b"<html>\n<title> - DHS INFORMATION TECHNOLOGY: HOW EFFECTIVELY HAS DHS HARNESSED IT TO SECURE OUR BORDERS AND UPHOLD IMMIGRATION LAWS?</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n  DHS INFORMATION TECHNOLOGY: HOW EFFECTIVELY HAS DHS HARNESSED IT TO \n\n            SECURE OUR BORDERS AND UPHOLD IMMIGRATION LAWS?\n=======================================================================\n\n\n                                HEARING\n\n                               before the\n\n                       SUBCOMMITTEE ON OVERSIGHT\n\n                       AND MANAGEMENT EFFICIENCY\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             MARCH 19, 2013\n\n                               __________\n\n                            Serial No. 113-7\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                               __________\n\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n82-581                    WASHINGTON : 2013\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Michael T. McCaul, Texas, Chairman\nLamar Smith, Texas                   Bennie G. 
Thompson, Mississippi\nPeter T. King, New York              Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nPaul C. Broun, Georgia               Yvette D. Clarke, New York\nCandice S. Miller, Michigan, Vice    Brian Higgins, New York\n    Chair                            Cedric L. Richmond, Louisiana\nPatrick Meehan, Pennsylvania         William R. Keating, Massachusetts\nJeff Duncan, South Carolina          Ron Barber, Arizona\nTom Marino, Pennsylvania             Donald M. Payne, Jr., New Jersey\nJason Chaffetz, Utah                 Beto O'Rourke, Texas\nSteven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii\nLou Barletta, Pennsylvania           Filemon Vela, Texas\nChris Stewart, Utah                  Steven A. Horsford, Nevada\nKeith J. Rothfus, Pennsylvania       Eric Swalwell, California\nRichard Hudson, North Carolina\nSteve Daines, Montana\nSusan W. Brooks, Indiana\nScott Perry, Pennsylvania\n                       Greg Hill, Chief of Staff\n          Michael Geffroy, Deputy Chief of Staff/Chief Counsel\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n                                 ------                                \n\n          SUBCOMMITTEE ON OVERSIGHT AND MANAGEMENT EFFICIENCY\n\n                 Jeff Duncan, South Carolina, Chairman\nPaul C. Broun, Georgia               Ron Barber, Arizona\nKeith J. Rothfus, Pennsylvania       Donald M. Payne, Jr., New Jersey\nRichard Hudson, North Carolina       Beto O'Rourke, Texas\nSteve Daines, Montana                Bennie G. Thompson, Mississippi \nMichael T. 
McCaul, Texas (Ex             (Ex Officio)\n    Officio)\n                      Ryan Consaul, Staff Director\n                   Deborah Jordan, Subcommittee Clerk\n                  Tamla Scott, Minority Staff Director\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                               Statements\n\nThe Honorable Jeff Duncan, a Representative in Congress From the \n  State of South Carolina, and Chairman, Subcommittee on \n  Oversight and Management Efficiency\nThe Honorable Ron Barber, a Representative in Congress From the \n  State of Arizona, and Ranking Member, Subcommittee on Oversight \n  and Management Efficiency\n\n                               Witnesses\n\nMs. Margaret H. Graves, Deputy Chief Information Officer, U.S. \n  Department of Homeland Security:\n  Oral Statement\n  Prepared Statement\nMr. David A. Powner, Director, Information Technology Management \n  Issues, Government Accountability Office:\n  Oral Statement\n  Prepared Statement\nMr. Charles K. Edwards, Deputy Inspector General, U.S. Department \n  of Homeland Security:\n  Oral Statement\n  Prepared Statement\n\n                                Appendix\n\nQuestions From Chairman Jeff Duncan for Margaret H. Graves\nQuestion From Honorable Richard Hudson for Margaret H. Graves\nQuestion From Honorable Beto O'Rourke for Margaret H. Graves\nQuestions From Chairman Jeff Duncan for David A. Powner\n
Question From Honorable Richard Hudson for David A. Powner\nQuestions From Chairman Jeff Duncan for Charles K. Edwards\n\n\n  DHS INFORMATION TECHNOLOGY: HOW EFFECTIVELY HAS DHS HARNESSED IT TO \n            SECURE OUR BORDERS AND UPHOLD IMMIGRATION LAWS?\n\n                              ----------                              \n\n\n                        Tuesday, March 19, 2013\n\n             U.S. House of Representatives,\n          Subcommittee on Oversight and Management \n                                        Efficiency,\n                            Committee on Homeland Security,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 2:00 p.m., in \nRoom 311, Cannon House Office Building, Hon. Jeff Duncan \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Duncan, McCaul, Broun, Rothfus, \nHudson, Daines, Barber, Thompson, Payne, and O'Rourke.\n    Mr. Duncan. The Committee on Homeland Security Subcommittee \non Oversight and Management Efficiency will come to order. The \npurpose of this hearing is to closely examine the Department's \ncritical information technology systems and their daily \noperations protecting the Nation's borders, preventing \nterrorists from entering the United States, and facilitating \nthe legitimate flow of people and trade.\n    Before I begin my opening statement I would like to express \nthe subcommittee's frustration with the DHS over not providing \nits written testimony on time. This is unfair to the Members \nand other witnesses. We expect the Department to provide their \nwritten statement in accordance with the committee rules moving \nforward.\n    I and other subcommittee Members are also disappointed that \nDHS's chief information officer, Mr. Richard Spires, was unable \nto testify today on these important issues. Mr. 
Spires has been \noutspoken in improving IT within DHS and ensuring transparency \nand meaningful oversight. We look forward to hearing from him \non these issues at a future date.\n    Now I recognize myself for an opening statement. Before I \ndo, I will mention that we do have votes at 2:15, so we are \ngoing to try to get through as much as we can before Members \nare required to leave.\n    The component agencies that make up the Department of \nHomeland Security rely heavily on information technology, or \nIT, to perform a wide range of missions. IT is especially \nimportant with regard to border security and immigration \nenforcement.\n    With one of the Federal Government's largest information \ntechnology budgets, DHS's component agencies such as Customs \nand Border Protection, Immigration and Customs Enforcement, and \nU.S. Citizenship and Immigration Services rely on critical IT \nsystems and their daily operations to protect the Nation's \nborders and prevent terrorists from entering the United States, \nand facilitate the legitimate flow of people and trade into and \nout of our country.\n    Having been down on the border at our ports of entry, I \nrecognize the integral role IT infrastructure plays in the \nability of ICE and CBP agents to carry out their missions. 
In \nfiscal year 2012 the Department of Homeland Security planned to \nspend nearly $5.6 billion in IT investments, $1.7 billion of \nwhich is for programs the Department considers to be major \ninvestments in CBP, ICE, and USCIS.\n    A few of the examples of these mission-critical programs \nrelated to border security and immigration enforcement include \nCBP's automated commercial environment and international trade \ndata system, which will replace existing technology and \nincrease efficiencies by serving as a central data collection \nsystem for Federal agencies needing access to international \ntrade data in a secure, paper-free Web environment.\n    Similarly, both CBP and ICE are working on the respective \nportions of the Traveler Enforcement Compliance System, or TECS \nModernization program, which will be an important upgrade to a \nlegacy system developed in the 1980s by the U.S. Customs \nService to support inspections and investigations. A similar \neffort is ICE's Detention and Removal Operations Modernization, \nwhich will significantly upgrade IT capabilities to support the \nefficient detention and removal of aliens who are in the \ncustody of ICE.\n    Given the size of the Department's investment in IT, \neffective management and oversight of IT programs and \nexpenditures is critical to ensure DHS is using taxpayer money \nefficiently and holding programs accountable for agreed-upon \ndeliverables. Despite some successes by the Department and data \ncenter in network consolidation, as well as cloud-based service \nofferings and establishing IT centers of excellence, GAO and \nDHS Inspector General have identified numerous cases where the \nDepartment has yet to reduce cost and duplication through \ntechnology-based integration and modernization.\n    GAO reported in September 2012 that DHS's 68 major IT \ninvestments, roughly one-third, had not fully met their cost or \nscheduled targets. 
These delays can mean border agents will \nhave to make do with legacy IT systems for longer periods. \nSimilarly, the DHS Office of Inspector General has identified \ninformation technology management as a major challenge facing \nthe Department, including attempts to create a unified \ninformation technology infrastructure for effective integration \nand agency-wide management of information technology assets and \nprograms.\n    At the component level, the DHS Inspector General \nidentified aging IT infrastructure, interoperability, and \nfunctionality at the CBP as specific challenges creating an \nenvironment difficult to support CBP's responsibility to secure \nthe border. For instance, the IG reported that in some \ninstances Border Patrol staff cannot communicate seamlessly \nfrom analog to digital platforms with Federal, State, and local \npartners in all sections of the country.\n    I personally find it alarming that after a decade after the \nDepartment was stood up and billions of dollars poured into \nsecuring our borders, preventing another September 11, that CBP \nstaff in one location might not be able to reliably share \ninformation not only with local law enforcement officers, but \nalso with other agencies within the DHS apparatus.\n    Similarly, a November 2011 DHS IG report details struggles \nby USCIS to transform its fragmented paper-based business \nprocess to a flexible, efficient, and electronic adjudication \nservice. However, this transformation has yet to be fully \nimplemented because of delays in strategy and system \nrequirements, which ended up costing American taxpayers \nhundreds of millions of dollars. 
As a result, USCIS missed an \nopportunity to process immigration benefits more efficiently, \ncombat identity fraud, and share critical information necessary \nto quickly identify criminals and possible terrorists.\n    I am happy to welcome our witnesses to the hearing today \nand look forward to hearing about the steps taken by the \nDepartment to develop an agile approach to IG development at \nthese critical agencies and progress in eliminating \nduplication, consolidating existing technology, and improving \nthe overall management of those IT projects of CBP, ICE, and \nUSCIS, which will enhance DHS's mission of securing the border \nwhile upholding immigration laws.\n    It is absolutely critical that in a time of financial belt-\ntightening, particularly as the Congress begins to look at \naddressing the issue of comprehensive immigration reform, the \nDHS be able to meet IT investments and capabilities on time and \non budget without posing a risk to the Department's ability to \nfulfill its mission of securing homeland.\n    I will just note that the total cost for the IT systems was \nprojected at--I am turning to the number here, $5.6 billion. \nThe complete St. Elizabeths site that we visited last Friday is \nbudgeted at $4 billion. So, the IT systems is a billion--a \nlittle over a billion and a half more than the complete St. \nElizabeths site. That is alarming to me at the cost. So I \nwanted to bring that up.\n    The Chairman will now recognize the Ranking Minority Member \nof the subcommittee, the gentleman from Arizona, Mr. Barber, \nfor any opening statement he may have.\n    Mr. Barber. Well, thank you, Mr. Chairman.\n    Thank you to the witnesses for being with us today.\n    Each year the Department of Homeland Security spends \napproximately 15 percent of its total budget on information \ntechnology systems. As the Chairman noted, in 2012 this was \napproximately $6 billion. 
Given the significance of this \ninvestment, it is critical that we are holding this hearing \ntoday in an effort to carry out our oversight functions and \nresponsibilities for these very costly systems.\n    While the GAO and the Department of Homeland Security \nOffice of the Inspector General have generally found that most \nof the major IT investments by the Department are sound and are \nproviding DHS the necessary tools to carry out its mission, it \nis clear that several IT projects are not going as promised. \nThis is especially true of the technologies that have been used \nor attempted to be used to secure the border.\n    In my home district in southern Arizona, I have seen first-\nhand the extreme waste of taxpayer money on programs like \nSBInet, a program that was designed without input from the \npeople on the ground who know what is best in that community in \nthat area. It seemed promising at the time. Yet at the ultimate \ncost of over $1.5 billion there has been little or no return on \nour investment. To my dismay, I would have to say the SBI \nsuccessor, according to the GAO, the Arizona Border Technology \nPlan, appears to face similar challenges as SBInet and looks \nlike it might be more of the same.\n    These are two examples that show that the Department must \ndo more to improve its IT structure, governance, and the manner \nin which it develops IT systems. Hopefully recent changes to \nhow IT decisions are made at the Department and managed will \nyield better results and budgetary savings, especially as it \nrelates to border security.\n    Twenty-four hours a day, 365 days a year, as you know, the \nmen and women of the Customs and Border Patrol and Immigration \nand Customs Enforcement put their lives on the line in very \nrugged environments to secure our borders and to prevent \nillegal trafficking and smuggling from across the line. 
If \nthere are technology-based solutions that can help them fulfill \ntheir mission, it is essential that the Department and Congress \nprovide them with those resources.\n    However, we must ensure that the technology we deploy is \nproven, is cost-effective, trustworthy, and meets the needs of \nthose on the front line. I will repeat that when the \nimplemented SBInet contract specifically prohibited the \ncontractor from talking to agents on the ground, that can't \nhappen again.\n    We must ask the end-user, No. 1, is this technology that is \nneeded? No. 2, is this technology that would actually work in a \nborder environment? When developing new IT systems I encourage \nthe Department to utilize the services of its own Science and \nTechnology Directorate in addition to leveraging the skills and \nknowledge that can be found in our Nation's universities.\n    In 2008 the University of Arizona became the co-lead of a \nresearch university team that have partnered to form the Center \nfor Excellence of Border Security and Immigration. This \npartnership has yielded numerous successful endeavors that can \nstem the flow of drugs across the Southwest Border, aiding and \nprotecting deception and malicious intent by those seeking to \nenter the United States and improve the effectiveness of our \ncheckpoints.\n    As we seek to improve and harness new border-related IT \nsystems, I urge the Department to continue to utilize the \nUniversity of Arizona Center of Excellence and also engage \nranchers and those living along the border and the working \nagents who work the border for first-hand information accounts \nof what works and what doesn't work.\n    I want to echo here the Chairman's comments about \ntelecommunications. It became painfully clear to me in 2010 \nwhen I was district director to Congresswoman Giffords that we \nhave a long way to go to ensure that the agents can communicate \nwith each other and other law enforcement departments. 
The \ndeath of Rob Prince during that time was an example of how poor \nthe telecommunications is, and I fear they may be not much \nbetter today.\n    I will encourage the Department to engage with Boeing and \nothers who have worked on projects to secure the border in what \nhas worked and what has not. In closing, let me just say this: \nThat while the use of technology to secure our border is needed \nand a sign of the times, nothing can replace actual boots on \nthe ground.\n    You know I am very concerned, even though it is not the \nsubject of our hearing today, that as a result of the budget \nsequestration issue we are now going to see less overtime, less \ntime on the job for Border Patrol agents, the people who \nactually secure our border day-in and day-out. We have to make \nsure that we do not allow the progress we have made to be \ndegraded by these budget cuts. As we evaluate technology on the \nborder, which comes at a high financial cost, I would caution \nus to ensure that the Department is not exceeding IT cost \nestimates at the risk of putting Border Patrol agents out of \nwork.\n    Thank you, Mr. Chairman. I yield back.\n    Mr. Duncan. Thank the Ranking Member. The other Members of \nthe subcommittee are reminded that opening statements may be \nsubmitted for the record.\n    We are pleased to have a very distinguished panel of \nwitnesses before us today on this important topic. What I will \ndo is I will introduce each witness and then we will recognize \nyou.\n    The first witness is Ms. Margie Graves. She is the deputy \nchief information officer for the Department of Homeland \nSecurity. In this capacity, Ms. Graves oversees the \nDepartment's IT portfolio of about $6 billion in IT programs.\n    Ms. 
Graves manages the operation of the Office of Chief \nInformation Officer, which covers functional areas of applied \ntechnology enterprise, architecture, data management, IT, \nsecurity infrastructure, operations, IT accessibility, budget, \nand acquisition. Prior to her selection as deputy CIO in 2008, \nMs. Graves held numerous senior IT positions in the Department. \nMs. Graves also has 20 years' experience in the management \nconsulting industry.\n    Mr. David Powner--am I pronouncing that right, Powner? \nOkay--is the director of information technology, IT management \nissues at the Government Accountability Office or GAO. At GAO, \nMr. Powner's work focuses on system development and \nacquisition, IT governance, IT reform initiatives and major IT \nmodernization efforts. He also has led work on cyber critical \ninfrastructure protection. During his time in the private \nsector, Mr. Powner held several executive-level positions in \nthe telecommunications industry.\n    Mr. Charles Edwards is the deputy inspector general of the \nDepartment of Homeland Security. Mr. Edwards is the head of the \nOffice of Inspector General, a role he first obtained when \nnamed acting inspector general in February 2011. Mr. Edwards \nhas over 20 years' experience in the Federal Government, and \nhas held leadership positions at several Federal agencies \nincluding TSA, the United States Postal Service's Office of \nInspector General, and the United States Postal Service.\n    So, I thank all of you for being here today. The Chairman \nwill now recognize Ms. Graves to testify.\n\n   STATEMENT OF MARGARET H. GRAVES, DEPUTY CHIEF INFORMATION \n         OFFICER, U.S. DEPARTMENT OF HOMELAND SECURITY\n\n    Ms. Graves. Chairman Duncan, Ranking Member Barber, and \nMembers of the subcommittee, thank you, and good afternoon. As \ndeputy CIO at DHS I oversee an IT portfolio $5.4 billion in \nprograms and manage OCIO operations. 
This has given me valuable \ninsight and perspective to share with you on the efforts that \nwe are making at DHS to ensure effective delivery of IT \nprograms to support the missions of DHS.\n    When the DHS OCIO evaluates the health of an IT program we \nfocus primarily on three areas.\n    The first area is whether a program has correct management \nstructure and skilled and experienced individuals to fill key \nprogram management roles. It is critical to ensure that every \nlarge IT program has a qualified program manager or PMO, and \nadditional core positions based on its level of complexity. The \nskills and experience of the staff and the PMO are the most \nheavily-weighted criteria in how we evaluate our IT programs.\n    The second area is proper alignment of key stakeholders and \noversight to help address issues that may arise. Even the best \nprogram manager will have challenges if the governance model \ndoes not effectively support and provide guidance to the \nprogram.\n    Within DHS we have implemented a three-tiered governance \nstructure. At the enterprise level we have a governance board \nknown as the Acquisitions Review Board or ARB, which \nadjudicates major acquisitions decisions. In addition, \nportfolio steering committees and executive steering \ncommittees, or ESCs are chartered by the ARB and provide \nprogram governance.\n    The third and final area is whether a program is leveraging \nprogram, project, and technical best practices to minimize \nprogram risk and therefore maximize its chance for success. \nWithin DHS we are implementing such a model under which we call \nour acquisition and program management Centers of Excellence. \nThese Centers of Excellence provide a number of services to \nprograms, including sharing best practices and materials, \ntraining programs and mentoring, and expert in subject matter \nsupport.\n    DHS IT programs are now governed by these principles. 
As \nexamples I would like to highlight four of our programs.\n    First example is CBP's Automated Commercial Environment or \nACE, which is modernizing how CBP secures U.S. borders, speeds \nthe flow of legitimate shipments and targets illicit goods. In \n2010 the program was placed on OMB's list of troubled Federal \nIT projects.\n    Since that time the PMO addressed skill gaps and embedded \nbusiness expertise. The governance model has been strengthened, \nand the program has worked closely with a number of COEs to \ngain expertise. Strong program governance and organizational \nchanges, active stakeholder engagement and support, and \nimplementing agile development and sound funding strategies \nhave placed the program on the right course.\n    My second example is CBP's TECS Modernization which is a \nkey border enforcement system supporting the screening of \ntravelers entering the United States and the screening \nrequirements at other Federal agencies that use the information \nfor law enforcement and benefit purposes. TECS Mod, which is \nmodernized incrementally with five projects that focus on major \nfunctional areas, and is on a schedule to be complete by the \nend of fiscal year 2015.\n    The third program I would like to highlight is CIS's \nElectronic Immigration System or ELIS. The program was put in \nplace to transition the agency from a fragmented, paper-based \noperational environment to an integrated, paperless, electronic \nenvironment. Unfortunately there were difficulties on the first \nrelease.\n    But under the direction of the ARB we set up an ESC to \noversee the program, participate in test stat review in \nconjunction with the Federal CIO, created a life-cycle cost \nestimate and an integrated master schedule, and facilitated the \nprogram's migration to DHS provided cloud services. 
Since then, \nCIS successfully developed the technology architecture to \nbetter support agile development and has delivered two \nadditional ELIS projection release, which should enable CIS to \nstay within estimated cost and schedule.\n    The final program I would like to highlight is ICE's \nDetention and Removal Operations Modernization or DROM. It was \ninitiated in late 2006 to improve the operational effectiveness \nof enforcement and removal operations, or ERO, and to \nstrengthen the alignment of the ERO mission with the Secured \nBorder Initiative. Despite technical and operational \nchallenges, DROM is targeted to move into full sustainment by \nfiscal year 2014, providing full operational capability while \ncoming in under budget.\n    At DHS we are working hard to mature our ability to deliver \nnew capabilities by improving the skills of our staff to manage \nprograms, effectively overseeing these programs and harnessing \nthe best practices in how we run those programs, ultimately \nincreasing our ability to support the homeland security \nenterprise. Thank you. I am pleased to address your questions.\n    [The prepared statement of Ms. Graves follows:]\n                Prepared Statement of Margaret H. Graves\n                             March 19, 2013\n    Chairman Duncan, Ranking Member Barber, and Members of the \nsubcommittee, thank you and good afternoon. Today I will discuss \nefforts we are making at headquarters and across the components at the \nDepartment of Homeland Security (DHS) to ensure effective delivery of \nIT programs to support the missions of DHS. 
My experience in public-\nsector large-scale IT organizations has given me unique insight in how \nto effectively leverage IT to support the mission and business needs of \na large organization.\n    I will first describe what DHS is doing as an enterprise to support \ndelivery of mission capabilities, with particular emphasis on how we \nare working to systemically improve our acquisition and program \nmanagement capabilities to ensure successful delivery of programs. \nSecond, I will highlight four major programs that support our border \nsecurity and immigration missions, namely the United States Customs and \nBorder Protection's (CBP) TECS Modernization, CBP's Automated \nCommercial Environment (ACE), U.S. Citizenship and Immigration \nService's (USCIS) Transformation, and U.S. Immigration and Customs \nEnforcement's (ICE) Detention and Removal Operations Modernization \n(DROM).\n       improving dhs's ability to deliver successful it programs\n    When I evaluate the health of an IT program, I focus on three \nareas: Whether a program has the correct management structure and the \nproper set of skilled and experienced individuals to fill key program \nmanagement roles; proper alignment of key stakeholders and oversight to \nhelp address issues that may arise; and whether the program is \nleveraging program, project, and technical best practices to minimize \nprogram risk and therefore maximize its chance for success. It is \nimportant to note during this period of fiscal austerity that all three \ncontribute directly to a program's ability to deliver as efficiently \nand cost-effectively as possible. 
Below I provide more detail on each \nof these three key areas, with particular focus on how DHS is, as an \nenterprise, working to mature our institutional capability in each.\nProgram Management Structure, Skills, and Experience\n    Programs are not successful when they lack experience and skills in \ncritical program management positions or a solid program management \noffice (PMO). For large, complex IT programs, having a program manager \n(PM) who has successfully managed and delivered numerous IT programs is \nvital.\n    Large, complex IT programs vary greatly, so there is not one model \nthat fits every program. While every program should have a qualified \nprogram manager, additional positions vary based on its complexity and \nshould be considered on a case-by-case basis. The following positions, \nhowever, are typically core, and programs lacking solid individuals \nfilling these positions are at higher risk: Systems architect; data \narchitect; requirements manager; development and integration manager; \ntest manager; configuration manager; operations manager; contracting \nofficer; and contracting officer's representative.\n    In addition to the above core positions, when organizations embark \non large IT programs, it is critical to ensure the right business or \nmission owner involvement. It is necessary to have full-time \nrepresentatives of the business who can not only successfully work \nwithin the program to define requirements of the system, but also help \nthe PMO make the trade-off decisions that are a constant in a program. \nIn assessing a program, I look for individuals who are steeped in the \ncurrent process end-to-end, who have true credibility with senior \nmanagement, and who demonstrate flexibility to deal with unending \nchange as a program unfolds and matures. 
While we often need strong \ncontractor teams to help execute large complex programs, successful \nPMOs are staffed with strong Government staff who can provide the \nleadership and oversight necessary to direct the work. It is essential \nthat each program find the approximate mix of Federal and contractor \npersonnel to staff their PMO and ensure the PMO is fully integrated.\n    DHS is taking aggressive steps to ensure that we can properly staff \nour major IT programs with skilled and experienced personnel. We have a \nnumber of training programs, most notably a PM certification course. In \naddition to a standard PM certification, we have additional specialty \ncourses for PMs that run IT programs. Further, we have course tracks in \nother key skill areas as outlined above, to include requirements \nengineering, systems engineering, and test and evaluation \nmethodologies. Finally, we have built into our program evaluation \ncriteria the recognition that the PMO is key to success. The skills and \nexperience of the staff in the PMO is the most heavily-weighted \ncriteria in how we evaluate our IT programs.\nProgram Governance\n    Even the best program manager will have challenges if the \ngovernance model does not work. Governance drives alignment amongst key \ndecision makers in an organization. We have heard for decades that IT \nprograms fail because of ill-defined requirements or poorly-managed \nrequirements scope throughout the life cycle of a program. While true, \nthis is a symptom of a more fundamental underlying cause: The inability \nfor all key stakeholders in a program to be ``on the same page'' in \ndefining desired outcomes and approaches to meet those outcomes.\n    Change is inevitable in all IT programs, so achieving such \nalignment is not a one-time event occurring at the start of a program. 
\nAlignment is an on-going process that is critical throughout an \ninvestment's strategic planning, design, and development, as well as \nits implementation; hence, governance must be viewed as a full life-\ncycle process. Sometimes the change is significant, making on-going \nalignment even more crucial to successfully driving the promised Return \non Investment (ROI) and ensuring accountability. Further, for complex \nIT systems, there are at least a half-dozen stakeholder organizations \nthat must be aligned, to include the strategy organization, business or \nmission owner of the system, IT, finance, procurement, security, and \nprivacy. Ensuring all key stakeholders are involved in key decisions is \nan essential element to assuring genuine alignment.\n    Based on my experience, establishing a strong, active program \ngovernance board is required to ensure such alignment. Program \ngovernance boards provide guidance, decision making, and oversight of \none or more programs. The function of the program governance board is \nnot to usurp the authorities of the PM, but rather to provide a forum \nby which the PM can bring key issues and trade-off decisions to an \ninformed, empowered body that has a vested interest in that program's \nsuccess and that views the PM as a trusted advisor and true subject-\nmatter specialist. In today's environment of more modular and agile \ndevelopment, a program in design or development should have a program \ngovernance board that meets no less than monthly, and in some cases \nweekly, depending on the type of program and life-cycle stage of the \ninvestment. Not only does an active program governance board support \naccountability, it also fosters transparency.\n    Within DHS, we have developed a management directive and are \nmaturing our program governance processes. 
At the enterprise level, we \nhave a governance board known as the Acquisition Review Board (ARB), \nchaired by the DHS Under Secretary for Management and with all the DHS \nLines-of-Business as members, which has ultimate authority over all DHS \nprograms. DHS has embarked on a tiered governance model in which \nExecutive Steering Committees (ESCs) are chartered by the ARB to \nprovide governance of a program or related set of programs. While not \nfully implemented across all programs, the ESC structure is chartered \nfor programs rated at higher risk. Of the 88 major IT programs, my \noffice (DHS Office of the Chief Information Officer or OCIO), working \nwith the DHS Program Accountability and Risk Management Office (PARM), \nhas identified 16 programs that would immediately benefit from the \ngovernance model of an ESC. I am pleased to write that all 16 of those \nprograms now have the oversight of an ESC. Further, I am personally \ninvolved or have a senior representative from my office as a member of \neach of these ESCs.\n    In addition to the tiered governance model, DHS OCIO partners with \nPARM to monitor all major programs based on monthly status reporting \nfrom each program. If a major IT program is showing negative indicators \nin monthly reporting, we will hold a Techstat on the program, which is \na program review to identify the issues affecting the program along \nwith a set of remediation actions to address the issues. Within the \nlast 2 weeks, a Techstat on one program resulted in 11 remediation \nactions, to include the establishment of an ESC for the program.\nIT Program and Technical Best Practices\n    Even with a solid PMO and proper governance, it is critical that IT \nprograms leverage the practices and tools that are appropriate for the \nwork at hand. 
Using the proper methods to capture requirements, \ncomplete a systems design, implement a configuration management \nprocess, and properly test the system are just a handful of the myriad \npractices that must be implemented in a large IT program. Even a \nskilled and experienced set of individuals cannot be expected to deeply \nunderstand current best practices in all areas, so it can be greatly \nbeneficial for programs to acquire guidance and help from subject \nmatter experts in varied disciplines that cross the program, project, \nand technical disciplines.\n    Within DHS, we are implementing such a model under what we call our \nAcquisition and Program Management Centers of Excellence (A&PM COEs). \nThe COEs provide a number of services to programs to include: (1) \nDevelopment or adoption of proven practices, guidance, document \ntemplates, and examples; (2) support program management workforce \ndevelopment through development of training programs and mentoring; (3) \nexpert support (support the stand-up of new programs; support program \nreviews; and provide subject matter expertise for programs that have \nskills gaps or are struggling; (4) identification and development of \nenterprise tools to enable more effective program management; and (5) \nidentification of program health criteria that recognizes what program \nsuccess looks like.\n    To date, DHS has established eight COEs to support programs, \nincluding COEs for program management (to include schedule and risk \nmanagement as well as life-cycle logistics), cost estimating and \nanalysis, enterprise architecture, systems engineering, requirements \nengineering, test and evaluation, privacy, and accessibility. A key to \nmaking this work is to draw from expertise across DHS, so individuals \nfrom each component can participate in their particular area of \nexpertise. 
Through this federation, we work to create communities of \npractice bringing ideas from across DHS that strengthen the work of \neach COE. While we have made significant progress in establishing COEs, \nwe continue to work on maturing our efforts, and plan to review the \nneed for additional COEs in years to come.\n      Key DHS Programs Supporting Border Security and Immigration\n    The remainder of the testimony highlights a number of key IT \nprograms, both in terms of how they support DHS missions in border \nsecurity and immigration, and how we are leveraging the work outlined \nabove to improve the delivery of these major IT programs.\nCBP--Automated Commercial Environment (ACE)\n    ACE is a multi-year program with sunk costs of $3.2 billion to \nmodernize the business processes essential to securing U.S. borders, \nspeeding the flow of legitimate shipments, and targeting illicit goods. \nACE modernizes and enhances trade processes and forms the backbone for \nthe ``single window'' through which the international trade community \nwill electronically provide all information needed by Federal agencies \nfor the import and export of cargo. The ACE program is essential to \nimproving the ability of CBP's agents and officers and those of 47 \nPartner Government Agencies (PGAs) to assess cargo for security, \nhealth, and safety risks, while speeding the flow of legitimate trade \nand ensuring compliance with U.S. trade laws.\n            Cost and Schedule Performance\n    In 2010, the program was placed on the Office of Management and \nBudget's (OMB) list of 26 troubled Federal IT projects. In addition, \nthe DHS ARB placed ACE on a pause status while the program worked to \naddress its issues. Since that time, CBP, with the support of DHS and \nOMB, has worked aggressively to turn the program around. While parts of \nACE are in operations and maintenance, much functionality remains to be \ndeveloped. 
Therefore, working with DHS, CBP has developed a plan for \nthe completion of core trade processing capabilities in ACE and \ndecommissioning the legacy system within approximately 3 years. A key \ncomponent of this plan is the implementation of an agile software \ndevelopment methodology which focuses on the production of smaller \npieces of functionality more frequently, resulting in a more flexible \nuser-focused development process. CBP's plan addresses the priorities \nidentified by internal system users as well as key trade community and \nPGA stakeholders: Cargo release, entry summary edits, and exports.\n    With respect to the program's funding strategy, CBP has made great \nprogress in reducing ACE Operations and Maintenance (O&M) costs and \nidentifying internal sources of CBP funds to support remaining ACE \ndevelopment and migration.\n            Challenges\n    CBP has addressed a number of basic organizational and governance \nchallenges as it administered the ACE program. Based on direction from \nthe ARB and with DHS's support, CBP responded with program changes as \ndocumented in the ACE Improvement Plan submitted to OMB. 
Specifically, \nCBP has:\n  <bullet> Established an ACE Business Office in the Office of \n        International Trade to better define business needs through an \n        enhanced business requirements process.\n  <bullet> Increased stakeholder engagement through the establishment \n        of an Executive Steering Committee (ESC) that includes all \n        levels of DHS and CBP leadership.\n  <bullet> Also increased engagement with all impacted CBP program \n        offices, volunteer Government field personnel serving as ACE \n        Ambassadors, the Trade Community, and Partner Government \n        Agencies.\n  <bullet> Defined baseline needs through an enhanced business \n        requirements process.\n  <bullet> Executed a new approach for the development of functionality \n        by building in modular components that treat each piece of \n        distinct functionality as a separate project for frequent \n        delivery of smaller segments of functionality.\n  <bullet> Conducted more effective oversight of contractors through \n        greater internal controls and governance.\n            Program Outlook\n    CBP has taken significant steps to reposition ACE for success. \nSkills gaps in the ACE PMO were identified and are being addressed; the \nPMO is working well and has embedded business expertise. As noted \nabove, the governance model has been strengthened with the addition of \nan ESC chaired by the Deputy Commissioner. Finally, the program has \nworked closely with a number of the PM COEs to ensure best practices \nare being leveraged across the program. For instance, technical \ncomplexity is being reduced by transitioning the program to a \nsimplified architecture that relies less on a large stack of complex \nproprietary solutions and more on a few well-proven open-source \ntechnologies. 
This will greatly simplify development, and allow rapid \nintegration of the solution so that it can be quickly fielded in an \nincremental fashion.\n    The program is also embedding domain knowledge experts in the \ndevelopment process to help ensure frequent and timely feedback to \ndevelopers as the solution is produced, greatly reducing requirements \nuncertainty and allowing for the program to adjust to changing \nrequirements rapidly. The program is using a feature-based approach to \nmanage requirements to achieve formal software releases every 6 months. \nThis shorter and iterative release cycle is being mandated to ensure \nvalue is quickly realized by the CBP agents and officers along with \nother PGAs in the field on a regular recurring schedule.\n    The strong program governance and organizational changes, active \nstakeholder engagement and support, and sound funding strategy \ndemonstrate that the program is on the right course.\nCBP--TECS Modernization\n    TECS (no longer an acronym) is a key border enforcement system \nsupporting the screening of travelers entering the United States and \nthe screening requirements of other Federal agencies used for law \nenforcement and benefit purposes. TECS supports more than 70,000 users \nwho represent more than 20 Federal agencies responsible for traveler \nprocessing, investigations, vetting, entry/exit, and research \nrequirements. The TECS Modernization program is primarily focused on \nmodernizing server infrastructure, databases, and user interfaces to \nsustain and improve current screening capabilities well into the \nfuture. The program also provides for highly scalable functionality \nthat meets constantly emerging screening requirements. Some of the \nmission benefits of modernizing TECS include: Enhancing the capability \nto protect the Nation from the entry of individuals who may pose a \nthreat to National security or public safety; ensuring the efficient \nflow of lawful people crossing U.S. 
borders; and enabling effective \ndecision-making through improved information sharing.\n    The modernization of the legacy TECS system is being accomplished \nthrough two separate programs, one within CBP and the other within ICE. \nEach is funded and being executed separately. While both modernization \nprograms remain focused on continued support of each agency's unique \nmission, each program coordinates common interests regarding planning, \ndevelopment, and data migration efforts.\n            Cost and Schedule Performance\n    TECS Mod began the 8-year modernization effort in 2008, and is on \ntrack to complete the project in 2015 as scheduled. TECS is being \nmodernized incrementally with five projects that focus on major \nfunctional areas. These projects are: Secondary Inspection (SI); High \nPerformance Primary Query and Manifest Processing (HPPQ); Travel \nDocument and Encounter Data (TDED); Lookout Record Data and Services \n(LRDS); and Primary Inspection Processes (PIP).\n    Functionality, such as Secondary Inspection, has already been \ndelivered and is being used successfully at ports of entry. In 2013, \nTECS Mod will deliver additional capabilities that were designed and \ndeveloped in previous years. Operational Testing for the High \nPerformance Primary Query, Travel Documents and Encounter Data, and the \nLookout Records and Data Services Projects will begin in 2014.\n            Program Outlook\n    Currently the TECS Modernization program is on schedule to complete \nby the end of fiscal year 2015 as detailed in the Acquisition Program \nBaseline. 
Some of the major accomplishments to date include:\n  <bullet> LRDS Watch List Service, which provides terrorist records to \n        DHS, activated August 2010;\n  <bullet> Secondary Inspection to all Air/Sea Ports Of Entry (POEs) \n        implemented May 2011 and deployed Secondary Inspection to two \n        Land ports of entry (POEs) in November 2012 for operational \n        testing;\n  <bullet> High Performance Primary Query (HPPQ) Service for Advance \n        Passenger Information System activated in November 2012;\n  <bullet> HPPQ Initial Operation Capability (IOC) met on February 1, \n        2013.\nUSCIS--Transformation\n    In 2008, USCIS embarked on a program to transition the agency from \na fragmented, paper-based operational environment to an integrated, \npaperless, electronic operational environment. The new operational \nenvironment, known as USCIS Electronic Immigration System (ELIS), \nenables customers to file requests for immigration benefits and USCIS \nofficers to adjudicate those benefit requests within the same system. \nUSCIS ELIS heavily leverages proven methods from the Government and the \nprivate sector to meet mission requirements for improved efficiency, \nquality, customer service, and features that support our National \nsecurity. USCIS ELIS is a person-centric system that is already \nimproving collaboration and information sharing within DHS and with \nother Federal agencies.\n    USCIS launched the first release of USCIS ELIS in May 2012. This \nrelease delivered the foundational technology components and basic end-\nto-end capabilities for applicants for certain benefit types using Form \nI-539, ``Application to Extend/Change Nonimmigrant Status.'' This \nrelease included capabilities for on-line account set-up, electronic \nfiling, security checks, case management, direct electronic \ncorrespondence with customers, and issuance of notices and decisions to \ncustomers. 
Feedback on USCIS ELIS performance from USCIS staff and \ncustomers has been positive.\n            Cost and Schedule Performance\n    The USCIS Transformation, when started in 2008, used a traditional \n``waterfall'' approach to development and a single contractor as a lead \nsystems integrator. The initial requirements development process took \nalmost 2 years and development for the first release required an \nadditional 14 months, including 7 months of testing and defect \nremediation. Although the initial release included much of the basic \nfunctionality to support the future development of additional benefit \nproduct lines, USCIS determined that such an approach was not \nsustainable in the long-term.\n    After the initial release in May 2012 USCIS decided to temporarily \nreduce the size of the contractor team while it transitioned to an \nagile development process and put in place improved governance \nmechanisms, with the intention of ramping the program up again once \nthese were in place. During 2012, as the program improved its agile \napproach, the number of agile teams was increased from three to six. \nThe program intends to eventually scale up to 12 agile teams of \napproximately 10 developers and testers each, in order to reach Final \nOperating Capability as quickly as possible. A Life-Cycle Cost Estimate \n(LCCE) and a roadmap have been completed for the program.\n            Challenges\n    The difficulties in delivering the first release prompted USCIS, in \ncollaboration with the DHS OCIO, PARM, and the Federal Chief \nInformation Officer (CIO) to conclude that there were fundamental \nissues in the USCIS Transformation program management structure and \nskills, the role and performance of the lead systems integrator, the \noverall governance framework, the technical architecture of the \nsolution, and the development approach. 
Under the direction of the ARB, \nthe DHS CIO's Office worked with USCIS to set up an ESC to oversee the \nprogram, with the DHS CIO as a voting member. DHS also participated in \na Techstat review of the program with the Federal CIO, worked with \nUSCIS to create a Life-Cycle Cost Estimate (LCCE) and an Integrated \nMaster Schedule (IMS), and facilitated the program's adoption of \ntechnical best practices by assisting it in migrating to DHS-provided \ncloud services.\n    Since late 2011, USCIS, in conjunction with my office and under the \ndirection of the ARB, has taken significant steps to address each of \nits challenges, including:\n  <bullet> Revamped the program management office to take on more of \n        the program's management and add needed skills.\n  <bullet> Modified the role of the lead systems integrator to drive \n        improved performance.\n  <bullet> Modified the governance framework to include establishment \n        of an Executive Steering Committee, chaired by the Director of \n        USCIS.\n  <bullet> Created a Life-Cycle Cost Estimate (LCCE) and Integrated \n        Master Schedule (IMS).\n  <bullet> Simplified the ELIS architecture to be more modular and to \n        leverage open source software to the extent possible.\n  <bullet> Transitioned to modular framework, with releases delivered \n        under an agile approach.\n            Program Outlook\n    Since May 2012, USCIS has successfully delivered on schedule two \nadditional USCIS ELIS production releases using the agile development \napproach and with all planned functionality completed. The first agile \nrelease was delivered in September 2012 and the second in January 2013. \nThese releases provided additional enhancements to I-539 functionality \nand technology that had been delayed in order to deploy the initial \nrelease in May 2012. The next two agile releases are scheduled for May \nand July 2013. 
Each release will add a new benefit type to USCIS ELIS.\n    In March 2013, USCIS completed successful development and \nmodifications to the technology architecture that should better support \nagile delivery. In addition to modifying the architecture, USCIS is \nalso transitioning away from a single large contract to a series of \nsmaller contracts that will better support agile development and \ndelivery. In May 2013, USCIS intends to begin agile development of the \nfirst production release under the modified architecture. After the \nmodified architecture is completed, new capabilities will be released \ninto USCIS ELIS approximately every 4 months. The modifications to the \narchitecture and the new contracting approach should enable USCIS to \nstay within estimated costs and schedule.\nICE--Detention and Removal Operations Modernization (DROM)\n    The DROM Program was initiated in late 2006 to improve the \noperational effectiveness of Enforcement and Removal Operations (ERO), \nformerly Detention and Removal Operations (DRO), and to strengthen the \nalignment of the ERO mission with the Secure Border Initiative (SBI).\n    Through improved interoperability, enhanced and new capabilities, \nand an expansion of data exchange and sharing with its enforcement \npartners, DROM empowers ERO operations and field agents/officers by \nproviding the technical tools necessary to execute ERO's primary \nmission of upholding U.S. immigration laws through adequate and \nappropriate custody management of detainees in a cost-effective manner. 
\nDROM applications produce expected business outcomes to monitor and \nsupport improvements such as:\n  <bullet> Reduction in the length of stay for detainees.\n  <bullet> Increased bed-space availability.\n  <bullet> Faster document processing and transmission.\n  <bullet> More accurate, complete, and flexible data reporting.\n  <bullet> Elimination of data redundancy.\n    With its overall primary goal of increasing the throughput of \ndetainees from apprehension to case adjudication and removal, the DROM \nProgram and its applications have streamlined ERO operations, resulting \nin significant cost and time savings. For example, the electronic \nTravel Documents (eTD) project has reduced the time to issue documents \nidentifying a detainee's country of origin and authorizing his or her \nrepatriation, from over 14 days to 8 days on average for participating \ncountries (i.e., Dominican Republic, El Salvador, Guatemala, and \nHonduras). Including Mexico, participating countries account for \napproximately 90 percent of aliens repatriated.\n    The electronic Online Bonds System (eBonds), which automates the \nposting of surety bonds, allows ERO field personnel to process those \nbonds within hours instead of days. The Online Detainee Locator System \n(ODLS), an application highlighted in the White House's 2011 Blueprint \nto Immigration Reform for its ingenuity in facilitating the proposed \nreforms, has significantly reduced phone inquiries to field offices \nfrom family members, attorneys, and other interested parties. Finally, \nOperations Management Module 2 (OM2), formerly the Fugitive Case \nManagement System (FCMS), will be integrated into the ENFORCE Alien \nRemoval Module (EARM) before the end of fiscal year 2013. 
This \nintegration will improve architecture and security compliance and \nprovide a robust application with a more scalable and flexible design \nand greater operational efficiencies.\n            Cost and Schedule Performance\n    The DROM Program and its applications are expected to reach its \nfull sustainment phase by fiscal year 2014. With an adjusted life-cycle \ncost estimate of roughly $320 million DROM has achieved most of its \nmajor goals, moving to full sustainment ahead of schedule, and has \nproduced new and enhanced capabilities that improved the operational \neffectiveness of ERO. Additionally, DROM has supported, through data \nsharing, the high-priority effort to detain and remove criminal aliens.\n            Challenges\n    ERO's implementation of a new series of detention reform \ninitiatives in 2009 required the program to restructure its schedule \nand re-define deliverables. The overarching key objectives remain \nintact; however, the reform initiatives changed the program direction, \nproducing new capabilities and terminating specific projects.\n    In addition, EARM, the core module of the suite of ERO \napplications, has grown exponentially within a short period of time. \nThe decision was made to use EARM as the framework and portal for all \nDROM applications with over 12 interfaces to internal and external \nGovernment entities. As a result of the rapid growth and re-definition, \nthe build environment of EARM has become very large, making it harder \nto manage. Coding, debugging, and testing have become more complex as \ndevelopers are required to understand the logic of the entire code base \nand the intrinsic dependencies within that logic. These challenges \nbecame more apparent during the test phase of releases, causing minor \nschedule shortfalls. 
ICE OCIO has taken the following steps to mitigate \nfuture potential schedule slippages related to these issues:\n  <bullet> Condense schedule to allow testing to occur in parallel with \n        other activities.\n  <bullet> Early involvement of ERO users to ensure that capabilities \n        meet their business needs.\n  <bullet> Daily collaboration with internal stakeholders to ensure \n        faster resolution to unexpected technical issues.\n  <bullet> Prioritization of capabilities for potential de-scoping \n        effort to meet schedule constraints.\n    Finally, delays of EARM 3.0 release 2 and EARM 4.0 releases for \nhigher-priority initiatives as the data center migration consolidation \nand the Risk Classification Assessment (RCA) module resulted in ERO \ndelaying deployment of existing requirements within those packaged \nreleases. In honoring those requests, some re-work and schedule \nslippage were necessary.\n            Program Outlook\n    Despite the technical and operational challenges, DROM is targeted \nto move into full sustainment by fiscal year 2014, providing full \noperating capabilities of the DROM applications while coming in under \nbudget based on the prior year cost estimate. In addition, the final \nsoftware release is estimated to bring down the Operations and \nMaintenance cost by integrating most functionality into the core \nmodule, EARM, thus reducing the need to have separate operating support \ncosts for individual applications. In summary, DROM has accomplished \nits mission by streamlining and executing more cost-efficient \noperations within ERO.\n                               Conclusion\n    The ability for an IT organization to support its mission and \nbusiness customers is highly dependent on its ability to field new \ncapabilities that are developed in partnership with those customers. 
At \nDHS, we are working hard to mature our ability to deliver such \ncapabilities, through improving the skills of our staff to manage \nprograms, through effective oversight of those programs, and through \nharnessing of best practices in how we run those programs. We continue \nto drive this maturation through harnessing good work and talent across \nDHS, and its components, increasing our ability to support the Homeland \nSecurity Enterprise.\n    Thank you and I am pleased to address your questions.\n\n    Mr. Duncan. Thank you so much.\n    I apologize to the witnesses, but it is my understanding \nthat we have been interrupted by votes. So without objection, \nthe subcommittee is in recess as subject to the call. The \nChairman of the committee will reconvene approximately 10 \nminutes after the conclusion of the last vote. So with that we \nwill just adjourn subject to the call of the Chairman.\n    [Recess.]\n    Mr. Duncan. Committee on Oversight and Management \nEfficiency will come back to order. I want to thank the \npanelists for their patience during the votes, and the \nsubcommittee will reconvene now. I must inform you that they \nare talking about another round of votes maybe 3:45-ish. So we \nare going to get through as much as we can.\n    So the Chairman will now recognize Mr. Powner to testify.\n\nSTATEMENT OF DAVID A. POWNER, DIRECTOR, INFORMATION TECHNOLOGY \n      MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Powner. Chairman Duncan, Ranking Member Barber, and \nMembers of the subcommittee, we appreciate the opportunity to \ntestify on the status of DHS's major IT investments that among \nother things are to better secure our borders and enforce \nimmigration laws.\n    Late last year we issued two key reports for the \nsubcommittee that highlighted DHS improvements to its IT \ngovernance and the status of nearly 70 IT acquisitions. 
This \nafternoon I will provide an overview of DHS's IT spending and \nthe importance of these investments to improve mission \nperformance, the cost and schedule status of these investments, \nsteps underway to improve outcomes, and recommendations moving \nforward.\n    DHS spends over $5.5 billion annually on over 350 \ninvestments. Of these, 68 are major IT acquisitions that \ncomprise about $4 billion of the total spend. These 68 systems \nare essential to improving DHS missionaries like screening \ntravelers and cargo entering the country, monitoring our \nborders, and sharing information to combat terrorism.\n    A specific example of how these systems improve mission \nperformance can be seen with the US-VISIT application. The \nportion deployed to date that includes matching fingerprints \nagainst an FBI database has resulted in thousands of \nindividuals being denied entry and hundreds of arrests. \nTherefore, delivering on-time and within budget on these IT \nacquisitions is vitally important to securing our homeland.\n    Last year we reported that 47 of the 68 acquisitions were \nmeeting cost and schedule goals; 21, or 30 percent were not. \nThese 21 include important acquisitions that are to improve \ncargo screening, the detention of terrorists, and the screening \nof travelers.\n    The four acquisitions highlighted by Ms. Graves are \nincluded in our list of 21 not meeting cost and schedule goals. \nMy written testimony highlights the specific reasons why each \nof these acquisitions are off-course, and these reasons include \npoor cost and schedule estimates, undisciplined requirements, \nprocesses, and various technical issues.\n    To DHS's credit, they have several important improvement \ninitiatives that I would like to highlight. But I would like to \nstart by acknowledging their IT leadership, both Mr. Spires and \nMs. Graves. Although not here today, I would like to take the \nopportunity to mention that Mr. 
Spires, that DHS, CIO, we have \nworked with him both while he was at IRS and now DHS. Our \nGovernment is fortunate to have his service.\n    Turning to improved initiatives, DHS has corrective action \nplans to address their performance shortfalls, have created \nCenters of Excellence where program offices can seek \nassistance. Their new tiered governance structure follows best \npractices. These initial steps have resulted in a better IT \nacquisition performance.\n    For example, OMB's IT dashboard, which provides \ntransparency on the performance of about 800 major IT \ninvestments across the Government, shows that DHS is trending \nin the right direction. Meaning that recently they have less \nprojects at risk than they have had in the past.\n    However, despite this progress, DHS still has too many \ncritical IT acquisitions where cost and schedule performance is \nnot cutting it. Our report last year highlighted about a \nbillion dollars associated with these 20 investments that are \nat risk. Therefore, several IT management practices still need \nsignificant improvements.\n    Specifically, DHS needs to have corrective action plans for \nall projects whose cost and schedule variances are \nunacceptable. DHS needs to have IT and business executives \npartner in aggressively overseeing their IT acquisitions by \nimplementing more completely their new governance process.\n    DHS also needs to tackle the core root cause areas \nassociated why programs are not meeting their cost and schedule \ncommitments by utilizing and expanding on their Centers of \nExcellence. Also DHS needs to mature its program management \ndisciplines, including areas like requirements management and \nrisk management. Finally, DHS needs to approach more of these \ninvestments on a smaller, more manageable increment to deploy \nkey functionality more quickly.\n    In summary, Mr. Chairman, DHS technology acquisitions play \na vital role in improving the security of our homeland. 
\nAlthough DHS' ability to deliver on these systems is improving, \nthere are still ways to go to ensure that this annual \ninvestment of $4 billion is yielding the near-term return our \ncountry needs.\n    This concludes my statement, and I would be pleased to \nrespond to questions.\n    [The prepared statement of Mr. Powner follows:]\n                 Prepared Statement of David A. Powner\n                             March 19, 2013\n                             gao highlights\n    Highlights of GAO-13-478T, a testimony before the Subcommittee on \nOversight and Management Efficiency, Committee on Homeland Security, \nHouse of Representatives.\nWhy GAO Did This Study\n    DHS has responsibility for the development and operation of the IT \nsystems for the agencies and offices under its jurisdiction that are \nkey to, among other things, securing the Nation's borders and enforcing \nimmigration laws. DHS reported having 363 such IT investments. Of these \ninvestments, 68--with budgeted annual costs of about $4 billion--were \nunder development and classified by DHS as a ``major'' investment \nrequiring special management attention because of its mission \nimportance.\n    GAO was asked to testify on the progress DHS has made and \nchallenges it faces in meeting cost and schedule commitments for its \nmajor IT investments, including those for Customs and Border \nProtection, Immigration and Customs Enforcement, and U.S. Citizenship \nand Immigration Services. 
Specifically, GAO was asked to focus on its \nSeptember 2012 report that determined: (1) The extent to which DHS \ninvestments are meeting their cost and schedule commitments, (2) the \nprimary causes of any commitment shortfalls, and (3) the adequacy of \nDHS's efforts to address these shortfalls and their associated causes.\nWhat GAO Recommended\n    In its report, GAO recommended that the Secretary of Homeland \nSecurity direct the appropriate officials to address guidance \nshortcomings and develop corrective actions for all major IT investment \nprojects having cost and schedule shortfalls. In commenting on a draft \nof the report, DHS concurred with GAO's recommendations.\n   information technology.--dhs needs to enhance management of major \n                              investments\nWhat GAO Found\n    Approximately two-thirds of the Department of Homeland Security's \n(DHS) major IT investments were meeting their cost and schedule \ncommitments. Specifically, out of 68 major IT investments in \ndevelopment, 47 were meeting cost and schedule commitments. The \nremaining 21--which DHS had estimated to cost about $1 billion--had one \nor more subsidiary projects that were not meeting cost and/or schedule \ncommitments (i.e., they exceeded their goals by at least 10 percent, \nwhich is the level at which the Office of Management and Budget (OMB) \nconsiders projects to be at increased risk of not being able to deliver \nplanned capabilities on time and within budget.)\n    The primary causes for the cost and schedule shortfalls were (in \ndescending order of frequency):\n  <bullet> inaccurate preliminary cost and schedule estimates,\n  <bullet> technical issues in the development phase,\n  <bullet> changes in agency priorities,\n  <bullet> lack of understanding of user requirements, and\n  <bullet> dependencies on other investments that had schedule \n        shortfalls.\n    Eight of the investments had inaccurate cost and schedule \nestimates. 
For example, DHS's Critical Infrastructure Technology \ninvestment had a project where actual costs were about 16 percent over \nthe estimated cost, due in part to project staff not fully validating \ncost estimates before proceeding with the project. In addition, six \ninvestments had technical issues in the development phase that caused \ncost or schedule slippages. For example, DHS's Land Border Integration \ninvestment had problems with wireless interference at certain sites \nduring deployment of hand-held devices used for scanning license \nplates, which caused a project to be more than 2 months' late.\n    DHS often did not adequately address cost and schedule shortfalls \nand their causes. GAO's investment management framework calls for \nagencies to develop and document corrective efforts to address \nunderperforming investments and DHS policy requires documented \ncorrective efforts when investments experience cost or schedule \nvariances. Although 12 of the 21 investments with shortfalls had \ndefined and documented corrective efforts, the remaining 9 had not. \nOfficials responsible for 3 of the 9 investments said they took \ncorrective efforts but were unable to provide plans or any other \nrelated documentation showing such action had been taken. Officials for \nthe other 6 investments cited criteria in DHS's policy that excluded \ntheir investments from the requirement to document corrective efforts. \nThis practice is inconsistent with the direction of OMB guidance and \nrelated best practices that stress developing and documenting \ncorrective efforts to address problems in such circumstances. 
Until DHS \naddresses its guidance shortcomings and ensures each of these \nunderperforming investments has defined and documented corrective \nefforts, these investments are at risk of continued cost and schedule \nshortfalls.\n    Chairman Duncan, Ranking Member Barber, and Members of the \nsubcommittee, I am pleased to be here today to discuss our past work \nexamining the Department of Homeland Security's (DHS) progress and \nchallenges in acquiring, developing, and managing the information \ntechnology investments and systems used by its agencies and offices, \nincluding those used by U.S. Customs and Border Protection (CBP), \nImmigration and Customs Enforcement (ICE), and U.S. Citizenship and \nImmigration Services (USCIS). Since its creation in 2002, DHS has spent \nbillions of dollars on IT infrastructure used to fulfill its mission to \nensure a homeland that is safe, secure, and resilient against terrorism \nand other hazards. We recently reported \\1\\ that, during fiscal year \n2012, DHS planned to spend about $5.6 billion on approximately 363 on-\ngoing IT investments. Of these 363 investments, 68 were under \ndevelopment and were classified by DHS as a ``major'' investment \\2\\ \nthat required special management attention because of its importance to \nthe Department's mission. My testimony today focuses on the key \nfindings of that work, including: (1) The extent to which DHS \ninvestments are meeting their cost and schedule commitments, (2) the \nprimary causes of any commitment shortfalls, and (3) the adequacy of \nDHS's efforts to address these shortfalls and their associated causes.\n---------------------------------------------------------------------------\n    \\1\\ GAO, Information Technology: DHS Needs to Enhance Management of \nCost and Schedule for Major Investments, GAO-12-904 (Washington, DC: \nSept. 
2012).\n    \\2\\ DHS defines a major IT investment as one with a cost of $50 \nmillion or more and is complex and/or mission-critical.\n---------------------------------------------------------------------------\n    This statement is based on our report of September 2012. In that \nreport, we discussed how each of the 68 major investments was \nperforming against its cost and schedule commitments as reported by the \nDepartment to the Office of Management and Budget (OMB). We also \nreviewed project plans and related documentation and interviewed \nresponsible DHS officials to identify the primary causes for the \nshortfalls and whether any corrective efforts had been developed and \ndocumented to address the shortfalls. We conducted the performance \naudit from October 2011 to September 2012 in accordance with generally \naccepted Government auditing standards. Those standards require that we \nplan and perform the audit to obtain sufficient, appropriate evidence \nto provide a reasonable basis for our findings and conclusions based on \nour audit objectives.\n                               background\n    DHS spends billions of dollars each year on IT investments to \nperform both mission-critical and support functions that frequently \nmust be coordinated among components and external entities. Of the $5.6 \nbillion that DHS planned to spend on 363 IT-related investments in \nfiscal year 2012, $4.4 billion was planned for the 83 the agency \nconsiders to be a major investment; namely, costly, complex, and/or \nmission-critical.\n    Of these 83 major IT investments, 68 are under development and were \nestimated to cost approximately $4 billion for fiscal year 2012. 
\nExamples of major investments under development that are being \nundertaken by DHS and its components include:\n  <bullet> CBP.--The Automated Commercial Environment/International \n        Trade Data System is to incrementally replace existing cargo \n        processing technology systems with a single system for land, \n        air, rail, and sea cargo and serve as the central data \n        collection system for Federal agencies needing access to \n        international trade data in a secure, paper-free, web-enabled \n        environment.\n  <bullet> ICE and CBP.--TECS Modernization is to replace the legacy \n        mainframe system developed by the U.S. Customs Service in the \n        1980s to support its inspections and investigations. Following \n        the creation of DHS, those activities were assigned to CBP and \n        ICE, respectively. CBP and ICE are now working to modernize \n        their respective portions of the system in a coordinated effort \n        with separate funding and schedules. For example, ICE's portion \n        of the investment will include modernizing the investigative \n        case management and related support modules of the legacy \n        system.\n    We have previously reported on the cost and schedule challenges \nassociated with major DHS IT investments, such as those with CBP's \nSecure Border Network (SBInet) and NPPD's United States Visitor and \nImmigrant Status Indicator Technology (US-VISIT).\\3\\ In these reports, \nwe made recommendations to address these challenges and keep these \ninvestments on schedule and within cost.\n---------------------------------------------------------------------------\n    \\3\\ See, for example, GAO, Secure Border Initiative: SBInet \nExpenditure Plan Needs to Better Support Oversight and Accountability, \nGAO-07-309 (Washington, DC: Feb. 
15, 2007); Secure Border Initiative: \nDHS Needs to Reconsider Its Proposed Investment in Key Technology \nProgram, GAO-10-340 (Washington, DC: May 5, 2010); and Homeland \nSecurity: Key US-VISIT Components at Varying Stages of Completion, but \nIntegrated and Reliable Schedule Needed, GAO-10-13 (Washington, DC: \nNov. 19, 2009).\n---------------------------------------------------------------------------\n  dhs met cost and schedule commitments for most major it investments\n    The success of major IT investments is judged by, among other \nthings, the extent to which they deliver promised system capabilities \nand mission benefits on time and within cost. Our research in best \npractices and extensive experience working with Federal agencies and \nOffice of Management and Budget (OMB) guidance stress the importance of \nFederal IT investments meeting cost and schedule milestones.\n    Approximately two-thirds of DHS's IT investments met their cost and \nschedule commitments; the remaining one-third had at least one \nsubsidiary project that was not meeting its commitments. Specifically, \nout of the 68 major investments under development, 47 were meeting \ntheir cost and schedule commitments.\n    The remaining 21 investments--which totaled about $1 billion as of \nMarch 2012--had one or more subsidiary projects that were not meeting \ncost and/or schedule commitments (i.e., they had exceeded their goals \nby at least 10 percent, which is the level at which OMB considers \nprojects to be at an increased risk of not being able to deliver \nplanned capabilities on time and within budget.) Table 1 lists the \nmajor investments with a cost and/or schedule shortfall.\n    Specifically, of the 21 investments with a shortfall, 5 had one or \nmore subsidiary projects with a cost shortfall, 18 had one or more \nprojects with a schedule shortfall, and 2 had a project with both a cost \nand schedule shortfall. 
These shortfalls place these investments at \nincreased risk of not delivering promised capabilities on time and \nwithin budget, which, in turn, pose a risk to DHS's ability to fully \nmeet its mission of securing the homeland. \n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n        causes of investment cost and schedule shortfalls varied\n    The primary causes of the shortfalls in cost and schedule \nassociated with DHS's 21 major IT investments were (in descending order \nof frequency): Inaccurate preliminary cost and schedule estimates, \ntechnical issues in the development phase, changes in agency \npriorities, lack of understanding of user requirements, and \ndependencies on other investments that had schedule shortfalls. A \nsummary of these causes by investment and component is shown in table \n2. \n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    In our past work on DHS's investments and related IT management \nprocesses, we have identified some of these same causes and made \nrecommendations to strengthen management in these areas. For example, \nwith regard to cost estimating, we reported that forming a reliable \nestimate of costs provides a sound basis for measuring against actual \ncost performance and that the lack of such a basis contributes to \nvariances.\\4\\ To help agencies establish such a capability, we issued a \nguide in March 2009 \\5\\ that was based on the practices of leading \norganizations. In a July 2012 report \\6\\ examining how well DHS is \nimplementing these practices, we reported that the Department had \nweaknesses in cost estimating. 
Accordingly, we made recommendations to \nDHS to strengthen its cost estimating capabilities, and the Department \nhas plans and efforts under way to implement our recommendations.\n---------------------------------------------------------------------------\n    \\4\\ GAO, Information Technology Cost Estimation: Agencies Need to \nAddress Significant Weaknesses in Policies and Practices, GAO-12-629 \n(Washington, DC: July 2012).\n    \\5\\ GAO, GAO Cost Estimating and Assessment Guide: Best Practices \nfor Developing and Managing Capital Program Costs, GAO-09-3SP \n(Washington, DC: March 2009).\n    \\6\\ GAO-12-629.\n---------------------------------------------------------------------------\n    We have also reported \\7\\ that developing sufficient requirements \nis key to effectively delivering systems on time and within budget and \nthat DHS has experienced project delays and cost overruns resulting \nfrom initial requirements not being defined properly. To address this \nchallenge, DHS had begun, as part of defining and implementing a new IT \ngovernance process, to establish Centers of Excellence to provide \ninvestment officials with expert assistance in requirements development \nand other essential IT management disciplines.\\8\\\n---------------------------------------------------------------------------\n    \\7\\ GAO, Department of Homeland Security: Assessments of Selected \nComplex Acquisitions, GAO-10-588SP (Washington, DC: June 2010).\n    \\8\\ GAO-12-818.\n---------------------------------------------------------------------------\n    about half of dhs's projects with shortfalls did not have well-\n                      developed corrective efforts\n    A variety of best practices exist to guide the successful \nacquisition of IT investments, including how to develop and document \ncorrective actions for projects experiencing cost and schedule \nshortfalls. 
In particular, GAO's Information Technology Investment \nManagement framework \\9\\ calls for agencies to develop and document \ncorrective efforts for underperforming projects. It also states that \nagencies are to ensure that, as projects develop and costs rise, the \nproject continues to meet mission needs at the expected levels of cost \nand risk; if projects are not meeting expectations or if problems have \narisen, agencies are to quickly take steps to address the deficiencies.\n---------------------------------------------------------------------------\n    \\9\\ GAO, Information Technology Investment Management: A Framework \nfor Assessing and Improving Process Maturity (version 1.1), GAO-04-394G \n(Washington, DC: March 2004).\n---------------------------------------------------------------------------\n    DHS developed and documented corrective efforts for 12 of the 21 \nmajor investments with a shortfall, but the remaining 9 did not have \ncorrective efforts documented. Table 3 depicts the investments with \nshortfalls and whether corrective efforts had been developed and \ndocumented. \n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    With regard to the investments with shortfalls, three were unable \nto provide us with documentation, even though project officials stated \nthat they had developed some corrective efforts, and six did not engage \nin corrective efforts to address shortfalls. Of the three investments, \nofficials from TSA's Federal Air Marshal Service Mission Scheduling and \nNotification System investment, for example, reported that they had \naddressed the project's schedule shortfall--which was due, in part, to \na support contractor not having adequate staffing--by performing the \nwork within the agency instead of relying on the contractor. 
Further, \naccording to TSA officials, the cost and schedule shortfalls on the Air \nCargo Security investment, which were due to technical complications \nand dependencies on other investments, were addressed by establishing a \nnew cost and schedule baseline. Nonetheless, this lack of documentation \nis inconsistent with the direction of DHS's guidance and related best \npractices, and it shows a lack of process discipline and attention to \nkey details, which raises concerns about the thoroughness of corrective \nefforts.\n    Of the six investments without any corrective efforts, officials \nfrom these investments (namely, the Office of the Chief Information \nOfficer's Human Resources IT investment, NPPD's US-VISIT Automated \nBiometric Identification System and Arrival and Departure Information \nSystem investments, USCG's Business Intelligence investment, NPPD's \nNational Cybersecurity Protection System, and USCIS's Claims 4 \ninvestment), stated that they did not develop and document corrective \nefforts because they believed DHS's guidance does not call for it in \ntheir circumstances. 
Specifically, the officials said that although \nDHS's guidance \\10\\ calls for corrective actions to be developed and \ndocumented when an investment experiences a life-cycle cost or schedule \nvariance, the variances on their project activities thus far were not \nlarge enough to constitute such a variance.\n---------------------------------------------------------------------------\n    \\10\\ Department of Homeland Security, Acquisition Management \nDirective 102-01 and Capital Planning and Investment Control Guide, \nversion 7.2.\n---------------------------------------------------------------------------\n    The impact of this approach is that multiple projects can continue \nto experience shortfalls--which increases the risk that investments \nwill experience serious life-cycle cost and schedule variances--without \nhaving to develop and document corrective actions to alert top \nmanagement about potential problems and associated risks. This is \ninconsistent with the direction of OMB, which requires agencies to \nreport (via the IT Dashboard) on the cost and schedule performance of \ntheir projects and considers those projects with a 10 percent or \ngreater variance to be at an increased level of risk of not being able \nto deliver promised capabilities on time and within budget, and thus \nthey require special attention from management. It is also inconsistent \nwith our best practices research and experience at Federal agencies, \nwhich stresses that agencies report to management when projects are not \nmeeting expectations or when problems arise and quickly develop and \ndocument corrective efforts to address the problems. 
Further, our \nresearch and work at agencies has shown that waiting to act until \nsignificant life-cycle variances occur can sometimes be risky and \ncostly, as life-cycle schedules are typically for multi-year periods, \nallowing the potential for underperforming projects to continue to vary \nfrom their cost and schedule goals for an extended amount of time \nwithout any requirement for corrective efforts. Consequently, until \nthese guidance shortcomings have been addressed and each \nunderperforming project has defined and documented corrective actions, \nthe Department's major investments these projects support will be at an \nincreased risk of cost and schedule shortfalls.\n     dhs needs to address guidance and cost and schedule shortfalls\n    To help ensure that DHS investments meet their cost and schedule \ncommitments, we recommended that the Secretary of Homeland Security \ndirect the appropriate officials to: (1) Establish guidance that \nprovides for developing corrective efforts for major IT investment \nprojects that are experiencing cost and schedule shortfalls of 10 \npercent or greater, similar to those identified in our report, and (2) \nensure that such major projects have defined and documented corrective \nefforts.\n    DHS concurred with our recommendations and estimated that they \nwould implement the first recommendation by September 30, 2013, and the \nsecond one immediately. We are currently in the process of following up \nwith DHS to assess the extent to which these recommendations have been \nimplemented.\n    In summary, most of the projects comprising DHS's 68 major IT \ninvestments were meeting their cost and schedule commitments, but 21 \nmajor investments--integral to DHS's mission and costing approximately \n$1 billion--had projects experiencing significant cost and schedule \nshortfalls. 
These shortfalls place these investments at increased risk \nof not delivering promised capabilities on time and within budget, \nwhich, in turn, pose a risk to DHS's ability to fully meet its mission \nof securing the homeland. DHS guidance does not require projects \nexperiencing significant cost and schedule shortfalls to develop and \ndocument corrective efforts until they cause a life-cycle cost and \nschedule variance. This increases risk and is contrary to effective IT \ninvestment practices. Given that DHS is currently establishing and \nimplementing new IT governance processes, the Department is positioned \nto address the guidance shortfalls.\n    Chairman Duncan and Ranking Member Barber and Members of the \nsubcommittee, this completes my prepared statement. I would be pleased \nto respond to any questions that you may have at this time.\n\n    Mr. Duncan. Thank you, Mr. Powner.\n    The Chairman will now recognize Inspector General Edwards \nfor 5 minutes.\n\nSTATEMENT OF CHARLES K. EDWARDS, DEPUTY INSPECTOR GENERAL, U.S. \n                DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Edwards. Chairman Duncan, Ranking Member Barber, and \nMembers of the subcommittee, thank you for the opportunity to \ndiscuss the Office of Inspector General's work to address the \nDepartment's IT management challenges. Today I will discuss our \nwork to improve management, oversight, and efficiencies at the \nDepartment level, and to ensure that CBP and USCIS have \nadequate management practices and technology to effectively \nsupport mission needs.\n    The Department relies heavily on IT, spending about $6 \nbillion a year for IT systems on infrastructure. Effective \noversight and management of IT expenditures is critical. In the \npast we identified the need for the Department's chief \ninformation officer to have greater authority, to become a more \neffective steward of IT funds. 
The Department has responded by \nstrengthening the CIO's role of a centralized management of IT \nand providing the CIO with authority and oversight of \ncomponents' IT investments.\n    With regard to IT systems and operational efficiencies, \ncomponent CIOs face challenges to ensure that IT environment \nfully meets mission needs. Often we find that limited \ninteroperability and functionality of components' aging \ntechnology infrastructures hinder personnel from conducting \nactivities.\n    For example, in June 2012 we reported that CBP faced \nchallenges with systems' availability, including periodic \noutages of critical security systems. This was due in part to \nits aging infrastructure. Furthermore, the interoperability of \nthe IT infrastructure was not sufficient to support CBP mission \nactivities.\n    As a result, staff created workarounds or employed \nalternate solutions. In some cases CBP assigned agents to \nperform duplicative data entry instead of enforcement duties in \nthe field. In other instances CBP staff operated stand-alone, \nnon-approved IT. Such activities may hinder CBP's ability to \nsafeguard borders and ensure officer safety. We recommended \nthat CBP CIO develop a funding strategy for the replacement \nefforts of outdated IT infrastructure.\n    USCIS faces similar challenges with an IT environment that \ndoes not effectively support its mission's operations. We \nreported in July 2009 and again in November 2011 that USCIS \ncontinues to rely on paper-based processes to support its \nmission.\n    On any given day, USCIS processes about 30,000 applications \nfor immigration benefits. Yet, USCIS provides nearly all of its \nservices using paper forms. 
This hinders USCIS personnel from \nprocessing immigration benefits efficiently, combating identity \nfraud and providing partner agencies the information needed to \nidentify criminals and possible terrorists.\n    Although the current transformation program is meant to \ntransition the agency from a paper-based system to an account-\nbased environment, implementation has been delayed repeatedly \nover the past 8 years. We recommended that USCIS complete \nbusiness and technology process documentation to provide the \ndetail necessary to implement the transformation program \neffectively.\n    We also recommended that USCIS revise its governance \nstructure to enable more streamlined decision making for its \nagency-wide IT modernization effort. In November 2011 we \nreported that although USCIS established a transformation \ngovernance structure, this structure has weaknesses that have \ncontributed to transformation delays.\n    Transformation leadership told us the Government structure \nwas too complex, that too many stakeholders and boards were involved \nin making decisions. USCIS did not have the sufficient \ngovernance mechanism in place to ensure effective acquisition \nof IT resources. We are encouraged by the steps taken by USCIS \nto address our recommendation.\n    In conclusion, our audits have identified weaknesses in IT \nmanagement functions and widespread IT function limitation \nacross the Department. Although there remain resource \nconstraints that limit the Department, progress has been made \nin addressing these areas over the past few years.\n    Mr. Chairman, this concludes my prepared remarks, and I \nwould be happy to answer any questions that you or the Members \nmay have. Thank you.\n    [The prepared statement of Mr. Edwards follows:]\n                Prepared Statement of Charles K. Edwards\n                             March 19, 2013\n    Mr. 
Chairman and Members of the subcommittee: Thank you for the \nopportunity to discuss DHS' information technology (IT) issues. My \ntestimony today will address the predominant IT management issues we \nhave reported on over the past 2 years.\n    The majority of information that I will provide is contained in our \nreports, Customs and Border Protection Information Technology \nManagement: Strengths and Challenges (OIG-12-95), DHS Information \nTechnology Management Has Improved, But Challenges Remain (OIG-12-82), \nU.S. Citizenship and Immigration Services' Progress in Transformation \n(OIG-12-12), Coast Guard Has Taken Steps To Strengthen Information \nTechnology Management, but Challenges Remain (OIG-11-108), Federal \nEmergency Management Agency Faces Challenges in Modernizing Information \nTechnology (OIG-11-69), and U.S. Secret Service's Information \nTechnology Modernization Effort (OIG-11-56). I will also provide an \nupdate on the progress made by DHS on implementing some of the report \nrecommendations.\n    DHS budgets over $6 billion a year for its IT. This represents \nnearly 15 percent of the DHS overall budget. The 22 component agencies \nthat currently make up DHS rely extensively on IT to perform a wide \nrange of mission operations, including counterterrorism, border \nsecurity, and immigration benefits processing, among others. Given the \nsize and significance of DHS' IT investments, effective management of \nDepartment-wide IT expenditures is critical.\n                      dhs' it management oversight\n    In the past, we identified the need for the Department's Chief \nInformation Officer (CIO) to have greater authority to become a more \neffective steward of IT funds.\\1\\ The Department has since strengthened \nthe CIO's responsibilities for oversight and centralized management of \nIT, which has helped provide the authority for leading component CIOs \ntoward a more unified IT direction. 
Specifically, we reported in May \n2012 that the DHS Office of the CIO has improved oversight of IT \nprograms and key IT management functions, such as acquisition and \nportfolio reviews, to improve CIO decision making.\\2\\ As a result, the \nDHS CIO has better visibility of Department-wide IT programs and assets \nthus enabling the CIO to identify opportunities for reducing costs and \nduplication across the Department's IT environment.\n---------------------------------------------------------------------------\n    \\1\\ Improvements Needed to DHS' Information Technology Management \nStructure (OIG-04-30, July 2004). Progress Made in Strengthening DHS \nInformation Technology Management, But Challenges Remain (OIG-08-91, \nSeptember 2008).\n    \\2\\ DHS Information Technology Management Has Improved, But \nChallenges Remain (OIG-12-82, May 2012).\n---------------------------------------------------------------------------\n    In the same report, we concluded that DHS had further defined the \nCIO's authority and responsibility. For example, the DHS deputy \nsecretary issued a memorandum in May 2011, which directed the CIO to \ntake a greater role in the review and execution of all IT \ninfrastructure investments.\\3\\ The expansion of DHS CIO authority was \ndue in part to the Federal CIO's IT reform plan, which requires agency \nCIOs to implement initiatives to improve management of large-scale IT \nprograms.\\4\\ Additionally, Office of Management and Budget Memorandum \nM-11-29, Chief Information Officer Authorities, states that agency CIOs \nmust drive the investment review process for IT investments. 
To \nformalize this guidance, the DHS under secretary for management began \nan effort to update the Delegation of Authority for the DHS CIO, which \nincluded oversight of the Department's IT programs.\n---------------------------------------------------------------------------\n    \\3\\ DHS Deputy Secretary, Information Technology Efficiency, May 5, \n2011.\n    \\4\\ The 25 Point Implementation Plan To Reform Federal Information \nTechnology Management, December 9, 2010.\n---------------------------------------------------------------------------\n    The CIO has increased oversight of Department-wide IT programs and \ninvestments by conducting annual IT program reviews and in-depth \nreviews of selected IT programs. These reviews enable the CIO to make \nstrategic recommendations for reducing costs and duplication across the \nDepartment's IT environment. For example, the DHS CIO issued 90 \nrecommendations to the deputy secretary for the 2013 budget year that 81 \nIT investments continue as planned, eight investments be continued but \nmodified, and one be suspended. The CIO also made program-specific \nrecommendations, such as to reinstate $10 million in funding per year \nfor the Customs and Border Protection (CBP) Traveler Enforcement \nCompliance System Modernization in order to prevent further schedule \ndelays, as well as a recommendation that the Federal Emergency \nManagement Agency (FEMA) suspend work on its National Flood Insurance \nProgram Information Technology Systems and Services until business \nrequirements were better defined.\n    In addition, the DHS CIO has increased oversight of IT software, \nhardware, and infrastructure purchases through the IT acquisitions \nreview process. The volume of IT acquisition reviews has increased from \n243 in fiscal year 2007 to 387 in fiscal year 2011. The number of \napprovals for IT acquisition requests has increased from 129 in fiscal \nyear 2007 to 311 in fiscal year 2011. 
These reviews have increased the \nDHS CIO's ability to verify compliance with technical standards and to \nensure program and project alignment with Department-wide IT policy, \nstandards, objectives, and goals.\n    The Department has also achieved infrastructure integration \nmilestones through data center and network consolidation. Specifically, \nthe Office of the CIO (OCIO) continues its efforts to consolidate data \ncenters across the Department, integrate disparate component networks \ninto a single DHS network, and create centralized email and \ncollaboration services to improve information sharing. As of November \n2011, DHS headquarters, FEMA, the Transportation Security \nAdministration (TSA), and CBP had migrated applications from eight \nsites to one DHS enterprise data center. Additionally, DHS has \nestablished an enterprise network, OneNet, as well as a primary and \nsecondary network operations center and security operations center. The \nOCIO has also begun offering centralized IT services housed at the two \nenterprise data centers, such as email and Microsoft SharePoint, to \nachieve economic savings through consolidation. Some components are \nalready realizing cost savings from the data center consolidation and \nDHS enterprise service offerings.\n    Finally, the Department matured key IT management functions, such \nas strategic planning, Capital Planning and Investment Control (CPIC), \nenterprise architecture, and portfolio management. For example, the \nOCIO developed an IT strategic plan for fiscal year 2011-2015. In \naddition, the DHS OCIO has continued to execute its CPIC process \neffectively, which is DHS' primary process for making decisions about \nthe systems in which the Department should invest. 
The OCIO has also \ncontinued to execute Department-wide enterprise architecture efforts, \nsuch as the development of a Homeland Security Enterprise Architecture \nand specific segment architectures, which provide the CIO with a \nfoundation for making better-informed decisions. Finally, the DHS \nPortfolio Management process, which establishes portfolios based on \nDHS' mission areas and business functions, helps the OCIO to align IT \ninvestments with portfolios and identify redundancies or gaps. Over the \npast 2 years the DHS OCIO has begun conducting an annual portfolio \nanalysis to align IT investments to its 13 existing portfolios and \nidentify redundancies or gaps. At the time of our audit, the OCIO had \naligned more than 650 IT investments with the 13 portfolios.\n                            major challenges\n    Although DHS has made significant progress in improving IT \nmanagement functions, challenges remain for CIO involvement in \ncomponent IT budget planning. For example, the DHS CIO conducts a \nreview of all components' IT budgets as part of the DHS IT budget \nformulation process, which provides opportunity to confirm that \ncomponent plans are in line with Departmental priorities. However, the \nCIO is not involved during the component IT budget planning process \nwhen initial planning activities are taking place. As such, the CIO IT \nbudget reviews do not directly affect the amount of funding components \nreceive, meaning components can obtain funding for IT investments \nregardless of the decisions made during the budget review process. For \nexample, a review of one component's IT budget revealed a funding \nrequest for approximately $6 million to improve IT infrastructure. 
Yet, \nthe OCIO had requested $91 million from the component for data center \nmigration costs for the same budget year, highlighting a discrepancy in \nfunding plans.\n    To address this issue we recommended that the deputy under \nsecretary for management assign the DHS CIO centralized control over \nthe Department's IT budget planning process to review, guide, and \napprove IT investments. Since this recommendation was made, the DHS CIO \nhas been delegated the authority to review and approve IT budgets for \ndelivering and maintaining enterprise IT solutions and mission IT \nsystems and services throughout the Department in coordination with the \nDHS CFO. The recommendation was closed in September 2012.\n                     component-specific challenges\n    Insufficient IT management practices, need for CIO IT budget \nauthority, fragmented and aging IT infrastructures, and inadequate \ngovernance mechanisms have been long-standing issues for several DHS \ncomponents.\nComponent IT Management Practices Need Improvement\n    Although DHS and its components have made progress establishing \neffective IT management practices, several DHS components have not \nfully implemented key IT management functions needed to guide agency-\nwide IT programs. For example, in June 2012 we reported that CBP had \ndeveloped an enterprise architecture to align with the Department's \narchitecture and guide CBP's IT environment.\\5\\ However, the Office of \nIT had not yet developed a target ``To-Be'' business architecture to \nanalyze business processes. Without a complete view of CBP's target \nenterprise architecture, the CIO faces increased risks to efforts to \nmodernize the way OIT provides support to CBP. 
We recommended the CBP \nOIT provide the necessary resources to complete required enterprise \narchitecture activities.\n---------------------------------------------------------------------------\n    \\5\\ CBP Information Technology Management: Strengths and Challenges \n(OIG-12-95).\n---------------------------------------------------------------------------\n    Similarly, we reported in April 2011 that FEMA had not yet \ncompleted its enterprise architecture. Specifically, the agency had not \ncompleted efforts to document its business functions, information \nresources, and IT systems as part of its baseline enterprise \narchitecture.\\6\\ Also, the IT architecture remained undocumented for \nmany program areas and the standards on the OCIO's website were at least \n2 years out-of-date. We also determined that FEMA did not have a \ncomprehensive IT strategic plan with clearly-defined goals and \nobjectives or guidance for program office initiatives. Without these \ncritical elements in place, FEMA is challenged to establish an \neffective approach to modernize its information technology \ninfrastructure and systems. We recommended FEMA complete and implement \nan enterprise architecture and develop a comprehensive IT strategic \nplan. Each of these recommendations was closed in January 2013 when \nFEMA produced evidence of a completed baseline architecture and an \nupdated IT Strategic Plan.\n---------------------------------------------------------------------------\n    \\6\\ Federal Emergency Management Agency Faces Challenges in \nModernizing Information Technology (OIG-11-69).\n---------------------------------------------------------------------------\n    Likewise, we reported in March 2011 that the United States Secret \nService (USSS) had not updated its IT Strategic Plan since 2006.\\7\\ As \na result, its plan was not sufficient to address its system weaknesses \nor integrate with DHS' technology direction. 
For example, the plan did \nnot describe how the USSS will leverage specific DHS enterprise-wide \nsolutions such as DHS Consolidated Data Centers and OneNet. \nAdditionally the IT Strategic Plan did not accurately reflect \nInformation Integration and Transformation Program activities such as \nplanned upgrades to technology platforms. We recommended that the \ndeputy director, USSS create effective planning documentation.\n---------------------------------------------------------------------------\n    \\7\\ U.S. Secret Service's Information Technology Modernization \nEffort (OIG-11-56).\n---------------------------------------------------------------------------\nComponent CIOs Need Additional Budget Authority and Oversight\n    Most of the major component CIOs lack IT budget authority and \noversight of technology spending across programs and activities within \ntheir agency. For example, in our June 2012 review of CBP we found that \nthe CIO did not have full oversight of IT spending across all programs \nand activities within CBP.\\8\\ Specifically, CBP component offices \nsubmit IT spending requests that were processed by procurement without \ngoing through the CIO's IT acquisition review process, thus increasing \nthe risk of security issues or enterprise alignment challenges. \nLikewise, in April 2011 we reported that FEMA's program offices and \nregional offices continue to develop IT systems independent of the OCIO \ndue in part to decentralized IT budget and acquisition practices. \nSpecifically, the manner in which IT programs are funded and developed \nwithin FEMA hindered the OCIO's efforts to establish a complete \ninventory and manage IT capital planning and investment. For example, \nduring fiscal year 2010, FEMA spent $391 million for agency-wide IT \nneeds, but the OCIO accounted for only 29 percent of total spending. 
We \nrecommended the FEMA CIO establish an agency-wide IT budget planning \nprocess to include all FEMA program technology initiatives and \nrequirements.\n---------------------------------------------------------------------------\n    \\8\\ CBP Information Technology Management: Strengths and Challenges \n(OIG-12-95).\n---------------------------------------------------------------------------\n    In September 2011, we reported that the United States Coast Guard \n(USCG) CIO had limited authority over IT assets and spending.\\9\\ \nSpecifically, the CIO does not have sufficient oversight of IT spending \nby field units. Without this authority, the CIO cannot fully ensure \nthat the Coast Guard IT environment is functioning effectively and \nefficiently. We recommended that Coast Guard chief of staff transition \nIT personnel and oversight of field IT spending under the CIO. \nLikewise, in our March 2011 review of USSS \\10\\ we determined that the \nUSSS did not position its CIO with the necessary authority to review \nand approve IT investments. Specifically, the CIO was not a member of \nthe director's management team and therefore does not play a \nsignificant role in overseeing IT systems development and acquisition \nefforts. We recommended the deputy director, USSS provide the CIO with \nagency-wide IT budget and investment review authority to ensure that IT \ninitiatives and decisions support accomplishment of the USSS and \nDepartment-wide mission objectives.\n---------------------------------------------------------------------------\n    \\9\\ Coast Guard Has Taken Steps To Strengthen Information \nTechnology Management, but Challenges Remain (OIG-11-108).\n    \\10\\ U.S. 
Secret Service's Information Technology Modernization \nEffort (OIG-11-56).\n---------------------------------------------------------------------------\nOutdated IT Does Not Effectively Support Component's Missions\n    Component CIOs are challenged to ensure that the IT environment \nfully supports their agencies' mission needs. Commonly, interoperability \nand functionality of components' aging technology infrastructures have \nnot been sufficient to support mission activities. For example, in June \n2012 we reported that the CBP Office of IT (OIT) faced challenges with \nsystem availability, including periodic outages of critical security \nsystems.\\11\\ Systems outages have occurred in part because of aging \ninfrastructure, which has not been updated as required because of \nfunding reductions. In addition, the interoperability and integration \nof the IT infrastructure were not sufficient to support CBP mission \nactivities fully, due to lengthy requirements-gathering and technology \ninsertion processes. As a result, staff created workarounds and \nemployed alternative solutions, including assigning agents to perform \nduplicative data entry--instead of enforcement duties in the field--and \noperating stand-alone, non-approved IT. We recommended the CBP CIO \ndevelop a funding strategy for the replacement of outdated \ninfrastructure. 
As of February 2013, the CBP OIT was continuing to \nassess the needs across CBP to present additional requirements for \nfunding consideration and prioritization against all other CBP \npriorities.\n---------------------------------------------------------------------------\n    \\11\\ CBP Information Technology Management: Strengths and \nChallenges (OIG-12-95).\n---------------------------------------------------------------------------\n    Also, we reported in September 2011 that Coast Guard systems and \ninfrastructure did not fully meet mission needs due to aging \ninfrastructure that is difficult to support, and stove-piped system \ndevelopment.\\12\\ Specifically, Coast Guard field personnel do not have \nsufficient network availability, the aging financial system is \nunreliable, and command center and partner agency systems are not \nsufficiently integrated. As a result, field personnel rely on \ninefficient work-arounds, such as having to enter the same information \ntwice, to accomplish their mission. We recommended the Coast Guard CIO \naddress the IT systems and infrastructure needs by implementing a plan \nto ensure system redundancy to meet availability requirements, \nimplement a strategy to improve ease of use and availability of the \nfinancial systems, and ensure that new tools address requirements for \nimproved integration. 
Since that time, the recommendation to ensure \nthat new tools address requirements for improved integration was closed \nin April 2012.\n---------------------------------------------------------------------------\n    \\12\\ Coast Guard Has Taken Steps To Strengthen Information \nTechnology Management, but Challenges Remain (OIG-11-108).\n---------------------------------------------------------------------------\n    In April 2011, we reported that FEMA's systems were not integrated, \ndid not meet user requirements, and did not provide the information \ntechnology capabilities agency personnel and its external partners \nneeded to carry out disaster response and recovery operations in a \ntimely or effective manner.\\13\\ Specifically, limited progress had been \nmade in modernizing the agency's critical mission support systems due \nto uncertainty of Department-wide consolidation plans. As a result, \nFEMA's legacy systems were not able to effectively support disaster \nresponse functions in a timely and effective manner. As a result, FEMA \npersonnel were using paper forms and relying on manual data entry to \nprocess grants. These manual work-arounds may suffice during minor \nevents; however, they may not sustain the increased workload and level \nof information sharing required to support major disasters. We \nrecommended the FEMA CIO establish a consolidated modernization \napproach for FEMA's mission-critical IT systems, to include DHS plans \nfor integrated asset management, financial, and acquisition solutions. 
\nAs of December 2012, FEMA had included modernization plans in its 2012 \nIT Strategic Operations Plan; however, the recommendation remains open \nuntil the OCIO develops a modernization approach for FEMA's mission-\ncritical IT systems.\n---------------------------------------------------------------------------\n    \\13\\ Federal Emergency Management Agency Faces Challenges in \nModernizing Information Technology (OIG-11-69).\n---------------------------------------------------------------------------\n    The United States Citizenship and Immigration Services (USCIS) \nfaces similar challenges to establish an IT environment that can \neffectively support its mission needs. We reported in November 2011 \nthat USCIS continued to rely on paper-based processes to support its \nmission, which made it difficult for USCIS to process immigration \nbenefits efficiently, combat identity fraud, and provide other \nGovernment agencies with the information required to identify criminals \nand possible terrorists quickly.\\14\\ On any given day, USCIS processes \n30,000 applications for immigration benefits. Yet, USCIS provides \nnearly all of its services using paper forms: Customers submit paper \napplication forms; USCIS adjudications officers determine whether an \napplicant is eligible for benefits by reviewing the paper \ndocumentation; and USCIS issues paper evidence of benefits. USCIS staff \nalso must use automated and manual methods to conduct background checks \non applicants. An enterprise-wide transformation program is under way \nto transition the agency from a paper-based operational environment to \nan account-based environment using electronic adjudication. However, \nimplementation of the transformation has been delayed repeatedly over \nthe past 8 years. 
We recommended that the Office of Transformation \nCoordination complete business and technology process documentation to \nprovide the detail necessary to implement the transformation program \neffectively. Since that time, USCIS provided process documentation in \nJuly 2012 and the recommendation was closed.\n---------------------------------------------------------------------------\n    \\14\\ U.S. Citizenship and Immigration Services' Progress in \nTransformation (OIG-12-12).\n---------------------------------------------------------------------------\nBetter IT Governance Needed for IT Modernization Efforts\n    Components implementing transformation efforts are hindered by \ninsufficient governance and decision-making mechanisms to effectively \ndirect agency-wide transformation program activities. In our March 2011 \nreport, we found that the USSS did not implement an effective IT \ngovernance approach for its Information Integration and Transformation \nProgram, which had an estimated cost of $1.5 billion.\\15\\ Specifically, \nthe agency did not have a formal Department-level IT governance \nmechanism to provide integrated feedback and direction for the \ntransformation program effort. Without a formal mechanism for \nintegrated governance, the USSS reached out individually to DHS offices \nand received conflicting advice and did not sufficiently consider DHS \nenterprise-wide solutions. We recommended that the deputy director, \nUSSS formalize an Executive Steering Committee and ensure that the \nInformation Integration and Transformation Program is in alignment with \nthe USSS and DHS strategic goals and objectives. 
Since that time, the \nUSSS has provided updates on its ongoing efforts to implement an \nExecutive Steering Committee which includes USSS Senior Management and \nDHS members from the offices of the CIO, the chief procurement officer, \nand the Acquisition, Planning, and Management Directorate.\n---------------------------------------------------------------------------\n    \\15\\ U.S. Secret Service's Information Technology Modernization \nEffort (OIG-11-56).\n---------------------------------------------------------------------------\n    Likewise, our April 2011 review of USCIS Transformation concluded \nthat USCIS' transformation governance structure did not promote timely \nand effective decision making.\\16\\ Specifically, the governance \nstructure was overly complex and required too many formal meetings and \ncheckpoints for review, hindering decision making. We recommended that \nthe chief, Office of Transformation Coordination revise its current \ngovernance structure to enable more streamlined program decision \nmaking. Since that time, USCIS has continued to revise its governance \nstructure to include a Transformation Executive Steering Committee and \na Product Management Team.\n---------------------------------------------------------------------------\n    \\16\\ U.S. Citizenship and Immigration Services' Progress in \nTransformation (OIG-12-12).\n---------------------------------------------------------------------------\n    Mr. Chairman, this concludes my prepared statement. I appreciate \nyour time and attention and welcome any questions from you or Members \nof the subcommittee.\n\n    Mr. Duncan. Thank you, Mr. Edwards.\n    Thanks to everyone for their testimony. I will now \nrecognize myself for 5 minutes of questions.\n    First thing I want to point out is in the GAO report, Mr. \nPowner. I was looking at the primary causes for cost and \nschedule shortfalls and inaccurate preliminary cost and \nschedule estimates. 
What attributed to that? Had they changed \nthe needs? Did they not think through the whole IT process \nappropriately? I ask that question in light of going out to St. \nElizabeths and the cost overruns there.\n    Mr. Powner. A couple things. One is when you look--when we \nlook at cost and schedule estimating, requirements is a big \narea. So if you look at requirements many times, as I know \nRanking Member Barber, you mentioned about getting the user \nrequirements up front with systems like SBInet. So, getting the \nrequirements nailed down that definitely affects your cost and \nschedule estimate up front.\n    Also, we look at the complexity where if you have \ninterdependencies from other systems, and some of these \nprojects have you know various components that need to work \ntogether. We look for critical path and how they manage that. \nIt is a very disciplined process when you look at the \ncomplexity involved with some of these acquisitions, Mr. \nChairman. We find holes in that discipline when it comes to \nboth the cost and schedule estimating.\n    But again, requirements is key, making sure you have--\nbecause if you don't have the requirements up front, you could \nhave disciplined processes. You are still going to have a poor \nestimate.\n    Mr. Duncan. Well, I have never built a house, but I was a \nbanker for 8\\1/2\\ years, and financed a lot of them, and saw a \nlot of wives and husbands make changes to the house as it was \nbeing built. When you change the priorities going forward in \nany kind of project you are going to run into cost overrun. So, \nyou have got changes in agency priorities. Can you elaborate?\n    Mr. Powner. There are--again, several of those systems, \nthese are the 21 systems that were not within 10 percent of \ncost and schedule estimates. So we saw that again. This is tied \nto requirements too. There is a link to requirements. But we \nsaw some of these systems.\n    There was a change in priorities for the agency. 
So, for \ninstance, when you start looking at you know a good example--I \nmean this wasn't, but if you go back to like our US-VISIT work, \nyou know one time you are focused on exit and entry, you are \nfocused on a biometric. Then all of a sudden we start going \nwith a smaller focus.\n    One of the things I would like to highlight when you look \nat these priorities is it is very important to go smaller; \nsmaller increments on these projects because Mr. Edwards \nmentioned many times--many of the past problems had been they \ntried to do so much all at once. If you look at the corrective \naction plans currently in DHS's statement, there is typically \ndeliverables within 12 months. So we want to see more of that \nincremental approach to things because then it is more \nmanageable. Then that way we can stick to the priorities if it \nis smaller.\n    Mr. Duncan. Thank you for your work on that. I am going to \nshift to yours in just a minute because the TECS system is \nsomething I am very, very interested in, Traveler Enforcement, \nand how we are screening the folks that are coming into this \ncountry, the databases we are building on each of those \nindividuals, but how that information is shared between the \nfront-line people that are doing visa applications or screening \nwith the State and ICE and also there at the border, \nparticularly airports, coming into this country.\n    So, I will ask Ms. Graves, how did--or how will modernizing \nthe TECS system benefit those ICE agents? How does ICE \ncoordinate with the CBP in that effort?\n    Ms. Graves. 
Well, luckily, sir, there is a joint program \noffice effort that works together with ICE and CBP that looks \nat the case management aspect of the TECS Modernization, which \nis the ICE piece of equation, as well as the modernization of \nhow the derogatory databases are pulled together to provide \nthat data to the front-line officers for their adjudication and \nfor their identification of possible entrants into the country \nthat have derogatory information against them.\n    Some of the modernizations that are going on in the TECS--\nin the TECS Modernization program are going to provide some \nadditional functionality, and particularly there are going to \nbe some improvements made that are going to help with the \nefficiencies of the front-line officers. Those include the fact \nthat when the primary adjudication is done that that \naffirmation is going to be packaged and passed in an automated \nfashion to the secondary adjudicator.\n    That adjudicator will be able not only to have that \nimmediately available, but be able to build upon that by adding \nadditional datasets from the Department of Agriculture, from \nother areas that were not included in the first primary \nscreening.\n    So, that would streamline the process. The secondary \nadjudicator wouldn't be starting over. It also feeds directly \ninto once the adjudication is made into the case management \naspect within ICE so that if there is a derogatory finding that \nwould be the--would enter into the case management process.\n    Both of those systems are being modernized in an integrated \nfashion. The expectation is to exit the mainframe technology \nwith both of those systems being off the mainframe technology \nin concert in 2015.\n    Mr. Duncan. Yes. I have been down to Nogales to the vehicle \ncrossing there and stood in the phone booth-type apparatus \nwhere the Customs and Border Patrol Agents are screening those \ncars and the occupants. 
I want to make sure, and I know you do \nas well, but that the information they have on those occupants \nas they scan their ID cards or their passports is accurate and \nwe know that they have got every--every bit of information, \neven if it is derogatory towards apprehending illegals or \nterrorists or others that are coming into this country.\n    I think the American people would want us to make sure that \nthose Border Patrol agents have up-to-date and complete \ninformation on suspected terrorists that might be coming in, or \nother individuals. So I am looking forward to seeing how TECS \nModernization goes forward. I appreciate your testimony.\n    With that I will yield to Mr. Barber, the Ranking Member.\n    Mr. Barber. Well, thank you, Mr. Chairman. I wanted to ask \nMs. Graves a question related to lessons learned and how we \nmight improve processes going forward.\n    As you know, I noted that we, unfortunately prohibited the \nend-users or the Border Patrol agents from having impact on the \ninitial SBInet effort. So, given that experience, and knowing \nthat we spent a billion dollars that really didn't get us too \nfar, what plans is the Department or steps the Department \ntaking to include the end-users fairly early on in the future \ndevelopment of IT? Can you elaborate on what you are doing to \nchange that approach?\n    Ms. Graves. Yes, absolutely. I am pleased to be able to \ntell you that--I will use the ACE program as an example. We met \nlast week and what we are doing in implementing the Agile \nmethodology, the Agile development methodology for IT is we are \ncreating user stories. The source of that user story, Mr. \nPowner spoke about requirements. 
But in the Agile methodology \nthe requirements are actually drafted into these user stories \nthat are actually developed in concert with the embedded \noperational entities that will work with the program throughout \nits development cycle.\n    These users are developing along with the developers. They \nare sitting with the developer. They are talking through the \nuse cases. They are testing at appropriate times when \nfunctionality is actually delivered. They are providing \nimmediate feedback, which is continuously incorporated into the \ndevelopment cycle so that they are constantly at the table.\n    There is no separation of church and state. There is no \nindication that there is going to be a quick conversation with \na user base and then you develop over in the corner and you \ncome back later on and you find that you really haven't hit the \nmark. It is a continuous process. It is continuous integration, \ncontinuous user stories. What they also do by having the users \nat the table is to understand how those priorities change.\n    We talked about one of the things that drives cost overruns \nin the changing requirement landscape and the shift in \npriorities. With the users constantly at the table we have the \nopportunity to have the business mission side of the equation \nadjudicate what is going to be the next user story that is \nactually developed. In that case it allows us to shift or \ntransfer workload accordingly, driven by the business \nimperative.\n    Mr. Barber. I appreciate the steps. Hopefully they will \nensure that we go forward with a full understanding of what the \nend-users need and can actually help us design.\n    This is a question specific to one of the--Ms. Graves, for \nyou, specific to one of the 21 projects that are problematic. I \nam focusing here on the National Cybersecurity Protection \nSystem. 
This committee, the overall Committee on Homeland \nSecurity, I know the Chairman and I am also very concerned \nabout where we are going with this.\n    The President issued an Executive Order recently putting \nsome priority on this for DHS. But, this is one of the 21 that \nis not doing so well. What steps are being taken subsequent to \nthe President's Executive Order to give priority to the \ncybersecurity IT system?\n    Ms. Graves. We have an executive steering committee. As I \nspoke earlier about our tiered governance process, we have an \nexecutive steering committee which has actually got the \nleadership of NPPD, the component that owns that system at the \ntable.\n    Also, there has been a lot of what I would consider to be \nstakeholder involvement from the ISPs, the internet service \nproviders out in the commercial sector because that particular \nsystem has to be developed in concert with them. There has to \nbe a full understanding of the requirements base as well as the \nexpectation of what the capability is going to be at the end of \ndelivery.\n    So, I think what we are going through now is that ESC is \nlooking at those requirements bases and they are making the \nappropriate adjustments along with the ISPs. Some of the \nconversations for the ISPs are on-going and still have to be \nconcluded. So I would put for the record that we could come \nback and speak to that when that has occurred.\n    Mr. Barber. You just have a few seconds left, but I just \nwant to elaborate on that question as we look at sequestration \nand what is happening to the Department's budget. How are you \ngoing to--or how are you prioritizing projects, given what you \nare facing with sequestration?\n    Ms. Graves. With sequestration the Department will \nprioritize the requirements based on the Secretary's goal \npriorities. That of course, as she has stated repeatedly in \npublic forums is front-line mission. 
Many of those front-line \nmissions are the ones that we have discussed today.\n    So I have no doubt that those will be prioritized. It \nreally is about the law enforcement officer on the ground and \nabout fully outfitting that officer with the communications \ncapability and the IT information capability in order to \neffectively do their job.\n    Mr. Barber. Thank you, Mr. Chairman.\n    Mr. Duncan. Thank you.\n    The Chairman now recognizes the gentleman from Big Sky \nCountry, Mr. Daines, for questioning.\n    [Off mike.]\n    Mr. Daines. We will try this one. That is better.\n    There has been a lot of discussion here about cost and \nschedule, which I completely appreciate and respect. I spent 28 \nyears in the private sector, in fact 12 years of a cloud \ncomputing company delivering projects. So I have seen it from \nboth sides.\n    There has been--you know the discussion has been on cost \nand on schedule, an important role certainly of the CIO of an \norganization in project management and delivery. But a project \nis still a means to a greater end. I would--as a taxpayer and \nrepresentative of taxpayers of America, there has been \ninvestments made. But I want to talk to you about the return on \nthat investment, assuming for a moment that we do hit projects \non schedule and at or below budget.\n    Let me talk, Ms. Graves, about the two or three best \nexamples where we have really seen a return on investment for \nthe taxpayer on completed projects.\n    Ms. Graves. Again, I will go back to--I will start with ACE \nand then I will segue into a couple of the other programs that \nwe have talked about today.\n    Particularly for ACE what we have seen in terms of real \nmetrics and measurable outcomes that are associated with the \nimprovements that have been made in that program would include \nfaster border crossings. The ACE truck manifest capability \ntoday provides 30 percent faster processing time. 
Industry cash \nsavings, of course here with ACE we are dealing primarily with \nthe trade community.\n    So today ACE provides for monthly interest-free duty \npayments accounting for over 60 percent of all duty and fee \npayments. So that is a savings to the trade industry. Single \nwindow of capability for the ACE partners in trade to come into \nthe system and get all of the services that are provided by the \nunified system. So, those are just a few with ACE.\n    When we look at CIS transformation what we are talking \nabout there is an instantaneous improvement with the ability to \ndo automated benefits approaches. In the sense of the customer, \nthe person asking for adjudication of either benefits or \ncitizenship, it provides an automatic account setup.\n    It provides an ability to take what they input into that \nautomated account setup in terms of their name, date of birth, \nother personal information. That information will flow to other \ntransactions that they might have with CIS in the future, which \nmakes it more customer-friendly. It allows them to look up the \nstatus of their application. It also provides a customer \ninterface that is--has been--the tires have been kicked, it is \nvery user-friendly.\n    CIS has proved the outcome as being positive by actually \ngoing back to the users that have used the new automated system \nand asking them to complete a survey. That survey has indicated \na 94 percent positive response saying that this is much better \nthan what they have had to deal with in the past.\n    Mr. Daines. I am glad to hear there is metrics there. What \nwas the total investment on ACE, roughly?\n    Ms. Graves. I think it is about--hold on just a moment, \nsir, I might have that. If I don't, I will get it back for the \nrecord. But I think it is about $1.2 billion to date----\n    Mr. Daines. With $1.2 billion, are you able to quantify any \nspecific monetary savings for that investment?\n    Ms. Graves. 
I don't have that information readily \navailable. But I can certainly get that back for the record.\n    Mr. Daines. I would appreciate just looking--and I realize \nthat there may be some more qualitative kind of savings versus \nquantitative because you talk about customer satisfaction. But \nI think it is just helpful as we think about the investment \naround what is quantifiable in terms of return, you know from a \ndollar viewpoint. I would appreciate seeing that information.\n    Ms. Graves. Yes, sir.\n    Mr. Daines. Any other positive benefits that you maybe \ncould comment on relating to the adoption of cloud computing, \nor move to that platform?\n    Ms. Graves. I am smiling because this is kind of the \nwheelhouse of the OCIO. So I am very happy to talk about that.\n    We have established at DHS two secure data centers, and we \nare consolidating 42 separate data centers into those. We have \ncompleted 18 at this point. The way that we are doing that is \nwe have adopted a methodology where establishing cloud services \nand particularly platform-as-a-service, software-as-a-service \nwithin those two data centers so that we can migrate our \ncomponents to those. I will give you two recent examples.\n    One, we are in the midst of our enterprise consolidation of \nour email systems and we have moved four of our primary \ncomponents onto that system at this point in time. We have \n109,000 users with approximately another 120 to go. In that \nprocess we have saved--we established a service that is \nessentially $7.00 a mailbox.\n    That has been benchmarked against external companies that \nare providing the same type of service. But in fact, ours is \nenhanced because of the security requirements of DHS. But we \nbenchmarked that against Google and against Microsoft, et \ncetera. 
From the posture that our components had that have \nalready moved in, we have documented the savings and I can \nprovide those to you in, again, in a question for the record.\n    Also we have--I will give you an example of FEMA. We went \nfrom $24 a mailbox down to $7.00. So these are really \nquantifiable savings that we can talk about. We have 12 of \nthese enterprise cloud services, each one of which has its \nstory attached to it.\n    Mr. Daines. Okay. I yield back.\n    Mr. Duncan. Thank you.\n    The Chairman will recognize Mr. Payne, from New Jersey.\n    Mr. Payne. Thank you, Mr. Chairman. Good afternoon.\n    Mr. Powner and Ms. Graves, I represent the 10th District in \nNew Jersey, which encompasses the Port of Newark and Port of \nElizabeth, which makes up the New York-New Jersey port system.\n    So as you know--as you can imagine, I am very concerned \nabout the safety of the port and whether we are doing \neverything we can to make sure that our ports have the most up-\nto-date technologies and IT systems that ensures the CBP, as \nwell as local law enforcement, have the tools to be able to do \ntheir jobs efficiently and effectively to prevent illegal and \ndangerous materials from coming into our country, all the while \nexpediting the flow of commerce.\n    The--a system is being developed with the goal to \nstreamline port entry and for legitimate trade, but also to \nensure our safety and our ports. Could you explain the advances \nin the ACE technology? I know you alluded to some of it this \nmorning, Ms. Graves. Include how these advances will achieve \nthe goal or streamline trade protecting our ports.\n    Ms. Graves. Certainly. The key here is to provide a \nplatform that allows us to operate in the information-sharing \nenvironment. 
It is the whole reason why DHS was warned in the \nfirst place, because the failure to share certain information \nmay have resulted in 9/11.\n    When we look across the landscape of what is being provided \nby ACE, they are pulling information from not only within DHS \nbut also from cargo manifests, from the screening that gets \ndone at the ports themselves. If you are familiar with NIIS, \nwhich is the actual screening for rad/nuclear and other \nexplosive materials, that gets done at each port.\n    All of that information feeds into the commercial \nenvironment, the automated commercial environment. What it \nallows the individual officers to do is truly develop a risk \nprofile. So the more information that they have on individual \ncompanies with the longevity of how they have dealt with them \nin the past and the myriad of information that they have \ncollected on those companies, as trade moves in and out of the \nport they have a profile of individual transactions.\n    That helps them develop that risk-based approach to where \nthey should spend their time, their officers' eyes on the prize \nin terms of that risk-based analysis. It allows them to develop \na set of trusted partners, trusted shippers, and then \nconcentrate on the area where there is not as much information \nor where there may be some derogatory information that would \nyou know be better--time would be better spent there to try to \nprevent anything from happening.\n    Mr. Payne. Okay. Where do the shortfalls in implementing \nACE continue to exist?\n    Ms. Graves. At this point in time we are in a pilot stage \nof doing the first few sprints in the Agile methodology. I \nthink what this will do is it will solve some of the problems \nthat we talked about at the very beginning. 
The ability is to \nbe flexible in terms of the changing requirements.\n    One of the things that I believe got ACE into trouble in \nthe first place was the changing priorities of the trade \norganization, some legislative changes that required that the \nsystem be updated and configured in a different fashion to \nsupport those changing legislative requirements. In this \nmethodology I believe we will be able to address those more \neffectively.\n    Mr. Payne. Okay. Well I will--in the interest of time I \nwill yield back.\n    Mr. Duncan. Thank the gentleman for yielding back.\n    The Chairman will now recognize Mr. O'Rourke from Texas.\n    Mr. O'Rourke. I wanted to follow up on some of the \nquestions asked and comments made about return on investment. I \nknow, Mr. Powner, in your testimony you pointed to arrests made \nand entry denied as return on the investment made in I believe \nthe Century program.\n    What about--and Ms. Graves, you talked about in terms of \nACE getting more efficiencies in crossings--in legitimate \ncrossings. That is the subject I am really interested in, how \nwe increase throughput of legitimate trade, people, and \nprivately-owned vehicles at our crossings. Do you have any \nspecific measures for what these investments turned into?\n    Because we know in El Paso, and I think those of us who are \ninterested in trade in this country understand that the more we \nget through our ports of entry, the more jobs we create here. \nThere is a number that we can ascribe to that return. Can you \ndo that against the investment that you have made in these \ndifferent platforms and softwares and programs and technologies \nthat have been adopted?\n    Ms. Graves. Yes, we do have performance measures that are \nin place for each one of these programs. If they are \nspecifically designed the way you described, I will have to go \nback and look. 
I can certainly do that for the record.\n    But to the point of the streamlining and the reduction in \nthe process time and things of that nature, as--you know as \nworking in the finance arena I believe you could quantify those \nback to dollars. I will check into that.\n    Mr. Powner. If I could add, the discussion about return on \ninvestment, we focus a lot on cost and schedule and stuff. This \nis exactly the right focus that is needed. So if you look at \nthe--we spent--DHS spends $4 billion annually on 68 systems. \nCBP, ICE, and CIS, there is 32 investments about $2 billion. \nOkay, 32 investments, $2 billion; that is a lot of money for 32 \nsystems.\n    I think the key question for DHS is those 32 systems, what \nare we getting in 2013 for a $2 billion investment in those \nthree organizations? Or for these 68 systems that we spent $4 \nbillion on, what are we getting?\n    Mr. O'Rourke. Right.\n    Mr. Powner. Two-thousand thirteen. What did we get last \nyear?\n    So, some of the documentation goes to OMB to justify the \ninvestments. There is some pretty good data in there and some \nmetrics that DHS provides--that I provided in my oral statement \non the US-VISIT application. But I think one of the things is \nDHS moves towards its incremental development. It is great that \nwe are going incremental, but the bottom line is if we are \ngoing to spend $2 billion on 32, what are we getting in 2013, \nwhat is the plan in 2014?\n    Then there is follow up that in fact that functionality was \ndelivered. Very few Federal agencies and departments--we call \nthat like an integrated deployment plan or an integrated \nrelease plan. That would be very valuable for this committee if \nyou had something like that. I think they have it by system. I \ndon't think they have it for the collection of systems.\n    Ms. Graves. Right----\n    Mr. O'Rourke. Yes. I was also looking at the numbers \nrelated to ELIS or E-L-I-S. 
The over $700 million spent and \nprocessed through that system I think 16,000 applicants, and \nrealized it is not fully implemented yet, but that you know \nobviously should concern all of us. I am glad that the Ranking \nMember mentioned SBInet and some of the boondoggles that DHS \nhas been involved in, in the past.\n    So, my question for the inspector general, or GAO, for Ms. \nGraves, is--when do you know when it is time to pull the plug \non something and when you are not achieving that return that \nwarrants additional money spent, especially in a time of tight \nbudgets? Especially when we can't get enough CBP officers \nmanning our ports of entry in El Paso?\n    Mr. Edwards. Well, basically it is the triple constraint. \nIf you have the scope and schedule and cost, and if the scope \ndeviates, naturally the cost and the schedule is going to \ndeviate.\n    What DHS in the past has been doing was this big-bang \napproach, and not having a complete cost for the--lifetime \ncosts for the systems in place. But in the last few years, with \nRafael Borras now, the Secretary and Deputy Lute, they have not \nlooked at IT just as IT, but looked--have a holistic approach.\n    The IT piece and the acquisition; they want to create a \ngroup program called Accountability and Risk Management. Every \nIT requisition or request needs to go through this review \nboard. They need to come prepared with the entire life-cycle \ncost of what it takes, and did they really meet that or not.\n    So they have a good process in place. It is going to take \nsome time for them to get where they need to be.\n    Mr. O'Rourke. I yield back.\n    Mr. Duncan. Thank you.\n    Thank you. Unfortunately we do have another vote series, \nabout 10 minutes left on the clock.\n    So, Mr. 
Edwards, I thought you were going to get through \nthe whole hearing without having to answer a question, but you \ngot in there at the end.\n    So I want to thank the witnesses for your valuable \ntestimony, and the Members for their questions today. It is a \nlearning process for this committee on how IT is being \nintegrated for the Department. We want to see some successes \nthere because it is very important to the safety and security \nof this Nation.\n    Mr. Daines asked some questions that weren't answered. So \nif you could provide those in writing. The Members of the \ncommittee may have additional questions for the witnesses, and \nwe will ask you to respond to these questions in writing.\n    Without objection, the committee will be adjourned. Thank \nyou.\n    [Whereupon, at 3:53 p.m., the subcommittee was adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n       Questions From Chairman Jeff Duncan for Margaret H. Graves\n    Question 1. What additional authorities could help the DHS CIO \nensure border security and immigration IT programs are delivered on \ntime, on budget, and meet/exceed capabilities?\n    Answer. Response was not received at the time of publication.\n    Question 2. What steps has DHS taken to ensure that legacy border \nand immigration IT systems can effectively share data and ``speak to \none another''? What concerns, if any, do you have on information \nsharing between legacy systems and how might these concerns impact \nborder and immigration officers in the field?\n    Answer. Response was not received at the time of publication.\n    Question 3. CBP's Northern Border Remote Video Surveillance System \nwas delayed by 2 months. How did this affect our security along the \nNorthern Border? What is the current status of the program?\n    Answer. Response was not received at the time of publication.\n    Question 4. 
The DRO Modernization effort is supposed to make \ndetention and removal more efficient. What does this mean in plain \nEnglish? Should the American people be prepared for a higher number of \ndetainee releases once this effort is completed in the future?\n    Answer. Response was not received at the time of publication.\n    Question 5. What is the status of IT efforts associated with the \nSecure Communities program? What have been the key IT challenges as the \nprogram has been deployed across the Nation? Are State and local \ninfrastructures capable of properly supporting the program?\n    Answer. Response was not received at the time of publication.\n     Question From Honorable Richard Hudson for Margaret H. Graves\n    Question. We frequently read about the inability of newly-deployed \nsystems to communicate with one another and their predecessors once \ndeployed. What is DHS doing to ensure that systems like TECS, a system \nof records that include temporary and permanent enforcement, \ninspection, and operational records relevant to the antiterrorism and \nlaw enforcement mission of numerous Federal agencies, will be able to \ninterface with the existing systems at DHS as well as other Federal, \nState, and local agencies?\n    Answer. Response was not received at the time of publication.\n      Question From Honorable Beto O'Rourke for Margaret H. Graves\n    Question. Although we recognize that RFID requirements for \npassports involves addressing globally-accepted standards, I understand \nthat Ready Lanes used at our ports of entry to increase inspection \nefficiencies cannot use readers to scan RFID-enabled passports. 
The \npassport card, the laser visa/border crossing card, and the permanent \nresident card, however, all can be scanned at our ports of entry.\n    What is being done to better coordinate technology acquisition when \nused across multiple agency platforms?\n    How do we best address these inefficiencies?\n    How is CBP educating the public on the benefits of a U.S. passport \ncard versus a regular passport book for admissions?\n    Answer. Response was not received at the time of publication.\n        Questions From Chairman Jeff Duncan for David A. Powner\n    Question 1. What grade (A,B,C,D,F) would you give CBP, ICE, and \nUSCIS in their development and implementation of major IT programs \nbased on their ability to meet mission needs, cost, and schedule?\n    How would you rate DHS's performance in delivering IT systems \nagainst other Federal agencies?\n    Answer. Response was not received at the time of publication.\n    Question 2. Do DHS and its components (CBP, ICE, USCIS) have a \nshared vision and strategy for its IT programs?\n    If not, what impact does this have on their success?\n    Answer. Response was not received at the time of publication.\n    Question 3. IT management was highlighted in GAO's recently-issued \n``High-Risk List''. According to GAO, the Department still has only \npartially addressed 4 of 6 IT management outcomes. Is DHS heading in \nthe right direction to fix these deficiencies?\n    Why hasn't more progress been made on these outcomes?\n    Answer. Response was not received at the time of publication.\n       Question From Honorable Richard Hudson for David A. Powner\n    Question. We frequently read about the inability of newly-deployed \nsystems to communicate with one another and their predecessors once \ndeployed. 
What is DHS doing to ensure that systems like TECS, a system \nof records that include temporary and permanent enforcement, \ninspection, and operational records relevant to the antiterrorism and \nlaw enforcement mission of numerous Federal agencies, will be able to \ninterface with the existing systems at DHS as well as other Federal, \nState, and local agencies?\n    Answer. Response was not received at the time of publication.\n       Questions From Chairman Jeff Duncan for Charles K. Edwards\n    Question 1. What grade (A,B,C,D,F) would you give CBP, ICE, and \nUSCIS in their development and implementation of major IT programs \nbased on their ability to meet mission needs, cost, and schedule?\n    How would you rate DHS's performance in delivering IT systems \nagainst other Federal agencies?\n    Answer. Response was not received at the time of publication.\n    Question 2. What steps does DHS need to take to ensure IT programs \nsupporting our border agents and immigration officers are efficient and \neffective moving forward?\n    Answer. Response was not received at the time of publication.\n\n                                 <all>\n</pre></body></html>\n"