Border Security: DHS's Efforts to Modernize Key Enforcement Systems Could be Strengthened
Highlights
What GAO Found
Customs and Border Protection (CBP) has defined the scope for its TECS (not an acronym) modernization (TECS Mod) program, but its schedule and cost continue to change; while Immigration and Customs Enforcement (ICE) is overhauling the scope, schedule, and cost of its program after discovering that its initial solution is not technically viable. CBP's $724 million program intends to modernize the functionality, data, and aging infrastructure of legacy TECS and move it to DHS's data centers. CBP plans to develop, deploy, and implement these capabilities between 2008 and 2015. To date, CBP has deployed functionality to improve its secondary inspection processes to air and sea ports of entry and, more recently, to land ports of entry in 2013. However, CBP is in the process of revising its schedule baseline for the second time in under a year. Further, portions of CBP's schedule remain undefined and the program does not have a fully developed master schedule. These factors increase the risk of CBP not delivering TECS Mod by its 2015 deadline. Regarding ICE's $818 million TECS Mod program, it is redesigning and replanning its program, having determined in June 2013 that its initial solution was not viable and could not support ICE's needs. As a result, ICE halted development and is now assessing design alternatives and will revise its schedule and cost estimates. Program officials stated the revisions will be complete in December 2013. Until ICE completes the replanning effort, it is unclear what functionality it will deliver, when it will deliver it, or what it will cost to do so, thus putting it in jeopardy of not completing the modernization by its 2015 deadline.
CBP and ICE have managed many risks in accordance with some leading practices, but they have had mixed results in managing requirements for their programs. In particular, neither program identified all known risks and escalated them for timely management review. Further, CBP's guidance defines key practices associated with effectively managing requirements, but important requirements development activities were underway before these practices were established. ICE, meanwhile, operated without requirements management guidance for years, and its requirements activities were mismanaged as a result. For example, ICE did not complete work on 2,600 requirements in its initial release, which caused testing failures and the deferral and deletion of about 70 percent of its original requirements. ICE issued requirements guidance in March 2013 that is consistent with leading practices, but it has not yet been implemented.
The Department of Homeland Security's (DHS) governance bodies have taken actions to oversee the two TECS Mod programs that are generally aligned with leading practices. Specifically, DHS's governance bodies have monitored TECS Mod performance and progress and have ensured that corrective actions have been identified and tracked. However, the governance bodies' oversight has been based on sometimes incomplete or inaccurate data, and therefore the effectiveness of these efforts is limited. For example, one oversight body rated CBP's program as moderately low risk, based partially on the program's use of earned value management, even though program officials stated that neither they nor their contractor had this capability. Until these governance bodies base their performance reviews on timely, complete, and accurate data, they will be constrained in their ability to effectively provide oversight.
Why GAO Did This Study
DHS's border enforcement system, known as TECS, is the primary system available for determining admissibility of persons to the United States. It is used to prevent terrorism, and provide border security and law enforcement, case management, and intelligence functions for multiple federal, state, and local agencies. It has become increasingly difficult and expensive to maintain because of technology obsolescence and its inability to support new mission requirements. Accordingly, in 2008, DHS began an effort to modernize the system. It is being managed as two separate programs working in parallel by CBP and ICE.
GAO's objectives were to (1) determine the scope and status of the two TECS Mod programs, (2) assess selected CBP and ICE program management practices for TECS Mod, and (3) assess the extent to which DHS is executing effective executive oversight and governance of the two TECS Mod programs.
To do so, GAO reviewed requirements documents and cost and schedule estimates, and determined the current scope, completion dates, and life cycle expenditures. GAO also reviewed risk management and requirements management plans, as well as governance bodies' meeting minutes.
Recommendations
GAO is recommending DHS improve its efforts to manage requirement and risk, as well as its governance of the TECS Mod programs. DHS agreed with all but one of GAO's eight recommendations, and described actions planned and underway to address them.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Homeland Security | To improve DHS's efforts to develop and implement its TECS Mod programs, the Secretary of Homeland Security should direct the CBP Commissioner to ensure that the appropriate individuals develop an integrated master schedule that accurately reflects all of the program's work activities, as well as the timing, sequencing, and dependencies between them. |
The Department of Homeland Security (DHS) has taken steps to address this recommendation. Specifically, in August 2016, officials from U.S. Customs and Border Patrol (CBP) shared with us how the TECS Mod master schedule files (developed in MS Project) were integrated with the TECS Mod's system architecture tool, such that both would display the timing of project tasks. Further, in May 2017, the CBP program manager further clarified how the master schedule files showed the activity sequencing and dependencies. For example, the program manager discussed how the main project tasks were linked between MS Project and the system architecture tool, how dependencies were represented, and the conditions required before tasks could be marked as completed. As a result, CBP has greater assurance that it will be able to deliver the planned functionality, on time, and within budget.
|
Department of Homeland Security | To improve DHS's efforts to develop and implement its TECS Mod programs, the Secretary of Homeland Security should direct the CBP Commissioner to ensure that the appropriate individuals ensure that all significant risks associated with the TECS Mod acquisition are documented in the program's risk and issue inventory inventory--including acquisition risks mentioned in this report report-- and are briefed to senior management, as appropriate. |
The Department of Homeland Security (DHS) agreed with and has taken steps to address this recommendation. In August 2016, U.S. Customs and Border Protection (CBP) officials stated that the program had established a new contract to implement earned value management (EVM) and was making progress in implementing it on three TECS Mod projects: Lookout Record Data and Services, Manifest Processing, and Primary Inspection Processes. Further, officials stated that the program has been monitoring cost and schedule performance to ensure alignment of the program life cycle cost estimate and integrated master schedule with the approved program baseline. In May 2017, the CBP TECS Mod program manager stated that the program has transitioned to an operations and maintenance state, thus mitigating the need to focus on acquisition risks. Further, the program manager noted the integration of the TECS Mod master program schedule with a system architecture tool, which, along with the use of EVM and briefing results to senior management, supplement the risk management process and address the recommendation. CBP also provided two examples of project status reports that demonstrate EVM is now being used in the follow-on contract, which directly addresses a finding in our report. As a result, CBP has greater assurance that it will be able to deliver the planned functionality, on time, and within budget.
|
Department of Homeland Security | To improve DHS's efforts to develop and implement its TECS Mod programs, the Secretary of Homeland Security should direct the CBP Commissioner to ensure that the appropriate individuals revise and implement the TECS Mod program's risk management strategy and guidance to include clear thresholds for when to escalate risks to senior management, and implement as appropriate. |
The Department of Homeland Security (DHS) agreed with, and has taken action to address, this recommendation. Specifically, in January 2014, U.S. Customs and Border Protection (CBP) updated its TECS Mod Program Risk Management Plan to include thresholds for when risks should be escalated. For example, the risk management plan states that all risks with a high impact rating will be escalated to the Passenger Systems Program Directorate (PSPD) Executive Director for awareness and decision making in implementing the associated issue action plan. Further, the plans establishes criteria regarding when the PSPD Executive Director and TECS Mod Program Manager will escalate high severity risks to senior leadership at 1) Program Management Reviews, 2) Executive Steering Committee meetings, and 3) the DHS Chief Information Officer Joint Program Review with CBP and Immigration and Customs Enforcement. For example, high severity risks are escalated to the Executive Steering Committee if the program costs increase greater than 10 percent of baseline threshold costs. CBP also provided examples of Executive Steering Committee briefings between April 2015 and April 2016 where the committee was briefed on critical risks and issues, including status updates regarding the TECS Mod program's efforts to mitigate the risks and resolve the issues. As a result, CBP has increased assurance that key decision makers are fully informed regarding critical program risks and better positioned to mitigate them and minimize their impact on program commitments.
|
Department of Homeland Security | To improve DHS's efforts to develop and implement its TECS Mod programs, the Secretary of Homeland Security should direct the CBP Commissioner to ensure that the appropriate individuals revise and implement the TECS Mod program's requirements management guidance to include the validation of requirements to ensure that each is unique, unambiguous, and testable. |
The Department of Homeland Security (DHS) agreed with and has implemented this recommendation. Customs and Border Protection (CBP) officials provided an updated version of its requirements management plan (dated Nov. 23, 2013) that includes specific criteria requiring each requirement to be unique, unambiguous and testable. By revising its plan, CBP should have greater assurance that TECS Mod will perform as intended in the user environments and has reduced the risk of deployment delays as a result.
|
Department of Homeland Security | The Secretary of Homeland Security should direct the Acting Director of ICE to ensure that the appropriate individuals ensure that all significant risks associated with the TECS Mod acquisition are documented in the program's risk and issue inventory--including the acquisition risks mentioned in this report-- and briefed to senior management, as appropriate. |
The Department of Homeland Security (DHS) agreed with and has taken steps to address this recommendation. In February 2014, the department stated in written correspondence that the U.S. Immigration and Customs Enforcement (ICE) TECS Mod program office had created a program-level acquisition risk and added it to its risk inventory. In December 2015, the department provided an IT program health assessment for the ICE TECS Mod program that identifies the assigned risk level for the acquisition and discusses mitigation strategies. A DHS Management and Program analyst from the Enterprise Business Management Office stated that the program's acquisition risk is one of the factors the CIO considers before rating an investment, and noted that the document includes the DHS chief information officer's rating for the program at the end of the assessment. In November 2016, ICE provided two examples of briefing slides, prepared for the TECS Mod executive steering committee, which included information about program risks that were being elevated to senior management attention. By taking these steps, ICE has greater assurance that senior management is aware of any significant TECS Mod acquisition risks when making decisions about the program.
|
Department of Homeland Security | The Secretary of Homeland Security should direct the Acting Director of ICE to ensure that the appropriate individuals revise and implement the TECS Mod program's risk management strategy and guidance to include clear thresholds for when to escalate risks to senior management, and implement as appropriate. |
The Department of Homeland Security (DHS) agreed with and has taken steps to address this recommendation. In February 2014, the department stated in written correspondence that the U.S. Immigration and Customs Enforcement (ICE) TECS Mod program office had refined its criteria for escalating risks and identified 3 risk events that could trigger an escalated status for a given risk: if a risk has a score that exceeds a certain threshold; if a risk meets a trigger date/event; or if the Risk Advisory Board exercises its discretion to escalate a given risk. In addition, ICE's May 2016 TECS Mod risk management plan included the criteria for elevating risks. In November 2016, ICE provided two examples of briefing slides, prepared for the executive steering committee, which included information about program risks that were being elevated to senior management attention. By taking these steps, ICE has greater assurance that senior management can factor in acquisition risks when making decisions about the TECS Mod program.
|
Department of Homeland Security | The Secretary of Homeland Security should direct the Acting Director of ICE to ensure that the appropriate individuals ensure that the newly developed requirements management guidance and recently revised guidance for controlling changes to requirements are fully implemented. |
The Department of Homeland Security (DHS) agreed with and has taken steps to address this recommendation. In February 2014, the department stated in written correspondence that the U.S. Immigration and Customs Enforcement (ICE) TECS Mod program office had updated its requirements management plan, revised its requirements baseline, and approved a change control package that are intended to address this recommendation. In November 2016, ICE provided an updated copy of its requirements management plan, which included details on how changes to requirements are to be managed. The agency also provided the charter for the program's change control board and documentation of its change control process for requirements. With these tools in place, the program has greater assurance that the TECS Mod system will meet mission needs, perform as intended, and avoid the additional costly and time-consuming rework that the program has experienced.
|
Department of Homeland Security | The Secretary of Homeland Security should direct the Under Secretary for Management and acting Chief Information Officer to ensure that data used by the department's governance and oversight bodies to assess the progress and performance of major information technology program acquisition programs are complete, timely, and accurate. |
The Department of Homeland Security (DHS) agreed with and has taken steps to address this recommendation. For example, the department directed use of a decision-making support tool intended to improve governance decisions. It also discussed information available via the Information Technology Dashboard and how that information could be used to support decision-making activities. In April 2015, DHS further described efforts to implement this recommendation for 3 programs. In addition, in December 2015, DHS officials provided examples of how information in the investment tool is used to support decision-making for the program. For example, they provided an investment summary page from the DHS IT investment management system INVEST, which is used to support investment decision-making. The summary page shows links to information about investment reviews, project milestones, and other program management areas such as risk management. The summary page also shows the date of the last update. A DHS Management and Program analyst from the Enterprise Business Management Office explained that the data is updated in real time as changes occur, for example, as a result of program status meetings and decision milestones. Further, in March 2016, CBP's Component Acquisition Executive & Assistant Commissioner, Office of Acquisition, certified the TECS Mod data in the INVEST system As a result, DHS has increased assurance that the information used by the department's oversight bodies to assess TECS Mod progress and performance is complete , timely, and accurate.
|