Information Technology: OMB and Department of Homeland Security  
Investment Reviews (10-FEB-04, GAO-04-323).			 
                                                                 
In July 2002, the Office of Management and Budget (OMB) issued	 
two memorandums directing agencies expected to be part of the	 
Department of Homeland Security (DHS) to temporarily cease	 
funding for new information technology (IT) infrastructure and	 
business systems investments and submit information to OMB on	 
current or planned investments in these areas. GAO was asked to  
(1) explain OMB's implementation of these memorandums, (2)	 
identify any resulting changes to applicable IT investments, and 
(3) ascertain if DHS has initiated its own investment management 
reviews and, if so, what the results of these reviews have been. 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-04-323 					        
    ACCNO:   A09487						        
  TITLE:     Information Technology: OMB and Department of Homeland   
Security Investment Reviews					 
     DATE:   02/10/2004 
  SUBJECT:   ADP procurement					 
	     Cost control					 
	     Federal agency reorganization			 
	     Information resources management			 
	     Information technology				 
	     Investments					 
	     Planning programming budgeting			 
	     Strategic information systems planning		 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-04-323

United States General Accounting Office

GAO

                       Report to Congressional Requesters

February 2004

                                  INFORMATION
                                   TECHNOLOGY

           OMB and Department of Homeland Security Investment Reviews

                                       a

GAO-04-323

Highlights of GAO-04-323, a report to the Chairman, House Committee on
Government Reform and Chairman, Subcommittee on Technology, Information
Policy, Intergovernmental Relations and the Census

In July 2002, the Office of Management and Budget (OMB) issued two
memorandums directing agencies expected to be part of the Department of
Homeland Security (DHS) to temporarily cease funding for new information
technology (IT) infrastructure and business systems investments and submit
information to OMB on current or planned investments in these areas (see
figure below for a timeline).

GAO was asked to (1) explain OMB's implementation of these memorandums,
(2) identify any resulting changes to applicable IT investments, and (3)
ascertain if DHS has initiated its own investment management reviews and,
if so, what the results of these reviews have been.

GAO is making recommendations to DHS to (1) report savings resulting from
its consolidation and integration of systems and (2) develop a schedule
for reviews of IT investments subject to departmental oversight. In
commenting on a draft of the report, OMB representatives stated that they
generally agreed with our findings and DHS officials stated that it was
factually accurate.

February 2004

INFORMATION TECHNOLOGY

OMB and Department of Homeland Security Investment Reviews

The July 2002 memorandums established an investment review group cochaired
by OMB and the Office of Homeland Security to review submitted investments
and estimated that millions of dollars potentially could be saved as a
result of consolidating and integrating component agency investments. The
investment review group relied on an informal, undocumented process to
fulfill its responsibilities. Nevertheless, according to OMB and DHS IT
officials, the review group both reviewed five component agency
investments that were submitted and addressed long-term IT strategic
issues related to the transition to the new department.

OMB and DHS IT officials cited some changes to agency IT infrastructure
and business systems investments because of the July memorandums. In
addition, DHS IT officials cited other benefits that resulted from the
memorandums. However, it is not known whether, or the extent to which,
savings have resulted from the memorandums. In particular, OMB did not
track savings associated with the July memorandums because, according to
OMB IT staff, anticipated budgetary savings had not occurred at the time
the review group was in place. DHS's chief information officer stated that
the department plans to track savings related to the consolidation and
integration of systems and has established a mechanism for doing so.
However, until such savings are identified, tracked, and reported it will
remain unknown whether the July memorandums and the subsequent
establishment of DHS have achieved the potential economies identified by
OMB.

Once DHS became operational and the investment review group no longer
existed, the department established its own IT investment management
process, which is still evolving. As part of this process, between May
2003 and late January 2004, the DHS's highest level investment management
board performed reviews of nine investments that had reached key decision
points. Even with this progress, the department has identified about 100
IT programs that are eligible for review by its two top department-level
boards. However, DHS has not established a process to ensure that key
reviews of such IT investments are performed in a timely manner.

Timeline of Events Related to the OMB Memorandums and the Establishment of
DHS

www.gao.gov/cgi-bin/getrpt?GAO-04-323.

To view the full product, including the scope

and methodology, click on the link above. For more information, contact
David Powner at (202) 512-9286 or [email protected].

Source: GAO.

Contents

  Letter

Results in Brief
Background
Implementation of OMB's July 2002 Memorandums
Some Changes Were Made to Component Agency IT Infrastructure

and Business Systems Investments DHS Has Initiated Reviews of Component
Agency IT Investments,

but Its Processes Are Still Evolving Conclusions Recommendations for
Executive Action Agency Comments

1 3 4 9

11

15 20 21 21

  Appendix

         Appendix I: DHS Department-Level Investment Management Boards
Tables       Table 1: Summary of Changes to Component Agencies' IT      
                                     Investments                           12 
                       Table 2: Summary of IRB Control Reviews             18 
Figures Figure 1: Timeline of Events Related to the OMB Memorandums and    
                                                  the Establishment of DHS  8
                       Figure 2: DHS Investment Review Process             17 

Contents

Abbreviations

ACE Automated Commercial Environment
CAPPS II Computer Assisted Passenger Prescreening System
CIO chief information officer
DHS Department of Homeland Security
IRB Investment Review Board
IT information technology
OMB Office of Management and Budget
US-VISIT United States Visitor and Immigrant Status Indicator

Technology

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

A

United States General Accounting Office Washington, D.C. 20548

February 10, 2004

The Honorable Tom Davis
Chairman, Committee on Government Reform
House of Representatives

The Honorable Adam H. Putman

Chairman, Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census Committee on Government Reform
House of Representatives

The Homeland Security Act of 2002 (P.L. 107-296), which was enacted in
November 2002, brought together 22 diverse agencies and created a new
cabinet-level department-the Department of Homeland Security (DHS)- to
help prevent terrorist attacks in the United States, reduce the
vulnerability of the United States to terrorist attacks, and minimize the
damage and assist in recovery from attacks that do occur. The new DHS
presents both information technology (IT) challenges and opportunities.
For example, DHS (1) faces considerable challenges in integrating the many
systems and processes that provide management with information necessary
for decision making and (2) offers opportunities to identify and eliminate
redundant investments and achieve more efficiencies in IT investments.

To begin to tackle these issues even before the department was formed, the
Office of Management and Budget (OMB) in July 2002 issued two memorandums
directing federal agencies1 that were expected to be part of the new
department to temporarily cease funding for new IT infrastructure and
business systems investments and submit information to OMB on

1The entities that were affected by one or both of the July 2002
memorandums were the Department of Agriculture's Animal and Plant Health
Inspection Service, the Federal Emergency Management Agency, the
Department of Justice's Immigration and Naturalization Service, the
Department of Transportation's Transportation Security Administration and
Coast Guard, and the Department of the Treasury's Secret Service and
Customs Service. Each of these entities was transferred at least in part
to DHS, and will be referred to as component agencies for purposes of this
report.

current or planned investments in these areas.2 These memorandums also
established an investment review group,3 co-chaired by OMB and the Office
of Homeland Security, to review investments that met the criteria in the
July memorandums. In October 2002, we testified that it was too early to
assess the impact of OMB's action because agency submissions were still
being evaluated.4

Since DHS has now been established, you requested that we follow up on our
prior testimony and (1) explain how OMB implemented the July 2002
memorandums; (2) identify what, if any, changes to agency IT investments
resulted from the July memorandums and the Homeland Security IT Investment
Review Group's evaluations (hereafter called the review group); and (3)
ascertain whether DHS has initiated its own investment management reviews
and, if so, what the results of these reviews have been. To address the
first objective, we sought available documentation on the criteria and
process used by the investment review group to make decisions. Likewise
for the second objective, we sought documentation from OMB and applicable
DHS component agencies on decisions made by the investment review group
and on changes to IT investments that resulted from the July 2002
memorandums. However, according to OMB and DHS IT officials, the processes
used and decisions made by the review group and the DHS component agencies
were not documented. As a result, we largely relied upon interviews with
applicable OMB and DHS IT officials-including representatives from OMB's
Office of Information and Regulatory Affairs, the DHS chief information
officer (who is also the former Office of Homeland Security co-chair of
the investment review group), and DHS component agency IT officials-to
address the first two

2According to OMB representatives, the July 2002 memorandums stopped being
applicable once DHS became operational in March 2003.

3The July 2002 memorandums created two investment review groups, the (1)
Homeland Security IT Investment Review Group, which was to review IT
infrastructure investments, and (2) Business Systems IT Review Group,
which was to review business systems investments. However, according to an
OMB IT representative and the Office of Homeland Security co-chair of
these groups, because the membership was largely the same (they generally
comprised the chief information officers of the component agencies
expected to be part of DHS although some chief financial officers were
also represented), they acted as a single entity. Accordingly, we refer to
these groups as the Homeland Security IT Investment Review Group for
purposes of this report.

4U.S. General Accounting Office, Homeland Security: OMB's Temporary
Cessation of Information Technology Funding for New Investments,
GAO-03-186T (Washington, D.C.: Oct. 1, 2002).

objectives. To address the third objective, we reviewed DHS's IT
investment management review policies and documentation of DHS reviews
performed of component agency IT investments. This documentation included
decision memorandums issued by its highest level investment management
board on the results of its reviews. We also interviewed the DHS chief
information officer (CIO), chief technology officer, and the coordinator
of the DHS investment review process. We performed our work at OMB and DHS
in Washington, D.C., between July 2003 and January 2004, in accordance
with generally accepted government auditing standards.

Results in Brief	The Homeland Security IT Investment Review Group relied
on an informal and undocumented process to fulfill its responsibilities
under the July 2002 memorandums. Nevertheless, according to OMB and DHS IT
officials, the review group both reviewed the few component agency
investments that were submitted for approval and addressed long-term
issues related to the transition to the new department. In particular, OMB
IT representatives stated that when the establishment of DHS became closer
in time the investment review group shifted its focus to IT strategic
issues related to the transition to the proposed department.

OMB and DHS IT officials cited some changes to agency IT infrastructure
and business systems investments because of the July memorandums. The
component agencies submitted five requests to the review group, which
recommended their approval but with conditions. An example of a request
that was recommended for approval was the Secret Service's request to
procure search engine software. According to Secret Service, OMB, and DHS
IT officials, this request was recommended for approval with the condition
that the contractual document allow other component agencies to use the
search engine. Four component agencies also reported other changes,
including putting planned enhancements on hold, as a result of the July
memorandums. However, it is not known whether, or the extent to which,
savings have resulted from the memorandums. In particular, OMB did not
track the savings associated with the July memorandums because, according
to OMB IT staff, budgetary savings had not occurred at the time that the
review group was in place. Until savings resulting from the consolidation
and integration of systems and services are identified, tracked, and
reported it will remain unknown whether OMB's July memorandums and the
subsequent establishment of DHS have achieved the potential economies
identified by OMB in the memorandums.

Once DHS became operational and the investment review group no longer
existed, the department established its own IT investment management
process, which is still evolving. As part of this process, DHS's CIO
reported that he approved the department's IT portfolio for the fiscal
year 2005 budget cycle. In addition, between May 2003 and late January
2004, the department's highest level investment management board had
performed control reviews5 on nine investments that had reached certain
key decision points. In each of these cases the project was allowed to
proceed but additional documentation was required and/or conditions set.
Although DHS is making progress in reviewing component agency projects,
the department has identified about 100 IT programs that are eligible for
review by its two top-level departmental investment management boards.
According to IT officials, DHS is having difficulty in bringing all of
these programs before the boards in a timely manner. Moreover, DHS has not
established a process to ensure that key reviews of component agency IT
investments subject to departmental reviews are performed in a timely
manner, although it has begun to collect information on the priorities and
schedules of its top-level investments as a first step.

We are making recommendations to DHS that it report the savings that
result from its consolidation and integration of systems and services and
develop a control review schedule for IT investments subject to
departmental oversight.

We received oral comments on a draft of this report from OMB and DHS
representatives, who stated that they generally agreed with our findings
and that it was factually accurate, respectively.

Background	With the terrorist attacks of September 11, 2001, the threat of
terrorism rose to the top of the country's national security and law
enforcement agendas. In response to these growing threats, the Congress
passed and the President signed the Homeland Security Act of 2002, which
created DHS. We have previously identified IT management as critical to
the

5During the control phase of the IT investment management process, the
organization ensures that, as projects develop and as funds are spent, the
project is continuing to meet mission needs at the expected levels of cost
and risk.

transformation of the new department.6 Not only does DHS face considerable
challenges in integrating the many systems and processes that provide
management with information for decision making, but it must sufficiently
identify its future needs in order to build effective systems that can
support the national homeland security strategy in the coming years. To
jump start this planning process and also begin to identify opportunities
for improved effectiveness and economy, OMB issued two memorandums in July
2002 to selected agencies telling them to "cease temporarily" and report
on new IT infrastructure and business systems investments above $500,000.

    Mission, Organization, and Role of IT in DHS

On March 1, 2003, DHS assumed operational control of nearly 180,000
employees from 22 incoming agencies and offices. In establishing the new
department, the Congress articulated a seven-point mission for DHS:

o  Prevent terrorist attacks within the United States.

o  Reduce the vulnerability of the United States to terrorism.

o  Minimize the damage and assist in the recovery from terrorist attacks.

o 	Carry out all functions of entities transferred to the department,
including by acting as a focal point regarding natural and man-made crises
and emergency planning.

o 	Ensure that the functions of the agencies within the department that
are not directly related to securing the homeland are not diminished or
neglected.

o 	Ensure that the overall economic security of the United States is not
diminished by efforts aimed at securing the homeland.

o 	Monitor connections between illegal drug trafficking and terrorism,
coordinate efforts to sever such connections, and otherwise contribute to
efforts to interdict illegal drug trafficking.

6U.S. General Accounting Office, Major Management Challenges and Program
Risks: Department of Homeland Security, GAO-03-102 (Washington, D.C.:
January 2003).

To help DHS accomplish its mission, the Homeland Security Act of 2002
establishes four mission-related directorates, the (1) Border and
Transportation Security directorate, (2) Emergency Preparedness and
Response directorate, (3) Science and Technology directorate, and (4)
Information Analysis and Infrastructure Protection directorate. In
addition to these directorates, the U.S. Secret Service and the U.S. Coast
Guard remain intact as distinct entities within DHS; Immigration and
Naturalization Service adjudications and benefits programs report directly
to the deputy secretary as the Bureau of Citizenship and Immigration
Services, and the Management directorate is responsible for budget, human
capital, and other general management issues.7

According to the most recent President's budget, DHS expects to make about
$4 billion in IT investments in fiscal year 2004-the third largest IT
investment budget in the federal govenment.8 In addition, as we have
testified, information management and technology are among the critical
success factors that the new department should emphasize in its initial
implementation phase.9 For example, DHS currently has several ongoing IT
projects that are critical to the effective implementation of its mission,
such as the

o 	Integrated Surveillance Intelligence System, which is to provide "24 by
7" border coverage through ground-based sensors, fixed cameras, and
computer-aided detection capabilities;

o 	Student Exchange Visitor Information System, which is expected to
manage information about nonimmigrant foreign students and exchange
visitors from schools and exchange programs;

7DHS's Office of the CIO is part of the Management directorate.

8Office of Management and Budget, Budget of the U.S. Government, Fiscal
Year 2005, Report on IT Spending for the Federal Government for Fiscal
Years 2003, 2004, and 2005. We did not verify these data.

9U.S. General Accounting Office, Homeland Security: Proposal for Cabinet
Agency Has Merit, But Implementation Will be Pivotal to Success,
GAO-02-886T (Washington, D.C.: June 25, 2002).

o 	Automated Commercial Environment project, which is to be a new trade
processing system;10 and

o 	United States Visitor and Immigrant Status Indicator Technology
(US-VISIT), a governmentwide program intended to improve the nation's
capacity for collecting information on foreign nationals who travel to the
United States, as well as control the pre-entry, entry, status, and exit
of these travelers.11

Moreover, as all of the programs and agencies are brought together in the
new department, it will be an enormous undertaking to integrate their
diverse communication and information systems. Among the IT challenges
that the new department will have to face and overcome are developing,
maintaining, and implementing an enterprise architecture,12 and
establishing and enforcing a disciplined IT investment management process
(which includes establishing an effective selection, control, and
evaluation process).13 The department's ability to overcome these
challenges is complicated by the IT management problems that its major
components had when they transferred to DHS. Specifically, as we
previously reported, we still have numerous outstanding IT management
recommendations that require action at component agencies, such as the
Customs Service and the Coast Guard.14

10We have previously issued reports on this initiative. For example, see
U.S. General Accounting Office, Customs Service Modernization: Automated
Commercial Environment Progressing, but Further Acquisition Management
Improvements Needed, GAO-03-406 (Washington, D.C.: Feb. 28, 2003).

11We have previously issued reports on this initiative. For example, see
U.S. General Accounting Office, Homeland Security: Risks Facing Key Border
and Transportation Security Program Need to Be Addressed, GAO-03-1083
(Washington, D.C.: Sept. 19, 2003).

12An enterprise architecture is a blueprint for institutional
modernization and evolution that consists of models describing how an
entity operates today and how it intends to operate in the future, along
with a plan for how it intends to transition to this future state.

13We have issued guidance to agencies related to enterprise architecture,
IT investment management, and other management issues. For example, see
U.S. General Accounting Office, Information Technology: A Framework for
Assessing and Improving Enterprise Architecture Management (Version 1.1),
GAO-03-584G (Washington, D.C.: Apr. 1, 2003) and Information Technology
Investment Management: A Framework for Assessing and Improving Process
Maturity, GAO/AIMD-10.1.23, Exposure Draft (Washington, D.C.: May 2000).

14U.S. General Accounting Office, Homeland Security: Information
Technology Funding and Associated Management Issues, GAO-03-250
(Washington, D.C.: Dec. 13, 2002).

    OMB's July 2002 Memorandums on IT Infrastructure and Business Systems
    Investments

Figure 1 illustrates the timing of OMB's July 2002 memorandums. These
memorandums instructed selected agencies to (1) cease temporarily new IT
infrastructure and business systems (i.e., financial management,
procurement, and human resources systems) investments above $500,000
pending a review of the investment plans of all proposed DHS component
agencies; (2) identify and submit to OMB information on any current or
planned spending on these types of initiatives; and (3) participate in
applicable IT investment review groups co-chaired by OMB and the Office of
Homeland Security.

Figure 1: Timeline of Events Related to the OMB Memorandums and the
Establishment of DHS

According to OMB, its goal in issuing these memorandums was to seek
opportunities for improved effectiveness and economy. In addition,
according to officials from OMB's Office of Information and Regulatory
Affairs, another purpose was to obtain an inventory of current and planned
IT infrastructure and business systems investments for organizations to be
moved to DHS, which was expected to help in the administration's
transition planning.

Although OMB directed selected agencies to temporarily cease these
investments, it did not necessarily mean that work was to be stopped on
all IT infrastructure and business systems projects at the applicable
agencies. First, the memorandums only pertained to funding for new
development efforts and not to existing systems in a "steady state" using
operations and maintenance funding. Second, the cessation did not apply if
funds pertaining to a development or acquisition contract had already been
obligated. Third, agencies could request an expedited review to obtain the

approval to proceed if they had an emergency or critical need. The
following are examples of how OMB's direction to temporarily cease IT
investments would apply in certain circumstances.

o 	If an agency had an existing procurement system in a steady state in
which no major modifications or modernization efforts were planned, there
would have been no effect on the funding of this system.

o 	If an agency had an ongoing contract with available obligations for the
development of a financial management system, there would have been no
effect on this contract, but new obligations for development or
modernization efforts would have been required to be approved by the
review group.

o 	If an agency wanted to award a contract over $500,000 for a new or
modernized IT infrastructure item such as a local area network, it would
have been required to obtain approval from the investment review group
before proceeding.

Our testimony of October 2002, stated that it was not possible to assess
the full effect of the July memorandums on the selected agencies at that
time.15 Except for emergency requests, according to representatives from
OMB's Office of Information and Regulatory Affairs, the review group had
not taken any action at the time of our review on the agencies'
submissions in response to the July memorandums because neither they nor
OMB had completed their reviews of these documents.

  Implementation of OMB's July 2002 Memorandums

The July memorandums called on the Homeland Security IT Investment Review
Group to assess individual IT investments as part of considering whether
to consolidate or integrate component agency efforts. In fulfilling this
role, the review group relied on an informal process, which was not
documented. Although the review group reviewed the few investments that
component agencies submitted, according to OMB and DHS IT officials, the
group generally addressed broader issues related to the transition to the
new department. In particular, these officials noted that the review group
concentrated on longer term IT strategic issues, such as those related to

15GAO-03-186T.

the development of an enterprise architecture, associated with the
transition to the proposed department.

The investment review group was tasked with (1) reviewing component agency
IT investment submissions that met the criteria in the memorandums, and
(2) making recommendations related to these submissions, including looking
for opportunities to consolidate and integrate component agency
investments. According to OMB IT representatives, the group generally met
once a week but did not have a documented process for performing reviews
of the few component agency investments that were submitted for review.
These officials reported that in the review process that was implemented,
(1) agencies requested approval of selected IT investments, (2) OMB and
the investment review group reviewed the agency submission, and (3) the
review group made a recommendation. Once this recommendation was made, the
normal budget execution process was implemented. Moreover, according to
these representatives, the investment review group used the principles
contained in section 300 of OMB Circular A-11 and section 8(b) of OMB
Circular A-130 as the criteria for evaluating submitted investments.16 In
addition, in commenting on a draft of this report, representatives from
OMB's Office of Information and Regulatory Affairs and Office of the
General Counsel stated that although the activities of the Homeland
Security IT Investment Review Group were generally conducted on an
informal basis, the group relied on the already-existing processes
documented in these circulars to fulfill its responsibilities.

According to OMB IT representatives, when the establishment of DHS became
closer in time, the focus of the review group shifted from reviewing
individual investments to addressing the IT strategic issues involved with
establishing the department. In particular, according to DHS officials,
the review group created six working groups to address, respectively,
business architecture, networks, information security, Web management,
directory services (e.g., e-mail capability), and technical reference
model issues. In addition, according to these officials, the investment
review group took

16These circulars instruct agencies to develop, implement, and use capital
programming processes that, for example: (1) evaluate and select capital
asset investments that will support core mission functions and demonstrate
projected returns on investments that are clearly equal to or better than
alternative uses of public resources, (2) ensure that improvements to
existing and planned information systems do not unnecessarily duplicate IT
capabilities within the same agency, and (3) institute performance
measures and management processes that monitor and compare actual
performance with planned results.

into account transition work being performed by other entities. For
example, the review group worked with a liaison from the Chief Financial
Officers Council, which was looking at financial management system matters
related to the new department.

  Some Changes Were Made to Component Agency IT Infrastructure and Business
  Systems Investments

The July 2002 memorandums resulted in some changes to agency IT
infrastructure and business systems investments. Specifically, according
to OMB and DHS IT officials, the review group recommended approval with
conditions the five IT investments submitted to it and four component
agencies reported that they changed other initiatives as a result of the
memorandums. However, it is not known whether, or the extent to which,
savings have resulted from the memorandums. In particular, OMB did not
track the savings associated with the July memorandums because, according
to OMB IT representatives, budgetary savings had not occurred when the
review group was in place. Nevertheless, OMB and DHS IT officials cited
other benefits that resulted from the memorandums, such as the
identification of ongoing component agency efforts or resources that were
important to the operation of the department at its inception.

Four component agencies submitted five IT investment requests to be
reviewed by the review group. According to OMB and DHS IT officials, all
of these requests were recommended for approval with conditions. In
addition, four component agencies reported that on their own initiative
that they terminated, delayed, or changed other initiatives as a result of
the July memorandums. (See table 1.)

       Table 1: Summary of Changes to Component Agencies' IT Investments

Component 	Reported investment request/decision by the Investment decision
reported by the Homeland Security IT Investment Review Group component
agency

agencya

Animal and Plant  Did not request any o  Stopped expansion and maintenance 
                         decisions.                              of the Plant 
Health Inspection                     Protection and Quarantine Small Site 
                                                                         Data 
        Service                             Communications Infrastructure.    
                                          o  Put on hold further development  
                                                        of the                
                                              Automated Target System. Future 
                                                                 enhancements 
                                             to this system are still on hold 
                                                             pending DHS-wide 
                                                      decisions.              

Coast Guard	Submitted an emergency request to proceed with a licensing Did
not report any other changes as a result of the agreement with Microsoft.
This was recommended for approval July memorandums. with the condition
that the agreement be expanded to include other DHS entities. (According
to Coast Guard IT officials, the licensing agreement was not expanded to
include other DHS entities, but they could not explain why the review
group's condition was not met.)b

Customs Service	Submitted a nonemergency request to procure a new e-mail
Did not report any other changes as a result of the system. The review
group agreed with the procurement of a July memorandums. new e-mail system
but recommended a different technical solution. As of early January 2004,
this solution had not yet been implemented.

Federal Emergency Management Agency Did not request any decisions.  o 
Terminated a planned correspondence tracking

                                       c

system.

o  Terminated a planned personnel resources information system.

o  Integrated five infrastructure projects into ongoing DHS initiatives.

o  Scaled back its enterprise resource planning project pending DHS-wide
decisions.

o  Scaled back planned upgrades to its financial management system pending
DHS-wide decisions.

(Continued From Previous Page)

Component 	Reported investment request/decision by the Investment decision
reported by the Homeland Security IT Investment Review Group component
agency

agencya

Immigration and Naturalization Service

Did not request any decisions.  o  Put on hold planned enhancements to its
core financial management system pending DHSwide decisions. These
enhancements are still on hold.

o  Put on hold a planned replacement of its Correspondence Control and
Task Tracking System, which remains on hold.

o  Put on hold planned enhancements to Atlas, an initiative to upgrade its
IT infrastructure, pending DHS-wide decisions. These enhancements are
still on hold.

Secret Service	Submitted an emergency request to procure a search engine
Did not report any other changes as a result of the that would conduct
database searches across the agency. This July memorandums. request was
recommended for approval with the condition that the procurement include
other DHS entities.

Transportation Security Administration

o  Submitted an emergency request to proceed with a task order for a
managed services contract, which was recommended for approval with the
condition that the contract be expanded to include other DHS entities.

o  Submitted a nonemergency request to procure network infrastructures at
airports. This request was recommended for approval with the condition
that the agency use, to the extent possible, the existing airport
infrastructure capabilities of the Customs Service and the Immigration and
Naturalization Service. The Transportation Security Administration was
also directed to work with these agencies when a need for network
infrastructure is identified at specific airports.

Delayed the agency's plans for "back office" systems, such as human
resources and payroll systems. According to the Transportation Security
Administration's CIO, a final decision on these efforts is awaiting
DHS-wide decisions.

Source: OMB, DHS, and component agency IT officials.

aFor the purposes of this table, we used the names of the component
agencies that were employed at the time of the July 2002 memorandums. Some
of these names changed after DHS was established.

bAccording to the DHS CIO, this lack of compliance with the investment
review group's condition was mitigated by the later implementation of a
DHS-wide Microsoft enterprise license.

cThe Federal Emergency Management Agency reported that this project was
terminated, in part, because of the July 2002 memorandums.

The July memorandums stated that initial estimates indicated that
potential savings of between $100 million and $200 million (IT
infrastructure) and $65 million and $85 million (business systems) could
be achieved over a 2year period17 as a result of consolidating and
integrating component agency investments. OMB reported to congressional
committees that these estimates were based primarily on best practices in
the federal government and private industry. However, an OMB IT
representative stated that these estimates were a rough approximation and
that no documentation existed to support how they were derived.

The July memorandums also stated that the review group would track these
savings. Moreover, OMB reported to congressional committees that this
tracking would include a breakout of the savings, the cause of the
savings, and the time period in which the savings would be generated.
However, a tracking process was not established because, according to an
OMB IT representative, no budgetary savings had occurred at the time that
the investment review group was in place since no investment was
terminated by the group. According to this representative, OMB still
believes that budgetary savings will occur and expects that DHS will track
these savings. Moreover, this representative stated that OMB will be
actively working with DHS as part of its budgetary and management
processes to ensure that such savings occur.

DHS's CIO agreed that savings are expected to result from the department's
consolidation and integration of systems. Moreover, he stated that DHS
will be tracking such savings and has established a mechanism for doing
so. Specifically, the CIO pointed to DHS's establishment of IT commodity
councils-groups that are responsible for a collection of related materials
or services-that would perform this function. According to the Director of
Strategic Sourcing and Acquisition Systems, the councils have established
project teams that are responsible for tracking savings. According to this
official, each project is in the process of developing their project
plans, departmental requirements, and savings targets. Until savings
resulting from the consolidation and integration of systems and services
are identified, tracked, and reported, it will remain unknown whether
OMB's July memorandums and the subsequent establishment of DHS have
achieved the potential economies identified by OMB. In addition, DHS IT
officials stated that they were not aware of any plans to report budgetary

17OMB did not specify the 2 years. The DHS CIO believes that the OMB
savings estimates are achievable, but are not likely to be realized in the
first 2 years of DHS's establishment.

savings resulting from the consolidation and integration of systems to
applicable congressional committees. Such savings information is an
important element for the Congress to consider when deliberating DHS
budget requests and overseeing its IT management. Moreover, the Chairman
of the House Committee on Government Reform has previously expressed
concern that there has been a tremendous push for additional IT spending
at DHS component agencies without ensuring appropriate management or
accountability.

Although budgetary savings have not yet been identified, DHS IT officials,
including the CIO, cited other benefits to the July memorandums. In
particular, DHS IT officials estimated that several million dollars in
costs have been avoided as a result of the Secret Service decision. (A
Secret Service IT official provided an explanation of how this estimate
was derived, but we could not validate this amount because it was not
clearly supported by the documentation provided.) In addition, the CIO
stated that the investment review group evolved into the department's CIO
Council, which is responsible for developing, promulgating, implementing,
and managing a vision and direction for information resources and
telecommunications management. Further, the DHS chief technology officer
reported that the review group provided the new department with a head
start on day one operations by, for example, deciding to use the
Immigration and Naturalization Service's network backbone for the
department. Finally, these and DHS component agency IT officials stated
that the memorandums facilitated the department's long-term IT planning
efforts, including the development of an enterprise architecture.18

  DHS Has Initiated Reviews of Component Agency IT Investments, but Its
  Processes Are Still Evolving

Once DHS became operational and the investment review group established by
the July memorandums no longer existed, the department established an IT
investment management process that includes departmental reviews of
component agency IT investments meeting certain criteria. As part of the
selection phase19 of this process, DHS's CIO reported that he approved the
department's IT portfolio as part of the fiscal year 2005 budget cycle. In
addition, as of January 26, 2004, the department's

18In September 2003, DHS completed the first version of its target
enterprise architecture.

19During the selection phase of an IT investment management process, the
organization (1) selects projects that will best support its mission needs
and (2) identifies and analyzes each project's risks and returns before
committing significant funds.

highest level investment management board had performed control reviews20
of nine investments that had reached key decision points. In each of these
cases, the project was allowed to proceed although additional
documentation was required and/or conditions were set. Finally, the
department's investment management process is still evolving as the
department attempts to deal with a large number of IT investments eligible
for departmental reviews.

In May 2003, DHS issued an investment review management directive and IT
capital planning and investment control guide, which provide the
department's entities with requirements and guidance on documentation and
review of IT investments. In particular, the management directive
establishes four levels of investments, the top three of which are subject
to review by department-level boards-the Investment Review Board (IRB),
Management Review Council, and Enterprise Architecture Board. Appendix I
provides a description of these department-level boards and the
investments that they are responsible for. The directive also establishes
a five-phase acquisition process that calls for these investments to be
reviewed at key decision points, such as program authorization. In
addition, the IT capital planning and investment control guide lays out a
process for selecting, controlling, and managing investments. Figure 2
provides an overview of the review process outlined in the management
directive and capital planning and investment control guide.

20During the control phase of the IT investment management process, the
organization ensures that, as projects develop and as funds are spent, the
project is continuing to meet mission needs at the expected levels of cost
and risk.

Figure 2: DHS Investment Review Process

As part of the selection phase of its capital planning and investment
control process, DHS reviewed component agency IT investments for its
fiscal year 2005 budget submission. Specifically, according to DHS IT
officials, (1) the CIO approved the department's IT portfolio and (2) all
of the major IT systems submitted to OMB for the fiscal year 2005 budget
were assessed and scored by an investment review team.21

In addition, beginning in May 2003, DHS's top-level board (the IRB) began
reviewing the department's highest priority projects. As of January 26,
2004, the department had performed 12 control reviews of nine investments.
Table 2 summarizes the results of these reviews.

21The investment review team was made up of representatives from the
offices of the CIO, chief financial officer, and the chief procurement
officer, as well as several component agencies.

Table 2: Summary of IRB Control Reviewsa

Sponsoring                                                    
component entity      IT investment             Decision          Comments 
Border and            Automated Commercial                    
Transportation        Environment (ACE)                       
Security                                                      
Directorate                                                   

Two reviews of this program were held. First, on September 25, 2003, the
IRB designated this investment as a DHS level I investment and approved
its strategic direction. The IRB also decided to reconvene when a DHS
review team assessing the ACE program documentation had completed its
review. Second, on November 20, 2003, the IRB agreed with the findings of
this review team and directed that the team's recommendations be
implemented. The IRB also authorized the approval of the program's fiscal
year 2004 expenditure plan.

In both reviews, the IRB directed the sponsor to submit additional
documentation. In addition, in the second review the IRB stated that DHS's
Planning Analysis and Evaluation office would hold working group meetings
with ACE program staff to review the department's comments and develop an
oversight action plan.

Border and United States Visitor and Transportation Immigrant Status
Indicator Security Technology (US-VISIT) Directorate Three reviews on this
program were held. First, on May 30, 2003, US-VISIT was approved to
continue work but did not receive approval to enter into the capability
development and demonstration acquisition phase. Second, on September 8,
2003, DHS stated that US-VISIT had not satisfied the exit criteria for
increment 1 and 2. Nevertheless, because of its importance to improving
security, US-VISIT was allowed to continue the design and deployment of
its first increment and planning for future increments concurrent with it
working on satisfying the DHS requirements set forth in the decision
memorandum. Third, the IRB reviewed US-VISIT on November 25, 2003, but the
decision memorandum was not available as of January 26, 2004. At the time
of the first review, the sponsor was provided with exit criteria and dates
for submission of documentation, such as the configuration management plan
and life-cycle cost estimate, which constitutes the exit criteria for the
next acquisition phase.

     Border and   Computer Assisted Designated as a DHS  Stated that program  
                                    level I investment,     must provide      
                  Passenger            approved its       updated information 
Transportation Prescreening           strategic        prior to requesting 
                                      direction, and    
                                    authorized the      the next key decision 
      Security    System (CAPPS II) program to proceed     point approval and 
                                    with the            
                                    capability               required that it 
    Directorate                     development and     address various areas 
                                    demonstration                          of 
                                          phase.          concern, such as    
                                                              ensuring        
                                                         interoperability of  
                                                           data transfer,     
                                                        addressing privacy    
                                                        and policy issues,    
                                                           and identifying    
                                                          industry savings    
                                                         associated with the  
                                                              project.        

(Continued From Previous Page)

Sponsoring
component entity IT investment Decision Comments

                   Immigration       Designated as a DHS    Required that the 
Citizenship and Services       level I investment and  sponsor (1) develop 
                                                                            a 
                                  provided interim       transition plan that 
     Immigration   Modernization  approval to commence   is approved by the   
                                  the                    
Services Bureau                capability development DHS CIO; (2) develop 
                                  and demonstration           a plan to       
                                          phase.            accelerate the    
                                                            development of    
                                                         paperless processes  
                                                            and electronic    
                                                          archives; and (3)   
                                                            submit systems    
                                                         documentation, such  
                                                             as a mission     
                                                         needs statement and  
                                                               test and       
                                                           evaluation plan.   

Coast Guard	Integrated Deepwater Designated as a DHS level I investment
and Systems Program approved its strategic direction.

Established an oversight process in which (1) DHS's Planning Analysis and
Evaluation office is to establish a reporting system to capture
key/critical program/platform activities and attend Deepwater program
reviews, (2) the IRB deferred decisions on Key Decision Points related to
specific asset/capability types to the Coast Guard Acquisition Executive,
and (3) the IRB is to be briefed annually on the program.

Management  Consolidated IT Designated as a DHS level Directed the sponsor 
               Security        I investment and              to submit a      
Directorate     Program     provided interim approval    mission needs     
                               to commence the           statement and other  
                               capability development    planning documents,  
                               and demonstration             including a      
                                        phase.            program management  
                                                               plan and       
                                                                  operational 
                                                                 requirements 
                                                                document, the 
                                                              successful      
                                                         completion of which  
                                                         constitutes the exit 
                                                         criteria for the     
                                                         next                 
                                                          acquisition phase.  

Management Homeland Secure Data Decision memorandum was not available as
Directorate Network of January 26, 2004.

Management  Resource Management   Approved mission   Decision memorandum   
                                    needs statement and included exit         
               Transformation         authorized the    criteria for the next 
Directorate Program                program's entry   acquisition phase,    
                                         into the       
                                    concept &                     such as the 
                                    technology          successful completion 
                                    development phase.                   of a 
                                                        risk management plan  
                                                        and test and          
                                                        evaluation plan, the  
                                                             successful       
                                                          completion of which 
                                                         constitutes the exit 
                                                        criteria for the next 
                                                        acquisition phase.    

Science and Wireless Public Designated as a DHS level     Directed the     
                   Safety      I investment and           sponsor to submit a 
Technology   Interoperable    approved its strategic      mission needs    
                                       direction.         statement and other 
Directorate  Communications                            planning documents, 
                       Program                            the successful      
                                                          completion of which 
                                                          constitute the exit 
                                                          criteria for the    
                                                          next acquisition    
                                                          phase               
                                                          and required that a 
                                                            review team be    
                                                          established to      
                                                          study funding       
                                                          issues.             

Source: DHS.

aAccording to DHS IT officials, the Enterprise Architecture Board approved
each of these projects' presentations to the IRB prior to their
submission.

Although DHS is making progress in reviewing component agency projects,
its investment management process continues to evolve. In particular, as
of January 2, 2004, the department had identified about 100 IT programs22
that were eligible for review by its two top-level departmental boards
and, according to IT officials, is having difficulty in bringing all of
these programs before the boards in a timely manner. Moreover, DHS has not
established a process to ensure that control reviews of component agency
IT investments are performed in a timely manner. Specifically, although
DHS's capital planning and investment control guide states that the Office
of the CIO will maintain a control review schedule for all initiatives in
the department's IT investment portfolio, as of January 2, 2004, this
schedule has not been developed. According to the DHS IRB coordinator and
IT officials, DHS has requested information from its component entities
related to the schedules and priorities of its level 1, or top-level,
investments. These officials stated that such information can then be used
to develop a master milestone calendar for control reviews.23 Control
review schedules, or master milestone calendars, are important to ensure
that DHS is reviewing its highest priority IT investments in a timely
manner so as to be able to affect changes to component agency approaches
or even terminate a poorly managed or strategically unnecessary
investment, if appropriate.

DHS's CIO also stated that the department's CIO Council is developing a
peer review process for major IT projects that is expected to include
defining a life-cycle management process and a quarterly reporting
process. The CIO stated that the new process is expected to be instituted
by the end of March 2004.

Conclusions	OMB took a prudent step in issuing its July memorandums
directing federal agencies that were expected to be part of the new
department to temporarily cease funding for new IT infrastructure and
business systems investments in anticipation of the establishment of DHS.
Although documentation of the implementation of the memorandums was
lacking,

22As of January 2, 2004, DHS was still in the process of finalizing its
list of level 1, level 2, and level 3 IT investments.

23The DHS IRB coordinator and IT officials stated that after the level 1
investment process is stabilized, they intend to implement a comparable
process for level 2 investments; however, they did not yet know how level
3 investments were going to be addressed. Level 1, 2, and 3 investments
are subject to review by department-level boards.

OMB and DHS IT officials outlined an approach that included both reviewing
specific IT investments and the beginning of planning for the transition
to the new department. Further, DHS component agencies identified actions
that they took, such as putting initiatives on hold, and other benefits
that resulted from the memorandums. Nevertheless, according to OMB IT
representatives, budgetary savings as a result of the July memorandums had
not occurred at the time that the review group was in place. Although DHS
has begun to establish a mechanism to track such savings in the future,
until savings resulting from the consolidation and integration of systems
and services are identified, tracked, and reported, it will remain unknown
whether OMB's July memorandums and the subsequent establishment of DHS
have achieved the millions of dollars in potential economies identified by
OMB. The Congress would benefit from such information in its deliberations
on the department's budget and in its oversight of DHS's management of IT.
Finally, DHS has begun to perform high-level oversight of component agency
IT investments, although much remains to be accomplished and the process
for this oversight is still evolving. Accordingly, DHS continues to face
challenges in providing robust and constructive oversight of component
agency IT investments. A significant challenge remaining is determining
the current status and upcoming major milestones of IT investments subject
to departmental review in order to schedule timely control reviews.

  Recommendations for Executive Action

To demonstrate its progress in consolidating and integrating its systems
and services, we recommend that the Secretary of Homeland Security direct
the Chief Information Officer to periodically report to appropriate
congressional committees, the budgetary savings that have resulted from
the department's IT consolidation and integration efforts, including a
breakout of the savings, the cause of the savings, and the time period in
which the savings have been, or will be, generated.

To ensure that IT investments subject to departmental review undergo
timely control reviews, we recommend that the Secretary of Homeland
Security direct the Chief Information Officer to develop a control review
schedule for IT investments subject to departmental oversight (i.e., level
1, 2, and 3 investments).

Agency Comments	We received oral comments on a draft of this report from
OMB and DHS. Representatives from OMB's Office of Information and
Regulatory Affairs

and Office of the General Counsel generally agreed with the findings of
the report. These representatives also provided a technical comment that
we included in the report, as appropriate. In addition, DHS's Office of
the CIO capital planning and investment control officials stated that the
report was factually accurate.

As agreed with your offices, unless you publicly announce the contents of
this report earlier, we plan no further distribution until 30 days from
the
report date. At that time, we will send copies of this report to the
Secretary
of Homeland Security and the Director, Office of Management and Budget.
Copies will also be available at no charge on the GAO Web site at
www.gao.gov.

If you have any questions on matters discussed in this report, please
contact me at (202) 512-9286 or Linda J. Lambert, Assistant Director, at
(202) 512-9556. We can also be reached by e-mail at [email protected] and
[email protected], respectively. Another key contributor to this report was
Niti Bery.

David A. Powner
Director, Information Technology

Management Issues

Appendix I

DHS Department-Level Investment Management Boards

Types of

investments Investment threshold level Board Membership reviewed and
criteria Other comments

Investment  o  Deputy Secretary (Chair)
Review
Boarda  o  Under Secretary of Management

(Vice-Chair)

o  Under Secretary, Border and Transportation Security

o  Under Secretary, Emergency Preparedness and Response

o  Under Secretary, Science and Technology

o  Under Secretary, Information Analysis and Infrastructure Protection

o  Deputy Chief of Staff for Policy

o  Chief Information Officer (CIO)

o  Chief Financial Officer

o  Chief Procurement Officer

o  Privacy Officer

o  General Counsel

All capital assets Level 1 investments:
meeting the
investment  o  Contract costs exceeds $50 million
threshold criteria

o  Importance to DHS strategic and performance plans

o  High development, operating, or maintenance cost

o  High risk

o  High return

o  Significance in resource administration

o  For IT investments only:

o  life-cycle costs exceed $200 million

                                   Appendix I
                        DHS Department-Level Investment
                               Management Boards

                         (Continued From Previous Page)

Types of

investments Investment threshold level Board Membership reviewed and
criteria Other comments

Management  o CIO All capital assets Review meeting the Councila  o  Chief
Financial Officer investment

threshold criteria

o  Chief Procurement Officer Level 2 investments:

o  Contract cost $5-$50 million

o  Affects more than one DHS component

o  Significant program or policy implication

o  High executive visibility

o  For IT investments only:

o  life-cycle costs of $20-$200 million

o  financial system with operational cost exceeding $500,000

o  was major in fiscal year 2004 budget submission

o  is E-government related

o  is directly tied to the top two layers of the Federal Enterprise
Architecture business reference model

o  is an integral part of the DHS modernization blueprint (enterprise
architecture)

o  affects more than one component entity through the sharing of data or
facilities, and/or affects the sharing of facilities, data, and/or
information with state and local governments

o  common administrative services for which a single, DHS-wide solution
may be possible or for which a joint DHS team has been established or
planned

o  new technology initiatives

o  sensitive initiatives

                                   Appendix I
                        DHS Department-Level Investment
                               Management Boards

                         (Continued From Previous Page)

Types of

investments Investment threshold level Board Membership reviewed and
criteria Other comments

                                             IT        o  Annual                    
 Enterprise        o  CIO (Chair)        investments costs of $1-$5 This board also
                                                        million     
Architecture                             meeting the                    reviews all 
                                                                        level 1 and 
             o  Chief Financial Officer              o  Life-cycle             2 IT 
Board     designee                    investment     costs of    investments and 
                                                     $5-$20 million 
                                         threshold                       makes      
                                         criteria                   
                                                     o                              
                o  Chief Procurement                 E-government   recommendations 
                       Officer                       transformation to
                                                     focus          
                      designee                            area      the Investment  
                                                                    Review Board    
                                                                    and             
                o  Business unit and                                     Management 
                       program                                               Review 
                   representatives                                      Council     
             o  Information officers in                             
                         the                                        
             directorates/organizational                            
                      elements                                      

Source: DHS.

aDHS also plans to employ a Joint Requirements Council to serve as a
working group to make recommendations to the Investment Review Board and
Management Review Council on cross-cutting IT investments. The Joint
Requirements Council, whose membership includes the Chief Technology
Officer, Director of Strategic Sourcing and chief operating officers of
DHS's component entities, met for the first time on January 7, 2004.

GAO's Mission	The General Accounting Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

  Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through the Internet. GAO's Web site (www.gao.gov) contains abstracts
and fulltext files of current reports and testimony and an expanding
archive of older products. The Web site features a search engine to help
you locate documents using key words and phrases. You can print these
documents in their entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document files.
To have GAO e-mail this list to you every afternoon, go to www.gao.gov and
select "Subscribe to e-mail alerts" under the "Order GAO Products"
heading.

Order by Mail or Phone	The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:

U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C.
20548

To order by Phone: 	Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, 	Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm

  Waste, and Abuse in E-mail: [email protected]

Federal Programs Automated answering system: (800) 424-5454 or (202)
512-7470

Public Affairs	Jeff Nelligan, Managing Director, [email protected] (202)
512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

                               Presorted Standard
                              Postage & Fees Paid
                                      GAO
                                Permit No. GI00

United States
General Accounting Office
Washington, D.C. 20548-0001

Official Business
Penalty for Private Use $300

Address Service Requested
*** End of document. ***