Homeland Security: DHS Needs to Fully Implement Key Practices in Acquiring Biometric Identity Management System
Fast Facts
The Department of Homeland Security started working on replacing its outdated biometric identity management system (fingerprint matching and facial recognition) in 2016. The new system is 3 years behind schedule due to technical and other challenges.
DHS modified a major contract and took more steps to address the challenges. But when we compared the program to 14 IT acquisition best practices, officials had only fully implemented 7 of them.
For example, officials didn't fully review the contractor's work products—making it harder to ensure that all requested changes were made.
We recommended fully implementing the best practices, and more.
Highlights
What GAO Found
The Department of Homeland Security (DHS) initially expected to implement the entire Homeland Advanced Recognition Technology (HART) by 2021; however, no segments of the program have been deployed to date. Currently estimated to cost $4.3 billion in total, DHS plans to deploy increment 1 of the program in December 2021 and expects to implement later increments in 2022 and 2024. Increment 1 is expected to replace the functionality of the existing system.
Although the multi-billion dollar HART program had suffered continuing delays, until the end of last year, the DHS Chief Information Officer (CIO) had reported the program as low risk on the IT Dashboard, a website showing, among other things, the performance and risks of agency information technology (IT) investments. In May 2020, the Office of the CIO began developing a new assessment process which led to the CIO accurately elevating HART's rating from low to high risk and reporting this rating to the IT Dashboard in November 2020. In addition, consistent with OMB guidance, the CIO fulfilled applicable oversight requirements for high-risk IT programs by, among other things, conducting a review of the program known as a TechStat review. While the CIO complied with applicable oversight requirements in conducting the TechStat review, GAO noted that DHS's associated policy was outdated. Specifically, the 2017 policy does not reflect the revised process DHS started using in 2020. As such, until the guidance is updated, other departmental IT programs deemed high risk would likely not be readily aware of the specific process requirements.
Concurrent with the CIO's actions to conduct oversight, HART program management has also acted to implement important risk management practices. Specifically, GAO found that HART had fully implemented four of seven risk management best practices and partially implemented the remaining three (see table). For example, as of February 2021, the program had identified 49 active risks, including 15 related to cost and schedule and 17 related to technical issues. While DHS has plans under way to fully implement two of the partially implemented practices, until it fully implements the remaining practice its efforts to effectively monitor the status of risks and mitigation plans may be hampered.
Summary of the Homeland Advanced Recognition Technology Program's Implementation of the Seven Risk Management Practices
|
Practice |
GAO assessment |
|
1. Determine risk sources and categories |
● |
|
2. Define parameters to analyze and categorize risks |
● |
|
3. Establish and maintain a risk management strategy |
◑ |
|
4. Identify and document risks |
● |
|
5. Evaluate and categorize each identified risk using defined risk categories and parameters, and determine its relative priority |
● |
|
6. Develop a risk mitigation plan in accordance with the risk management strategy |
◑ |
|
7. Monitor the status of each risk periodically and implement the risk mitigation plan as appropriate |
◑ |
Legend: ● = Fully implemented ◑ = Partially implemented ○ = Not implemented Source: GAO analysis of agency data. | GAO-21-386
Why GAO Did This Study
DHS currently uses an outdated system, implemented over 27 years ago, for providing biometric identity management services (i.e., fingerprint matching and facial recognition technology services), known as the Automated Biometric Identification System, or IDENT. In 2016, DHS initiated a multi-billion dollar program known as HART, which is intended to replace the existing system.
GAO was asked to evaluate the HART program. Its specific objectives, among others, were to (1) determine the status of the program, (2) assess the extent to which the DHS CIO was accurately reporting risk and meeting applicable oversight requirements, and (3) assess the extent to which the program was identifying and managing its risks.
To accomplish these objectives, GAO identified the program's schedule and cost estimates, assessed the CIO's risk ratings and HART oversight documentation and related evidence against OMB guidance, and compared the program's risk management practices to best practices that are essential to identifying and mitigating potential problems. In addition, GAO interviewed appropriate officials.
Recommendations
GAO is making seven recommendations, including that DHS update its policy to reflect the current IT program assessment process, and fully implement the risk management best practice related to monitoring the status of risks and mitigation plans. DHS concurred with all of the recommendations and provided estimated dates for implementing them.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Homeland Security |
Priority Rec.
The Secretary of DHS should direct the Chief Information Officer to update existing policy to reflect the processes that should be used to address each of the TechStat requirements. (Recommendation 1) |
Closed – Implemented
In response to our recommendation, DHS's Office of the Chief Information Officer finalized an updated TechStat process guide in June 2022. The process guide describes specific activities and methods for meeting the five TechStat review requirements. For example, with regard to the requirement for establishing a root cause analysis of performance issues, the process guide includes suggested document requests, questions, and key areas of analysis that can guide the determination of root causes. By taking these actions to specify activities that address TechStat review requirements, other departmental IT programs that are deemed high risk will be more readily aware of specific process requirements that should be taken when undergoing a TechStat review.
|
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to ensure that the HART program keeps records of its discussions related to risk mitigation, including the resources needed for risk handling activities. (Recommendation 2) |
Closed – Implemented
In response to our recommendation, in August 2021, OBIM updated its HART risk management plan to require the program to record meeting minutes of its risk related discussions. As a result, in August 2021, the HART program office began documenting and maintaining records of discussions related to risk mitigation. In addition, since August 2021, the HART meeting minutes have included examples of when resources were required for risk handling activities. By documenting the actions and decisions discussed during these meetings, the HART program can now rely on these minutes for future reference and they can serve as a resource for program officials that were unable to attend the meetings. Further, by keeping records of resources needed for risk handling activities, the program is better positioned to provide the necessary resources to successfully execute these mitigation plans.
|
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to ensure that the HART program's risk owners maintain accurate and current status updates for each risk mitigation plan in the risk register. (Recommendation 3) |
Closed – Implemented
In response to our recommendation, OBIM updated the HART Risk Management Plan in August 2021 to include a process for ensuring that HART risk mitigation plans are accurate and current. Specifically, the HART Risk Management plan calls for setting aside time each month to review the status of HART risks and progress toward their response plans. The plan clarifies that risk owners are responsible for updating risks at a frequency based on their priority level (e.g. every 30 days for high-priority risks). Further, OBIM officials have been meeting regularly to review risks. In addition, OBIM's risk mitigation reports provided in June 2022 and September 2022 demonstrated that risk mitigation actions are being kept up to date. By taking these steps to ensure that HART program risk owners maintain accurate and current status updates, program management officials are better positioned to make key decisions based on a complete picture of the risks facing the program.
|
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to ensure that the HART program office fully reviews and approves or rejects contractor deliverables prior to working on the next system release. (Recommendation 4) |
Open
OBIM and the HART program office have not yet demonstrated that they have fully reviewed and approved or rejected contractor deliverables. In February 2024, OBIM officials stated that they allowed the prime development contract to sunset, and plans to use other contractors for the remainder of the HART program. OBIM officials stated that they reviewed and dispositioned all deliverables required of the original contractor. Since the program has significantly modified its acquisition strategy and the associated process for review and approval of contractor deliverables, this recommendation will remain open until OBIM can demonstrate that the HART program is fully reviewing and approving or rejecting contractor deliverables under its new acquisition approach.
|
| Department of Homeland Security |
Priority Rec.
The Secretary of DHS should direct the OBIM Director to ensure that, moving forward, the HART program tracks and monitors all of its costs, including government labor costs. (Recommendation 5) |
Closed – Implemented
OBIM included government labor costs in the HART program's 2022 life cycle cost estimate (LCCE). In August 2023, OBIM officials demonstrated ongoing updates to the LCCE to include actual program costs, including HART-specific government labor costs. By taking actions to track and monitor all HART program costs, the program and oversight bodies should be able to have an accurate account of program spending and compare actual costs against planned estimates.
|
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to ensure that the HART program defines the extent to which it should be interacting with each of its stakeholders throughout the acquisition process, and, once established, monitors stakeholder involvement against that defined level of involvement. (Recommendation 6) |
Open – Partially Addressed
OBIM demonstrated that it had monitored stakeholder involvement for the Executive Stakeholder Board and the Executive Steering Committee. In November 2023, OBIM provided evidence that the Executive Steering Committee charter was updated to fully define its interactions with the program. OBIM also provided evidence that the committee has begun to meet in accordance with the updated charter. However, OBIM is still in the process of updating the charter for the Executive Stakeholder Board to full define its intended interactions with the program. As for February 2024, OBIM officials planned to finalize the Executive Stakeholder Board charter by the third quarter of fiscal year 2024.
|
| Department of Homeland Security |
Priority Rec.
The Secretary of DHS should direct the OBIM Director to ensure that the HART program establishes and maintains a process to ensure bidirectional traceability of its requirements in future development. (Recommendation 7) |
Closed – Implemented
In response to our recommendation, OBIM established and documented a process to help ensure bidirectional traceability of its requirements. This includes using a program support tool to link lower-level requirements to higher-level requirements and holding regular meetings to review traceability. OBIM also provided March 2022 and January 2023 reports that demonstrated the office has implemented this process and was maintaining improved bidirectional traceability for HART requirements. As a result, the HART program is better positioned to develop a system that meets its partner agencies' needs.
|