b"<html>\n<title> - PREVENTING WASTE, FRAUD, ABUSE, AND MISMANAGEMENT IN HOMELAND SECURITY--A GAO HIGH-RISK LIST REVIEW</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n                  PREVENTING WASTE, FRAUD, ABUSE, AND \n    MISMANAGEMENT IN HOMELAND SECURITY--A GAO HIGH-RISK LIST REVIEW\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              MAY 7, 2014\n\n                               __________\n\n                           Serial No. 113-67\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n                               __________\n\n                         U.S. GOVERNMENT PRINTING OFFICE \n\n89-762 PDF                     WASHINGTON : 2014 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Printing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800 \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n\n\n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Michael T. McCaul, Texas, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nPeter T. King, New York              Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nPaul C. Broun, Georgia               Yvette D. Clarke, New York\nCandice S. Miller, Michigan, Vice    Brian Higgins, New York\n    Chair                            Cedric L. Richmond, Louisiana\nPatrick Meehan, Pennsylvania         William R. Keating, Massachusetts\nJeff Duncan, South Carolina          Ron Barber, Arizona\nTom Marino, Pennsylvania             Dondald M. Payne, Jr., New Jersey\nJason Chaffetz, Utah                 Beto O'Rourke, Texas\nSteven M. Palazzo, Mississippi       Filemon Vela, Texas\nLou Barletta, Pennsylvania           Eric Swalwell, California\nRichard Hudson, North Carolina       Vacancy\nSteve Daines, Montana                Vacancy\nSusan W. Brooks, Indiana\nScott Perry, Pennsylvania\nMark Sanford, South Carolina\nVacancy\n                   Brendan P. Shields, Staff Director\n          Michael Geffroy, Deputy Staff Director/Chief Counsel\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Michael T. McCaul, a Representative in Congress \n  From the State of Texas, and Chairman, Committee on Homeland \n  Security:\n  Oral Statement.................................................     1\n  Prepared Statement.............................................     2\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Ranking Member, Committee on \n  Homeland Security:\n  Oral Statement.................................................     3\n  Prepared Statement.............................................     4\n\n                               Witnesses\n\nMr. Alejandro N. Mayorkas, Deputy Secretary, U.S. Department of \n  Homeland Security:\n  Oral Statement.................................................     6\n  Prepared Statement.............................................     6\nMr. Gene L. Dodaro, Comptroller General of the United States, \n  Government Accountability Office:\n  Oral Statement.................................................    13\n  Prepared Statement.............................................    14\nMr. John Roth, Inspector General, U.S. Department of Homeland \n  Security:\n  Oral Statement.................................................    28\n  Prepared Statement.............................................    29\n\n                                Appendix\n\nQuestions From Chairman Michael T. McCaul for Alejandro N. \n  Mayorkas.......................................................    55\nQuestion From Honorable Patrick Meehan for Alejandro N. Mayorkas.    58\nQuestions From Honorable Tom Marino for Alejandro N. Mayorkas....    59\nQuestion From Chairman Michael T. McCaul and Ranking Member \n  Bennie G. Thompson for Gene L. Dodaro..........................    61\nQuestion From Honorable Yvette D. Clarke for Gene L. Dodaro......    62\nQuestion From Chairman Michael T. McCaul for Gene L. Dodaro......    62\nQuestion From Honorable Jeff Duncan for Gene L. Dodaro...........    63\nQuestion From Honorable Tom Marino for Gene L. Dodaro............    65\nQuestions From Chairman Michael T. McCaul for John Roth..........    65\nQuestion From Honorable Jeff Duncan for John Roth................    67\n\n \n     PREVENTING WASTE, FRAUD, ABUSE, AND MISMANAGEMENT IN HOMELAND \n                 SECURITY--A GAO HIGH-RISK LIST REVIEW\n\n                              ----------                              \n\n\n                         Wednesday, May 7, 2014\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n                                                    Washington, DC.\n    The committee met, pursuant to call, at 10:09 a.m., in Room \n311, Cannon House Office Building, Hon. Michael T. McCaul \n[Chairman of the committee] presiding.\n    Present: Representatives McCaul, Broun, Duncan, Hudson, \nSanford, Thompson, Clarke, Richmond, Payne, and O'Rourke.\n    Chairman McCaul. Committee on Homeland Security will come \nto order. Committee is meeting today to examine testimony \nregarding the prevention of waste, fraud, abuse, and \nmismanagement at the Department of Homeland Security. I \nrecognize myself for an opening statement.\n    While the Department of Homeland Security's mission is \ncritical, it is also critical that it keeps its finances in \ncheck because in order to protect the homeland we must maximize \nevery dollar spent. Almost as soon as the Department's \ncreation, the Government Accountability Office placed some of \nDHS's programs on its high-risk list, and today many remain.\n    This list is developed every 2 years by watchdogs at GAO to \nidentify areas in the Federal Government that are high-risk to \nfraud, waste, abuse, and mismanagement, or are in the most need \nof broad reform. It is intended to draw attention to these \nareas to force agency leaders to improve.\n    Unfortunately some of the programs identified include some \nof the Department's core functions such as acquisitions, \nmanagement, financial management, information technology, human \ncapital and management integration, as well as multi-agency \nchallenges such as information sharing and cybersecurity.\n    While the Department has devoted time to addressing GAO's \nhigh-risk areas, these reports continue to show examples of \nprograms ignoring best practices and putting taxpayer dollars \nat risk.\n    Recent GAO findings have identified challenges with the \nArizona Border Surveillance Technology Plan, TSA body scanners, \nmodernization of key border enforcement system known as TECS, \nand the Department's acquisition funding plans.\n    All levels of DHS must be fully committed to make the \nDepartment more efficient and effective. To this end, this \ncommittee has taken action to address specific issues \nhighlighted in GAO's high-risk report.\n    H.R. 3696, the National Cybersecurity and Critical \nInfrastructure Protection Act, and H.R. 4228, the DHS \nAcquisition Accountability and Efficiency Act both passed out \nof this committee unanimously and are important pieces of \nlegislation to increase our Nation's cybersecurity and improve \nthe Department's management of its acquisition programs.\n    Additionally, our recent bipartisan report on the Boston \nbombings highlighted the need for improved information sharing, \nwhich addresses another high-risk item.\n    Finally, while I am encouraged by the steps taken by DHS in \nrecent years to address these issues, including achieving a \nclean audit opinion in 2013, there is clearly much more work to \nbe done. In the short time since they have assumed their new \npositions, Secretary Johnson and Deputy Secretary Mayorkas have \nboth already endeavored to fix the management problems at DHS. \nToday I look forward to hearing from them on their plans to \nimprove the Department.\n    However, assurances from the top and putting plans in place \nonly go so far. It will take time and follow-up and continued \noversight to ensure improved outcomes are sustained over \nmultiple years. To that end I look forward to Comptroller \nGeneral Dodaro and recently-confirmed DHS Inspector General \nRoth's testimony today. Their recommendations to make DHS a \nmore effective and efficient organization are essential to \nmaking Americans safer.\n    Ultimately every dollar wasted on mismanagement is one less \nthat can go to the men and women protecting our borders, \ntargeting terrorists, securing our airports, and patrolling our \nshores. That is why this hearing and DHS's commitment to \ngetting its house in order is so important.\n    [The statement of Chairman McCaul follows:]\n                Statement of Chairman Michael T. McCaul\n                              May 7, 2014\n    While the Department of Homeland Security's mission is critical, it \nis also critical that it keeps its finances in check, because in order \nto protect the homeland we must maximize every dollar spent.\n    Almost as soon as the Department's creation, the Government \nAccountability Office (GAO) placed some of DHS's programs on its \n``High-Risk List,'' and today, many remain. This list is developed \nevery 2 years by the watchdogs at GAO to identify areas in the Federal \nGovernment that are at high risk to fraud, waste, abuse, and \nmismanagement or are in most need of broad reform, and it is intended \nto draw attention to these areas to force agency leaders to improve.\n    Unfortunately, some of the programs identified include some of the \nDepartment's core functions such as acquisition management, financial \nmanagement, information technology, human capital, and management \nintegration, as well as, multi-agency challenges such as information \nsharing and cybersecurity.\n    While the Department has devoted time to addressing GAO's High-Risk \nareas, these reports continue to show examples of programs ignoring \nbest practices and putting taxpayer dollars at risk. Recent GAO \nfindings have identified challenges with the Arizona Border \nSurveillance Technology Plan, TSA body scanners, modernization of a key \nborder enforcement system known as TECS, and the Department's \nacquisition funding plans. All levels of DHS must be fully committed to \nmaking the Department more efficient and effective.\n    To this end, this committee has taken action to address specific \nissues highlighted in GAO's High-Risk report. H.R. 3696, the National \nCybersecurity and Critical Infrastructure Protection Act, and H.R. \n4228, the DHS Acquisition Accountability and Efficiency Act--both \npassed out of this committee unanimously--are important pieces of \nlegislation to increase our Nation's cybersecurity and improve the \nDepartment's management of its acquisition programs. Additionally, our \nrecent bipartisan report on the Boston bombings highlighted the need \nfor improved information sharing, which addresses another High-Risk \nitem.\n    Finally, while I am encouraged by the steps DHS has taken in recent \nyears to address these issues including achieving a clean audit opinion \nin 2013, there is clearly much more work to be done. In the short time \nsince they've assumed their new positions, Secretary Johnson and Deputy \nSecretary Mayorkas have both already endeavored to fix the management \nproblems at DHS, and today I look forward to hearing more from them on \nhis plan for improving the Department. However, assurances from the top \nand putting plans in place only go so far. It will take time and \nfollow-up and continued oversight to ensure improved outcomes are \nsustained over multiple years.\n    To that end, I look forward to Comptroller General Dodaro and \nrecently confirmed DHS Inspector General Roth's testimony today. Their \nrecommendations to make DHS a more effective and efficient organization \nare essential to making Americans safer. Ultimately, every dollar \nwasted on mismanagement is one less that can go to the men and women \nprotecting our borders, targeting terrorists, securing our airports, \nand patrolling our shores. That's why this hearing, and DHS' commitment \nto getting its house in order, is so important.\n\n    Chairman McCaul. With that the Chairman now recognizes the \nRanking Member, Mr. Thompson.\n    Mr. Thompson. Thank you, Mr. Chairman. I thank you for \nholding today's hearing. I also want to thank the comptroller \ngeneral, deputy secretary, and inspector general for their \ntestimonies today.\n    Today's hearing is to examine the Department of Homeland \nSecurity's management functions deemed high-risk by the \nGovernment Accountability Office, and the steps that the \nDepartment is taking to improve in these areas. At the \nbeginning of each Congress the GAO releases its high-risk \nupdate, which focuses on agencies and programs that are \nvulnerable to waste, fraud, and abuse.\n    Understandably when the Department was formed in 2003 it \nwas placed on the high-risk list because of the challenges \nassociated on transforming 22 legacy agencies into one new \nFederal department. It was also put on the high-risk list \nbecause its failures to effectively do so could present \nNational security risks.\n    Unfortunately, more than a decade after its inception the \nDepartment remains on the high-risk list. One reason is that \nthe Department has struggled to integrate its management \nfunctions across all components. These integration challenges \npresent diverse operational and management problems at the \nDepartment at all levels.\n    There has been general acceptance of the One DHS concept \nadvanced by the last Secretary of Homeland Security. But what \nis needed at this pivotal moment is a leader who will animate \nthat slogan and put structures and procedures in place to fully \nintegrate the Department.\n    Secretary Johnson may well be that leader, but any reforms \nwill be at the mercy of an entrenched and unhappy workforce and \nthe clock. I look forward to working with Secretary Johnson to \nbring about needed reforms.\n    For the first time since its inception, however, the \nDepartment received its first clean audit of all its financial \nstatements for fiscal year 2013. As commendable as this may be, \nwe must not overlook that the independent auditor did find \ncontinued weaknesses in the Department's financial controls.\n    Another challenging area for the Department is its IT \nacquisitions and management. Over the years the Department has \nhad varying success acquiring and implementing information \ntechnology systems. Some systems have performed as promised, \nwhile others have failed to deliver capabilities and mission \nbenefit.\n    There is a need for the Department to strengthen its \ninternal IT governance. GAO has noted that the Department has \nmore work to do to fully address its IT management challenges \nsuch as finalizing policies and procedures associated with its \nnew governance structure.\n    Finally, the Department spends approximately a quarter of \nits annual budget procuring goods and services in support of \nits homeland security missions. Yet since its inception, \nmanaging acquisitions has been a significant challenge for the \nDepartment.\n    The management framework put in place by the prior DHS \nleadership has the potential for improving DHS acquisition \nmanagement in significant ways. That is why I am pleased that \nthis committee was able to come together in a bipartisan \nfashion last week and pass H.R. 4228, the DHS Acquisition \nAccountability and Efficiency Act, which seeks to codify what \nhas been deemed by the comptroller general and other watchdogs \nas successful, and seeks to close other gaps that exist.\n    Mr. Chairman, I look forward to more ways that this \ncommittee can work to help advance the Department and help it \nachieve the goals of being fully integrated with clean \nfinancial audits and internal management and oversight controls \nin its information technology and acquisition departments.\n    Given the pivotal role the Department has in protecting and \npreparing America, management challenges become a distraction \nand have grave consequences for our National security. Hence, \nit is my hope that the Department can continue to progress, and \nwe can see a date when it is not a part of the GAO high-risk \nlist.\n    With that, Mr. Chairman, I yield back. Thank you.\n    [The statement of Ranking Member Thompson follows:]\n             Statement of Ranking Member Bennie G. Thompson\n                              May 7, 2014\n    Today's hearing is to examine the Department of Homeland Security's \nmanagement functions deemed high-risk by the Government Accountability \nOffice and the steps that the Department is taking to improve in these \nareas.\n    At the beginning of each Congress, the GAO releases its ``High-Risk \nUpdate'' which focuses on agencies and programs that are vulnerable to \nwaste, fraud, and abuse. Understandably, when the Department was formed \nin 2003, it was placed on the ``high-risk list'' because of the \nchallenges associated with transforming 22 legacy agencies into one new \nFederal Department. It was also put on the ``high-risk list'' because \nits failure to effectively do so could present National security risks.\n    Unfortunately, more than a decade after its inception, the \nDepartment remains on the ``high-risk list.'' One reason is that the \nDepartment has struggled to integrate its management functions across \nall the components. These integration challenges present diverse \noperational and management problems at the Department at all levels.\n    There has been general acceptance of the ``One DHS'' concept \nadvanced by the last Secretary of Homeland Security but what is needed \nat this pivotal moment is a leader who will animate that slogan and put \nstructures and procedures in place to fully integrate the Department. \nSecretary Johnson may well be that leader but any reforms will be at \nthe mercy of an entrenched and unhappy workforce and the clock. I look \nforward to working with Deputy Secretary Mayorkas and Secretary Johnson \nto bring about needed reforms.\n    For the first time since its inception, the Department received its \nfirst clean audit on all its financial statements for fiscal year 2013. \nAs commendable as this may be, we must not overlook that the \nindependent auditor did find continued weakness in the Department's \nfinancial controls.\n    Another challenging area for the Department is IT acquisitions and \nmanagement. Over the years, the Department has had varying success \nacquiring and implementing information technology systems; some systems \nhave performed as promised while others have failed to deliver \ncapabilities and mission benefits. There is a need for the Department \nto strengthen its internal IT governance. GAO has noted that the \nDepartment has more work to do to fully address its IT management \nchallenges such as finalizing policies and procedures associated with \nits new governance structure.\n    Finally, the Department spends approximately a quarter of its \nannual budget procuring goods and services in support of its homeland \nsecurity missions. Yet, since its inception, managing acquisitions has \nbeen a significant challenge for the Department.\n    The management framework put in place by the Obama administration \nhas the potential for improving DHS acquisitions management in \nsignificant ways. That is why I am pleased that this committee was able \nto come together in a bipartisan fashion last week and passed H.R. \n4228, the ``DHS Acquisition Accountability and Efficiency Act,'' which \nseeks to codify what has been deemed by the Comptroller General and \nother watchdogs as successful and seeks to close other gaps that exist.\n    I look forward to more ways that this committee can work to help \nadvance the Department and help it achieve the goals of being fully \nintegrated, with clean financial audits, and internal management and \noversight controls in its information technology and acquisitions \ndepartments.\n    Given the pivotal role the Department has in protecting and \npreparing America, management challenges become a distraction and have \ngrave consequences for our National security. Hence, it is my hope that \nthe Department can continue to progress and we can see a day when it is \nnot a part of the GAO High-Risk list.\n\n    Chairman McCaul. I thank the Ranking Member. Other Members \nI remind they may submit an opening statement for the record.\n    We are pleased to have here today a distinguished panel of \nwitnesses; first, the Honorable Alejandro Mayorkas, who was \nsworn in as deputy secretary of the Department of Homeland \nSecurity in December 2013.\n    Prior to his appointment he served as director of the \nDepartment's United States Citizenship and Immigration \nServices. He led a workforce of 18,000 employees throughout \nmore than 250 offices world-wide rector of the Department's \nUnited States Citizenship and Immigration Services.\n    Before joining DHS Mr. Mayorkas was a partner at a law \nfirm. In 1998 he was appointed as the United States Attorney \nfor the Central District of California.\n    Thanks for being here today.\n    Next we have the Honorable Gene Dodaro, who became the \neighth comptroller general of the United States, and head of \nthe United States Government Accountability Office.\n    In December 2010, after serving in the capacity of \n``acting'' since March 2008 as comptroller general he has \nhelped oversee the development and issuance of hundreds of \nreports and testimonies each year to various committees and \nindividual Members of Congress. These and other GAO products \nhave led to hearings and legislation, billions of dollars in \ntaxpayer savings, and improvements to a wide range of \nGovernment programs and services.\n    Then last but not least, the Honorable John Roth. Let me \nmention it is Mr. Dodaro's birthday today, and we wish you a \nhappy birthday, as well.\n    Then last, Mr. John Roth, who assumed the post of inspector \ngeneral for the Department of Homeland Security in March 2014. \nPreviously he served as director of the Office of Criminal \nInvestigations at the Food and Drug Administration. Prior to \nthat, he had a long and distinguished record and career with \nthe Department of Justice beginning in 1987 as Assistant U.S. \nAttorney for the Eastern District of Michigan.\n    It is great to see so many brethren DOJ on this panel. \nTheir full written statements will appear on the record. The \nChairman now recognizes Deputy Secretary Mayorkas for 5 \nminutes.\n\n  STATEMENT OF ALEJANDRO N. MAYORKAS, DEPUTY SECRETARY, U.S. \n                DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Mayorkas. Thank you very much, Mr. Chairman. Mr. \nChairman and distinguished Members of this committee. I very \nmuch appreciate the opportunity to testify before you today. I \nfeel privileged to appear before you as the deputy secretary of \nHomeland Security.\n    I pledged to this committee an open, transparent, and fully \ncooperative Department. We deeply appreciate the work of this \ncommittee and have profound respect for it. Strong oversight \ndrives good Government, and we recognize and appreciate that.\n    I also want to thank my fellow witnesses before you today, \nMr. Dodaro and Mr. Roth, for the work that they perform and \nthat their teams perform. We share a common goal of making the \nDepartment everything that it should be.\n    Mr. Chairman, Ranking Member Thompson, and distinguished \nMembers, I submitted to this committee written testimony, and I \nwill not repeat it now.\n    I do want to underscore one overriding fact, and that is my \nimmense pride in working alongside the men and women of the \nDepartment of Homeland Security. Those incredibly dedicated \nindividuals deserve a Department and deserve management \nfunctions and processes and institutions that bring out the \nbest in them and enable them to do their jobs at the highest \nlevels of excellence to which they aspire.\n    With that I look forward to the opportunity to answer \nwhatever questions you might have. Thank you.\n    [The prepared statement of Mr. Mayorkas follows:]\n              Prepared Statement of Alejandro N. Mayorkas\n                              May 7, 2014\n    Chairman McCaul, Ranking Member Thompson, and distinguished Members \nof the committee, thank you for the opportunity to appear before you as \nthe deputy secretary of Homeland Security to testify on the subject of \nmanagement at this important hearing entitled ``Preventing Waste, \nFraud, Abuse and Mismanagement in Homeland Security--a GAO High-Risk \nList Review.'' I, along with Secretary Johnson, appreciate and welcome \nthe committee's continued focus on this subject and for the oversight \nyou exercise. It is my firmly-held belief that good oversight not only \ndelivers accountability critical to good government, but that it also \ndrives innovation. Thank you, and thank you to the members of your \nstaff.\n    I also wish to express my gratitude to the U.S. Government \nAccountability Office (GAO). Under Comptroller General Gene Dodaro's \nleadership, GAO has spent considerable time and energy providing our \nDepartment with its valued, independent assessment of our work in areas \ncritical to the effective management of our resources and execution of \nour responsibilities. GAO has issued recommendations to our Department \nthat, collectively, help provide a blueprint for success. It is in \nresponse to GAO's independent reviews and recommendations that in \nJanuary 2011 our Department issued the first Integrated Strategy for \nHigh Risk Management, an operational framework to address GAO's \nrecommendations. Since we issued the Integrated Strategy, we have \nupdated it twice yearly to document the progress our Department has \nmade in addressing GAO's recommendations. It pleases me to note that we \nhave come far in the last 5 years; today the Department eagerly engages \nwith GAO about outstanding recommendations. We seek out GAO.\n    Like the responsibility of the GAO to provide its independent \nassessment of the Department's execution of responsibilities, it is the \nduty of the Office of the Inspector General to deliver its own \nindependent and high-quality review of Departmental functions. I am \ngrateful to testify before you today alongside the Department's new \ninspector general, John Roth. I look forward to supporting the work of \nInspector General Roth and to ensuring the Department's transparency \nand full cooperation as he and I work to improve and strengthen the \nDepartment in our respective roles.\n    When I became the deputy secretary of DHS in late December 2013, \nthe first action I took was to schedule a meeting with Comptroller \nGeneral Dodaro. In our meeting I had the opportunity to also meet \nGeorge Scott, the managing director of GAO's Homeland Security and \nJustice team. Mr. Scott and I have met on several occasions since then, \nand he and his team are outstanding in their commitment to improving \nour Department. With Mr. Scott's and his team's independent efforts, \nwith the oversight of GAO and that of this committee, DHS will mature \nand improve.\n    The number of open GAO recommendations to DHS has decreased \nsteadily and, significantly, in GAO's latest High-Risk List update it \nnarrowed the subject from ``Implementing and Transforming DHS'' to \n``Strengthening DHS Management Functions.'' Additionally noteworthy is \nthe fact that GAO stated in that update that our Department's \nIntegrated Strategy, ``if implemented and sustained, provides a path \nfor DHS to be removed from GAO's High-Risk List.'' DHS has made \nsignificant progress.\n    At the same time, DHS has additional work to do. Since I became the \ndeputy secretary I have invested considerable time in working with GAO \nand with my very talented and dedicated DHS colleagues to ensure that \nthis additional work is done as effectively and swiftly as possible. \nEarlier this year, we developed specific action plans to address the 30 \nkey outcomes GAO identified in the areas of management integration, \nhuman capital, information technology, financial management, and \nacquisitions. Our action plans now provide month-to-month goals that \nprovide a better road map to success. Our development of these action \nplans provided us with the opportunity to freshly review our previous \nefforts and, in certain critical areas, to accelerate our time tables \nmaterially.\n   strengthening department of homeland security management functions\n    Before discussing the work that DHS has undertaken to make progress \non key GAO High-Risk List areas, I wish to highlight the actions we \nhave recently taken that speak to our Departmental commitment to sound \nmanagement practices. On April 22, 2014, the Secretary sent a \nmemorandum to Department leadership entitled, ``Strengthening \nDepartmental Unity of Effort.'' The purpose of this effort is to \ncapitalize on the many strengths of the Department, starting with the \nprofessionalism, skill, and dedication of its people and the rich \nhistory and tradition of its components, while identifying ways to \nenhance the cohesion of the Department as a whole. The Secretary's \nguidance is targeted at improvements to four main lines of effort: \nInclusive senior leader discussion and decision-making forums that \nprovide an environment of trust and transparency; strengthened \nfundamental and critical management processes for investment (including \nrequirements, budget, and acquisition processes) that look at cross-\ncutting issues across the Department; focused, collaborative \nDepartmental strategy, planning, and analytic capability that support \nmore effective DHS-wide decision-making and operations; and, enhanced \ncoordinated operations to harness the significant resources of the \nDepartment more effectively. Many of the elements of this effort are \ndescribed below, as they cut across the several management areas \ndiscussed in GAO's High-Risk List.\n    GAO's High-Risk List focus on ``Strengthening DHS Management \nFunctions'' identified the need to achieve progress in key management \nareas, including human capital management, financial management, \nacquisitions, information technology, and management integration. The \nDepartment's Integrated Strategy for High-Risk Management provides the \nframework for our efforts to address GAO's recommendations and \nintegrate and strengthen our management infrastructure across the \nDepartment; our monthly action plans help ensure that we have goals and \ntime lines to help us deliver success in timely fashion. I would like \nto share with you our efforts in each key area of focus.\nHuman Capital Management\n    The Department of Homeland Security's greatest asset is its \ndedicated and talented workforce. GAO has identified areas in which the \nDepartment must mature its human capital systems to ensure that its \nworkforce is properly equipped and supported to achieve the \nDepartment's challenging missions. The Department, in turn, has \naccelerated time lines in its monthly action plans to achieve success \nin this critical area.\n    The low employee morale in several parts of the Department is an \narea of particular focus. Under the direction of Secretary Johnson, I \nam taking a series of steps to address the root causes of the low \nmorale and to deliver for the workforce the Department it deserves. I \nhave formed a steering committee comprised of personnel from each of \nthe Department's component agencies and from Department headquarters to \nfocus on, among other things, the following areas that the workforce \nhas identified in the Federal Employee Viewpoint Survey and in other \nfeedback vehicles as ones in which the Department can improve:\n  <bullet> The hiring and promotion process. DHS employees have \n        expressed concerns that the hiring and promotion process is \n        sometimes opaque. The Department can build greater employee \n        confidence in the process through greater transparency and \n        communication and by setting clear hiring and promotion \n        standards.\n  <bullet> Training and professional development. DHS employees have \n        expressed a desire for enhanced training opportunities to \n        ensure they are equipped to perform their jobs at the highest \n        levels of excellence. They also have sought professional \n        development opportunities that will enable them to achieve the \n        promotions or new opportunities to which they aspire.\n  <bullet> Rewards and recognition. DHS employees perform extraordinary \n        acts of patriotism and courage each and every day throughout \n        the Nation and the world. They deserve to be recognized, \n        rewarded, and championed for their achievements. The Department \n        is reintroducing the Secretary's annual awards to recognize \n        outstanding individual and team achievements from across the \n        Department. In addition, the Department will institutionalize \n        the practice of regularly championing its workforce and \n        rewarding them when appropriate.\n  <bullet> Performance management. Performance management is a critical \n        tool in promoting priorities and values and driving \n        accountability. The steering committee will focus on ensuring \n        that each component and office in the Department has a \n        performance management system that reflects the appropriate \n        measures of success and drives each employee to achieve that \n        success.\nFinancial Management\n    In fiscal year 2013, DHS achieved an historic unqualified clean \naudit opinion of all five financial statements, a confirmation of DHS's \non-going commitment to sound financial management practices. This \nbenchmark represented a huge accomplishment for the many DHS employees \nwho work every day to increase transparency and accountability for the \ntaxpayer resources entrusted to the Department. Americans have the \nright to expect that we will be responsible stewards of every homeland \nsecurity dollar with which we are entrusted.\n    The Department expects to sustain this progress and receive its \nsecond clean audit opinion for fiscal year 2014. In the past 4 years, \nDHS has also eliminated 10 audit qualifications, reduced Department-\nwide material weaknesses in internal controls over financial reporting \nfrom 10 to 4, and significantly reduced the number of component \nconditions contributing to material weaknesses from 25 to 2. The \nDepartment is executing a multi-year plan to achieve an unqualified \nclean opinion for internal control of financial reporting by fiscal \nyear 2016.\n    Financial system modernization is a priority area for the \nDepartment. DHS is executing specific modernization efforts in order to \nmeet the Department's mission while minimizing and eliminating spending \nin duplicative systems. The current strategy conforms to guidance from \nthe Office of Management and Budget to use shared services where \npossible and to split modernization projects into smaller, simpler \nsegments with clear deliverables. One of our challenges in the shared \nservices domain is that no one Federal agency has sufficient capacity \nto house all of the Department's financial management data. As a \nresult, we are evaluating the capabilities of the Federal agencies who \noffer shared services arrangements. The DHS Chief Financial Officer has \nestablished enterprise-wide standards for each component to follow and \nhas prioritized a deployment strategy based on those components with \nthe highest business needs.\nAcquisitions Management\n    The strategic decisions of the Department's senior leadership are \nonly as good as the processes that support and give effect to those \ndecisions in investments and in the conduct of operations. \nHistorically, DHS has generally developed and executed component-\ncentric requirements, which has resulted in inefficient use of limited \nresources. Much work has been done to date in the areas of joint \nrequirements analysis, program and budget review, and acquisition \noversight, including an effort over the past 4 years by the DHS \nManagement Directorate to improve the Department's overall acquisitions \nprocess and reform even the earliest phase of the investment life cycle \nwhere requirements are first conceived and developed. The Secretary's \nApril 22, 2014 memorandum on ``Strengthening Departmental Unity of \nEffort'' focuses and reinforces existing structures and creates new \ncapability, where needed, as identified in the recent Integrated \nInvestment Life Cycle Management (IILCM) pilot study and other process \nanalyses that examined the linkages between these inter-related \nplanning processes and operations. These analyses underscored the need \nto further strengthen all elements of the process, particularly the up-\nfront development of strategy, planning, and joint requirements, and to \nensure through collaborative, inclusive senior leadership dialogue and \ndecision that they function in a way that considers DHS-wide missions \nand functions, rather than focusing on those of an individual \ncomponent.\n    As an example, I am leading the Deputies Management Action Group in \nan expedited review to provide strategic alternatives for enhancing the \ncurrent DHS joint requirements process. This review will include \noptions for developing and facilitating a DHS component-driven, joint \nrequirements process, including a program for oversight of a \ndevelopment test and evaluation capability, to identify priority gaps \nand overlaps in Departmental capability needs, provide feasible \ntechnical alternatives to meet capability needs, and recommend to me \nthe creation of joint programs and joint acquisitions to meet \nDepartment-wide mission needs. This enhanced process will be used in \nexpanding the mission portfolios studied in the IILCM pilot, which \nincluded Cybersecurity, Biodefense, and Screening and Vetting, to \ninclude Border Security and Air Domain.\n    DHS recently announced two important decisions that speak to our \ncommitment to responsible and cost-effective acquisitions. First, DHS \ncancelled the BioWatch acquisition of autonomous detection technology \n(also known as Gen-3). Currently deployed in more than 30 metropolitan \nareas across the country, BioWatch provides public health officials \nwith a warning of a biological agent release before potentially exposed \nindividuals develop symptoms of illness. While autonomous detection is \nan important capability, the Gen-3 acquisition did not reflect the best \nuse of resources in our current fiscal environment. DHS remains \ncommitted to the BioWatch program and will ensure that current BioWatch \noperations continue as part of our layered approach to biodefense. \nSecond, DHS is putting on hold a FEMA Logistics Supply Chain Management \nSystem contract until further review. FEMA's Logistics Supply Chain \nManagement System was developed to provide full disaster supply chain \nmanagement capability and visibility to FEMA and its partners. The \nDepartment has determined that the program has not met all of its \noperational requirements and that it needs to be reviewed in the \ncontext of broader logistical operations. That review is underway, \nwhich will include a third-party evaluation of the most cost-effective \nmanner. These decisions are in line with the Department's focus on \nefficiency, ensuring that we continue to pursue cost-effective \nacquisition without compromising our security. The Secretary and I will \ncontinue to hold our acquisition programs accountable to ensure they \nare responsible and cost-effective.\n    Additionally, the DHS Chief Financial Officer has strengthened and \nenhanced the Department's programming and budgeting process by \nincorporating the results of strategic analysis and joint requirements \nplanning into portfolios for review by issue teams. Using this \napproach, substantive, large-scale alternative choices will be \npresented to the Deputies Management Action Group as part of the annual \nbudget development. This review process will also include the \nDepartment's existing programmatic and budgetary structure, not just \nnew investments. It will include the ability for DHS to project the \nimpact of current decisions on resource issues such as staffing, \ncapital acquisitions, operations and maintenance, and similar issues \nthat impact the Department's future ability to fulfill its mission \nresponsibilities. As its first task, the Deputies Management Action \nGroup will focus this enhanced programming and budgeting process on the \ndevelopment of options for the fiscal year 2016 budget request.\n    In the oversight phase, we will continue to leverage the Component \nAcquisition Executive structure and enhanced business intelligence to \nproactively identify performance problems with existing programs \nthroughout their life cycle. While there is work to be done to sustain \nour progress, we are encouraged by an Office of the Inspector General \nreport that stated that DHS has significantly strengthened our \nacquisition management oversight.\n    We have also made significant progress in strengthening the \ndocument review process. In 2013, the under secretary for management \nissued a decision memorandum stating that no new program can proceed \nwithout the approved acquisition documentation, including life-cycle \ncost estimates, mission needs statements, test and evaluation plans, \nand operational requirements documents.\n    To ensure we have an adequately staffed and trained acquisition \nworkforce, the Department has engaged on multiple fronts to enhance \nacquisition staffing and training. The DHS Acquisition Professional \nCareer Program (APCP) is sponsored by the chief procurement officer and \nprovides a steady pipeline of entry-level contracting and procurement \ntalent to the components. APCP interns are hired into career ladder \npositions and engage in a 3-year program where they receive quality \ntraining and rotate between components to gain valuable on-the-job \ntraining. In fiscal year 2013 alone, 63 interns graduated and have been \nplaced in components. Thus far in fiscal year 2014, an additional 60 \ninterns have been placed.\n    The Department's Homeland Security Acquisition Institute continues \nto serve as the principal training academy for the DHS acquisition \nworkforce. In fiscal year 2013, over 9,400 DHS acquisition \nprofessionals completed classroom or on-line training courses \ncontributing to the issuance of over 3,200 acquisition certifications. \nThus far in fiscal year 2014, an additional 1,300 acquisition \ncertifications have been issued. To date, DHS has issued 10,732 \ncertifications across nine acquisition disciplines, including \nContracting, Program Management, Systems Engineering, Test and \nEvaluation, Cost Estimating, Life Cycle Logistics Management, Program \nFinancial Management, Ordering Official, and Contracting Officer's \nRepresentative.\n    DHS continues to support small businesses around the country. In \nrecognition of its performance, the Department has received an ``A'' \nrating for 5 consecutive years from the Small Business Administration \nin the areas of prime contracting, small business subcontracting, and a \nwritten progress plan.\nInformation Technology Management\n    In the Information Technology (IT) area, DHS has made substantial \nprogress to drive efficiencies through consolidation of data centers. \nTo date, 18 primary data centers have been consolidated, with an \nadditional two consolidations scheduled for completion in fiscal year \n2014. Migrations from commercial data centers resulted in annual cost \nsavings of 43%, and migrations from Federal data centers resulted in an \naverage annual cost savings of 12% for similar capabilities.\n    Recognizing that information technology is constantly improving and \nchanging and that our own IT organization has matured, we are working \nto increase the integration of previously fragmented Departmental \noversight reviews into a defined, efficient governance process that is \ntailored to the size and criticality of each program. This will result \nin improved project tracking and oversight and will also help DHS meet \nour IT-related mission needs.\n    Security of internal IT systems and networks also remains a \npriority. DHS continues to enhance the IT security of the Department's \ninternal systems and networks through periodic upgrades to software. In \naddition, IT staff performs independent validation and verification of \nimplemented corrective actions to address material weaknesses related \nto financial systems security. All components are implementing a \ndesktop image based on the United States Government Configuration \nBaseline (USGCB) settings.\nManagement Integration\n    Management Integration refers to the development and implementation \nof consistent and consolidated processes within and across the \nmanagement functional areas discussed above. From individual \nperformance evaluations to the Department's most costly investment \ndecisions, we have the obligation to operate efficiently and in a \nmanner that best enables us to meet our mission.\n    The Management Integration area has made substantial progress in \nthe past 3 years, reflected by the fact that both DHS and GAO agree \nthat the majority of the outcomes in the Management Integration area \nare fully addressed. DHS has made considerable progress towards \nintegrating management across the enterprise. As an example, we have \nstrengthened the delegations of authority to clarify the roles of and \nenhance oversight between Headquarters and components, and we have \nimplemented the pilot phase of the IILCM to ensure we base investment \ndecisions on closing capability gaps and meeting mission goals and \noutcomes. Based on the lessons learned from the pilot, the Secretary \nhas determined, through the Unity of Effort initiative, to focus \nimmediate attention on further maturing the Strategy and Capabilities & \nRequirements phases.\n    Secretary Johnson and I are committed to integrating all phases of \nour investment life cycle as we prepare for the fiscal year 2016 budget \nsubmission. Advancing the IILCM framework, which is a principal tenet \nof the Department's overall integration strategy, continues to be a \nmajor initiative that builds on the progress we have made. In the near \nfuture, as I referenced above, I will oversee a re-constituted Joint \nRequirements Council as we evaluate fiscal year 2016 resource \nallocation plans and attempt to harmonize and unify requirements across \nthe DHS enterprise.\n    The Secretary and I are capitalizing on these previous efforts and \nbroadening them in our ``Strengthening Departmental Unity of Effort'' \ninitiative. This effort focuses on improving our planning, programming, \nbudgeting, and execution processes through strengthened Departmental \nstructures and increased capability. In making these changes, we will \nhave better traceability between strategic objectives, budgeting, \nacquisition decisions, operational planning, and mission execution to \nimprove Departmental cohesiveness and operational effectiveness.\n    We are in the final stages of evolving our business intelligence \ncapability by consolidating management data systems onto a common \nplatform. This effort allows for more current and integrated data \nacross all lines of business, both at headquarters and into DHS's many \ncomponents.\n                     other dhs high-risk list areas\n    We recognize the critical role that strengthened management \nfunctions have in the Department's ability to achieve success. GAO has \nidentified other areas of Department responsibilities that also play an \nintegral role in our mission delivery and, while these non-management \nareas are not the focus of this hearing, I hope it will be beneficial \nto this committee for me to provide a brief overview of our work in a \nfew of these areas.\nEstablishing Effective Mechanisms for Sharing and Managing Terrorism-\n        Related Information to Protect the Homeland\n    DHS is a key participant in the Federal Information Sharing \nEnvironment and continues to develop policies and technical solutions \nacross Sensitive but Unclassified, Secret, and Top Secret/Sensitive \nCompartmented Information networks that enhance safeguarding and \nsharing of information with a wide variety of Federal, State, local, \nand private-sector stakeholders. In January 2013 and immediately \nfollowing the release of the National Strategy for Information Sharing \nand Safeguarding, the Department issued the DHS Information Sharing and \nSafeguarding Strategy focused on goals to share, safeguard, manage, and \ngovern risk, and measure performance. Through a detailed Implementation \nPlan, the Department has identified key priority objectives with \nsynchronized milestones to effectively execute the Strategy, and has \nprepared an Implementation Guide that defines the processes to identify \ngaps, root causes, performance measures, risks, and resourcing for its \ntop information-sharing and safeguarding initiatives.\nNational Flood Insurance Program\n    The National Flood Insurance Program (NFIP) serves as the \nfoundation for National efforts to reduce the loss of life and property \nfrom flood disasters. NFIP remains on the High-Risk List largely \nbecause it does not generate sufficient revenues to repay the billions \nof dollars borrowed from the U.S. Department of the Treasury to cover \nclaims from the 2005 and 2012 hurricanes or from future catastrophic \nlosses. The lack of sufficient revenues has highlighted structural \nweaknesses in how the program is funded, including statutorily-mandated \nsubsidies.\n    DHS and FEMA have been working with GAO to address the challenges \nidentified in GAO's recommendations to improve management and \noperations. FEMA changed the process for Write Your Own (WYO) company \nperformance under the WYO Financial Control plan, implemented \nprocedures to select statistically representative samples of all claims \nfor conducting claims re-inspections, and requested an independent \naudit of the NFIP's financial statements. FEMA's focus on implementing \nGAO recommendations in areas including Strategic Planning, Management \nand Oversight of the NFIP, and modernizing the NFIP IT system, have \nresulted in the closure of many of GAO's recommendations. We are \nactively engaged on those GAO recommendations that remain open.\n    With the passage of the Biggert-Waters Flood Insurance Act of 2012 \nand the Homeowners Flood Insurance Affordability Act of 2014, the NFIP \nnow has authority to phase in actuarial rates for some policies and \ncharge policyholders a surcharge, which will improve the financial and \noperational position of the program over time; however, as a result, \npolicyholders will not pay actuarial rates. Specifically, these two \nlaws raise the statutory limit on annual rate increases, mandate \npremium increases for certain subsidized policies, establish a reserve \nfund that will allow the NFIP to build surplus capital to pay losses in \na greater-than-average loss year, and mandate a $25 annual surcharge \nfor most policyholders and a $250 annual surcharge for non-residential \nproperties and residential properties that are not a primary residence, \nuntil actuarial rates are reached.\nProtecting the Federal Government's Information Systems and the \n        Nation's Cyber Critical Infrastructures\n    I appreciate GAO's continued engagement on Federal agency \ncybersecurity and the cybersecurity of critical infrastructure. Since \n2009, the Department has managed this area actively, and each \nsubsequent update to the GAO High-Risk List has recognized DHS efforts. \nThe Department works closely with the White House and interagency \npartners to ensure a whole-of-Government approach to cybersecurity. At \nthe same time, DHS is committed to working with Congress as it explores \nlegislative proposals.\n    DHS directly supports Federal civilian departments and agencies in \ndeveloping capabilities that will improve their own cybersecurity \nposture through the Continuous Diagnostics and Mitigation (CDM) \nprogram. One hundred eight departments and agencies are currently \ncovered by Memoranda of Agreement with the CDM program, encompassing \nover 97 percent of all Federal civilian personnel. In fiscal year 2014, \nDHS issued the first delivery order for CDM sensors and awarded a \ncontract for the CDM dashboard.\n    The National Cybersecurity Protection System (NCPS), a key \ncomponent of which is referred to as EINSTEIN, is an integrated \nintrusion detection, analytics, information sharing, and intrusion-\nprevention system designed to support DHS responsibilities for \nprotecting Federal civilian agency networks. These current \ncapabilities, and future capabilities such as CDM, are used by the \nDepartment's National Cybersecurity and Communications Integration \nCenter, in concert with its analysis, warning, and incident response \ncapabilities, to protect Federal civilian agencies and assist them when \nincidents occur. In July 2013, NCPS's EINSTEIN 3 Accelerated (E3A) \nbecame operational and provided services to the first Federal agency. \nWith the adoption of E3A, DHS will assume an active role in defending \n.gov network traffic and significantly reduce the threat vectors \navailable to malicious actors seeking to harm Federal networks. NCPS \ncontinues to expand intrusion prevention, information sharing, and \ncyber analytic capabilities at Federal agencies, marking a critical \nshift from a passive to an active role in cyber defense and the \ndelivery of enterprise cybersecurity services to decision makers across \ncybersecurity communities.\n    With respect to critical infrastructure, the Department continues \nto grow the critical infrastructure Cyber Information Sharing and \nCollaboration Program, which is a unique voluntary environment for \npublic-private information sharing and collaboration. In addition, we \nrecently launched the Critical Infrastructure Cyber Community or C3 \n(``C Cubed'') Voluntary Program to assist critical infrastructure \nowners and operators as they build cybersecurity into their risk \nmanagement approaches. Much work remains to be completed and we are \ncommitted to actively managing this High-Risk area.\n    When I met with Comptroller General Dodaro, we agreed to develop a \nset of detailed criteria that GAO and the Department can use to \nstrengthen the Nation's cybersecurity and critical infrastructure \nresilience. As part of that process, I will receive monthly status \nupdates from DHS components that we will share with GAO.\n                               conclusion\n    It is our fundamental responsibility to manage the Department of \nHomeland Security effectively and efficiently. Sound management is \ncritical to our ability to execute our mission successfully, and it is \nincumbent upon us as guardians of the public trust to be careful and \nscrupulous in our expenditure of public funds. You have my commitment \nthat I will continue to focus intensely on strengthening the \nDepartment's management functions, and that I will work closely with \nthis committee and with GAO to achieve that goal.\n    Thank you for the opportunity and the privilege to appear before \nyou.\n\n    Chairman McCaul. Thank you, Deputy Secretary. The Chairman \nnow recognizes Mr. Dodaro for an opening statement.\n\nSTATEMENT OF GENE L. DODARO, COMPTROLLER GENERAL OF THE UNITED \n            STATES, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Dodaro. Thank you very much, Mr. Chairman. Good morning \nto you, Ranking Member Thompson, distinguished Members of the \ncommittee. I appreciate the opportunity to be here today to \ndiscuss GAO's designations and high-risk areas regarding the \nDepartment of Homeland Security.\n    With regard to the management functions that we initially \nplaced on the list in 2003, I am pleased to report that the \nDepartment is well on its way to satisfying two of the five \ncriteria for coming off the list.\n    One is leadership commitment, and I am very satisfied with \nthe deputy secretary and the Secretary's engagement on this \nissue. I believe that we have an open, constructive dialogue, \nwhich is the first step toward resolving some of these \nproblems.\n    They also have a pretty good integrated plan for coming off \nthe high-risk list. However, they still need to demonstrate the \ncapacity to make the changes, to have a monitoring effort to \nmake sure that the changes are implemented properly. Most \nimportantly and lastly is they need to demonstrate progress in \nmaking sure that they have actually fixed some of the \nunderlying problems that have plagued them in the past.\n    With regard to the acquisition area, for example, they have \ndesignated acquisition components at the component level and \norganized some centers to bring together some core expertise to \nhelp in the acquisitions area. But they need to have governance \nmechanisms in place to look at the entire acquisition portfolio \nand set priorities across the Department. Then to make sure \nthat individual acquisitions operate effectively and are more \nconsistently meeting the Department's policies.\n    For example, 46 percent of the major acquisitions do not \nhave approved baseline cost. About 77 percent do not have yet \napproved life-cycle cost estimates. So I believe the H.R. 4228 \nthat this committee passed is a very important contribution \nstep forward to putting disciplined acquisition policies in \nplace and having more transparency and accountability for the \nDepartment.\n    With regard to financial management, they have received the \nclean opinion that both the Chairman and Ranking Member \nrecognized this morning for fiscal year 2013 financial \nstatements. However, to meet our list to get off the list they \nneed to sustain the clean opinion.\n    They need to get a clean opinion on internal controls, \nwhich they are not able to do at this point because of a number \nof material weaknesses in their systems. They also need to \neffectively put in modern financial management systems in the \ncomponents, particularly the Coast Guard, FEMA, ICE, and \nCustoms and Border Patrol.\n    With regard to human capital management they have put \ntogether a plan to guide them in this area. But they must \naddress the root causes that are at the heart of the employee \nmorale issues that have plagued the Department for a number of \nyears. Also to focus on processes to identify skill gaps and to \nremedy those skill gaps across the Department.\n    In the IT area we are pleased they have had an enterprise \narchitecture in place, which is a good first step. But they \nneed to finalize their policy governance structure for IT \ninvestments, and to expand that policy to cover all 13 \nportfolios. Right now they have it only covering five of 13. \nThey need to fix their information security weaknesses, which \nare a major control problem for the Department.\n    Now with regard to other areas we have on the high-risk \nlist--cybersecurity and critical infrastructure protection that \nDHS is part of, National Flood Insurance Program, and \ninformation sharing in the terrorist information sharing--I \nwould be happy to answer any questions on those areas at the \nappropriate time.\n    I would just say with regard to cybersecurity there has \nbeen a lot of attention to this area, but more needs to be \ndone. I am very supportive of the H.R. 3696 legislation that \nyou have initiated.\n    I think the Department has been given responsibility for \ncybersecurity across the Federal Government without the \nauthority. That authority should be codified and put into law. \nAlso giving them additional guidance in the critical \ninfrastructure protection area and additional codification is a \nreally good step forward.\n    So I commend this committee both for the acquisition \nlegislation and the cybersecurity and critical infrastructure \nlegislation. So, I would be happy to answer questions at the \nappropriate point in time. I again very much appreciate the \nopportunity to be here today to discuss our efforts to help the \nDepartment reach its full potential.\n    [The prepared statement of Mr. Dodaro follows:]\n                  Prepared Statement of Gene L. Dodaro\n                              May 7, 2014\n    Chairman McCaul, Ranking Member Thompson, and Members of the \ncommittee: I am pleased to be here today to discuss our work on the \nDepartment of Homeland Security's (DHS) on-going efforts to improve the \nefficiency of its operations and unity of the Department, with a \nparticular focus on DHS's progress and remaining challenges addressing \nGAO's high-risk designations. In the 11 years since the Department's \ncreation, DHS has implemented key homeland security operations, \nachieved important goals and milestones, and grown to more than 240,000 \nemployees and approximately $60 billion in budget authority. During \nthat time, our work has identified several areas where DHS needs to \naddress gaps and weaknesses in its current operational and \nimplementation efforts, as well as strengthen the efficiency and \neffectiveness of those efforts. Since 2003, we have made approximately \n2,100 recommendations to DHS to strengthen program management, \nperformance measurement efforts, and management processes, among other \nthings. DHS has implemented more than 65 percent of these \nrecommendations and has actions under way to address others.\n    We also report regularly to the Congress on Government operations \nthat we identified as high-risk because of their greater vulnerability \nto fraud, waste, abuse, and mismanagement, or the need for \ntransformation to address economy, efficiency, or effectiveness \nchallenges. DHS has sole or critical responsibility for four GAO high-\nrisk areas--(1) Strengthening DHS Management Functions, (2) National \nFlood Insurance Program (NFIP), (3) Protecting the Federal Government's \nInformation Systems and the Nation's Cyber Critical Infrastructures, \nand (4) Establishing Effective Mechanisms for Sharing and Managing \nTerrorism-Related Information to Protect the Homeland. DHS has made \nprogress addressing areas we have identified as high-risk, but needs to \ncontinue to strengthen its efforts in order to more efficiently and \neffectively achieve its homeland security missions. In particular:\n  <bullet> In 2003, we designated implementing and transforming DHS as \n        high-risk because DHS had to transform 22 agencies--several \n        with major management challenges--into one department, and \n        failure to address associated risks could have serious \n        consequences for U.S. National and economic security.\\1\\ While \n        challenges remain across its missions, DHS has made \n        considerable progress in transforming its original component \n        agencies into a single department. As a result, in our 2013 \n        high-risk update, we narrowed the scope of the high-risk area \n        to focus on strengthening DHS management functions (human \n        capital, acquisition, financial management, and information \n        technology [IT]).\\2\\\n---------------------------------------------------------------------------\n    \\1\\ GAO, High-Risk Series: An Update, GAO-03-119 (Washington, DC: \nJanuary 2003).\n    \\2\\ GAO, High-Risk Series: An Update, GAO-13-283 (Washington, DC: \nFebruary 2013). For additional information, see our high-risk list key \nissues page at http://www.gao.gov/highrisk/overview.\n---------------------------------------------------------------------------\n  <bullet> In 2006, we added the NFIP--a key component of the Federal \n        Government's efforts to limit the damage and financial impact \n        of floods--to the GAO high-risk list because the program faced \n        significant on-going financial and management challenges.\\3\\ In \n        particular, the NFIP, which is managed by DHS's Federal \n        Emergency Management Agency (FEMA), is unlikely to generate \n        sufficient revenue to cover future catastrophic losses or repay \n        billions of dollars borrowed from the Department of the \n        Treasury to cover insurance claims from previous disasters.\n---------------------------------------------------------------------------\n    \\3\\ GAO, GAO's High-Risk Program, GAO-06-497T (Washington, DC: Mar. \n15, 2006).\n---------------------------------------------------------------------------\n  <bullet> In 1997, we designated Federal information security as a \n        Government-wide high-risk area, and we expanded the area in \n        2003 to include systems supporting critical infrastructure such \n        as power distribution, communications, banking and finance, \n        water supply, National defense, and emergency services.\\4\\ The \n        effective security of these systems and the data they contain \n        is essential to National security, economic well-being, and \n        public health and safety. DHS is responsible for securing its \n        own information systems and data and also plays a pivotal role \n        in Government-wide cybersecurity efforts.\n---------------------------------------------------------------------------\n    \\4\\ GAO-03-119.\n---------------------------------------------------------------------------\n  <bullet> In 2005, we designated the sharing of terrorism-related \n        information as high-risk because of the significant challenges \n        the Federal Government faces in sharing this information in a \n        timely, accurate, and useful manner.\\5\\ The sharing of \n        terrorism-related information is a Government-wide effort that \n        involves numerous Federal departments and agencies. DHS plays a \n        critical role in this sharing given its homeland security \n        missions and responsibilities.\n---------------------------------------------------------------------------\n    \\5\\ GAO, High-Risk Series: An Update, GAO-05-207 (Washington, DC: \nJan. 1, 2005).\n---------------------------------------------------------------------------\n    In November 2000, we published our criteria for removing areas from \nthe high-risk list.\\6\\ Specifically, agencies must have (1) a \ndemonstrated strong commitment and top leadership support to address \nthe risks; (2) a corrective action plan that identifies the root \ncauses, identifies effective solutions, and provides for substantially \ncompleting corrective measures in the near term, including but not \nlimited to steps necessary to implement solutions we recommended; (3) \nthe capacity (that is, the people and other resources) to resolve the \nrisks; (4) a program instituted to monitor and independently validate \nthe effectiveness and sustainability of corrective measures; and (5) \nthe ability to demonstrate progress in implementing corrective \nmeasures. When legislative, administration, and agency actions, \nincluding those in response to our recommendations, result in \nsignificant progress toward resolving a high-risk problem, we remove \nthe high-risk area.\n---------------------------------------------------------------------------\n    \\6\\ GAO, Determining Performance and Accountability Challenges and \nHigh Risks, GAO-01-159SP (Washington, DC: Nov. 1, 2000).\n---------------------------------------------------------------------------\n    My testimony today discusses our observations on DHS's progress and \nwork remaining in addressing: (1) High-risk areas for which DHS has \nsole responsibility, and (2) high-risk areas for which DHS has \ncritical, but shared, responsibility.\n    This statement is based on GAO's 2013 high-risk update as well as \nreports and testimonies we issued from March 2013 through April \n2014.\\7\\ For the past products, among other things, we analyzed DHS \nstrategies and other documents related to the Department's efforts to \naddress its high-risk areas; reviewed our past reports issued since DHS \nbegan its operations in March 2003; and interviewed DHS officials. More \ndetailed information on the scope and methodology of our prior work can \nbe found within each specific report. This statement is also based on \nanalyses from our on-going assessment of DHS's efforts to address its \nhigh-risk areas since February 2013. We expect to report final results \nfrom this work in our 2015 high-risk update. For our analyses, among \nother things, we analyzed DHS documentation, such as Departmental \nguidance, and met with DHS officials, including the deputy secretary \nand under secretary for management, to discuss DHS's efforts to address \nits high-risk areas. With respect to the Strengthening DHS Management \nFunctions high-risk area, on May 1, 2014, DHS provided us with an \nupdated version of its Integrated Strategy for High-Risk Management. We \nplan to analyze this update as part of our on-going assessment of DHS's \nprogress in addressing this high-risk area.\n---------------------------------------------------------------------------\n    \\7\\ GAO-13-283.\n---------------------------------------------------------------------------\n    We conducted the work on which this statement is based in \naccordance with generally accepted Government auditing standards. Those \nstandards require that we plan and perform the audit to obtain \nsufficient, appropriate evidence to provide a reasonable basis for our \nfindings and conclusions based on our audit objectives. We believe that \nthe evidence obtained provides a reasonable basis for our findings and \nconclusions based on our audit objectives.\n         high-risk areas for which dhs has sole responsibility\n    DHS has made progress in addressing high-risk areas for which it \nhas sole responsibility, but significant work remains.\nStrengthening DHS Management Functions\n    DHS has made important progress in implementing, transforming, \nstrengthening, and integrating its management functions in human \ncapital, acquisition, financial management, and IT. This has included \ntaking numerous actions specifically designed to address our criteria \nfor removing areas from the high-risk list. However, as we reported in \nour February 2013 high-risk update, this area remains high-risk because \nthe Department has significant work ahead.\\8\\ As shown in Table 1, DHS \nhas met two of our criteria for removal from the high-risk list \n(leadership commitment and a corrective action plan), and has partially \nmet the remaining three criteria (a framework to monitor progress; \ncapacity; and demonstrated, sustained progress).\n---------------------------------------------------------------------------\n    \\8\\ GAO-13-283.\n\n TABLE 1.--ASSESSMENT OF DEPARTMENT OF HOMELAND SECURITY (DHS) PROGRESS\nIN ADDRESSING THE STRENGTHENING DHS MANAGEMENT FUNCTIONS HIGH-RISK AREA,\n                             AS OF MAY 2014\n------------------------------------------------------------------------\n Criterion for Removal From the                Partially Met    Not Met\n         High-Risk List             Met \\1\\         \\2\\           \\3\\\n------------------------------------------------------------------------\nLeadership commitment...........  X            .............  ..........\nCorrective action plan..........  X            .............  ..........\nCapacity........................  ...........  X              ..........\nFramework to monitor progress...  ...........  X              ..........\nDemonstrated, sustained progress  ...........  X              ..........\n                                 ---------------------------------------\n      Total.....................  2            3              0\n------------------------------------------------------------------------\nSource: GAO analysis of DHS documents, interviews, and prior GAO\n  reports.\n\\1\\ ``Met'': There are no significant actions that need to be taken to\n  further address this criterion.\n\\2\\ ``Partially met'': Some but not all actions necessary to generally\n  meet the criterion have been taken.\n\\3\\ ``Not met'': Few, if any, actions toward meeting the criterion have\n  been taken.\n\n    Leadership commitment (met).--The Secretary and deputy secretary of \nHomeland Security, the under secretary for management at DHS, and other \nsenior officials have continued to demonstrate commitment and top \nleadership support for addressing the Department's management \nchallenges. They have also taken actions to institutionalize this \ncommitment to help ensure the long-term success of the Department's \nefforts. For example, in May 2012, the Secretary of Homeland Security \nmodified the delegations of authority between the Management \nDirectorate and its counterparts at the component level to clarify and \nstrengthen the authorities of the under secretary for management across \nthe Department.\n    In addition, in April 2014, the Secretary of Homeland Security \nissued a memorandum committing to improving DHS's planning, \nprogramming, budgeting, and execution processes through strengthened \nDepartmental structures and increased capability. This memorandum \nidentified several initial areas of focus intended to build \norganizational capacity.\\9\\ Senior DHS officials have also routinely \nmet with us over the past 5 years to discuss the Department's plans and \nprogress in addressing this high-risk area, during which we provided \nspecific feedback on the Department's efforts. According to these \nofficials, and as demonstrated through their progress, the Department \nis committed to demonstrating measurable, sustained progress in \naddressing this high-risk area. It will be important for DHS to \nmaintain its current level of top leadership support and sustained \ncommitment to ensure continued progress in successfully executing its \ncorrective actions through completion.\n---------------------------------------------------------------------------\n    \\9\\ DHS, Secretary of Homeland Security, Strengthening Departmental \nUnity of Effort, Memorandum for DHS Leadership (Washington, DC: April \n22, 2014).\n---------------------------------------------------------------------------\n    Corrective action plan (met).--DHS established a plan for \naddressing this high-risk area. In a September 2010 letter to DHS, we \nidentified and DHS agreed to achieve 31 actions and outcomes that are \ncritical to addressing the challenges within the Department's \nmanagement areas and in integrating those functions across the \nDepartment. In January 2011, DHS issued its initial Integrated Strategy \nfor High-Risk Management, which included key management initiatives and \nrelated corrective action plans for addressing its management \nchallenges and the outcomes we identified. DHS provided updates of its \nprogress in implementing these initiatives and corrective actions in \nits later versions of the strategy. In March 2014, we made updates to \nthe actions and outcomes in collaboration with DHS to reduce overlap \nand ensure their continued relevance and appropriateness. These updates \nresulted in a reduction from 31 to 30 total actions and outcomes.\n    DHS's strategy and approach to continuously refining actionable \nsteps to implementing the outcomes, if implemented effectively and \nsustained, provide a path for DHS to be removed from GAO's high-risk \nlist.\n    Capacity (partially met).--In May 2014, DHS identified that it had \nresources needed to implement 7 of the 11 initiatives the Department \nhad under way to address the actions and outcomes, but did not identify \nsufficient resource needs for the 4 remaining initiatives. In our \nanalysis of DHS's June 2013 update, which similarly did not identify \nsufficient resource needs for all initiatives, we found that this \nabsence of complete resource information made it difficult to fully \nassess the extent to which DHS has the capacity to implement its \ninitiatives.\n    In addition, our prior work has identified specific capacity gaps \nthat could undermine achievement of management outcomes. For example, \nin September 2012, we reported that 51 of 62 acquisition programs faced \nworkforce shortfalls in program management, cost estimating, \nengineering, and other areas, increasing the likelihood that the \nprograms will perform poorly in the future.\\10\\ Since that time, DHS \nhas appointed component acquisition executives at the components and \nmade progress in filling staff positions. In April 2014, however, we \nreported that DHS needed to increase its cost-estimating capacity, and \nthat the Department had not approved baselines for 21 of 46 major \nacquisition programs.\\11\\ These baselines--which establish cost, \nschedule, and capability parameters--are necessary to accurately assess \nprogram performance.\n---------------------------------------------------------------------------\n    \\10\\ GAO, Homeland Security: DHS Requires More Disciplined \nInvestment Management to Help Meet Mission Needs, GAO-12-833 \n(Washington, DC: Sept. 18, 2012).\n    \\11\\ GAO, Homeland Security Acquisitions: DHS Could Better Manage \nIts Portfolio to Address Funding Gaps and Improve Communications with \nCongress, GAO-14-332 (Washington, DC: Apr. 17, 2014).\n---------------------------------------------------------------------------\n    DHS needs to continue to identify resources for the remaining \ninitiatives; determine that sufficient resources and staff are \ncommitted to initiatives; work to mitigate shortfalls and prioritize \ninitiatives, as needed; and communicate to senior leadership critical \nresource gaps.\n    Framework to monitor progress (partially met).--DHS established a \nframework for monitoring its progress in implementing the corrective \nactions it identified for addressing the 30 actions and outcomes. In \nthe June 2012 update to the Integrated Strategy for High-Risk \nManagement, DHS included, for the first time, performance measures to \ntrack its progress in implementing all of its key management \ninitiatives. DHS continued to include performance measures in its May \n2014 update.\n    Additionally, in March 2014, the deputy secretary began meeting \nmonthly with the DHS management team to discuss DHS's progress in \nstrengthening its management functions. According to senior DHS \nofficials, as part of these meetings, attendees discuss a report that \nsenior DHS officials update each month, which identifies corrective \nactions for each outcome, as well as projected and actual completion \ndates.\n    However, there are opportunities for DHS to strengthen this \nframework. For example, as we reported in September 2013, DHS \ncomponents need to develop performance and functionality targets for \nassessing their proposed financial systems.\\12\\ This would include \nhaving an independent validation and verification program in place to \nensure the modernized financial systems meet expected targets. Moving \nforward, DHS will need to closely track and independently validate the \neffectiveness and sustainability of its corrective actions and make \nmid-course adjustments, as needed.\n---------------------------------------------------------------------------\n    \\12\\ GAO, DHS Financial Management: Additional Efforts Needed to \nResolve Deficiencies in Internal Controls and Financial Management \nSystems, GAO-13-561 (Washington, DC: Sept. 30, 2013).\n---------------------------------------------------------------------------\n    Demonstrated, sustained progress (partially met).--Key to \naddressing the Department's management challenges is DHS demonstrating \nthe ability to achieve sustained progress across the 30 actions and \noutcomes we identified and DHS agreed were needed to address the high-\nrisk area. These actions and outcomes include, among others, validating \nrequired acquisition documents in accordance with a Department-\napproved, knowledge-based acquisition process, and sustaining clean \naudit opinions for at least 2 consecutive years on Department-wide \nfinancial statements and internal controls. As illustrated by the \nexamples below, DHS has made important progress in implementing \ncorrective actions across its management functions, but it has not \ndemonstrated sustainable, measurable progress in addressing key \nchallenges that remain within these functions and in the integration of \nthose functions.\\13\\\n---------------------------------------------------------------------------\n    \\13\\ For our assessments of DHS's progress in addressing the 30 \noutcomes, ``fully addressed'' means the outcome is fully addressed; \n``mostly addressed'' means progress is significant and a small amount \nof work remains; ``partially addressed'' means progress is measurable, \nbut significant work remains; and ``initiated'' means activities have \nbeen initiated to address outcomes, but it is too early to report \nprogress.\n---------------------------------------------------------------------------\n    Human capital management.--DHS has mostly addressed 1 of the 7 \nhuman capital management outcomes and partially addressed the remaining \n6. For example, as we reported in December 2012, DHS has developed and \ndemonstrated progress in implementing a strategic human capital \nplan.\\14\\ This plan, among other things, is integrated with broader \norganizational strategic planning, and mostly addresses this outcome. \nHowever, DHS needs to improve other aspects of its human capital \nmanagement.\n---------------------------------------------------------------------------\n    \\14\\ GAO, DHS Strategic Workforce Planning: Oversight of \nDepartment-wide Efforts Should Be Strengthened, GAO-13-65 (Washington, \nDC: Dec. 3, 2012). For example:\n---------------------------------------------------------------------------\n  <bullet> As we reported in December 2013, the Office of Personnel \n        Management's 2013 Federal Employee Viewpoint Survey data showed \n        that DHS employee satisfaction was 36th of 37 Federal agencies \n        and had decreased 7 percentage points since 2011, which is more \n        than the Government-wide decrease of 4 percentage points over \n        the same time period.\\15\\ As a result, the gap between average \n        DHS employee satisfaction and the Government-wide average \n        widened to 7 percentage points.\\16\\ Accordingly, DHS has \n        considerable work ahead to improve its employee morale.\n---------------------------------------------------------------------------\n    \\15\\ The Federal Employee Viewpoint Survey measures employees' \nperceptions of whether and to what extent conditions characterizing \nsuccessful organizations are present in their agencies.\n    \\16\\ GAO, Department of Homeland Security: DHS's Efforts to Improve \nEmployee Morale and Fill Senior Leadership Vacancies, GAO-14-228T \n(Washington, DC: Dec. 12, 2013).\n---------------------------------------------------------------------------\n  <bullet> Further, according to senior DHS officials, the Department \n        has efforts under way intended to link workforce planning \n        efforts to strategic and program-specific planning efforts to \n        identify current and future human capital needs, including the \n        knowledge, skills, and abilities needed for the Department to \n        meet its goals and objectives. According to these officials, \n        the Department is in the process of finalizing competency gap \n        assessments to identify potential skills gaps within its \n        components that collectively encompass almost half of the \n        Department's workforce. These assessments focus on occupations \n        DHS identifies as critical to its mission, including emergency \n        management specialists and cyber-focused IT management \n        personnel. DHS plans to analyze the results of these \n        assessments and develop plans to address any gaps the \n        assessments identify by the end of fiscal year 2014. This is a \n        positive step, as identifying skills gaps could help the \n        Department to better identify current and future human capital \n        needs and ensure the Department possesses the knowledge, \n        skills, and abilities needed to meet its goals and objectives. \n        Given that DHS is finalizing these assessments, it is too early \n        to assess their effectiveness.\n    Acquisition management.--DHS has mostly addressed one of the five \nacquisition management outcomes, partially addressed one, and initiated \nactivities to address the remaining three. DHS has made the most \nprogress in increasing component-level acquisition capability by, for \nexample, establishing a component acquisition executive in each DHS \ncomponent to provide oversight and support programs within its \nportfolio. DHS has also taken steps to enhance its acquisition \nworkforce by establishing centers of excellence for cost estimating, \nsystems engineering, and other disciplines to promote best practices \nand provide technical guidance. However, DHS needs to improve its \nacquisition management. For example:\n  <bullet> DHS initiated a governance body in 2013 to review and \n        validate acquisition programs' requirements and identify and \n        eliminate any unintended redundancies, but it considered trade-\n        offs only across acquisition programs within the Department's \n        cybersecurity portfolio. DHS acknowledged that the Department \n        has no formal structure in place to consider trade-offs DHS-\n        wide, but DHS anticipates chartering such a body by the end of \n        May 2014.\n  <bullet> DHS also has initiated efforts to validate required \n        acquisition documents in accordance with a knowledge-based \n        acquisition process, but this remains a major challenge for the \n        Department. A knowledge-based approach provides developers with \n        information needed to make sound investment decisions, and it \n        would help DHS address significant challenges we have \n        identified across its acquisition programs.\\17\\ DHS's \n        acquisition policy largely reflects key acquisition management \n        practices, but the Department has not implemented it \n        consistently. In March 2014, we reported that the \n        Transportation Security Administration does not collect or \n        analyze available information that could be used to enhance the \n        effectiveness of its advanced imaging technology.\\18\\ In March \n        2014, we also found that U.S. Customs and Border Protection \n        (CBP) did not fully follow DHS policy regarding testing for the \n        integrated fixed towers being deployed on the Arizona \n        border.\\19\\ As a result, DHS does not have complete information \n        on how the towers will operate once they are fully deployed.\n---------------------------------------------------------------------------\n    \\17\\ In our past work examining weapon acquisition issues and best \npractices for product development, we have found that leading \ncommercial firms pursue an acquisition approach that is anchored in \nknowledge, whereby high levels of product knowledge are demonstrated by \ncritical points in the acquisition process.\n    \\18\\ GAO, Advanced Imaging Technology: TSA Needs Additional \nInformation Before Procuring Next-Generation Systems, GAO-14-357 \n(Washington, DC: March 31, 2014).\n    \\19\\ GAO, Arizona Border Surveillance Technology Plan: Additional \nActions Needed to Strengthen Management and Assess Effectiveness, GAO-\n14-368 (Washington, DC: Mar. 3, 2014).\n---------------------------------------------------------------------------\n  <bullet> Finally, DHS does not have the acquisition management tools \n        in place to consistently demonstrate whether its major \n        acquisition programs are on track to achieve their cost, \n        schedule, and capability goals. About half of major programs \n        lack an approved baseline, and 77 percent lack approved life-\n        cycle cost estimates. DHS stated in its 2014 update that it \n        will take time to demonstrate substantive progress in this \n        area. We have recently initiated two reviews to examine DHS's \n        progress in these high-risk areas. In addition, the House \n        Homeland Security committee recently introduced a DHS \n        acquisition reform bill that reinforces the importance of key \n        acquisition management practices, such as establishing cost, \n        schedule, and capability parameters, and includes requirements \n        to better identify and address poor-performing acquisition \n        programs, which could aid the Department in addressing its \n        acquisition management challenges.\n    Financial management.--DHS has made progress toward improving its \nfinancial management and has fully addressed 1 of 8 high-risk financial \nmanagement outcomes--ensuring its financial statements are accurate and \nreliable.\\20\\ However, a significant amount of work remains to be \ncompleted on the other 7 outcomes related to DHS's financial \nstatements, internal control over financial reporting, and modernizing \nfinancial management systems.\n---------------------------------------------------------------------------\n    \\20\\ The financial management outcomes have twice been revised \nsince September 2010 when they were initially established. The most \nrecent revision occurred in March 2014 when GAO and DHS agreed to \nrevise the outcomes to clarify certain requirements and eliminate \noverlap among the outcomes and between the outcomes and GAO's high-risk \nremoval criteria.\n---------------------------------------------------------------------------\n  <bullet> DHS produced accurate and reliable financial statements for \n        the first time in fiscal year 2013, in part through \n        management's commitment to improving its financial management \n        process. As of May 2014, DHS is working toward sustaining this \n        key achievement.\n  <bullet> DHS has also made some progress toward implementing \n        effective internal control over financial reporting, in part by \n        implementing a corrective action planning process aimed at \n        addressing internal control weaknesses. For example, the \n        Department took corrective actions to reduce the material \n        weakness in environmental and other liabilities to a \n        significant deficiency.\\21\\ However, DHS needs to eliminate all \n        material weaknesses at the Department level before its \n        financial auditor can assert that the controls are effective. \n        For example, one of the material weaknesses involves \n        deficiencies in property, plant, and equipment. DHS plans to \n        achieve this outcome for fiscal year 2016. To meet another \n        outcome, DHS needs to sustain these efforts for 2 years.\n---------------------------------------------------------------------------\n    \\21\\ Environmental liabilities consist of environmental \nremediation, clean-up, and decommissioning. A significant deficiency is \na deficiency, or combination of deficiencies, in internal control \nimportant enough to merit attention by those charged with governance. A \nmaterial weakness is a significant deficiency, or a combination of \nsignificant deficiencies, in internal control such that there is a \nreasonable possibility that a material misstatement of the entity's \nfinancial statements will not be prevented, or detected and corrected, \non a timely basis.\n---------------------------------------------------------------------------\n  <bullet> DHS also needs to effectively manage the modernization of \n        financial management systems at the U.S. Coast Guard (USCG), \n        U.S. Immigration and Customs Enforcement (ICE), and the Federal \n        Emergency Management Agency (FEMA). Both USCG and ICE have made \n        some progress toward modernizing their systems and foresee \n        moving to a Federal shared service provider and completing \n        their efforts in the latter part of 2016 and 2017.\\22\\ Because \n        of critical stability issues with its legacy financial system \n        that were resolved in May 2013, FEMA postponed its \n        modernization efforts and has not restarted them.\n---------------------------------------------------------------------------\n    \\22\\ A shared service provider is a third-party entity that manages \nand distributes software-based services and solutions to customers \nacross a wide area network from a central data center.\n---------------------------------------------------------------------------\n    IT Management.--DHS has fully addressed 1 of the 6 IT management \noutcomes and partially addressed the remaining 5. In particular, the \nDepartment has strengthened its enterprise architecture program (or \nblueprint) to guide IT acquisitions by, among other things, largely \naddressing our prior recommendations aimed at adding needed \narchitectural depth and breadth, thus fully addressing this outcome. \nHowever, the Department needs to continue to demonstrate progress in \nstrengthening other core IT management areas. For example,\n  <bullet> While the Department is taking the necessary steps to \n        enhance its IT security program, such as finalizing its annual \n        Information Security Performance Plan, further work will be \n        needed for DHS to eliminate the Department's current material \n        weakness in its information security. It will be important for \n        the Department to fully implement its plan, since DHS's \n        financial statement auditor reported in December 2013 that \n        flaws in the security controls such as access controls, \n        contingency planning, and segregation of duties were a material \n        weakness for financial reporting purposes.\n  <bullet> While important steps have been taken to define IT \n        investment management processes generally consistent with best \n        practices, work is needed to demonstrate progress in \n        implementing these processes across DHS's 13 IT investment \n        portfolios.\\23\\ In July 2012, we recommended that DHS finalize \n        the policies and procedures associated with its new tiered IT \n        governance structure and continue to implement key processes \n        supporting this structure.\\24\\ DHS agreed with these \n        recommendations; however, as of April 2014, the Department had \n        not finalized the key IT governance directive, and the draft \n        structure has been implemented across only 5 of the 13 \n        investment portfolios. \\25\\\n---------------------------------------------------------------------------\n    \\23\\ The 13 portfolios are intelligence, domain awareness, \nsecuring, screening, law enforcement, information sharing and \nsafeguarding, continuity-of-operations planning, benefits \nadministration, incident management, enterprise business services, \nenterprise financial management, enterprise IT services, and enterprise \nhuman capital.\n    \\24\\ GAO, Information Technology: DHS Needs to Further Define and \nImplement Its New Governance Process,GAO-12-818 (Washington, DC: July \n25, 2012).\n    \\25\\ The draft structure has been implemented across the following \nfive portfolios: Intelligence, screening, information sharing and \nsafeguarding, enterprise IT services, and enterprise human capital.\n---------------------------------------------------------------------------\n    Fully addressing these actions would also help DHS to address key \n        IT operations efficiency initiatives, as well as to more \n        systematically identify other opportunities for savings. For \n        example, as part of the Office of Management and Budget's data \n        center consolidation initiative, we reported that DHS planned \n        to consolidate from 101 data centers to 37 data centers by \n        December 2015.\\26\\ Further, DHS officials told us that the \n        Department had achieved actual cost savings totaling about $140 \n        million in fiscal years 2011 through 2013, and that it \n        estimates total consolidation cost savings of approximately \n        $650 million through fiscal year 2019.\n---------------------------------------------------------------------------\n    \\26\\ GAO, Data Center Consolidation: Agencies Making Progress on \nEfforts, but Inventories and Plans Need to Be Completed, GAO-12-742 \n(Washington, DC: July 19, 2012).\n---------------------------------------------------------------------------\n  <bullet> DHS has also made progress in establishing and implementing \n        sound IT system acquisition processes, but continued efforts \n        are needed to ensure that the Department's major IT acquisition \n        programs are applying these processes and obtaining more \n        predictable outcomes. In 2013, DHS's Office of the Chief \n        Information Officer led an assessment of its major IT programs \n        (against industry best practices in key IT system acquisition \n        process areas) to determine its capability strengths and \n        weaknesses, and has work under way to track programs' progress \n        in addressing identified capability gaps, such as requirements \n        management and risk analysis. While this gap analysis and \n        approach for tracking implementation of corrective actions are \n        important steps, DHS will need to show that these actions are \n        resulting in better, more predictable outcomes for its major IT \n        system acquisitions. Demonstrated progress in closing these \n        gaps is especially important in light of our recent reports on \n        major DHS IT programs experiencing significant challenges \n        largely because of system acquisition process shortfalls, \n        including DHS's major border security system modernization, \n        known as TECS-Mod.\\27\\\n---------------------------------------------------------------------------\n    \\27\\ GAO, Border Security: DHS's Efforts to Modernize Key \nEnforcement Systems Could be Strengthened, GAO-14-62 (Washington, DC: \nDec. 5, 2013).\n---------------------------------------------------------------------------\n    Management integration.--DHS has made substantial progress \nintegrating its management functions, fully addressing 3 of the 4 \noutcomes we identified as key to the Department's management \nintegration efforts. For example, DHS issued a comprehensive plan to \nguide its management integration efforts--the Integrated Strategy for \nHigh-Risk Management--in January 2011, and has generally improved upon \nthis plan with each update. In addition, in April 2014, the Secretary \nof Homeland Security issued a memorandum committing to improving DHS's \nplanning, programming, budgeting, and execution processes through \nstrengthened Departmental structures and increased capability.\\28\\ To \nachieve the last and most significant outcome--implement actions and \noutcomes in each management area to develop consistent or consolidated \nprocesses and systems within and across its management functional \nareas--DHS needs to continue to demonstrate sustainable progress \nintegrating its management functions within and across the Department \nand its components and take additional actions to further and more \neffectively integrate the Department.\n---------------------------------------------------------------------------\n    \\28\\ DHS, Secretary of Homeland Security, Strengthening \nDepartmental Unity of Effort, Memorandum for DHS Leadership \n(Washington, DC: April 22, 2014).\n---------------------------------------------------------------------------\n    For example, recognizing the need to better integrate its lines of \nbusiness, in February 2013, the Secretary of Homeland Security signed a \npolicy directive establishing the principles of the Integrated \nInvestment Life-Cycle Management to guide planning, executing, and \nmanaging critical investments Department-wide. DHS's June 2013 \nIntegrated Strategy for High-Risk Management identified that Integrated \nInvestment Life-Cycle Management will require significant changes to \nDHS planning, executing, and managing critical investments. At that \ntime, DHS was piloting elements of the framework to inform a portion of \nthe fiscal year 2015 budget. DHS's May 2014 strategy update states that \nthe Department plans to receive an independent analysis of the pilots \nin May 2014. Given that these efforts are under way, it is too early to \nassess their impact.\n    As we reported in March 2013, to more fully address the \nStrengthening DHS Management Functions high-risk area, DHS needs to \ncontinue implementing its Integrated Strategy for High-Risk Management \nand show measurable, sustainable progress in implementing its key \nmanagement initiatives and corrective actions and achieving \noutcomes.\\29\\ In doing so, it will be important for DHS to:\n---------------------------------------------------------------------------\n    \\29\\ GAO, High-Risk Series, Government-wide 2013 Update and \nProgress Made by the Department of Homeland Security, GAO-13-444T \n(Washington, DC: March 21, 2013).\n---------------------------------------------------------------------------\n  <bullet> maintain its current level of top leadership support and \n        sustained commitment to ensure continued progress in executing \n        its corrective actions through completion;\n  <bullet> continue to implement its plan for addressing this high-risk \n        area and periodically report its progress to Congress and GAO;\n  <bullet> monitor the effectiveness of its efforts to establish \n        reliable resource estimates at the Department and component \n        levels, address and work to mitigate any resource gaps, and \n        prioritize initiatives as needed to ensure it has the capacity \n        to implement and sustain its corrective actions;\n  <bullet> closely track and independently validate the effectiveness \n        and sustainability of its corrective actions and make midcourse \n        adjustments, as needed; and\n  <bullet> make continued progress in addressing the 30 actions and \n        outcomes--for the majority of which significant work remains--\n        and demonstrate that systems, personnel, and policies are in \n        place to ensure that progress can be sustained over time.\\30\\\n---------------------------------------------------------------------------\n    \\30\\ GAO-13-444T.\n---------------------------------------------------------------------------\n    We will continue to monitor DHS's efforts in this high-risk area to \ndetermine if the actions and outcomes are achieved and sustained.\nNational Flood Insurance Program\n    FEMA has made progress in all of the areas required for removal of \nthe NFIP from the high-risk list, but needs to initiate or complete \nadditional actions; also, recent legislation has created challenges for \nFEMA in addressing the financial exposure created by the program. FEMA \nleadership has displayed a commitment to addressing these challenges \nand has made progress in a number of areas, such as financial reporting \nand continuity planning. While FEMA has plans for addressing and \ntracking progress on our specific recommendations, it has yet to \naddress many of them. For example, FEMA has not completed actions in \ncertain areas, such as modernizing its claims and policy management \nsystem and overseeing compensation of insurers that sell NFIP policies. \nCompleting such actions will likely help improve the financial \nstability and operations of the program. Table 2 summarizes DHS's \nprogress in addressing the NFIP high-risk area.\n\n   TABLE 2.--ASSESSMENT OF DEPARTMENT OF HOMELAND SECURITY PROGRESS IN\n  ADDRESSING THE NATIONAL FLOOD INSURANCE PROGRAM HIGH-RISK AREA, AS OF\n                                MAY 2014\n------------------------------------------------------------------------\n Criterion for Removal From the                Partially Met    Not Met\n         High-Risk List             Met \\1\\         \\2\\           \\3\\\n------------------------------------------------------------------------\nLeadership commitment...........  ...........  X              ..........\nCorrective action plan..........  ...........  X              ..........\nCapacity........................  ...........  X              ..........\nFramework to monitor progress...  ...........  X              ..........\nDemonstrated, sustained progress  ...........  X              ..........\n                                 ---------------------------------------\n      Total.....................  0            5              0\n------------------------------------------------------------------------\nSource: GAO analysis of Federal Emergency Management Agency documents,\n  interviews, and prior GAO reports.\n\\1\\ ``Met'': There are no significant actions that need to be taken to\n  further address this criterion.\n\\2\\ ``Partially met'': Some but not all actions necessary to generally\n  meet the criterion have been taken.\n\\3\\ ``Not met'': Few, if any, actions toward meeting the criterion have\n  been taken.\n\n    Leadership commitment (partially met). FEMA officials responsible \nfor the NFIP have shown a commitment to taking a number of actions to \nimplement our recommendations, which are designed to improve both the \nfinancial stability and operations of the program. For example, they \nhave indicated a commitment to implementing our recommendations and \nhave been proactive in clarifying and taking the actions needed to do \nso. In addition, FEMA officials have met with us to discuss outstanding \nrecommendations, the actions they have taken to address them, and \nadditional actions they could take. Further, a DHS official said that \nFEMA holds regular meetings to discuss the status of open \nrecommendations.\n    Recent legislative changes, however, have presented challenges for \nFEMA in addressing the financial exposure created by the NFIP. For \nexample, in July 2012, the Biggert-Waters Flood Insurance Reform Act of \n2012 (Biggert-Waters Act) was enacted, containing provisions to help \nstrengthen the future financial solvency and administrative efficiency \nof NFIP, including phasing out almost all discounted insurance premiums \n(commonly referred to as subsidized premiums).\\31\\ In July 2013, we \nreported that FEMA was starting to implement some of the required \nchanges.\\32\\ However, on March 21, 2014, the Homeowner Flood Insurance \nAffordability Act of 2014 (2014 Act) was enacted, reinstating certain \npremium subsidies and restoring grandfathered rates removed by the \nBiggert-Waters Act.\\33\\ The 2014 Act addresses affordability concerns \nfor certain property owners, but may also increase NFIP's long-term \nfinancial burden on taxpayers.\\34\\\n---------------------------------------------------------------------------\n    \\31\\ Pub. L. No. 112-141, Div. F, Title II, Subtit. A, 126 Stat. \n405, 916 (July 6, 2012).\n    \\32\\ GAO, Flood Insurance: More Information Needed on Subsidized \nProperties, GAO-13-607 (Washington, DC: July 3, 2013).\n    \\33\\ Pub. L. No. 113-89, 128 Stat. 1020 (Mar. 21, 2014).\n    \\34\\ GAO, Flood Insurance: Strategies for Increasing Private Sector \nInvolvement, GAO-14-127 (Washington, DC: Jan. 22, 2014).\n---------------------------------------------------------------------------\n    Corrective action plan (partially met).--While FEMA developed \ncorrective action plans for implementing the recommendations in \nindividual GAO reports, it has not developed a comprehensive plan to \naddress the issues that have placed the NFIP on GAO's high-risk list. \nWhile addressing our recommendations is part of such a plan, a \ncomprehensive plan also defines the root causes, identifies effective \nsolutions, and provides for substantially completing corrective \nmeasures near term. According to a DHS official, the individual action \nplans collectively represent their plan for addressing these issues, as \nthe recommendations cover steps needed to improve the program's \nfinancial stability as well as its administration. The official added \nthat DHS has developed more comprehensive plans for other high-risk \nareas, which have been helpful, and could consider doing so for the \nNFIP, but such plans require a lot of work. Such a plan could help FEMA \nensure that all important issues, and all aspects of those issues, are \naddressed. For example, while our recommendations regarding the NFIP's \nfinancial stability have focused on the extent of subsidized rates and \nthe rate-setting process, financial stability could include other \nimportant areas, such as debt management. As of December 2013, FEMA \nowed the Treasury $24 billion--primarily to pay claims associated with \nSuperstorm Sandy (2012) and Hurricane Katrina (2005)--and had not made \na principal payment since 2010.\n    Capacity (partially met).--FEMA faces several challenges in \nimproving the program's financial stability and operations. First, \nrecent legislative changes permit certain premium subsidies and restore \ngrandfathered rates removed by the Biggert-Waters Act. These \nprovisions, along with others, may weaken the potential for improved \nfinancial soundness of the NFIP program. Second, while FEMA is \nestablishing a reserve fund as required by the Biggert-Waters Act, it \nis unlikely to initially meet the act's annual targets for building up \nthe reserve, partly because of statutory limitations on annual premium \nincreases. Third, while FEMA has begun taking some actions to improve \nits administration of the NFIP, it is unclear how the resources \nrequired to implement both the Biggert-Waters Act and the 2014 Act will \naffect its ability to continue and complete these efforts. For example, \nthe Acts require FEMA to complete multiple studies and take a number of \nactions within the next several years, which will require resources \nFEMA would normally have committed to other efforts.\n    Monitoring Progress (partially met).--FEMA has a process in place \nto monitor progress in taking actions to implement our recommendations \nrelated to the NFIP. For example, the status of efforts to address the \nrecommendations is regularly discussed both within the Flood Insurance \nand Mitigation Administration, which administers the NFIP, and at the \nDHS level, according to a DHS official. However, it does not have a \nspecific process for independently validating the effectiveness or \nsustainability of those actions. Instead, according to a DHS official, \nonce a recommendation related to the NFIP is implemented, the effects \nof the actions taken to do so are not tracked separately, but are \nevaluated as part of regular reviews of the effectiveness of the entire \nprogram. Broader monitoring of the effectiveness and sustainability of \nits actions would help ensure that appropriate corrective actions are \nbeing taken.\n    Demonstrated, sustained progress (partially met).--FEMA has begun \nto take actions to improve the program's financial stability, such as \ninitiating actions to improve the accuracy of full-risk rates.\\35\\ \nHowever, these efforts are not complete, and FEMA does not have some \ninformation, such as the number and location of existing grandfathered \nproperties and information necessary to appropriately revise premium \nrates for previously subsidized properties.\\36\\ Similarly, FEMA has \ntaken a number of actions to improve areas of the program's operations, \nsuch as financial reporting and continuity planning.\\37\\ However, some \nimportant actions, such as modernizing its policy and claims management \nsystem and ensuring the reasonableness of compensation to insurance \ncompanies that sell and service most NFIP policies, remain to be \ncompleted.\\38\\ Sustained progress will be needed for FEMA to address \nthe financial and operational issues facing NFIP.\n---------------------------------------------------------------------------\n    \\35\\ GAO, Flood Insurance: FEMA's Rate-Setting Process Warrants \nAttention, GAO-09-12 (Washington, DC: Oct. 31, 2008).\n    \\36\\ GAO-13-607.\n    \\37\\ GAO, FEMA: Action Needed to Improve Administration of the \nNational Flood Insurance Program, GAO-11-297 (Washington, DC: June 9, \n2011).\n    \\38\\ GAO, Flood Insurance: Opportunities Exist to Improve Oversight \nof the WYO Program, GAO-09-455 (Washington, DC: Aug. 21, 2009) and GAO-\n11-297.\n---------------------------------------------------------------------------\n   government-wide high-risk areas in which dhs plays a critical role\n    Progress has been made in the Government-wide high-risk areas in \nwhich DHS plays a critical role, but significant work remains.\nInformation Security and Cyber Critical Infrastructure Protection\n    As we reported in our February 2013 high-risk update, the White \nHouse and Federal agencies, including DHS, have taken a variety of \nactions that were intended to enhance Federal and critical \ninfrastructure cybersecurity. For example, the Government issued \nnumerous strategy-related documents over the past decade and \nestablished agency performance goals and a mechanism to monitor \nperformance in three cross-agency priority areas of strong \nauthentication, Trusted Internet Connections, and continuous \nmonitoring.\\39\\\n---------------------------------------------------------------------------\n    \\39\\ Strong authentication involves increasing the use of Federal \nsmartcard credentials such as Personal Identity Verification and Common \nAccess Cards that provide multi-factor authentication and digital \nsignature and encryption capabilities, authorizing users to access \nFederal information systems with a higher level of assurance. Trusted \nInternet Connections is an initiative to consolidate external \ntelecommunication connections and ensure a set of baseline security \ncapabilities for situational awareness and enhanced monitoring. \nContinuous monitoring of Federal information systems includes \ntransforming the otherwise static security control assessment and \nauthorization process into a dynamic risk mitigation program that \nprovides essential, near-real-time security status and remediation, \nincreasing visibility into system operations and helping security \npersonnel make risk management decisions based on increased situational \nawareness.\n---------------------------------------------------------------------------\n    In addition, since the February 2013 high-risk update, the \nadministration has continued its cyber-related efforts. In February \n2013, the President issued Presidential Policy Directive 21 on critical \ninfrastructure security and resilience \\40\\ and Executive Order 13636 \non improving critical infrastructure cybersecurity.\\41\\ These documents \nassign specific actions to particular individuals and agencies with \nspecific time frames for completion.\n---------------------------------------------------------------------------\n    \\40\\ The White House, Presidential Policy Directive/PPD-21, \nCritical Infrastructure Security and Resilience (Feb. 12, 2013).\n    \\41\\ Exec. Order No. 13,636, 78 Fed. Reg. 11,739 (Feb. 19, 2013).\n---------------------------------------------------------------------------\n    However, more efforts are needed by Federal organizations, \nincluding the White House, DHS, and other agencies, to address a number \nof areas. To illustrate the scope and persistence of this challenge, in \nfiscal year 2013, inspectors general at 21 of the 24 agencies cited \ninformation security as a major management challenge for their \nagencies,\\42\\ and 18 agencies reported that information security \ncontrol deficiencies were either a material weakness or a significant \ndeficiency in internal controls over financial reporting in fiscal year \n2013.\\43\\\n---------------------------------------------------------------------------\n    \\42\\ The 24 major departments and agencies are the Departments of \nAgriculture, Commerce, Defense, Education, Energy, Health and Human \nServices, Homeland Security, Housing and Urban Development, the \nInterior, Justice, Labor, State, Transportation, the Treasury, and \nVeterans Affairs; the Environmental Protection Agency, General Services \nAdministration, National Aeronautics and Space Administration, National \nScience Foundation, Nuclear Regulatory Commission, Office of Personnel \nManagement, Small Business Administration, Social Security \nAdministration, and U.S. Agency for International Development.\n    \\43\\ A control deficiency exists when the design or operation of a \ncontrol does not allow management or employees, in the normal course of \nperforming their assigned functions, to prevent or detect and correct \nmisstatements on a timely basis.\n---------------------------------------------------------------------------\n            DHS's Role in Federal Information Security and Cyber \n                    Critical Infrastructure Protection\n    In addition to having responsibilities for securing its own \ninformation systems and data, DHS plays a pivotal role in Government-\nwide cybersecurity efforts. In particular, in July 2010, the Director \nof the Office of Management and Budget (OMB) and the White House \nCybersecurity Coordinator issued a joint memorandum that transferred \nseveral key OMB responsibilities under the Federal Information Security \nManagement Act of 2002 (FISMA) to DHS.\\44\\ Specifically, DHS is to \nexercise primary responsibility within the Executive branch for \noverseeing and assisting with the operational aspects of cybersecurity \nfor Federal systems that fall within the scope of FISMA.\n---------------------------------------------------------------------------\n    \\44\\ See Pub. L. No. 107-347, Dec. 17, 2002; 44 U.S.C. 3541, et \nseq.\n---------------------------------------------------------------------------\n    We agree that DHS should play a role in the operational aspects of \nFederal cybersecurity. We suggested in February 2013 that Congress \nconsider legislation that would clarify roles and responsibilities for \nimplementing and overseeing Federal information security programs and \nfor protecting the Nation's critical cyber assets.\\45\\\n---------------------------------------------------------------------------\n    \\45\\ GAO, Cybersecurity: National Strategy, Roles, and \nResponsibilities Need to Be Better Defined and More Effectively \nImplemented, GAO-13-187 (Washington, DC: Feb. 14, 2013).\n---------------------------------------------------------------------------\n    Regarding cyber critical infrastructure protection, a fundamental \ncomponent of DHS's efforts is its partnership approach, whereby it \nengages in partnerships among Government and industry stakeholders. \nSuch an approach is essential because the majority of critical \ninfrastructure in the United States is owned and operated by the \nprivate sector. In 2006, DHS issued the National Infrastructure \nProtection Plan. The plan, subsequently updated several times, provides \nthe overarching approach for integrating the Nation's critical \ninfrastructure protection and resilience activities into a single \nNational effort.\\46\\ Congress is considering several bills that would \naddress cyber information sharing and the cybersecurity posture of the \nFederal Government and the Nation. For example, H.R. 3696, the National \nCybersecurity and Critical Infrastructure Protection Act of 2014, would \naddress DHS's role and responsibilities in protecting Federal civilian \ninformation systems and critical infrastructure from cyber threats.\\47\\\n---------------------------------------------------------------------------\n    \\46\\ See, most recently, Department of Homeland Security, NIPP \n2013: Partnering for Critical Infrastructure Security and Resilience.\n    \\47\\ H.R. 3696, 113th Cong. (2013).\n---------------------------------------------------------------------------\n    Specific laws, Executive Orders, and directives have further guided \nDHS's role in cyber critical infrastructure protection. For example, \nExecutive Order 13636 directs DHS to, among other things, establish a \nvoluntary program to support the adoption of a cybersecurity framework \nby private-sector partners;\\48\\ coordinate the establishment of a set \nof incentives designed to promote participation in the voluntary \nprogram; and incorporate privacy and civil liberties protections into \nevery initiative called for by the Executive Order.\n---------------------------------------------------------------------------\n    \\48\\ As required by Executive Order 13636, the National Institute \nof Standards and Technology (NIST) issued the first version of the \ncybersecurity framework in February 2014. See NIST, Framework for \nImproving Critical Infrastructure Cybersecurity, Version 1.0 (Feb. 12, \n2014).\n---------------------------------------------------------------------------\n            Securing Federal Systems\n    In carrying out its role in overseeing and assisting Federal \nagencies in implementing information security requirements, DHS has \nbegun performing several activities. These include:\n  <bullet> conducting ``CyberStat'' reviews, which are intended to hold \n        agencies accountable and offer assistance in improving their \n        information security posture;\n  <bullet> holding interviews with agency chief information officers \n        and chief information security officers on security status and \n        issues;\n  <bullet> establishing a program to enable Federal agencies to expand \n        their continuous diagnostics and mitigation capabilities; and,\n  <bullet> refining performance metrics that agencies use for FISMA \n        reporting purposes.\n    In February 2014, as part of our continued dialogue with DHS \nregarding progress and what remains to be accomplished in this high-\nrisk area, we identified and communicated to DHS actions critical to \naddressing its efforts to oversee and assist agencies in improving \ninformation security practices.\\49\\ This included the following:\n---------------------------------------------------------------------------\n    \\49\\ We provided DHS detail on the actions that need to be taken \nand outcomes that need to be achieved to address the Federal \ninformation security and cyber critical infrastructure protection high-\nrisk area. The information we provided DHS was based on our full body \nof work in this area.\n---------------------------------------------------------------------------\n  <bullet> Expand CyberStat reviews to all major Federal agencies.--DHS \n        has conducted CyberStat sessions with several of the 24 major \n        Federal agencies. According to DHS officials, the current \n        approach focuses on providing CyberStat reviews for the lowest-\n        performing agencies. However, expanding the reviews to include \n        all 24 agencies could lead to an improved security posture.\n  <bullet> Enhance FISMA reporting metrics.--In September 2013, we \n        reported that the metrics issued by DHS for gauging the \n        implementation of priority security goals and other important \n        controls did not address key security activities and did not \n        always include performance targets.\\50\\ We recommended that OMB \n        and DHS collaborate to develop improved metrics, and the \n        agencies stated that they plan to implement the recommendation \n        by September 2014.\n---------------------------------------------------------------------------\n    \\50\\ GAO, Federal Information Security: Mixed Progress in \nImplementing Program Components; Improved Metrics Needed to Measure \nEffectiveness, GAO-13-776 (Washington, DC: Sept. 26, 2013).\n---------------------------------------------------------------------------\n  <bullet> Develop a strategic implementation plan.--DHS's Office of \n        Inspector General reported in June 2013 that the Department had \n        not developed a strategic implementation plan describing its \n        cybersecurity responsibilities and a clear plan of action for \n        fulfilling them. According to DHS officials, it has developed \n        this plan and is awaiting closure of the inspector general \n        recommendation. We will review the status of this plan as part \n        of our on-going review of this high-risk area.\n  <bullet> Continue to develop continuous diagnostics and mitigation \n        capabilities and assist agencies in developing and acquiring \n        them.--This effort is intended to protect networks and enhance \n        an agency's ability to see and counteract day-to-day cyber \n        threats.\n    The successful implementation of these actions should result in \noutcomes such as enhanced DHS oversight and assistance through \nCyberStat, improved metrics and other outcomes, improved situational \nawareness, and enhanced capabilities for assisting agencies in \nresponding to cyber incidents. In conjunction with needed actions by \nFederal agencies, this could contribute to improved information \nsecurity Government-wide.\n            Protecting Cyber Critical Infrastructure\n    DHS, in conjunction with other Executive branch entities, has taken \nsteps to enhance the protection of cyber critical infrastructure. For \nexample, according to DHS, it has:\n  <bullet> expanded the capacity of its National Cybersecurity and \n        Communications Integration Center to facilitate coordination \n        and information sharing among Federal and private-sector \n        stakeholders;\n  <bullet> established the Information Sharing Working Group and a \n        mechanism for creating cyber threat reports that can be shared \n        with private-sector partners; and,\n  <bullet> set up a voluntary program to encourage critical \n        infrastructure owners and operators to use the cybersecurity \n        framework developed by the National Institute of Standards and \n        Technology, as required by Executive Order 13636.\n    In February 2014, we identified and communicated to DHS actions \ncritical to addressing cyber critical infrastructure protection, \nincluding the following:\n  <bullet> expand the Enhanced Cybersecurity Services program, which is \n        intended to provide Classified cyber threat and technical \n        information to eligible critical infrastructure entities, to \n        all critical infrastructure sectors as required by Executive \n        Order 13636;\n  <bullet> enhance coordination efforts with private-sector entities to \n        facilitate improvements to the cybersecurity of critical \n        infrastructure; and,\n  <bullet> identify a set of incentives designed to promote \n        implementation of the NIST cybersecurity framework.\n    Completing these efforts could assist in achieving a flow of timely \nand actionable cybersecurity threat and incident information among \nFederal stakeholders and critical infrastructure entities, adoption of \nthe cybersecurity framework by infrastructure owners and operators, and \neffective implementation of security controls over a significant \nportion of critical cyber assets. As we reported in March 2014, more \nneeds to be done to accelerate the progress made in bolstering the \ncybersecurity posture of the Nation and Federal Government. The \nadministration and Executive branch agencies need to implement the \nhundreds of recommendations made by GAO and agency inspectors general \nto address cyber challenges, resolve known deficiencies, and fully \nimplement effective information security programs. Until then, a broad \narray of Federal assets and operations will remain at risk of fraud, \nmisuse, and disruption, and the Nation's most critical Federal and \nprivate-sector infrastructure systems will remain at increased risk of \nattack from our adversaries.\\51\\\n---------------------------------------------------------------------------\n    \\51\\ GAO, Government Efficiency and Effectiveness: Views on the \nProgress and Plans for Addressing Government-wide Management \nChallenges, GAO-14-436T (Washington, DC: March 12, 2014).\n---------------------------------------------------------------------------\nEnhancing the Sharing of Terrorism-Related Information\n    DHS has made significant progress in enhancing the sharing of \ninformation on terrorist threats and in supporting Government-wide \nefforts to improve such sharing.\\52\\ Our work on assessing the high-\nrisk area on sharing terrorism-related information has primarily \nfocused on Federal efforts to implement the Information Sharing \nEnvironment, as called for in the Intelligence Reform and Terrorism \nPrevention Act of 2004.\\53\\ The Information Sharing Environment is a \nGovernment-wide effort to improve the sharing of terrorism-related \ninformation across Federal agencies and with State, local, territorial, \nTribal, private-sector, and foreign partners. When assessing progress, \nwe review the activities of both the program manager for the \nInformation Sharing Environment--a position established under the 2004 \nAct with responsibility for information sharing across the Government--\nas well as efforts of DHS and other key entities, including the \nDepartments of Justice, State, and Defense, and the Office of the \nDirector of National Intelligence.\\54\\ Accordingly, DHS itself is not \non the high-risk list nor can DHS's efforts fully resolve the high-risk \nissue. Nevertheless, DHS plays a critical role in Government-wide \nsharing given its homeland security missions and responsibilities.\n---------------------------------------------------------------------------\n    \\52\\ Terrorism-related information includes homeland security, \nterrorism, and weapons of mass destruction information. See 6 U.S.C. \x06\x06 \n482(f)(1), 485(a)(1), (5)-(6).\n    \\53\\ See Pub. L. No. 108-458, \x06 1016, 118 Stat. 3638, 3664-70 \n(2004) (codified as amended at 6 U.S.C. \x06 485).\n    \\54\\ The Office of the Director of National Intelligence was \nestablished in 2004 to manage the efforts of the intelligence \ncommunity. See 50 U.S.C. \x06 3023. Its mission is to lead intelligence \nintegration and forge an intelligence community that delivers the most \ninsightful intelligence possible.\n---------------------------------------------------------------------------\n    Overall, the Federal Government has made progress in addressing the \nterrorism-related information-sharing high-risk area. As we reported in \nour February 2013 update, the Federal Government is committed to \nestablishing effective mechanisms for managing and sharing terrorism-\nrelated information, and has developed a National strategy, \nimplementation plans, and methods to assess progress and results. While \nprogress has been made, the Government needs to take additional action \nto mitigate the potential risks from gaps in sharing information, such \nas ensuring that it is leveraging individual agency initiatives to \nbenefit all partners and continuing work to develop metrics that \nmeasure the homeland security results achieved from improved sharing. \nWe are currently conducting work with the program manager and key \nentities to determine their progress in meeting the criteria since the \n2013 high-risk report.\nDHS's Role in the Sharing of Terrorism-Related Information\n    Separately, in response to requests from this committee and other \nCongressional committees, we have assessed or are currently assessing \nDHS's specific efforts to enhance the sharing of terrorism-related \ninformation. As discussed below, this work includes DHS efforts to: (1) \nSupport State and major urban area fusion centers,\\55\\ (2) coordinate \nwith other Federal agencies that support task forces and other centers \nin the field that share information on threats as part of their \nactivities, (3) achieve its own information-sharing mission, and (4) \nshare information related to the Department's intelligence analysis \nefforts.\n---------------------------------------------------------------------------\n    \\55\\ In general, fusion centers are collaborative efforts of two or \nmore agencies that provide resources, expertise, and information to the \ncenter with the goal of maximizing their ability to detect, prevent, \ninvestigate, and respond to criminal and terrorist activity. See 6 \nU.S.C. \n\x06 124h(j)(1). There are 78 fusion centers in the United States.\n---------------------------------------------------------------------------\n    Fusion centers.--A major focus of the high-risk area and \nInformation Sharing Environment has been to improve the sharing of \nterrorism-related information among the Federal Government and State \nand local security partners, which is done in part through State and \nmajor urban area fusion centers. DHS is the Federal lead for supporting \nthese centers and has made significant strides. For example, DHS has \ndeployed personnel to centers to serve as liaisons to the Department \nand help centers develop capabilities (such as the ability to analyze \nand disseminate information), provided grant funding to support center \nactivities, provided access to networks disseminating Classified and \nUnclassified information, and helped centers identify and share reports \non terrorism-related suspicious activities. DHS has been very \nresponsive to a recommendation in our 2010 report that calls for \nestablishing metrics to determine what return the Federal Government is \ngetting for its investments in centers.\\56\\ We have an on-going review \nof DHS's efforts to assess center capabilities, manage Federal grant \nfunding, and determine the contributions centers make to enhance \nhomeland security, and expect to issue a report later this year.\n---------------------------------------------------------------------------\n    \\56\\ GAO, Information Sharing: Federal Agencies Are Helping Fusion \nCenters Build and Sustain Capabilities and Protect Privacy, but Could \nBetter Measure Results, GAO-10-972 (Washington, DC: Sept. 29, 2010).\n---------------------------------------------------------------------------\n    Field-based entities that share information.--DHS is also taking \nsteps to measure the extent to which fusion centers are coordinating \nand sharing information with other field-based task forces and \ncenters--such as Federal Bureau of Investigation Joint Terrorism Task \nForces--and assess opportunities to improve coordination.\\57\\ In April \n2013, we reported that fusion centers and other field-based entities \nhad overlapping activities, but the agencies that support them had not \nheld the entities accountable for coordinating and collaborating or \nassessed opportunities to enhance coordination, and recommended that \nthe agencies develop mechanisms to do so.\\58\\ In response, DHS began \ntracking collaboration mechanisms, such as which fusion centers have \nrepresentatives from the other entities on their executive boards, are \ncolocated with other entities, and issue products jointly developed \nwith other entities.\n---------------------------------------------------------------------------\n    \\57\\ The five types of entities we reviewed are State and major \nurban area fusion centers, Joint Terrorism Task Forces, Field \nIntelligence Groups, Regional Information Sharing Systems Centers, and \nHigh-Intensity Drug Trafficking Area Investigative Support Centers. \nDHS, the Department of Justice, and the Office of National Drug Control \nPolicy oversee or otherwise support these entities.\n    \\58\\ GAO, Information Sharing: Agencies Could Better Coordinate to \nReduce Overlap in Field-Based Activities, GAO-13-471 (Washington, DC: \nApr. 12, 2013).\n---------------------------------------------------------------------------\n    DHS's efforts can help avoid unnecessary overlap in activities, \nwhich in turn can help entities leverage scarce resources. To fully \naddress our recommendation, however, the other Federal agencies must \ntake steps to better hold their respective field entities accountable \nfor such collaboration. In addition, these agencies must work with DHS \nto collectively assess Nation-wide any opportunities for field entities \nto further implement collaboration mechanisms.\n    DHS information-sharing mission.--In September 2012, we reported \nthat DHS had made progress in achieving its own information-sharing \nmission, but could take additional steps to improve its efforts.\\59\\ \nSpecifically, DHS had demonstrated leadership commitment by \nestablishing a governance board to serve as the decision-making body \nfor DHS information-sharing issues. The board has enhanced \ncollaboration among DHS components and identified a list of key \ninformation-sharing initiatives to pursue, among other things. We \nfound, however, that 5 of DHS's top 8 priority initiatives faced \nfunding shortfalls. We also reported that DHS had taken steps to track \nits information-sharing efforts, but had not fully assessed how such \nefforts had improved sharing. We recommended that DHS: (1) Revise its \npolicies and guidance to include processes for identifying information-\nsharing gaps; analyzing root causes of those gaps, and identifying, \nassessing, and mitigating risks of removing incomplete initiatives from \nits list, and (2) better track and assess the progress of key \ninitiatives and the Department's overall progress in achieving its \ninformation-sharing vision. DHS has since taken actions--such as \nissuing revised guidance and developing new performance measures--to \naddress all of these recommendations.\n---------------------------------------------------------------------------\n    \\59\\ GAO, Information Sharing: DHS Has Demonstrated Leadership and \nProgress, but Additional Actions Could Help Sustain and Strengthen \nEfforts, GAO-12-809 (Washington, DC: Sept. 18, 2012).\n---------------------------------------------------------------------------\n    Sharing intelligence analysis. We are finalizing a report on DHS's \nintelligence analysis capabilities, which are a key part of the \nDepartment's efforts in securing the Nation. Within DHS, the Office of \nIntelligence and Analysis has a lead role for intelligence analysis, \nbut other operational components--such as CBP and ICE--also perform \ntheir own analysis activities and are part of the DHS Intelligence \nEnterprise. Our report, expected to be issued later this month, will \naddress: (1) The extent to which the intelligence analysis activities \nof the enterprise are integrated to support Departmental strategic \nintelligence priorities, and are unnecessarily overlapping or \nduplicative; (2) the extent to which Office of Intelligence and \nAnalysis customers report that they find products and other analytic \nservices to be useful, and what steps, if any, the office has taken to \naddress any concerns customers report; and (3) challenges the Office of \nIntelligence and Analysis has faced in maintaining a skilled analytic \nworkforce and steps it has taken to address these challenges. We are \nplanning to make recommendations to help DHS enhance its intelligence \nanalysis capabilities and related sharing of this information.\\60\\\n---------------------------------------------------------------------------\n    \\60\\ The Office of Intelligence and Analysis' five customer groups \nare: (1) DHS leadership; (2) DHS operational components; (3) \nintelligence community members; (4) State, local, Tribal, and \nterritorial partners; and (5) private critical infrastructure sectors.\n---------------------------------------------------------------------------\n    Overall, DHS's continued progress in enhancing the sharing of \nterrorism-related information and responding to our findings and \nrecommendations will be critical to supporting Government-wide sharing \nand related efforts to secure the homeland.\n    Chairman McCaul, Ranking Member Thompson, and Members of the \ncommittee, this completes my prepared statement. I would be happy to \nrespond to any questions you may have at this time.\n\n    Chairman McCaul. Well, thank you, sir. We thank you for \nyour comments as well.\n    Chairman now recognizes Mr. Roth.\n\n STATEMENT OF JOHN ROTH, INSPECTOR GENERAL, U.S. DEPARTMENT OF \n                       HOMELAND SECURITY\n\n    Mr. Roth. Good morning, Chairman McCaul, Ranking Member \nThompson, and Members of the committee. Thank you for inviting \nme here today to discuss some of the high-risk areas that DHS \nfaces.\n    My testimony here today will focus on acquisition \nmanagement. In particular, as our work has shown, DHS is not as \neffective and efficient as it could be in this area. We find \nthat it stems from three main areas.\n    First, DHS's unique mission requires complicated \nacquisitions. Whether it is acquiring a fleet of helicopters, \nbuilding a border fence over hundreds of miles of varied \nterrain, integrating and managing systems from diverse legacy \nagencies, or purchasing technologically-complex airport \nscreening machines are, under the best of circumstances, high-\nrisk acquisitions.\n    Second, DHS, as has been noted this morning, is working \ntowards a transparent acquisition governance process, which if \nit is fully followed would lead to better and smarter \nacquisitions. Unfortunately, the DHS components engaged in the \nacquisitions often do not follow the DHS procurement policies, \nand DHS lacks a means to enforce compliance.\n    Third, components acquisition decisions often work against \nthe Department's stated goal of One DHS. DHS components, in a \nword, operate in a vacuum. They fail to take into account other \ncomponents' needs or they fail to leverage other assets or \nother acquisitions that are already underway.\n    We have done a number of audits that give examples of this. \nThose are in my written testimony. But I would like just to \ntalk about one single audit that we did with regard to using \nacquisitions to have One DHS.\n    DHS's stated goal is to ensure interoperability of \ncommunications. We want to make sure that the first responders \nand other law enforcement agencies--agents, particularly within \nDHS, can talk to each other through a common channel in the \nevent of a terrorist event or a crisis of some sort.\n    DHS has about 123,000 radio field users within eight \ndifferent components, and DHS has invested about $430 million \nin equipment, infrastructure, and other resources to ensure \ninteroperability.\n    We conducted an audit in late 2012 and asked 479 DHS field \nradio users to access and use the specified channel to \ncommunicate. Out of those 479 people we asked to do so, only a \nsingle user could use the common channel.\n    In other words, DHS had a failure rate of 99.8 percent. \nSeventy-two percent of the users didn't even realize that there \nwas--didn't even know the existence of a common channel. The \nremainder just couldn't find it. Of the radios we examined only \n20 percent of them were properly set up to use the common \nchannel.\n    This test happened 11 years after 9/11. Without an \neffective governing structure DHS cannot achieve its goal of a \nDepartment-wide radio interoperability. As we sit here today \nthe Department's plans to do so are still a work in progress.\n    In closing I would like to note that DHS has taken steps to \nimplement our recommendations and to progress towards a unity \nof effort. However, the Department is persistently challenged \nin acting in an integrated single entity.\n    This concludes my prepared statement. I am happy to take \nquestions from the committee. Thank you.\n    [The prepared statement of Mr. Roth follows:]\n                    Prepared Statement of John Roth\n                              May 7, 2014\n    Good morning Chairman McCaul, Ranking Member Thompson, and Members \nof the committee. Thank you for inviting me here today to discuss high-\nrisk areas at DHS identified by GAO.\n    In its report, High-risk Series: An Update (GAO-13-283, February \n2013), GAO identified high-risk areas in the Federal Government, \nincluding areas of particular concern at DHS. My testimony today will \nfocus on some high-risk areas that we also identified in our December \n2013 report, Major Management and Performance Challenges Facing the \nDepartment of Homeland Security (OIG-14-17), particularly in managing \nacquisitions.\n    Our work has shown that DHS' management of its acquisitions is not \nas effective and efficient as it could be. This problem stems from \nthree main issues:\n  <bullet> First, DHS' unique mission requires multi-faceted and \n        sophisticated acquisitions. Whether acquiring a fleet of \n        helicopters, building a border fence over hundreds of miles of \n        varied terrain, or integrating and managing systems from \n        diverse legacy agencies, DHS' requirements increase the \n        complexity and risk of its acquisitions.\n  <bullet> Second, DHS is working toward a transparent, authoritative \n        governing process--the Acquisition Life-cycle Framework (ALF)--\n        which, if fully implemented, would lead to better oversight and \n        guidance of acquisitions. Unfortunately, DHS components often \n        do not follow this governing process (or any other) in carrying \n        out their acquisitions, and DHS has had difficulty enforcing \n        compliance.\n  <bullet> Third, the components' acquisition decisions often work \n        counter to the Department's stated goal of ``One DHS.'' In \n        planning and managing acquisitions, components often operate in \n        a vacuum; they fail to take into account the needs of other \n        components or they fail to leverage other assets or \n        acquisitions already underway.\n    We have made recommendations to improve the efficiency and \neffectiveness of DHS' programs and operations, and DHS has taken some \nsteps to implement our recommendations. However, the Department \ncontinues to struggle with acting as an integrated, single entity to \naccomplish its mission.\n                           nature of the risk\n    Acquisition management at DHS is inherently complex and high-risk. \nIt is further challenged by the magnitude and diversity of the \nDepartment's procurements. In fiscal year 2013, DHS' Major Acquisition \nOversight List included 123 programs; 88 (72 percent) of the programs \nwere Level 1 or Level 2. Level 1 and Level 2 programs have life-cycle \ncosts of $300 million or more or have special Departmental interest. \nSome examples of Level 1 and Level 2 acquisitions include:\n  <bullet> The United States Coast Guard's HC-144A Maritime Patrol \n        Aircraft, a twin engine turboprop airplane designed for \n        superior situational awareness, a reduced workload, and \n        increased crew safety. Life-cycle cost estimate--$24.9 billion;\n  <bullet> U.S. Customs and Border Protection's (CBP) Automated \n        Commercial Environment, a system to enable CBP to interact, \n        manage, and oversee import and export data, and manage \n        custodial revenue and enforcement systems. Life-cycle cost \n        estimate--$4.5 billion;\n  <bullet> TSA's Screening Partnership Program, procures screening \n        services from private companies at TSA airports. Life-cycle \n        cost estimate--$2.4 billion;\n  <bullet> CBP's Mission Support Facilities to develop, plan, execute, \n        and sustain facilities and infrastructure inventory to support \n        CBP's Mission Support Offices Nation-wide. Facilities include \n        administrative offices, training centers, laboratories, and \n        warehouses. Life-cycle cost estimate--$2 billion;\n  <bullet> CBP's Integrated Fixed Towers, a system for automated, \n        persistent wide area surveillance to detect, track, identify, \n        and classify illegal entries. Life-cycle cost estimate--$842 \n        million.\n          combating the risk: acquisition management framework\n    Effective acquisition management requires careful planning and \noversight of processes, solid internal controls, and compliance with \nlaws and regulations. Acquisitions must be planned and managed through \ntheir entire life cycle to ensure that they are procured, deployed, and \nused efficiently and effectively.\n    DHS has developed a comprehensive acquisition framework of \npolicies, procedures, and entities to streamline its acquisition \npractices and ensure that procured goods and services meet mission \nneeds cost-efficiently. This system should lead to informed investment \ndecisions on goods and services that fulfill DHS' mission.\nAcquisition Phases\n    DHS has adopted the Acquisition Life-Cycle Framework (ALF), \ncomposed of the following four phases, to determine whether to proceed \nwith an acquisition:\n    1. Need--identify the need that the acquisition will address;\n    2. Analyze/Select--analyze the alternatives to satisfy the need and \n        select the best option;\n    3. Obtain--develop, test, and evaluate the selected option and \n        determine whether to approve production; and\n    4. Produce/Deploy/Support--produce and deploy the selected option \n        and support it throughout the operational life cycle.\n    Each phase of the ALF leads to an ``Acquisition Decision Event'' \n(ADE), a predetermined point at which the acquisition is reviewed \nbefore it can move to the next phase. The reviews are intended to \nensure alignment of needs with DHS' strategic direction and adequate \nplanning for upcoming phases.\n    The figure below shows the four phases of the ALF and each ADE. \n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    \nADE-0 Identify the need\nADE-1 Validate the need\nADE-2A Approve the program\nADE-2B Approve projects within the program\nADE-2C Approve low rate initial production\nADE-3 Approve full rate production and deployment\nADE 4* Project transition--a milestone unique to the Coast Guard, \nauthorizes the project to move to sustainment\n\n    The ALF is a rigorous, disciplined process designed to result in \ncost-efficient acquisitions that can meet the Department's needs and \nhelp accomplish its mission.\nAcquisition Entities, Policies, and Procedures\n    DHS' Office of Program Accountability and Risk Management (PARM) \nadministers the ALF and oversees all major DHS acquisitions. PARM \nreports directly to the under secretary for management and manages and \nimplements the Department's Acquisition Management Directive. PARM is \nalso responsible for independently assessing major investment programs \nand monitoring programs between formal reviews to identify issues.\n    DHS has established the following mechanisms to govern \nacquisitions:\n  <bullet> The Acquisition Review Board (ARB).--A cross-component board \n        composed of senior-level decisionmakers. The ARB determines \n        whether a proposed acquisition meets requirements and can \n        proceed to the next phase and eventual production and \n        deployment. Before every ADE, components must submit \n        acquisition documents to the ARB for review, including a \n        mission needs statement, capability development plan, and an \n        acquisition plan.\n  <bullet> Quarterly Program Accountability Report.--Provides a \n        comprehensive, high-level analysis of a program's vital signs \n        provided to DHS leadership, component acquisition executives, \n        and program managers.\n  <bullet> A Joint Requirements Council.--Reviews high-dollar \n        acquisitions and recommends savings opportunities to the ARB.\n  <bullet> Centers of Excellence.--Two have been set up under PARM: \n        Program Management Center of Excellence and Cost Estimating & \n        Analysis Center of Excellence. Leadership staff and subject-\n        matter experts at the centers provide proven practices, \n        guidance, and counsel on program management and cost estimating \n        and analysis.\n  <bullet> The Decision Support Tool.--A web-based central dashboard to \n        assess and track the health of major acquisition projects, \n        programs, and portfolios. The Department's goal is to improve \n        program accountability and make sound strategic decisions \n        throughout the life-cycle of major acquisitions.\n  <bullet> Comprehensive Acquisition Status Report.--Provides \n        information on the status of major acquisitions. Reports \n        include information such as the current acquisition phase, the \n        date of last review, life-cycle cost estimate, and key events \n        and milestones.\n  failing to follow the framework results in problematic acquisitions\n    However, as our work has shown, this process is not always \nfollowed. Several of our audits have highlighted DHS' challenge in \nestablishing an overarching structure that fully integrates the \ncomponents into overall governance, unified decision making, and \ncollective analysis.\nCBP's Acquisition of H-60 Helicopters\n    In May 2013, we issued DHS' H-60 Helicopter Programs (Revised) \n(OIG-13-89), which illustrates the risks of deviating from the ALF. \nAlthough the Department had some processes and procedures to govern its \naviation assets and provide oversight, the acquisition was not fully \ncoordinated and acquisition costs, schedules, and performance were not \ncontrolled.\n    CBP did not take into account guidance from the DHS Office of the \nChief Procurement Officer (OCPO) in its H-60 acquisition planning. In \n2007, CBP's Office of Air and Marine submitted its Congressionally-\nmandated acquisition plan, which outlined how its aviation assets and \nacquisitions would support its mission. CBP leadership approved the \nplan to acquire 38 new and converted medium-lift helicopters and \nsubmitted it to the DHS OCPO.\n    On March 3, 2008, OCPO expressed its concerns about the program in \na memo to CBP. According to OCPO, CBP needed to address substantive \nissues in the acquisition plan. CBP should have had two separate H-60 \nplans, and both should move independently through the acquisition \nreview process, including ARB review. OCPO was also concerned that \nCBP--\n  <bullet> Had not clearly defined the acquisition's period of \n        performance;\n  <bullet> Did not have a complete life-cycle cost estimate;\n  <bullet> Had not completed a cost-benefit analysis to compare \n        upgrading its existing fleet to purchasing new helicopters; and\n  <bullet> Had not used various contracting best practices.\n    Just 3 days after receiving the memo from OCPO, CBP nevertheless \ncontinued with the H-60 acquisition by signing an agreement with the \nU.S. Army.\n    In March 2010, the ARB concluded that both CBP and the Coast Guard \nwere pursuing H-60 conversions and directed the Coast Guard to \ncollaborate with CBP, report on possible helicopter program synergies, \nand present a joint review within 75 days. The Coast Guard was not able \nto complete the review because CBP did not provide the needed \ninformation.\n    Subsequent attempts to push the acquisition into the ALF failed.\n    We recommended that DHS direct CBP to apply all ALF requirements to \nall its aviation-related acquisitions. DHS concurred with this \nrecommendation, and CBP was directed to submit its plans to acquire \naviation assets to PARM. According to DHS, the ARB would review and \ndecide on CBP's aviation programs and projects as they progressed \nthrough the ALF.\nInformation Technology Investments\n    In August 2012, we issued CBP Acquisition of Aviation Management \nTracking System (Revised) (OIG-12-104). We reported that although CBP \nhad a joint strategy to unify its aviation logistics and maintenance \nsystem with those of the Coast Guard, it planned to purchase a new, \nseparate system. This system would not be coordinated with the Coast \nGuard's already operational system. We concluded that the acquisition \ndid not comply with the Secretary's efforts to improve coordination and \nefficiencies among DHS components. Acquiring the new system would also \nbe a continuation of components' past practices of obtaining disparate \nsystems that cannot share information. If CBP instead transitioned to \nthe Coast Guard's system, it would improve tracking of aviation \nmanagement and cost less than purchasing a new system.\nDHS Governance of Aviation Assets\n    DHS historically has had little formal structure to govern the \nDepartment's aviation assets and no specific senior official to provide \nexpert independent guidance on aviation issues to DHS senior \nmanagement. The Department has intermittently issued policies and \nestablished various entities to oversee its aviation assets and \noperations, but it has not sustained these efforts. For example, DHS \nset up an Aviation Management Council in 2005, but oversight was \ninconsistent, and the council stopped meeting in 2007. In 2009, \nDepartment-level oversight of DHS' aviation assets resumed. An Aviation \nIssue Team led by the Office of Program Analysis and Evaluation \nreviewed potentially co-locating component aviation facilities, finding \ncommonality in component aviation assets, and combining component \naviation-related information technology systems.\n    In 2011, the deputy secretary established an Aviation Working \nGroup, but the group did not have a charter, defined roles and \nresponsibilities, or an independent aviation expert. It collected data \non CBP and USCG missions, aircraft inventories, flight hours, and \naviation resources; reviewed components' funding plans and \nopportunities for joint acquisitions; and considered an organizational \nstructure for a Department-wide aviation office. However, according to \nsenior officials, without an authoritative expert, DHS was relying on \nunverified information from components to make aviation-related \ndecisions.\n    In addition to challenges in establishing a structure to govern \naviation assets, DHS has had difficulty bringing aviation-related \nacquisitions into the ALF. For example, CBP's Strategic Air and Marine \nPlan (STAMP) has an estimated life-cycle cost of about $1.5 billion. \nSTAMP encompasses all of CBP's aviation-related acquisitions used to \ndetect, interdict, and prevent acts of terrorism near and across or \nacross U.S. borders. CBP does not believe that STAMP should be subject \nto the ALF because the program existed before DHS established the \nframework. We contend (and have recommended) that individual programs \nand projects under STAMP should go through the ALF separately.\nUnmanned Aircraft\n    In CBP's Use of Unmanned Aircraft Systems in the Nation's Border \nSecurity (OIG-12-85, May 2012), we reported that CBP had not adequately \nplanned the resources needed to support its unmanned aircraft. CBP's \nplans to use the unmanned aircraft did not include processes to ensure \nthat: (1) Each launch and recovery site had the required operational \nequipment; (2) stakeholders submitted mission requests; (3) mission \nrequests were prioritized; and (4) it obtained reimbursement for \nmissions flown on stakeholders' behalf. Because these were not \nincluded, CBP risked having invested substantial resources in a program \nthat underutilized resources and limited its ability to achieve its \nmission goals. Specifically, our audit showed that CBP had not achieved \nits scheduled or desired levels of flight hours for the unmanned \naircraft. We estimated that 7 unmanned aircraft should support 10,662 \nflight hours per year to meet the minimum capability and 13,328 flight \nhours to meet desired capability. However, staffing and equipment \nshortages, coupled with FAA and other restrictions, limited actual \nflight hours to 3,909--37 percent of the unmanned aircraft's mission \navailability threshold and 29 percent of its mission availability \nobjective.\nCBP's Advanced Training Center Acquisition\n    In February 2014, we issued U.S. Customs and Border Protection's \nAdvanced Training Center Acquisition (OIG-14-47). We reported that CBP \ndid not effectively oversee and manage the fourth phase of the \nacquisition of its Advanced Training Center. Although not subject to \nthe ALF, CBP did not comply with Federal and Departmental regulations \ngoverning acquisitions. CBP did not develop and execute the $55.7 \nmillion agreement with its service provider, the U.S. Army Corps of \nEngineers, according to Federal, Departmental, and component \nrequirements. In particular, CBP did not develop, review, or approve a \nrequired independent Government cost estimate and acquisition plan \nprior to entering into the agreement. Key documentation supporting the \nagreement with the Corps of Engineers was either missing or incomplete. \nCBP also approved millions of dollars worth of contract modifications \nto the agreement without first ensuring the need and reasonableness of \nthe modifications. In addition, CBP improperly used reimbursable work \nauthorizations to transfer money for this project, as well as other \nconstruction projects. During our audit, CBP began taking action to \nensure future compliance with all statutory requirements; CBP concurred \nwith all our recommendations.\nTSA's Advanced Imaging Technology\n    We issued Transportation Security Administration's Deployment and \nUse of Advanced Imaging Technology (Revised) (OIG-13-120) in March \n2014. We reported that the Transportation Security Administration (TSA) \ndid not develop a comprehensive deployment strategy for using advanced \nimaging technology (AIT) units--procured at a cost of nearly $150 \nmillion--at airports. Because TSA did not have reliable data to \ndetermine whether the units were effectively deployed, TSA decision \nmakers could not implement efficiency improvements.\n    This occurred because TSA did not have a policy or process \nrequiring program offices to prepare strategic acquisition or \ndeployment plans for new technology that aligned with the overall goals \nof the Passenger Screening Program.\n    The AIT units did not undergo a stand-alone acquisition review, but \nwere instead reviewed as part of the Passenger Screening Program. \nBecause the AIT units met the Level 1 acquisition threshold, they \nshould have gone through all the steps required for that level. TSA \nshould also have developed a deployment strategy for the AIT units, but \nit only developed a deployment schedule.\n    Without documented, approved, and comprehensive plans, as well as \naccurate data on the use of AIT, TSA continued to screen the majority \nof passengers with walkthrough metal detectors. This potentially \nreduced AIT's security benefits, and TSA may have used resources \ninefficiently to purchase and deploy AIT units that were underused.\n            failing to use acquisitions to forge ``one dhs''\n    In addition to failing to manage high-risk acquisitions through a \ngoverning process, DHS acquisitions often miss opportunities to ensure \nDHS acts in a concerted and efficient manner. DHS has struggled to \nbecome fully integrated. With 22 components and a range of missions, \ncooperation, and coordination continue to be a challenge. The \nDepartment's structure sometimes leads to ``stovepiping''--components \noperating independently and management often not cooperating and \nsharing information to benefit ``One DHS.'' In an April 2014 memorandum \nfor DHS leadership, the Secretary reiterated the need to strengthen the \nDepartment's ``unity of effort.''\n    During our recent audits, we identified several programs in which \nthere was little or no cross-component coordination and communication \nand weak Department-level authority. These led to cost inefficiencies \nand ineffective program management. Therefore, we made recommendations \nto enhance collaboration to improve both efficiency and effectiveness \nand prevent waste and abuse.\nDHS Radio Equipment Program\n    DHS manages about 197,000 pieces of radio equipment and 3,500 \ninfrastructure sites, with a reported value of more than $1 billion. We \nissued a pair of reports that highlighted the problematic nature of \nsome of the acquisition processes for communications equipment.\n    In one of our audits, DHS' Oversight of Interoperable \nCommunications (OIG-13-06, November 2012), we tested DHS radios to \ndetermine whether DHS components could talk to each other in the event \nof a terrorist event or other emergency. They could not. Only 1 of 479 \nradio users we tested--or less than one-quarter of 1 percent--could \naccess and use the specified common channel to communicate. Further, of \nthe 382 radios tested, only 20 percent (78) contained all the correct \nprogram settings for the common channel. In other words, DHS components \ncould not talk to each other using $430 million worth of radios \npurchased nearly a decade after the 9/11 Commission highlighted the \nproblem. They could not do so because DHS did not establish an \neffective governing structure with the authority and responsibility to \nensure it achieved Department-wide, interoperable radio communications. \nWe also reported that without an effective governing structure and a \nconcerted effort to attain interoperability, the Department's progress \nwould remain limited.\n    DHS' plans to achieve interoperability are still in progress. The \nDepartment has drafted, but not finalized, a DHS Communications \nInteroperability Plan; it has extended the date of signature from April \nto September of this year.\n    In August 2013, we issued DHS Needs to Manage Its Radio \nCommunication Program Better (OIG-13-113). We reported that without \nsound investment decisions on radio equipment and supporting \ninfrastructure, DHS could not effectively manage its radio \ncommunication program. DHS had not implemented a governance structure \nwith authority to establish policy, budget and allocate resources, and \nhold components accountable for managing radio programs and related \ninventory. Components were still independently managing their current \nradio programs with no formal coordination with the Department. They \nused different systems to record and manage personal property inventory \ndata, including radio equipment. The components' inventory data also \nindicated they did not record radio equipment consistently in personal \nproperty systems. As a result, DHS was making management and investment \ndecisions for the radio communication program using inconsistent, \nincomplete, and inaccurate real and personal property data.\n    We concluded that a Department-wide inventory would help DHS \nprioritize its needs, plan its investments, and help plan future \nacquisitions and manage communication networks. DHS also needs a strong \ngovernance structure over its radio communication program. Thus, we \nrecommended that the Department develop a single portfolio for radio \nequipment and infrastructure and establish a Department-level point of \naccountability. In response to our recommendations, DHS said that \nbecause of budget constraints, it would include a time line and \nresources for portfolio management in its fiscal year 2016 Resource \nAllocation Plan. The Department was collecting data to develop a single \nprofile of assets, infrastructure, and services; reviewing existing \npolicies and procedures; and planning to revise its personal property \nmanual by June 30, 2014.\nCross-Border Tunnel Program\n    In our audit of CBP's and U.S. Immigration and Customs \nEnforcement's (ICE) efforts to monitor and detect illegal cross-border \ntunnels (CBP's Strategy to Address Illicit Cross-Border Tunnels, OIG-\n12-132, September 2012), we reported that although CBP is creating a \nprogram to address capability gaps in countering the cross-border \ntunnel threat, it had not demonstrated how its detection strategy would \nconsider ICE's needs.\n    CBP and ICE need coordination and oversight in developing these \ntechnologies because the Border Patrol's mission objective is to \nprevent illegal traffic from crossing the border while ICE's objective \nis to investigate and dismantle criminal organizations.\n    Without taking into account both components' needs, the Department \nrisks not being able to disrupt criminal organizations that engage in \ncross-border smuggling. We made recommendations to improve \nconsideration of CBP's and ICE's needs and to improve DHS' coordination \nand oversight of counter-tunnel efforts.\n    CBP took action on our recommendations, including formation of an \nIntegrated Product Team, which includes relevant stakeholders. It also \nplanned to draft required acquisition planning documents and submit the \nprogram to the ARB.\nAviation\n    Our audit of CBP's H-60 helicopter program showed that CBP did not \nproperly oversee and manage the conversion and modification of its H-60 \nhelicopters, which affected the cost-effectiveness and timely delivery \nof the converted and modified \nH-60s. We noted that increased cooperation between CBP and the Coast \nGuard in managing the conversion and modification of its H-60 \nhelicopters would reduce redundancies and potentially save millions of \ndollars. Specifically, if CBP were to complete the conversions and \nmodifications at a Coast Guard facility, it would save about $126 \nmillion and H-60s would fly 7 years sooner. The Department's own \nindependent study confirmed that CBP would realize substantial savings \nby using the Coast Guard facility. Specifically, DHS estimated CBP \ncould save at least $36 million and as much as $132 million in the cost \nof conversion alone. According to DHS, it could not be more precise \nbecause CBP did not provide sufficient data.\n    Mr. Chairman, this concludes my prepared statement. I welcome any \nquestions you or other Members of the committee may have.\n                                Appendix\nMajor Management and Performance Challenges Facing the Department of \nHomeland Security, OIG-14-17, December 2013\nIndependent Auditors' Report on DHS' FY 2013 Financial Statements and \nInternal Control over Financial Reporting, OIG-14-18, December 2013\nDHS' H-60 Helicopter Programs (Revised), OIG-13-89, May 2013\nU.S. Customs and Border Protection's Management of the Purchase and \nStorage of Steel in Support of the Secure Border Initiative, OIG-12-05, \nNovember 2011\nTransportation Security Administration's Deployment and Use of Advanced \nImaging Technology, OIG-13-120, March 2014\nDHS Needs to Manage Its Radio Communication Program Better, OIG-13-113, \nAugust 2013\nUnited States Customs and Border Protection's Radiation Portal Monitors \nat Seaports, OIG-13-26, January 2013\nDHS' Oversight of Interoperable Communications, OIG-13-06, November \n2012\nCBP's Strategy to Address Illicit Cross-Border Tunnels, OIG-12-132, \nSeptember 2012\nCBP's Use of Unmanned Aircraft Systems in the Nation's Border Security, \nOIG-12-85, May 2012\nUnclassified Summary of Information Handling and Sharing Prior to the \nApril 15, 2013 Boston Marathon Bombings, April 10, 2014\nDHS Uses Social Media to Enhance Information Sharing and Mission \nOperations, But Additional Oversight and Guidance Is Needed, OIG-13-\n115, September 2013\nDHS Can Make Improvements to Secure Industrial Control Systems, OIG-13-\n39, February 2013\nCBP's and USCG's Controls Over Exports Related to Foreign Military \nSales, OIG-13-118, September 2013\nU.S. Customs and Border Protection Has Taken Steps to Address Insider \nThreat but Challenges Remain, OIG-13-118, Redacted, September 2013\nDHS Needs to Strengthen Information Technology Continuity and \nContingency Planning Capabilities, OIG-13-110, Redacted, August 2013\nDHS Can Take Actions to Address its Additional Cybersecurity \nResponsibilities, OIG-13-95, June 2013\nDHS' Efforts to Coordinate the Activities of Federal Cyber Operations \nCenters, OIG-14-02, October 2013\nHomeland Security Information Network Improvements and Challenges, OIG-\n13-98, June 2013\n\n    Chairman McCaul. Thank you, Mr. Roth.\n    The Chair now recognizes himself for 5 minutes.\n    Mr. Mayorkas, let me first commend you for the clean audit, \nfor getting more items off the high-risk list, for your efforts \nin DHS acquisition. The memo that came out recently by you and \nthe Secretary actually mirrors our legislation that we passed \nunanimously out of committee. So I do commend you for that.\n    But I do have to raise an issue that happened last Thursday \nwhen the Secretary of Homeland Security placed the former \nacting inspector general, Mr. Edwards, under leave after a \nSenate report came out alleging among other things that Mr. \nEdwards intentionally changed and withheld information in some \nIG reports to accommodate the administration's political \nappointees, and that he sought outside legal advice, \ncompromising the IG's independence.\n    Now, I don't know if these allegations are accurate. But if \nthey are, this is the internal watchdog. This is sort-of like \nthe old adage the fox guarding the henhouse.\n    I know you are concerned about this, as I am. But can you \ntell me, has the Department launched an investigation into \nthese allegations?\n    Mr. Mayorkas. Thank you very much, Mr. Chairman. I would \nlike to make two points in response to your very important \nquestion, one specific to the announcement to which you refer \nlast Thursday.\n    That is that the Secretary took swift and strong action in \nplacing the former inspector general on administrative leave, \nand made the very important point that as additional facts are \nlearned, appropriate action will be taken. So this is a matter \nthat is under process. I don't think it would be appropriate \nfor me to speak in more depth about a personnel matter.\n    The overarching point that I would like to make is the \nfollowing, and it is a very simple but a very important \nmessage. That is that the highest degree of ethics and \nintegrity are conditions of employment in the Department of \nHomeland Security.\n    Chairman McCaul. So after this came out the Secretary \nplaced him on administrative leave and the inspector general \nhas been tasked to investigate the current inspector general, \nwho is with us today. Is that correct or not?\n    Mr. Mayorkas. I am actually not certain as to who is \nconducting that investigation, Mr. Chairman. Perhaps my \ncolleagues here know.\n    Chairman McCaul. Leads me to my next question. Mr. Roth, \nare you investigating these allegations?\n    Mr. Roth. We are not. What we have is within the Inspector \nGeneral Act a process by which allegations against either the \ninspector general or people within reporting to the inspector \ngeneral, allegations with regard to misconduct get \ninvestigated.\n    There is the entity called the Committee of IGs for \nIntegrity and Efficiency that has a special investigative \ncommittee. They have received a complaint--a series of \ncomplaints really, with regard to the former acting inspector \ngeneral.\n    That has now been farmed out to a different inspector \ngeneral to ensure objectivity and you know to ensure that it is \nan independent and objective review of that. My understanding \nis that that investigation is being conducted by the inspector \ngeneral from the Department of Transportation.\n    Chairman McCaul. Because these allegations are so serious \nthe decision was made not to go with the IG within DHS, but \nrather farm it out to the IG at the Department of \nTransportation.\n    Mr. Roth. That is correct. Again, we followed the Inspector \nGeneral Act, which basically dictates how these things should \nwork.\n    Chairman McCaul. I mean does it concern you about these \nallegations involving allegations out of Cartagena with the \nSecret Service, or a report for $650,000 that was never \ndisclosed on accountability and risk management?\n    Mr. Roth. It deeply concerns me. Essentially the morning \nafter I read the report I ordered that those reports be taken \ndown from our public website.\n    I have tasked a senior lawyer from our Office of General \nCounsel, that is our Office of General Counsel, not the \nDepartment's Office of General Counsel, to conduct an internal \ninvestigation to talk to the career auditors who actually \nresearched and wrote those reports to find out exactly what was \nchanged, why it was changed, to restore those reports to its \noriginal condition and then repost it and report the results of \nit, not only to the committee but to the public.\n    Chairman McCaul. Well, we look forward to hearing the \nresults of that investigation. I also appreciate your testimony \nabout the lack of interoperability at a 99.8 percent failure \nrate, which is astounding to me.\n    The final question to Mr. Dodaro, and that is you mentioned \ninformation sharing with respect to terrorism threats and \ncybersecurity, two issues very important to me and to this \ncommittee. After the Boston report have you done an analysis of \nthe failure of information sharing?\n    Mr. Dodaro. No, we have not been asked to take a look at \nthat particular situation.\n    Chairman McCaul. But you still mention that is high-risk in \nthe DHS list.\n    Mr. Dodaro. Oh yes, definitely. It looks at not only DHS \nbut the five other--or four other agencies that are involved. \nIt is a Government-wide high-risk designation in terms of \ninformation sharing.\n    DHS is an important part of it. But we do look at the \nprogram manager at the DNI, the Director for National \nIntelligence, as well as the coordination with the Treasury and \nJustice and DHS.\n    Chairman McCaul. Of course we know the inspector generals \nfor the ICE and Department of Justice and DHS all came out with \ntheir report, which was, I think, a very candid assessment \nabout what happened that day and what failed that day.\n    With that, the Chairman now recognizes the Ranking Member.\n    Mr. Thompson. Thank you, Mr. Chairman.\n    Following that line of questions from the Chairman, Mr. \nDodaro, do you foresee any time in the near future that DHS \nwill get off the high-risk list?\n    Mr. Dodaro. I think there is ample opportunity for \ncontinued progress. They need to meet the criteria for coming \noff the list, particularly getting another year of a clean \nopinion on the financial statements, but also on internal \ncontrols.\n    There is a statutory requirement that they have an opinion \non internal controls, which is rather unique in the Federal \nGovernment, but nonetheless it is there and their current time \nframe for doing that and modernizing their financial systems is \n2016 and beyond.\n    They need to also demonstrate that they need to--that they \ncan bring some of these acquisitions in within budget, \nscheduled on time and deliver a functionality that was \noriginally intended by those acquisitions.\n    So you know those are only two areas. I mean there are \nmilestones within the other ones as well. So I think it is \nachievable in a relatively short-term, but it is going to take \na while to actually produce these results.\n    I am committed to working with the Department \nconstructively. But I am not going to take anything off the \nhigh-risk list until the problems have been resolved.\n    Mr. Thompson. Well, you referenced some material weaknesses \nwithin Coast Guard, FEMA, ICE, and CBP. What has been the \nresponse from those agencies when you shared those weaknesses \nwith them?\n    Mr. Dodaro. They have listened to what we have had to say. \nBut there needs to be agreement not only in the Department--\nwithin the components, excuse me, but also at the Department-\nwide level.\n    I mean part of the time that has been lost there in the \nfinancial management systems, which is what I was specifically \ntalking about, is the Department pursued two efforts at least \nto have a Department-wide financial management system. Both of \nthose efforts failed. Now they have tried to have a component-\noriented approach to doing this, which can work, but it needs \nto have Department leadership.\n    So we are going to be looking more carefully at this \nfinancial management modernization effort that they have under \nway. But it is still in its early stages. FEMA is the one that \nis furthest behind.\n    Mr. Thompson. To the extent, Mr. Roth, you kind-of \nhighlighted some of this in terms of the acquisitions and other \nthings we have experienced within DHS. Explain what--you said \nthat somehow DHS is in charge but that the components don't \nfollow the regulations.\n    I think you were saying we have DHS up here and we have got \nthese other people under here and the people down here kind-of \ndo what they want to do. The people up top just kind-of observe \nthem. So, who is really in charge?\n    Mr. Roth. That is exactly the issue that we see. I mean \nright now the Department has something called the Acquisition \nLife-Cycle Framework, which is a, sort-of a framework that is \nthere to ensure that acquisitions are well thought-out, that \nthere are trigger points for review by high-level Department \nofficials to ensure that we are spending money in the right \nway.\n    It is a good program. It is run by the under secretary for \nmanagement in a group called the Program Accountability and \nRisk Management Section within the under secretary's office. It \nworks when it is used because it is deliberate. It is \nobjective. It allows money to be spent in the right way.\n    The difficulty is it was only set up in 2011. So you have \nsome of these very high-dollar acquisitions.\n    For example, the Customs' Air and Marine program, basically \nthe ships and the helicopters and the airplanes that Customs \npurchases, all high-risk acquisitions, all big-dollar \nacquisitions, something like $1.5 billion life-cycle costs for \nthese things, are not part of that system because they pre-\nexisted.\n    What we believe ought to happen is that the leadership, the \nSecretary and the deputy secretary need to, candidly, be firmer \nwith the components to ensure that these kinds of acquisitions \nget forced into the framework that DHS has set up.\n    Mr. Thompson. I yield back.\n    Chairman McCaul. Chairman recognizes Dr. Broun from \nGeorgia.\n    Mr. Broun. Thank you, Mr. Chairman.\n    Let me wish Mr. Dodaro a happy birthday myself too. So I \nhope you have a great day, sir. It is a great way to spend it \nis with us.\n    Mr. Dodaro. Well, I am ending it on the Senate.\n    Mr. Broun. Well, I wish you well over there too. I think we \nare nicer than they are over there.\n    But my first question to you guys is that we have, as \nMembers of this committee, struggled with the jurisdiction \nissues. It seems to me that when any entity has multiple bosses \nthen they have absolutely nobody in charge and no true boss.\n    I am concerned about where we are going. We look at the \nhigh-risk issues and what is happening with acquisition and \nwith cybersecurity and with all the other areas that you all \nhave brought forward as being problem areas.\n    I will start with Mr. Dodaro. Would you comment as to the \nissue of jurisdiction? Is this--is jurisdictional problems part \nof why the DHS is struggling so much and has all these high-\nrisk areas? If so, what would you recommend? How would you \nrecommend to rectify that?\n    Mr. Dodaro. I don't believe jurisdictional issues are a \nfactor in these high-risk designations, particularly with \nmanagement functions within the Department. I think it is just \na matter of the Department having to get the processes in place \nand execute properly.\n    I mean in many cases they have the right policies in place. \nThey are just not executing them appropriately. It is just a \nmatter of the Department having to work more to provide \nguidance to the components and use the power of the purse, if \nyou will, to not let them spend money unless they have approved \nbaselines for acquisitions and they have done proper testing.\n    I mean they shouldn't be able to move forward without that. \nI mean the prescription for success in this area is very clear \nin following best practices. But they are just not following \nit.\n    You could--you know, the jurisdictional issues I don't \nbelieve are at play here. It is just a manner of good \nmanagement and follow-through and discipline.\n    Mr. Broun. So this is a management problem then within the \nDepartment itself?\n    Mr. Dodaro. Yes, for the management areas on the high-risk \nlist definitely.\n    Mr. Broun. How far up the chain does that go as far as \nmanagement problems?\n    Mr. Dodaro. Well, I think it goes to the highest levels in \nthe----\n    Mr. Broun. As far as the Secretary?\n    Mr. Dodaro. Yes. I think everybody has to be engaged. I \nthink the Secretary's memo that he just announced in April to \nhave more integrated planning and budgeting and requirements \nmanagement and putting structures in place in the environment \nthat work effectively would be a great step forward if they can \nget that done.\n    Now, in the other areas in the cybersecurity and the \ninformation-sharing area, those are Government-wide high-risk \nareas. So the Department itself can't address those issues.\n    Theirs were I don't think jurisdictional issues at play, \nbut it requires broader oversight by the Congress because it is \na Government-wide area. Those areas I think some joint hearings \nand some other efforts with other committees that have \nresponsibility, and the House and Senate working together would \nbe helpful, particularly in passing legislation, which we have \ncalled for to clarify DHS's role and responsibilities as it \nrelates to Federal oversight of computer security and critical \ninfrastructure protection.\n    There I think you need more parts of the Congress working \ntogether to help DHS get the proper authorities in place.\n    Mr. Broun. Well, you say it is a Government-wide problem \nand overall in some of those areas. But that is not an excuse \nthough that one department, DHS, which we have jurisdiction \nover shouldn't be solving that problem. Is that correct?\n    Mr. Dodaro. Oh, that is absolutely correct. We have been \nlooking at whether DHS even within the Department is sharing \ninformation. We have a report that will be coming out soon on \nthe Office of Intelligence Analysis as to whether or not DHS, \nwithin its own organization, is sharing information properly. \nThat is exactly right, Congressman Broun.\n    Mr. Broun. Mr. Roth, do you have any comment on acquisition \njust very quickly? I have got 30 seconds left to my time. So if \nyou would be expeditious in your answer.\n    Mr. Roth. I think Mr. Dodaro summed it up. We know what to \ndo. We know the process that can be used to make smarter, \nbetter acquisitions. The question is forcing the components to \nfollow that process.\n    Mr. Broun. This is a long-standing problem. This is not \njust with this current Secretary or the past Secretary. It has \nbeen really ever since it has been stood up is my \nunderstanding. Is that correct?\n    Mr. Roth. That is correct. Again, this process was only \nstood up in 2011 to try to integrate everything under the under \nsecretary.\n    Mr. Broun. Very good. Thank you, Mr. Chairman. My time is \nexpired.\n    Chairman McCaul. Thank you. Just to follow up my \ncolleague's comments, when we are talking about jurisdiction \nthough in the Congress, not within the Department but within \nthe Congress, when the Secretary has to report to over 100 \ncommittees and subcommittees, doesn't that detract from the \ncore mission of protecting the American people, Mr. Dodaro?\n    Mr. Dodaro. Well, we have not looked at that issue. But it \nis not uncommon in many departments and agencies for the \nDepartment of Defense, for example, to have multiple committees \nto report to.\n    I think early on, and I am going back to the creation of \nthe Department, there wasn't enough transparency in working \nwith the Congress and having open communication. That I think \nfostered a set of relationships that have to be overcome, and \nare being overcome over a period of time.\n    So I think if there was more transparency and the \nDepartment was actually producing the plans, the jurisdictional \nissues wouldn't be as acute as they have been because of that I \nwould say getting off on the wrong foot in its relationship \nwith the Congress.\n    Chairman McCaul. Well, again, this is not an issue I fault \nthe Department on. I actually fault the Congress on this one \nbecause we can't pass any legislation without multiple \nreferrals to multiple committees.\n    It becomes dysfunctional within the Congress. Then it takes \ntime and attention away from senior leadership that need to be \ndoing their job to report to over 100 committees and \nsubcommittees. The Aspen Institute came out with a report \ntalking about it.\n    We need to--it was one of the top recommendations of the 9/\n11 Commission was to have the DHS report to a single oversight \ncommittee. That recommendation has never been followed by \nCongress. I think we need to change that.\n    I am a little disappointed in the answer. I think Mr. \nMayorkas may disagree with you on that. Do you?\n    Mr. Mayorkas. Mr. Chairman, I think the Secretary has \naddressed you and other Members of the Congress expressing his \ndeep concern with respect to the jurisdictional issue and the \nposition it places the Department in.\n    Chairman McCaul. It detracts from the core mission. With \nthat, the Chairman now recognizes Mr. Richmond from Louisiana.\n    Mr. Richmond. Thank you, Mr. Chairman.\n    Mr. Dodaro, now I want to talk about the National Flood \nInsurance Program. I see that you have made several comments or \nrecommendations regarding it. Do you have any concerns that \ntheir current capacity or these notations that you made will \naffect their implementation of the new Homeowner Flood \nInsurance Affordability Act?\n    Mr. Dodaro. I think there are a number of recommendations \nthat we have made, for example in modernizing their claims \nmanagement system that need to be put in place. The \nimplementation of the Act will be a new challenge for them that \ncould detract from some of the implementation of these \nrecommendations.\n    But I think it is very important for them to continue their \nefforts to modernize the claims system and oversee the \ncontractors that write the policies for the Flood Insurance \nProgram.\n    Mr. Richmond. Well, that is exactly where I wanted to go \nbecause you used the term the reasonableness of compensation to \nthe insurance companies that sell and service most of the NFIP \npolicies. Do we think their compensation is on the unreasonable \nside in terms of high or low? Or is it something that we need \nto look into?\n    Mr. Dodaro. You definitely need to look into that issue. I \nmean I think that that is an important question and that is \nsomething that we think requires more oversight and whether or \nnot the compensation is appropriate.\n    Mr. Richmond. Our numbers, and I don't know if your numbers \nwould say the same things, in that through the life of the \nFlood Insurance Program that the amount of money in premiums \nthat have gone in almost equals the amount of money that is \ngoing out, except that you have all the administrative expenses \nthat any insurance company would have.\n    But everywhere we can reduce those administrative costs or \nthe costs that the insurance companies are charging for either \nservicing or the commissions that they receive, we make the \nprogram more stable. We can directly save the taxpayers money \non those. Have you looked at----\n    Mr. Dodaro. Yes. I think the administrative costs need to \nbe under constant review to make sure that they are at the \nminimum necessary to operate the program. However, the premiums \nin our opinion have not been sufficient to cover the costs of \nthe programs.\n    I mean currently the National Flood Insurance Program owes \nthe Treasury $24 billion and hasn't made a principal payment \nsince 2010 on that issue. So it is not really actuarially sound \ngoing into the future. So that is one of the reasons it is on \nthe high-risk list.\n    Mr. Richmond. Right. I don't think that we will ever get to \nactuarially sound and maintain a sense of affordability for the \n5 million homeowners who participate in the program.\n    But I think the goal should be that where we can save money \nwe should save money. Where we can be more efficient we should \nbe more efficient. So that is my concern when we talk about the \nefficiency of the management of the program and making sure \nthat the people who service the program are being as efficient, \nand we are very diligent in terms of what we are paying them.\n    So the other thing you mentioned was the debt management \nand how that could offer us some cost savings.\n    Mr. Dodaro. Well, I think it is important that they figure \nout how to both build a reserve for the future potential cost, \nbut also how to figure out how to repay the Treasury Department \nfor the amount of money that they owe. That is going to be a \ntall order for them given the current statutory framework on \nwhich they have to operate under.\n    So I think additional action will be needed by the Congress \nto help them in order to put the program on a firmer financial \nfooting.\n    Mr. Richmond. Then I guess we can have the whole \nphilosophical debate. But we have to get it on firm financial \nfooting. But actuarial rates is probably not the way to do it \nconsidering that many of these homes were built before there \nwas a requirement for flood insurance. To go back and change it \nin our area we saw rates increasing from $500 and $600 to \n$10,000 a year, which will cause another mortgage collapse and \nall of those things.\n    Mr. Dodaro. So I agree with you. I think--I mean there has \nto be a balance between affordability and fiscal responsibility \nand accountability and in this case transparency because if the \nhomeowners aren't paying for the insurance that means the \ngeneral taxpayers are. It is not really clear what the \nsubsidies are. I am particularly concerned about the future.\n    We have put also on the high-risk list limiting the Federal \nGovernment's exposure by better managing climate change risks. \nWith the potential for climate change and other additional \nissues in the offing, I mean this program is one that requires \nI think constant scrutiny and more transparency about who is \npaying for what in the program.\n    But I agree with you, affordability has to be a policy \npriority.\n    Mr. Richmond. Mr. Chairman, I see my time is expired. I was \njust going to ask Mr. Mayorkas if he had a response. I am not \nrequiring one.\n    Mr. Mayorkas. I do not. I do not, Mr. Congressman.\n    Mr. Richmond. Thank you, Mr. Chairman. Yield back.\n    Mr. Mayorkas. Mr. Chairman, may I make a point if I may, \neven though there is no question pending to me I feel compelled \nto share something with the committee because my colleagues \nhave expressed concern that components do not necessarily \nfollow the direction that a best practice would require to \naddress a management challenge.\n    I think it is very important to communicate to this \ncommittee very clearly to ensure that there is no misimpression \nthat the components are willfully disobeying guidance. It is \nnot an issue of that. But it is rather an issue of putting the \nstructures and the mechanisms in place to drive everyone in the \nsame direction and to ensure a disciplined and rigorous \nadherence to best practices. It is really a matter of \naccountability.\n    I know there was a reference made that we don't have \nappropriate accountability mechanisms in place, and I would \nrespectfully disagree with that. Quite frankly, if there is a \nfailure of a component to adhere to a best practice in the \nservice of addressing a management challenge, I am ultimately \naccountable for that.\n    Of course the Secretary is. But I am overseeing the \nmanagement of the Department on behalf of the Secretary, and \nthat accountability regime rests with me.\n    Chairman McCaul. Well, I appreciate you taking \nresponsibility for that. I hope to see some good results.\n    Chairman recognizes Mr. Duncan.\n    Mr. Duncan. Thank you, Chairman, for this valuable hearing \ntoday. I want to thank the panelists for the comments that they \nmade about H.R. 4228 and the acquisition reform bill.\n    You know the goal is to improve discipline accountability \nand transparency and acquisition program management and a lot \nof things that I am hearing on all the topics today come down \nto just those basic disciplines of doing best practices and all \nof the acquisition reform.\n    So I heard Secretary--I mean Comptroller Dodaro say this. \nBut deputy secretary, have you had a chance to review H.R. \n4228?\n    Mr. Mayorkas. I have, sir.\n    Mr. Duncan. Okay. Do you believe it will aid DHS in \naddressing acquisition management challenges?\n    Mr. Mayorkas. I do, sir. I should inform you and this \ncommittee that in reviewing the proposed legislation that this \ncommittee passed I have drawn some practices that we should \nadopt and not await the passage of the legislation.\n    Mr. Duncan. Thank you. I agree. Whether we have to have \nCongressional legislation passed or not it is the right thing \nfor the Department to do. I think the Secretary agrees with us \nas well. So thanks for saying that.\n    With the most recent GAO high-risk report citing the \nDepartment's continued management challenges, and with our \ncountry being $17.5 trillion in debt, do you think it is wise \nfor DHS to continue to spend scarce spending on unnecessary \ngreen initiatives and costly renovations on a project such as \nSt. Elizabeth's that won't be complete until 2026, and will \ncost the American taxpayer about $4.5 billion or more, deputy \nsecretary?\n    Mr. Mayorkas. Mr. Congressman, as a general principle of \ncourse no expenditure of funds should be permitted that does \nnot yield an effective and efficient delivery of service on \nbehalf of the American people.\n    The Secretary is reviewing the St. Elizabeths project, and \nwe are as a Department with all components involved taking a \nlook at what our resource investment should be in light of the \ncost and our current budget environment. It was as recently as \nyesterday that all the components met with the Secretary and me \non that very subject.\n    Mr. Duncan. Well, I think that is great. I appreciate the \nSecretary reviewing that. I just don't believe that--you know \nin a utopian society rainwater flush toilets are awesome.\n    But when you are $17.5 trillion in debt and you are \naccountable to every taxpayer dollar, I think you need to start \nquestioning that and maybe the use of the hardest wood from \nBrazil for the decking when you could use a composite material \nthat will last just as long and save the taxpayer dollars. So I \nappreciate your efforts and I look forward to that.\n    I ask the comptroller general about St. Elizabeths and the \ncost overruns. I know GAO has looked at that. Do you care to \ncomment on saving taxpayer dollars and that?\n    Mr. Dodaro. Well, certainly we support the effort to do any \nprogram activity at the least cost possible. We are currently \nlooking at the St. Elizabeths situation and we will be happy to \nshare our report with this committee as soon as it is complete.\n    Mr. Duncan. We look forward to that as well.\n    So deputy secretary, given the large number of programs \nstill lacking Department-approved documents and experiencing \ncost overruns and schedule delays, what do you believe is the \nbiggest challenge with regard to the high-risk list, the \nbiggest challenge in doing effective oversight of DHS major \nacquisition programs?\n    Throw out some challenges that you have got. There might be \nanother nugget in there that we can pursue from the \nCongressional side.\n    Mr. Mayorkas. Thank you, Mr. Congressman. I think that my \ncolleagues Mr. Dodaro and Mr. Roth have identified issues with \nrespect to our acquisition program.\n    The Secretary, through the Unity of Effort memorandum that \nhe issued, to which the Chairman referenced, puts in place a \nstructure to drive better acquisition oversight and management. \nI lead under the Unity of Effort, a paradigm, I lead the \ndeputy's Management Action Group where we are all--components \nand headquarters--together in ensuring that capabilities are \nidentified, the needs are properly identified.\n    The gaps are therefore disclosed. We don't close those gaps \nwithout establishing effective requirements, understanding our \nbudget constraints, being effective and efficient in the use of \nour money, and ensuring that the delivery of service takes all \nof those factors into account.\n    Mr. Duncan. I am about out of time. I will say that \nhearings like this are refreshing.\n    What I am hearing from all the gentlemen is that it seems \nthat the Department is moving in the right direction. I would \nattribute the Chairman's leadership and this committee for \nhelping nudge the Department in the right direction with regard \nto acquisition management and addressing a lot of the concerns \nthat were brought about by the gentleman from Louisiana and the \ngentleman from Georgia.\n    So I want to applaud the Department for continuing to move \nin that direction. I can tell you we are going to be right \nbehind you to make sure that the trend continues.\n    With that, Chairman, I yield back.\n    Chairman McCaul. We also commend your leadership as \nChairman of the Oversight Subcommittee. You have done a \nfantastic job.\n    Chairman recognizes Mr. O'Rourke from Texas.\n    Mr. O'Rourke. Thank you, Mr. Chairman. I would like to \npresent the panel with two current acquisition projects and \nthen get your comments.\n    The first is one that we had a hearing on within the last \nmonth, the Arizona Border Surveillance Technology Plan, which \nessentially would spend between $500 million to $700 million to \nput a series of fixed towers along the Arizona-Mexico border \nwith a high-tech surveillance system there, obviously to try to \napprehend people who might cross into the country illegally.\n    This is on the heels of the failed SBInet program that \nspent a billion dollars and achieved almost nothing at great \ntaxpayer cost and Government waste. In that hearing we learned \nfrom someone on your team at the GAO that there were several \nsignificant findings that the GAO had made, including no clear \nmetrics and no clear life-cycle costs for that program. So that \nis one that comes to mind.\n    The second in El Paso, Texas is a half-mile stretch of \ncurrently unfenced border between El Paso and Juarez, an area \nwhere in the last 4 years without there being a fence total \ncrossings have dropped year after year and they are at a \nfraction of what they were even 4 or 5 years ago.\n    It is also a very historical crossing point. DonJuan De \nOnate in the 16th Century crossed there.\n    The sensitivity is so great that not only have I but the \nother Congressman representing the area, one of our U.S. \nSenators, the city council, the State senators, the State \ndelegation have all pleaded with CBP not to construct that wall \nthere at a cost of $5.5 million. But we were told by the acting \ncommissioner at the time that the wheel is already in motion \nand it is too hard to stop this.\n    So with those two examples my question is: When is it an \nappropriate time to put on the brakes? I would think that those \nmajor findings that the GAO made after the failure of SBInet we \nshould stop before proceeding with this Arizona Border \nSurveillance Technology Initiative.\n    The $5.5 million in El Paso may not sound like a lot, but \n$5.5 million here, $5.5 million there soon it adds up and \nbecomes real money. So I would like to get your thoughts on how \nwe get greater control on spending when there are findings, \nwhen there are concerns raised by this committee or the GAO, \nwhen it might be appropriate to pause and rethink some of those \nprojects.\n    Mr. Mayorkas, we will start with you.\n    Mr. Mayorkas. Thank you very much, Congressman. I have, in \nthe short time that I have been in office I have visited the \nTexas-Mexico border as well as the Arizona-Mexico border. I \nwill tell you that visiting--there is no substitute for \nvisiting the border because one understands first-hand the \nchallenges that it presents.\n    The lesson that I learned there is certainly it is not a \none-size-fits-all model. There have to be different \ntechnological and operational solutions to address the very \ndifferent and very diverse challenges that the Southwest Border \npresents.\n    You ask a very fact-specific question, which is: When is it \nright to pull out of a project when the project isn't going \nwell? I think that----\n    Mr. O'Rourke. Not just pausing the project. We could use \nArizona--the border surveillance plan there. Would it not make \nsense for DHS to stop spending until those GAO concerns are \nresolved?\n    Mr. Mayorkas. Congressman, as a general matter I find it \nuntenable to continue to pour money into a project when one \ndoesn't have a level of confidence in the effectiveness and \nefficiency of the undertaking. So that is a general principle.\n    In fact we have executed on that general principle over the \nlast few months. We have paused. We have suspended discrete \nprojects because we have not had confidence in the stability of \nthe undertaking.\n    So there is no shyness. There is no hesitation to do that \nin order to make sure that we do not develop something that is \nineffective by the time it is deployed----\n    Mr. O'Rourke. Right.\n    Mr. Mayorkas [continuing]. And we create more work for our \noversight----\n    Mr. O'Rourke. Sorry to interrupt, but I have little time \nleft. You have paused in other projects. Will you pause in this \nproject?\n    Mr. Mayorkas. I--as I sit here today, Mr. Congressman, I am \nnot aware of a reason why the Integrated Fixed Towers Project \nshould be paused. I will tell you that is----\n    Mr. O'Rourke. I gave you two.\n    Mr. Mayorkas. I will have to look into the second one, \nwhich is the wall that----\n    Mr. O'Rourke. I gave you two reasons on that Arizona Border \nSurveillance. No life-cycle costs and no clear metrics for what \nthat is supposed to achieve after spending up to $700 million.\n    Could I hear from Mr. Dodaro on this and Mr. Roth if there \nis time?\n    Mr. Dodaro. Yes. Our report focused on the fact their cost \nestimates and the schedule estimates weren't complete or \nreliable. There was limited testing planned on there as well as \nthe fact that there weren't metrics tying it to the particular \nproblem.\n    The Department agreed with most of the recommendations. \nExcept I was disappointed they didn't agree to do more testing \non this. I think this is important given the past history and \nsome of those other activities.\n    So I think it is important that these issues be addressed \nbefore they proceed into full-scale production.\n    Mr. O'Rourke. If the Chairman will allow, I would love to \nhear from Mr. Roth on this, if you have any comments.\n    Mr. Roth. Yes. The entire life-cycle--acquisition life-\ncycle framework requires in fact certain stopping points where \nan examination is done by independent senior leadership to \nensure that it should go forward in a timely way or in a \nrational way.\n    So there are stop points all the way along, and it is \nperfectly appropriate during an acquisition to hold off and \naddress concerns.\n    Mr. O'Rourke. Okay. Thank you.\n    Thank you, Mr. Chairman.\n    Chairman McCaul. Chairman recognizes Mr. Sanford from South \nCarolina.\n    Mr. Sanford. I thank the Chairman. I apologize for getting \nhere late. So I did not get to hear the entirety of your \ntestimony. I was caught up in another meeting.\n    But I jotted in a note in looking at preliminary brief. \nThere was a GAO report that said, DHS could better manage its \nportfolio, address funding gaps and improve communication with \nCongress.\n    One of the findings was basically that there was a gap \nbetween acquisition of programs and the overall Homeland \nSecurity strategy. That at several different junctures this gap \nwas seen between acquisition and strategy.\n    I have got a quote here. I am beginning to lose my \neyesight. But it says ``GAO goes on to say in its report that \nnone of the reports that DHS put out consistently identified \nhow individual acquisition programs would help DHS to achieve \nits goals.'' Then there is some more verbiage from there.\n    So I guess I would turn to the GAO, to you, Mr. Dodaro. \nThoughts on that? What else did you see with regard to this gap \nbetween a time strategy and individual acquisition programs?\n    Mr. Dodaro. There really are two types of gaps. One is the \none that you mentioned. But the second is a funding gap issue \nin terms of whether or not you have enough money there. I \nmentioned earlier in my opening statement that of the major \nacquisitions, 46% don't have approved baseline costs and 77% \ndon't have life-cycle costs.\n    Now, even with that limitation the Department undertook an \neffort a year or 2 ago to identify what the gap would be if all \nthese acquisitions would cost certain amount of money and the \nDepartment had certain amount of resources. They have figured \nthat there was 30% gap between what these acquisitions will \ncost and what they were likely going to have money for, which \nmeans they need to set priorities.\n    Of course in setting priorities you have to go with what \nyour overall strategies are and what kind of priorities are in \nyour strategy. So they need a governance structure at the \nDepartment to set these priorities across the Department \nbecause they are not going to have, you know, enough money to \nbe able to deal with these issues.\n    This is a similar issue we brought to the Department of \nDefense's attention. It will particularly be true if \nsequestration resumes in 2016 through 2022.\n    So it is very important that they deal with this. I know \nthey have some plans to do it. But they are in the very early \nstages.\n    Mr. Sanford. Couldn't it be said of pretty much any \nGovernment agency that there is always a gap between what they \nwould like to have and what they would get? I mean so isn't \nthat----\n    Mr. Dodaro. Well----\n    Mr. Sanford. I mean it may----\n    Mr. Dodaro. Well, but----\n    Mr. Sanford [continuing]. The issue within Homeland \nSecurity or DOD, but----\n    Mr. Dodaro. Right.\n    Mr. Sanford [continuing]. That seems to be a consistent \nrefrain.\n    Mr. Dodaro. Well, there is a difference between what you--\nhow much money you are going to have and what you would like to \nhave a lot of money, as opposed to how many projects you have \nalready started down the road that you are not going to be able \nto complete.\n    That is a different situation. I am saying in that case \nthey are spending money to get these projects up and running, \nand they are not going to have enough to finish, the money, so \nthat those projects that aren't finished will be not optimal \nuse of the taxpayers' money.\n    As opposed to, we are not going to have this amount of \nmoney, here is the priority we want to do. We need to stop this \nacquisition or we need to redirect our funds to other areas.\n    So it is very important to do that, particularly given the \nrather poor track record that they have in delivering their \nacquisitions with functionality, within cost and on time.\n    Mr. Sanford. If you were just waving a magic wand and as \nyou look at this agency in particular, are there other things \nthat perhaps didn't make your report but things that entered \nyour mind? Or that you all evaluated but found too \ncontroversial and maybe left off, where you would say this is \nan area of opportunity that Homeland Security ought to look at \nin terms of better optimizing taxpayer dollar in maybe a way \nthat they aren't?\n    Mr. Dodaro. No. I think our report is pretty complete. I \nmean we put everything out there that we have identified.\n    Since the Department has been created we have made over \n2,000 recommendations to the Department. About 65% of them they \nhave implemented. They have efforts underway in other areas to \nimplement.\n    So we--I think we have been pretty thorough in pointing out \nall the major areas that need attention.\n    Mr. Sanford. I suspect you might have a counterpoint to \nsome of this and I therefore would offer the floor to you in \nthe few seconds that I have got left.\n    Mr. Mayorkas. Congressman, I think I actually will not have \na counterpoint. I think, quite frankly, that the work of Mr. \nDodaro and his team has helped make us better, and identified \ngaps that we need to fill. I think I can say the same for the \nwork of Mr. Roth and his team.\n    You used the word opportunity. Fortunately I am an optimist \nand so I look at the challenges we have as opportunities, \nopportunities to be better.\n    Mr. Dodaro referred to the fact that a governance structure \npresents some hope, some cause for optimism, but it is at the \nnascent stage. That is true.\n    Both the Secretary and I are new. The Secretary has put in \nplace a governance structure and we will drive to achieve its \naspiration.\n    Mr. Sanford. I burned through my time. Thank you, Mr. \nChairman. Yield back.\n    Chairman McCaul. Chairman recognizes Mr. Payne.\n    Mr. Payne. Thank you, Mr. Chairman.\n    Mr. Roth, you know the findings in the November 2012 IG \nreport on interoperable communications at DHS are very \nconcerning. I have introduced legislation to DHS Interoperable \nCommunications Act that aims to address the problems, you know, \nrelated to the Government structure and strategy identified in \nthe report.\n    In your testimony you mentioned that the Department has \ndeveloped but not finalized DHS Communications and \nInteroperability Plan. Have you seen drafts of this plan?\n    Mr. Roth. I have.\n    Mr. Payne. Okay. What do you think to this point?\n    Mr. Roth. We made our primary recommendation after doing \nthe audit that had the 99.8% failure rate, was that there ought \nto be an interagency structure that had an individual or group \nwith true power to be able to require the components to get \ninteroperable systems.\n    The Department, inexplicably in my mind, non-concurred with \nthat, and instead went forward with what we consider to be a \nlesser proposal requiring essentially cooperation among the \ncomponents.\n    We think that is the wrong way to go. We think showing \nstrong leadership is the way to go, and essentially forcing \ncompliance by the components.\n    Mr. Payne. Yes. Well, you know it is clear based on \ninformation I have that this legislation, you know, is crucial \nto finally get Department-wide interoperability.\n    I was shocked to hear that in your testimony, you know in \nyour test case, only 1 out of 479 first responders were able to \nget on a common channel. You know 1 out of 479.\n    What is it going to take to achieve interoperability? As \nyou say, the Department is obviously not following \nrecommendations that have been made. That you say have decided \nto go with a lesser plan. What is it going to take to get to \ninteroperability?\n    Mr. Roth. Well, certainly hearings like this I think \nhighlight the problem. Accountability by this committee and \nother committees and the American people to ensure that the \npurposes behind DHS, which was to have all these disparate \nagencies under one roof so they could in fact talk to each \nother is a good thing.\n    But again, it is a promise that has not yet been kept.\n    Mr. Payne. Okay. You said many didn't even know that the \ncommon channel existed. Is it going to take more training or as \nyou said more hearings like this and a concerted effort on us \nto push them in that direction?\n    Mr. Roth. To be fair, this test took place in 2012 before \nthe current administration within DHS was appointed. We are \nhearing good things from the Secretary and the deputy secretary \nwith regard to unity of effort.\n    I am optimistic that we can get there. But I am frankly \nconcerned that as we speak today a Secret Service agent in New \nYork can't get on his radio and talk to a Federal Protective \nService officer in New York or a CBP officer in El Paso can't \ntalk to a Homeland Security Investigations Agent in the same \ncity.\n    Mr. Payne. Okay.\n    Thank you, Mr. Chairman. I yield back.\n    Chairman McCaul. Let me just state for the record, Mr. \nPayne, your bill on interoperability will be part of our mark-\nup in May coming up soon. So we thank you for that.\n    Chairman now recognizes the gentlelady from New York, Ms. \nClarke.\n    Ms. Clarke. Thank you, Mr. Chairman. Thank you, Ranking \nMember.\n    My first question is to you, Mr. Mayorkas. I want to talk \nabout the Department's transition to a large portion of its \ninformation technology to the cloud, and a couple of questions \nwith regard to that.\n    Does the CIO work with the Department cybersecurity and \nprivacy experts to ensure that proper protections are in place \nfor cloud-based technologies? How does this improve efficiency?\n    Do you anticipate this move to the cloud resulting in cost \nsavings? What steps are being taken to ensure that the private \ncloud utilized by the Department is secure?\n    Mr. Mayorkas. Thank you very much, Congresswoman, for the \nquestion. The answer is yes.\n    The head of information technology, Luke McCormack, does \nwork very closely with our NPPD, our directorate, and Susanne \nSpaulding. It is made to ensure that the use of the cloud \npasses cyber-hygiene, if you will.\n    What the cloud provides is the ability for the Department \nto essentially pull on an as-needed basis certain technological \ncapabilities. So with that nimbleness and surgical use of IT \nnot only do we gain effectiveness, but we also gain cost \nsavings.\n    Ms. Clarke. Well, there has been a lot of talk here on the \nHill. We have turned our attention to immigration reform and \nproposals such as the DREAM Act may create a pathway for many \nmillions of youngsters becoming American citizens. This could \ncreate a major influx of applications coming to the USCIS \nsystem.\n    Would the limitations of current paper-based system that I \nam sure you know all too well, how will USCIS handle this \nincreased caseload? Are there any activities underway at the \nheadquarters level to address this impending issue?\n    Mr. Mayorkas. Thank you very much for that question, \nCongresswoman. We of course remain committed to comprehensive \nimmigration reform. I think there are two streams of activity \nthat are responsive to your question.\n    One is to develop the technological capabilities to accept \na large influx of new applicants in an electronic or on-line \nenvironment. That effort is under way. It is a very significant \nand challenging effort, but we are making progress in it. It is \ncalled transformation to move from a paper-based agency to an \non-line environment on the one hand.\n    On the other hand, U.S. Citizenship and Immigration \nServices, which I was very proud to be a part of for 4 years, \nis extraordinarily adept at handling surges in the number of \nindividuals coming before it. It has exhibited that nimbleness \nand that adeptness in the last 2 years in taking on a huge \nsurge in previously unanticipated applicants.\n    Ms. Clarke. So you believe that the transformative nature \nof the new technologies that you are currently sort-of testing \nwould be able to manage potentially, you know, tens of \nthousands if not millions of individuals seeking to apply for--\nthrough for immigration reform and the personnel commensurate \nwith that is sort-of trained and gearing up as well?\n    Mr. Mayorkas. Congresswoman, the goal of transformation is \nto be able to do that. We are working towards that. It is a \nchallenging undertaking, but we are working towards that on the \none hand.\n    On the other hand, to be able to address an increase in \napplications of, for example, 11.5 million people, there is an \ninfrastructure that needs to be built. We have communicated \nvery clearly to the bipartisan committee that passed the Senate \nbill last year.\n    They understood and legislated accordingly that there needs \nto be some ramp-up time so that the agency could in fact build \nthe infrastructure to take on that significant new workload. \nBut not just personnel, but facilities, IT infrastructure and \nthe like, but we are prepared with time and funding to meet \nthat challenge.\n    Ms. Clarke. Very well. Then I just wanted to quickly--my \ntime is winding down--talk about disciplinary practices. There \nare a lot of folks who believe that there are some--it is \ninequitable and oftentimes arbitrary.\n    For example, there is no Department-wide standard for \npenalties. The same offense can engender different results \nwithout any sound reason for this discrepancy.\n    Would you agree that the Department could benefit from \nstandardized disciplinary processes? How not having these \nprocesses in place can have an impact on low morale, for \ninstance?\n    Is a Department-wide standard for penalties under \nconsideration? If not, why?\n    Mr. Mayorkas. That is a very interesting question, \nCongresswoman. When I was the director of U.S. Citizenship and \nImmigration Services, we actually had that infirmity within the \nagency that we did not have really a cohesive and consistent \ndiscipline regime, and we implemented one during the course of \nmy tenure.\n    Whether there should be a Department-wide standard is a \nquestion that I would actually like to give thought to because \nI will tell you that there are different dynamics at play \nwithin each component of the Department. There are different \nunions, union leadership, union relationships.\n    I think at a general level my immediate reaction is that we \nshould have standardized processes and we should have \nconsistency in the response--in the disciplinary response to \nsimilar behaviors. I would like to actually give further study, \nand quite frankly speak with my colleagues here to my left with \nrespect to your question.\n    Ms. Clarke. My time is run out, but if the Chairman gives \nanother round, we will----\n    Chairman McCaul. Well, if you would like to hear other \nwitnesses----\n    Ms. Clarke. Oh, certainly.\n    Chairman McCaul. This is our final round.\n    Ms. Clarke. Okay. Thank you, Mr. Chairman.\n    Well then, gentlemen, would you please give me your opinion \non these disciplinary actions?\n    Mr. Roth. Thank you. We have not done an audit with regard \nto this except with the Secret Service, which did not have a \ntable of penalties. We found that that was a problematic issue \nwith regard to some of the issues that occurred in the Secret \nService.\n    I think I would join Mr. Mayorkas in indicating that that \nis a broader issue that we would probably need to study in a \nmore thoughtful way.\n    Mr. Dodaro. Yes. We have looked recently at TSA employee \nmisconduct issues and how that is handled. I would be happy to \nprovide that for the record and any other thoughts that we have \non this matter.\n    Ms. Clarke. Very well. I appreciate that, gentlemen. Thank \nyou all for your testimony here today.\n    Thank you, Mr. Chairman. I yield back.\n    Chairman McCaul. Thank you. I want to thank the witnesses.\n    Chairman recognizes the Ranking Member.\n    Mr. Thompson. I just want to thank the Chairman for this \nhearing and the witnesses for their candid comments in response \nto the questions.\n    The thing that continues to bother me, though, is we put \nthe Department of Homeland Security under one roof. But it just \nappears that there are some outliers within the Department that \ncontinue to do as they please.\n    We have reports after reports that continue to highlight \nthose do-as-you-please efforts that cost money. What I have \ntaken away is that you continue to highlight it, but somehow it \ndoesn't get implemented.\n    I guess I am struggling for--can you, each one of you \nwitnesses provide us in writing what you think it would take \nfor the Department to run seamlessly, all the components within \nDHS using one standard for procurement and other things?\n    Right now procurement, personnel, a lot of issues continue \nto be different. I think if we have One DHS, if we have this \nnow Unity of Effort approach, how can we actually accomplish \nthat if we still have Coast Guard, FEMA, CBP, ICE kind-of doing \nwhat they want to do? I am just kind-of concerned about that, \nthat we should just have a standard system.\n    Now, obviously there are some exceptions. But I think those \nexceptions can be noted. But I would like to see something from \nour witnesses since they have been so good that could help give \nthis committee some direction on how we can come up with one \nsystem, whether it is IT system or whatever, in those \ncategories that have been outlined.\n    I yield back.\n    Chairman McCaul. I concur with the Ranking Member. We would \nlike to see that, if you could respond maybe in writing after \nthe hearing.\n    I know Ms. Clarke and I have worked on the iCloud concept \nin terms of bringing the One DHS together. I think that is an \ninteresting concept as well.\n    I did have one last question for Mr. Roth. The Secret \nService has mentioned, know you are reviewing your \npredecessor's report, the allegations involving drunkenness \nduring Presidential protection. Very serious concern on the \npart of this committee that that conduct is still on-going \nwithin Secret Service.\n    I know you are reviewing those currently. When do you \nanticipate that your report will come out?\n    Mr. Roth. We are looking at the current reports. We are not \nengaged in a further audit or inspection of that. But what we \nare doing is in light of the Senate subcommittee's report we \nare looking to ensure that any of the conclusions within the \nreport were untainted by any sort-of political or other \nimproper considerations.\n    We are doing that as expeditiously as possible, but we want \nto get it right. I am hopeful in the next few weeks we will be \nable to get it out. But right now I can't give you----\n    Chairman McCaul. Will you be providing any guidance to the \ndirector of the Secret Service in terms of--you mentioned there \nare no real sort of disciplinary procedures in place.\n    Mr. Roth. At the time of our audit there were no \ndisciplinary procedures. There were no tables of penalties. \nThat has been fixed.\n    In the series of audits we did, we did a look-back to see \nwhat the internal investigation looked like. We also did what \nwas known as the so-called culture report.\n    In the culture report we had a series of recommendations \nthat we asked the Secret Service to do. They are in the process \nof complying with each of those. I am happy to give a interim \nreport as to, sort-of, how they are doing with regard to \nresponding to our recommendations.\n    Chairman McCaul. I would appreciate that. Protecting the \nPresident is one of the highest duties----\n    Mr. Roth. Yes.\n    Chairman McCaul [continuing]. Within the Department.\n    So we thank the witnesses for testifying here today. The \nrecord will be open for 10 days. You may have additional \nquestions. With that, without objection, committee stands \nadjourned.\n    [Whereupon, at 11:31 a.m., the committee was adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n  Questions From Chairman Michael T. McCaul for Alejandro N. Mayorkas\n    Question 1. According to a December 2013 GAO report, CBP and ICE \ncontinue to struggle with large portions of their TECS modernization \nwhich could result in cost overruns and delay its 2015 deployment \ndeadline. TECS is critical to the Department's border security and law \nenforcement missions. Describe the management direction you are \nproviding this project and please give the committee an update on the \nTECS modernization efforts and whether or not ICE and CBP will deliver \nits planned functionality by 2015 as originally scheduled.\n    Answer. DHS has a tiered governance structure that includes \noversight at the senior leadership level, the component level, and the \nprogram level. At the highest level, the Department is actively \nmonitoring both programs by way of Executive Steering Committee (ESC) \nmeetings made up of senior-level executives, including Headquarters and \nComponent Chief Information Officers, Chief Acquisition Executives, and \nChief Financial Officers. Executive Steering Committees are decision-\nmaking bodies that provide governance and oversight for all of the \nDepartment's IT Major investments.\n    Currently, due to the program's high risk, the U.S. Immigration and \nCustoms Enforcement (ICE) TECS Modernization has a monthly ESC meeting \nand bi-weekly deep-dive meetings with the Department's Chief \nInformation Officer and management acquisition team. The U.S. Customs \nand Border Protection (CBP) TECS Modernization has bi-monthly ESC \nmeetings.\n    The CBP TECS Modernization has been deploying modernized \nfunctionality incrementally since 2009 and is on track to deliver the \nmajority of modernized capability by September 2015, as originally \nplanned. This program has multiple releases of which 80% have been \ndelivered. The remaining 20% will be delivered on schedule by September \n2015.\n    The ICE TECS Modernization is in the technical evaluation phase of \nprocuring an application vendor, with an anticipated award in September \n2014. The program is currently a high-risk program due to its schedule \nand cost risks. Mitigation plans are in place to address the program \nrisks. The program meets regularly with Headquarters leadership to \nreview status and progress toward milestone events. The program is \nengaged with the CBP parallel effort to execute the coordinated \nstrategy for both agencies to obtain mainframe independence from the \nshared legacy TECS system.\n    Question 2a. Does DHS believe that they are full partners in the \nFirstNet effort?\n    Answer. Yes, DHS is a full partner and one of three permanent board \nmembers in the FirstNet effort. The Department appreciates the \nimportance of the FirstNet network to the overall security and \nresilience of our Nation's public safety communications infrastructure.\n    Question 2b. What is DHS doing to support FirstNet?\n    Answer. DHS is taking an active role in supporting FirstNet by \nproviding the following products and services:\n  <bullet> FirstNet Consultation Preparation Workshops.--DHS has \n        delivered on-site workshops in 54 of 56 States/Territories to \n        help prepare for the FirstNet consultation process. The \n        remaining two States/Territories will be completed this year.\n  <bullet> Broadband Tools.--DHS has developed a mobile data survey \n        tool to help States determine the current use of commercial and \n        private data systems within their jurisdiction that is being \n        leveraged by FirstNet.\n  <bullet> FirstNet Coordination.--In early 2013, FirstNet asked DHS to \n        participate with the National Telecommunications and \n        Information Administration and FirstNet staff to coordinate \n        outreach and data collection with public safety efforts. Since \n        that time, DHS has participated in weekly calls, as well as \n        periodic strategic planning meetings with FirstNet Board \n        members and staff.\n  <bullet> Federal Broadband Coordination.--The Emergency \n        Communications Preparedness Center, which is a DHS-led Federal \n        coordination committee to improve emergency communications \n        interoperability, has been leveraged by FirstNet for Federal \n        outreach and planning.\n  <bullet> Tribal Coordination.--DHS provided Tribal subject matter \n        expertise to assist FirstNet in establishing its Tribal Working \n        Group, as well as facilitating meetings with key Tribal \n        representatives.\n  <bullet> Cyber and Physical Risk Assessment.--DHS identified possible \n        threats to and vulnerabilities of cyber infrastructure in the \n        Nation-wide Public Safety Broadband Network that could threaten \n        the network's reliability and security.\n  <bullet> Public Safety Broadband Requirements.--DHS helped develop \n        first responders requirements for the Nation-wide public safety \n        broadband network.\n  <bullet> 700 MHz Demonstration Network.--DHS helped create a 700 MHz \n        Demonstration Network at the National Institute for Standards \n        and Technology Boulder Labs to assist with performance, \n        conformance, and interoperability testing of infrastructure, \n        devices, and applications. This public safety demonstration \n        network and environment for testing allows public safety to \n        better understand the new capabilities and challenges created \n        by broadband technologies.\n  <bullet> Modeling and Analysis for Public Safety Broadband.--DHS is \n        conducting modeling and simulation research on the deployment \n        of a Nation-wide public safety broadband network. This research \n        will provide FirstNet with insight needed to make more informed \n        procurement-related decisions.\n    Question 3. The Office of Program Accountability and Risk \nManagement (PARM) is responsible for DHS' overall acquisition \nmanagement across the Department, and has work under way to implement \nan Acquisition Life-Cycle framework for major acquisitions. Among other \nthings, this framework outlines key decision events over the life of a \nprogram. This ``waterfall'' approach may be fine for most types of \nacquisitions; but for IT acquisitions, it promotes longer time frames \nfor delivering capabilities (often 5-7 years) and increased risk of \ncost, schedule, and performance issues. The Office of the Chief \nInformation Officer (OCIO) is responsible for IT investment governance, \nincluding IT systems development. OCIO has work under way to modify, \nfinalize, and implement systems acquisition policies and processes in \nline with an incremental development approach, which calls for breaking \nprograms into smaller increments and delivering capabilities in 6-12 \nmonth releases. It will be important for PARM and OCIO to collaborate \non a way forward to define roles and responsibilities, and modify the \nAcquisition Framework as needed to accommodate an incremental \ndevelopment approach to IT. How efficiently and effectively do DHS's \nacquisition and IT governance processes work in concert with one \nanother to ensure that major IT investments are delivered within cost \nand schedule, and meet mission needs?\n    Answer. DHS's integrated acquisition and IT governance processes \nwork together in an efficient and effective manner. Management \nDirective 102-01 establishes the Department's acquisition governance \nframework for both IT and non-IT programs. The Management Directorate's \nOffice of Program Accountability and Risk Management coordinates \neffective integration and collaboration across the Department's lines \nof business, including the Office of the Chief Information Officer, to \nimplement acquisition oversight.\n    Further, the Secretary's ``Strengthening Unity of Effort'' \ninitiative is enhancing the coordination of Departmental planning, \nprogramming, budgeting, and execution processes through strengthened \nrequirements processes and decision-making.\n    Question 4a. Component agencies of DHS are increasingly using the \nGovernment Printing Office (GPO) for the production of secure \ncredentials. Some have expressed concern that component agencies are \ninappropriately using Title 44 of the United States Code as a means to \nenter into sole-source agreements with GPO to circumvent the normal \nfair and open competitive procurement process.\n    Is there any formal or informal guidance from DHS to component \nagencies on the use of the GPO versus open competition?\n    Answer. DHS follows the requirements of Federal Acquisition \nRegulation 8.802, which requires printing to be done by or through GPO \nunless an exception applies. DHS utilizes a form (DHS 500-7) for its \ncomponents to use to obtain printing services through the designated \ncentral printing authority or to seek a waiver. There is no additional \nacquisition guidance regarding printing.\n    Question 4b. What is the opinion of DHS Office of General Counsel \non Title 44 of the United States Code and FAR 48 Subpart 8.8 as it \nrelates to public printing services and use of GPO for secure \ncredentials?\n    Answer. The Department recognizes the statutory and regulatory \nrequirements related to the Government Printing Office.\n    Question 4c. What risk/security analysis has been done to make sure \nthat secure credentials being used by DHS are durable, secure, and \nvirtually counterfeit-proof?\n    Answer. A risk/security analysis of the secure credentials used by \nDHS was conducted by the General Services Administration (GSA), as the \nexecutive agent for acquisition of Homeland Security Presidential \nDirective--12 products and services. GSA ensures that secure \ncredentials meet the standards of the National Institute of Standards \nand Technology (NIST).\n    To further deter counterfeiting of the secure credentials being \nused by DHS, the Department has gone beyond the NIST requirements by \nrequiring visual security features with micro-text bands, the use of \ntransparent and gradient effects, optically variable ink, and \nholographic images in the security laminate.\n    Question 4d. What alternatives analysis or analysis of alternatives \n(including cost and security analysis) has been done to support secure \ncredential programs?\n    Answer. During an analysis of alternatives conducted by the DHS \nOffice of the Chief Security Officer, it was determined that GPO met \nstandards for secure credentials. GPO delivered added value with strict \nadherence to a secure Government supply chain requirement and smart \ncard product manufacturing. GPO also demonstrated oversight of security \nin the transportation of raw materials and finished goods, and the \nphysical security of the card manufacturer's plant and information \ntechnology systems.\n    Question 4e. How much has DHS obligated and expended in fiscal year \n2010-fiscal year 2013 for secure credentials printed by GPO? How much \ndoes DHS plan to spend on secure credentials in fiscal year 2014?\n    Answer. DHS has obligated and expended a total of $7,494,875 \nbetween fiscal year 2010-fiscal year 2013. The breakdown per fiscal \nyear is as follows:\nFiscal year 2010: $1,769,962.00\nFiscal year 2011: $1,891,963.00\nFiscal year 2012: $2,432,350.00\nFiscal year 2013: $1,400,600.00\nFiscal year 2014 Plan: $2,491,125.00.\n    Question 5a. According to news reports from early April, top hiring \nofficials at CBP broke Federal civil service laws when they tried to \nhire three politically connected but unqualified candidates who were \nfavored by the agency's then-commissioner Alan Bersin. Shortly before \narriving at CBP, Mr. Bersin allegedly gave the human resources staff \nthree names and told them he wanted to hire the individuals as \npolitical appointees. However, the slots for those jobs, known as \nSchedule C positions, were filled. The staff then attempted to hire \nthem into open civil service positions at the GS-13 level, as \nmanagement and policy analysts.\n    Who were the people seeking career positions in these reported \ncases? Are they employed by CBP currently? If so, under what hiring \nauthorities?\n    Answer. The Office of Special Counsel (OSC) has released a press \nstatement regarding its complaint for disciplinary action before the \nMerit Systems Protection Board (MSPB), filed against Katherine Coffman. \nThe OSC has not yet made the complaint a public document and DHS is not \na party to the litigation. Further, in accordance with DHS practice, \nand per OSC preference, DHS does not comment on pending litigation. DHS \ndoes not wish to impede the current adjudication of this case by \nreleasing specific information relevant to the MSPB proceeding, or by \nproviding opinions regarding any specific allegations or evidence that \nmay be contained within the complaint as described in the public press \nstatement. Therefore, in this and subsequent responses, DHS will only \nanswer as to matters not at issue in the litigation.\n    Question 5b. Who within the DHS Office of the Chief Human Capital \nOfficer rejected most of the career conversion requests and approved \nthe one OPM later rejected? Please provide necessary documents asking \nfor and rejecting these personnel actions.\n    Answer. Please see above.\n    Question 5c. Since Ms. Katherine Coffman is in the position to hire \nindividuals across CBP, does she assert inappropriate influence over \nthe career civil service hiring process? Did she or does she seek to \nhire others who fit ``political criteria'' favored by her or Mr. \nBersin?\n    Answer. Please see above.\n    Question 5d. What was the role of the Office of the White House \nLiaison at DHS in these career conversions? Is the Office of the White \nHouse Liaison involved in interviewing or vetting other career \ncandidates for Federal employment?\n    Answer. DHS has inquired of the relevant individuals and reviewed \nthe relevant files and has no reason to believe the Office of the White \nHouse Liaison was involved in the attempted conversion from political \nappointments to career appointments for the three individuals whom it \nis alleged Mr. Bersin wanted to hire at CBP.\n    I am informed it is not.\n    Question 5e. Since January 21, 2009, how many political appointees \nhave been converted to career employees? If any, please identify them \nalong with their titles and the office in which they are working.\n    Answer. Prior to January 2010, Federal agencies had to seek OPM's \napproval of conversions to competitive service positions only during \nPresidential election years. As a result, DHS did not maintain DHS-wide \nrecords specific to such conversions and cannot readily access this \ninformation for the time period between January 21, 2009 and December \n31, 2009.\n    Beginning on January 1, 2010, OPM required agencies to seek prior \napproval from OPM before appointing a current or recent political \nappointee to a competitive or non-political excepted service position \nat any level under the provisions of title 5, United States Code. OPM \nprovided DHS with information based on OPM's records which establish \nthat since January 2009, six political appointees have been converted \nto career positions.\n    In 2009, an individual was appointed to a GS-14 policy analyst \nposition in the Office of Civil Rights & Civil Liberties. In 2011, an \nindividual was appointed to a Senior Executive Service position in the \nOffice of Science and Technology. In 2012, an individual was appointed \nto a Senior Executive Service position in the Federal Emergency \nManagement Agency and another individual was appointed to a GS-13 \nexternal affairs specialist position, also in FEMA. In 2013, two \nindividuals were appointed to two different Senior Executive Services \npositions; one in the United States Coast Guard and another in the \nOffice of the General Counsel.\n    Question 5f. Given the allegations in this matter, do you have \nconfidence in Mr. Bersin as a senior leader of DHS? Have you considered \nputting Mr. Bersin or Ms. Coffman on administrative leave while these \nallegations are fully investigated by the Office of Special Counsel and \nthe Merit Systems Protections Board?\n    Answer. Yes, the leadership of the Department has full confidence \nin Mr. Bersin.\n    Neither the Office of the Special Counsel (OSC) nor the Merit \nSystems Protection Board (MSPB) has suggested such an action, and DHS \nhas determined not to take such action at this time.\n    The current posture of the proceedings is that the OSC has \ncompleted its investigation and filed complaints seeking disciplinary \naction against three CBP career officials. The MSPB has jurisdiction \nover the complaints. DHS is not aware that OSC or the MSPB will conduct \nany further investigation.\n    Question From Honorable Patrick Meehan for Alejandro N. Mayorkas\n    Question. I submitted a question for the record following Secretary \nJohnson's first appearance before the committee that remains unanswered \nregarding EAGLE II, an information technology multiple-award contract \nvehicle potentially worth $22 billion over 5 to 7 years. It is my \nunderstanding that companies were notified of additional awards being \nmade in early May on highly protested functional category one of the \nvehicle. The announcement appears to cut both ways--more vendors means \nmore competition, but also more proposals to evaluate thus slowing down \nthe acquisition selection process.\n    What information have you received about this procurement and what \nis your impression of how this acquisition was conducted? How is DHS \ngoing to make sure that programs actually use this vehicle and that \nproposals received per task order will be evaluated in a timely manner?\n    Answer. As Deputy Secretary, I was not personally involved in this \nprocurement and therefore have only had access to publicly-available \ninformation in accordance with Federal regulation. I have been made \naware of the award information and am informed that the procurement was \nconducted in an open and transparent manner, employing Federal \nprocurement best practices and in accordance with the Federal \nAcquisition Regulation. Like its predecessor, EAGLE II attracted \nsignificant interest from industry.\n    I am further informed that, since the EAGLE II competition received \na robust industry response, completing a fair and detailed evaluation \nof each of the proposals required a significant amount of time and \nresources. Protests are part of the procurement process for these large \ncompetitions. The DHS personnel responsible for the EAGLE II \nprocurement participated transparently and professionally in the \nprotest process to ensure all companies had an opportunity to have \ntheir concerns addressed in an impartial forum.\n    To date, several protests have been dismissed and contract awards \nhave been made to large, small, service-disabled veteran-owned, \nHUBZone, and 8(a) American companies. Task orders have already been \nplaced by several DHS components. Task Order awards to date include 18 \nawards made to various small business totaling $16.5 million with a \ntotal value of $63.8 million if all option periods are exercised.\n    The Office of the Chief Procurement Officer is monitoring EAGLE II \nspending. DHS continues to increase its use of strategic sourcing \nvehicles such as EAGLE II because they provide a streamlined and \nefficient process for obtaining services and result in cost savings for \nthe programs. It is the Department's policy that the EAGLE II contracts \nbe used unless there is an alternative that will yield a lower price or \nbetter support the DHS small business program.\n    To streamline task order competitions and evaluations, DHS offers \ntraining on the use of EAGLE II for all components and has generated an \nordering guide that includes guidance, templates, and points of contact \nfor users. This guidance ensures that task order proposals are \nevaluated promptly and accurately. DHS has a task order ombudsman \navailable to assist any EAGLE II contractor that becomes concerned that \na task order proposal evaluation has been delayed.\n     Questions From Honorable Tom Marino for Alejandro N. Mayorkas\n    Question 1a. What percentage of NFIP claims from Superstorm Sandy \ncontained fraudulent losses? Can you quantify that with a dollar \namount?\n    Answer. FEMA takes seriously its responsibility to be a good \nsteward of Federal funds, which include not only tax dollars but also \nflood insurance premiums. Reducing, investigating, and ultimately \neliminating waste, fraud, and abuse is an important part of that \nresponsibility. When FEMA becomes aware of evidence of potential fraud \non the part of NFIP policyholders, building repair contractors, or \nothers, the FEMA Office of Chief Counsel and the Office of the Chief \nSecurity Officer's FEMA Fraud Unit work with the Office of the \nInspector General to investigate. While the FEMA Fraud Unit and the \nOffice of the Inspector General work closely in developing cases, FEMA \nis typically not informed of results as a matter of practice, since the \nissue at hand may be a criminal matter.\n    While legally distinct from fraud, FEMA also tracks improper \npayments pursuant to the Improper Payments Act. The tracking does not \ndifferentiate underpayments, overpayments, or fraud. The results are as \nfollows:\n\n------------------------------------------------------------------------\n                                                             Improper\n                       Fiscal Year                         Payment Rate\n------------------------------------------------------------------------\n2008....................................................           6.38%\n2009....................................................           2.22%\n2010....................................................           1.21%\n2011....................................................           0.75%\n2012....................................................           0.02%\n------------------------------------------------------------------------\n\n    No, for the same reason explained in the answer above: FEMA is \ntypically not informed of investigative results as a matter of \npractice, since the issue at hand may be a criminal matter.\n    Question 1b. What is the policy for ensuring that claims are \nlegitimate before releasing funds for rebuilding?\n    Answer. There are a number of checks involved in the claims \nhandling process. After a claim is filed, the NFIP insurer assigns an \nindependent adjuster, who is certified as an NFIP adjuster and has \nknowledge of the coverage and exclusions under the Standard Flood \nInsurance Policy. The independent adjuster will inspect the insured \nproperty, preferably together with the insured to validate that the \nadjuster reviews all of the components of the property that the insured \nbelieves had been damaged by flood. The adjuster describes the claim \nprocess to the policyholder and provides a copy of the NFIP Flood \nInsurance Claims Handbook, which is a tool developed by FEMA to explain \nthe claims process to policyholders after a loss. During this \ninspection, the adjuster measures, photographs, and notes elements of \nflood damage. The adjuster then prepares a detailed room-by-room, line-\nby-line estimate of the damage caused by flood. A report documenting \nthe observed damage is then provided for review by the insurer, which \nis responsible for identifying covered losses and making payment. \nUnless there is an express written waiver, within 60 days after the \nloss the insured is required to provide a proof of loss, which is the \ninsured's sworn statement of the amount being claimed.\n    Question 1c. Additionally, what tools does the agency have to \n``claw-back'' funds released to homeowners who submitted fraudulent \nclaims?\n    Answer. All forms of the Standard Flood Insurance Policy (``SFIP'') \nhave provisions governing improper activities by the insured and void \nthe policy in the event of fraud or misrepresentation. If the policy is \nvoid, the NFIP is authorized to recoup payments and can do so through a \nDebt Collection action or affirmative litigation. In addition, the \nUnited States has available civil and criminal remedies, including the \nFalse Claims Act, to recoup fraudulently-claimed funds and to seek \ncivil and criminal penalties. The DHS Office of Inspector General and \nother Federal law enforcement, including a FEMA Fraud unit, are \navailable to investigate allegations of fraud, and FEMA also will work \nwith State and local law enforcement in appropriate circumstances to \ninvestigate and prosecute fraud.\n    Question 2. DHS is over 10 years old and it seems that we are only \nnow getting to understand what a ``high-risk'' program is. This is \nunacceptably long. What took so long and what assurances can you give \nthat we won't have more oversight failures going forward?\n    Answer. DHS has a clear understanding of its ``high-risk'' \nprograms, as defined on a biennial basis by the Government \nAccountability Office (GAO) through publication of its GAO High-Risk \nList. We work closely with GAO to address the areas where DHS remains \non the High-Risk List. When I became deputy secretary of DHS in late \nDecember 2013, the first action I took was to schedule a meeting with \nGAO Comptroller General Dodaro. DHS and GAO meet regularly to discuss \nprogress on our High-Risk designation, and I have been able to \nparticipate in several of those productive meetings.\n    In 2011, DHS published the Integrated Strategy for High-Risk \nManagement (Strategy), to address our High-Risk designation. DHS \ncontinues to make progress towards High-Risk List removal and publishes \nan updated Strategy on a semiannual basis. Of note is the fact that GAO \nhas stated in its most recent High-Risk List update that our \nDepartment's Strategy, ``if implemented and sustained, provides a path \nfor DHS to be removed from GAO's High-Risk List.'' Further, earlier \nthis year we developed specific action plans to address the 30 key \noutcomes GAO identified as part of the management High-Risk area. Our \naction plans provide month-to-month goals that offer a road map to \nsuccess. Our development of these action plans provided us with the \nopportunity to freshly review our previous efforts and, in certain \ncritical areas, to accelerate our time tables materially.\n    Question 3. Many of the DHS operating agencies like CBP, TSA, and \nthe Coast Guard came with internal inspection capabilities when DHS was \ncreated. Yet it appears the senior levels have been slow to organize \nDepartment-wide oversight. It appears that these agencies are not a \n``part of the whole'' from the management perspective. When will DHS-\nwide management controls be in place?\n    Answer. To further Department-wide management integration, \nSecretary Johnson directed the ``Strengthening Departmental Unity of \nEffort'' initiative in April 2014. In this initiative, the Secretary \ndirects specific activities across four main lines of effort: Inclusive \nsenior leader discussion and decision-making forums that provide an \nenvironment of trust and transparency; strengthened management \nprocesses for investment, including requirements, budget, and \nacquisition processes, that look at cross-cutting issues across the \nDepartment; focused, collaborative Departmental strategy, planning, and \nanalytic capability that supports more effective DHS-wide decision-\nmaking and operations; and enhanced coordinated operations to harness \nthe significant resources of the Department more effectively. The goal \nis better understanding of the broad and complex DHS mission space and \nempowering DHS components to effectively execute their operations.\n    To that end, the Secretary, in a June 26, 2014 memorandum to DHS \nleadership, established the DHS Joint Requirements Council to ``look at \ncross-component requirements and develop recommendations for \ninvestment, as well as changes to training organization, laws, and \noperational processes and procedures.'' This component-led, component-\ndriven body will be organized around the five DHS primary mission areas \nand begin to tackle issues involving information-based screening and \nvetting; chemical, biological, radiological, and nuclear surveillance \nand detection; aviation commonality; cybersecurity; and information \nsharing with potential impacts beginning as early as the DHS budget \nsubmission to OMB this September. Other unity-of-effort initiative \npieces, including strengthened budget and acquisition process, will \nalso lead to greater management control.\n    Question 4. Referring to your technology programs across DHS, there \nis strong criticism from the private-sector suppliers that DHS fails to \nprovide multi-year plans that would guide private R&D investment. Why \ncan't DHS seem to get forward planning for major programs right?\n    Answer. A primary challenge in developing and executing optimal \nmulti-year plans to guide private R&D investment is the reality of \nfiscal uncertainty: The Department is not assured of sustained funding \nstreams for long-term efforts.\n    DHS has worked hard to create a sustainable process to validate \nDepartment-wide requirements across the DHS primary mission areas to \ninform investment decisions and drive acquisitions. The Secretary's \nJune 26, 2014 memorandum to DHS leadership establishing a DHS Joint \nRequirements Council to ``look at cross-component requirements and \ndevelop recommendations for investment, as well as changes to training \norganization, laws, and operational processes and procedures'' will \nhelp us to achieve that goal. By studying requirements across \ncomponents and developing ``joint'' solutions from a range of potential \nalternative capabilities, the Department should be able to more \npredictably interface with the private sector earlier in order to \nbetter partner to meet the challenges faced by the Nation in securing \nthe homeland.\n    Further, the Department's increased focus on looking at full life-\ncycle program costs across the entire 5-year Homeland Security budget \nshould increase awareness and reduce uncertainty for our private \nindustry partners. To this end, newly-confirmed Under Secretary for \nScience and Technology Dr. Reginald Brothers has also prioritized \ndevelopment of an updated Science and Technology Directorate (S&T) \nStrategic Plan complemented by technology roadmaps in S&T's major \ninvestment areas. These types of products are fundamental for \ncommunicating S&T's direction and vision to industry in order to better \nalign and incentivize private R&D investment in DHS and Homeland \nSecurity Enterprise needs and priorities. Moving forward, S&T's \nStrategic Plan and roadmaps, along with a revamped approach to creating \nand sharing project requirements, will help strengthen and energize the \nDepartment's and S&T's partnership with the Homeland Security \nIndustrial Base.\n Question From Chairman Michael T. McCaul and Ranking Member Bennie G. \n                      Thompson for Gene L. Dodaro\n    Question. Please provide us in writing what you think it would take \nfor the Department of Homeland Security (DHS) to run seamlessly, all \nthe components within the Department using one standard for procurement \nand other things.\n    Answer. DHS could enhance its overall efficiency and effectiveness \nby continuing to implement and strengthen key management initiatives, \nincluding fully achieving key management outcomes that we and DHS have \nagreed are necessary for addressing our designation of DHS management \nfunctions as high-risk. Achieving some of these outcomes will entail \nimplementing Department-wide standards, such as standards pertaining to \ninformation technology (IT) and acquisition management.\n    Specifically, DHS needs to demonstrate continued progress in \nimplementing and strengthening key management initiatives and \naddressing corrective actions and outcomes in human capital management, \nacquisition management, financial management, and IT. This includes \ntaking steps to implement certain common standards Department-wide. For \nexample,\n  <bullet> As we reported in May 2014, DHS's acquisition policy largely \n        reflects key acquisition management practices, but the \n        Department has not implemented the policy consistently.\\1\\ For \n        example, in March 2014, we found that the Transportation \n        Security Administration (TSA) does not collect or analyze \n        available information that could be used to enhance the \n        effectiveness of its advanced imaging technology.\\2\\ In March \n        2014, we also found that U.S. Customs and Border Protection \n        (CBP) had not fully followed DHS policy regarding testing for \n        the integrated fixed towers being deployed on the Arizona \n        border.\\3\\ We recommended that CBP revise its testing plan in \n        accordance with DHS acquisition guidance, among other things. \n        DHS did not concur with our recommendation and stated that the \n        existing test plan will provide much, if not all, of the \n        insight contemplated by the intent of the recommendation. We \n        continue to believe that revising the test plan to include more \n        robust testing to determine operational effectiveness and \n        suitability could better position CBP to evaluate integrated \n        fixed-tower capabilities before moving to full production for \n        the system, help provide CBP with information on the extent to \n        which the towers satisfy the Border Patrol's user requirements, \n        and help reduce potential program risks.\n---------------------------------------------------------------------------\n    \\1\\ GAO, Department of Homeland Security: Progress Made; \nSignificant Work Remains in Addressing High-Risk Areas, GAO-14-532T \n(Washington, DC: May 7, 2014).\n    \\2\\ GAO, Advanced Imaging Technology: TSA Needs Additional \nInformation Before Procuring Next-Generation Systems, GAO-14-357 \n(Washington, DC: Mar. 31, 2014).\n    \\3\\ GAO, Arizona Border Surveillance Technology Plan: Additional \nActions Needed to Strengthen Management and Assess Effectiveness, GAO-\n14-368 (Washington, DC: Mar. 3, 2014). Integrated fixed towers are to \nconsist of surveillance equipment (for example, ground surveillance \nradars and surveillance cameras) mounted on fixed, that is, stationary \ntowers, and power generation and communication equipment to support the \ntowers.\n---------------------------------------------------------------------------\n  <bullet> In May 2014, we also reported that work is needed to \n        demonstrate progress in implementing IT investment management \n        processes across DHS's 13 IT investment portfolios.\\4\\ In July \n        2012, we recommended that DHS finalize the policies and \n        procedures associated with its new tiered IT governance \n        structure and continue to implement key processes supporting \n        this structure.\\5\\ DHS agreed with these recommendations; \n        however, as of April 2014, the Department had not finalized the \n        key IT governance directive, and the draft structure had been \n        implemented across only 5 of the 13 investment portfolios.\\6\\\n---------------------------------------------------------------------------\n    \\4\\ GAO-14-532T.\n    \\5\\ GAO, Information Technology: DHS Needs to Further Define and \nImplement Its New Governance Process, GAO-12-818 (Washington, DC: July \n25, 2012).\n    \\6\\ The draft structure had been implemented across the following \nfive portfolios: Intelligence, screening, information sharing and \nsafeguarding, enterprise IT services, and enterprise human capital.\n---------------------------------------------------------------------------\n    More uniformly implementing these common standards across the \nDepartment and showing measurable, sustainable progress in implementing \nother key management initiatives can help DHS more fully address GAO's \nhigh-risk designation. We are continuing to review DHS's progress in \nthese areas and will update our assessment of DHS's efforts to address \nour high-risk designation early next year.\n      Question From Honorable Yvette D. Clarke for Gene L. Dodaro\n    Question. Some individuals believe that DHS disciplinary practices \nare inequitable and oftentimes arbitrary. For example, there is no \nDepartment-wide standard for penalties, and the same offense can \nengender different results without any sound reason for this \ndiscrepancy. Would you agree that the Department could benefit from \nstandardized disciplinary processes? Does not having these processes in \nplace have an impact on low morale, for instance? If not, why?\n    Answer. We have not specifically assessed the standardization of \ndisciplinary practices at DHS, but our work has found that TSA could \nstrengthen its monitoring of allegations of employee misconduct.\n    In July 2013, we found that TSA could strengthen its monitoring of \nallegations of employee misconduct.\\7\\ Specifically, we found that:\n---------------------------------------------------------------------------\n    \\7\\ GAO, Transportation Security: TSA Could Strengthen Monitoring \nof Allegations of Employee Misconduct, GAO-13-624 (Washington, DC: July \n30, 2013).\n---------------------------------------------------------------------------\n  <bullet> According to TSA employee misconduct data that we analyzed, \n        TSA investigated and adjudicated approximately 9,600 cases of \n        employee misconduct from fiscal years 2010 through 2012. While \n        TSA had taken steps to help manage the investigations and \n        adjudication process, such as providing training to TSA staff \n        at airports, we found that additional procedures could help TSA \n        better monitor the investigations and adjudications process. \n        For example, TSA did not have a process for conducting reviews \n        of misconduct cases to verify that TSA staff at airports were \n        complying with policies and procedures for adjudicating \n        employee misconduct. We concluded that without a review \n        process, it is difficult to determine the extent to which \n        deficiencies, if any, exist in the adjudications process.\n  <bullet> Further, we found that TSA did not record all misconduct \n        case outcomes, including outcomes in cases that resulted in \n        corrective action or no penalty, in its centralized case \n        management system because the agency had not issued guidance \n        requiring the recording of all outcomes. We concluded that \n        issuing guidance to TSA staff at airports about recording all \n        case outcomes in the database would emphasize management's view \n        of the importance of staff including such information to \n        provide a more complete record of adjudication decisions.\n  <bullet> We recommended, among other things, that TSA establish a \n        process to conduct reviews of misconduct cases to verify that \n        TSA staff at airports are complying with policies and \n        procedures for adjudicating employee misconduct, and develop \n        and issue guidance to the field clarifying the need for TSA \n        officials at airports to record all misconduct case outcomes in \n        the centralized case management system. DHS concurred with the \n        recommendations, and TSA is taking actions in response, such as \n        increased auditing of disciplinary records to help ensure that \n        airport staff are complying with policies and procedures for \n        adjudicating employee misconduct.\n      Question From Chairman Michael T. McCaul for Gene L. Dodaro\n    Question. Please elaborate on your comments regarding Congressional \ncommittees with a jurisdiction on homeland security issues. \nSpecifically, to what extent have repetitive or redundant hearings and \nbriefings (i.e., those involving substantially the same subject matter \nbut provided separately to more than one committee) led to \ninefficiencies and inhibited progress by the Department to address \nitems on the High-Risk List? Have these particular hearings and \nbriefings increased over time, in comparison to previous Congresses? \nDoes the fact that multiple components at the Department lacking \nauthorizations (which have not been enacted due to jurisdictional \nbattles) have any effect on the ability of these components and DHS \nHeadquarters to enact necessary reforms, since potential necessary \nauthorities are not codified?\n    Answer. GAO has not analyzed the impact of hearings and briefings \non DHS's ability to address items on GAO's high-risk list, trends in \nthe number of DHS-related hearings and briefings, or the potential \neffects of the lack of authorizing legislation on DHS's ability to \ncarry out necessary reforms. In December 2002, we did report that the \ncreation of DHS had raised questions regarding how the Congress could \nbest meet its oversight responsibilities, and that DHS would be \noverseen by numerous Congressional committees.\\8\\ At the time we \nobserved that the Congress may wish to explore ways to facilitate \nconducting its responsibilities in a more consolidated and integrated \nmanner, and noted that whether the Congress did so could have an impact \non the effective implementation and oversight of DHS.\n---------------------------------------------------------------------------\n    \\8\\ GAO, Homeland Security: Management Challenges Facing Federal \nLeadership, GAO-03-260 (Washington, DC: Dec. 20, 2002).\n---------------------------------------------------------------------------\n    In 2003 we designated implementing and transforming the Department \nof Homeland Security as high-risk because DHS had to transform 22 \nagencies--several with major management challenges--into one \ndepartment, and failure to address associated risks could have serious \nconsequences for U.S. National and economic security.\\9\\ It is \nnoteworthy to recognize, however, that since 2003, DHS has made \nconsiderable progress in transforming its original component agencies \ninto a single department. As a result, in our 2013 high-risk update, we \nnarrowed the scope of the high-risk area to focus on strengthening DHS \nmanagement functions.\\10\\\n---------------------------------------------------------------------------\n    \\9\\ GAO, High-Risk Series: An Update, GAO-03-119 (Washington, DC: \nJan. 1, 2003).\n    \\10\\ GAO, High-Risk Series: An Update, GAO-13-283 (Washington, DC: \nFeb. 14, 2013).\n---------------------------------------------------------------------------\n    DHS remains on the high-risk list because the Department has not \nmade sufficient progress addressing GAO's high-risk removal criteria, \nsuch as having a framework to monitor progress, capacity (having \nsufficient resources), and demonstrating clear, sustained progress. \nSpecifically, our work at DHS has found that the Department has made \nprogress strengthening its management functions, including developing \npolicies that provide a framework for addressing management challenges. \nHowever, we have found in our past work that DHS does not always adhere \nto its own policies. For example, DHS's acquisition policy largely \nreflects key acquisition management practices, but in September 2012, \nwe found that the Department has not implemented the practices \nconsistently. Further, we found that DHS has made progress in \ninitiating efforts to validate required acquisition documents.\\11\\ \nHowever, the Department does not have the acquisition management tools \nin place to consistently demonstrate whether its major acquisition \nprograms are on track to achieve their cost, schedule, and capability \ngoals. Accordingly, about half of DHS's major programs lack an approved \nbaseline, and 77 percent lack approved life-cycle cost estimates.\n---------------------------------------------------------------------------\n    \\11\\ GAO, Homeland Security: DHS Requires More Disciplined \nInvestment Management to Help Meet Mission Needs, GAO-12-833 \n(Washington, DC: Sept. 18, 2012).\n---------------------------------------------------------------------------\n         Question From Honorable Jeff Duncan for Gene L. Dodaro\n    Question. The Office of Program Accountability and Risk Management \n(PARM) is responsible for DHS's overall acquisition management across \nthe Department, and has work underway to implement an Acquisition Life \nCycle framework for major acquisitions. Among other things, this \nframework outlines key decision events over the life of a program. This \n``waterfall'' approach may be fine for most types of acquisitions; but \nfor IT acquisitions, it promotes longer time frames for delivering \ncapabilities (often 5-7 years) and increased risk of cost, schedule, \nand performance issues. The Office of the Chief Information Officer \n(OCIO) is responsible for IT investment governance, including IT \nsystems development. OCIO has work underway to modify, finalize, and \nimplement systems acquisition policies and processes in line with an \nincremental development approach, which calls for breaking programs \ninto smaller increments and delivering capabilities in 6-12 month \nreleases. It will be important for PARM and OCIO to collaborate on a \nway forward to define roles and responsibilities, and modify the \nAcquisition Framework as needed to accommodate an incremental \ndevelopment approach to IT. How efficiently and effectively do DHS's \nacquisition and IT governance processes work in concert with one \nanother to ensure that major IT investments are delivered within cost \nand schedule, and meet mission needs?\n    Answer. We have found in our prior work that DHS has not yet fully \nestablished or finalized its acquisition and IT governance processes; \nhowever, we found that these processes, as defined and implemented thus \nfar, may be leading to slowed IT development work, as well as \nineffective or redundant executive oversight reviews. For example:\n  <bullet> Slowed IT development work.--In our May 2014 report on \n        agencies' IT incremental development policies and approaches, \n        we found that DHS OCIO officials had cited inefficient \n        governance and oversight processes as one common factor, among \n        others, inhibiting incremental development during a 6-month \n        period.\\12\\ To illustrate, those officials said that it can \n        take up to 2 months to schedule a meeting with DHS review \n        boards prior to releasing functionality. However, we also \n        reported that a Program Accountability and Risk Management \n        (PARM) official disagreed with that statement, maintaining that \n        DHS's acquisition review boards perform reviews very quickly, \n        and that any delays in completing these reviews are \n        attributable to investments being unprepared. Further, DHS OCIO \n        officials suggested that oversight of programs using an Agile \n        development methodology should be performed at the lowest \n        practicable level of the organization.\\13\\ Regardless of the \n        cause, these inefficiencies are hampering DHS's ability to \n        deploy IT capabilities in 6-month increments. Accordingly, we \n        recommended that DHS consider factors that either enable or \n        inhibit incremental development when updating the Department's \n        policies governing incremental IT development. DHS concurred \n        with our recommendation and stated that it plans to include \n        strategies in its guidance to minimize factors identified as \n        inhibiting incremental development. It will be important for \n        DHS's OCIO and PARM offices to work collaboratively to \n        effectively address this recommendation.\n---------------------------------------------------------------------------\n    \\12\\ GAO, Information Technology: Agencies Need to Establish and \nImplement Incremental Development Policies, GAO-14-361 (Washington, DC: \nMay 1, 2014).\n    \\13\\ Agile development calls for the delivery of software in small, \nshort increments rather than in the typically long, sequential phases \nof a traditional waterfall approach. More a philosophy than a \nmethodology, Agile emphasizes early and continuous software delivery, \nas well as using collaborative teams and measuring progress with \nworking software. The Agile approach was first articulated in a 2001 \ndocument called the Agile Manifesto, which is still used today. The \nmanifesto has four values: (1) Individuals and interactions over \nprocesses and tools, (2) working software over comprehensive \ndocumentation, (3) customer collaboration over contract negotiation, \nand (4) responding to change over following a plan.\n---------------------------------------------------------------------------\n  <bullet> Ineffective or redundant executive oversight reviews.--In \n        December 2013, we reported on the effectiveness of the \n        executive governance and oversight of the Department's two TECS \n        modernization (TECS Mod) border security programs.\\14\\ While we \n        found that OCIO and PARM had taken actions to oversee the two \n        programs, the lack of complete, timely, and accurate data had \n        affected their ability to make informed and timely decisions, \n        thus limiting their effectiveness in several cases. For \n        example, we found that OCIO had rated one of the programs as \n        moderately low-risk in its most recent program health \n        assessment, based partially on U.S. Customs and Border \n        Protection's use of earned value management. However, the \n        program manager told us that the other program was not using \n        this management technique. In addition, PARM had rated the \n        other program as low-risk in its most recent Quarterly Program \n        Accountability Report based in part on outdated cost and \n        schedule estimates. Accordingly, we made a recommendation to \n        improve the data used by these governing bodies for major IT \n        acquisition programs. DHS concurred and stated that it has \n        taken steps to ensure that the data used by the IT program \n        acquisition programs are accurate and complete, such as \n        implementing a decision support tool. However, we identified \n        instances where DHS governance and oversight bodies were acting \n        on information that was not complete, timely, or accurate, \n        despite the presence of such a tool.\n---------------------------------------------------------------------------\n    \\14\\ GAO, Border Security: DHS's Efforts to Modernize Key \nEnforcement Systems Could Be Strengthened, GAO-14-62 (Washington, DC: \nDec. 5, 2013).\n---------------------------------------------------------------------------\n    In addition, while both PARM and OCIO have responsibility for \n        ensuring that IT system acquisition programs are on track, it \n        is not always clear whether these roles are distinct. Our \n        December 2013 review also showed overlap in the program \n        assessments conducted by PARM and OCIO--in particular, with \n        regard to risk and requirements management, and cost and \n        schedule performance. We recently initiated a review to, among \n        other things, assess PARM's coordination efforts with DHS \n        components (including OCIO) to conduct oversight of major \n        acquisitions.\n    Additionally, as we testified in May 2014, the Department has yet \nto finalize its key IT governance directive, and the draft structure \nhas been implemented across only 5 of the 13 IT investment \nportfolios.\\15\\ It will be critical for DHS to complete these actions \nin order to ensure that all IT investments are appropriately aligned \nwith the Department's enterprise architecture (i.e., to avoid acquiring \nduplicative or overlapping systems), adequately overseen to ensure that \nkey IT management controls (e.g., requirements management) are being \nproperly implemented and monitored, and delivered as planned. Because \nboth PARM and OCIO play important roles in ensuring that IT investments \nare effectively acquired and implemented, these two organizations will \nneed to work closely together to ensure that IT projects are delivered \nincrementally and often and that DHS finalizes the IT governance \ndirective.\n---------------------------------------------------------------------------\n    \\15\\ GAO, Department of Homeland Security: Progress Made; \nSignificant Work Remains in Addressing High-Risk Areas, GAO-14-532T \n(Washington, DC: May 7, 2014).\n---------------------------------------------------------------------------\n         Question From Honorable Tom Marino for Gene L. Dodaro\n    Question. In your testimony you mention that the National Flood \nInsurance Program (NFIP) has not made a single payment on the principal \nborrowed from the Department of the Treasury since 2010. Under current \nlaw, could you estimate when the NFIP would, or could, fully repay the \namount owed to the Treasury?\n    Answer. We have not made our own estimates of how long the Federal \nEmergency Management Agency (FEMA) would need to repay the $24 billion \nit has borrowed from Treasury for the NFIP. Nevertheless, information \nfrom a report we issued in April 2014 provides some insight into FEMA's \nprospects for repayment.\\16\\ In that report, we noted that the Biggert-\nWaters Flood Insurance Reform Act of 2012 (Biggert-Waters Act) requires \nFEMA to issue a report to Congress setting forth options to repay \nFEMA's total debt to Treasury within 10 years.\\17\\ Although the report \nwas due in January 2013, FEMA has not yet issued such a report. FEMA \nofficials told us that before the enactment of the Homeowner Flood \nInsurance Affordability Act of 2014 (2014 Act), they had conducted \npreliminary analysis assessing FEMA's repayment ability under scenarios \nthat use different assumptions about future NFIP losses.\\18\\ The \nofficials said the assessment showed that, under FEMA's planned \nimplementation of the Biggert-Waters Act, the agency would not reach \nthe 10-year repayment goal under any of the scenarios. Implementation \nof the 2014 Act may further reduce the likelihood of repayment within \n10 years because the Act reduces future program premium revenue by \nreinstating subsidized and grandfathered rates the Biggert-Waters Act \nhad eliminated.\n---------------------------------------------------------------------------\n    \\16\\ GAO, Economic Development: Overview of GAO's Past Work on the \nNational Flood Insurance Program, GAO-14-297R (Washington, DC: Apr. 9, \n2014).\n    \\17\\ Pub. L. No. 112-141, \x06 100213(b), 126 Stat. 405, 924.\n    \\18\\ See Pub. L. No. 113-89, 128 Stat. 1020.\n---------------------------------------------------------------------------\n    Our April 2014 report also noted that, according to FEMA officials, \nin some years the agency has not had sufficient funds to make principal \npayments and, in other years, could have made principal payments but \nchose to preserve its cash balances to help avoid the need for future \nborrowing. A key factor affecting FEMA's future borrowing needs and \nability to repay its debt is future losses. However, the frequency and \nseverity of future flood losses are difficult to predict.\n        Questions From Chairman Michael T. McCaul for John Roth\n    Question 1. In your testimony, you highlighted a November 2012 \naudit where the Department of Homeland Security (DHS) Office of \nInspector General (OIG) tested DHS radios to determine whether DHS \ncomponents could talk to each other in the event of a terrorist event \nor other emergency. Only 1 of 479 radio users tested--or less than one-\nquarter of 1 percent--could access and use the specified common channel \nto communicate. Further, of the 382 radios tested, only 20 percent (78) \ncontained all the correct program settings for the common channel. You \ntestified that the reason the response rate was so low was that DHS did \nnot establish an effective governing structure with the authority and \nresponsibility to ensure it achieved Department-wide, interoperable \nradio communications. What is needed for DHS to establish an effective \ngoverning structure to solve this problem? What progress has DHS made \nsince the report in ensuring operators know how to properly use their \nradio?\n    Answer. According to the Office of Management and Budget, an \neffective governing structure includes clearly-defined areas of \nresponsibility, appropriately delegated authority, and a suitable \nhierarchy for reporting. DHS created working groups, committees, and \noffices to explore Department-wide communication issues, including \ninteroperability. However, none had the authority to implement and \nenforce their recommendations. DHS must establish a structure that has \nactual authority to enforce recommendations.\n    DHS prepared a draft DHS Communications Interoperability Plan \n(DCIP). As of today, the DCIP is still in draft. According to the DCIP, \nas we pointed out in our report, governance is the critical foundation \nof all efforts to address communication interoperability. Also \naccording to the DCIP, existing agreements governing interoperability \ndo not sufficiently support DHS' current needs. The Joint Wireless \nProgram Management Office (JWPMO) and the One DHS Emergency \nCommunications Committee are coordinating to determine appropriate \nroles and responsibilities. According to DHS, on March 17, 2013, the \nDCIP was briefed to the One DHS Emergency Communications Committee. It \nwas approved and signed by the Assistant Secretary for the National \nProtection and Programs Directorate; however, the DCIP is on hold, \npending a review of the Tactical Communications Executive Steering \nCommittee (TacCom ESC) and the outcome of H.R. 4289, the Department of \nHomeland Security Interoperable Communications Act. Wording in H.R. \n4289 may lead to a redefinition of interoperability and reassignment of \ninteroperable responsibilities. The estimated date of DCIP signature \nhas been extended from April 14, 2014, to the end of fiscal year 2014 \n(September 30, 2014). This will allow time for the TacCom ESC meeting \nto be scheduled and completed, as well as allow time for any requested, \nadditional follow-up briefings.\n    Historically, the JWPMO and its predecessor organizations have not \nhad success in achieving interoperability.\n    Question 2. It appears that the technology is available to achieve \ninteroperable communications. Does DHS have the proper infrastructure \nto use their IT network as a way to connect radios and other devices, \nsuch as smartphones, in both a command center and an operational \nenvironment?\n    Answer. DHS does not currently have the IT infrastructure to \nsupport a broadband network in the operational environment. We have not \ndone any work specifically looking at this capability, but the \navailable body of knowledge provides the following insights.\n  <bullet> A broadband network could improve incident response, by \n        providing video and data not currently available on Land Mobile \n        Radio (LMR) systems; Nation-wide access; and interoperability.\n    <bullet> The Government Accountability Office (GAO) and public \n            safety organizations and officials indicate that mission-\n            critical voice communication will not likely be available \n            on broadband networks for many years.\n    <bullet> There is disagreement among industry experts about how \n            soon mission-critical voice capability could be available--\n            some industry experts predict voice capabilities will be \n            available within a few years, while others project it will \n            not be available for at least a decade.\n    <bullet> Long-term Evolution (LTE), the Federal Communications \n            Commission standard for public safety broadband \n            communication, is not currently designed to support \n            mission-critical voice communication, such as push-to-talk.\n    <bullet> GAO has reported other communication limitations \n            associated with broadband networks, such as limited network \n            access inside large buildings or underground.\n    <bullet> GAO has reported that any new broadband network could \n            require up to 10 times the number of towers as current LMR \n            systems because, as a cellular network, broadband would use \n            a series of lower power towers to transmit signals and \n            reduce interference.\n    <bullet> Additional towers for the broadband network would also \n            need to be hardened to withstand disasters, such as \n            hurricanes.\n    <bullet> GAO has reported that a broadband network would \n            supplement, rather than replace, LMR systems for the \n            foreseeable future. Also, until there is mission-critical \n            voice communication, a public safety broadband network will \n            not resolve interoperability issues exacerbated by past \n            emergency responses.\n  <bullet> DHS approved its TacNet program in March 2011 and directed \n        establishment of the JWPMO to coordinate the program.\n    <bullet> TacNet, a new DHS acquisition program, seeks to leverage \n            public safety broadband and commercial networks to develop \n            a single network capable of supporting voice, video, and \n            data capabilities through DHS subscriptions to LTE public \n            safety and commercial broadband networks.\n    <bullet> In collaboration with the JWPMO, the DHS Science & \n            Technology Directorate plans to award $7.5 million in \n            contracts this fiscal year for a technology demonstrator \n            program that will offer mission-critical voice capabilities \n            and accommodate DHS video and data needs on a broadband, \n            LTE network.\n    <bullet> DHS plans to limit upgrading and modernizing its current \n            LMR systems, based on DHS priorities and mission-critical \n            needs, to address equipment obsolescence, Federal \n            narrowband and security requirements, and interoperability \n            standards.\n    <bullet> DHS has estimated that full modernization of its legacy \n            radio systems to meet these requirements would cost about \n            $3.2 billion. In March 2012, DHS awarded a $3 billion \n            Department-wide contract to acquire equipment and services \n            needed to maintain, upgrade, and modernize its legacy LMR \n            system.\n           Question From Honorable Jeff Duncan for John Roth\n    Question. According to an AP news report in 2012, Suzanne Barr, a \nsenior Obama administration political appointee at Immigration and \nCustoms Enforcement (ICE), resigned amid allegations of inappropriate \nsexual behavior and cultivating a ``frat house'' atmosphere at ICE. \nPrior to her resignation, Suzanne Barr was serving as chief of staff to \nformer ICE Director John Morton. It appears that an OIG investigation \nwas started, but did not continue after Barr resigned. As the newly-\nconfirmed DHS inspector general, please explain to the committee what \nbecame of this investigation and why it appears that the investigation \ndid not continue.\n    Answer. The Office of Investigations, Office of Inspector General, \ndid not open an investigation into allegations of misconduct by Suzanne \nBarr in 2012. We conducted a preliminary inquiry as we were made aware \nof the allegations. We established there was an on-going Title VII \ncivil suit filed by an Immigration and Customs Enforcement special \nagent in charge in New York City claiming harassment and retaliation. \nThis litigation overlapped with the allegations we were aware of. \nAdditionally, Suzanne Barr resigned in September 2012. Any Office of \nInspector General administrative investigation would have been rendered \nmoot as she was no longer a DHS employee.\n    With regards to an allegation we received in November 2011, in \nDecember 2011 the Office of Inspector General issued a Report of \nInvestigation to then-Immigration and Customs Enforcement Director John \nMorton. The investigation was initiated based on a referral from \nImmigration and Customs Enforcement, Office of Professional \nResponsibility alleging that Suzanne Barr and Tracey Bardoff, assistant \ndirector, Immigration and Customs Enforcement misused Government funds \nto pay for their July 20, 2011 official travel to Mexico City, Mexico \nand a subsequent personal trip to Cancun, Mexico on July 22, 2011. The \nallegation further stated neither attended the official meetings in \nMexico City, Mexico. The investigation developed no evidence that \neither Barr or Bardoff misused Government funds.\n\n                                 [all]\n\x1a\n</pre></body></html>\n"