development and management, risk management, and test management. 

Requirements development and management, among other things, involves 
defining and aligning a hierarchy of five types of SBInet 
requirements. These five types begin with high-level operational 
requirements and are followed by increasingly more detailed lower-
level requirements, to include system, component, C3I/COP software, 
and design requirements. To help it manage the requirements, the SPO 
relies on Boeing's use of a database known as the Dynamic Object-
Oriented Requirements System (DOORS). The various types of SBInet 
requirements are described in table 2. 

Table 2: SBInet Requirements Types: 

Type: Operational requirements; 
Description: Describe the operational capabilities that the resulting 
system must satisfy, and can be viewed as user requirements. 

Type: System requirements; 
Description: Describe the system performance, functional, and 
nonfunctional characteristics, and provide the basis for system 
design, development, integration, verification, and deployment. 

Type: Component requirements; 
Description: Describe required features of various surveillance 
components (e.g., cameras and radars), and infrastructure (e.g., 
communications). 

Type: C3I/COP requirements; 
Description: Describe the functionality and capability of the COP 
software, such as allowing the user to control and view information 
from the sensors. 

Type: Design requirements; 
Description: Describe the operational, behavioral, and physical 
characteristics of hardware and software interfaces. 

Source: GAO analysis of DHS data. 

[End of table] 

Risk management entails taking proactive steps to identify and 
mitigate potential problems before they become actual problems. The 
SPO has defined a "risk" to be an uncertain event or condition that, 
if it occurs, will have a negative effect on at least one program 
objective, such as schedule, cost, scope, or technical performance. 
The SPO has defined an "issue" as a risk that has been realized (i.e., 
a negative event or condition that currently exists or has a 100 
percent future certainty of occurring). According to SBInet's risk 
management process, anyone involved in the program can identify a 
risk. Identified risks are submitted to the Risk Management Team, 
which includes both the SPO Risk Manager and Boeing Risk Manager, for 
preliminary review. If approved for further consideration, the risk is 
entered into the Boeing-owned risk database, which is accessible by 
SPO and Boeing officials. These risks are subsequently reviewed by the 
Joint Risk Review Board, which is composed of approximately 20 SPO and 
Boeing officials. If a risk is approved, it is to be assigned an owner 
who will be responsible for managing its mitigation. 

Test management involves planning, conducting, documenting, and 
reporting on a series of test events that first focus on the 
performance of individual system components, then on the performance 
of integrated system components, followed by system-level tests that 
focus on whether the system (or major system increments) are 
acceptable and operationally suitable. For SBInet, the program's 
formal test events fall into two major phases: developmental test and 
evaluation (DT&E) and operational test and evaluation (OT&E). DT&E is 
to verify and validate the systems engineering process and provide 
confidence that the system design solution satisfies the desired 
capabilities. It consists of four test events--integration testing, 
component qualification testing, system qualification testing, and 
system acceptance testing. OT&E is to ensure that the system is 
effective and suitable in its operational environment with respect to 
key considerations, including reliability, availability, 
compatibility, and maintainability. SBInet defines three operational 
testing events-- User Assessment, Operational Test, and Follow-on 
Operational Test and Evaluation. (See table 3 for each test event's 
purpose, responsible parties, and location.) 

Table 3: Overview of Formal Test Events: 

DT&E events: 

Test: Integration testing; 
Purpose: Demonstrate interoperability among system components, and 
ensure the proper functioning of individual component hardware and 
software interfaces; 
Party responsible: Contractor performs with SPO witnesses; 
Location: Laboratory and field test site. 

Test: Component qualification testing; 
Purpose: Verify the functional performance of individual components 
against component requirements; 
Party responsible: Contractor performs with SPO witnesses; 
Location: Laboratory and field test site. 

Test: System qualification testing; 
Purpose: Verify that the system design satisfies system-level 
requirements; 
Party responsible: Contractor performs with SPO witnesses; 
Location: Field test site and deployment site. 

Test: System acceptance testing; 
Purpose: Verify that the deployed system is built as designed and 
performs as predicted in the deployed environment; 
Party responsible: Contractor performs with SPO witnesses; 
Location: Deployment site. 

OT&E events: 

Test: User assessment; 
Purpose: Identify potential operational problems and progress toward 
meeting requirements using the version of the system tested during 
system qualification testing; 
Party responsible: CBP, SPO, and U.S. Army Independent Test & 
Evaluation Team performs; 
Location: Field test site. 

Test: Operational test; 
Purpose: Determine whether the system meets defined key performance 
parameters in its operational environment; 
Party responsible: CBP and U.S. Army Independent Test & Evaluation 
Team performs; 
Location: Deployment site. 

Test: Follow-on operational test and evaluation; 
Purpose: Refine estimates made during OT&E, evaluate changes, and re-
evaluate the system to ensure that it continues to meet operational 
needs; 
Party responsible: U.S. Army Independent Test & Evaluation Team 
performs; 
Location: Deployment site. 

Source: GAO analysis of DHS data. 

[End of table] 

As of December 2009, the program was in the Project Laydown Activity. 
Specifically, the SBInet CDR was completed in October 2008, and the 
Block 1 design has been configured and is being tested and readied for 
deployment to the Tucson Border Patrol Station (TUS-1), and then to 
the Ajo Border Patrol Station (AJO-1), both of which are located in 
the CBP's Tucson Sector of the southwest border. More specifically, 
the Deployment Design Review covering both TUS-1 and AJO-1 was 
completed in June 2007, the TUS-1 Deployment Readiness Review was 
completed in April 2009, and the AJO-1 Deployment Readiness Review was 
completed in December 2009. Together, these two deployments are to 
cover 53 miles of the 1,989-mile-long southern border[Footnote 9] (see 
figure 2). Once a deployed configuration has been accepted and is 
operational, the program will be in the Sustainment Activity. As of 
November 2009, program documentation showed that TUS-1 and AJO-1 were 
to be accepted in January and July 2010, respectively. However, the 
SBI Executive Director told us in December 2009 that these and other 
SBInet scheduled milestones are currently being re-evaluated. As of 
February 2010, TUS-1 and AJO-1 were proposed to be accepted in 
September 2010 and November 2010, respectively. However, this proposed 
schedule has yet to be approved by CBP. 

Figure 2: Map of Block 1 Deployments: 

[Refer to PDF for image: map of the southwestern U.S.] 

Depicted on the map are the following: 

TUS-1; 
AJO-i; 
Area of deployment for Block 1; 
Tucson sector; 
Yuma sector. 

Sources: GAO analysis of DHS data, MapArt (map). 

[End of figure] 

GAO Has Previously Reported on Numerous SBInet Management Weaknesses 
and Risks: 

Since 2007, we have identified a range of management weaknesses and 
risks facing SBInet and we have made a number of recommendations to 
address them that DHS has largely agreed with and, to varying degrees, 
taken actions to address. For example, in February 2007, we reported 
that DHS had not fully defined activities, milestones, and costs for 
implementing the program; demonstrated how program activities would 
further the strategic goals and objectives of SBI; and reported on the 
costs incurred, activities, and progress made by the program in 
obtaining operational control of the border.[Footnote 10] Further, we 
reported that the program's schedule contained a high level of 
concurrency among related tasks and activities, which introduced 
considerable risk. Accordingly, we recommended that DHS define 
explicit and measurable commitments relative to, among other things, 
program capabilities, schedules, and costs, and re-examine the level 
of concurrency in the schedule and adjust the acquisition strategy 
appropriately. We are currently reviewing DHS's Fiscal Year 2010 SBI 
Expenditure Plan to, among other things, determine the status of DHS's 
actions to address these recommendations. 

In October 2007, we testified that DHS had fallen behind in 
implementing Project 28 due to software integration problems, although 
program officials stated at that time that Boeing was making progress 
in correcting the problems.[Footnote 11] Shortly thereafter, we 
testified that while DHS had accepted Project 28, it did not fully 
meet expectations.[Footnote 12] To benefit from this experience, 
program officials stated that they identified a number of lessons 
learned, including the need to increase input from Border Patrol 
agents and other users in SBInet design and development. 

In September 2008, we reported that important aspects of SBInet were 
ambiguous and in a continued state of flux, making it unclear and 
uncertain what technological capabilities were to be delivered 
when.[Footnote 13] We concluded that the absence of clarity and 
stability in key aspects of SBInet impaired the ability of Congress to 
oversee the program and hold DHS accountable for results, and hampered 
DHS's ability to measure program performance. As a result, we 
recommended that the SPO establish and baseline the specific program 
commitments, including the specific system functional and performance 
capabilities that are to be deployed, and when they were to be 
deployed. 

Also, we reported that the SPO had not effectively performed key 
requirements definition and management practices. For example, it had 
not ensured that different levels of requirements were properly 
aligned, as evidenced by our analysis of a random probability sample 
of component requirements showing that a large percentage of them 
could not be traced to higher-level system and operational 
requirements. Also, some of SBInet's operational requirements, which 
are the basis for all lower-level requirements, were found by an 
independent DHS review to be unaffordable and unverifiable, thus 
casting doubt on the quality of lower-level requirements that were 
derived from them. As a result of these limitations, we concluded that 
the risk of SBInet not meeting mission needs and performing as 
intended was increased, as were the chances of the program needing 
expensive and time-consuming system rework. We recommended that the 
SPO implement key requirements development and management practices to 
include (1) baselining requirements before system design and 
development efforts begin; (2) analyzing requirements prior to being 
baselined to ensure that they are complete, achievable, and 
verifiable; and (3) tracing requirements to higher-level requirements, 
lower-level requirements, and test cases. 

We also reported that SBInet testing was not being effectively 
managed. For example, the SPO had not tested the individual system 
components to be deployed to the initial deployment locations, even 
though the contractor had initiated integration testing of these 
components with other system components and subsystems. Further, while 
a test management strategy was drafted, it had not been finalized and 
approved, and it did not contain, among other things, a clear 
definition of testing roles and responsibilities; a high-level master 
schedule of SBInet test activities; or sufficient detail to 
effectively guide project-specific test planning, such as milestones 
and metrics for specific project testing. We concluded that without a 
structured and disciplined approach to testing, the risk that SBInet 
would not satisfy user needs and operational requirements, thus 
requiring system rework, was increased. We recommended that the SPO 
(1) develop and document test practices prior to the start of testing; 
(2) conduct appropriate component-level testing prior to integrating 
system components; and (3) approve a test management strategy that, at 
a minimum, includes a relevant testing schedule, establishes 
accountability for testing activities by clearly defining testing 
roles and responsibilities, and includes sufficient detail to allow 
for testing and oversight activities to be clearly understood and 
communicated to test stakeholders. 

In light of these weaknesses and risks, we further recommended that 
(1) the risks associated with planned SBInet acquisition, development, 
testing, and deployment activities be immediately assessed and (2) the 
results, including proposed alternative courses of action for 
mitigating the risks, be provided to the CBP Commissioner and DHS's 
senior leadership, as well as to the department's congressional 
authorization and appropriations committees. DHS agreed with all but 
one of the recommendations in our September 2008 report. The status of 
DHS's efforts to implement these recommendations is summarized later 
in this report and discussed in detail in appendix III. 

In September 2009, we reported that SBInet had continued to experience 
delays.[Footnote 14] For example, deployment to the entire southwest 
border had slipped from early 2009 to 2016, and final acceptance of 
TUS-1 and AJO-1 had slipped from November 2009 and March 2010 to 
December 2009 and June 2010, respectively. We did not make additional 
SBInet recommendations at that time. 

Most recently, we reported in January 2010 that SBInet testing was not 
being effectively managed.[Footnote 15] Specifically, while DHS's 
approach to testing appropriately consisted of a series of 
progressively expansive developmental and operational test events, the 
test plans, cases, and procedures for the most recent test events were 
not defined in accordance with important elements of relevant 
guidance. For example, none of the plans adequately described testing 
risks and only two of the plans included quality assurance procedures 
for making changes to test plans during their execution. Further, a 
relatively small percentage of test cases for these events described 
the test inputs and the test environment (e.g., facilities and 
personnel to be used), both of which are essential to effective 
testing. 

In addition, a large percentage of the test cases for these events 
were changed extemporaneously during execution. While some of the 
changes were minor, others were more significant, such as re-writing 
entire procedures and changing the mapping of requirements to test 
cases. Moreover, these changes to procedures were not made in 
accordance with documented quality assurance processes, but rather 
were based on an undocumented understanding that program officials 
said they established with the contractor. Compounding the number and 
significance of changes were questions raised by the SPO and a support 
contractor about the appropriateness of some changes. For example, the 
SPO wrote to the prime contractor that changes made to system 
qualification test cases and procedures appeared to be designed to 
pass the test instead of being designed to qualify the system. 

Further, we reported that from March 2008 through July 2009, that 
about 1,300 SBInet defects had been found, with the number of new 
defects identified during this time generally increasing faster than 
the number being fixed--a trend that is not indicative of a system 
that is maturing and ready for deployment. While the full magnitude of 
these unresolved defects was unclear because the majority were not 
assigned a priority for resolution, some of the defects that had been 
found were significant. Although DHS reported that these defects had 
been resolved, they had nevertheless caused program delays, and 
related problems had surfaced that continued to impact the program's 
schedule. Further, an early user assessment of SBInet had raised 
significant concerns about the performance of key system components 
and the system's operational suitability. 

In light of these weaknesses, we recommended that DHS (1) revise the 
program's overall test plan to include (a) explicit criteria for 
assessing the quality of test documentation, including test plans and 
test cases, and (b) a process for analyzing, prioritizing, and 
resolving program defects; (2) ensure that test schedules, plans, 
cases, and procedures are adequately reviewed and approved consistent 
with the revised test plan; (3) ensure that sufficient time is 
provided for reviewing and approving test documents prior to beginning 
a given test event; and (4) triage the full inventory of unresolved 
system problems, including identified user concerns, and periodically 
report on their status to CBP and DHS leadership. DHS fully agreed 
with the last three recommendations and partially agreed with the 
first. 

Block 1 Capabilities, Geographic Coverage, and Performance Standards 
Continue to Decrease: 

For Block 1, functional and performance capabilities and the number of 
geographic locations to which they are to be deployed have continued 
to decrease. We reported in September 2008 that the capabilities and 
deployment locations of SBInet were decreasing.[Footnote 16] Since 
that time, the number of component-level requirements to be deployed 
to TUS- 1 and AJO-1 has decreased by about 32 percent. In addition, 
the number of sectors that the system is to be deployed to has been 
reduced from three to two, and the stringency of the system 
performance measures that the deployed system is to meet has been 
reduced. According to program officials, the decreases are due to 
poorly defined requirements and limitations in the capabilities of 
commercially available system components. The result will be a 
deployed and operational system that, like Project 28, does not live 
up to user expectations and provides less mission support than was 
envisioned. 

Functional Capabilities Have Been Reduced: 

Since our September 2008 report, the number of requirements that Block 
1 is to meet has dropped considerably. Specifically, in September 
2008, DHS directed the SPO to identify the operational requirements to 
be allocated to Block 1. In response, 106 operational requirements 
were established, such as providing border surveillance, facilitating 
decision support and situational awareness, enabling communications, 
providing operational status and readiness metrics, and enabling 
system audits. Of the 106 requirements, 69 were to be included in the 
initial technology deployments planned for TUS-1 and AJO-1. The 
remaining 37 were to be addressed in future blocks. 

To implement the 69 operational requirements, the SPO developed a 
system-level requirement specification and 12 component-level 
requirements specifications.[Footnote 17] More specifically, as part 
of CDR, which concluded in October 2008, the 69 operational 
requirements for TUS-1 and AJO-1 were associated with 97 system-level 
requirements. Also during CDR, the 97 system-level requirements were 
associated with 1,286 component-level requirements. 

However, between October 2008 and September 2009, the number of 
component-level requirements was reduced from 1,286 to 880, or by 
about 32 percent. First, 281 requirements related to the 
specifications for three components--communications, network 
operations, and network security--were eliminated, leaving 1,005 
baselined requirements.[Footnote 18] 

Examples of the 281 requirements that were eliminated include the 
following: 

* the failure in a single piece of hardware or software would not 
affect mission critical functions which include detection and 
resolution of border incursions; 

* the failure of a Network Operations Center/Security Operations 
Center[Footnote 19] (NOC/SOC) workstation would not prevent the system 
from operating; and: 

* the failure of one network power supply would be compensated for by 
additional backup power supplies. 

In addition, another 125 component-level requirements were granted 
"waivers" or "deviations,"[Footnote 20] further reducing the number of 
Block 1 requirements to be deployed to TUS-1 and AJO-1 to 880 (as of 
September 2009). For example, the unattended ground sensors were 
required to differentiate between human, vehicle, and animal targets. 
However, because the sensors that are to be deployed to TUS-1 and AJO- 
1 are only able to identify potential vehicles and are not able to 
differentiate between humans and animals, this requirement was 
deviated. Similarly, the radar was required to classify targets as 
humans or vehicles. However, the radar also cannot differentiate 
between classes of targets (e.g., humans and vehicles). As a result, 
the requirement in the radar specification was also deviated. 

Figure 3 summarizes the roughly 32 percent drop in requirements that 
has occurred over the last 15 months. 

Figure 3: Illustration of Reduction in Block 1 Requirements: 

[Refer to PDF for image: horizontal bar graph] 

As of October 2008: 1,286; 
As of September 2009: 1,005; 
After waivers and deviations as of September 2009: 880. 

Source: GAO analysis of DHS data. 

[End of figure] 

According to program officials, component requirements were eliminated 
because they were either poorly written or duplicative of other 
requirements, or because the capabilities of commercially available 
products were limited. In addition, they attributed a significant 
number of eliminated requirements to a decision to not use a Boeing 
designed and developed network and instead to use an existing DHS 
network. To the SPO's credit, this decision was made to align SBInet 
with DHS technical standards and to increase the use of COTS products. 

Compounding this reduction in Block 1 requirements is the likelihood 
that further requirements deviations and waivers will be granted based 
on the results of an early user assessment of the system.[Footnote 21] 
According to the July 2009 assessment report, certain SBInet 
components did not meet requirements. For example: 

* The daytime cameras were judged to be operationally ineffective over 
5 kilometers for identifying humans, while the requirement is that the 
cameras be usable to 10 kilometers. 

* The laser range finder[Footnote 22] was determined to have an 
effective range of less than 2 kilometers, while the requirement is 
for the effective range to be 10 kilometers. 

Program officials told us that many of the limitations found during 
the user assessment were previously known, and corrective actions were 
already under way or planned for future technology upgrades to address 
them. However, the officials also stated they plan to issue a waiver 
or deviation for the camera and the laser range finder to address the 
two problems discussed above. In addition, they stated that a 
previously known limitation of the range of the radar will also need 
to be addressed through a deviation. In this case, the radar is 
required to have a range of 20 kilometers, but testing shows a maximum 
range of 10 kilometers. 

Geographic Coverage Has Been Reduced: 

Beyond the requirement reductions, the geographic locations to receive 
the initial SBInet capabilities have also been reduced. As of 
September 2008, the initial Block 1 deployment was to span three 
border patrol sectors: Tucson, Yuma, and El Paso--a total of 655 
miles. According to program officials, deployment to these three areas 
was the expressed priority of the Border Patrol due to the high threat 
levels in these areas. However, the Acquisition Program Baseline, 
[Footnote 23] which was drafted in December 2008, states that initial 
deployment will be to just the Tucson and Yuma Sectors, which will 
cover only 387 miles. 

According to program officials, deployment to the 268 miles of the El 
Paso Sector was dropped from the initial deployment in anticipation 
that the sector will instead receive the capabilities slated for the 
next SBInet increment (i.e., build). However, plans for the next 
increment have not been developed. According to the SBI Executive 
Director in December 2009, the SPO is re-evaluating where and when 
future deployments of SBInet will occur, and a date for when the 
revised deployment plans will be available has not been set. 

Performance Capabilities Have Decreased: 

System performance measures define how well a system is to perform 
certain functions, and thus are important in ensuring that the system 
meets mission and user needs. According to program documentation, 
failure to meet a key performance parameter can limit the value of the 
system and render it unsuccessful. In November 2008, the SPO re- 
evaluated its existing SBInet key performance parameters and 
determined that SBInet must meet three such parameters: (1) the 
probability of detecting items of interest between the border and the 
control boundary; (2) the probability of correctly identifying items 
of interest as human, conveyance, or others; and (3) the operational 
availability of the system.[Footnote 24] According to program 
officials, subject matter experts and CBP staff concluded that these 
three were critical to determining whether the system successfully 
meets mission and user needs. 

Associated with each parameter is a threshold for acceptable 
performance. In November 2008, the SPO re-evaluated the thresholds for 
its three key performance parameters, and it significantly relaxed 
each of the thresholds: 

* The threshold for detecting items of interest dropped from 95 
percent to 70 percent. 

* The threshold for identifying items of interest declined from 95 
percent to 70 percent.[Footnote 25] 

* The threshold for operational availability decreased from 95 to 85 
percent. 

These threshold reductions significantly lower what constitutes 
acceptable system performance. For example, the system will meet its 
detection and identification performance requirements if it identifies 
70 percent of the 70 percent of items that it detects, thus producing 
a 49 percent probability of identifying items of interest that cross 
the border. Furthermore, the reduction in operational availability 
means that the time that the system can be unavailable for use has 
gone from 18.25 days per year to 54.75 days per year--or from 
approximately 2.5 weeks to about 7 weeks per year, excluding downtime 
for planned maintenance. 

The SBI Executive Director attributed the performance reductions to 
program officials' limited understanding of needed operational 
capabilities at the time the parameters and thresholds were set. The 
director further stated that once Block 1 has been deployed and Border 
Patrol personnel gain experience operating it, decisions will be made 
as to what additional changes to make to the key performance 
parameters and associated thresholds. Until then, system performance 
relative to identifying items of interest and operational availability 
will remain as described above, which program officials agreed fall 
short of expectations. 

A Reliable Schedule for Completing Block 1 Has Not Been Developed: 

The success of a large-scale system acquisition program like SBInet 
depends in part on having a reliable schedule of when the program's 
set of work activities and milestone events will occur, how long they 
will take, and how they are related to one another. Among other 
things, a reliable schedule provides a road map for systematic 
execution of a program and the means by which to gauge progress, 
identify and address potential problems, and promote accountability. 
Our research has identified nine best practices associated with 
developing and maintaining a reliable schedule.[Footnote 26] These are 
(1) capturing all activities, (2) sequencing all activities, (3) 
assigning resources to all activities, (4) establishing the duration 
of all activities, (5) integrating activities horizontally and 
vertically, (6) establishing the critical path for all activities, (7) 
identifying reasonable float between activities, (8) conducting a 
schedule risk analysis, and (9) updating the schedule using logic and 
durations. To be considered reliable, a schedule should meet all nine 
practices. 

The August 2009 SBInet integrated master schedule, which was the most 
current version available for our review, is not reliable because it 
substantially complies with only two of the nine key schedule 
estimating practices and it does not comply with, or only partially or 
minimally complies with, the remaining seven practices (see table 4 
for a summary and appendix IV for the detailed results of our analysis 
of the extent to which the schedule meets each of the nine practices). 

Table 4: Summary of SBInet Integrated Master Schedule Satisfaction of 
Schedule Estimating Practices: 

Practice: Capturing all activities; 
Met? Minimally. 

Practice: Sequencing all activities; 
Met? Substantially. 

Practice: Assigning resources to all activities; 
Met? Minimally. 

Practice: Establishing the duration of all activities; 
Met? Substantially. 

Practice: Integrating schedule activities horizontally and vertically; 
Met? Partially. 

Practice: Establishing the critical path for all activities; 
Met? Partially. 

Practice: Identifying reasonable float between activities; 
Met? Partially. 

Practice: Conducting a schedule risk analysis; 
Met? Not. 

Practice: Updating the schedule using logic and durations to determine 
the dates; 
Met? Partially. 

Source: GAO analysis of DHS data. 

Note: "Not" means the program provided no evidence that satisfies any 
portion of the criterion. "Minimally" means the program provided 
evidence that satisfies less than one-half of the criterion. 
"Partially" means the program provided evidence that satisfies about 
one-half of the criterion. "Substantially" means the program provided 
evidence that satisfies more than one-half of the criterion. 

[End of table] 

Examples of practices that were either substantially, partially, 
minimally, or not met are provided below. Without having a reliable 
schedule, it is unlikely that actual program execution will track to 
plans, thus increasing the risk of cost, schedule, and performance 
shortfalls. 

* Capturing all activities: The schedule does not capture all 
activities as defined in the program's work breakdown structure 
[Footnote 27] or integrated master plan.[Footnote 28] First, 57 
percent of the activities listed in the work breakdown structure (71 
of 125) and 67 percent of the activities listed in the integrated 
master plan (46 of 69) were not in the integrated master schedule. For 
example, the schedule is missing efforts associated with systems 
engineering, sensor towers, logistics, system test and evaluation, 
operations support, and program management. Second, the schedule does 
not include key activities to be performed by the government. For 
example, while the schedule shows the final activity in the government 
process for obtaining an environmental permit in order to construct 
towers, it does not include the related government activities needed 
to obtain the permit. 

* Sequencing all activities: The schedule identifies virtually all of 
the predecessor and successor activities. Specifically, only 9 of 
1,512 activities (less than 1 percent) were missing predecessor links. 
Further, only 21 of 1,512 activities (about 1 percent) had improper 
predecessor and successor links. While the number of unlinked 
activities is very small, not linking a given activity can cause 
problems because changes to the durations of these activities will not 
accurately change the dates for related activities. More importantly, 
403 of 1,512 activities (about 27 percent) are constrained by "start 
no earlier than" dates, which is significant because it means that 
these activities are not allowed to start earlier, even if their 
respective predecessor activities have been completed. 

* Establishing the critical path for all activities: The schedule does 
not reflect a valid critical path[Footnote 29] for several reasons. 
First, and as noted above, it is missing government and contractor 
activities, and is thus not complete. Second, as mentioned above, the 
schedule is missing some predecessor links, and improperly establishes 
other predecessor and successor links. Problems with the critical path 
were recognized by the Defense Contract Management Agency[Footnote 30] 
as early as November 2008, when it reported that the contractor could 
not develop a true critical path that incorporates all program 
elements. 

* Conducting a schedule risk analysis: An analysis of the schedule's 
vulnerability to slippages in the completion of tasks has not been 
performed. Further, program officials described the schedule as not 
sufficiently stable to benefit from a risk analysis. 

Reasons that these practices were not fully met vary and include the 
program's use of Boeing to develop and maintain the integrated master 
schedule, even though Boeing's processes and tools do not allow it to 
include in the schedule work that it does not have under contract to 
perform, as well as the constantly changing nature of the work to be 
performed. Without a reliable schedule that includes all activities 
necessary to complete Block 1, the SPO cannot accurately determine the 
amount of time required to complete Block 1, and it does not have an 
adequate basis for guiding the program's execution and measuring 
progress, thus reducing the likelihood of meeting the program's 
completion dates. 

Collectively, the weaknesses in meeting the nine key practices for the 
program's integrated master schedule increase the risk of schedule 
slippages and related cost overruns and make meaningful measurement 
and oversight of program status and progress, as well as 
accountability for results, difficult to achieve. In the case of Block 
1, this risk has continued to be realized. For example, the dates 
presented at the December 2008 to November 2009 monthly program review 
meetings for government acceptance of Block 1 at TUS-1 and AJO-1 
showed a pattern of delays, with TUS-1 and AJO-1 acceptance slipping 
by 4 months and 7 months, respectively. (See figure 4.) Moreover, 
these slipped dates have not been met, and the SBI Executive Director 
told us in December 2009 that when Block 1 will be accepted and 
operational continues to change and remains uncertain. As of February 
2010, TUS-1 and AJO-1 were proposed to be accepted in September 2010 
and November 2010, respectively; however, this proposed schedule has 
yet to be approved by CBP. 

Figure 4: Projected TUS-1 and AJO-1 Acceptance Dates Presented at 
Monthly Program Review Meetings: 

[Refer to PDF for image: illustration] 

Program review date: December 2008; 
TUS-1 acceptance: September 2009; 
AJO-1 acceptance: December 2009. 

Program review date: January 2009; 
TUS-1 acceptance: November 2009; 
AJO-1 acceptance: May 2010. 

Program review date: February 2009; 
TUS-1 acceptance: November 2009; 
AJO-1 acceptance: May 2010. 

Program review date: March 2009; 
TUS-1 acceptance: November 2009; 
AJO-1 acceptance: March 2010. 

Program review date: April 2009; 
TUS-1 acceptance: December 2009; 
AJO-1 acceptance: July 2010. 

Program review date: May 2009; 
TUS-1 acceptance: January 2010; 
AJO-1 acceptance: June 2010. 

Program review date: June 2009; 
TUS-1 acceptance: January 2010; 
AJO-1 acceptance: July 2010; 

Program review date: July 2009; 
TUS-1 acceptance: January 2010; 
AJO-1 acceptance: March 2010. 

Program review date: August 2009; 
TUS-1 acceptance: February 2010; 
AJO-1 acceptance: June 2010. 

Program review date: September 2009; 
TUS-1 acceptance: No report this month; 
AJO-1 acceptance: No report this month. 

Program review date: October 2009; 
TUS-1 acceptance: January 2010; 
AJO-1 acceptance: June 2010. 

Program review date: November 2009; 
TUS-1 acceptance: January 2010; 
AJO-1 acceptance: July 2010. 

Source: GAO analysis of DHS data. 

[End of figure] 

Cost-Effectiveness of Block 1 Has Not Been Demonstrated: 

As we have previously reported,[Footnote 31] the decision to invest in 
any system or major system increment should be based on reliable 
estimates of costs and meaningful forecasts of quantifiable and 
qualitative benefits over the system's useful life. For Block 1, DHS 
does not have a complete and current life cycle cost estimate. 
Moreover, it has not projected the mission benefits expected to accrue 
from Block 1 over the same life cycle. According to program officials, 
it is premature to project such benefits given the uncertainties 
surrounding the role that Block 1 will ultimately play in overall 
border control operations. Without a meaningful understanding of 
SBInet costs and benefits, DHS lacks an adequate basis for knowing 
whether the initial system solution on which it plans to spend at 
least $1.3 billion is cost-effective. Moreover, DHS and congressional 
decision makers continue to lack a basis for deciding what investment 
in SBInet beyond this initial capability is economically prudent. 

Life Cycle Costs Have Not Been Reliably Estimated: 

A reliable cost estimate is critical to successfully delivering large- 
scale information technology (IT) systems, like SBInet, as well as 
major system increments, like Block 1. Such an estimate provides the 
basis for informed investment decision making, realistic budget 
formulation, meaningful progress measurement, and accountability for 
results. According to the Office of Management and Budget (OMB), 
[Footnote 32] federal agencies must maintain current and well- 
documented estimates of program costs, and these estimates must 
encompass the program's full life cycle. Among other things, OMB 
states that a reliable life cycle cost estimate is critical to the 
capital planning and investment control process. Without such an 
estimate, agencies are at increased risk of making poorly informed 
investment decisions and securing insufficient resources to 
effectively execute defined program plans and schedules, and thus 
experiencing program cost, schedule, and performance shortfalls. 

Our research has identified a number of practices that form the basis 
of effective program cost estimating.[Footnote 33] These practices are 
aligned with four characteristics of a reliable cost estimate. To be 
reliable, a cost estimate should possess all four characteristics, 
each of which is summarized below. (See appendix V for the key 
practices associated with each characteristic, including a description 
of each practice and our analysis of the extent to which the SBInet 
cost estimate meets each practice.) 

* Comprehensive: The cost estimate should include all government and 
contractor costs over the program's full life cycle, from program 
inception through design, development, deployment, and operation and 
maintenance to retirement. It should also provide sufficient detail to 
ensure that cost elements are neither omitted nor double counted, and 
it should document all cost-influencing ground rules and assumptions. 

* Well-documented: The cost estimate should capture in writing things 
such as the source and significance of the data used, the calculations 
performed and their results, and the rationale for choosing a 
particular estimating method or reference. Moreover, this information 
should be captured in such a way that the data used to derive the 
estimate can be traced back to, and verified against, their sources. 
Finally, the cost estimate should be reviewed and accepted by 
management to demonstrate confidence in the estimating process and the 
estimate. 

* Accurate: The cost estimate should not be overly conservative or 
optimistic, and should be, among other things, based on an assessment 
of most likely costs, adjusted properly for inflation, and validated 
against an independent cost estimate. In addition, the estimate should 
be updated regularly to reflect material changes in the program and 
actual cost experience on the program. Further, steps should be taken 
to minimize mathematical mistakes and their significance and to ground 
the estimate in documented assumptions and a historical record of 
actual cost and schedule experiences on comparable programs. 

* Credible: The cost estimate should discuss any limitations in the 
analysis due to uncertainty or biases surrounding the data and 
assumptions. Major assumptions should be varied and other outcomes 
computed to determine how sensitive the estimate is to changes in the 
assumptions. Risk and uncertainty inherent in the estimate should be 
assessed and disclosed. Further, the estimate should be properly 
verified by, for example, comparing the results with one or more 
independent cost estimates. 

The SPO's Block 1 life cycle cost estimate includes the costs to 
complete those portions of Block 1 that are to be deployed to the 
Tucson and Yuma Sectors, which together cover about 387 miles of the 
southwest border (53 miles associated with both TUS-1 and AJO-1, which 
are in the Tucson Sector, as well as an additional 209 miles in the 
Tucson Sector and 125 miles in the Yuma Sector). More specifically, 
this estimate, which is dated December 2008, shows the minimum cost to 
acquire and deploy Block 1 to the Tucson and Yuma Sectors to be $758 
million, with another $544 million to operate and maintain this 
initial capability, for a total of about $1.3 billion. 

However, this Block 1 cost estimate is not reliable because it does 
not sufficiently possess any of the above four characteristics. 
Specifically: 

* The estimate is not comprehensive because it does not include all 
relevant costs, such as support contractor costs and costs associated 
with system and software design, development, and testing activities 
that were incurred prior to December 2008. Moreover, it includes only 
1 year of operations and maintenance costs rather than these costs 
over the expected life of the system. Further, the estimate does not 
document and assess the risks associated with all ground rules and 
assumptions, such as known budget constraints, staff and schedule 
variations, and technology maturity. 

* The estimate is not well-documented because, among other things, the 
sources and significance of key data have not been captured and the 
quality of key data, such as historical costs and actual cost reports, 
is limited. For example, instead of identifying and relying on 
historical costs from similar programs, the estimate was based, in 
part, on engineering judgment. Further, the calculations performed and 
their results, while largely documented, did not document contingency 
reserves and the associated confidence level for the risk-adjusted 
cost estimate. Also, as noted above, assumptions integral to the 
estimate, such as those for budget constraints, and staff and schedule 
variances, were not documented. 

* The estimate is not accurate because it was not, for example, 
validated against an independent cost estimate. Further, it has not 
been updated to reflect material program changes since the estimate 
was developed. For example, the estimate does not reflect development 
and testing activities that were added since the estimate was approved 
to correct problems discovered during testing. Further, the estimate 
has not been updated with actual cost data available from the 
contractor. 

* The estimate is not credible because its inherent risk and 
uncertainty were not adequately assessed, and thus the estimate does 
not address limitations associated with the assumptions used to create 
it. For example, the risks associated with software development were 
not examined, even though such risks were known to exist. In fact, the 
only risks considered were those associated with uncertainty in labor 
rates and hardware costs, and instead of being based on historical 
quantitative analyses, these risks were expressed by assigning them 
arbitrary positive or negative percentages. In addition, and for the 
reasons mentioned above, the estimate did not specify contingency 
reserve amounts to mitigate known risks, and an independent cost 
estimate was not used to verify the estimate. 

Program officials attributed these limitations in the cost estimate's 
comprehensiveness, documentation, accuracy, and credibility to a range 
of factors, including competing program office priorities and the 
department's limited cost estimating capabilities. For example, 
program officials stated that the DHS Cost Analysis Division did not 
prepare an independent estimate because it did not have, among other 
things, the people and tools needed to do so. In this regard, this 
division reports that as of July 2009, DHS only had eight cost 
estimators (six in headquarters and two in program offices) for 
departmentwide needs. 

Because the estimate does not adequately display these four 
characteristics, it does not provide a reliable picture of Block 1's 
life cycle costs. As a result, DHS does not have complete information 
on which to base informed investment decision making, understand 
system affordability, and develop justifiable budget requests. 
Moreover, the Block 1 cost estimate does not provide a meaningful 
standard against which to measure cost performance, is likely to show 
large cost overruns, and does not provide a good basis for informing 
future cost estimates. 

Expected Mission Benefits Have Yet to Be Adequately Defined: 

The Clinger-Cohen Act of 1996 and OMB guidance[Footnote 34] emphasize 
the need to ensure that IT investments actually produce tangible, 
observable improvements in mission performance. As we have previously 
reported,[Footnote 35]to accomplish this, benefits that are expected 
to accrue from investments need to be forecast and their actual 
accrual needs to be measured. 

In the case of Block 1, however, expected mission benefits have not 
been defined and measured. For example, while program officials told 
us that system benefits are documented in the SBInet Mission Need 
Statement dated October 2006, this document does not include either 
quantifiable or qualitative benefits. Rather, it provides general 
statements such as "the lack of a program such as SBInet increases the 
risks of terrorist threats and other illegal activities." 

Congress recognized the importance of having a meaningful 
understanding of SBInet's value proposition when it required DHS in 
2008 to provide in its Border Security, Fencing, Infrastructure, and 
Technology Fiscal Year 2009 Expenditure Plan[Footnote 36] a 
description of how the department's planned expenditure of funds would 
be linked to expected SBI mission benefits and outcomes. However, we 
reported that the plan DHS submitted only described links among 
planned activities, expenditures, and outputs. It did not link these 
to outcomes associated with improving operational control of the 
border.[Footnote 37] More recently, we reported that while SBI 
technology and physical infrastructure, along with increases in Border 
Patrol personnel, are intended to allow DHS to gain effective control 
of U.S. borders, CBP's measures of effective control are limited. 
Thus, we recommended that CBP conduct a cost-effectiveness evaluation 
of the SBI tactical infrastructure's impact on effective control of 
the border, and DHS agreed with this recommendation.[Footnote 38] 
Further, program officials noted that uncertainty about SBInet's role 
in and contribution to effective control of the border makes it 
difficult to forecast SBInet benefits. Rather, they said that 
operational experience with Block 1 is first needed in order to 
estimate such benefits. 

While we recognize the value of operationally evaluating an early, 
prototypical version of a system in order to better understand, among 
other things, its mission impact, and thus to better inform investment 
decisions, we question the basis for spending in excess of a billion 
dollars to gain this operational experience. Without a meaningful 
understanding and disclosure of SBInet benefits, to include the extent 
to which expected mission benefits are known and unknown, DHS did not 
have the necessary basis for justifying and making informed decisions 
about its sizeable investment in Block 1, as well as for measuring the 
extent to which the deployed Block 1 will actually deliver mission 
value commensurate with costs. 

Block 1 Has Not Been Managed in Accordance with Key Life Cycle 
Management Processes: 

Successful management of large IT programs, like SBInet, depends in 
large part on having clearly defined and consistently applied life 
cycle management processes. Our evaluations and research show that 
applying system life cycle management rigor and discipline increases 
the likelihood of delivering expected capabilities on time and within 
budget.[Footnote 39] In other words, the quality of a system is 
greatly influenced by the quality of the processes used to manage it. 

To the SPO's credit, it has defined key life cycle management 
processes that are largely consistent with relevant guidance and 
associated best practices. However, it has not effectively implemented 
these processes. Specifically, it has not consistently followed its 
systems engineering plan, requirements development and management 
plan, and risk management approach. Reasons cited by program officials 
for not implementing these processes include the decision by program 
officials to rely on contract task order requirements that were 
developed prior to the systems engineering plan, and competing SPO 
priorities, including meeting an aggressive deployment schedule. Until 
the SPO consistently implements these processes, it will remain 
challenged in its ability to successfully deliver SBInet. 

Key System Life Cycle Management Activities Have Not Been Consistently 
Performed: 

Each of the steps in a life cycle management approach serves an 
important purpose and has inherent dependencies with one or more other 
steps. In addition, the steps used in the approach should be clearly 
defined and repeatable. Thus, if a life cycle management step is 
omitted or not performed effectively, later steps can be affected, 
potentially resulting in costly and time-consuming rework. For 
example, a system can be effectively tested to determine whether it 
meets requirements only if these requirements have been completely and 
correctly defined. To the extent that interdependent life cycle 
management steps or activities are not effectively performed, or are 
performed concurrently, a program will be at increased risk of cost, 
schedule, and performance shortfalls. 

The SPO's Systems Engineering Plan documents its life cycle management 
approach for SBInet definition, development, testing, deployment, and 
sustainment. As noted earlier, we reported in September 2008 on a 
number of weaknesses in the SBInet life cycle management approach and 
made recommendations to improve it.[Footnote 40]In response, the SPO 
revised its Systems Engineering Plan in November 2008, and to its 
credit, the revised plan is largely consistent with DHS and other 
relevant guidance.[Footnote 41] For example, it defines a number of 
key life cycle milestone or "gate" reviews that are important in 
managing the program, such as initial planning reviews, requirements 
reviews, system design reviews, and test reviews. In addition, the 
revised plan requires most of the key artifacts and program documents 
that DHS guidance identified as important to each gate review, such as 
a concept of operations, an operational requirements document, a 
deployment plan, a risk management plan, a life cycle cost estimate, 
requirements documentation, and test plans. To illustrate, the plan 
identifies CDR as the important milestone event where a design 
baseline is to be established, requirements traceability is to be 
demonstrated, and verification and testing plans are to be in place. 

However, the Systems Engineering Plan does not address the content of 
the key artifacts that it requires. For example, it does not provide a 
sample document or content template for the concept of operations, the 
operational requirements document, or the deployment plan. As a 
result, the likelihood of the developers and reviewers of these 
artifacts sharing and applying a consistent and repeatable 
understanding of their content is minimized, thus increasing the risk 
that they will require costly and time-consuming rework. As we 
recently reported,[Footnote 42] the absence of content guidance or 
criteria for assessing the quality of the prime contractor's test-
related deliverables was a primary reason that limitations were found 
in test plans. 

Beyond the content of the Systems Engineering Plan, the SPO has not 
consistently implemented key system life cycle management activities 
for Block 1 that are identified by the plan. For example, the 
following artifacts were not reviewed or considered during the CDR 
that concluded in October 2008: 

* Security Test Plan, which describes the process for assessing the 
robustness of the system's security capabilities (e.g., physical 
facilities, hardware, software, and communications) in light of their 
vulnerabilities. 

* Quality Plan, which documents the process for verifying that the 
contractor deliverables satisfy contractual requirements and meet or 
exceed quality standards. 

* Test Plan, which describes the overall process for the test and 
evaluation, including the development of detailed test event plans, 
test procedure instructions, data collection methods, and evaluation 
reports. 

* Block Training Plan, which outlines the objectives, strategy, and 
curriculum for training that are specific to each block, including the 
activities needed to support the development of training materials, 
coordination of training schedules, and reservation of personnel and 
facilities. 

* Block Maintenance Plan, which lays out the policies and concepts to 
be used to maintain the operational availability of hardware and 
software. 

To the SPO's credit, it reviewed and considered all but one of the key 
artifacts for the TUS-1 Deployment Readiness Review that concluded in 
April 2009. The omitted artifact was the Site Specific Training Plan, 
which outlines the objectives, strategy, and curriculum for training 
that are specific to each geographic site, including the activities 
needed to support the development of training materials, coordination 
of training schedules, and reservation of personnel and facilities. 
According to program officials, even though the Systems Engineering 
Plan cites the training plan as integral to the Deployment Readiness 
Review, this training plan is to be reviewed as part of a later 
milestone review. 

Program officials stated that a reason that the artifacts were omitted 
is that they have yet to begin implementing the Systems Engineering 
Plan. Instead, they have, for example, enforced the CDR requirements 
in the System Task Order that Boeing was contractually required to 
follow. To address this, they added that the SPO intends to bring the 
task orders into alignment with the Systems Engineering Plan, but they 
did not specify when this would occur. As a result, key milestone 
reviews and decisions have not always benefited from life cycle 
management documentation that the SPO has determined to be relevant 
and important to these milestone events. More specifically, the 
Systems Engineering Plan states that the gate reviews are intended to 
identify and address problems early and thus minimize future costs and 
avoid subsequent operational issues. By not fully informing these gate 
reviews and associated decisions with key life cycle management 
documentation, the risk of Block 1 design and deployment problems is 
increased, as is the likelihood of expensive and time-consuming system 
rework. 

Key Block 1 Requirements Have Not Been Adequately Developed and 
Managed: 

Well-defined and managed requirements are essential to successfully 
acquiring large-scale systems, like SBInet. According to relevant 
guidance,[Footnote 43] effective requirements development and 
management include establishing a baseline set of requirements that 
are complete, unambiguous, and testable. It also includes ensuring 
that system-level requirements are traceable backwards to higher-level 
operational requirements and forward to design requirements and the 
methods used to verify that they are met. Among other things, this 
guidance states that such traceability should be used to verify that 
higher-level requirements have been met by first verifying that the 
corresponding lower-level requirements have been satisfied. 

However, not all Block 1 component requirements were sufficiently 
defined at the time that they were baselined, and operational 
requirements continue to be unclear and unverifiable. In addition, 
while requirements are now largely traceable backwards to operational 
requirements and forward to design requirements and verification 
methods, this traceability has not been used until recently to verify 
that higher-level requirements have been satisfied. Program officials 
attributed these limitations to competing SPO priorities, including 
aggressive schedule demands. Without ensuring that requirements are 
adequately defined and managed, the risks of Block 1 not performing as 
intended, not meeting user needs, and costing more and taking longer 
than necessary to complete are increased. 

Not All Requirements Were Adequately Baselined: 

The SBInet Requirements Development and Management Plan states that a 
baseline set of requirements should be established by the time of the 
CDR and that these requirements should be complete, unambiguous, and 
testable. Further, the program's Systems Engineering Plan states that 
the CDR is intended to establish the final allocated requirements 
baseline and ensure that system development, integration, and testing 
can begin. 

To the SPO's credit, it established a baseline set of requirements for 
the TUS-1 and AJO-1 system deployments at CDR. However, the baseline 
requirements associated with the NOC/SOC were not adequately defined 
at this time, as evidenced by the fact that they were significantly 
changed 2 months later. Specifically, about 33 percent of the 
component-level requirements and 43 percent of the design 
specifications for NOC/SOC were eliminated from the Block 1 design 
after CDR. Program officials attributed these changes to the NOC/SOC 
requirements to (1) requirements that were duplicative of another 
specification, and thus were redundant; (2) requirements that were 
poorly written, and thus did not accurately describe needs; and (3) 
requirements that related to the security of a system that SBInet 
would not interface with, and thus were unnecessary. 

According to program officials, the NOC/SOC was a late addition to the 
program, and at the time of CDR, the component's requirements were 
known to need additional work. Further, they stated that while the 
requirements were not adequately baselined at the time of CDR, the 
interface requirements were understood well enough to begin system 
development. 

Without properly baselined requirements, system testing challenges are 
likely to occur, and the risk of system performance shortfalls, and 
thus cost and schedule problems, are increased. In this regard, we 
recently reported that NOC/SOC testing was hampered by incorrect 
mapping of requirements to test cases, failure to test all of the 
requirements, and significant changes to test cases made during the 
testing events.[Footnote 44] This occurred in part because ambiguities 
in requirements caused testers to rewrite test steps during execution 
based on interpretations of what they thought the requirements meant, 
and they required the SPO to conduct multiple events to test NOC/SOC 
requirements. 

Block 1 Operational Requirements Remain Poorly Defined: 

According to the SBInet Requirements Development and Management Plan, 
requirements should be achievable, verifiable, unambiguous, and 
complete. To ensure this, the plan contains a checklist that is to be 
used in verifying that each requirement possesses these 
characteristics. 

However, not all of the SBInet operational requirements that pertain 
to Block 1 possess these characteristics. Specifically, a November 
2007 DHS assessment[Footnote 45]determined that 19 operational 
requirements, which form the basis for the lower-level requirements 
used to design and build the system, were not complete, achievable, 
verifiable, or affordable. Further, our analysis of the 12 Block 1 
requirements that are included in these 19 operational requirements 
shows that they have not been changed to respond to the DHS findings. 
[Footnote 46] According to the assessment, 6 of the 12 were 
unaffordable and unverifiable, and the other 6 were incomplete. 
Examples of these requirements and DHS's assessment follow: 

* A requirement that the system should provide for complete coverage 
of the border was determined to be unverifiable and unaffordable 
because defining what complete coverage meant was too difficult and 
ensuring complete coverage, given the varied and difficult terrain 
along the border, was cost prohibitive. 

* A requirement that the system should be able to detect and identify 
multiple simultaneous events with different individuals or groups was 
determined to be incomplete because the requirement did not specify 
the number of events to be included, the scope of the area to be 
covered, and the system components to be involved. 

As we have previously reported,[Footnote 47]these limitations in the 
operational requirements affect the quality of system, component, and 
software requirements. This is significant because, as of September 
2009, these 12 operational requirements were associated with 16 system-
level requirements, which were associated with 152 component-level 
requirements, or approximately 15 percent of the total number of 
component-level requirements. According to program officials, these 
requirements were not updated because the SPO planned to resolve the 
problems through the testing process. However, we recently reported 
that requirements limitations actually contributed to testing 
challenges.[Footnote 48] Specifically, we reported that about 71 
percent of combined system qualification and component qualification 
[Footnote 49] test cases had to be rewritten extemporaneously during 
test execution. According to program officials, this was partly due to 
ambiguities in requirements, which led to differing opinions among the 
program and contractor staff about what was required to effectively 
demonstrate that the requirements were met. 

Further, program officials stated that a number of requirements have 
been granted deviations or waivers because they were poorly written. 
For example: 

* A requirement for camera equipment to "conform to the capabilities 
and limitations of the users to operate and maintain it in its 
operational environment and not exceed user capabilities" was 
determined to be subjective and unquantifiable and thus was waived. 

* A requirement for the tower design to accommodate the future 
integration of components "without causing impact on cost, schedule, 
and/or technical performance" was determined to have no specific 
criteria to objectively demonstrate closure decision and thus was also 
waived. 

As a result of these deviations and waivers, the system capabilities 
that are to be delivered as part of Block 1 will be less than 
originally envisioned. 

Requirements Traceability Has Improved, but Until Recently Has Not 
Been Used To Determine If Operational Requirements Were Met: 

Consistent with relevant guidance,[Footnote 50]the SBInet Requirements 
Development and Management Plan provides for maintaining bidirectional 
traceability from high-level operational requirements through detailed 
low-level requirements to test plans. More specifically, it states 
that operational requirements should trace to system requirements, 
which in turn should trace to component requirements that trace to 
design requirements, which further trace to verification methods. 

Since September 2008, the SPO has worked with Boeing to manually 
review each requirement and develop a bidirectional traceability 
matrix. Further, it has used this matrix to update the DOORS 
requirements database. Our analysis of the traceability of a random 
sample of Block 1 component-level requirements in the DOORS database 
shows that they are largely traceable backwards to operational 
requirements and forward to design requirements and verification 
methods. For example, we estimate that only 5 percent (with a 95 
percent confidence interval between 1 and 14 percent) of a random 
sample of component requirements cannot be traced to the system 
requirements and then to the operational requirements. In addition, we 
estimate that 0 percent (with a 95 percent confidence interval between 
0 and 5 percent) of the component requirements in the same sample do 
not trace to a verification method. (See table 5 for the results of 
our analysis along with the associated confidence intervals.)[Footnote 
51] 

Table 5: SBInet Requirements Traceability Results: 

Traceability links from component requirements: To system requirement 
then to operational requirement; 
Estimated failure rate: 5%; 
95 percent confidence interval: 1-14%. 

Traceability links from component requirements: To system requirement; 
Estimated failure rate: 3%; 
95 percent confidence interval: 0-11%. 

Traceability links from component requirements: To verification method; 
Estimated failure rate: 0%; 
95 percent confidence interval: 0-5%. 

Source: GAO analysis of DHS data. 

[End of table] 

By establishing this traceability, the SPO is better positioned to 
know the extent to which the acquired and deployed system can meet 
operational requirements. 

However, the SPO has not used its requirements traceability in closing 
higher-level component requirements. According to relevant guidance, 
[Footnote 52]all lower-level requirements (i.e., children) should be 
closed in order to sufficiently demonstrate that the higher- level 
requirements (i.e., parents) have been met. Consistent with this 
guidance, the SBInet Requirements Development and Management Plan 
states that ensuring the traceability of requirements from children to 
their parents is an integral part of ensuring that testing is properly 
planned and conducted. However, 4 of 8 higher-level component 
requirements (parents) in the above cited random sample of system-
level requirements were closed regardless of whether their 
corresponding lower-level design requirements (children) had been 
closed. According to program officials, this is because their standard 
practice in closing parent requirements, until recently, was to 
sometimes close them before their children were closed. Further, they 
said that this was consistent with their verification criteria 
[Footnote 53] for closing higher-level requirements, which did not 
require closure of the corresponding lower-level requirements. They 
also said that the reason parent verification criteria did not always 
reflect children verification criteria was that traceability was still 
being established when the verification criteria were developed and 
thus parent-child relationships were not always available to inform 
the closure criteria. Furthermore, they stated that schedule demands 
did not permit them to ensure that the verification criteria for 
requirements were aligned with the traceability information. 

After we shared our findings on parent requirement closure with the 
SPO, officials stated that they had changed their approach and will no 
longer close parent requirements without ensuring that all of the 
children requirements have first been closed. However, they did not 
commit to reviewing previously closed parents to determine that all of 
the children were closed. Without fully ensuring traceability among 
requirements verification methods, the risks of delivering a system 
solution that does not fully meet user needs or perform as intended, 
and thus requires additional time and resources to deliver, are 
increased. 

Key Risks Have Not Been Effectively Managed and Disclosed: 

Risk management is a continuous, forward-looking process that 
effectively anticipates and mitigates risks that may have a critical 
impact on a program's success. In 2008, the SPO documented a risk 
management approach[Footnote 54] that largely complies with relevant 
guidance. However, it has not effectively implemented this approach 
for all risks. Moreover, available documentation does not demonstrate 
that significant risks were disclosed to DHS and congressional 
decision makers in a timely fashion, as we previously recommended and, 
while risk disclosure to DHS leadership has recently improved, not all 
risks have been formally captured and thus shared. As a result, the 
program will likely continue to experience actual cost, schedule, and 
performance shortfalls, and key decision makers will continue to be 
less than fully informed. 

Risk Management Approach Has Been Adequately Defined: 

According to relevant guidance,[Footnote 55] effective risk management 
includes defining a process that, among other things, proactively 
identifies and analyzes risks on the basis of likelihood of occurrence 
and impact, assigns ownership, provides for mitigation, and monitors 
status. To the SPO's credit, it has developed an approach for risk 
management that is largely consistent with this guidance. For example, 
the approach provides for: 

* continuously identifying risks throughout the program's life cycle 
before they develop into actual problems, including suggested methods 
for doing so, such as conducting brainstorming sessions and 
interviewing subject matter experts; 

* analyzing identified risks to determine their likelihood of 
occurring and potential impact; 

* assigning responsibility for risks; 

* developing a risk mitigation plan, to include a set of discrete, 
measurable actions or events which, if successfully accomplished, can 
avoid or reduce the likelihood of occurrence or severity of impact of 
the risk; and: 

* executing and regularly monitoring risk mitigation plans to ensure 
that they are implemented and to allow for corrective actions if the 
desired results are not being achieved. 

In February 2007, we reported that the program's risk management 
approach was in the process of being established.[Footnote 56] 
Specifically, we noted that at that time the SPO had drafted a risk 
management plan, established a governance structure, developed a risk 
management database, and identified 30 risks. In April 2009, we 
reported that the DHS Chief Information Officer had certified that 
this approach provided for the regular identification, evaluation, 
mitigation, and monitoring of risks throughout the system life cycle, 
and that it provided for communicating high-risk conditions to DHS 
investment decision makers.[Footnote 57] 

Risk Management Approach Has Not Been Fully Implemented, although 
Improvements Are Under Way: 

The SPO has not adhered to key aspects of its defined process for 
managing program risks. In particular, the program's risk management 
repository, which is the tool used for capturing and tracking risks 
and their mitigation, has not included key risks that have been 
identified by stakeholders. For example, our analysis of reports from 
the repository showing all open and closed risks from April 2006 to 
September 2009 shows that the following program risks that have been 
identified by us and others were not captured in the repository: 

* program cost and schedule risks briefed by the SPO to senior SBInet 
officials in January 2009, such as unplanned and unauthorized work 
impacting the credibility of the program cost data, and program costs 
and schedule plans lacking traceability; 

* program schedule and cost estimate risks identified by the Defense 
Contract Management Agency prior to March 2009, such as contractor- 
provided documentation not permitting adequate assessment of critical 
path accuracy, and cost projections not including all applicable 
elements and thus lacking credibility; and: 

* the risk of the SPO's heavy reliance on contractors, reported by the 
DHS Office of Inspector General in June 2009. 

In addition, the SBI Executive Director told us that the program faces 
a number of other risks, all but one of which were also not in the 
repository. These include the lack of well-defined acquisition 
management processes, staff with the appropriate acquisition 
expertise, and agreement on key system performance parameters. 
According to program officials, some of these risks are not in the 
repository because Boeing is responsible for operating and maintaining 
the repository, and the specifics surrounding the risks and their 
mitigation are considered acquisition sensitive, meaning that they 
should not be shared with Boeing. In this regard, the officials 
acknowledged that the SPO needs a risk database independent of the 
contractor to manage these acquisition-sensitive risks. 

Further, the Risk Manager identified other limitations that have 
hindered the SPO's risk management efforts, along with recent actions 
intended to address them. For example: 

* Risk review meetings were only being held once a month, which was 
resulting in lost opportunities to mitigate risks that were to be 
realized as actual problems within 30 days. As a result, the frequency 
of these meetings has been increased to twice a month. 

* Risk information provided to senior SBI managers at monthly Joint 
Program Management Review Meetings[Footnote 58]was not sufficiently 
detailed, and thus has been expanded. 

* Changes were being made to the risk management repository by 
contractor staff without sufficient justification and without the 
approval of the Joint Risk Review Board. For example, program 
officials cited an instance in which a risk's severity was changed 
from medium to high and no board member knew the reason for the 
change. As a result, the number of contractor staff authorized to 
modify data in the repository was reduced. 

* The repository did not include all requisite information for all 
identified risks. For example, some risks were missing the rationale 
for the likelihood of occurrence and the potential impact. As a 
result, the Joint Risk Review Board has adopted a policy of not 
accepting risks that are missing requisite information. 

According to the Risk Manager, competing program priorities have 
resulted in insufficient resources devoted to risk management 
activities, which has contributed to the state of the SPO's risk 
management efforts. However, he added that the SPO is taking steps to 
improve risk management by revising risk management guidance, 
implementing a CBP-approved database tool for managing government-only 
risks, and increasing risk management training and oversight. 

Until the program's risk management is strengthened and effectively 
implemented, the program will continue to be challenged in its ability 
to forestall cost, schedule, and performance problems. 

Risks Have Not Been Fully Disclosed, but Improvement Has Recently 
Occurred: 

As noted earlier, we recommended in September 2008 that the SPO assess 
SBInet risks and that the results of these assessments, along with 
alternative courses of action to address them, be provided to DHS 
leadership and congressional committees.[Footnote 59] According to 
program officials, shortly after receiving our draft report they 
briefed the DHS Acquisition Review Board[Footnote 60] on, among other 
things, SBInet risks. However, the briefing slides used for this 
meeting do not identify individual risks. Instead, the briefing 
contains one slide that only identifies "contributing factors" to 
changes in the program's schedule, including a reallocation SBInet 
funding to SBI physical infrastructure, concurrencies and delays that 
have occurred in testing, and the need for environmental studies. The 
slides do not identify risks and alternative courses of action to 
address or mitigate them. 

In addition, program officials told us that they briefed congressional 
committees during the fall of 2008 on the program's status, which they 
said included disclosure of program risks. However, they did not have 
any documentation of these briefings to show which committees were 
briefed, when the briefings occurred, who was present, and what was 
discussed and disclosed. Further, House Committee on Homeland Security 
staff stated that while program officials briefed them following our 
September 2008 report, specific program risks were not disclosed. As a 
result, it does not appear that either DHS or congressional 
stakeholders received timely information on risks facing the program 
at a crucial juncture in its life cycle. 

To the SPO's credit, it has recently improved its disclosure of risks 
facing the program. In particular, the SBI Executive Director briefed 
the DHS Chief Information Officer in November 2009 on specific program 
risks. However, this briefing states that the risks presented were the 
Block 1 risks as captured in the contractor's risk repository and that 
additional risks have not yet been formalized (see above discussion 
about repository limitations). Until all key risks are formally 
managed and regularly disclosed to department and congressional 
stakeholders, informed SBInet investment decision making will be 
constrained. 

DHS Has Yet to Implement GAO's Recent SBInet Recommendations: 

As noted earlier, we reported on a number of SBInet program management 
weaknesses in September 2008, and we concluded that these weaknesses 
introduced considerable risk that the program would not meet 
expectations and would require time-consuming and expensive rework. 
[Footnote 61] In summary, these problems included a lack of clarity 
and certainty surrounding what technological capabilities would be 
delivered when, and a lack of rigor and discipline around requirements 
definition and management and test management. To address these 
problems and thereby reduce the program's exposure to cost, schedule, 
and performance risks, we made eight recommendations. DHS concurred 
with seven of the recommendations and disagreed with one aspect of the 
remaining one. 

In summary, the department has not implemented two of the 
recommendations and has partially implemented the remaining six. See 
table 6 for a summary and appendix III for a detailed discussion of 
the status of each recommendation. 

Table 6: Summary of DHS Implementation of GAO's Recent SBInet 
Recommendations: 

Recommendation: (1/2) Assess risks associated with the SBInet 
acquisition and provide the results of the risk assessment to DHS 
senior leadership and congressional authorization and appropriation 
committees; 
DHS comment: Concurred; 
Status: Not implemented. 

Recommendation: (3) Establish and baseline the program commitments; 
DHS comment: Concurred; 
Status: Partially implemented. 

Recommendation: (4) Finalize and approve an integrated master schedule; 
DHS comment: Concurred; 
Status: Partially implemented. 

Recommendation: (5) Revise and approve consistent and up-to-date 
versions of the SBInet life cycle management approach that reflect 
relevant federal guidance and leading practices; 
DHS comment: Concurred; 
Status: Partially implemented. 

Recommendation: (6) Implement the revised life cycle management 
approach; 
DHS comment: Concurred; 
Status: Partially implemented. 

Recommendation: (7) Implement key practices for developing and 
managing system requirements; 
DHS comment: Concurred; 
Status: Partially implemented. 

Recommendation: (8) Implement key test management practices; 
DHS comment: Partially disagreed; 
Status: Partially implemented. 

Source: GAO analysis of DHS data. 

Note: "Partially implemented" means that some, but not all, aspects of 
the recommendation have been fully implemented. "Not implemented" 
means that none of the aspects of the recommendation have been fully 
implemented. 

[End of table] 

Conclusions: 

DHS has yet to demonstrate that its proposed SBInet solution is a cost-
effective course of action, and thus whether the considerable time and 
money being invested to acquire and deploy it is a wise and prudent 
use of limited resources. Given that the magnitude of the initial 
investment in SBInet spans more than 3 years of effort and totals 
hundreds of millions of dollars, coupled with the fact that the scope 
of the initial system's capabilities and areas of deployment have 
continued to shrink, the program is fraught with risk and uncertainty. 
As a result, the time is now for DHS to thoughtfully reconsider its 
proposed SBInet solution, and in doing so, to explore ways to both 
limit its near-term investment in an initial set of operational 
capabilities and develop and share with congressional decision makers 
reliable projections of the relative costs and benefits of longer-term 
alternatives for meeting the mission goals and outcomes that SBInet is 
intended to advance, or reasons why such information is not available 
and the uncertainty and risks associated with not having it. 

Compounding the risks and uncertainty surrounding whether the 
department is pursuing the right course of action are a number of 
system life cycle management concerns, including limitations in the 
integrated master schedule; shortcomings in the documentation 
available to inform key milestone decisions; and weaknesses in how 
requirements have been developed and managed, risks have been managed, 
and tests have been conducted. Collectively, these concerns mean that 
the program is not employing the kind of acquisition management rigor 
and discipline needed to reasonably ensure that proposed system 
capabilities and benefits will be delivered on time and on budget. 

Because of SBInet's decreased scope, uncertain timing, unclear costs 
relative to benefits, and limited life cycle management discipline and 
rigor, in combination with its size and mission importance, the 
program represents a risky undertaking. To minimize the program's 
exposure to risk, it is imperative for DHS to move swiftly to first 
ensure that SBInet, as proposed, is the right course of action for 
meeting its stated border security and immigration management goals 
and outcomes, and once this is established, for it to move with equal 
diligence to ensure that it is being managed the right way. To this 
end, our prior recommendations to DHS relative to SBInet provide for 
strengthening a number of life cycle management processes, including 
requirements development and management and test management. 
Accordingly, we are not making additional recommendations that focus 
on these processes at this time. 

Recommendations for Executive Action: 

To address the considerable risks and uncertainties facing DHS on its 
SBInet program, we are making 12 recommendations. Specifically, we 
recommend that the Secretary of Homeland Security direct the 
Commissioner of U.S. Customs and Border Protection to limit future 
investment in the program to only work that meets one or both of the 
following two conditions: (1) is already under contract and supports 
deployment, acceptance, and operational evaluation of only those Block 
1 capabilities (functions and performance levels) that are currently 
targeted for TUS-1 and AJO-1; or (2) provides the analytical basis for 
informing a departmental decision as to what, if any, expanded 
investment in SBInet, both in terms of capabilities (functions and 
performance) and deployment locations, represents a prudent, 
responsible, and affordable use of resources for achieving the 
department's border security and immigration management mission. 

With respect to the first condition, we further recommend that the 
Secretary of Homeland Security direct the Commissioner of U.S. Customs 
and Border Protection to have the SBI Executive Director make it a 
program priority to ensure that: 

* the integrated master schedule for delivering Block 1 capabilities 
to TUS-1 and AJO-1 is revised to address the key schedule estimating 
practices discussed in this report; 

* the currently defined Block 1 requirements, including key 
performance parameters, are independently validated as complete, 
verifiable, and affordable and any limitations found in the 
requirements are addressed; 

* the Systems Engineering Plan is revised to include or reference 
documentation templates for key artifacts required at milestone gate 
reviews; 

* all parent requirements that have been closed are supported by 
evidence of the closure of all corresponding and associated child 
requirements; and: 

* all significant risks facing the program are captured, mitigated, 
tracked, and periodically reported to DHS and congressional decision 
makers. 

Also with respect to the first condition, we reiterate our prior 
recommendations, as stated in our September 2008 report,[Footnote 
62]relative to establishing program commitments, implementing the 
Systems Engineering Plan, defining and managing requirements, and 
testing. 

With respect to the second condition, we further recommend that the 
Secretary of Homeland Security direct the Commissioner of U.S. Customs 
and Border Protection to have the SBI Executive Director make it a 
program priority to ensure that: 

* a life cycle cost estimate for any incremental block of SBInet 
capabilities that is to include capabilities and cover locations 
beyond those associated with the TUS-1 and AJO-1 deployments is 
developed in a manner that reflects the four characteristics of a 
reliable estimate discussed in this report; 

* a forecast of the qualitative and quantitative benefits to be 
derived from any such incremental block of SBInet over its useful 
life, or reasons why such forecasts are not currently possible, are 
developed and documented; 

* the estimated life cycle costs and benefits and associated net 
present value of any such incremental block of SBInet capabilities, or 
reasons why such an economic analysis cannot be performed, are 
prepared and documented; and: 

* the results of these analyses, or the documented reasons why such 
analyses cannot be provided, are provided to the Commissioner of U.S. 
Customs and Border Protection and the DHS Acquisition Review Board. 

Also with respect to this second condition, we recommend that the 
Secretary of Homeland Security direct the Deputy Secretary of Homeland 
Security, as the Chair of the DHS Acquisition Review Board, to (1) 
decide, in consultation with the board and Commissioner of U.S. 
Customs and Border Protection, what, if any, expanded investment in 
SBInet, both in terms of capabilities (functions and performance) and 
deployment locations, represents a prudent, responsible, and 
affordable use of resources for achieving the department's border 
security and immigration management mission; and (2) report the 
decision, and the basis for it, to the department's authorization and 
appropriations committees. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, signed by the Director, 
Departmental GAO/Office of Inspector General Liaison, and reprinted in 
appendix II, DHS stated that it agreed with ten of our recommendations 
and partially agreed with the remaining two. In this regard, it 
described ongoing and planned actions to address each, and it provided 
milestones for completing these actions. In addition, DHS provided 
technical comments, which we have incorporated in the report as 
appropriate. 

In agreeing with our first recommendation, however, DHS commented that 
the words "one of" were omitted before the two conditions contained in 
the recommendation. However, this interpretation is not correct. 
Rather, the intent of our recommendation is to limit future investment 
on the program to either of the conditions, meaning "one or both of." 
Notwithstanding DHS's interpretation, we believe that actions that it 
described to address this recommendation, which include freezing 
funding beyond the initial deployments to TUS-1 and AJO-1 until it 
completes a comprehensive reassessment of the program that includes an 
analysis of the cost and mission effectiveness of alternative 
technologies, is consistent with the intent of the recommendation. 
Nevertheless, we have slightly modified the recommendation to avoid 
any further confusion. 

Regarding its partial agreement with our recommendation for revising 
the integrated master schedule in accordance with a range of best 
practices embodied in our cost and schedule estimating guide, DHS 
acknowledged the merits of employing these practices and stated that 
it is committed to adopting and deploying them. However, it added that 
the current contract structure limits its ability to fully implement 
all the practices prior to completing the TUS-1 and AJO-1 deployments. 
We understand that program facts and circumstances create practical 
limitations associated with some of the practices, and believe that 
DHS's planned actions are consistent with the intent of our 
recommendation. 

Regarding its partial agreement with our recommendation that 
reiterated a number of the recommendations that we made in a prior 
report,[Footnote 63] DHS stated that, while these prior 
recommendations reflect program management best practices and it 
continues to make incremental improvements to address each, the scope 
of the program had narrowed since these recommendations were made. As 
a result, DHS stated that these prior recommendations were not fully 
applicable until and unless a decision was made to move the program 
forward and conduct future deployments beyond TUS-1 and AJO-1. We 
acknowledge that the facts and circumstances surrounding the program 
have recently changed and that these changes impact the nature and 
timing of actions appropriate for implementing them. Moreover, we 
believe that DHS's planned actions are consistent with the intent of 
our recommendation. 

DHS also commented that it believed that it had implemented two of our 
recommendations and that these recommendations should be closed. 
Because closure of our recommendations requires evidentiary validation 
of described actions, and because many of the actions that DHS 
described were planned rather than completed, we are not closing any 
of our recommendations at this time. As part of our recurring review 
of the status of all of our open recommendations, we will determine if 
and when the recommendations have been satisfied and thus can be 
closed. 

As agreed with your offices, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the report date. At that time, we will send copies of this report 
to interested congressional committees and other parties. We will also 
send copies to the Secretary of Homeland Security, the Commissioner of 
the U.S. Customs and Border Protection, and the Director of the Office 
of Management and Budget. In addition, this report will be available 
at no cost on the GAO Web site at [hyperlink, http://www.gao.gov]. 

Should you or your offices have any questions on matters discussed in 
this report, please contact me at (202) 512-3439 or at hiter@gao.gov. 
Contact points for our Offices of Congressional Relations and Public 
Affairs may be found on the last page of this report. Key contributors 
to this report are listed in appendix VI. 

Signed by: 

Randolph C. Hite: 
Director, Information Technology Architecture and Systems Issues: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Our objectives were to determine the extent to which the Department of 
Homeland Security (DHS) has (1) defined the scope of its proposed 
Secure Border Initiative Network (SBInet) solution, (2) developed a 
reliable schedule for delivering this solution, (3) demonstrated the 
cost-effectiveness of this solution, (4) acquired this solution in 
accordance with key life cycle management processes, and (5) addressed 
our recent SBInet recommendations. To accomplish our objectives, we 
largely focused on the first increment of SBInet, known as Block 1. 

To determine the extent to which DHS has defined the scope of its 
proposed system solution, we reviewed key program documentation 
related to the Block 1 functional and performance requirements and 
deployment locations, such as the SBInet Acquisition Program Baseline 
and related acquisition decision memorandums, the Operational 
Requirements Document, the Operational Requirements Document Elements 
Applicable to Block 1 System, the Requirements Traceability Matrix, 
the Requirements Verification Matrix, and the SBInet Block 1 User 
Assessment. In addition, we compared Block 1 requirements that were 
baselined in October 2008 as part of the Critical Design Review (CDR) 
to the Block 1 requirements as defined as of September 2009 to 
identify what, if any, changes had occurred, and we interviewed 
program officials as to the reasons for any changes. We also compared 
the locations, including the miles of border associated with these 
locations, that were to receive Block 1 as of September 2008 to the 
locations specified in the program's March 2009 Acquisition Program 
Baseline to identify any changes, and we interviewed program officials 
as to the reasons for any changes. Further, we compared the key 
performance parameters listed in the Operational Requirements 
Document, dated March 2007, to the key performance parameters in the 
program's Acquisition Program Baseline dated March 2009. 

To determine the extent to which DHS has developed a reliable schedule 
for its proposed system solution, we analyzed the SBInet integrated 
master schedule as of June 2009 against the nine key schedule 
estimating practices in our Cost Estimating and Assessment Guide. 
[Footnote 64] In doing so, we used commercially available software 
tools to determine whether it, for example, included all critical 
activities, a logical sequence of activities, and reasonable activity 
durations. Further, we observed a demonstration of the schedule in 
June 2009 provided by contractor officials responsible for maintaining 
the schedule and program officials responsible for overseeing the 
contractor. In July 2009, we observed a demonstration of the program 
office's efforts to reconcile the version of the integrated master 
schedule that is exported for the government's use with the version of 
the schedule that the prime contractor uses to manage the program. 
During this demonstration, we discussed some of our concerns regarding 
the integrated master schedule with program officials and we inquired 
about deviations from some of the key practices. Subsequently, the 
program office provided us with a revised version of the integrated 
master schedule as of August 2009, which we analyzed. In doing so, we 
repeated the above described steps. Further, we characterized the 
extent to which the revised schedule met each of the practices as 
either Not Met, Minimally Met, Partially Met, Substantially Met, or 
Met.[Footnote 65] In addition, we analyzed changes in the scheduled 
Block 1 deployment dates presented at each of the monthly program 
reviews for the 1-year period beginning in December 2008 and ending in 
November 2009. 

To determine the extent to which DHS has demonstrated the cost- 
effectiveness of the proposed solution, we evaluated the reliability 
of the Block 1 life cycle cost estimate and the definition of expected 
system benefits, both of which are addressed below. 

* Cost estimate: We first observed a demonstration of the cost model 
used to develop the estimate, which was provided by the contractor 
officials who are responsible for maintaining it and the program 
officials who are responsible for overseeing the contractor. We then 
analyzed the derivation of the cost estimate relative to 12 key 
practices associated with four characteristics of a reliable estimate. 
As defined in our Cost Estimating and Assessment Guide,[Footnote 66] 
these four characteristics are comprehensive, well-documented, 
accurate, and credible, and the practices address, for example, the 
methodologies, assumptions, and source data used. We also interviewed 
program officials responsible for the cost estimate about the 
estimate's derivation. We then characterized the extent to which each 
of the four characteristics was met as either Not Met, Minimally Met, 
Partially Met, Substantially Met, or Met.[Footnote 67] To do so, we 
scored each of the 12 individual key practices associated with the 
four characteristics on a scale of 1-5 (Not Met = 1, Minimally Met = 
2, Partially Met = 3, Substantially Met = 4, and Met = 5), and then 
averaged the individual practice scores associated with a given 
characteristic to determine the score for that characteristic. 

* Benefits: We interviewed program officials to identify any forecasts 
of qualitative and quantitative benefits that the system was to 
produce. In this regard, we were directed to the SBInet Mission Need 
Statement dated October 2006, which we analyzed. In addition, we 
reviewed our prior reports on the Secure Border Initiative (SBI), 
including a report on the SBI expenditure plan, which is a plan that 
DHS has been required by statute to submit to the House and Senate 
Appropriations Committees to, among other things, identify expected 
system benefits. We also interviewed program officials to determine 
the extent to which the system's life cycle costs and expected 
benefits had been analyzed together to economically justify DHS's 
proposed investment in SBInet. 

To determine the extent to which DHS has acquired its proposed system 
solution in accordance with key life cycle management processes, we 
focused on three key processes: the system engineering approach, 
requirements development and management, and risk management, each of 
which is addressed below. 

* Systems engineering approach: We compared the program's defined 
system engineering approach, as defined in the SBInet Systems Program 
Office's (SPO) Systems Engineering Plan, to DHS and other relevant 
guidance.[Footnote 68] To determine the extent to which the defined 
systems engineering approach had been implemented, we focused on two 
major "gates" (i.e., life cycle milestone reviews)--the CDR and the 
Deployment Readiness Review. For each of these reviews, we compared 
the package of documentation prepared for and used during these 
reviews to the program's defined system engineering approach as 
specified in the Systems Engineering Plan to determine what, if any, 
deviations existed. We also interviewed program officials as to the 
reason for any deviations. 

* Requirements development and management: We compared relevant 
requirements management documentation, such as the Requirements 
Development and Management Plan, the Requirements Management Plan, the 
Configuration and Data Management Plan, the Operational Requirements 
Document, the system-level requirements specification,[Footnote 69] 
and the component-level requirements specifications,[Footnote 70] to 
relevant requirements development and management guidance[Footnote 71] 
to identify any variances, focusing on the extent to which 
requirements were properly baselined, adequately defined, and fully 
traced. With respect to requirements baselining, we compared the 
component and system requirements as of September 2008, which were 
approved during the CDR that concluded in October 2008, to the 
component and system requirements as of November 2008, and identified 
the number and percentage of requirements changes. We also interviewed 
program officials as to the reasons for any changes. For requirements 
definition, we assessed the extent to which operational requirements 
that were identified as poorly defined in November 2007 had been 
clarified in the Operational Requirements Document, Elements 
Applicable to Block 1 System, dated November 2008. In doing so, we 
focused on those operational requirements that are associated with 
Block 1. We also traced these Block 1 operational requirements to the 
lower-level system requirements (i.e., system and component 
requirements) to determine how many of the lower-level requirements 
were associated with any unchanged operational requirements. For 
requirements traceability, we randomly selected a sample of 60 
requirements from 1,008 component requirements in the program's 
requirements management tool, known as the Dynamic Object-Oriented 
Requirements System (DOORS), as of July 2009. Before doing so, we 
reviewed the quality of the access controls for the database, and we 
interviewed program and contractor officials and received a DOORS 
tutorial to understand their respective roles in requirements 
management and development and the use of DOORS. Once satisfied as to 
the reliability of the data in DOORS, we then traced each of the 60 
requirements backwards to the system requirements and then to the 
operational requirements and forward to design requirements and 
verification methods. Because we followed a probability procedure 
based on random selection, we are 95 percent confident that each of 
the confidence intervals in this report will include the true values 
in the study population. We used statistical methods appropriate for 
audit compliance testing to estimate 95 percent confidence intervals 
for the traceability of requirements in our sample. 

* Risk management: We reviewed relevant documentation, such as the 
SBInet Risk/Issue/Opportunity Management Plan, the SBInet SPO Risk/ 
Issue/Opportunity Management Process, and the SBInet Risk Management 
Policy, as well as extracts from the SBInet risk management database 
and minutes of meetings and agendas from the Risk Management Team and 
the Joint Risk Review Board. In doing so, we compared the risk 
management process defined in these documents to relevant guidance 
[Footnote 72] to determine the extent to which the program has defined 
an effective risk management approach. Further, we observed a 
demonstration of the risk database, and we compared SBInet risks 
identified by us and others, including the SBI Executive Director, to 
the risks in the database to determine the extent to which all key 
risks were being actively managed. Further, we discussed actions 
recently taken and planned to improve risk management with the person 
responsible for SBInet risk management. We also reviewed briefings and 
related material provided to DHS leadership during oversight reviews 
of SBInet and interviewed program officials to ascertain the extent to 
which program risks were disclosed at these reviews and at meetings 
with congressional committees. In this regard, we also asked cognizant 
staff with the House Homeland Security Committee about the extent to 
which program risks were disclosed by program officials in status 
briefings. 

To determine the extent to which DHS has addressed our prior SBInet 
recommendations, we focused on the eight recommendations that we made 
in our September 2008 report.[Footnote 73] For each recommendation, we 
leveraged the work described above, augmenting it as necessary to 
determine any plans or actions peculiar to a given recommendation. For 
example, to determine the status of efforts to address our prior 
recommendation related to SBInet testing, we reviewed key testing 
documentation, such as the Test and Evaluation Master Plan; SBInet 
component and system qualification test plans, test procedures, and 
test reports; program management reviews; program office briefings; 
and DHS Acquisition Review Board decision memoranda. We also 
interviewed program officials. 

To support our work across the above objectives, we also interviewed 
officials from the Department of Defense's Defense Contract Management 
Agency, which provides contractor oversight services, to understand 
its reviews of the contractor's integrated master schedule, 
requirements development and management activities, risk management 
practices, and testing activities. We also reviewed Defense Contract 
Management Agency documentation, such as monthly status reports and 
reports pertaining to the integrated master schedule and cost 
reporting. 

To assess the reliability of the data that we relied on to support the 
findings in the report, we reviewed relevant program documentation to 
substantiate evidence obtained through interviews with knowledgeable 
agency officials, where available. We determined that the data used in 
this report are sufficiently reliable. We have also made appropriate 
attribution indicating the sources of the data used. 

We performed our work at the Customs and Border Protection (CBP) 
headquarters and contractor facilities in the Washington, D.C., 
metropolitan area and at a contractor facility and a Defense Contract 
Management Agency office in Huntsville, Alabama. We conducted this 
performance audit from December 2008 to May 2010 in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings 
and conclusions based on our audit objectives. We believe that the 
evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

[End of section] 

Appendix II: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 
[hyperlink, http://www.dhs.gov] 

April 19, 2010: 

Mr. Randolph C. Hite: 
Director: 
Information Technology Architecture and Systems Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Hite: 

RE: Draft Report GAO-10-340, Secure Border Initiative: DHS Needs to 
Reconsider Its Proposed Investment in Key Technology Program (GAO Job 
Code 310673): 

The Department of Homeland Security (Department/DHS) appreciates the 
opportunity to review and comment on the draft report referenced 
above. The U.S. Government Accountability Office (GAO) makes twelve 
recommendations and, with two partial exceptions, we agree with them. 
The first eleven recommendations are addressed to U.S. Customs and 
Border Protection (CBP) officials and the last one to the Department.
The GAO was asked to determine the extent to which the Department has 
(1) defined the scope of its proposed SBInet solution, (2) developed a 
reliable schedule for this solution, (3) demonstrated the cost 
effectiveness of this solution, and (4) acquired the solution using 
key management processes. 

Over the last several months the Secretary and CBP officials have 
publicly indicated the need to take another, more deliberative look at 
the case for SBInet deployment. The Secretary's recently directed 
assessment (described below) reinforces, strengthens, and expands on 
that need. 

In the September 2008 report ("Secure Border Initiative: DHS Needs to 
Address Significant Risks in Delivering Key Technology Investment" 
(GAO-08-1086)), the GAO identified a range of management weaknesses 
and program risks facing SBInet Block 1 deployment to Arizona. Those 
findings were consistent with CBP's conclusions about the state of the 
SBInet program. Beginning in August 2008, CBP and DHS implemented more 
rigorous oversight of planned SBInet acquisition, development, 
testing, and deployment activities. In this process SBInet was 
required at specified milestones to report its progress to the 
Department's Acquisition Review Board (ARB), and receive approval 
before continuing with the next deployment increment. The ARB 
completed a series of reviews to establish and baseline the technical 
and programmatic way ahead for the SBInet program. Between September 
2008 and May 2009, the ARB issued three Acquisition Decision 
Memorandums (ADM) approving milestone attainment and SBInet deployment 
to portions of Arizona. The next Acquisition Decision Event (ADE-3) 
for SBInet is to occur after Tuscon-1 (TUS-1) and Ajo-1 (AJO-1) 
complete operational testing. 

At the same time, the SBInet program office began taking stronger 
steps to improve the overall management of the effort. Initial focus 
areas included, among others, earned value management, risk 
management, schedule management, requirements management, and test 
discipline. CBP officials have made significant progress but the 
Department including CBP acknowledges that the work is not complete. 
In fact, correcting the weaknesses identified both by the GAO and by 
CBP teams are significant undertakings and will not be completed 
quickly. CBP officials are taking incremental steps based on their 
assessments of which areas are most critical to the program. The 
Department appreciates GAO's acknowledgement in the draft report that 
CBP has initiated many corrective actions. 

Since last year, CBP and the Department have been re-thinking the 
investment strategy not only with respect to SBInet, but other 
alternative technologies as well. In January 2010, the Secretary 
directed a department-wide assessment of the SBInet program that 
includes an analysis of other potential alternatives for addressing 
security on the southwest border. The Secretary's decision was 
motivated by continuing delays in the development and deployment of 
SBInet capabilities, questions about the long-term viability of the 
program and a concern that the SBInet system had not yet been 
adequately justified by a quantitative assessment of cost and benefit. 

The goal of the SBInet assessment is to review and assess near and 
long-term requirements and technology solutions to enhance border 
security. In the near-term assessment, the Department will identify 
areas of the border where deployment of technology is required earlier 
than SBInet deployments could occur. For those areas, the Department 
plans to procure readily available technologies—like individual 
cameras or Mobile Surveillance SyStems to provide needed capability 
relatively quickly. The Department has redeployed $50 million in 
American Recovery and Reinvestment Act of 2009 funds originally 
programmed to support SBInet Block I to these readily available 
technologies. In the longer-term assessment, the Department plans to 
conduct a comprehensive, science-based SBInet Block-1 analysis of 
alternatives (AoA) to evaluate the appropriateness (as it relates to 
cost and mission effectiveness) of SBInet deployment in areas 
identified and prioritized by the Office of the Border Patrol along 
the Southwest border. The results of the AoA will aid in ensuring that 
SBInet is utilizing the most efficient and effective technological and 
operational solutions in all border security efforts. If this analysis 
suggests that the current, proven SBInet capabilities will 
significantly increase border security and are worth the cost relative 
to other alternatives, the Department will aggressively pursue the 
deployment of those capabilities. If the analysis suggests that some 
modifications of the current technology at different sectors of the 
border would enhance security, accelerate deployment, or lower the 
cost, then the Secretary will direct changes as necessary. If the 
analysis suggests that alternative technology options represent the 
best balance of capability and cost-effectiveness, then the Secretary 
will begin the process of 'redirecting resources currently allocated 
to border security efforts to such stronger and more cost-effective 
options. Regardless, the decisions will be based on solid, objective 
analysis. 

The recommendations and planned corrective actions follow. 

Recommendation 1: 

To address the considerable risks and uncertainties facing DHS on its 
SBInet program, GAO recommended that the Secretary direct the 
Commissioner of CBP to limit future investment in the program to only 
work that meets one of (GAO provided clarification on the 
recommendation sentence preceding the conditions. The words "one of 
were inadvertently omitted.) the following two conditions: (1) is 
already under contract and supports deployment, acceptance, and 
operational evaluation of only those Block I capabilities (functions 
and performance levels) that are currently targeted for TUS- I and MO-
I; or (2) provides the analytical basis for informing a Departmental 
decision as to what, if any, expanded investment in SBInet, both in 
terms of capabilities (functions and performance) and deployment 
locations, represents a prudent, responsible, and affordable use of 
resources for achieving the Department's border security and 
immigration management mission. 

CBP Response: 

CBP concurs. An assessment of the SBInet program is being conducted 
and funding for SBInet Block 1 has been frozen beyond the initial 
deployments to TUS- I and AJO-1 until the assessment is completed. The 
assessment has near-term and a long-term phase. The near-term 
assessment will identify areas of the border where deployment of 
technology is required earlier than SBInet could be ready. CBP and the 
Department will consider procurement of already-existing systems—like 
individual cameras or Mobile Surveillance Systems—that could provide 
needed capability relatively quickly. The long-term assessment will 
continue to evaluate the progress of SBInet. The Secretary will 
evaluate SRI/2er initial deployment tests and analysis of alternatives 
to determine if it makes sense to authorize future SBInet deployments, 
and, if so, where. The decision on future deployments would be made at 
Acquisition Decision Event-3 (ADE-3), which will occur after TUS-1 and 
AJO-1 operational testing. 

Department and CBP officials believe the intent of this recommendation 
has been satisfied and the recommendation should be considered closed. 

With respect to the first condition, GAO further recommended [see 
recommendations 2-61 that the Secretary direct the Commissioner of CBP 
to have the SBI Executive Director make it a program priority to 
ensure that: 

Recommendation 2: the integrated master schedule for delivering Block 
1 capabilities to TUS1 and MO-1 is revised to address the key schedule 
estimating practices discussed in this report; 

CBP Response: 

CBP partially concurs. CBP acknowledges the merits of GAO's key 
schedule estimating and management practices described in the draft 
report. CBP is committed to adopting and deploying these practices for 
the full SBI portfolio of projects. In fact, the SB1 program is making 
significant progress in effecting these "best practices" for the 
SBInet program. Challenges with the current contract structure (e.g., 
creating linkages between multiple Task Orders, significant degree of 
Level of Effort tasks) and "legacy" work breakdown structure (e.g., 
work break down structure is not product oriented and has not been 
updated to reflect the program's substantial evolution) will preclude 
CBP from fully implementing this recommendation before completion of 
the remainder of the TUS-1 and AJO-1 deployment effort. Nonetheless, 
CBP is taking the appropriate steps to improve the completeness and 
utility of the TUS-1 and AJO-1 schedules; these improvements will be 
introduced into the schedules over the next several months. The 
estimated completion date is May 2011. 

Recommendation 3: the currently defined Block 1 requirements, 
including key performance parameters, are independently validated as 
complete, verifiable, and affordable and any limitations found in the 
requirements are addressed; 

CBP Response: 

CBP concurs. One of the program "lessons learned" has been that the 
existing SBInet Block 1 requirements were not the most effective 
representation of system needs. Nonetheless, given the fact that they 
are the currently defined requirements, CBP personnel have focused 
efforts on tightening their requirements management process. CBP has 
also recognized the fact that their requirements allocation and flow 
down is incomplete or ambiguous in some areas, and that those gaps 
increase risk to their verification and validation plans. CBP 
management is continuing their effort to improve in this area. Block 1 
requirements are being verified through a number of increasingly 
comprehensive tests such as component qualification tests, functional 
qualification tests, and system qualification tests. Key performance 
parameters have been validated through modeling as well as actual data 
taking with the Playas test facility. Final verification and 
identification of limitations will occur during System Acceptance 
Testing and subsequent Operational Test & Evaluation activities. 
Affordability will be one of the key considerations during the 
Department-wide assessment described above. The estimated completion 
date is June 2011. 

Recommendation 4: the Systems Engineering Plan is revised to include 
or reference documentation templates for key artifacts required at 
milestone gate reviews; 

CBP Response: 

CBP concurs. The GAO was provided a copy of the currently approved 
version of the Systems Engineering Plan (SEP) dated November 24, 2008. 
SBInet is managing Block 1 to the current SEP. As discussed with the 
GAO, the current version was written in anticipation of Block 2 and 
subsequent future Blocks. The next revision of the SEP will occur only 
if the DHS Acquisition Decision Event-3 approves further deployment of 
SBInet technology. Should the SEP be updated it will include or 
reference documentation templates for key artifacts required at 
milestone gate reviews. The completion date will be determined by the 
Secretary's Assessment and/or the ADE-3. 

Recommendation 5: all parent requirements that have been closed are 
supported by evidence of the closure of all corresponding and 
associated child requirements; 

CBP Response: 

CBP concurs. All parent requirements that have been previously closed 
are being reassessed to ensure the proper closure and documentation of 
associated child requirements. The estimated completion date is May 
2010. 

Recommendation 6: all significant risks facing the program are 
captured, mitigated, tracked, and periodically reported to DHS and 
congressional decision makers. 

CBP Response: 

CBP concurs. As noted above, risk management has been an area of 
program focus for the last several months. SBInet's initial efforts 
focused on improving the contractor's risk management processes. These 
risks are captured and tracked, and mitigation strategies and actions 
are discussed at weekly SBInet Risk Review Board meetings. Significant 
SBInet risks are briefed at the monthly Joint Program Review Meeting 
and reported each month to DHS via the Next Generation Program 
Reporting System (nPRS). More recent efforts have focused on adding 
management of SBI program risks that are NOT necessarily within the 
purview or influence of the contractor. These SBI risks and mitigation 
strategies are documented and tracked by the SBI Program Office and 
periodically briefed to DHS and Congressional decision makers.
Department and CBP officials believe the intent of this recommendation 
has been satisfied and request closure of the recommendation. 

Recommendation 7: 

With respect to the first condition, GAO reiterated their prior 
recommendations, as stated in the September 2008 report "Secure Border 
Initiative: DHS Needs to Address Significant Risks in Delivering Key 
Technology Investment" (GAO-08-1086), relative to establishing program 
commitments, implementing the Systems Engineering Plan, defining and 
managing requirements, and testing. 

CBP Response: 

CBP partially concurs. While the GAO recommendations reflect normal 
"best practices" for sound program management, the program commitments 
and plans have changed a great deal since the earlier GAO reports. 
SBInet's immediate scope for initial deployment of Block 1 is now 
narrowed to TUS-1 and AJO-1. As noted above, CBP is making incremental 
improvements in each of the areas highlighted by the GAO. The 
Secretary will make a decision on future SBInet Block 1 deployments 
after the alternative of analysis assessment is completed, and TUS1 
and AJO-1 operational tests results have been reviewed. Consistent 
with DHS Acquisition Decision Memoranda 2, CBP will present 
comprehensive plans and cost estimates at the next ADE-3 as well as an 
updated program baseline for continuing the Block 1 program if that is 
the conclusion of the review. The estimated completion date will be 
determined by the Secretary's Assessment and/or the ADE-3. 

With respect to the second condition, GAO recommended [recommendations 
8-111 that the Secretary direct the Commissioner of CBP to have the 
SBI Executive Director make it a program priority to ensure that: 

Recommendation 8: a life cycle cost estimate for any incremental block 
of SBInet capabilities that is to include capabilities and cover 
locations beyond those associated with the TUS-1 and AJO-1 deployments 
is developed in a manner that reflects the four characteristics of a 
reliable estimate discussed in this report; 

CBP Response: 

CBP concurs. Consistent with prior DHS Acquisition Decision Memoranda 
provided for the SBInet program, CBP will present comprehensive plans 
and cost estimates, as well as an updated program baseline, at the 
next SBInet Block 1 ADE-3 for continuing the Block 1 program beyond 
TUS-1 and AJO-1 deployments. ADE-3 will only occur if the analysis of 
alternatives assessment, and TUS-1 and AJO-1 operational tests 
validate that expanded investment in SBInet Block 1 makes sense and is 
cost efficient. Completion will be determined by the Secretary's 
Assessment and/or the ADE-3. 

Recommendation 9: a forecast of the qualitative and quantitative 
benefits to be derived from any such incremental block of SBInet over 
its useful life, or reasons why such forecasts are not currently 
possible, are developed and documented; 

CBP Response: 

CBP concurs. Consistent with prior DHS Acquisition Decision Memoranda 
provided for the SBInet program, CBP will present comprehensive plans 
and cost estimates, as well as an updated program baseline, at the 
next SBInet Block 1 Acquisition Decision Event-3 for continuing the 
Block 1 program beyond TUS-1 and AJO-1 deployments. The planned AoA 
will represent an initial view of both qualitative and quantitative 
benefits of the program. However, a more complete assessment will 
depend on experience with the system, data gathering, and data 
analysis. The analysis will also change as other factors change—like, 
for example, concepts of operation and migration of cross-border 
traffic. It is not possible to attribute a specific amount of border 
control just to technology—much less to SBInet, which is a subset of 
the larger technology program. Over time, however, it is possible to 
correlate technology with changes in border security, and to use those 
analyses to advise future cost/benefit analyses. CBP intends for these 
types of analyses to continue indefinitely. The completion date will 
be determined by the Secretary's Assessment and/or the ADE-3. 

Recommendation 10: the estimated life cycle costs and benefits and 
associated net present value of any such incremental block of SBInet 
capabilities, or reasons why such an economic analysis cannot be 
performed, are prepared and documented; 

CBP Response: 

CBP concurs. Consistent with prior DHS Acquisition Decision Memoranda 
provided for the SBInet program, CBP will present comprehensive plans 
and cost estimates, as well as an updated program baseline at the next 
SBInet Block 1 ADE-3. Additional deployments of SBInet Block I and 
investments in subsequent blocks will only occur if the assessment 
directed by the Secretary, and TUS-I and AM- l operational tests 
validate that additional investments make sense. The estimated 
completion date will be determined by the Secretary's Assessment 
and/or the ADE-3. 

Recommendations 11: the results of these analyses, or the documented 
reasons why such analyses cannot be provided, are provided to the 
Commissioner of CBP and the DHS Acquisition Review Board. 

CBP Response: 

CBP concurs. Consistent with prior DHS Acquisition Decision Memoranda 
provided for the SBInet program, CBP will, at the next SBInet Block 1 
ADE-3, present comprehensive plans and cost estimates as well as an 
updated program baseline. Additional deployments of SBInet Block I 
will only occur if the assessment directed by the Secretary and TUS-1 
and A30-1 operational tests validate that additional investments make 
sense. The results of ADE-3, including all supporting documentation, 
will be provided to the CBP Commissioner and the DHS Acquisition 
Review Board. The estimated completion date will be determined by the 
Secretary's Assessment and/or the ADE-3. 

Recommendation 12: 

With respect to the second condition, GAO recommended that the 
Secretary direct the Deputy Secretary of Homeland Security, as the 
Chair of the DHS Acquisition Review Board, to (1) decide, in 
consultation with the board and Commissioner of CBP, what, if any, 
expanded investment in SBInet, both in terms of capabilities 
(functions and performance) and deployment locations, represents a 
prudent, responsible, and affordable use of resources for achieving 
the department's border security and immigration management mission; 
and (2) report the decision, and the basis for it, to the department's 
authorization and appropriations committees. 

Response: 

The Secretary became uniquely aware of the promises that had been made 
about SBInet and the shortfalls it has faced during her tenure as the 
Governor of Arizona. Upon her appointment as Secretary of DHS, she 
took a hard look at the Department's progress with SBInet and gave the 
then current team at CBP a fair chance to prove that they were on the 
right track. 

In late 2009 the Secretary directed the then-Acting Commissioner to 
provide his assessment of the path forward for SBInet and based upon 
the results of his review, ordered a Department-wide reassessment of 
the program to determine if there are alternatives that may more 
efficiently, effectively and economically meet our nation's border 
security needs. 

The Department-wide review is motivated by two major considerations. 
The first is that continued and repeated delays in the deployment of 
the first sectors of SBInet raise fundamental questions about SBInet's 
viability and availability to meet the ultimate need for technology 
along the border. 

The second is that the high and growing cost of SBInet obligates this 
administration to conduct a full and comprehensive analysis of 
alternative options to ensure the Department is maximizing the impact 
and effectiveness of the substantial taxpayer resources being devoted 
to border security technology. This type of comprehensive analysis of 
alternatives was not undertaken prior to initiating the program. Since 
the inception of the SBInet program, and since the beginning of the 
Secretary's tenure, DHS has significantly enhanced the review and 
approval processes for its major acquisition programs. The Secretary 
has now directed the application of that process to re-assess the 
value of this program. 

The assessment is being led by the Department's Office of Management 
in conjunction with CBP and the Science and Technology Directorate. 
The assessment has an immediate, near-term and a long-term phase. 

The immediate phase was necessary to address concerns over Recovery 
Act funding. This phase concluded on March 16 when Department 
officials announced that they would be redirecting $50 million in 
Recovery Act funds that were scheduled to be spent on SBInet to 
alternative technology projects that will immediately improve the 
Department's ability to secure the U.S.- Mexico border. 

In the near-term phase, Department and CBP officials will review 
currently available technology options, including SBInet Block I and 
others such as remote-controlled camera systems called Remote Video 
Surveillance Systems truck-mounted systems with cameras and radar 
called Mobile Surveillance Systems, thermal imaging devices, ultra-
light detection, backscatter units, mobile radios, and cameras and 
laptops for pursuit vehicles, to determine if the Department needs to 
redirect already enacted SBInet funds to other proven solutions to 
meet urgent needs, as identified by the Office of Border Patrol (OBP), 
within the Arizona portion of the Southwest Border. 

In the long-term phase, Department and CBP officials will conduct a 
comprehensive, science-based SBInet Block 1 AoA to evaluate the 
appropriateness, as it relates to cost and mission effectiveness, of 
SBInet deployment in areas identified and prioritized by OBP along the 
Southwest Border. The results of the AoA will aid in ensuring 
Department personnel are employing the most efficient and effective 
technological and operational solutions in all border security 
efforts. If this analysis suggests that the current, proven 
capabilities of SBInet will significantly increase border security and 
are worth the cost relative to other alternatives, the Department will 
aggressively pursue its deployment. If the analysis suggests that some 
modifications of the current technology at different sectors of the 
border would enhance security, accelerate deployment or lower cost, 
then the Secretary will direct changes as necessary. If the analysis 
suggests that alternative technology options represent the best 
balance of capability and cost-effectiveness, then the Secretary will 
begin redirecting resources currently allocated for border security 
efforts to such stronger and more cost effective options. Regardless, 
the decisions will be based on solid, objective analysis. Furthermore, 
future deployment decisions will be informed by the Administration's 
continued refinement of border strategies and desired outcomes. The 
alternatives developed for use in the AoA will need to be informed by 
these processes, as available, and be distributed across a sufficient 
range to ensure relevance to these processes to develop greater 
clarity on strategic questions like level of effort and prioritization 
across threats. 

As part of the assessment officials are reaching outside of the 
Department, to ensure that management has a chance to review ideas 
from other sources. We will look forward to continued discussion with 
the Congress as part of that process. 

Sincerely, 

Singed by: 

Jerald E. Levine: 
Director: 
Departmental GAO/01G Liaison Office: 

[End of section] 

Appendix III: Status of Key GAO Recommendations: 

In September 2008, we reported on a number of SBInet program 
management weaknesses and associated risks related to establishing 
program commitments, developing an integrated master schedule, 
defining and implementing a life cycle management approach, developing 
and managing requirements, and testing. To address these weaknesses 
and risks, we made a number of recommendations. Table 7 provides 
details on DHS efforts to address each recommendation.[Footnote 74] 

Table 7: Status of DHS Implementation of Key GAO Recommendations: 

Recommendation: (1/2) Ensure the risks associated with planned SBInet 
acquisition, development, testing, and deployment activities are 
immediately assessed and the results, including proposed alternative 
courses of action for mitigating the risks, are provided to DHS's 
senior leadership, as well as to the department's congressional 
authorization and appropriation committees; 
DHS comment: Concurred; 
Status: Not implemented; 
GAO analysis: The SBInet Program Office (SPO) did not immediately 
assess key risks facing the program and brief key decision makers. 
According to agency documentation, shortly after receiving our draft 
report, the SPO met with the DHS Acquisition Review Board to formally 
discuss program risks and agree on courses of action to best mitigate 
them. However, the briefing slides from the meeting do not identify 
risks and alternative courses of action to mitigate them. Instead, the 
briefing contained one slide that identified factors contributing to 
changes in the program's schedule. Further, the SPO has yet to 
formally capture a number of acquisition risks such as lack of staff 
with appropriate acquisition expertise, lack of formalized acquisition 
processes, problems with the integrated master schedule and earned 
value management (EVM)[A] reporting, and lack of agreement on key 
performance parameters. The SPO also could not demonstrate that it 
briefed the key congressional committees regarding the risks facing 
the program or specific mitigation plans. While program officials 
stated that they briefed congressional committees during the fall of 
2008, which they said included disclosure of risks, these officials 
did not have any documentation to show when these briefings occurred, 
who was present, and whether or not program risk was a topic of 
discussion. Further, House Homeland Security Committee staff told us 
that while they received several briefings on SBInet during the fall 
of 2008, they were not specifically briefed on program risks. 

Recommendation: (3) Establish and baseline the specific program 
commitments, including the specific system functional and performance 
capabilities that are to be deployed to the Tucson, Yuma, and El Paso 
Sectors, and establish when these capabilities are to be deployed and 
are to be operational; 
DHS comment: Concurred; 
Status: Partially implemented; 
GAO analysis: The SPO has established and baselined program 
commitments, including the system's functional and performance 
capabilities to be deployed and the timing of their deployment and 
operational use. However, these commitments have continued to 
decrease. For example, the SPO has defined the capabilities to be 
deployed in the Tucson and Yuma Sectors; 
however, it dropped the El Paso Sector from its Block 1 deployment 
plans. Further, the functional capabilities for Block 1 have also been 
reduced. Specifically, the number of component- level requirements for 
Block 1 has decreased by about 32 percent since they were baselined in 
late 2008. In addition, system performance has been reduced. For 
example, the system is now only required to achieve a 49 percent 
probability of identifying items of interest that cross the border. 
Moreover, a time frame for when these capabilities are to be deployed 
and begin operating continues to be delayed, and is still uncertain. 
To illustrate the extent of changes to schedule commitments, as of 
July 2008, program officials stated that the deployments to the Tucson 
Border Patrol Station (TUS-1) and the Ajo Border Patrol Station (AJO-
1) would be operational "sometime" during 2009. However, August 2009 
documentation shows that TUS-1 and AJO-1 were scheduled for acceptance 
by the government in February 2010 and July 2010, respectively. 
Moreover, the SBI Executive Director stated in December 2009 that the 
entire Block 1 schedule is being reviewed and revised because of 
uncertainties with projected completion dates. Further, as of February 
2010, TUS-1 and AJO-1 are proposed to be accepted in September 2010 
and November 2010, respectively. However, this proposed schedule has 
yet to be approved by CBP. Finally, the program's cost commitments are 
not based on complete, current, or reliable estimates. The Block 1 
life cycle cost estimate does not cover all costs, has not been 
updated to reflect changes to the program, and does not otherwise 
sufficiently address leading best practices for cost estimating, such 
as properly identifying the ground rules and assumptions used to 
estimate costs, using an independent cost estimate to verify the 
estimate's validity, and undergoing risk and uncertainty analysis. 

Recommendation: (4) Finalize and approve an integrated master schedule 
that reflects the timing and sequencing of the work needed to achieve 
these commitments; 
DHS comment: Concurred; 
Status: Partially implemented; 
GAO analysis: The SPO finalized an integrated master schedule for 
SBInet, and DHS approved the schedule in March 2009. However, the 
schedule is not reliable because it does not adequately comply with 
key practices for schedule estimation, as discussed in this report. 
For example, the schedule does not capture all activities as defined 
in the work breakdown structure or integrated master plan. 
Specifically, 57 percent of the activities listed in the work 
breakdown structure (71 of 125) and 67 percent of the activities 
listed in the integrated master plan (46 of 69) were not in the 
integrated master schedule. In particular, the schedule is missing 
efforts associated with systems engineering, sensor towers, logistics, 
system test and evaluation, operations support, and program 
management. Further, the schedule does not include key activities to 
be performed by the government. While the schedule shows the final 
activity in the government process for obtaining an environmental 
permit in order to construct towers, it does not include the related 
government activities needed to obtain the permit. In addition, the 
schedule does not reflect a valid critical path. For example, it is 
missing government and contractor activities, and is thus not 
complete, and it is missing some predecessor links, and improperly 
establishes other predecessor and successor links. 

Recommendation: (5) Revise and approve versions of the SBInet life 
cycle management approach, including the draft Systems Engineering 
Plan (SEP) and draft Test and Evaluation Management Plan (TEMP), and 
in doing so, ensure that these revised and approved versions are; 
(a) consistent with one another; (b) reflect program officials' 
recently described changes to the engineering and testing approaches, 
and; (c) reflect relevant federal guidance and associated leading 
practices; 
DHS comment: Concurred; 
Status: Partially implemented; 
GAO analysis: (a) The SEP and TEMP were revised and approved in 
November 2008, and these documents are largely consistent with one 
another; (b) The SEP and TEMP reflect the program officials' described 
changes to its engineering and testing approaches; (c) The revised SEP 
and TEMP reflect many aspects of relevant guidance and leading 
practices, as discussed in this report. For example, the SEP defines a 
number of gate reviews to guide system development and operations, 
such as initial planning reviews, requirements reviews, system design 
reviews, and test reviews. In addition, it requires key artifacts and 
program documents identified in DHS guidance, such as a concept of 
operations, an operational requirements document, a deployment plan, a 
risk management plan, a life cycle cost estimate, requirements 
documentation, and test plans. However, the SEP does not address the 
content of the key artifacts that it requires. For example, it does 
not provide a sample document or content template for the required 
documents, such as the concept of operations, the operational 
requirements document, or a deployment plan. Furthermore, the TEMP, 
while consistent with some aspects of relevant guidance, still has 
limitations. For example, and as discussed in more detail below, the 
TEMP describes the program's test strategy, scope, and resource 
requirements, but does not adequately define roles and 
responsibilities and provide sufficient detail for key testing and 
management activities. 

Recommendation: (6) Ensure that the revised and approved life cycle 
management approach is fully implemented; 
DHS comment: Concurred; 
Status: Partially implemented; 
GAO analysis: Program officials stated that they have yet to fully 
implement the Systems Engineering Plan. As a result, they have not 
consistently implemented the plan when conducting gate reviews for 
life cycle activities. For example, while the SPO reviewed and 
considered all but one of the key artifacts for the TUS-1 Deployment 
Readiness Review that concluded in April 2009, a number of key 
documents were not reviewed during the CDR, including the quality 
plan, security test plan, and plans for testing, training, and system 
maintenance. According to program officials, this was because the 
contractor is required to follow criteria in the task order, which was 
written prior to the CDR. Program officials stated that they are 
working to bring the task orders into alignment with the revised SEP. 

Recommendation: (7) Implement key requirements development and 
management practices to include; (a) baselining requirements before 
system design and development efforts begin; (b) analyzing 
requirements prior to being baselined to ensure that they are 
complete, achievable, and verifiable; and; (c) tracing requirements to 
higher-level requirements, lower-level requirements, and test cases; 
DHS comment: Concurred; 
Status: Partially implemented; 
GAO analysis: (a) A baseline set of requirements for the TUS-1 and AJO-
1 system deployments were established in October 2008. Baselined 
requirements associated specifically with the Network Operations 
Center/Security Operations Center (NOC/SOC) were not adequately 
defined at this time, as evidenced by the fact that about 43 percent 
of these requirements were significantly changed 2 months later; 
(b) Twelve of Block 1's 69 operational requirements are not yet 
complete, achievable, verifiable, or affordable. The 12 operational 
requirements, which were reported as deficient by DHS in November 
2007, are associated with 16 system-level requirements, which in turn 
are linked to 152 component-level requirements, which represent 
approximately 15 percent of the total number of component-level 
requirements. Program officials stated that they planned to address 
the problems with requirements during testing. However, they also told 
us that unclear and ambiguous requirements contributed to numerous and 
extensive rewriting of test cases. As we recently reported,[B] most 
SBInet system qualification and component qualification test cases had 
to be rewritten extemporaneously during test execution, in part 
because of differing opinions among staff about what was required to 
effectively test and satisfy the requirements; (c) The Block 1 
component-level requirements are now largely traceable backward to 
system and operational requirements, and forward to design 
requirements and verification methods. 

Recommendation: (8) Implement key test management practices to include; 
(a) developing and documenting test plans prior to the start of 
testing; (b) conducting appropriate component-level testing prior to 
integrating system components; and; (c) approving a test management 
strategy that, at a minimum, includes a relevant testing schedule, 
establishes accountability for testing activities by clearly defining 
testing roles and responsibilities, and includes sufficient detail to 
allow for testing and oversight activities to be clearly understood 
and communicated to test stakeholders; 
DHS comment: Partially disagreed; 
Status: Partially implemented; 
GAO analysis: (a) Test plans and procedures were developed for 
component and system qualification testing; however, they were not 
defined in accordance with key aspects of guidance. For example, none 
of the 10 system and component test plans adequately described testing 
risks, and only 2 of the plans included quality assurance procedures 
for making changes to test plans during execution. In addition, a 
large number of test procedures were changed during test execution, 
and these changes were not made in accordance with documented quality 
assurance processes. Rather, changes were made based on an 
undocumented understanding that program officials said they had 
established with the contractor; (b) Qualification testing for 9 
SBInet components occurred prior to qualification testing of the 
entire system; (c) A test management approach has been established 
that is consistent with some, but not all, aspects of relevant 
guidance. For example, the 2008 TEMP describes (1) a test management 
strategy that is consistent with the program's system development 
approach, (2) a progressive sequence of tests to verify that both 
individual system parts, as well as the integrated system, meet 
specified requirements, and (3) the staff, resources (equipment and 
facilities), and funding requirements associated with SBInet testing. 
However, while the TEMP includes high-level descriptions of various 
test documentation and reports associated with developmental and 
operational testing, it does not include sufficient detail to allow 
for key testing and oversight activities. In addition, the TEMP 
defines high-level roles and responsibilities for various entities 
related to program testing, but similar to what we reported in 2008, 
these responsibilities are defined in vague terms and contain errors. 
Further, the TEMP lacks a clear definition for how the program is to 
prioritize and analyze all problems discovered during testing. 
Specifically, while the TEMP requires that test plans include guidance 
for recording anomalies during testing, it does not describe a process 
for analyzing and prioritizing anomalies according to severity, nor 
does it describe a process for resolving them. Finally, although the 
TEMP and related SBInet task orders include descriptions of certain 
metrics, some of those metrics are not associated with desired quality 
outcomes and do not identify how they support specific test objectives. 

Source: GAO analysis of DHS data. 

[A] EVM is a management tool for monitoring a program's cost and 
schedule performance by measuring the value of the work accomplished 
in a given period, compared to the planned value of the work scheduled 
for that period and the actual cost of the work accomplished. 

[B] GAO, Secure Border Initiative: DHS Needs to Address Testing and 
Performance Limitations That Place Key Technology Program at Risk, GAO-
10-158 (Washington, D.C.: Jan. 29, 2010). 

[End of table] 

[End of section] 

Appendix IV: Detailed Results of GAO Assessment of SBInet Program 
Schedule: 

Our research has identified a range of best practices associated with 
effective schedule estimating.[Footnote 75] These are (1) capturing 
all activities, (2) sequencing all activities, (3) assigning resources 
to all activities, (4) establishing the duration of all activities, 
(5) integrating activities horizontally and vertically, (6) 
establishing the critical path for all activities, (7) identifying 
reasonable float time between activities, (8) conducting a schedule 
risk analysis, and (9) updating the schedule using logic and 
durations. We assessed the extent to which the SBInet integrated 
master schedule, dated August 2009, met each of the nine practices as 
either Not Met (the program provided no evidence that satisfies any 
portion of the criterion), Minimally Met (the program provided 
evidence that satisfies less than one-half of the criterion), 
Partially Met (the program provided evidence that satisfies about one-
half of the criterion), Substantially Met (the program provided 
evidence that satisfies more than one-half of the criterion), and Met 
(the program provided evidence that satisfies the entire criterion). 
Table 8 shows the detailed results of our analysis. 

Table 8: Detailed Results of SBInet Satisfaction of Scheduling Best 
Practices: 

Practice: (1) Capturing all activities; 
Description: The schedule should reflect all activities (steps, 
events, outcomes, etc.) as defined in the program's work breakdown 
structure (WBS)[A] to include activities to be performed by both the 
government and its contractors; 
Met? Minimally; 
Results: The schedule does not capture all activities as defined in 
the program's WBS or integrated master plan (IMP).[B] For example, 57 
percent (71 of 125) of the activities listed in the WBS and 67 percent 
(46 of 69) of the activities listed in the IMP were not in the 
integrated master schedule. In particular, the schedule does not 
include key efforts associated with systems engineering, sensor 
towers, logistics, system test and evaluation, operations support, and 
program management. Further, the schedule only includes a few 
activities to be performed by the government. For example, while the 
schedule shows the final activity in the government process for 
obtaining an environmental permit in order to construct towers, it 
does not include the related government activities needed to obtain 
the permit. 

Practice: (2) Sequencing all activities; 
Description: The schedule should sequence activities in the order that 
they are to be implemented. In particular, activities that must finish 
prior to the start of other activities (i.e., predecessor activities) 
as well as activities that cannot begin until other activities are 
completed (i.e., successor activities) should be identified; 
Met? Substantially; 
Results: The schedule identifies virtually all of the predecessor and 
successor activities. Specifically, only 9 of 1,512 activities (less 
than 1 percent) were missing predecessor links. Further, only 21 of 
1,512 activities (about 1 percent) had improper predecessor and 
successor links. While the number of unlinked activities is very 
small, not linking a given activity can cause problems because changes 
to the durations of these activities will not accurately change the 
dates for related activities. More importantly, 403 of 1,512 
activities (about 27 percent) are constrained by "start no earlier 
than" dates, which is significant because it means that these 
activities are not allowed to start earlier, even if their respective 
predecessor activities have been completed. 

Practice: (3) Assigning resources to all activities; 
Description: The schedule should reflect who will do the work 
activities, whether all required resources will be available when they 
are needed, and whether any funding or time constraints exist; 
Met? Minimally; 
Results: The schedule does not assign the resources needed to complete 
the captured activities. Instead, the contractor's resource data are 
maintained separately as part of its EVM system and are available to 
the government upon request. 

Practice: (4) Establishing duration of all activities; 
Description: The schedule should reflect the duration of each 
activity. These durations should be as short as possible and have 
specific start and end dates; 
Met? Substantially; 
Results: The schedule establishes the duration of key activities and 
includes specific start and end dates for most of the activities. For 
example, the schedule establishes reasonable durations for 1,164 of 
the 1,241[C] activities (about 94 percent) in the schedule. However, 
the remaining 77 activities (or 6 percent) are not always of short 
duration, with 15 of the 77 having durations that ranged from 102 to 
177 days. 

Practice: (5) Integrating schedule activities horizontally and 
vertically; 
Description: The schedule should be horizontally integrated, meaning 
that it should link the products and outcomes associated with 
sequenced activities. The schedule should also be vertically 
integrated, meaning that traceability exists among varying levels of 
activities and supporting tasks and subtasks; 
Met? Partially; 
Results: The schedule is not fully integrated horizontally. While 
horizontal integration exists between task orders for work that is 
under contract, the schedule does not capture all key activities in 
the WBS and IMP. Further, as discussed above, the schedule is missing 
some predecessors and improperly establishes other predecessor and 
successor links. The schedule is also not fully integrated vertically. 
While the schedule provides traceability between higher-level and 
lower-level schedule views, it does not capture all of the WBS and IMP 
activities, as noted above, and thus these activities are not 
integrated. 

Practice: (6) Establishing the critical path for all activities; 
Description: The critical path represents the chain of dependent 
activities with the longest total duration in the schedule; 
Met? Partially; 
Results: The schedule does not reflect a valid critical path for 
several reasons. First, it is missing government and contractor 
activities, and is thus not complete. Second, the schedule does not 
include all predecessor links between activities, and in some cases, 
the predecessor and successor links are not correct. Unless all 
activities are included and properly linked, it is not possible to 
generate a true critical path. These problems were recognized by the 
Defense Contract Management Agency[D] as early as November 2008, when 
it reported that the contractor could not develop a true critical path 
that incorporates all program elements. 

Practice: (7) Identifying reasonable float between activities; 
Description: The schedule should identify a reasonable amount of float-
-the time that a predecessor activity can slip before the delay 
affects successor activities--so that schedule flexibility can be 
determined. As a general rule, activities along the critical path 
typically have the least amount of float; 
Met? Partially; 
Results: The schedule identifies float; 
however, the amount of float is excessive. For example, 202 of 1,512 
activities (about 13 percent) show float between 101 and 150 days, or 
about 3 to 5 months. Another 5 of the 1,512 activities (less than 1 
percent) show float between 970 and 1,427 days (about 2.5 to almost 4 
years). This high level of float is being driven by the lack of 
successor relationships among activities, as previously discussed, and 
may be due to incorrect dependencies between activities. Moreover, 138 
of the 208 activities (about 85 percent) on the critical path show 
negative float, meaning that the activities must be completed ahead of 
schedule in order for the overall program to be on time. Much of the 
negative float in the schedule is due to a number of activities with 
start-no-earlier-than constraints, which means that these activities 
cannot start earlier even if the predecessor is complete. Program 
officials stated that they plan to review the need for these 
constraints. 

Practice: (8) Conducting a schedule risk analysis; 
Description: A schedule risk analysis is used to predict the level of 
confidence in the schedule, determine the amount of time contingency 
needed, and identify high-priority schedule risks; 
Met? Not; 
Results: A risk analysis of the schedule's vulnerability to slippages 
in the completion of activities has not been performed. 

Practice: (9) Updating the schedule using logic and durations; 
Description: The schedule should use logic and durations in order to 
reflect realistic start and completion dates, be continually monitored 
to determine differences between forecasted completion dates and 
planned dates, and avoid logic overrides and artificial constraint 
dates; 
Met? Partially; 
Results: The SPO and the contractor review the schedule during the 
weekly Program Management Reviews and discuss updates, confirm status 
and progress of activities, and document any concerns and impacts. 
Further, program officials stated that critical- path and near-
critical-path activities are managed continuously to determine if 
float conditions are worsening or improving and to ensure that changes 
are reported to management as soon as possible. Further, the program 
generates several monthly reports related to the critical path, 
schedule metrics, and diagnostic filters that provide specific 
information about each task order and the program as a whole. 
Moreover, both SPO and contractor officials responsible for updating 
and monitoring the schedule have received the proper training and have 
experience in critical path method scheduling. Nevertheless, the 
schedule does not reflect a valid critical path, as discussed above. 
Further, problems with the predecessor and successor links, and 
durations also previously discussed, as well as other anomalies in the 
schedule, raise questions about the reliability of the activities' 
start and end dates. For example, 37 of 1,512 activities (about 2 
percent) should have started as of August 2009, but did not, yet the 
schedule software did not automatically advance the start date 
accordingly. Further, the schedule showed 95 of 1,512 activities 
(about 6 percent) with actual start dates after the date of the 
schedule (August 2009), and 84 of 1,512 activities (about 6 percent) 
with actual finish dates after these dates, neither of which should be 
the case. In addition, 403 of 1,512 activities (about 27 percent) 
activities have "start no earlier than" constraints, which means that 
the schedule does not allow activities to start earlier, even when the 
predecessor has been completed. 

Source: GAO analysis of DHS data. 

Note: "Not Met" = DHS provided no evidence that satisfies any of the 
criterion. "Minimally Met" = DHS provided evidence that satisfies less 
than one-half of the criterion. "Partially Met" = DHS provided 
evidence that satisfies about one-half of the criterion. 
"Substantially Met" = DHS provided evidence that satisfies more than 
one-half of the criterion. "Met" = DHS provided complete evidence that 
satisfies the entire criterion. 

[A] The WBS is a document that defines in detail the work necessary to 
complete a program's objectives. 

[B] An IMP is an event-based hierarchy of program events that must be 
completed to complete the program. 

[C] This number of activities does not include milestones, which by 
definition have a duration of zero. 

[D] Based on a letter of commitment with CBP, the Defense Contract 
Management Agency is to provide CBP with contract administration 
services for SBInet, including the identification of issues that could 
impact Boeing's ability to perform the requirements in the task orders 
in accordance with established criteria. In this regard, the Defense 
Contract Management Agency provides the SPO with monthly reports that 
include an assessment of Boeing's system engineering processes, the 
current and projected status of operational and technical issues, and 
the results of ongoing internal audits. 

[End of table] 

[End of section] 

Appendix V: Detailed Results of GAO Assessment of SBInet Cost Estimate: 

Our research has identified 12 practices that are integral to 
effective program life cycle cost estimating.[Footnote 76] These 12 
practices in turn relate to four characteristics of a high-quality and 
reliable cost estimate: 

* Comprehensive: The cost estimate should include all government and 
contractor costs over the program's full life cycle, from program 
inception through design, development, deployment, and operation and 
maintenance to retirement. It should also provide sufficient detail to 
ensure that cost elements are neither omitted nor double-counted, and 
it should document all cost-influencing ground rules and assumptions. 

* Well-documented: The cost estimate should capture in writing things 
such as the source and significance of the data used, the calculations 
performed and their results, and the rationale for choosing a 
particular estimating method or reference. Moreover, this information 
should be captured in such a way that the data used to derive the 
estimate can be traced back to, and verified against, their sources. 
Finally, the cost estimate should be reviewed and accepted by 
management to demonstrate confidence in the estimating process and the 
estimate. 

* Accurate: The cost estimate should not be overly conservative or 
optimistic, and should be, among other things, based on an assessment 
of most likely costs, adjusted properly for inflation, and validated 
against an independent cost estimate. In addition, the estimate should 
be updated regularly to reflect material changes in the program and 
actual cost experience with the program. Further, steps should be 
taken to minimize mathematical mistakes and their significance and to 
ground the estimate in documented assumptions and a historical record 
of actual cost and schedule experiences with other comparable programs. 

* Credible: The cost estimate should discuss any limitations in the 
analysis due to uncertainty or biases surrounding data or assumptions. 
Major assumptions should be varied and other outcomes computed to 
determine how sensitive the estimate is to changes in the assumptions. 
Risk and uncertainty inherent in the estimate should be assessed and 
disclosed. Further, the estimate should be properly verified by, for 
example, comparing the results with an independent cost estimate. 

Our analysis of the $1.3 billion SBInet life cycle cost estimate 
relative to each of the 12 best practices, as well as to each of the 
four characteristics, is summarized in table 9. A detailed analysis 
relative to the 12 practices is in table 10. 

Table 9: Summary of SBInet Satisfaction of Cost Estimating 
Characteristics and Related Practices/Steps: 

Characteristic: Comprehensive; 
Met? Partially; 

Practice/step: Did the team develop a well-written study plan? 
(Practice 2); 
Met? Partially.
Practice/step: Was the estimating structure determined? (Practice 4); 
Met? Partially.
Practice/step: Were ground rules and assumptions identified? (Practice 
5); 
Met? Minimally. 

Characteristic: Well-documented; 
Met? Partially; 

Practice/step: Are the cost estimate's purpose and scope defined and 
documented? (Practice 1); 
Met? Partially.
Practice/step: Were program characteristics defined? (Practice 3); 
Met? Substantially.
Practice/step: Were ground rules and assumptions identified? (Practice 
5); 
Met? Minimally.
Practice/step: Were valid and useful historical data collected? 
(Practice 6); 
Met? Partially.
Practice/step: Was the estimate documented? (Practice 10); 
Met? Substantially.
Practice/step: Was the estimate presented to management for approval? 
(Practice 11); 
Met? Minimally. 

Characteristic: Accurate; 
Met? Minimally; 

Practice/step: Was the point estimate developed and compared to an 
independent cost estimate? (Practice 7); 
Met? Minimally.
Practice/step: Is the estimate updated to reflect actual costs and 
changes? (Practice 12); 
Met? Minimally. 

Characteristic: Credible; 
Met? Partially; 

Practice/step: Was a sensitivity analysis conducted? (Practice 8); 
Met? Partially.
Practice/step: Was a risk and uncertainty analysis conducted? 
(Practice 9); 
Met? Partially.
Practice/step: Was the point estimate developed and compared to an 
independent cost estimate? (Practice 7); 
Met? Minimally. 

Source: GAO analysis of DHS data. 

Note: "Not Met" = DHS provided no evidence that satisfies any portion 
of the criterion. "Minimally Met" = DHS provided evidence that 
satisfies less than one-half of the criterion. "Partially Met" = DHS 
provided evidence that satisfies about one-half of the criterion. 
"Substantially Met" = DHS provided evidence that satisfies more than 
one-half of the criterion. "Met" = DHS provided complete evidence that 
satisfies the entire criterion. 

[End of table] 

Table 10: Detailed Results of SBInet Satisfaction of 12 Cost 
Estimating Practices/Steps: 

Practice: (1) Are the cost estimate's purpose and scope defined and 
documented? 
Description: A life cycle cost estimate provides a structured 
accounting of all resources and associated cost elements required to 
develop, produce, deploy, and sustain a program. As such, the estimate 
should include; (a) a level of detail consistent with the level of 
detail available for the program; (b) all applicable costs, including 
all past (or sunk), present, and future costs for every aspect of the 
program, regardless of funding source; and; (c) a defined scope for 
the estimate; 
Met? Partially; 
Results: The Block 1 life cycle cost estimate of $1.3 billion does not 
account for all resources and cost elements associated with Block 1 
development, acquisition, deployment, and sustainment. In particular: 
(a) The cost estimate is generally defined at a level of detail that 
is consistent with the WBS[A] for the program, and thus allows for the 
development of a quality estimate; (b) The cost estimate does not 
include all applicable costs. For example, the estimate excludes sunk 
costs, including design, development, and testing, as well as 
contractor and government program management and support costs. 
Further, it includes only 1 year of operations and maintenance costs; 
(c) Program officials stated that the scope of the cost estimate 
includes the cost to complete Block 1 as of the time of the 
Acquisition Program Baseline, which was approved in March 2009. 
However, this scope is not consistent with the estimate's stated 
purpose, as it excludes sunk costs and operation and maintenance costs 
over the system's useful life. 

Practice: (2) Did the team develop a well-written study plan? 
Description: A cost estimate should be based on a written study plan 
that identifies, among other things; (a) the estimating team's 
composition,; (b) the subject matter experts that the estimating team 
will rely on for information; (c) the estimating approach, and; 
(d) a schedule for completing the estimate that includes adequate time 
to perform the work; 
Met? Partially; 
Results: The cost estimate was not based on a written study plan; 
however, it partially met other aspects of this practice. Specifically: 
(a) A contractor with many years of experience in government cost 
estimating was hired to develop the estimate; (b) The contractor had 
access to government subject matter experts, including program office 
logisticians, engineers, and technicians, as well as Border Patrol 
staff, for key information, such as ground rules, assumptions, and 
requirements for labor and material; (c) Program officials described 
the overall cost estimating approach and this approach largely follows 
relevant estimating procedures, including developing a detailed WBS, 
identifying cost estimating methods, identifying source data and 
subject matter experts for each WBS element, conducting data analysis, 
deriving the estimate, and performing recursive updates as data become 
available; (d) A schedule for completing and updating the estimate 
does not exist. 

Practice: (3) Were program characteristics defined? 
Description: Critical to developing a reliable cost estimate is having 
an adequate understanding of the program's key characteristics (i.e., 
a defined technical program baseline), including documented 
requirements, purpose, technical characteristics, development plan, 
acquisition strategy, operational plan, and risk. The less such 
information is known, the more assumptions must be made, thus 
increasing the risk associated with the estimate; 
Met? Substantially; 
Results: The SPO has defined and documented a technical program 
baseline across various documents that together describe the program's 
requirements, purpose, technical characteristics, development plan, 
acquisition strategy, operational plan, and risks. Examples of the 
source data for this baseline include critical design review and 
deployment readiness review documentation as the basis for the 
requirements and technical characteristics, and the Project Laydown 
Workbook Revision 12 as the basis for the master tower construction 
plan for the location, tower height, and radar and camera type. 

Practice: (4) Was the estimating structure determined? 
Description: A WBS is the cornerstone of every program. It defines the 
detailed work elements needed to accomplish the program's objectives 
and the logical relationship among these elements, and it provides a 
systematic and standardized way for collecting data across the 
program. Thus, it is an essential part of developing a program's life 
cycle cost estimate. As such, a WBS should: (a) decompose product-
oriented elements to an appropriate level of detail (generally to at 
least three levels of decomposition) to ensure that cost elements are 
neither omitted nor double counted; (b) provide a standardized way for 
collecting data across the program; (c) be consistent across the cost 
estimate, integrated master schedule and EVM system;[B]; (d) be 
updated as the program becomes better defined and to reflect changes 
as they occur; and; (e) include a dictionary that defines each element 
and how it is related to others in the hierarchy; 
Met? Partially; 
Results: The SPO has a WBS that defines much, but not all, of the 
detailed work and the relationships among work elements needed to 
accomplish the program's objectives. More specifically: 
(a) The WBS decomposes product-oriented work elements (as well as 
process-oriented work elements). For example, radar, camera, tower, 
and unattended ground sensor products are visible and decomposed to a 
third level of detail, thus ensuring that associated costs are neither 
omitted nor double counted. However, the WBS omits several key 
elements, such as sunk costs for contractor program management; 
overhead; system design, development and testing; and software design, 
development, and testing. Therefore, it does not fully represent all 
work necessary to accomplish the program's objectives; (b) The WBS and 
the cost estimate are standardized to a third level of decomposition. 
The cost estimate is further decomposed to provide greater granularity 
in the estimate; (c) The WBS is consistent with the cost estimate and 
the EVM system to the third level of decomposition. However, the WBS 
is not consistent with the integrated master schedule. In particular, 
the schedule is missing several level-2 WBS elements, including 
Project Sector Deployment, Logistics, Test and Evaluation, Operations 
Support, Program Management, and Transportation; (d) The WBS has been 
modified over time to reflect an updated view of the program. For 
example, while the WBS is decomposed to level 5 for Project Sector 
Acquisitions, the cost estimate further decomposes this work element 
to level 8 based on the availability of more detailed information; 
(e) The WBS includes a dictionary that defines each work element down 
to a third level of decomposition and its relationships with other 
work elements. 

Practice: (5) Were ground rules and assumptions identified? 
Description: Cost estimates are typically based on limited information 
and therefore need to be bound by the constraints that make estimating 
possible. Among other things, these constraints, which include ground 
rules and assumptions, should at a minimum be identified. More 
specifically: (a) risks associated with assumptions should be 
identified and traced to WBS elements; (b) budget constraints should 
be identified; (c) inflation indices and their source should be 
identified; (d) dependencies on other organizational entities, and the 
effect on the estimate if the assumptions fail, should be identified; 
(e) items that have been excluded from the estimate should be 
identified, documented, and explained; (f) the effect on cost and 
schedule if technology maturity assumptions fail should be addressed; 
and; (g) risk distributions for all assumptions should be determined; 
Met? Minimally; 
Results: The ground rules and assumptions affecting the cost estimate 
were largely not identified, documented, and assessed. In particular: 
(a) Risk was estimated and documented for material unit prices and 
labor rates. However, the risk associated with the assumptions that 
drive the cost estimate, such as number of towers and staff and 
schedule variations, were not identified and traced to WBS elements; 
(b) Budget constraints are not identified in the cost estimate 
documentation; (c) The inflation rates were taken from Office of 
Management and Budget Circular A-94.[C] However, they were improperly 
derived. Specifically, the SPO overstated the inflation rate by using 
the projected interest rate rather than the projected inflation rate; 
(d) The estimate includes only contractor costs and does not recognize 
assumptions about, for example, government costs; (e) The estimate 
documents excluded costs, such as government effort, operations and 
maintenance costs beyond the first year of steady state support, 
operations and maintenance costs of legacy equipment, and 
participating agency support costs. Further, other excluded costs were 
documented in a supplemental briefing from program officials, 
including sunk costs, software, government program management and 
support costs, and costs of expected block evolutions. Also, 
explanations as to why these costs were excluded were not documented; 
(f) SBInet is to be largely based on commercial-off-the-shelf (COTS) 
products, and thus the cost estimate depends on assumptions about the 
maturity of these products. However, the estimate does not address the 
effect of the failure of these product maturity assumptions on the 
cost estimate. These assumptions are significant because COTS 
limitations have been identified as a key contributor to Block 1's 
reduced scope and schedule delays; (g) The estimate includes risk 
distributions for some, but not all, of the assumptions. The majority 
of these distributions were based on "industry standards" and opinions 
from subject matter experts (e.g., logisticians, engineers, 
technicians, and Border Patrol staff from various integrated product 
teams). 

Practice: (6) Were valid and useful historical data collected? 
Description: Cost estimates should be rooted in historical data. To 
ensure that these data are applicable and useful, the following 
activities should be performed: 
(a) cost drivers should be identified; (b) data should be collected 
from primary sources, and the data's source, content, time, and units 
should be documented and their accuracy and reliability should be 
assessed; (c) data should be continually collected so that they are 
available for future use; (d) understanding of the data should include 
meeting with parties who are responsible for them; (e) the data should 
be reviewed and benchmarked for reasonableness; and; (f) scatter plots 
and descriptive statistics should be used to analyze the data; 
Met? Partially; 
Results: Cost estimates were, in part, grounded in historical data. 
However, key activities associated with using such data were not 
performed. Specifically: (a) The cost estimate did not specifically 
identify cost drivers. However, a supplemental briefing did identify 
key cost drivers. For example, the top five cost drivers for 
deployment were identified as land tower systems, unattended ground 
systems, vehicle communications upgrades, program management for 
deployment, and microwave transceivers and equipment, and the top five 
cost drivers for operations and maintenance were identified as 
maintenance technicians, vehicle console technicians, depot repair 
(normal wear and tear), camera overhaul, and depot repair (vandalism); 
(b) For hardware and material cost estimates, historical data were 
collected from Boeing primary data sources, such as technical data 
from design reviews, engineering drawings, technical workbooks, bills 
of material data, and purchase agreements. For construction labor cost 
estimates, data were collected from a secondary source--the Davis-
Bacon National Construction estimate labor rates. For nonconstruction 
labor cost estimates, data were collected from Boeing (and General 
Services Administration) labor rates and labor hours that were 
estimated via engineering judgment, which is not a credible primary 
estimating method according to GAO best practices. Further, the 
documentation for these nonconstruction labor estimates did not 
indicate the source of the data. To assess the data's accuracy and 
reliability, officials told us that the estimators met with program 
office subject matter experts and regularly attended program 
management reviews, design reviews, and integrated product team 
meetings; (c) The SPO regularly receives Boeing EVM data. However, 
program officials stated that the data are not used for cost 
estimating; (d) The estimating team met with program office subject 
matter experts and regularly attended program management reviews, 
design reviews, and integrated product team meetings to help 
understand the data collected; (e) The data used were not benchmarked 
against relevant historical data, such as Project 28 deployment and 
logistics costs; (f) Scatter plots or statistical analysis were not 
used. 

Practice: (7) Was the point estimate developed and compared to an 
independent cost estimate? 
Description: A point estimate represents the most likely estimate of 
costs given the underlying data, and thus it should be developed and 
validated. To accomplish this: (a) the WBS cost element estimates 
should be aggregated using a cost estimating method; (b) the estimate 
should be checked for accuracy, double- counting, and omissions, and 
it should be validated against an independent cost estimate; 
and; (c) estimates of software costs should be based on software cost 
estimating best practices; 
Met? Minimally; 
Results: A point estimate of $1.302 billion was developed, but it was 
not adequately validated. Specifically: (a) The point estimate was 
developed using primarily the "engineering build-up" method, with a 
few cost elements estimated using the "analogy" method; (b) While the 
use of cross-checks was limited to only a few hardware elements, no 
instances of double-counting were visible, and the spreadsheet 
calculations were accurate given the input parameters and assumptions. 
However, no independent cost estimate was developed; (c) Software 
costs were not estimated. According to program officials, these costs 
were considered to be outside the scope of the estimate. 

Practice: (8) Was a sensitivity analysis conducted? 
Description: A sensitivity analysis examines the effects of changing 
assumptions and ground rules. To be useful: (a) the analysis should 
identify key cost drivers and their parameters and assumptions should 
be examined; (b) the cost estimate should be redone by varying each 
parameter between its minimum and maximum range; (c) the analysis 
should be documented, and the re-estimate should be repeated for 
parameters associated with key cost drivers; 
Met? Partially; 
Results: A sensitivity analysis was not conducted. Specifically: 
(a) The cost estimate did not identify and vary most major cost 
drivers and their underlying assumptions and parameters. However, a 
supplemental briefing did identify key cost drivers. For example, the 
top five cost drivers for deployment are land tower systems, 
unattended ground systems, vehicle communications upgrades, program 
management for deployment, and microwave transceivers and equipment, 
and the top five cost drivers for operations and maintenance are 
maintenance technicians, vehicle console technicians, depot repair 
(normal wear and tear), camera overhaul, and depot repair (vandalism); 
(b) The cost estimate did not vary key cost driver parameters; 
(c) As noted above, the cost estimate did not vary key cost driver 
parameters. However, program officials described one sensitivity 
excursion that was performed in which tower quantities were varied. 
Specifically, the addition of one tower was shown to increase 
deployment costs by $2.2 million and increase operation and 
maintenance costs by $2.5 million (both then-year dollars). 

Practice: (9) Was a risk and uncertainty analysis conducted? 
Description: A cost estimate is a prediction based on assumptions, 
constraints, and unknowns, and thus the risk exists that actual costs 
will differ from the estimate. To understand this risk and associated 
uncertainty, both should be analyzed. Specifically: (a) a probability 
distribution for each cost element's uncertainty should be modeled to 
identify risk; (b) relationships among cost elements should be 
assessed to capture risk; (c) a Monte Carlo simulation[D] to develop a 
distribution of total possible costs and derive an S curve[E] to show 
alternative cost estimate probabilities should be conducted; (d) a 
probability should be associated with the point estimate; (e) 
contingency reserves should be recommended for achieving the desired 
confidence level; (f) the risk-adjusted estimate should be developed, 
and the associated risks should be identified for mitigation; and; 
(g) a plan should be implemented jointly with the contractor for 
identifying, analyzing, mitigating, and tracking risks; 
Met? Partially; 
Results: A risk and uncertainty analysis was conducted, but it was 
limited. In particular: (a) Probability distributions were modeled for 
each cost element based on engineering judgment, rather than discrete 
analysis. However, since some cost elements, as noted earlier, such as 
those associated with government activities and development of 
software for the common operating picture, were excluded, the 
uncertainty analysis does not capture all risks; (b) Relationships 
among cost element estimates were assessed. However, since, as noted 
earlier, some cost elements were excluded, this assessment does not 
capture all risks; (c) A Monte Carlo simulation model that used the 
Latin Hypercube algorithm was conducted to derive a cumulative density 
function S-curve; (d) A probability was identified for the point 
estimate in the documentation. Specifically, the point estimate of 
$984.5 million (then-year dollars) is at the 37 percent confidence 
level, and is bounded by a low estimate of $895 million (at the 10th 
percentile) and a high estimate of $1,140 million (at the 90th 
percentile). However, the estimate does not specify a target 
confidence level, and it has not been updated to include risk ranges 
and confidence levels for the revised point estimate of $1.302 billion; 
(e) Program officials stated that contingency reserves were estimated, 
but the estimate documentation does not identify either the amount of 
reserves or the desired confidence level; (f) Program officials stated 
that a risk-adjusted budget estimate was developed. However, no 
documentation exists to demonstrate this; (g) The SPO has a risk 
management plan, and its risk database identifies seven cost-related 
risks that were opened in 2008. However, none of these seven risks 
mention the cost estimate or life cycle costs as part of the risk 
description. 

Practice: (10) Was the estimate documented? 
Description: Documentation should describe the cost estimating 
process, data sources, and methods, so that a cost analyst unfamiliar 
with the program could understand how the estimate was derived. Among 
other things: (a) actual costs and program changes should be 
documented and available to update the estimate; (b) narrative and 
cost tables, including an executive summary, introduction, and 
descriptions of methods, should be used to describe the estimate. 
Further, data should be broken out by WBS elements, and sensitivity 
analysis, risk and uncertainty analysis, management approval, and 
updates to reflect actual costs and program changes should be 
documented; (c) the 12 key practices in this table should be cited or 
referenced; (d) contingency reserves and how they were derived from 
risk and uncertainty analysis should be discussed; and; (e) an 
electronic copy of the cost estimate should exist; 
Met? Substantially; 
Results: Most, but not all, aspects of the cost estimate, such as the 
data and calculations associated with the WBS elements, were 
documented in enough detail so that an analyst unfamiliar with the 
program could use the documentation to recreate the estimate and get 
the same results. Specifically: (a) Actual costs and program changes 
were generally not used to regularly update the estimate; (b) The 
document's introductory sections include a program overview, program 
description, program strategy, documentation overview, and program 
cost baseline overview. The body was organized in accordance with the 
WBS, thus providing a logical flow structure, and the narrative was 
supported by cost tables for each major section. The documentation 
also included some analysis of risks, but did not include a 
sensitivity analysis and management approval of the estimate, and it 
did not address how the estimate is updated to reflect actual costs 
and program changes; (c) The documentation does not explicitly 
identify the twelve practices. However, the cost estimate does address 
these practices to varying degrees; (d) Contingency reserves and the 
associated level of confidence for the risk-adjusted cost estimate are 
not documented; (e) An electronic version of the cost estimate exists. 

Practice: (11) Was the estimate presented to, and approved by, 
management? 
Description: A briefing should be prepared for management that 
contains enough detail to show that the estimate is accurate, 
complete, and reliable, and management should approve the estimate. 
More specifically: (a) the briefing should include an overview of the 
program's technical foundation and objectives, the life cycle cost 
estimate in time-phased constant year dollars, a discussion of ground 
rules and assumptions, the method and process for each WBS cost 
element estimate including data sources, the results of sensitivity 
and risk/uncertainty analysis along with a confidence interval, the 
comparison of the point estimate to an independent cost estimate along 
with any differences, an affordability analysis based on funding and 
contingency reserves, a discussion of any concerns or challenges, as 
well as conclusions about the estimate's reasonableness and 
recommendations for approval, and; (b) feedback from management should 
be acted on and documented, along with management's approval of the 
estimate; 
Met? Minimally; 
Results: The cost estimate was briefed to the CBP Investment Review 
Board and was approved by management. However, the briefing was not 
detailed enough to show that the estimate is accurate, complete, and 
reliable. Specifically: (a) The briefing contains information on the 
approach and methods used and the estimate itself. Specifically, the 
briefing included a high-level overview of the program's technical 
foundation, the cost estimating method for each WBS cost element, and 
the results of risk/uncertainty analysis along with a confidence 
interval and a level of confidence for the point estimate, and a 
discussion of affordability. However, the briefing did not include the 
results of a sensitivity analysis, a discussion of ground rules and 
assumptions, the life cycle cost estimate in both time-phased constant 
year dollars and then-year dollars, or identify a level of contingency 
reserve associated with a risk-adjusted cost estimate. In addition, it 
did not include a comparison or reconciliation of the estimate with an 
independent cost estimate; (b) According to program officials, 
feedback was received from various parties to whom the briefing was 
provided, but the feedback was not documented. Among others, the 
briefing was provided to the SBI Executive Director, CBP Investment 
Review Board, the DHS Cost Analysis Division, and the DHS Acquisition 
Review Board on the estimate. The estimate was approved in March 2009 
by the DHS Deputy Secretary as the Acquisition Authority for SBInet. 

Practice: (12) Is the estimate updated to reflect actual costs and 
program changes? 
Description: The cost estimate should be updated to ensure that it is 
current. Specifically: (a) the estimate should be regularly updated to 
reflect relevant changes to the technical and program baseline; 
(b) the estimate should incorporate actual costs when available; 
and; (c) the estimate should address lessons learned for elements 
whose actual costs differed from the estimate; 
Met? Minimally; 
Results: The estimate is not routinely updated and reasons for 
variances between estimated and actual costs are not addressed; 
(a) The cost estimate documentation highlights 10 adjustments that 
were made to reconcile the estimate with the Acquisition Program 
Baseline. However, the estimate has not been updated to reflect 
current information on an ongoing basis. For example, the estimate 
does not reflect development and testing activities that were added 
since the estimate was approved to correct problems discovered during 
testing; (b) Program officials stated that they do not use actual cost 
data from EVM reports to update the estimate; (c) Reasons for cost 
variances, and thus lessons learned, are not addressed. 

Source: GAO analysis of DHS data. 

[A] The WBS is a document that defines in detail the work necessary to 
complete a program's objectives. 

[B] EVM is a management tool for monitoring a program's cost and 
schedule performance by measuring the value of the work accomplished 
in a given period, compared to the planned value of work scheduled for 
that period and the actual cost of work accomplished. 

[C] Office of Management and Budget, Guidelines and Discount Rates for 
Benefit-Cost Analysis of Federal Programs, Circular A-94 Revised, 
(Washington, D.C., Oct. 29, 1992). 

[D] A Monte Carlo simulation involves the use of random numbers and 
probability distributions to examine outcomes. 

[E] An S curve is a cumulative probability distribution, most often 
derived from a simulation, such as Monte Carlo, that is particularly 
useful in portraying the uncertainty implications of various cost 
estimates. 

[End of table] 

[End of section] 

Appendix VI: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Randolph C. Hite, (202) 512-3439 or hiter@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, Deborah Davis (Assistant 
Director), David Alexander, Rebecca Alvarez, Carl Barden, Tisha 
Derricotte, Neil Doherty, Nancy Glover, Dan Gordon, Cheryl 
Dottermusch, Thomas J. Johnson, Kaelin P. Kuhn, Jason T. Lee, Lee 
McCracken, Jamelyn Payan, Karen Richey, Karl W.D. Seifert, Matt 
Snyder, Sushmita Srikanth, Jennifer Stavros-Turner, Stacey L. Steele, 
and Karen Talley made key contributions to this report. 

[End of section] 

Footnotes: 

[1] At a port of entry location, CBP officers secure the flow of 
people and cargo into and out of the country, while facilitating 
travel and trade. 

[2] GAO, Secure Border Initiative: DHS Needs to Address Significant 
Risks in Delivering Key Technology Investment, [hyperlink, 
http://www.gao.gov/products/GAO-08-1086] (Washington, D.C.: Sept. 22, 
2008). 

[3] GAO, Border Security: Key Unresolved Issues Justify Reevaluation 
of Border Surveillance Technology Program, [hyperlink, 
http://www.gao.gov/products/GAO-06-295] (Washington, D.C.: Feb. 22, 
2006). 

[4] The remaining $126 million was for upgrading the supporting CBP 
telecommunications links. 

[5] In addition to the SBI Program Office, the SBI Acquisition Office 
is responsible for performing contract administration activities. 

[6] The physical infrastructure (e.g., physical fencing) portion of 
SBI is managed on a day-to-day basis by CBP's Office of Finance 
Facilities Management and Engineering division. 

[7] CBP divides the United States' borders with Mexico and Canada into 
20 sectors responsible for detecting, interdicting, and apprehending 
those who attempt illegal entry or to smuggle contraband across U.S. 
borders. 

[8] GAO, Secure Border Initiative: Observations on Selected Aspects of 
SBInet Program Implementation, [hyperlink, 
http://www.gao.gov/products/GAO-08-131T] (Washington, D.C.: Oct. 24, 
2007) and Secure Border Initiative: Observations on the Importance of 
Applying Lessons Learned to Future Projects, [hyperlink, 
http://www.gao.gov/products/GAO-08-508T] (Washington, D.C.: Feb. 27, 
2008). 

[9] The area that will be covered by TUS-1 covers 23 of the 28 miles 
associated with Project 28. According to the SPO, the Project 28 
capabilities (surveillance systems and COP) will be replaced with 
Block 1 capabilities as part of the TUS-1 deployment. 

[10] GAO, Secure Border Initiative: SBInet Expenditure Plan Needs to 
Better Support Oversight and Accountability, [hyperlink, 
http://www.gao.gov/products/GAO-07-309] (Washington, D.C.: Feb. 15, 
2007). 

[11] [hyperlink, http://www.gao.gov/products/GAO-08-131T]. 

[12] [hyperlink, http://www.gao.gov/products/GAO-08-508T]. 

[13] [hyperlink, http://www.gao.gov/products/GAO-08-1086]. 

[14] GAO, Secure Border Initiative: Technology Deployment Delays 
Persist and the Impact of Border Fencing Has Not Been Addressed, 
[hyperlink, http://www.gao.gov/products/GAO-09-896] (Washington, D.C.: 
Sept. 9, 2009). 

[15] GAO, Secure Border Initiative: DHS Needs to Address Testing and 
Performance Limitations That Place Key Technology Program at Risk, 
[hyperlink, http://www.gao.gov/products/GAO-10-158] (Washington, D.C.: 
Jan. 29, 2010). 

[16] [hyperlink, http://www.gao.gov/products/GAO-08-1086]. 

[17] A specification is the written collection of individual 
requirements for a given hardware component (e.g., camera or radar) or 
a software subsystem (e.g., COP). 

[18] The requirements baseline establishes a set of requirements that 
have been formally reviewed, agreed upon, and placed under formal 
change control. The requirements baseline serves as the basis for 
system design and development. 

[19] The NOC monitors SBInet equipment with network connections and 
provides alerts of network events. The SOC protects SBInet equipment 
with network connections from external and internal network-based 
attacks and provides user authentication services. 

[20] According to program documentation, a deviation is a request from 
the contractor to deliver a product that temporarily departs from a 
specified requirement, with the expectation that the product will 
eventually be modified to meet the requirement. A waiver is a request 
from the contractor to deliver a product that will not meet a 
specified requirement, but is considered suitable for use as 
delivered. In the case of a waiver, there is no expectation that the 
product will ever be changed to meet the requirement. 

[21] The user assessment was conducted from March 27, 2009, to April 
3, 2009, in conjunction with personnel from the Johns Hopkins 
University Applied Physics Laboratory. While the purpose of the 
assessment was to obtain the users' views of the system's operational 
effectiveness, and was not designed to be a test of system performance 
against requirements, the assessment report nonetheless identified 
instances in which requirements were not met. 

[22] The laser range finder is mounted to the cameras to provide 
accurate distance data on targets and thereby allows operators to 
direct Border Patrol agents more effectively. 

[23] The Acquisition Program Baseline formally documents a program's 
critical cost, schedule, and performance parameters, expressed in 
measurable, quantitative terms that must be met in order to accomplish 
the program's goals. By tracking and measuring actual program 
performance against this formal baseline, the program's management is 
alerted to potential problems, such as cost growth or requirements 
creep, and has the ability to take early corrective action. 

[24] System availability is defined as the time the system is 
operating satisfactorily, expressed as a percentage of time that the 
system is required to be operational. 

[25] The original performance parameter called for the system to be 
able to "classify" an item of interest as human, vehicle, or animal. 
Program officials stated that they changed the term to "identify" 
because "classification" involves determining the level of threat that 
an identified item of interest presents. For example, a target could 
be identified as a human, and then classified as a high threat if the 
person appeared to be carrying a weapon. 

[26] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for 
Developing and Managing Capital Program Costs, [hyperlink, 
http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 
2009), 218-224. 

[27] A work breakdown structure defines in detail the hierarchy of 
work tasks necessary to complete a program's objectives. 

[28] An integrated master plan is an event-based hierarchy of program 
events that must be completed. 

[29] The critical path represents the chain of dependent activities 
with the longest total duration in the schedule. If any activity on 
the critical path slips, the entire program will be delayed. 

[30] Based on a letter of commitment with CBP, the Defense Contract 
Management Agency is to provide CBP with contract administration 
services for SBInet, including the identification of issues that could 
impact Boeing's ability to perform the requirements in the task orders 
in accordance with established criteria. In this regard, the Defense 
Contract Management Agency provides the SPO with monthly reports that 
include an assessment of Boeing's system engineering processes, the 
current and projected status of operational and technical issues, and 
the results of ongoing internal audits. 

[31] [hyperlink, http://www.gao.gov/products/GAO-09-3SP], 31-36. 

[32] OMB, Circular No. A-11, Preparation, Submission, and Execution of 
the Budget (Washington, D.C., Executive Office of the President, June 
2006); Circular No. A-130 Revised, Management of Federal Information 
Resources (Washington, D.C., Executive Office of the President, Nov. 
28, 2000); and Capital Programming Guide: Supplement to Circular A-11, 
Part 7, Preparation, Submission, and Execution of the Budget 
(Washington, D.C., Executive Office of the President, June 2006). 

[33] [hyperlink, http://www.gao.gov/products/GAO-09-3SP], 8-13. 

[34] Clinger-Cohen Act of 1996, 40 U.S.C. sections 11101-11704, and 
OMB, Circular No. A-130, Management of Federal Information Resources 
(Washington, D.C., Nov. 30, 2000). 

[35] GAO, DOD Business Systems Modernization: Planned Investment In 
Navy Program to Create Cashless Shipboard Environment Needs to be 
Justified and Better Managed, [hyperlink, 
http://www.gao.gov/products/GAO-08-922] (Washington, D.C.: Sept. 8, 
2008). 

[36] Pub. L. No. 110-329, 122 Stat. 3574, 3655-57 (2008). 

[37] GAO, U.S. Customs and Border Protection's Secure Border 
Initiative Fiscal Year 2009 Expenditure Plan, [hyperlink, 
http://www.gao.gov/products/GAO-09-274R] (Washington, D.C.: Apr. 30, 
2009). 

[38] [hyperlink, http://www.gao.gov/products/GAO-09-896]. 

[39] See, for example, GAO, Homeland Security: Despite Progress, DHS 
Continues to Be Challenged in Managing Its Multi-Billion Dollar 
Investment in Large-Scale Information Technology Systems, [hyperlink, 
http://www.gao.gov/products/GAO-09-1002T] (Washington, D.C.: Sept. 15, 
2009) and [hyperlink, http://www.gao.gov/products/GAO-08-1086]. 

[40] [hyperlink, http://www.gao.gov/products/GAO-08-1086]. 

[41] Department of Homeland Security, Acquisition Instruction/ 
Guidebook, 102-01-001, Appendix B, Systems Engineering Life Cycle, 
Interim Version 1.9 (Nov. 7, 2008); and IEEE Standard for Application 
and Management of the Systems Engineering Process, IEEE Std. 1220-2005 
(New York, N.Y., Sept. 9, 2005). 

[42] [hyperlink, http://www.gao.gov/products/GAO-10-158]. 

[43] Software Engineering Institute (SEI), Capability Maturity Model 
Integration (CMMI)® for Acquisition, Version 1.2 (Pittsburgh, Penn., 
November 2007). 

[44] [hyperlink, http://www.gao.gov/products/GAO-10-158]. 

[45] SBInet Program Deep Dive Review (Nov. 26, 2007). 

[46] Of the12 requirements, 11 were unchanged, and while the remaining 
requirement was slightly modified, nothing was added to this 
requirement to address the DHS findings. 

[47] [hyperlink, http://www.gao.gov/products/GAO-08-1086]. 

[48] [hyperlink, http://www.gao.gov/products/GAO-10-158]. 

[49] System qualification testing verifies that the system design 
satisfies system-level requirements, and component qualification 
testing verifies that components satisfy performance requirements. 

[50] SEI, CMMI® for Acquisition. 

[51] An insufficient number of design requirements were sampled to 
generalize the results for the entire database. However, all design 
requirements that we sampled traced to a verification method. 

[52] SEI, CMMI® for Acquisition. 

[53] Verification criteria are assigned to each requirement and, 
according to program officials, are used to determine that a 
requirement has been satisfied, and therefore can be considered 
"closed." 

[54] This approach is described in three documents: the SBInet Risk 
Management Plan, dated June 6, 2008; the SBInet SPO Risk/Issue/ 
Opportunity Management Process, dated October 9, 2008; and the SBInet 
Risk Management Policy, dated November 6, 2008. 

[55] SEI, CMMI® for Acquisition. 

[56] [hyperlink, http://www.gao.gov/products/GAO-07-309]. 

[57] [hyperlink, http://www.gao.gov/products/GAO-09-274R]. 

[58] The Joint Program Management Review meetings take place on a 
monthly basis to discuss program status. They are attended by program 
officials, contractor senior staff, and such key stakeholders as 
Border Patrol, Air and Marine, Office of Intelligence, Office of 
Information Technology, and Office of Asset Management. 

[59] [hyperlink, http://www.gao.gov/products/GAO-08-1086]. 

[60] This board is chaired by the Deputy Secretary and includes a 
number of senior DHS leaders. 

[61] [hyperlink, http://www.gao.gov/products/GAO-08-1086]. 

[62] [hyperlink, http://www.gao.gov/products/GAO-08-1086]. 

[63] [hyperlink, http://www.gao.gov/products/GAO-08-1086]. 

[64] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for 
Developing and Managing Capital Program Costs, [hyperlink, 
http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 
2009), 218-224. 

[65] "Not Met" = DHS provided no evidence that satisfies any portion 
of the criterion. "Minimally Met" = DHS provided evidence that 
satisfies less than one-half of the criterion. "Partially Met" = DHS 
provided evidence that satisfies about one-half of the criterion. 
"Substantially Met" = DHS provided evidence that satisfies more than 
one-half of the criterion. "Met" = DHS provided complete evidence that 
satisfies the entire criterion. 

[66] [hyperlink, http://www.gao.gov/products/GAO-09-3SP], 8-13. 

[67] "Not Met" = DHS provided no evidence that satisfies any portion 
of the criterion. "Minimally Met" = DHS provided evidence that 
satisfies less than one-half of the criterion. "Partially Met" = DHS 
provided evidence that satisfies about one-half of the criterion. 
"Substantially Met" = DHS provided evidence that satisfies more than 
one-half of the criterion. "Met" = DHS provided complete evidence that 
satisfies the entire criterion. 

[68] Department of Homeland Security, DHS Acquisition Instruction/ 
Guidebook #102-01-001, Appendix B, Systems Engineering Life Cycle, 
Interim Version 1.9 (Nov. 7, 2008); and IEEE Standard for Application 
and Management of the Systems Engineering Process, IEEE Std. 1220-2005 
(New York, N.Y., Sept. 9, 2005). 

[69] The SPO refers to the system-level requirements specification as 
the "System of System A-Level Specification." 

[70] The SPO refers to the component-level requirements specifications 
as the "B-2" specifications. 

[71] Software Engineering Institute (SEI), Capability Maturity Model 
Integration (CMMI®) for Acquisition, Version 1.2 (Pittsburgh, Penn., 
November 2007). 

[72] SEI, CMMI® for Acquisition, Version 1.2 (Pittsburgh, Penn., 
November 2007). 

[73] GAO, Secure Border Initiative: DHS Needs to Address Significant 
Risks in Delivering Key Technology Investment, [hyperlink, 
http://www.gao.gov/products/GAO-08-1086] (Washington, D.C.: Sept. 22, 
2008). 

[74] [hyperlink, http://www.gao.gov/products/GAO-08-1086]. 

[75] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for 
Developing and Managing Capital Program Costs, [hyperlink, 
http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 
2009), 218-224. 

[76] GAO, GAO Cost Estimating and Assessment Guide: Best Practices for 
Developing and Managing Capital Program Costs, [hyperlink, 
http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 
2009), 8-13. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: