Biometric Identity System: DHS Needs to Address Significant Shortcomings in Program Management and Privacy

GAO-23-105959 Published: Sep 12, 2023. Publicly Released: Sep 12, 2023.

Fast Facts

Since 2016, the Department of Homeland Security has been working to replace its outdated biometric identity management system that matches fingerprints and facial features. DHS expects the new system to store hundreds of millions of identities.

But the system is way behind schedule and costs more than estimated—even after readjusting the schedule and cost estimates twice. And these estimates are unreliable because DHS doesn't follow our best practices for calculating them.

In addition, DHS needs to do much more to protect the privacy of individuals whose information is in this new system. We recommended addressing these issues.

Highlights

What GAO Found

Since rebaselining its original cost and schedule commitments in 2019, the Department of Homeland Security's (DHS) Homeland Advanced Recognition Technology (HART) program has further delayed its schedule. Specifically, in 2020 the program declared a second schedule breach and its first cost breach. Accordingly, DHS rebaselined the program again. This extended the schedule for delivering the initial capabilities to replace the legacy system by an additional 33 months beyond the 2019 plan. In addition, the 2022 rebaseline did not include an estimate for completing the program (see table).

Changes in the Homeland Advanced Recognition Technology (HART) Program Schedule from 2019 to 2022

| Milestone | Planned completion date [a] (as of May 2019) | Planned completion date [a] (as of May 2022) |
|---|---|---|
| Initial operational capability | December 31, 2020 | September 30, 2023 |
| Complete full program | June 30, 2024 | Not yet planned |

Source: GAO analysis of Department of Homeland Security data. | GAO-23-105959

[a] This represents the schedule threshold dates defined in the HART acquisition program baseline.

Regarding costs, the program's 2022 rebaseline increased its estimated costs by $354 million. In April 2023, program officials stated that they needed to rebaseline HART's schedule a third time due to, among other things, higher than expected software defects and performance issues.

The program's 2022 cost and schedule estimates did not fully follow GAO's identified cost and schedule best practices and were, therefore, unreliable. Specifically, the program's cost estimate did not substantially or fully meet the four characteristics of a reliable cost estimate. Moreover, the program's schedule estimate did not substantially or fully meet three of the four characteristics of a reliable schedule estimate. Until these weaknesses are addressed, the HART cost and schedule estimates will continue to be unreliable. In turn, this will impair the ability of senior leadership to make informed decisions regarding the program's future.

DHS fully implemented five of 12 selected Office of Management and Budget privacy requirements. For example, the program addressed the requirement to appropriately encrypt information by demonstrating encryption settings for information at rest and in transit. However, DHS had gaps in the remaining seven requirements. For example, the program's privacy impact assessment, which is intended to analyze how personal information is collected, shared, and managed, was missing key information. Specifically, the assessment was missing information on (1) individuals whose data will be stored in the system and (2) the partners with whom the system will share information. In addition, the program did not have assurances that partners that provide information to the system will appropriately retain and dispose of personally identifiable information. Until DHS addresses these privacy weaknesses, the department lacks assurance that the personally identifiable information of the hundreds of millions of individuals that will be stored and shared by HART will be appropriately protected.

Why GAO Did This Study

DHS currently uses an outdated system, implemented over 29 years ago, for providing biometric identity management services (e.g., fingerprint matching). The system stores over 290 million identities. In 2016, DHS initiated a multi-billion dollar program known as HART, which is intended to replace the legacy system. GAO previously reported that due to several challenges, in 2017 the program breached its schedule baseline. In 2019 the program established new cost and schedule commitments with DHS leadership (referred to as a rebaseline). This resulted in delaying the program by 3 years.

GAO was asked to evaluate the HART program. This report's objectives were to (1) determine how the HART program has changed since the 2019 baseline, (2) assess the extent to which the program's cost and schedule estimates followed best practices, and (3) assess the extent to which DHS implemented selected privacy requirements for the program.

GAO reviewed HART planning documentation, evaluated cost and schedule estimates against best practices identified by GAO, and compared privacy documentation to selected Office of Management and Budget privacy requirements. GAO also interviewed appropriate officials.

Recommendations

GAO is making nine recommendations to DHS to follow best practices when preparing HART cost and schedule estimates and implement selected privacy requirements for the system. DHS concurred with the recommendations.

Recommendations for Executive Action

| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to update the cost estimate for the HART program to account for all costs and incorporate the best practices called for in the GAO Cost Estimating and Assessment Guide. (Recommendation 1) | Open |
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to revise the schedule estimate for the HART program that incorporates the best practices called for in the GAO Schedule Assessment Guide. (Recommendation 2) | Open |
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to coordinate with the Privacy Office to establish and implement a timeline for updating the HART PIA to fully describe the categories of individuals whose data will be stored in HART and the partners with whom the system shares information. (Recommendation 3) | Open |
| Department of Homeland Security | The Secretary of DHS should direct the Privacy Office to describe planned methodologies for determining that all privacy controls are implemented correctly and operating as intended for future control assessments of the HART program. (Recommendation 4) | Open |
| Department of Homeland Security | The Secretary of DHS should direct the Privacy Office to develop a timeline for completing the planned HART privacy compliance review. (Recommendation 5) | Open |
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to coordinate with the Privacy Office to establish and implement plans for correcting seven remaining privacy deficiencies identified in the HART PIA. (Recommendation 6) | Open |
| Department of Homeland Security | The Secretary of DHS should direct the Privacy Office to ensure the complete HART authorization package is reviewed by the office prior to future system authorizations. (Recommendation 7) | Open |
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to establish and implement a timeline for maintaining a reliable inventory of information sharing and access agreements with partners that share data with HART. (Recommendation 8) | Open |
| Department of Homeland Security | The Secretary of DHS should direct the OBIM Director to establish and maintain a process for ensuring that partners that provide data to HART have used the system's services to help to appropriately dispose of PII from the system, in accordance with applicable records retention schedules. (Recommendation 9) | Open |

Status note (applies to each recommendation): When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Topics

Acquisition programs, Biometric identification system, Biometrics, Cost and schedule, Cost estimates, E-government, Information sharing, Life cycle costs, Performance measurement, Personally identifiable information, Privacy, Privacy protection, Program management