Homeland Security: US-VISIT Has Not Fully Met Expectations and
Longstanding Program Management Challenges Need to Be Addressed
(16-FEB-07, GAO-07-499T).
The Department of Homeland Security (DHS) is investing billions
of dollars in its U.S. Visitor and Immigrant Status Indicator
Technology (US-VISIT) program to collect, maintain, and share
information on selected foreign nationals who enter and exit the
United States. The program uses biometric identifiers (digital
fingerscans and photographs) to screen people against watch lists
and to verify that a visitor is the person who was issued a visa
or other travel document. The program is also to biometrically
confirm the individual's departure. For over 3 years, GAO has
reported on US-VISIT capability deployments and shortfalls, as
well as fundamental limitations in DHS's efforts to define and
justify US-VISIT's future direction and to cost-effectively
manage the delivery of program capabilities on time and within
budget. GAO was asked to testify on (1) the status of the
program's implementation and (2) the program's progress in
addressing longstanding management weaknesses. Given where
US-VISIT is today and the challenges and uncertainties associated
with where it is going, GAO believes that DHS is long overdue in
demonstrating that it is pursuing the right US-VISIT solution and
that it is managing US-VISIT the right way.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-07-499T
ACCNO: A66009
TITLE: Homeland Security: US-VISIT Has Not Fully Met
Expectations and Longstanding Program Management Challenges Need
to Be Addressed
DATE: 02/16/2007
SUBJECT: Accountability
Biometrics
Border security
Cost effectiveness analysis
Homeland security
Immigration information systems
Internal controls
Program evaluation
Program management
Strategic planning
Program implementation
DHS Visitor and Immigrant Status
Indicator Technology Program
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-07-499T
* [1]Background
* [2]Management and Implementation of US-VISIT
* [3]Overview of Ports of Entry
* [4]US-VISIT Operations and Processing at Ports of Entry
* [5]DHS Has Delivered Some, But Not All, US-VISIT Capabilities
* [6]US-VISIT Entry Capabilities Are Operating at Most Ports of E
* [7]US-VISIT Is Unable to Implement a Biometric Exit Capability
* [8]DHS Continues to Face Longstanding US-VISIT Management Chall
* [9]DHS Has Not Defined and Developed US-VISIT Within a DHS-wide
* [10]DHS Has Not Economically Justified US-VISIT Increments or As
* [11]DHS Did Not Economically Justify Its Proposed
Incremental In
* [12]DHS Did Not Adequately Assess the Impact of Entry
Capabiliti
* [13]US-VISIT Did Not Adequately Evaluate Exit Capability
Impacts
* [14]DHS Has Not Adequately Justified Increases in, and
Disclosed
* [15]DHS Has Not Fully Implemented Key US-VISIT Acquisition and F
* [16]DHS Has Yet to Establish Effective Program Accountability Me
* [17]Contact and Acknowledgement
* [18]PDF6-Ordering Information.pdf
* [19]Order by Mail or Phone
Mr. Chairman and Members of the Subcommittee,
We appreciate the opportunity to participate in the Subcommittee's hearing
on the United States Visitor and Immigrant Status Indicator Technology
(US-VISIT). US-VISIT is multibillion-dollar program of the Department of
Homeland Security (DHS) that is intended to achieve a daunting set of
goals: to enhance the security of our citizens and visitors and ensure the
integrity of the U.S. immigration system while facilitating legitimate
trade and travel and protecting individuals' privacy. To achieve these
goals, US-VISIT is to record selected travelers'^1 entry and exit to and
from the United States at over 300 ports of entry (POEs) around the
country, verify their identity, and determine their compliance with the
terms of their admission and stay.
Since fiscal year 2002, the House and Senate Appropriations Committees
have provided valuable oversight and direction for US-VISIT as the
Congress directed DHS to submit annual expenditure plans that had to meet
certain conditions, and directed GAO to review these plans. Our reviews
have produced five reports, including the latest on the fiscal year 2006
expenditure plan,^2 which we issued earlier this week. These reports and
our recent reports to the House Committee on Homeland Security on US-VISIT
contract and financial management^3 and US-VISIT operations at land POEs^4
have identified fundamental challenges that the DHS continues to face in
meeting program expectations (i.e., delivering program capabilities and
benefits on time and within cost). In light of these challenges, we
continue to believe that the program carries an appreciable level of risk
and must be managed effectively if it is to be successful.
^1 US-VISIT applies to foreign travelers that enter the United States
under a nonimmigrant visa or are traveling from a country that has a visa
waiver agreement with the United States under the Visa Waiver Program. The
Visa Waiver Program enables foreign nationals of certain countries to
travel to the United States for tourism or business for stays of 90 days
or less without obtaining a visa.
^2 GAO, Information Technology: Homeland Security Needs to Improve Entry
Exit System Expenditure Planning, GAO-03-563 (Washington, D.C.: June 9,
2003); GAO, Homeland Security: Risks Facing Key Border and Transportation
Security Program Need to Be Addressed, GAO-03-1083 (Washington, D.C.:
Sept. 19, 2003); GAO, Homeland Security: First Phase of Visitor and
Immigration Status Program Operating, but Improvements Needed, GAO-04-586
(Washington, D.C.: May 11, 2004); GAO, Homeland Security: Some Progress
Made, but Many Challenges Remain on U.S. Visitor and Immigrant Status
Indicator Technology Program, GAO-05-202 (Washington, D.C.: Feb. 23,
2005); and GAO, Homeland Security: Planned Expenditures for U.S. Visitor
and Immigrant Status Program Need to Be Adequately Defined and Justified,
GAO-07-278 (Washington, D.C.: Feb. 14, 2007)
^3 GAO, Homeland Security: Contract Management and Oversight for Visitor
and Immigrant Status Program Need to Be Strengthened, GAO-06-404
(Washington, D.C.: June 9, 2006).
Our testimony today draws on this body of completed work to provide a
snapshot of what US-VISIT capabilities have and have not been delivered,
what work has recently begun to enhance already delivered capabilities,
and the range of longstanding challenges that hamper DHS efforts to
establish and live up to program expectations and commitments. All the
work on which this testimony is based was performed in accordance with
generally accepted government auditing standards.
In summary, after spending almost 4 years and more than $1 billion, DHS is
operating US-VISIT entry capabilities at most POEs, has conducted various
exit demonstration projects at a small number of POEs, and has begun to
work to move from 2 to10 fingerprint biometric capabilities and expand
electronic information sharing with stakeholders. Of particular note is
the fact that a US-VISIT biometric-based entry screening capability is
operating at 115 airports, 14 seaports, and 154 land POEs. However, a
biometric exit capability is not. According to program officials, this is
due to a number of factors. For example, at this time the only proven
technology available for biometric land exit verification would
necessitate mirroring the processes currently in use for entry at these
POEs, which would create costly staffing demands and infrastructure
requirements, and introduce potential trade, commerce, and environmental
impacts. Further, a pilot project to examine an alternative technology at
land POEs did not produce a viable solution.
Where US-VISIT stands today owes largely to the manner in which it has
been managed. In this regard, we have reported a range of program
management weaknesses related to ensuring that the program, as defined, is
the right thing to do and that it is done the right way. To be the right
thing to do, the program needs to fit properly within DHS's strategic
plans and related operational and technology blueprints, and it needs to
produce benefits in excess of costs over its useful life. Relatedly,
program impacts and options need to be considered and addressed. To be
done the right way, critical acquisition management processes need to be
established and followed to ensure that program capabilities and expected
mission outcomes are delivered on time and within budget. These processes
include effective project planning, requirements management, contract
tracking and oversight, test management, and financial management. As we
have reported for several years, DHS has yet to adequately do these
things. While program officials have stated that all the areas are being
addressed, progress has been slow. Given that significant enhancements to
existing program capabilities are envisioned and underway, it is critical
for the department to expeditiously address the management challenges and
weaknesses that we have identified. Until it does, the risk of US-VISIT
continuing to fall short of expectations is increased.
^4 GAO, Border Security, US-VISIT Program Faces Strategic, Operational,
and Technological Challenges at Land Ports of Entry, GAO-07-248
(Washington, D.C.: December 6, 2006).
Background
US-VISIT is a governmentwide program intended to enhance the security of
U.S. citizens and visitors, facilitate legitimate travel and trade, ensure
the integrity of the U.S. immigration system, and protect the privacy of
our visitors. To achieve its goals, US-VISIT is to collect, maintain, and
share information on certain foreign nationals who enter and exit the
United States; detect fraudulent travel documents, verify traveler
identity, and determine traveler admissibility through the use of
biometrics; facilitate information sharing and coordination within the
immigration and border management community; and identify foreign
nationals who (1) have overstayed or violated the terms of their
admission; (2) may be eligible to receive, extend, or adjust their
immigration status; or (3) should be apprehended or detained by law
enforcement officials. The scope of the program includes the pre-entry,
entry, status, and exit of hundreds of millions of foreign national
travelers who enter and leave the United States at over 300 air, sea, and
land POEs, as well as analytical capabilities spanning this overall
process.
Management and Implementation of US-VISIT
The US-VISIT program office has responsibility for managing the
acquisition, deployment, operation, and sustainment of US-VISIT. Until
recently, the US-VISIT Director (currently Acting Director) reported
directly to the Deputy Secretary for Homeland Security. However, as of
March 31, 2007, the program office will report to the newly established
Under Secretary for the National Protection and Programs Directorate.
Since 2003, DHS has planned to deliver US-VISIT capability in four
increments: Increment 1 (air and sea entry and exit), Increment 2 (air,
sea, and land entry and exit), Increment 3 (land entry), and Increment 4,
which is to define, design, build, and implement more strategic program
capability, and which program officials stated will consist of a series of
incremental releases or mission capability enhancements that will support
business outcomes. In Increments 1 through 3, the program has built
interfaces among existing ("legacy") systems, enhanced the capabilities of
these systems, and deployed these capabilities to air, sea, and land POEs.
These first three increments have been largely acquired and implemented
through existing system contracts and task orders.
Through fiscal year 2007, about $1.7 billion has been appropriated for the
US-VISIT program. About $162 million of the $362 million appropriated in
fiscal year 2007 funds has been released to the program. The remaining
$200 million is pending the submission of an expenditure plan to the House
and Senate Appropriations Committees. The department has requested $462
million in fiscal year 2008 for the program.
According to program officials, as of January 31, 2007, almost $1.3
billion has been obligated to acquire, develop, deploy, enhance, operate,
and maintain US-VISIT entry capabilities, and to test and evaluate exit
capability options.^5
^5 This includes, for example, computers, printers, digital cameras,
fingerprint scanners, telecommunications upgrades, existing system
enhancements, and facilities modifications.
Overview of Ports of Entry
The United States shares over 7,500 miles of land border with Canada and
Mexico. Customs and Border Protection (CBP) operates 170 land POEs on the
northern border with Canada and the southwest border with Mexico.^6 These
POEs are diverse in nature, with some operating in urban areas, such as
Detroit, Michigan, and others operating in remote areas such as the
northern plains in Montana or along the southwest border. Taken together,
land POEs process the largest number of visitors to the United States each
year (about 79 percent of about 425 million total border crossings during
fiscal year 2004) and process fewer visitors subject to US-VISIT than
other POEs (about 11 percent of about 42 million border crossings
processed via US-VISIT during fiscal year 2004). The volume of visitor
traffic at land POEs in fiscal year 2005 varies widely, with the busiest
four land POEs identified by CBP being San Ysidro, Calexico, and Otay
Mesa, California, and Bridge of the Americas in El Paso, Texas.
US-VISIT Operations and Processing at Ports of Entry
In many cases, the US-VISIT process begins overseas at U.S. consular
offices where biometric information is collected from visa applicants and
checked against a database of known criminals and suspected terrorists.
When a visitor arrives at a U.S. POE, the biometric information is used to
verify that the visitor is the person who was issued the visa or other
travel documents. Ultimately, visitors are to confirm their departure from
the United States by having their visas or passports scanned and
undergoing fingerscanning. (Currently, at a few pilot sites, departing
visitors are asked to undergo these exit procedures.) The exit
confirmation is added to the visitor's travel records to demonstrate
compliance with the terms of admission to the United States.
However, most land border crossers--including U.S. citizens, lawful
permanent residents, and most Canadian and Mexican citizens--are, by
statute or implementing regulation, not required to enroll into
US-VISIT.^7 In fiscal year 2004, for example, U.S. citizens and lawful
permanent residents comprised about 57 percent of land border crossers;
Canadian and Mexican citizens comprised about 41 percent; and less than 2
percent were US-VISIT enrollees. Figure 1 shows the number and percent of
persons processed under US-VISIT as a percentage of all border crossings
at land, air, and sea POEs in fiscal year 2004.
^6 CBP is responsible for, among other things, enforcing U.S. immigration
laws governing the admissibility of foreign nationals entering the United
States by air, sea, and land.
^7 Since the statute governing US-VISIT applies to foreign national
arrival and departure data only, U.S. citizens do not fall within the
scope of the program and therefore are exempt from US-VISIT screening.
Also, in general, regardless of whether they are to be processed into
US-VISIT, Mexican citizens must present either a passport and visa or a
border crossing card (BCC) when seeking admission to the United States,
while Canadian citizens generally do not need such documents. According to
US-VISIT, when Mexicans receive a BCC, the data on the individual entered
into U.S. databases at the time of their visa application are accessible
by US-VISIT--if they are to be processed into it for any reason.
Figure I: Persons Processed Under US-VISIT as a Percentage of All Border
Crossings at Land, Air, and Sea Ports of Entry, Fiscal Year 2004
Note: Persons processed by US-VISIT may include foreign nationals who were
also issued an I-94 valid for multiple entries and who have re-entered
multiple times. I-94s are used to record a foreign national's entry into
the United States. Total entering the U.S. includes U.S. citizens who may
have re-entered the country multiple times and foreign nationals,
including those not issued I-94s, such as Canadian citizens and Mexicans
with BCCs, and those issued multiple entry I-94s who also may have
re-entered multiple times. U.S. citizens do not fall within the statutory
scope of US-VISIT and therefore are exempt from US-VISIT screening.
Foreign nationals subject to US-VISIT who intend to enter the country
encounter different inspection processes depending on their mode of
travel. Those entering the United States at an air or sea POE are to be
processed in the primary inspection area upon arrival. Before they arrive,
these visitors generally are subject to prescreening via passenger
manifests that are forwarded to CBP by commercial air or sea carriers.^8
By contrast, foreign nationals entering the United States at land POEs are
generally not subject to prescreening because they arrive in private
vehicles or on foot and there is no manifest to record their pending
arrival. Thus, when foreign nationals subject to US-VISIT arrive at a land
POE in vehicles, they enter the primary inspection area where CBP
officers--often located in booths--are to visually inspect travel
documents and query the visitors about such matters as their place of
birth and proposed destination. Visitors arriving as pedestrians enter an
equivalent primary inspection area, generally inside a CBP building. If
the CBP officer believes a more detailed inspection is needed or if the
visitors are required to be processed under US-VISIT for the first time,^9
the visitors are to be referred to the secondary inspection area that is
generally inside a facility away from the primary inspection area. The
secondary inspection area generally contains office space, waiting areas,
and space to process visitors, including US-VISIT enrollees. Equipment
used for processing includes a computer, printer, digital camera, and a
two-fingerprint scanner.
DHS Has Delivered Some, But Not All, US-VISIT Capabilities
Under law, DHS was to create an electronic entry and exit system to screen
and monitor the stay of foreign nationals who enter and leave the United
States and implement the system at (1) air and sea POEs by December 31,
2003, (2) the 50 highest-volume land POEs by December 31, 2004, and (3)
the remaining POEs by December 31, 2005.^10 In developing the system, DHS
was to focus particularly on the use of biometric technology^11 and was
also to collect biometric data upon entry and exit for all individuals,
who are required to be processed through US-VISIT.^12 However, after
almost 4 years and more than $1 billion, DHS has implemented entry
capabilities at most POEs but has not implemented exit capabilities.
According to program officials, several factors have affected the
program's ability to develop, implement, and deploy a biometric exit
capability.
^8 Under the Enhanced Border Security and Visa Entry Reform Act of 2002, 8
U.S.C. S 1221, commercial air and sea carriers are to transmit crew and
passenger manifests to appropriate immigration officials before arrival of
an aircraft or vessel in the United States. These manifests are
transmitted to CBP through the Advanced Passenger Information System
(APIS), which helps officers identify (1) those arrivals for which
biometric data are available and (2) foreign nationals who need to be
scrutinized more closely.
^9At land border POEs, the Form I-94 issued to foreign nationals covered
by US-VISIT who are deemed admissible is considered issued for multiple
entries, unless specifically annotated otherwise. A multiple entry I-94
permits them to reenter the country, generally for up to 6 months, without
additional US-VISIT processing during the period covered by the I-94.
US-VISIT Entry Capabilities Are Operating at Most Ports of Entry and Have
Prevented Some from Entering Illegally
The program office has largely met its expectations relative to a
biometric entry capability. For example, on January 5, 2004, it deployed
and began operating most aspects of its planned biometric entry capability
at 115 airports and 14 seaports for selected foreign nationals, including
those from visa waiver countries;^13 as of December 2006, the program
office had deployed and began operating this entry capability in the
secondary inspection areas of 154 of 170 land POEs. According to program
officials, 14 of the remaining 16 POEs have no operational need to deploy
US-VISIT because visitors who are required to be processed through
US-VISIT are, by regulation, not authorized to enter into the United
States at these locations.^14 The other two POEs do not have entry
capability deployed because they do not have the necessary transmission
lines to operate US-VISIT; CBP officers at those sites have continued to
process visitors manually.
^10 8 U.S.C. S1365a; 6 U.S.C.S 251 (transferred Immigration and
Naturalization Service functions to DHS).
^11 Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism (USA PATRIOT Act) Act of
2001, Pub. L. No. 107-56, S 414(b), (Oct. 26, 2001).
^12 Intelligence Reform and Terrorism Prevention Act of 2004, 8 U.S.C.
S1365b.
^13 On September 30, 2004, US-VISIT expanded biometric entry procedures to
include individuals from visa waiver countries applying for admission.
^14 According to CBP, these POEs are classified as Class B ports. Under 8
C.F.R. S100.4 (c) (2), only citizens of the United States, Canada, and
Bermuda, and Lawful Permanent Residents of the United States and certain
holders of border crossing cards may enter through Class B ports.
To the department's credit, the development and deployment of this entry
capability was largely in accordance with legislative time lines and has
occurred during a period of considerable organizational change, starting
with the creation of DHS from 23 separate agencies in early 2003, followed
by the birth of a US-VISIT program office shortly thereafter--which was
only about 5 months before the program had to meet its first legislative
milestone. Compounding these program challenges was the fact that the
systems that were to be used in building and deploying a biometric entry
capability were managed and operated by a number of the separate agencies
that had been merged to form the new department, each of which was
governed by different policies, procedures, and standards.
Moreover, DHS reports that US-VISIT entry capabilities have produced
results. According to US-VISIT's Consolidated Weekly Summary Report, as of
December 28, 2006, there have been more than 5,400 biometric hits in
primary entry, resulting in more than 1,300 people having adverse actions,
such as denial of entry, taken against them. According to the report,
about 4,100 of these hits occurred at air and sea ports of entry and over
1,300 at land ports of entry. Further, the report indicates that more than
1,800 biometric hits have been referred to DHS's immigration enforcement
unit, resulting in 293 arrests. We did not verify the information in the
consolidated report.
Another potential consequence, although difficult to demonstrate, is the
deterrent effect of having an operational entry capability. Although
deterrence is not an expressly stated goal of the program, officials have
cited it as a potential byproduct of having a publicized capability at the
border to screen entry on the basis of identity verification and matching
against watch lists of known and suspected terrorists. Accordingly, the
deterrent potential of the knowledge that unwanted entry may be thwarted
and the perpetrators caught is arguably a layer of security that should
not be overlooked.
Despite these results, US-VISIT's entry capability at land POEs has not
been without operational and system performance problems. During recent
visits to land POEs, we identified some space constraints and other
capacity issues. For example, at the Nogales-Morley Gate POE in Arizona,
where up to 6,000 visitors are processed daily (and up to 10,000 on
holidays), equipment was installed^15 but not used because of CBP concerns
about its ability to carry out the US-VISIT process in a constrained space
while thousands of other people not subject to US-VISIT are processed
through the facility daily.^16 Thus, visitors that are to be processed
into US-VISIT from Morley Gate are directed to return to Mexico (a few
feet away) and to walk approximately 100 yards to the Nogales-DeConcini
POE facility, which has the capability to handle secondary inspections of
this kind. In addition, we found that POEs had experienced system downtime
associated with US-VISIT. In particular, 12 of the 21 land POEs that we
visited stated that they had experienced computer-processing problems that
had an impact on processing times and traveler delays. In June 2006, a CBP
data center official confirmed that POEs had experienced slowdowns
associated with certain US-VISIT data queries.^17 The CBP official also
told us that these computer processing problems have since been identified
and resolved, and that performance had greatly improved. We did not verify
whether the actions taken fully resolved these problems.
US-VISIT Is Unable to Implement a Biometric Exit Capability at Land Ports of
Entry Due to Several Constraints and Testing of Non-biometric Exit Solution Has
Identified Performance Problems
Several logistical, infrastructure, cost, and technological constraints
have precluded DHS from implementing a biometric exit capability at land
POEs. According to program officials, the major constraint at this time is
that the only proven technology available to biometrically verify
individuals upon exit at land POEs would necessitate mirroring the
processes currently in use for entry. Such a process would require CBP
officers to perform the same processes as for entry, including examining
the travel documents of those leaving the country, taking fingerprints,
comparing visitors' facial features to photographs, and, if questions
about identity arise, directing the departing visitor to secondary
inspection for additional questioning. The program office concluded in
January 2005 that a mirror image solution was "an infeasible alternative
for numerous reasons, including but not limited to, the additional
staffing demands, new infrastructure requirements, and potential trade and
commerce impacts."^18
15 Such equipment includes a computer, printer, digital camera, and
fingerprint scanners.
^16CBP based this decision on the high volume of pedestrians entering the
United States through the Morley Gate POE; the fact that, before
deployment, I-94s had not been previously issued at the Morley Gate POE;
and the close proximity of the Morley Gate POE facility to the nearby
DeConcini POE facility, about 100 yards away.
^17CBP officials also dealt with sporadic network outages. In one case, on
December 2, 2005, the entire network went down for 3 hours because of an
accident. According to port officials, visitors seeking entry into the
country at the San Ysidro, California, POE were initially asked to wait
until the systems came back up or return at another time. About an hour
after the outage began, CBP officers began to manually process I-94s for
US-VISIT, in accordance with CBP standard operating procedures, but
without the benefit of a biometric verification of their identity under
US-VISIT.
More specifically, program officials told us that implementing such a
solution could result in delays at land POEs with a heavy daily volume of
visitors, and would require both additional lanes for exiting vehicles and
additional inspection booths and staff (though they had not determined
precisely how many). It is unclear how new vehicle lanes and new
facilities could be built at land POEs where space constraints already
exist, such as those in congested urban areas. For example, San Ysidro,
California, currently has 24 entry lanes, each with its own staffed booth,
and 6 unstaffed exit lanes. Thus, if full biometric exit capability were
implemented using a mirror image approach, San Ysidro's current capacity
of 6 exit lanes would have to be expanded to 24 exit lanes. As shown in
the following photo and confirmed during our site visit to the San Ysidro
POE, the facility is surrounded by dense urban infrastructure, leaving
little, if any, room to expand in place. Some of the 24 entry lanes for
vehicle traffic heading north from Mexico into the United States appear in
the bottom left portion of the photograph, where vehicles are shown
waiting to approach primary inspection at the facility; the six exit lanes
(traffic towards Mexico), which do not have fixed inspection facilities,
are at the upper left.
^18 US-VISIT, Increment 2C Operational Alternatives Assessment--FINAL
(Rosslyn, Va.: Jan. 31, 2005).
Other POE facilities are similarly spatially constrained. For example, the
Nogales-DeConcini, Arizona facility is bordered by
railroad tracks, a parking lot, and industrial or commercial buildings.
Further, CBP has identified space constraints at selecterural POEs, such
as the Thousand Islands Bridge POE at AleBay, New York, which is situated
in what POE officials described as a "geological bowl," with tall rock
outcroppings potentially hindering the ability to expand facilities at the
current location. Officials told us that in order to accommodate existing
and anticipated traffic volume upon entry, they are in the early
stagesplanning to build an entirely new POE on a hill about a half-msouth
of the present facility.
DHS also identified the cost of implementing a biometric exit
capability as a constraint. In 2003, the program office estimated that
it would cost approximately $3 billion to implement US-VISIT eand exit
capability at land POEs where US-VISIT was likely to be installed, and
that such an effort would have a major impact on facility infrastructure
at land POEs. We did not assess the reliabiliof the 2003 estimate, but
would note that while the estimate did separately break out costs for
entry and exit construction, it did factor in the cost for building
additional exit vehicle lanes and booths as well as buildings and other
infrastructure that would berequired to accommodate a mirror image of
entry capabilities. Program officials told us that they did not move ahead
with this option. No subsequent cost estimate updates had been preparedand
DHS's annual budget requests have not included funds to buithe
infrastructure that would be associated with the required facilities.
In light of these various constraints, the program office has tested
nonbiometric technology to record travelers� departure, but testing
showed numerous performance and reliability problems. Because there is at
present no biometric technology that can be used to verify a traveler's
exit from the country at land POEs without also making major and costly
changes to POE infrastructure and facilities, the program office tested
radio frequency identification (RFID) technology as a nonbiometric means
of recording visithey exit. RFID technology can be used to electronically
identify angather information contained on a tag--in this case, a unique
identifying number embedded in a tag on a visitor's arrival/departure
form--which an electronic reader at the POE is to detect.
While RFID technology required few facility and infrastructure
changes, testing and analysis at five land POEs at the northern and
southern borders identified numerous performance and reliabiliproblems,
such as the failure of RFID readers to detect a majority oftravelers' tags
during testing. For example, the program office reported that of 166
vehicles tested during a one-week period at the Blaine-Pacific Highway,
readers correctly identified 14 percent--sizable departure from the target
read rate of 70 percent.^19
^19A US-VISIT program official explained that for vehicles exiting during
RFID testing, one �reasonably expect� a read rate of 70 percent because
vehicles are not required to could stop upon exit. The official also cited
vehicle speed, safety, and awareness (of optimal positioning of the
arrival/departure form; for example, holding the form up to the window
of the vehicle) as factors that affected RFID read rates.
Another problem that arose were "cross-reads," in which multiple RFID
readers installed on poles or structures over roads, called gantries,
picked up information from the same visitor, regardless of whether the
individual was entering or exiting in a vehicle or on foot. Thus,
cross-reads resulted in inaccurate record-keeping. According to a January
2006 corrective-action report, remedying cross-reads would require changes
to equipment and infrastructure on a case-by-case basis at each POE,
because each has a different physical configuration of buildings,
roadways, roofs, gantries, poles, and other surfaces against which the
signals can bounce and cause cross-reads. Each would therefore require a
different physical solution to avoid the signal interference that triggers
cross-reads. Although cost estimates or time lines for such alterations to
facilities and equipment have not been developed, it is possible that
having to alter each POE's physical configuration in some regard and then
test each separately to ensure that cross-reads had been eliminated would
be both time consuming and potentially costly.
Moreover, even if RFID deficiencies were to be fully addressed and
deadlines set, the RFID solution does not meet the legislative requirement
for a biometric exit capability. By design, an RFID tag embedded in an
I-94 arrival/departure form cannot provide the biometric identity-matching
capability that is envisioned as part of a comprehensive entry/exit border
security system that uses biometric identifiers for tracking overstays and
others entering, exiting, and re-entering the country. That is, the RFID
tag in the I-94 form cannot be physically tied to an individual. This
situation means that while a document may be detected as leaving the
country, the person to whom it was issued at time of entry may be
somewhere else. Thus, the technology that had been tested cannot meet a
key program goal--ensuring that visitors who enter the country are the
same ones who leave.
According to program officials, technological advances over the next 5 to
10 years will make it possible to utilize alternative technologies that
provide biometric verification of persons exiting the country without
major changes to facility infrastructure and without requiring those
exiting to stop and/or exit their vehicles, thereby mitigating traffic
backup, congestion, and resulting delays. visitors would have to be
stopped, the prospect of the as-yet-undeveloped biometric verification
technology supports the lonterm US-VISIT vision.^20 However, according to
program officiasuch technology or device currently exists that would not
have a major impact on facilities. The prospects for its development,
manufacture, deployment and reliable utilization are thus uncertaalthough
a prototype device that would permit a fingerprint to read remotely
without requiring the visitor to come to a full stop is under development.
By law, DHS was to have reported to Congress by June 2005 on how
the agency intended to fully implement a biometric entry/exit
program. According to statute, this plan is to include, among other
things, a description of the manner in which the program meetgoals of a
comprehensive entry and exit screening system--including both biometric
entry and exit--and fulfills statutory obligations imposed on the program
by several laws enactedbetween 1996 and 2002.^21 According to program
officials, as of February 2007, this plan has been forwarded to the Office
of Management and Budget (OMB) for review. Until such a plan isfinalized
and issued, DHS is not able to articulate how entry/econcepts--including
any interim nonbiometric solutions--will fitogether, and is not positioned
to identify, prioritize, and allocate resources for an exit capability or
effectively plan for the program'future. Further, given the absence of a
comprehensive entry and exsystem, questions remain about what meaningful
data may be available to other DHS components, such as Immigration and
Customs Enforcement, to ensure that DHS can, from an interioenforcement
perspective, identify and remove foreign nationalcovered by US-VISIT who
may have overstayed their visas. We discuss this point further in the
following section.
^20 US-VISIT, Increment 2C Operational Alternatives Assessment--FINAL
(Rosslyn, Va: Jan. 31, 2005).
^21 8 U.S.C. S1365b(c)(2)(E).
DHS Continues to Face Longstanding US-VISIT Management Challenges and Future
Uncertainties
Our work and other best practice research have shown that applying
disciplined and rigorous management practices improves the likelihood of
delivering expected capabilities on time and within budget. Such practices
and processes include determining how the program fits within the larger
context of an agency's strategic plans and related operational and
technology environments, whether the program will produce benefits in
excess of costs over its useful life, and whether program impacts and
options are being fully identified, considered, and addressed. To further
ensure that programs are managed effectively, it is important that they be
executed in accordance with acquisition and financial management
requirements and best practices, and that progress against program
commitments is defined and measured so that program officials can be held
accountable for results.
For almost 4 years, we have reported on fundamental limitations in DHS's
efforts to define and justify the program's future direction and to
cost-effectively manage the delivery of promised capabilities on time and
within budget. To a large degree, what is operating and what is not
operating today, and what future program changes are underway and yet to
be defined, are affected by these limitations. DHS needs to address these
challenges going forward, and the recommendations that we made over the
last 3 years are aimed at encouraging this. Until these recommendations
are fully implemented, the program will be at greater risk of not
optimally meeting mission needs and falling short of meeting expectations.
DHS Has Not Defined and Developed US-VISIT Within a DHS-wide Operational and
Technological Context
As we previously reported, agency programs need to properly fit within a
common strategic context or frame of reference governing key aspects of
program operations (such as who is to perform what functions, when and
where they are to be performed, what information is to be used to perform
them, and what rules and standards will govern the use of technology to
support them).^22 Without a clear operational context to guide and
constrain both US-VISIT and other border security and immigration
enforcement initiatives, DHS risks investing in programs and systems that
are duplicative, are not interoperable, and do not optimize enterprisewide
mission operations and produce intended outcomes.
For almost 4 years, DHS has continued to pursue US-VISIT (both in terms of
deploying interfaces between and enhancements to existing systems and in
defining a longer-term, strategic US-VISIT solution) without producing the
program's operational context. In September 2003, we reported that DHS had
not defined key aspects of the larger homeland security environment in
which US-VISIT would need to operate. In the absence of a DHS-wide
operational and technological context, program officials were making
assumptions about certain policy and standards decisions that had not been
made, such as whether official travel documents would be required for all
persons who enter and exit the country--including U.S. and Canadian
citizens--and how many fingerprints would be collected for biometric
comparisons. We further reported that if the program office's assumptions
and decisions turned out to be inconsistent with subsequent policy or
standards decisions, it would require US-VISIT rework.
According to the program's Chief Strategist, an immigration and border
management strategic plan was drafted in March 2005 to show how US-VISIT
is aligned with DHS's organizational mission and to define an overall
vision for immigration and border management. According to this official,
the vision provides for an immigration and border management enterprise
that unifies multiple departmental and external stakeholders around common
objectives, strategies, processes, and infrastructures. As of February
2007, about 2 years later, we were told that this strategic plan has not
yet been approved, although the program's Acting Director stated that the
plan is currently with OMB and should be provided to the House and Senate
Appropriations Subcommittees on Homeland Security by March 2007.
^22 GAO, Homeland Security: Risks Facing Border and Transportation
Security Program Need to be Addressed, GAO-03-1083 (Washington, D.C.:
Sept. 19, 2003).
However, at the same time, US-VISIT has not taken steps to ensure that the
direction that it is taking is both operationally and technologically
aligned with DHS's enterprise architecture (EA). As the report that we
issued this week states, the DHS Enterprise Architecture Board, which is
the DHS entity that determines EA compliance, has not reviewed the
US-VISIT architecture compliance for more than 2 years. However, since
August 2004, both US-VISIT and the EA have changed. For example,
additional functionality, such as the interoperability of US-VISIT's
Automated Biometric Information System (IDENT) and the Department of
Justice's Integrated Automated Fingerprint Identification System (IAFIS),
and the expansion of IDENT to collect ten rather than two fingerprints,
has been added. Also, two versions of the DHS EA have been issued since
August 2004.
While the strategic plan has not been approved or disseminated, the
program office has developed a strategic vision and blueprint and begun to
implement it. According to program officials, this future vision is to be
delivered through a number of planned mission capability enhancements. Of
these, the first enhancement is underway and is to provide several new
capabilities, including what the program refers to as "Unique Identity,"
which is to include the migration from the 2-fingerprint to 10-fingerprint
collection at program enrollment. It is also to interoperate US-VISIT's
IDENT system and the Department of Justice's IAFIS system. Currently, the
US-VISIT officials plan to complete Unique Identity in several phases and
have it fully operational by December 2009, although these plans have not
yet approved by DHS.
At this same time, DHS has launched other major border security programs
without adequately defining the relationships to US-VISIT and each other.
For example, the Intelligence Reform and Terrorism Prevention Act of 2004
directs DHS and the Department of State to develop and implement a plan,
no later than June 2009, that requires U.S. citizens and foreign nationals
of Canada, Bermuda, and Mexico to present a passport or other document or
combination of documents deemed sufficient to show identity and
citizenship to enter the United States (this is currently not a
requirement for these individuals entering the United States via sea and
land POEs from most countries within the western hemisphere).^23 This
effort, known as the Western Hemisphere Travel Initiative, was first
announced in 2005. In May 2006, we reported that DHS and the Department of
State had taken some steps to carry out the initiative, but they had a
long way to go to implement their proposed plans.^24 Among other things,
key decisions had yet to be made about what documents other than a
passport would be acceptable when U.S. citizens and citizens of Canada
enter or return to the United States. Further, while DHS and Department of
State had proposed an alternative form of passport, called a PASS card,
that would rely on RFID technology to help DHS process U.S. citizens
re-entering the country, DHS had not made decisions involving a broad set
of considerations that include (1) utilizing security features to protect
personal information, (2) ensuring that proper equipment and facilities
are in place to facilitate crossings at land borders, and (3) enhancing
compatibility with other border crossing technology already in use.
DHS has also initiated another border security program, known as the
Secure Border Initiative (SBI)--a multi-year program to secure the borders
and reduce illegal immigration by installing state-of-the-art surveillance
technologies along the border, increasing border security personnel, and
ensuring information access to DHS personnel at and between POEs. Under
SBI and its component, called SBInet, DHS plans to integrate personnel,
infrastructures, technologies, and rapid response capability into a
comprehensive border protection capability. DHS reports that, among other
things, SBInet is to encompass both the northern and southern land
borders, including the Great Lakes, under a unified border control
strategy whereby CBP is to focus on the interdiction of cross-border
violations between and at the land POEs, funneling traffic to the land
POEs. As part of SBI, DHS also plans to focus on interior
enforcement--disrupting and dismantling cross-border crime into the
interior of the United States while locating and removing aliens who are
present in the United States in violation of law. However, it is unclear
how SBInet will be linked, if at all, to US-VISIT so that the two can
share technology, infrastructure, and data.
^23 Pub. L. No. 108-458, S 7209 (Dec. 17, 2004), as amended, Pub. L. No.
109-295, S 546 (Oct. 4, 2006). In November 2006, DHS and the Department of
State issued a final rule announcing that, beginning on January 23, 2007,
citizens of the United States, Canada, Mexico, and Bermuda are required to
present a passport to enter the United States when arriving by air from
any part of the Western Hemisphere (8 C.F.R. Parts 212 and 235 and 22
C.F.R. Parts 41 and 53). According to DHS, a separate proposed rule
addressing land and sea travel will be published at a later date with
specific requirements for travelers entering the United States through
land and sea border crossings.
^24 GAO, Observations on Efforts to Implement the Western Hemisphere
Travel Initiative on the U.S. Canadian Border, [20]GAO-06-741R
(Washington, D.C.: May 25, 2006).
Clearly defining the dependencies among US-VISIT and programs like the
Western Hemisphere Travel Initiative and SBI is important because there is
commonality among their strategic goals and operational environments. For
example, both US-VISIT and SBI share the goal of securing the POEs.
Moreover, there is overlap in the data that each is to produce and use.
For example, both US-VISIT and the Western Hemisphere Travel Initiative
will require identification data for travelers at POEs.
Despite these dependencies, DHS has yet to define these relationships or
how they will be managed. Further, according to a March 6, 2006 memo from
the DHS Joint Requirements Council, the US-VISIT strategic plan did not
provide evidence of sufficient coordination between the program and the
other entities involved in border security and immigration efforts. The
council's recommendation was that the strategic plan not be approved until
greater coordination between US-VISIT and other components was addressed.
According to the Acting Program Director, a number of efforts are underway
to coordinate with other entities, such as with CBP on RFID, with the
Coast Guard on development of a mobile biometric reader, and with State on
standards for document readers. Without a clear, complete, transparent,
and understood definition of how related programs and initiatives are to
interact, US-VISIT and other border security and immigration enforcement
programs run the risk of being defined and implemented in a way that does
not optimize DHS-wide performance and results.
DHS Has Not Economically Justified US-VISIT Increments or Assessed Their
Operational Impacts
The decision to invest in any system or capability should be based on
reliable analyses of return on investment. That is, an agency should have
reasonable assurance that a proposed program will produce mission value
commensurate with expected costs and risks. According to OMB guidance,
individual increments of major systems should be individually supported by
analyses of benefits, cost, and risk. Thus far, DHS has yet to develop an
adequate basis for knowing whether its incrementally deployed US-VISIT
capabilities represent a good return on investment, particularly in light
of shortfalls in DHS's assessments of the program's operational impacts,
including costs of proposed capabilities. Without this knowledge, DHS will
not know until after the fact whether it is investing wisely or pursuing
cost-effective and affordable solutions.
DHS Did Not Economically Justify Its Proposed Incremental Investments
US-VISIT had not assessed the cost and benefits of its early increments.
For example, we reported in September 2003 that it had not assessed the
costs and benefits of Increment 1. Again, in February 2005, we reported
that although the program office developed a cost-benefit analysis for its
land entry capability, it had not justified the investment because the
treatment of both benefits and costs were unclear and insufficient.
Further, we reported that the cost estimates on which the cost-benefit
analysis was based were of questionable reliability because effective
cost-estimating practices were not followed. Most recently, in February
2006, we reported again that the program office had not justified its
investment in its air and sea exit capability. For example, we reported
that while the cost-benefit analysis explained why the investment was
needed, and considered at least two alternatives to the status quo, which
is consistent with OMB guidance for cost-benefit analyses, it did not
include a complete uncertainty analysis for the three exit alternatives
evaluated. Specifically, it did not include a sensitivity analysis^25 for
the three alternatives, which is a major part of an uncertainty analysis.
A complete analysis of uncertainty is important because it provides
decision makers with a perspective on the potential variability of the
cost and benefit estimates should the facts, circumstances, and
assumptions change. Further, the cost estimate upon which the analysis was
based did not meet key criteria for reliable cost estimating. For example,
it did not include a detailed work breakdown structure, which serves to
organize and define the work to be performed so that associated costs can
be identified and estimated.
^25 A sensitivity analysis is a quantitative assessment of the effect that
a change in a given assumption, such as unit labor cost, will have on net
present value.
Further, as we state in the report that we issued earlier this week, DHS
has devoted considerable time and resources toward establishing an
operational exit capability at land, air, and sea POEs. For example, over
the last 4 years, DHS has committed over $160 million to evaluate and
operate exit pilots at selected air, sea, and land POEs. Notwithstanding
this considerable investment of time and resources, the US-VISIT program
still does not have either an operational exit capability or a viable exit
solution to deploy to all air, sea, and land POEs.
Moreover, US-VISIT exit pilot reports have raised concerns and
limitations. For example, as we previously stated, land exit pilot
experienced several performance problems, such as the failure of RFID
readers to detect a majority of travelers' tags during testing and
cross-reads, in which multiple RFID readers installed on poles or
structures over roads, called gantries, picked up information from the
same visitor.
Notwithstanding these results, we reported earlier this week that the
program office planned to invest another $33.5 million to continue its air
and sea exit pilots. However, neither the fiscal year 2006 expenditure
plan nor other exit-related program documentation adequately defined what
these efforts entail or what they will accomplish. In particular, the plan
and other exit-related documentation merely state that $33.5 million will
be used to continue air and sea exit pilots while a comprehensive exit
solution is developed. They do not adequately describe measurable outcomes
(benefits and results) from the pilot efforts, or related cost, schedule,
and capability commitments that will be met. Further, the plan does not
recognize the challenges revealed from the prior exit efforts, nor does it
show how proposed exit investments address these challenges. In addition,
the plan allocates more funding for continuing the air and sea exit pilots
($33.5 million) than the prior year's plan said would be needed to fully
deploy an operational air and sea exit solution ($32 million). According
to program officials, the air and sea exit pilots are being continued to
maintain a presence intended to provide a deterrent effect at exit
locations, and to gather additional data that could help support planning
for a comprehensive exit solution.
Moreover, US-VISIT reported in August 2006 that it planned to spend an
additional $21.5 million to continue its land exit demonstration project
without adequate justification. However, we reported earlier this week
that these plans lacked adequate justification in light of the problems we
discussed earlier in this statement. Accordingly, program officials told
us that they intend to terminate the land exit project until a
comprehensive exit strategy can be developed. They have also stated that a
small portion of the $21.5 million is to be used to close out the
demonstration project and have requested that the remainder of the money
be reprogrammed to support Unique Identity.
DHS Did Not Adequately Assess the Impact of Entry Capabilities on Land Ports
of Entry Operations and Planned Capability Enhancements Carry Potential Cost
Implications
Knowing how planned US-VISIT capabilities will impact POE operations is
critical to US-VISIT investment decision makers. In May 2004, we reported
that the program had not assessed how deploying entry capabilities at land
POEs would impact the workforce and facilities. We questioned the validity
of the program's assumptions and plans concerning workforce and
facilities, since the program lacked a basis for determining whether its
assumptions were correct and thus whether its plans were adequate.
Subsequently, the program office evaluated the operational performance of
the land entry capability with the stated purpose of determining the
effectiveness of its performance at the 50 busiest land POEs. For this
evaluation, the program office established a baseline for comparing the
average time it takes to issue and process entry/exit forms at 3 of these
50 POEs, and then conducted two evaluations of the processing times at the
three POEs, one after the entry capability was deployed as a pilot, and
another one 3 months later, after the entry capability was deployed to all
50 POEs. The evaluation results showed that the average processing times
decreased for all three sites. Program officials concluded that these
results supported their workforce and facility investment assumptions that
no additional staff was required to support deployment of the entry
capability and that minimal modifications were required at the
facilities.^26
However, the scope of the evaluations was not sufficient to satisfy the
evaluations' stated purpose for assessing the full impact of the entry
capability. For example, the selection of the three sites, according to
program officials, was based on a number of factors, including whether the
sites already had sufficient staff to support the pilot. Selecting sites
based on this factor is problematic because it presupposes that all not
POEs have the staff needed to support the land entry capability. In
addition, evaluation conditions were not always held constant:
specifically, fewer workstations were used to process travelers in
establishing the baseline processing times at two of the POEs than were
used during the pilot evaluations.
Moreover, CBP officials from a land port of entry that was not an
evaluation site (San Ysidro) told us that US-VISIT deployment had not
reduced but actually lengthened processing times. (San Ysidro processes
the highest volume of travelers of all land POEs.) Although these
officials did not provide specific data to support their statement, their
perception nevertheless raises questions about the potential impact of
land entry capabilities on the 47 sites that were not evaluated.
Exacerbating this situation is the fact that DHS plans to introduce
changes and enhancements to US-VISIT at land POEs to verify the identity
of individuals entering the country, including a transition from digitally
scanning 2 fingerprints to 10. While such changes are intended to further
enhance border security, deploying them may have an impact on aging and
spatially-constrained land POEs facilities because they could increase
inspection times and adversely affect POEs operations. Moreover, the
increase from 2 to 10 fingerprints can affect the capacity of the systems
and communications networks processing because of the larger data sets
being processed and transmitted (10 vs 2 fingerprints). This need for
increased capacity will in turn affect program costs.
^26 Specifically, they said minimal modifications to interior workspace
were required to accommodate biometric capture devices and printers and to
install electrical circuits. These officials stated that modifications to
existing officer training and interior space were the only changes needed.
US-VISIT Did Not Adequately Evaluate Exit Capability Impacts on Operations at
Air and Sea Ports of Entry
The impact of planned exit capabilities at air and sea POEs has also not
been adequately analyzed, and is thus not available to inform investment
decisions. In February 2005, we reported that the program office had not
adequately planned for evaluating its exit pilot at air and sea POEs
because the pilot's evaluation scope and timeline were compressed. As a
result, the US-VISIT program office extended the pilot from 5 to 11 POEs
(nine airports and two seaports). Notwithstanding the expanded scope of
the pilot, the exit alternatives were not sufficiently evaluated.
Specifically, the program office evaluated these alternatives against
three criteria,^27 including compliance with the exit process. According
to the exit evaluation plan report, the average compliance rate across all
three alternatives was only 24 percent.^28 The evaluation report cited
several reasons for the low compliance rate, including that compliance
during the pilot was voluntary. As a result, the evaluation report
concluded that national deployment of the exit solution will not meet the
desired compliance rate unless the scope of the exit process is expanded
to incorporate an enforcement mechanism, such as not allowing persons to
reenter the United States if they do not comply with the exit process or
not allowing persons to board a carrier until they are processed by an
airline or the Transportation Security Administration. As of February
2006, program officials had not conducted any formal evaluation of
enforcement mechanisms or their possible effect on compliance and cost,
and according to the Acting Program Director, they do not plan to do so.
DHS Has Not Adequately Justified Increases in, and Disclosed the Scope and
Nature of, Program Management-Related Fiscal Year 2006 Expenditures
Program management is an important and integral aspect of any system
acquisition program. The importance of program management, however, does
not by itself justify any level of investment in such activities. Rather,
investments in program management capabilities should be viewed the same
as investments in any program capability, meaning the scope, nature, size,
and value of the investment should be disclosed and justified in relation
to the size and significance of the acquisition activities being
performed.
^27 The other two evaluation criteria were conduciveness to travel and
cost.
^28 Compliance rates were 23 percent for the kiosk, 36 percent for the
mobile device, and 26 percent for the validator.
As the report that we issued earlier this week states, US-VISIT's planned
investment in program management-related activities has risen steadily
over the last 4 years, while planned investment in development of new
program capabilities has declined. Figure 3 shows the breakdown of planned
expenditures for US-VISIT fiscal year 2002 through 2006 expenditure plans.
Figure 3: US-VISIT Breakdown of Planned Expenditures as a Dollar Amount
for FY2002 Through FY2006
Source: GAO analysis based on US-VISIT data.
Note: According to US-VISIT program officials, actual cost information for
program management and operations cannot be readily provided due to
limitations in their financial management system.
Specifically, the fiscal year 2003 expenditure plan provided $30 million
for program management and operations and about $325 million for new
development efforts, whereas the fiscal year 2006 plan provided $126
million for program management-related functions--an increase of $96
million--and $93 million for new development. This means that the fiscal
year 2006 plan proposed expending $33 million more for program management
and operations than it is for new development.
The increase in planned program management-related expenditures is more
pronounced if it is viewed as a percentage of planned development
expenditures. Figure 4 shows planned US-VISIT expenditures for program
management and operations as a percentage of development for fiscal years
2002 thru 2006.
Figure 4: US-VISIT Planned Expenditures for Program Management and
Operations as a Percentage of Development for FY2002 through FY2006
Source: GAO analysis based on US-VISIT data.
Note: According to US-VISIT program officials, actual cost information for
program management and operations cannot be readily provided due to
limitations in their financial management system.
Specifically, planned program management-related expenditures represented
about 9 percent of planned development in fiscal year 2003, but
represented about 135 percent of fiscal year 2006 development, meaning
that the fiscal year 2006 expenditure plan proposed spending about $1.35
on program management-related activities for each dollar spent on
developing new US-VISIT capability.
Moreover, the fiscal year 2006 expenditure plan did not explain the
reasons for this recent growth or otherwise justify the sizeable proposed
investment in program management and operations on the basis of measurable
and expected value. Further, the plan did not adequately describe the
range of planned program management and operations activities.
Program officials told us that the DHS Acting Undersecretary for
Management raised similar concerns about the large amount of program
management and operations funding in the expenditure plan. In January
2007, DHS submitted a revised expenditure plan to the House and Senate
Appropriations Subcommittees on Homeland Security, at the committee's
direction, to address their concerns. The revised plan allocates some
program management funds to individual increments and to two new
categories--program services and data integrity and biometric support, and
program and project support contractor services. However, the revised plan
still shows a relatively sizeable portion of proposed funding going toward
program management-related activities.
DHS Has Not Fully Implemented Key US-VISIT Acquisition and Financial Management
Controls
Managing major programs like US-VISIT requires applying discipline and
rigor when acquiring and accounting for systems and services. Our work and
other best practice research have shown that applying such rigorous
management practices improves the likelihood of delivering expected
capabilities on time and within budget. In other words, the quality of IT
systems and services is largely governed by the quality of the management
processes involved in acquiring and managing them. Some of these processes
and practices are embodied in the Software Engineering Institute's (SEI)
Capability Maturity Models^(R), which define, among other things
acquisition process management controls that, if implemented effectively,
can greatly increase the chances of acquiring systems that provide
promised capabilities on time and within budget. Other practices are
captured in OMB guidance, which establishes policies for planning,
budgeting, acquisition, and management of federal capital assets.
Over the last several years, we have made numerous recommendations aimed
at strengthening US-VISIT program management controls relative to
acquisition management, including for example configuration management,
security and privacy management, earned value management (EVM), and
contract tracking and oversight.
The program office has taken steps to lay the foundation for establishing
several of these controls. For example, the program adopted the SEI
Capability Maturity Model Integration (CMMI^(R))^29 to guide its efforts
to employ effective acquisition management practices, and approved an
acquisition management process improvement plan dated May 16, 2005. The
goal, as stated in the plan, was to conduct an independent CMMI assessment
in October 2006 to affirm that requisite process controls were in place
and operating.
In September 2005, the program office completed an initial assessment of
13 key acquisition process areas that revealed a number of weaknesses. To
begin addressing these weaknesses, the program office narrowed the scope
of the process improvement activities from 13 to 6 (project planning,
project monitoring and control, requirements development and management,
configuration management, product and process quality assurance, and risk
management) of the CMMI process areas and revised its process improvement
plan in April 2006 to reflect these changes. In May 2006, the program
conducted a second internal assessment of the six key process areas, and
according to the results of this assessment, improvements were made, but
weaknesses remained in all six process areas. For example,
0M a number of key acquisition management documents were not
adequately prepared and processes were not sufficiently defined,
including those related to systems development, budget and
finance, facilities, and strategic planning (e.g., product work
flow among organizational units was unclear and not documented);
and
0M roles, responsibilities, work products, expectations,
resources, and accountability of external stakeholder
organizations were not well-defined.
Notwithstanding these weaknesses, program officials told us that
their self-assessments show that they have made incremental
progress in implementing the 113 practices associated with the six
key processes. (See figure 5 for US-VISIT's progress in
implementing these practices.) However, they also recently decided
to postpone indefinitely the planned October 2006 independent
appraisal. Instead, the program intends to perform quarterly
internal assessments until the results show that they can pass an
independent appraisal. Further, the program has not committed to a
revised target date for having an external appraisal.
Figure 5: US-VISIT Progress in Implementing Key Acquisition
Practices from August 2005 to November 2006
Source: GAO analysis based on US-VISIT data.
The acquisition management weaknesses in the six key process areas
are exacerbated by weaknesses in other areas. For example, we
recently reported^30 that the US-VISIT contract tracking and
oversight process suffers from a number of weaknesses.
Specifically, we reported that the program had not effectively
overseen US-VISIT-related contract work performed on its behalf by
other DHS and non-DHS agencies, and these agencies did not always
establish and implement the full range of controls associated with
effective management of contractor activities. Further, the
program office and other agencies did not implement effective
financial controls.^31 In particular, the program office and other
agencies managing US-VISIT-related work were unable to reliably
report the scope of contracting expenditures. In addition, some
agencies improperly paid and accounted for related invoices,
including making a duplicate payment and making payments for
non-US-VISIT services from funds designated for US-VISIT.
Fully and effectively implementing the above discussed key
acquisition management and related controls takes considerable
time. However, considerable time has elapsed since we first
recommended establishment of these controls and they are not yet
operational and it is unclear when they will be. Therefore, it is
important that these improvement efforts stay on track. Until
these capabilities are in place, the program risks not meeting its
stated goals and commitments.
US-VISIT has not yet implemented other key management practices,
such as developing and implementing a security plan and employing
an EVM system to help manage and control program cost and
schedule. As we previously reported, the program's 2004 security
plan generally satisfied OMB and the National Institute of
Standards and Technology security guidance. Further, the fiscal
year 2006 expenditure plan states that all of the US-VISIT
component systems have been certified and accredited and given
full authority to operate. However, the 2004 security plan
preceded the US-VISIT risk assessment, which was not completed
until December 2005, and the security plan was not updated to
reflect this risk assessment. According to program officials, they
intend to develop a security strategy by the end of 2006 that
reflects the risk assessment. We have ongoing work for the Senate
Committee on Homeland Security and Governmental Affairs to review
the information security controls associated with computer systems
and networks supporting the US-VISIT program.
Regarding EVM,^32 the program is currently relying on the prime
contractor's EVM system to manage the prime contractor's progress
against cost and schedule goals. According to the fiscal year 2006
expenditure plan, the program office has assessed the prime
contractor's EVM system against relevant standards. However, in
reality, this EVM system was self-certified by the prime
contractor in December 2003 as meeting established standards. OMB
requires that agencies verify contractor self-certifications. The
program office has yet to do this, although program officials told
us that they plan to retain the services of another contractor to
perform this validation. This needs to be done quickly. Our review
of the integrated baseline review, which agencies are required by
OMB to complete to ensure that the EVM program baseline is
accurate, showed that it did not address key baseline
considerations, such as cost and schedule risks. Moreover, other
US-VISIT contractors have not been required to use EVM, although
program officials told us that this was to change effective
October 1, 2006.
^29 The CMMI^(R) ranks organizational maturity according to five levels.
Maturity levels 2 through 5 require verifiable existence and use of
certain key process areas.
^30 GAO, Homeland Security: Contract Management and Oversight for Visitor
and Immigrant Status Program Need to Be Strengthened, GAO-06-404
(Washington, D.D.: June 9, 2006).
^31 Financial controls are practices to provide accurate, reliable, and
timely accounting for billings and expenditures.
DHS Has Yet to Establish Effective Program Accountability Mechanisms
To ensure that programs manage their performance effectively, it is
important that they define and measure progress against program
commitments and hold themselves accountable for results. Measurements of
the operational performance, progress, and results are important to
reasonably ensure that problems and shortfalls can be addressed and
resolved in a timely fashion and so that responsible parties can be held
accountable.
^32 EVM is a management tool to help ensure that work performed for a
program or project is consistent with cost and schedule goals.
Thus far, effective performance and accountability mechanisms have yet to
be fully established for US-VISIT. As we reported,^33 CBP officials at 12
of 21 land POE sites that we visited told us about US-VISIT-related
computer slowdowns and freezes that adversely affected visitor processing
and inspection times at 9 of the 12 sites, but noted that these problems
were not always reported to CBP's computer help desk, as required by CBP
guidelines. Although various controls are in place to alert US-VISIT and
CBP officials to problems as they occur, these controls did not alert
officials to all problems (they had been unaware of the problems we
identified before we brought them to their attention). These computer
processing problems have the potential to not only inconvenience travelers
because of the increased time needed to complete the inspection process,
but to compromise security, particularly if CBP officers are unable to
perform biometric checks--one of the critical reasons US-VISIT was
installed at POEs.
In addition, to permit meaningful program oversight, it is important that
expenditure plans describe how well DHS is progressing against the
commitments made in prior expenditure plans. However, US-VISIT's
expenditure plan for fiscal year 2006 (the fifth expenditure plan)
continued a longstanding pattern of not describing progress against
commitments made in previous plans. For example, according to the fiscal
year 2005 expenditure plan, the prime contractor was to begin integrating
the long-term Increment 4 strategy into the interim US-VISIT system's
environment and the overall DHS enterprise architecture, and that US-VISIT
and the prime contractor would work with the stakeholder community to
identify opportunities for delivery of long-term capabilities under
Increment 4. However, the fiscal year 2006 plan does not discuss progress
or accomplishments relative to these commitments.
Additionally, the expenditure plan committed to begin deploying the most
effective exit alternative for capturing biometrics at air and sea POEs
during fiscal year 2005. In contrast, the 2006 expenditure plan states
that the exit pilots will continue throughout fiscal year 2006 and does
not address whether the fiscal year 2005 schedule deployment commitment
was met. Also, the fiscal year 2006 expenditure plan did not address all
performance measures cited in the fiscal year 2005 plan. Specifically, the
2005 plan included 11 measures. In contrast, the 2006 plan listed 7
measures, 4 of which are similar, but not identical to, some of the 11
measures in the 2005 plan. This means that several of the 2005 plan's
measures are not addressed in the 2006 plan. Moreover, even in cases of
similar performance measures, the fiscal year 2006 plan does not
adequately describe progress in meeting commitments. For example, the
fiscal year 2005 expenditure plan cited a performance measurement of
"Pre-entry watch list hits on biometrically enabled visa applications."
The fiscal year 2006 plan cites the performance measure of "Number of
biometric watch list hits for visa applicants processed at consular
offices." According to the latter plan, in fiscal year 2005 there were 897
such hits; however, neither plan cites a performance target against which
to gauge progress, assuming that the two performance measures mean the
same thing. Without such measurements, program performance and
accountability can suffer.
^33 GAO, Border Security, US-VISIT Program Faces Strategic, Operational,
and Technological Challenges at Land Ports of Entry, GAO-07-248
(Washington, D.C.: December 6, 2006).
In closing, we would emphasize that after a considerable investment of
time and resources, US-VISIT has met some fairly demanding legislative
requirements for deployment of entry capabilities at most POEs, and that
this achievement owes largely to the hard work and dedication of
individuals in the US-VISIT program office and the close oversight of the
House and Senate Appropriations Committees. Nevertheless, core
capabilities, such as exit, have not been implemented, and fundamental
questions about the program's future direction and fit within the larger
homeland security context as well as its return on investment remain
unanswered. Moreover, the program is overdue in establishing the means to
ensure that it is pursuing the right US-VISIT solution, and that it is
managing it the right way. The longer the program proceeds without these,
the greater the risk that the program will not optimally support mission
operations and will fall short of commitments. Measuring and disclosing
the extent to which these commitments are being met are also essential to
holding the department accountable. We look forward to continuing to work
constructively with the US-VISIT program to better ensure the program's
success.
Mr. Chairman, this concludes our statement. We would be happy to answer
any questions that you or members of the committee may have at this time.
Contact and Acknowledgement
If you should have any questions about this testimony, please contact
Randolph C. Hite at (202) 512-3439 or [email protected] , or Richard M.
Stana at (202) 512-8777 or [email protected] . Other major contributors
to this testimony included Deborah Davis, David Hinchman, James Houtz,
Sandra Kerr, John Mortin, Freda Paintsil, and Sushmita Srikanth
(310637)
United States Government Accountability Office
GAO
Testimony
Before the Subcommittee on Homeland Security, Committee on Appropriations,
U.S. House of Representatives
For Release on Delivery
Expected at 10:00 a.m. EST Friday, February 16, 2007
HOMELAND SECURITY:
US-VISIT Has Not Fully Met Expectations and Longstanding Program
Management Challenges Need to Be Addressed
Statement of
Randolph C. Hite, Director
Information Technology Architecture and Systems Issues
Richard M. Stana, Director
Homeland Security and Justice Issues
GAO-07-499T
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
[email protected] Automated answering system: (800) 424-5454 or (202)
512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548
www.gao.gov/cgi-bin/getrpt?GAO-07-499T .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Randy Hite at (202) 512-3439 or
[email protected], or Rich Stana at (202) 512-8777 or [email protected].
Highlights of [30]GAO-07-499T , a report to the Subcommittee on Homeland
Security, Committee on Appropriations, U.S. House of Representatives
February 16, 2007
HOMELAND SECURITY
US-VISIT Has Not Fully Met Expectations and Longstanding Program
Management Challenges Need to Be Addressed
The Department of Homeland Security (DHS) is investing billions of dollars
in its U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT)
program to collect, maintain, and share information on selected foreign
nationals who enter and exit the United States. The program uses biometric
identifiers (digital fingerscans and photographs) to screen people against
watch lists and to verify that a visitor is the person who was issued a
visa or other travel document. The program is also to biometrically
confirm the individual's departure. For over 3 years, GAO has reported on
US-VISIT capability deployments and shortfalls, as well as fundamental
limitations in DHS's efforts to define and justify US-VISIT's future
direction and to cost-effectively manage the delivery of program
capabilities on time and within budget.
GAO was asked to testify on (1) the status of the program's implementation
and (2) the program's progress in addressing longstanding management
weaknesses. Given where US-VISIT is today and the challenges and
uncertainties associated with where it is going, GAO believes that DHS is
long overdue in demonstrating that it is pursuing the right US-VISIT
solution and that it is managing US-VISIT the right way.
After spending almost 4 years and more than $1 billion, DHS has
implemented entry capabilities at most ports of entry; however, it has not
implemented a biometric exit capability or a suitable alternative. As of
December 2006, US-VISIT had deployed and was operating entry capability at
115 airports, 14 seaports, and 154 of 170 land ports of entry. However,
the implementation of a biometric land exit capability is currently not
feasible, according to program officials, because the only proven
technology available would require additional staffing and infrastructure
demands, and cause delays with potential impacts on trade and commerce.
Also, testing and analysis of a non-biometric solution identified numerous
performance and reliability problems, and such an alternative technology
does not meet legislative requirements. DHS believes that advances over
the next 5 to 10 years will allow solutions that do not require major
infrastructure changes, but the prospects for such technology are
uncertain.
DHS continues to face longstanding US-VISIT management challenges and
future uncertainties.
o For almost 4 years, DHS has continued to pursue US-VISIT without
producing the program's operational and technological context.
According to program officials, an immigration and border
management strategic plan was drafted in March 2005 to show how
US-VISIT is aligned with DHS's organizational mission and to
define an overall immigration and border management vision. After
almost 2 years, this plan has not yet been approved, but the
Acting Director said that it is currently with OMB for approval.
At the same time, DHS has launched other major security programs
without defining the relationship between US-VISIT and these
programs.
o DHS has yet to economically justify its investment in US-VISIT
increments or assess their operational impacts. For over 3 years,
we reported that the program did not adequately assess the
increment's costs and benefits because the assessments were
unclear and insufficient, and the cost estimates upon which they
were based did not meet key criteria for reliable cost estimating.
GAO further reported that the program had not assessed the impact
of the entry and exit capabilities on operations and facilities,
in part, because the scope of the evaluations performed were too
limited.
o DHS has not implemented key acquisition and financial management
controls. For example, GAO reported that the program had not
effectively overseen contract work performed on its behalf by
other DHS and non-DHS agencies, and these agencies did not always
establish and implement effective contract oversight activities.
Without these management controls, there is greater risk that US-VISIT
will not produce the right solution, and be managed the right way.
Accordingly, GAO has made numerous recommendations to address these
management challenges.
References
Visible links
20. http://www.gao.gov/cgi-bin/getrpt?GAO-06-741R
30. http://www.gao.gov/cgi-bin/getrpt?GAO-07-499T
*** End of document. ***