Homeland Security: Risks Facing Key Border and Transportation	 
Security Program Need to Be Addressed (18-MAR-04, GAO-04-569T).  
                                                                 
US-VISIT (United States Visitor and Immigrant Status Indicator	 
Technology) is a governmentwide program to enhance national	 
security, facilitate legitimate trade and travel, contribute to  
the integrity of the U.S. immigration system, and adhere to U.S. 
privacy laws and policies by (1) collecting, maintaining, and	 
sharing information on certain foreign nationals who enter and	 
exit the United States; (2) identifying foreign nationals who (1)
have overstayed or violated the terms of their visit; (2) can	 
receive, extend, or adjust their immigration status; or (3)	 
should be apprehended or detained by law enforcement officials;  
(3) detecting fraudulent travel documents, verifying traveler	 
identity, and determining traveler admissibility through the use 
of biometrics; and (4) facilitating information sharing and	 
coordination within the border management community. GAO was	 
asked to testify on its completed work on the nature, status, and
management of the USVISIT program.				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-04-569T					        
    ACCNO:   A09534						        
  TITLE:     Homeland Security: Risks Facing Key Border and	      
Transportation Security Program Need to Be Addressed		 
     DATE:   03/18/2004 
  SUBJECT:   Identity verification				 
	     Immigration or emigration				 
	     International travel				 
	     Physical security					 
	     Data collection					 
	     Fraud						 
	     Program management 				 
	     Performance measures				 
	     Border control					 
	     Homeland security					 
	     Visas						 
	     Cost estimates					 
	     Program goals or objectives			 
	     DHS Visitor and Immigration Status 		 
	     Indicator Technology Program			 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-04-569T

United States General Accounting Office

GAO Testimony

Before the Subcommittee on Immigration, Border Security, and Claims, House
Committee on the Judiciary

For Release on Delivery

Expected at 10:00 a.m. EST HOMELAND SECURITY

Thursday, March 18, 2004

Risks Facing Key Border and Transportation Security Program Need to Be Addressed

Statement of Randolph C. Hite, Director,
Information Technology Architecture and Systems Issues

GAO-04-569T

Highlights of GAO-04-569T, a testimony before the Subcommittee on
Immigration, Border Security, and Claims, House Committee on the Judiciary

US-VISIT (United States Visitor and Immigrant Status Indicator Technology)
is a governmentwide program to enhance national security, facilitate
legitimate trade and travel, contribute to the integrity of the U.S.
immigration system, and adhere to U.S. privacy laws and policies by

o  	collecting, maintaining, and sharing information on certain foreign
nationals who enter and exit the United States;

o  	identifying foreign nationals who (1) have overstayed or violated the
terms of their visit; (2) can receive, extend, or adjust their immigration
status; or (3) should be apprehended or detained by law enforcement
officials;

o  	detecting fraudulent travel documents, verifying traveler identity,
and determining traveler admissibility through the use of biometrics; and

o  	facilitating information sharing and coordination within the border
management community.

GAO was asked to testify on its completed work on the nature, status, and
management of the US-VISIT program.

March 18, 2004

HOMELAND SECURITY

Risks Facing Key Border and Transportation Security Program Need to Be Addressed

The US-VISIT program is inherently risky, both because of the type of
program it is and because of the way it is being managed.

o  	First, US-VISIT is inherently risky because it is to perform a
critical, multifaceted mission, its scope is large and complex, it must
meet a demanding implementation schedule, and its potential cost is
enormous. That is, one critical aspect of the program's mission is to
prevent the entry of persons who pose a threat to the United States;
failing in this mission could have serious consequences. To carry out this
mission, the program aims to control the pre-entry, entry, status, and
exit of millions of travelers-a large and complex process. In addition,
through legislative mandate, it has challenging milestones (such as the
system being implemented at all U.S. ports of entry by December 31, 2005).
Finally, DHS estimated that the program would cost $7.2 billion through
fiscal year 2014, but this estimate did not include all costs and
underestimated some others. All these factors add risk.

o  	Second, several factors related to the program's management increase
the risk of not delivering mission valued commensurate with costs or not
delivering defined program capabilities on time and within budget. For
example, the program is to rely initially on integrating existing systems
with reported problems that could limit US-VISIT performance. In addition,
the requirements for interim facilities at high-volume land ports of entry
are not only demanding, they are based on assumptions that, if altered,
could significantly affect facility plans. Further, DHS did not define the
benefits versus costs of near-term program increments (that is, the
interim versions of the program that are being pursued while the final
version is being defined). Addressing these issues is the responsibility
of the program office, which however was not adequately staffed, had not
clearly defined roles and responsibilities for its staff, and had not
established key processes for managing the acquisition and deployment of
US-VISIT.

Despite the program management challenges confronting US-VISIT, the first
increment was deployed at the beginning of this year. However, the program
still faces a number of risks, including the ones described above. To
address these, GAO has made a series of recommendations regarding the
planned scope of US-VISIT and its management. Addressing the identified
risks increases the likelihood that the deployment of US-VISIT will be
successful-the predictable outcome of sound management of a welljustified
and designed program.

www.gao.gov/cgi-bin/getrpt?GAO-04-569T.

To view the full product, including the scope and methodology, click on
the link above. For more information, contact Randolph C. Hite at (202)
512-3870 or [email protected].

Mr. Chairman and Members of the Subcommittee:

We appreciate the opportunity to participate in the Subcommittee's hearing
on US-VISIT (the United States Visitor and Immigrant Status Indicator
Technology), a large, complex program that is intended to achieve a
daunting set of goals: it is to enhance homeland security and the
integrity of the U.S. immigration system, and at the same time it is to
facilitate legitimate border crossing and protect privacy. To achieve
these goals, US-VISIT relies on information technology, as well as people,
processes, and facilities.

The genesis of US-VISIT was in 1996, when the Congress passed legislation
that directed the former Immigration and Naturalization Service (INS) to
develop a system to monitor the entry and exit of foreign nationals
visiting this country.1 As a result of this and later related legislative
direction,2 efforts were begun in 2002 to develop the system now known as
US-VISIT. Subsequently, INS was merged into the Department of Homeland
Security (DHS), which is now responsible for developing and implementing
the US-VISIT program.

In the last three appropriations acts governing the development and
implementation of US-VISIT,3 the Congress prohibited the INS, and later
DHS, from obligating funds until the agency submitted to the Senate and
House Committees on Appropriations expenditure plans that met several
conditions, including being reviewed by GAO. We have accordingly issued
two reports on US-VISIT4 and will shortly be issuing a third to the

1Illegal Immigration Reform and Immigrant Responsibility Act of 1996, Pub.
L. 104-208 (Sept. 30, 1996).

2Immigration and Naturalization Service Data Management Improvement Act of
2000, Pub.

L. 106-215 (June 15, 2000); Visa Waiver Permanent Program Act, Pub. L.
106-396 (Oct. 30, 2000). USA PATRIOT ACT, Pub. L. 107-56 (Oct. 26, 2001);
Aviation and Transportation Security Act, Pub. L. 107-71 (Nov. 19, 2001);
Enhanced Border Security and Visa Entry Reform Act of 2002, Pub. L.
107-173 (May 14, 2002).

32002 Supplemental Appropriations Act for Further Recovery from and
Response to Terrorist Attacks on the United States, Pub. L. 107-206 (Aug.
2, 2002); Consolidated Appropriations Resolution, 2003, Pub. L. 108-7
(Feb. 20, 2003); Department of Homeland Security Appropriations Act, 2004
, Pub. L. 108-90 (Oct. 1, 2003).

4U.S. General Accounting Office, Homeland Security: Risks Facing Key
Border and Transportation Security Program Need to Be Addressed,
GAO-03-1083 (Washington, D.C.: Sept. 19, 2003); Information Technology:
Homeland Security Needs to Improve Entry Exit System Expenditure Planning,
GAO-03-563 (Washington, D.C.: June 9, 2003).

  Results in Brief

appropriations committees. All three reports were based on work performed
in accordance with generally accepted government auditing standards. My
testimony today is based on our two published reports and on more current
public information on the program since the reports were issued.

The overall message of our testimony today is that the US-VISIT program is
risky, both because of the type of program it is and because of the way it
is being managed. US-VISIT is a large, complex, and expensive program
aimed at supporting a multifaceted mission-critical area; thus, it is an
intrinsically challenging effort. Several aspects of the program increase
the risk that it will not meet its goals or its cost, schedule, and
performance commitments:

o  	Multifaceted, critical mission. The program aims to prevent the entry
of persons who pose a threat to the United States. Besides this critical
security mission, the program also aims to achieve law enforcement goals
regarding visa violations, while facilitating legitimate trade and travel
and adhering to U.S. privacy laws and policies.

o  	Large and complex scope. Controlling the pre-entry, entry, status, and
exit of millions of travelers is a large and complex process.

o  	Challenging milestones. Progress and current status of the program
make it difficult to satisfy legislatively mandated milestones: for
example, that US-VISIT be implemented at all ports of entry by December
31, 2005.5

o  	Significant potential cost. In February 2003, DHS estimated that the
program would cost $7.2 billion through fiscal year 2014, but this
estimate did not include all costs and underestimated some others.

Additionally, several factors related to the program's management increase
the risk of not achieving program goals or not delivering program
capabilities on time and within budget. Our imminent report for the
appropriations committees will discuss each of these factors, including
why each is still an area of risk. Examples of the factors that we have
reported on are as follows:

5Immigration and Naturalization Service Data Management Improvement Act,
2000, Pub. L. 106-215 (June 15, 2000).

o  	Problems with existing systems. The program is to rely initially on
existing systems with reported problems that could limit US-VISIT
performance.

o  	Program management capability. The program office was not adequately
staffed, roles and responsibilities had not been clearly defined, and
acquisition management processes were not yet established.

o  	Near-term facilities solutions. Interim facility planning for
high-volume land ports of entry must satisfy requirements that are both
demanding and based on assumptions that, if altered, could significantly
affect facility plans.

o  	Mission value of increments. The benefits versus costs were not yet
known of the interim versions (or increments) of the program that are
being implemented while the final version is being developed.

Our experience in reviewing large, complex, information-technology-
dependent programs in other federal agencies has shown that such program
management weaknesses typically result in these programs falling short of
expectations. Accordingly, we have made several recommendations regarding
the US-VISIT program to address these weaknesses and risks.

Background 	The US-VISIT program is a governmentwide endeavor intended to
enhance national security, facilitate legitimate trade and travel,
contribute to the integrity of the U.S. immigration system, and adhere to
U.S. privacy laws and policies by

o  	collecting, maintaining, and sharing information on certain foreign
nationals who enter and exit the United States;

o  	identifying foreign nationals who (1) have overstayed or violated the
terms of their visit; (2) can receive, extend, or adjust their immigration
status; or (3) should be apprehended or detained by law enforcement
officials;

o  	detecting fraudulent travel documents, verifying traveler identity,
and determining traveler admissibility through the use of biometrics; and

o  	facilitating information sharing and coordination within the border
management community.

The program involves interdependencies among people, processes,
technology, and facilities, as shown in figure 1.

Figure 1: People, Processes, Technology, and Facilities Involved in
US-VISIT

Note: GAO analysis based on DHS data.

Within DHS, organizational responsibility for the US-VISIT program lies
with the Border and Transportation Security Directorate. In July 2003, DHS
established a US-VISIT program office with responsibility for managing the
acquisition, deployment, operation, and sustainment of the US-VISIT system
and supporting people (e.g., inspectors), processes (e.g., entry exit
policies and procedures), and facilities (e.g., inspection booths).

DHS plans to deliver US-VISIT capability incrementally. Currently, it has
defined four increments, with Increments 1 through 3 being interim or
temporary solutions, and Increment 4 being the yet-to-be-defined end
vision for US-VISIT. Increments 1 through 3 include the interfacing and
enhancement of existing system capabilities and the deployment of these
capabilities to air, sea, and land ports of entry (POE).

1. 	The first increment includes the electronic collection and matching of
biographic and biometric information at all major air and some sea

POEs for selected foreign travelers with non-immigrant visas.6 Increment 1
entry capability was deployed to 115 airports and 14 seaports on January
5, 2004. Increment 1 exit capability was deployed as a pilot to two POEs
on January 5, 2004-one airport and one

7

seaport.

2. 	The second increment is divided into two parts-2A and 2B. Increment 2A
is to include the capability to process machine-readable visas and other
travel and entry documents that use biometric identifiers at all POEs.
This increment is to be implemented by October 26, 2004. Increment 2B is
to expand the Increment 1 solution for entry to secondary inspection8 at
the 50 highest volume land POEs by December 31, 2004. According to the
US-VISIT Request for Proposal (RFP),9 2B is also to include radio
frequency (RF)10 capability at the 50 busiest land POEs for both entry and
exit processes.

3. 	Increment 3 is to expand the 2B capability to the remaining 115 land
POEs. It is to be implemented by December 31, 2005.

4. 	Increment 4 is the yet-to-be-defined end vision of US-VISIT, which
will likely consist of a series of capability releases.

DHS plans to award a single, indefinite-delivery/indefinite-quantity11
contract to a prime contractor for integrating existing and new business

6Classes of travelers that are not subject to US-VISIT are foreign
nationals admitted on A-1, A-2, C-3 (except for attendants, servants, or
personal employees of accredited officials), G1, G-2, G-3, G-4, NATO-1,
NATO-2, NATO-3, NATO-4, NATO-5, or NATO-6 visas, unless the Secretary of
State and the Secretary of Homeland Security jointly determine that a
class of such aliens should be subject to the rule; children under the age
of 14; and persons over the age of 79.

7The Miami Royal Caribbean seaport and the Baltimore/Washington
International Airport.

8Secondary inspection is used for more detailed inspections that may
include checking more databases, conducting more intensive interviews of
the individual, or both.

9In November 2003, DHS issued as planned a Request for Proposal (RFP) for
a prime contractor for US-VISIT work beyond Increment 2A.

10RF technology would require proximity cards and card readers. RF readers
read the information contained on the card when the card is passed near
the reader, and could be used to verify the identity of the card holder.

11An indefinite-delivery/indefinite-quantity contract provides for an
indefinite quantity, within stated limits, of supplies or services during
a fixed period of time. The government schedules deliveries or performance
by placing orders with the contractor.

processes and technologies. DHS plans to award the contract by May 2004.
According to the RFP, the prime contractor's scope of work is to include,
but is not limited to, Increments 2B, 3, and 4.

By definition, US-VISIT is a risky undertaking because it is to perform a
critical mission, its scope is large and complex, it must meet a demanding
implementation schedule, and its potential cost is enormous.

                             US-VISIT Is Inherently

  Risky

Program Supports Multifaceted, Critical Mission

In announcing the US-VISIT system, the DHS Under Secretary for Border and
Transportation Security stated that the system's goal is to "give America
a 21st Century `smart border'-one that speeds through legitimate trade and
travel, but stops terrorists in their tracks." Achieving these goals is
daunting: the United States shares over 7,500 miles of land border with
Canada and Mexico, and it has approximately 95,000 miles of shoreline and
navigable waterways to protect. In fiscal year 2002, there were about 279
million inspections of foreign nationals at U.S. POEs. In these
circumstances, preventing the entry of persons who pose a threat to the
United States cannot be guaranteed, and the missed entry of just one can
have severe consequences. Relatedly, US-VISIT is to achieve the important
law enforcement goal of identifying those among these millions of visitors
each year who overstay or otherwise violate the terms of their visas.

Complicating achievement of these security and law enforcement goals are
other key US-VISIT goals: facilitating the movement of legitimate trade
and travel through the POEs and providing for enforcement of U.S. privacy
laws and regulations.

Scope Is Large and Complex

US-VISIT is to provide for the interfacing of a number of existing
systems. It is also to support and refine a large and complex
governmentwide process involving multiple departments and agencies. This
process involves the pre-entry, entry, status, and exit of hundreds of
millions of foreign national travelers to and from the United States at
over 300 air, sea, and land POEs.

The interfaced systems included in Increment 1 are

o  	Arrival Departure Information System (ADIS), a database that stores
traveler arrival and departure data received from air and sea carrier
manifests and that provides query and reporting functions;

o  	Advance Passenger Information System (APIS), a system that captures
arrival and departure manifest information provided by air and sea
carriers;

o  	Interagency Border Inspection System (IBIS), a system that maintains
lookout data, interfaces with other agencies' databases, and is currently
used by inspectors at POEs to verify traveler information and modify data;

o  	Automated Biometric Identification System (IDENT), a system that
collects and stores biometric data about foreign visitors;

o  	Student Exchange Visitor Information System (SEVIS), a system that
contains information on foreign students;

o  	Computer Linked Application Information Management System (CLAIMS 3),
a system that contains information on foreign nationals who request
benefits, such as change of status or extension of stay; and

o  	Consular Consolidated Database (CCD), a system that includes
information on whether a visa applicant has previously applied for a visa
or currently has a valid U.S. visa.

Figure 2 shows these systems and their relationships.

Figure 2: Simplified Diagram of US-VISIT Increment 1 Component Systems and
Relationships

1FIN = Fingerprint Identification Number.

In addition to integrating numerous systems, US-VISIT also involves
complex processes governing the stages of a traveler's visit to the United
States: pre-entry, entry, status management, and exit. These processes for
Increment 1 are as follows:

Pre-entry process. Pre-entry processing begins with initial petitions for
visas. When the Department of State issues the travel documentation,
biographic (and in some cases biometric) data are collected and made
available to border management agencies. The biometric data are
transmitted from State to DHS, where the prints are run against the
US-VISIT IDENT biometric database to verify identity and to check the
biometric watchlist. The results of the biometric check are transmitted
back to State.

Commercial air and sea carriers are required by law to transmit crew and
passenger manifests to appropriate immigration officers before arriving in
the United States.12 These manifests are transmitted through APIS. The
APIS lists are run against the biographic lookout system and identify
those arrivals who have biometric data available. In addition, POEs review
the APIS list in order to identify foreign nationals who need to be
scrutinized more closely.

Entry process. When a foreign national arrives at a POE's primary
inspection booth, biographic information, such as name and date of birth,
is displayed on the bottom half of a computer workstation screen, along
with a photograph obtained from State's CCD. The inspector at the booth
scans the foreign national's fingerprints (left and right index fingers)
and takes a digital photograph. This information is forwarded to the IDENT
database, where it is checked against stored fingerprints in the IDENT
lookout database. If the foreign national's fingerprints are already in
IDENT, the system performs a match (a comparison of the fingerprint taken
during the primary inspection to the one on file) to confirm that the
person submitting the fingerprints is the person on file. During this
process, the inspector also questions the foreign national about the
purpose of his or her travel and length of stay.

Status management process. The status management process manages the
foreign national's temporary presence in the United States, including the
adjudication of benefits applications and investigations into possible
violations of immigration regulations. ADIS matches entry and exit
manifest data to ensure that each record showing a foreign national
entering the United States is matched with a record showing the foreign
national exiting the United States. ADIS receives status information from
CLAIMS 3 and SEVIS on foreign nationals.

Exit process. The exit process includes the carriers' submission of
electronic manifest data to IBIS/APIS. This biographic information is
passed to ADIS, where it is matched against entry information. At the two
POEs where the exit pilot is being conducted, foreign nationals use a
selfserve kiosk where they are prompted to scan their travel documentation
and provide their fingerprints (right and left index fingers). This
departure record is then stored in ADIS (along with the person's arrival
record) and

12Enhanced Border Security and Visa Entry Reform Act of 2002, Pub. L.
107-173 (May 14, 2002).

used to verify if a foreign national has complied with the admission terms
of his or her visa.

Milestones Are Challenging

Key US-VISIT milestones are legislatively mandated. For example, the
Immigration and Naturalization Service Data Management Improvement Act of
200013 requires that US-VISIT be implemented at all air and sea POEs by
December 31, 2003; at the 50 highest volume land POEs by December 31,
2004; and at all remaining POEs by December 31, 2005.

Because of limited progress during the 7 years following the legislation
that originated the entry exit system requirement, DHS acknowledged that
it could not complete permanent solutions in these time frames, and thus
it planned to implement interim (temporary) solutions. For example,
Increments 1 through 3 include the interfacing of existing systems and the
design and construction of interim facilities at land POEs. Further, DHS
officials have stated that it will be difficult to develop and implement
even the interim solutions at some of the highest volume land POEs (such
as San Ysidro, California; Otay Mesa, California; and Laredo, Texas) by
December 31, 2004, because even minor changes in the inspection time can
greatly affect the average wait time at these high-volume POEs. Moreover,
achievement of interim solutions is based on assumptions that, if changed,
could significantly affect facility and staffing plans.

Potential Cost Is Significant

Despite DHS's estimate in February 2003, that the total overall cost of
the US-VISIT program would be about $7.2 billion through fiscal year 2014,
the potential governmentwide cost of US-VISIT over just a 10-year period
could be about twice as much. Although the DHS estimate included a wide
range of costs, it omitted some costs and may have understated others. The
estimate included

o  	system investment costs, such as information technology hardware and
communications infrastructure, software enhancements, and interfaces;

o  the cost of facilities and additional inspectors;

o  system and facilities operation and maintenance costs;

13Pub. L. 106-215 (June 15, 2000).

o  the cost of planning, designing, and constructing permanent facilities,

which according to DHS was about $2.9 billion14 (this estimate was based
on the assumptions that (1) no additional traffic lanes would be required
to support the entry processes and (2) exit facilities would mirror entry
facilities-i.e., that a land POE with 10 entry traffic lanes would require
10 exit traffic lanes);

o  	costs to design and construct building space to house additional
computer equipment and inspectors; and

o  costs for highway reconfiguration at land POEs.

However, the estimate did not include the costs to design and construct
interim facilities at land POEs. DHS officials estimated that the cost of
constructing the interim facilities at the 50 highest volume POEs was
about $218 million. Moreover, the estimate is based on assumptions that,
if changed, could significantly affect, for example, land POE facility and
staffing needs.

Finally, although the estimate did include the cost of implementing
biometrics, these costs are understated, because they did not include, for
example, State Department costs. Specifically, in November 2002,15 we
reported that a rough order of magnitude estimate of the cost to implement
visas with biometrics would be between $1.3 billion and $2.9 billion
initially and between $0.7 and $1.5 billion annually thereafter. This
estimate is based on certain assumptions, including that all current
visaissuing embassies and consulates will be equipped to collect
biometrics from visa applicants. Assuming that biometrics are implemented
by December 2004, this means that the recurring cost of having biometric
visas through DHS's fiscal year 2014 life cycle period would be between $7
and $15 billion. In contrast, DHS's estimate for the entire program
through fiscal year 2014 was about $7.2 billion.

14The $2.9 billion is a parametric cost estimate. Parametric cost
estimating is a technique used in the planning, budgeting, and conceptual
stages of projects. This technique expedites the development of order of
magnitude benchmark estimates when discrete estimating techniques are not
possible or would require inordinate amounts of time and resources to
produce similar results. Estimates such as this can vary +-30 to 50
percent.

15U.S. General Accounting Office, Technology Assessment: Using Biometrics
for Border Security, GAO-03-174 (Washington, D.C.: Nov. 15, 2002).

  Management of US-VISIT System Acquisition

Compounding the risk factors inherent in the scale and significance of the
US-VISIT program are a number of others that can be attributed to its
state of management and its acquisition approach. As described in our
September 2003 report on US-VISIT, these include relying on existing
systems to provide the foundation for the first three program increments
(and thus having to accept the performance limitations of these existing
systems), not having mature program management capabilities, not having
fully defined near-term facilities solutions, and not knowing the mission
value that is to be derived from US-VISIT increments. Our recently
completed audit work for the appropriations committees addressed each of
these factors, which our next report will discuss, including why each is
still an area of risk.

Problems with Existing Systems

The system performance of the interim releases of US-VISIT (Increments 1,
2, and 3) will depend largely on the performance of the existing systems
that are to be interfaced to create the overall system. Thus, US-VISIT
system availability and associated downtime, for example, will be
constrained by the availability of the interfaced systems. In this regard,
some of the existing systems have had availability and reliability
problems that could limit US-VISIT performance. Two examples are SEVIS and
CLAIMS 3.

Problems have been identified with the availability and reliability of
SEVIS, the system designed to manage and monitor foreign students in the
United States. For example, in April 2003, the Justice Inspector General
reported that many users had difficulty logging on to the system, and that
as the volume of users grew, the system became increasingly sluggish.16
According to other reports, university representatives complained that it
was taking hours to log on to the system and to enter a single record, or
worse, that the system accepted the record and later deleted it. We are
required to report to the House and Senate Appropriations Committees by
April 1, 2004, on SEVIS performance, among other things. 17

16Statement of Glenn A. Fine, Inspector General, U.S. Department of
Justice, "Implementation of the Student and Exchange Visitor Information
System (SEVIS)" (Apr. 2, 2003).

17H.R. Conf. Rep. No. 108-280, at 32 (2003).

We also reported in May 200118 that CLAIMS 3 was unreliable. This system
contains information on foreign nationals who request benefits and is used
to process benefit applications other than naturalization. Specifically,
we reported that INS officials stated that the system was frequently
unavailable and did not always update and store important case data when
field offices transferred data from the local system to the mainframe
computer.

Program Management Capability

Our experience with major modernization programs, like US-VISIT, shows
that they should be managed formally, which includes establishing a
program office that (1) is adequately staffed (both in numbers and skill
levels), (2) has clearly defined its staff's roles and responsibilities,
and (3) is supported by rigorous and disciplined acquisition management
processes.

DHS established a US-VISIT program office in June 200319 and determined
that this office's staffing needs were, in all, 115 government and 117
contractor personnel to perform key acquisition management functions.
These functions fall into categories described by the Software Engineering
Institute's Software Acquisition Capability Maturity Model (SA-CMM(R)),20
which defines a suite of key acquisition process areas that are necessary
for rigorous and disciplined management of a system acquisition program.
These process areas include acquisition planning, requirements development
and management, project management, solicitation, contract tracking and
oversight, evaluation, and transition to support.

Our latest report stated that the US-VISIT program's staffing levels were
far below its stated needs. Moreover, specific roles and responsibilities
had not been defined beyond general statements. Further, the program had
not yet defined plans and associated time frames for achieving needed
staffing levels and defining roles, responsibilities, and relationships.
According to the Program Director, positions were being filled with
detailees from various DHS component organizations.

18U.S. General Accounting Office, Immigration Benefits: Several Factors
Impede Timeliness of Application Processing, GAO-01-488 (Washington, D.C.:
May 4, 2001).

19The predecessor program office for the entry exit program was
established within the former INS in March 2002.

20Carnegie Mellon Software Engineering Institute, Software Acquisition
Capability Maturity Model, Version 1.03 (March 2002).

Additionally, although the approved program office structure provided for
positions to perform the SA-CMM key process areas (including
acquisition planning, requirements development and management, project
management, and contract tracking and oversight), none of the process
areas were defined and implemented. Until they are, the program office
must rely on the knowledge and skills of its existing staff to execute
these important acquisition functions.

According to the Program Director, needed program staffing and key process
areas were not in place because the program was just getting off the
ground, and it would take considerable time to establish a fully
functioning and mature program management capability. Until the program
office is adequately staffed, positional roles and responsibilities are
clearly defined and understood, and rigorous and disciplined acquisition
process controls are defined, understood, and followed, DHS's efforts to
acquire, deploy, operate, and maintain system capabilities will be at risk
of not producing promised performance levels, functionality, and
associated benefits on time and within budget.

Near-Term Facilities Solutions

Work by the Data Management Improvement Act Task Force has shown that
existing facilities do not adequately support the current entry exit
process at land POEs. In particular, more than 100 land POEs have less
than 50 percent of the required capacity to support current inspection
processes and traffic levels.21 As a result, as part of US-VISIT
(Increment 2), DHS plans to construct interim facilities at about 40 of
the 50 highest volume land POEs by December 31, 2004, and construct
interim facilities at the remaining portion of these 50 POEs by February
2005.

According to DHS officials, the department plans to design and construct
interim facilities to (1) support the US-VISIT inspection process,
technology, and staff requirements and (2) meet current traffic wait time
requirements at each land POE. To plan for the design and construction of
interim facilities that meet these requirements, DHS modeled various
inspection process and facilities scenarios to define what inspection
process to follow and what interim facilities to construct. The modeling
was based on two key assumptions: (1) the current staffing level and (2)
the current number of inspection booths staffed for each POE.

21Data Management Improvement Act Task Force, First Annual Report to
Congress (Washington, D.C.: December 2002).

According to preliminary DHS modeling exercises, small incremental
increases in average inspection times at some high-volume land POEs could
significantly increase average wait times. Moreover, any changes to
decisions about which foreign travelers are subject to US-VISIT could
significantly affect these assumptions and thus near-term facility
requirements.

Mission Value of Increments

OMB Circular Number A-11, part 7, requires that investments in major
systems be implemented incrementally, with each increment delivering
tangible and measurable benefits. Incremental investment involves
justifying investment in each increment on the basis of benefits, costs,
and risks. Although DHS is pursuing US-VISIT incrementally, it has not
defined incremental costs and benefits to justify its proposed investments
in each increment.

In the case of Increment 1, DHS' 2003 expenditure plan stated that this
increment would provide "immediate benefits," but it did not describe
them. Instead, it described capabilities to be provided, such as the
ability to determine whether a foreign national should be admitted and to
perform checks against watch lists. It did not describe in meaningful
terms the benefits that are to result from implementation of these
capabilities (e.g., X percent reduction in inspection times or Y percent
reduction in false positive matches against watch lists).

Also, DHS did not identify the estimated cost of Increment 1. The Program
Director told us that the $375 million requested in the 2003 plan included
not only all the funding required for Increment 1, but also funding for
later increments. However, the plan did not separate the funds by
increment, and program officials did not provide this information.

While DHS developed a benefits and cost analysis for the former entry exit
program in February 2003, this analysis had limitations, such as an
absence of meaningful benefit descriptions. Program officials acknowledged
that this analysis is out of date and is not reflective of current
US-VISIT plans. According to these officials, an updated analysis will be
issued in the very near future.

Without a reliable understanding of whether near-term increments will
produce mission value justifying its costs and whether known risks can be
effectively mitigated, DHS is investing in and implementing near-term
solutions that have not been adequately justified.

To the credit of the hard-working and dedicated staff working on the
program, an initial US-VISIT operating capability was deployed to major
air and selected sea POEs at the beginning of this year. However, the
US-VISIT program still faces the risk factors described in this testimony,
each of which will be discussed in our soon to be released report. To
address these risk factors, our published reports presented several
recommendations regarding the US-VISIT program, including

o  	ensure that future expenditure plans fully disclose US-VISIT system
capabilities, schedule, cost, and benefits to be delivered;

o  	determine whether proposed US-VISIT increments will produce mission
value commensurate with costs and risks;

o  	define performance standards for each increment that are measurable
and reflect the limitations imposed by relying on existing systems;

o  develop a risk management plan and regularly report all high risks;

o  	develop and implement a plan for satisfying key acquisition management
controls and implement these in accordance with Software Engineering
Institute guidance;

o  	ensure that human capital and financial resources are provided to
establish a fully functional and effective US-VISIT program office;

o  define program office positions, roles, and responsibilities; and

o  	develop and implement a human capital strategy for the program office
that provides for staffing positions with individuals who have the
appropriate knowledge, skills, and abilities.

Unless DHS addresses the risk factors described in this testimony,
successful deployment of US-VISIT increments is doubtful, because
achieving success will depend too much on heroic efforts by the people
involved, rather than being the predictable outcome of sound investment
and acquisition management capabilities.

Mr. Chairman, this concludes our statement. We would be happy to answer
any questions that you or members of the committee may have at this time.

Contacts and	If you should have any questions about this testimony, please
contact Randolph C. Hite at (202) 512-3870 or [email protected]. Other major

Acknowledgement 	contributors to this testimony included Barbara Collier,
Deborah Davis, Tamra Goldstein, David Hinchman, and Jessica Waselkow.

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

  GAO's Mission

Obtaining Copies of GAO Reports and Testimony

The General Accounting Office, the audit, evaluation and investigative arm
of Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability of
the federal government for the American people. GAO examines the use of
public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.

The fastest and easiest way to obtain copies of GAO documents at no cost
is through the Internet. GAO's Web site (www.gao.gov) contains abstracts
and fulltext files of current reports and testimony and an expanding
archive of older products. The Web site features a search engine to help
you locate documents using key words and phrases. You can print these
documents in their entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document files.
To have GAO e-mail this list to you every afternoon, go to www.gao.gov and
select "Subscribe to e-mail alerts" under the "Order GAO Products"
heading.

Order by Mail or Phone 	The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:

U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C.
20548

To order by Phone: 	Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud,	Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm

  Waste, and Abuse in E-mail: [email protected]

Federal Programs Automated answering system: (800) 424-5454 or (202)
512-7470

Jeff Nelligan, Managing Director, [email protected] (202) 512-4800

Public Affairs 	U.S. General Accounting Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
*** End of document. ***