September 28, 2021

News

News Network

Homeland Security: DHS Needs to Fully Implement Key Practices in Acquiring Biometric Identity Management System

10 min read
<div>What GAO Found The Department of Homeland Security (DHS) initially expected to implement the entire Homeland Advanced Recognition Technology (HART) by 2021; however, no segments of the program have been deployed to date. Currently estimated to cost $4.3 billion in total, DHS plans to deploy increment 1 of the program in December 2021 and expects to implement later increments in 2022 and 2024. Increment 1 is expected to replace the functionality of the existing system. Although the multi-billion dollar HART program had suffered continuing delays, until the end of last year, the DHS Chief Information Officer (CIO) had reported the program as low risk on the IT Dashboard, a website showing, among other things, the performance and risks of agency information technology (IT) investments. In May 2020, the Office of the CIO began developing a new assessment process which led to the CIO accurately elevating HART's rating from low to high risk and reporting this rating to the IT Dashboard in November 2020. In addition, consistent with OMB guidance, the CIO fulfilled applicable oversight requirements for high-risk IT programs by, among other things, conducting a review of the program known as a TechStat review. While the CIO complied with applicable oversight requirements in conducting the TechStat review, GAO noted that DHS's associated policy was outdated. Specifically, the 2017 policy does not reflect the revised process DHS started using in 2020. As such, until the guidance is updated, other departmental IT programs deemed high risk would likely not be readily aware of the specific process requirements. Concurrent with the CIO's actions to conduct oversight, HART program management has also acted to implement important risk management practices. Specifically, GAO found that HART had fully implemented four of seven risk management best practices and partially implemented the remaining three (see table). For example, as of February 2021, the program had identified 49 active risks, including 15 related to cost and schedule and 17 related to technical issues. While DHS has plans under way to fully implement two of the partially implemented practices, until it fully implements the remaining practice its efforts to effectively monitor the status of risks and mitigation plans may be hampered. Summary of the Homeland Advanced Recognition Technology Program's Implementation of the Seven Risk Management Practices Practice GAO assessment 1. Determine risk sources and categories ● 2. Define parameters to analyze and categorize risks ● 3. Establish and maintain a risk management strategy ◑ 4. Identify and document risks ● 5. Evaluate and categorize each identified risk using defined risk categories and parameters, and determine its relative priority ● 6. Develop a risk mitigation plan in accordance with the risk management strategy ◑ 7. Monitor the status of each risk periodically and implement the risk mitigation plan as appropriate ◑ Legend: ● = Fully implemented ◑ = Partially implemented ○ = Not implemented Source: GAO analysis of agency data. | GAO-21-386 Why GAO Did This Study DHS currently uses an outdated system, implemented over 27 years ago, for providing biometric identity management services (i.e., fingerprint matching and facial recognition technology services), known as the Automated Biometric Identification System, or IDENT. In 2016, DHS initiated a multi-billion dollar program known as HART, which is intended to replace the existing system. GAO was asked to evaluate the HART program. Its specific objectives, among others, were to (1) determine the status of the program, (2) assess the extent to which the DHS CIO was accurately reporting risk and meeting applicable oversight requirements, and (3) assess the extent to which the program was identifying and managing its risks. To accomplish these objectives, GAO identified the program's schedule and cost estimates, assessed the CIO's risk ratings and HART oversight documentation and related evidence against OMB guidance, and compared the program's risk management practices to best practices that are essential to identifying and mitigating potential problems. In addition, GAO interviewed appropriate officials.</div>

What GAO Found

The Department of Homeland Security (DHS) initially expected to implement the entire Homeland Advanced Recognition Technology (HART) by 2021; however, no segments of the program have been deployed to date. Currently estimated to cost $4.3 billion in total, DHS plans to deploy increment 1 of the program in December 2021 and expects to implement later increments in 2022 and 2024. Increment 1 is expected to replace the functionality of the existing system.

Although the multi-billion dollar HART program had suffered continuing delays, until the end of last year, the DHS Chief Information Officer (CIO) had reported the program as low risk on the IT Dashboard, a website showing, among other things, the performance and risks of agency information technology (IT) investments. In May 2020, the Office of the CIO began developing a new assessment process which led to the CIO accurately elevating HART’s rating from low to high risk and reporting this rating to the IT Dashboard in November 2020. In addition, consistent with OMB guidance, the CIO fulfilled applicable oversight requirements for high-risk IT programs by, among other things, conducting a review of the program known as a TechStat review. While the CIO complied with applicable oversight requirements in conducting the TechStat review, GAO noted that DHS’s associated policy was outdated. Specifically, the 2017 policy does not reflect the revised process DHS started using in 2020. As such, until the guidance is updated, other departmental IT programs deemed high risk would likely not be readily aware of the specific process requirements.

Concurrent with the CIO’s actions to conduct oversight, HART program management has also acted to implement important risk management practices. Specifically, GAO found that HART had fully implemented four of seven risk management best practices and partially implemented the remaining three (see table). For example, as of February 2021, the program had identified 49 active risks, including 15 related to cost and schedule and 17 related to technical issues. While DHS has plans under way to fully implement two of the partially implemented practices, until it fully implements the remaining practice its efforts to effectively monitor the status of risks and mitigation plans may be hampered.

Summary of the Homeland Advanced Recognition Technology Program’s Implementation of the Seven Risk Management Practices

Practice

GAO assessment

1. Determine risk sources and categories

2. Define parameters to analyze and categorize risks

3. Establish and maintain a risk management strategy

4. Identify and document risks

5. Evaluate and categorize each identified risk using defined risk categories and parameters, and determine its relative priority

6. Develop a risk mitigation plan in accordance with the risk management strategy

7. Monitor the status of each risk periodically and implement the risk mitigation plan as appropriate

Legend: ● = Fully implemented ◑ = Partially implemented ○ = Not implemented Source: GAO analysis of agency data. | GAO-21-386

Why GAO Did This Study

DHS currently uses an outdated system, implemented over 27 years ago, for providing biometric identity management services (i.e., fingerprint matching and facial recognition technology services), known as the Automated Biometric Identification System, or IDENT. In 2016, DHS initiated a multi-billion dollar program known as HART, which is intended to replace the existing system.

GAO was asked to evaluate the HART program. Its specific objectives, among others, were to (1) determine the status of the program, (2) assess the extent to which the DHS CIO was accurately reporting risk and meeting applicable oversight requirements, and (3) assess the extent to which the program was identifying and managing its risks.

To accomplish these objectives, GAO identified the program’s schedule and cost estimates, assessed the CIO’s risk ratings and HART oversight documentation and related evidence against OMB guidance, and compared the program’s risk management practices to best practices that are essential to identifying and mitigating potential problems. In addition, GAO interviewed appropriate officials.

More from:

News Network

  • Information Management: Selected Agencies Need to Fully Address Federal Electronic Recordkeeping Requirements
    In U.S GAO News
    What GAO Found Seventeen agencies GAO selected for review varied in the extent to which their policies and procedures addressed the electronic recordkeeping requirements in the Managing Government Records Directive and the Federal Records Act ( FRA ) and its amendments. More specifically, 14 of the 17 agencies established records management programs, while three agencies did not. Of those 14 agencies with established records management programs, almost all addressed requirements related to incorporating electronic records into their existing programs, but many did not have policies and procedures to fully incorporate recordkeeping functionalities into electronic systems, establish controls and preservation considerations for systems, and issue instructions on email requirements (see table). Assessment of Selected Agencies' Policies and Procedures Addressing Key Electronic Records Requirements NARA provided guidance and assistance to the selected agencies, including guidance on electronic records management and training. All of the agencies stated that the assistance was generally helpful and that they relied on it to some extent for implementing the key requirements discussed in this report. Further, NARA oversaw the selected agencies' implementation of federal records management regulations through their self-assessment progam. However, NARA had not ensured that the selected small or micro agencies that self-assessed to be at high risk of improper records management in calendar year 2017 were taking appropriate actions to make improvements to their records management programs. NARA officials stated they conduct follow-up with the agencies that report poor scores, but they do not proactively require the agencies to address their weaknesses. Until NARA requires these agencies to develop plans to make necessary improvements, these agencies will likely miss important opportunities to improve their record management practices. Why GAO Did This Study The Federal Records Act , a subsequent directive, and NARA regulations establish requirements for agencies to ensure the transparency, efficiency, and accountability of federal records, including those in electronic form. In addition, NARA plays an important role in overseeing and assisting agencies' records management efforts. GAO was asked to evaluate federal agencies' implementation of the aforementioned requirements related to electronic records. The objectives were to determine the extent to which (1) selected agencies' policies and procedures address the electronic recordkeeping requirements in the Managing Government Records Directive and the Presidential and FRA Amendments of 2014 and (2) NARA assisted selected agencies in managing their electronic records. To do so, GAO selected 17 agencies and reviewed their records management policies and procedures. GAO also reviewed laws and requirements pertaining to NARA's roles and responsibilities for assisting agencies in managing their electronic records. Further, GAO analyzed NARA guidance and other documents that discussed NARA's efforts in carrying out these responsibilities.
    [Read More…]
  • Security Force Assistance: More Detailed Planning and Improved Access to Information Needed to Guide Efforts of Advisor Teams in Afghanistan
    In U.S GAO News
    What GAO FoundDOD and the International Security Assistance Force (ISAF) have defined the mission and broad goals for Security Force Assistance (SFA) advisor teams; however, teams varied in the extent to which their approaches for developing their Afghan National Security Force (ANSF) units identified activities based on specific objectives or end states that were clearly linked with established goals. SFA guidance states that to be successful, advisors must have an end or goal in mind, and establish objectives that support higher-command plans. Theater commanders have outlined goals aimed at strengthening specific capabilities such as logistics, and it is largely left to the teams to then develop their approach for working with their counterparts. GAO found some advisor teams had developed structured advising approaches drawing from these goals, such as identifying monthly objectives and milestones for their team. Other teams GAO met with used less structured approaches, such as relying on interactions with ANSF counterparts to identify priorities and using this input to develop activities on an ad hoc basis, rather than as part of a longer-term, more structured approach to achieve broad goals. Officials from several teams stated that the guidance they received lacked specificity regarding desired end states for the development of their ANSF counterpart units. Without a more structured approach with clear linkages between end states, objectives, and milestones that are in support of broad goals for ANSF units, theater commanders cannot be assured that the advisor team activities are making progress toward these goals.The Army and Marine Corps have been able to fill requests for SFA advisor teams, using various approaches such as tasking non-deployed brigades to form advisor teams or creating teams using personnel already deployed in Afghanistan. According to Army and Marine Corps officials, the ability to substitute an individual at one rank above or below the request has helped the services meet rank and skill requirements. The Army's reliance on brigades to provide a portion of their personnel to form advisor teams has enabled them to meet requirements but resulted in leaving large numbers of personnel at the brigades' home stations. To manage these large rear detachments, brigades undertook significant planning to ensure that enough stay-behind leadership existed to maintain a sufficient command structure and provide certain training.The Army and Marine Corps have developed training programs for SFA advisor teams, but teams varied in the extent to which they had specific information to help prepare them for their mission prior to deployment. SFA guidance states that an in-depth understanding of the operational environment and of foreign security force capabilities is critical to planning and conducting effective SFA. Advisor teams may access such information from a variety of sources such as conducting video teleconferences with the teams they will replace, using secure networks to gather information, or sending personnel on predeployment site surveys, although teams varied in the extent to which they were actually able to gain access to these sources. For example, GAO found that while teams had access to a certain secure network at training sites, only some had access at home station, enabling them to shape their training and mission analysis earlier in predeployment training or after training but prior to deploying. Having limited access to this information prior to arriving in Afghanistan may result in advisor teams needing more time after deploying to maximize their impact as advisors.Why GAO Did This StudyISAF's mission in Afghanistan has shifted from a combat role to focus more on preparing ANSF units to assume lead security responsibility by the end of 2014. A key element in advising and assisting the ANSF is SFA advisor teams, provided by the U.S. Army and Marine Corps. A House Armed Services Committee report accompanying its version of the Fiscal Year 2013 National Defense Authorization Act directed GAO to review DOD's establishment and use of SFA advisor teams. Specifically, GAO evaluated the extent to which (1) DOD, in conjunction with ISAF, has defined SFA advisor team missions, goals, and objectives; (2) the Army and Marine Corps have been able to provide teams; and (3) the Army and Marine Corps have developed programs to train teams for their specific missions. GAO reviewed doctrine and guidance, analyzed advisor requirements, reviewed training curricula, and interviewed Army, Marine Corps, theater command, and SFA advisor team officials in the U.S. and Afghanistan.
    [Read More…]
  • Fiscal Year 2022 Performance Plan
    In U.S GAO News
    This report presents the Government Accountability Office's (GAO) Performance Plan for Fiscal Year 2022. In the spirit of the Government Performance and Results Act, this annual plan informs the Congress and the American people about what we expect to accomplish on their behalf in the coming fiscal year. It sets forth our plan to make progress toward achieving our strategic goals for serving the Congress and the American people. This framework not only shows the relationship between our strategic goals and strategic objectives, but also show major themes that could potentially affect our work.
    [Read More…]
  • Statement of Acting Attorney General Jeffrey A. Rosen Regarding Nationwide Safety and Security for Inauguration Day
    In Crime News
    Tomorrow, the Nation and the world will witness an orderly and peaceful transfer of power in the United States, as the Chief Justice of the Supreme Court swears in President-Elect Biden.  Throughout our Nation’s proud history, this ceremony has served as a beacon of democracy and a testament to the enduring strength of our Constitution.
    [Read More…]
  • U.S. Government and the State of Illinois Reach Agreement with Peoria and the Greater Peoria Sanitary District to Reduce Water Pollution from Sewer System
    In Crime News
    The U.S. Environmental Protection Agency (EPA), the U.S. Department of Justice, and the state of Illinois today announced an agreement with the city of Peoria and the Greater Peoria Sanitary District (GPSD) that will yield significant reductions of sewage discharges from Peoria’s wastewater systems into the Illinois River and Peoria Lake.
    [Read More…]
  • Whistleblower Protection: Actions Needed to Strengthen Selected Intelligence Community Offices of Inspector General Programs
    In U.S GAO News
    The six Intelligence Community (IC)-element Offices of Inspectors General (OIG) that GAO reviewed collectively received 5,794 complaints from October 1, 2016, through September 30, 2018, and opened 960 investigations based on those complaints. Of the 960 investigations, IC-element OIGs had closed 873 (about 91 percent) as of August 2019, with an average case time ranging from 113 to 410 days to complete. Eighty-seven cases remained open as of August 2019, with the average open case time being 589 days. The number of investigations at each IC-element OIG varied widely based on factors such as the number of complaints received and each OIG's determination on when to convert a complaint into an investigation. An OIG may decide not to convert a complaint into an investigation if the complaint lacks credibility or sufficient detail, or may refer the complainant to IC-element management or to another OIG if the complaint involves matters that are outside the OIG's authority to investigate. Four of the IC-element OIGs—the Central Intelligence Agency (CIA) OIG, the Defense Intelligence Agency (DIA) OIG, the National Reconnaissance Office (NRO) OIG, and the National Security Agency (NSA) OIG—have a 180-days or fewer timeliness objective for their investigations. The procedures for the remaining two OIGs—the Inspector General of the Intelligence Community (ICIG) and the National Geospatial-Intelligence Agency (NGA) OIG—state that investigations should be conducted and reported in a timely manner. Other than those prescribed by statute, the ICIG and NGA OIG have not established timeliness objectives for their investigations. Establishing timeliness objectives could improve the OIGs' ability to efficiently manage investigation time frames and to inform potential whistleblowers of these time frames. All of the selected IC-element OIG investigations units have implemented some quality assurance standards and processes, such as including codes of conduct and ethical and professional standards in their guidance. However, the extent to which they have implemented processes to maintain guidance, conduct routine quality assurance reviews, and plan investigations varies (see table). Implementation of Quality Assurance Standards and Practices by Selected IC-element OIG Investigations Units   ICIG CIA OIG DIA OIG NGA OIG NRO OIG NSA OIG Regular updates of investigation guidance or procedures — — — ✓ — ✓ Internal quality assurance review routinely conducted — — ✓ — — — External quality assurance review routinely conducted — ✓ — — — — Required use of documented investigative plans ✓ ✓ ✓ ✓ — ✓ Legend: ✓ = standard or practice implemented; — = standard or practice not implemented. Source: GAO analysis of IC-element OIG investigative policies and procedures. | GAO-20-699 The Council of Inspectors General on Integrity and Efficiency's (CIGIE) Quality Standards for Investigations states that organizations should facilitate due professional care by establishing written investigative policies and procedures via handbooks, manuals, or similar mechanisms that are revised regularly according to evolving laws, regulations, and executive orders. By establishing processes to regularly update their procedures, the ICIG, CIA OIG, DIA OIG, and NRO OIG could better ensure that their policies and procedures will remain consistent with evolving laws, regulations, Executive Orders, and CIGIE standards. Additionally, CIGIE's Quality Standards for Federal Offices of Inspector General requires OIGs to establish and maintain a quality assurance program. The standards further state that internal and external quality assurance reviews are the two components of an OIG's quality assurance program, which is an evaluative effort conducted by reviewers independent of the unit being reviewed to ensure that the overall work of the OIG meets appropriate standards. Developing quality assurance programs that incorporate both types of reviews, as appropriate, could help ensure that the IC-element OIGs adhere to OIG procedures and prescribed standards, regulations, and legislation, as well as identify any areas in need of improvement. Further, CIGIE Quality Standards for Investigations states that case-specific priorities must be established and objectives developed to ensure that tasks are performed efficiently and effectively. CIGIE's standards state that this may best be achieved, in part, by preparing case-specific plans and strategies. Establishing a requirement that investigators use documented investigative plans for all investigations could facilitate NRO OIG management's oversight of investigations and help ensure that investigative steps are prioritized and performed efficiently and effectively. CIA OIG, DIA OIG, and NGA OIG have training plans or approaches that are consistent with CIGIE's quality standards for investigator training. However, while ICIG, NRO OIG, and NSA OIG have basic training requirements and tools to manage training, those OIGs have not established training requirements for their investigators that are linked to the requisite knowledge, skills, and abilities, appropriate to their career progression, and part of a documented training plan. Doing so would help the ICIG, NRO OIG, and NSA OIG ensure that their investigators collectively possess a consistent set of professional proficiencies aligned with CIGIE's quality standards throughout their entire career progression. Most of the IC-element OIGs GAO reviewed consistently met congressional reporting requirements for the investigations and semiannual reports GAO reviewed. The ICIG did not fully meet one reporting requirement in seven of the eight semiannual reports that GAO reviewed. However, its most recent report, which covers April through September 2019, met this reporting requirement by including statistics on the total number and type of investigations it conducted. Further, three of the six selected IC-element OIGs—the DIA, NGA, and NRO OIGs—did not consistently document notifications to complainants in the reprisal investigation case files GAO reviewed. Taking steps to ensure that notifications to complainants in such cases occur and are documented in the case files would provide these OIGs with greater assurance that they consistently inform complainants of the status of their investigations and their rights as whistleblowers. Whistleblowers play an important role in safeguarding the federal government against waste, fraud, and abuse. The OIGs across the government oversee investigations of whistleblower complaints, which can include protecting whistleblowers from reprisal. Whistleblowers in the IC face unique challenges due to the sensitive and classified nature of their work. GAO was asked to review whistleblower protection programs managed by selected IC-element OIGs. This report examines (1) the number and time frames of investigations into complaints that selected IC-element OIGs received in fiscal years 2017 and 2018, and the extent to which selected IC-element OIGs have established timeliness objectives for these investigations; (2) the extent to which selected IC-element OIGs have implemented quality standards and processes for their investigation programs; (3) the extent to which selected IC-element OIGs have established training requirements for investigators; and (4) the extent to which selected IC-element OIGs have met notification and reporting requirements for investigative activities. This is a public version of a sensitive report that GAO issued in June 2020. Information that the IC elements deemed sensitive has been omitted. GAO selected the ICIG and the OIGs of five of the largest IC elements for review. GAO analyzed time frames for all closed investigations of complaints received in fiscal years 2017 and 2018; reviewed OIG policies, procedures, training requirements, and semiannual reports to Congress; conducted interviews with 39 OIG investigators; and reviewed a selection of case files for senior leaders and reprisal cases from October 1, 2016, through March 31, 2018. GAO is making 23 recommendations, including that selected IC-element OIGs establish timeliness objectives for investigations, implement or enhance quality assurance programs, establish training plans, and take steps to ensure that notifications to complainants in reprisal cases occur. The selected IC-element OIGs concurred with the recommendations and discussed steps they planned to take to implement them. For more information, contact Brenda S. Farrell at (202) 512-3604, farrellb@gao.gov or Brian M. Mazanec at (202) 512-5130, mazanecb@gao.gov.
    [Read More…]
  • Man Convicted of Receiving, Soliciting, and Promoting Child Pornography
    In Crime News
    A federal jury convicted a Virginia man today for downloading images and videos depicting children as young as four years old being sexually abused and for utilizing the Darknet to solicit and promote child pornography.
    [Read More…]
  • Justice Department Warns About Fake Unemployment Benefit Websites
    In Crime News
    The Department of Justice has received reports that fraudsters are creating websites mimicking unemployment benefit websites, including state workforce agency (SWA) websites, for the purpose of unlawfully capturing consumers’ personal information.
    [Read More…]
  • Department of Energy: Environmental Liability Continues to Grow, but Opportunities May Exist to Reduce Costs and Risks
    In U.S GAO News
    What GAO Found The Department of Energy's (DOE) environmental liability is large and growing. In managing cleanup responsibilities related to this liability, DOE faces challenges in contract and project management, and has opportunities to reduce costs and risks.  Why GAO Did This Study DOE is tasked with cleaning up hazardous and radioactive waste created by nuclear weapons research and production sites across the country dating back to World War II and the Cold War. DOE's cleanup mission includes addressing contaminated soil and groundwater, deactivating and decommissioning contaminated facilities, and building facilities to treat millions of gallons of radioactive waste. DOE's estimate of the probable costs for this future cleanup is known as its environmental and disposal liability (or environmental liability). This report describes the status of DOE's environmental liability, and challenges and opportunities GAO has identified that DOE faces in managing its cleanup responsibilities. GAO reviewed its prior reports and synthesized key findings and recommendations related to DOE's environmental liability. For more information, contact Nathan Anderson at (202) 512-3841 or andersonn@gao.gov.
    [Read More…]
  • Federal Court Orders New York Company and its Operators to Stop Distributing Adulterated Dietary Supplements
    In Crime News
    A federal court permanently enjoined a New York company and its operators from manufacturing or distributing dietary supplements unless and until they comply with the law.
    [Read More…]
  • The Impact of the Pandemic on Pregnancy: A Research Response
    In Human Health, Resources and Services
    Maternal health and [Read More…]
  • Remarks by Attorney General William P. Barr at the Major Cities Chiefs Association Conference
    In Crime News
    I appreciate the invitation to address this group.  I want to start by thanking you, and the men and women you lead, for serving in what I think is the most noble profession in our country – enforcing the law and keeping our communities safe. 
    [Read More…]
  • Secretary Blinken to Deliver Remarks to the Media in the Press Briefing Room
    In Crime Control and Security News
    Office of the [Read More…]
  • Antarctica Travel Advisory
    In Travel
    Exercise increased [Read More…]
  • Native New Yorker convicted in human transporting conspiracy
    In Justice News
    A 53-year-old man has [Read More…]
  • Republic of Maldives Independence Day
    In Crime Control and Security News
    Antony J. Blinken, [Read More…]
  • U.S.-Bulgaria Sign Nuclear Cooperation Memorandum of Understanding
    In Crime Control and Security News
    Office of the [Read More…]
  • Texas Business Owner Pleads Guilty to Tax Fraud
    In Crime News
    A Texas resident pleaded guilty Thursday to filing a false individual income tax return.
    [Read More…]
  • Four Former Minneapolis Police Officers Indicted on Federal Civil Rights Charges for Death of George Floyd; Derek Chauvin Also Charged in Separate Indictment for Violating Civil Rights of a Juvenile
    In Crime News
    A federal grand jury in Minneapolis, Minnesota returned two indictments that were unsealed today. The first indictment charges former Minneapolis Police Department officers Derek Chauvin, 45; Tou Thao, 35; J. Alexander Kueng, 27; and Thomas Lane, 38, with federal civil rights crimes for their roles in the death of George Perry Floyd Jr.
    [Read More…]
  • Secretary Michael R. Pompeo at a Naturalization Ceremony with U.S. Citizenship and Immigration Services
    In Crime Control and Security News
    Michael R. Pompeo, [Read More…]
Network News © 2005 Area.Control.Network™ All rights reserved.