Homeland Security: Strategic Solution for US-VISIT Program Needs 
to Be Better Defined, Justified, and Coordinated (29-FEB-08,	 
GAO-08-361).							 
                                                                 
The Department of Homeland Security's (DHS) U.S. Visitor and	 
Immigrant Status Indicator Technology (US-VISIT) program's goals 
are to enhance the security of U.S. citizens and visitors,	 
facilitate legitimate travel and trade, ensure the integrity of  
the U.S. immigration system, and protect the privacy of visitors.
It is to use biometric and biographic information to control and 
monitor the pre-entry, entry, status, and exit of foreign	 
visitors. GAO was asked to determine (1) whether DHS has defined 
and economically justified a strategic solution for meeting	 
US-VISIT goals; (2) the biometric technology options DHS has	 
considered and the basis for the selected options; and (3) DHS's 
efforts to define, manage, and coordinate the relationships	 
between US-VISIT and other immigration and border management	 
programs. To accomplish this, GAO assessed key program		 
documentation against relevant criteria and examined available	 
biometric research.						 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-361 					        
    ACCNO:   A81174						        
  TITLE:     Homeland Security: Strategic Solution for US-VISIT       
Program Needs to Be Better Defined, Justified, and Coordinated	 
     DATE:   02/29/2008 
  SUBJECT:   Biometric identification				 
	     Biometric visas					 
	     Border security					 
	     Fingerprints					 
	     Homeland security					 
	     Identification cards				 
	     Immigrants 					 
	     Immigration					 
	     Immigration and naturalization law 		 
	     Performance measures				 
	     Port security					 
	     Program evaluation 				 
	     Program management 				 
	     Strategic planning 				 
	     Visas						 
	     Program coordination				 
	     Program goals or objectives			 
	     DHS Visitor and Immigrant Status			 
	     Indicator Technology Program			 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-361

   

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected]. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chairman and Ranking Member, Committee on Homeland 
Security, House of Representatives: 

GAO: 

February 2008: 

Homeland Security: 

Strategic Solution for US-VISIT Program Needs to Be Better Defined, 
Justified, and Coordinated: 

Homeland Security: 

GAO-08-361: 

GAO Highlights: 

Highlights of GAO-08-361, a report to the Chairman and Ranking Member, 
Committee on Homeland Security, House of Representatives. 

Why GAO Did This Study: 

The Department of Homeland Securityï¿½s (DHS) U.S. Visitor and Immigrant 
Status Indicator Technology (US-VISIT) programï¿½s goals are to enhance 
the security of U.S. citizens and visitors, facilitate legitimate 
travel and trade, ensure the integrity of the U.S. immigration system, 
and protect the privacy of visitors. It is to use biometric and 
biographic information to control and monitor the pre-entry, entry, 
status, and exit of foreign visitors. GAO was asked to determine (1) 
whether DHS has defined and economically justified a strategic solution 
for meeting US-VISIT goals; (2) the biometric technology options DHS 
has considered and the basis for the selected options; and (3) DHSï¿½s 
efforts to define, manage, and coordinate the relationships between US-
VISIT and other immigration and border management programs. To 
accomplish this, GAO assessed key program documentation against 
relevant criteria and examined available biometric research. 

What GAO Found: 

DHS has partially defined a strategic solution for meeting US-VISITï¿½s 
goals. In particular, the US-VISIT program office has defined and begun 
to develop a key capability known as ï¿½Unique Identity,ï¿½ which is to 
establish a single identity for all individuals who interact with any 
immigration and border management organization by capturing the 
individualï¿½s biometrics, including 10 fingerprints and a digital image, 
at the earliest possible interaction. However, the program office has 
yet to define and economically justify a comprehensive strategic 
solution for controlling and monitoring the exit of foreign visitors, 
which is critical to accomplishing the programï¿½s goals. Further, the 
department did not economically justify its ongoing investment in 
Unique Identity in a timely fashion. Specifically, the program office 
did not justify its investment until about 14 months after selecting 
and pursuing an alternative solution and obligating about $65 million. 
The absence of a fully defined strategic solution and timely economic 
justification hinders informed decision making about the best course of 
action for accomplishing strategic program goals and inhibits the 
ability to measure performance and promote accountability. 

DHS considered various biometric technologies, including fingerprints, 
facial, and iris technologies, and continues to use fingerprints as its 
foundational biometric technology. The focus on fingerprint technology 
is appropriate, given the opportunity to leverage existing DHS and 
Federal Bureau of Investigation identification systems and databases 
and to establish a single identity mechanism for all immigration and 
border management programs. In addition, research into fingerprints and 
other forms of biometric identification, such as facial recognition and 
iris scanning, show that fingerprints continue to be the most accurate 
biometric for identification purposes. 

DHS is taking a range of evolving actions, primarily at the department 
level, to coordinate relationships among US-VISIT and other immigration 
and border management programs. Thus far, this evolution has yet to 
progress to the point of reflecting the full scope of key practices 
that GAO has previously identified as essential to enhancing and 
sustaining collaborative efforts that span multiple organizations. To 
its credit, the department has defined common outcomes through its 
strategic plan and enterprise architecture and has taken steps to 
implement other collaboration practices, such as leveraging resources 
across its screening programs and developing screening performance 
indicators. However, the US-VISIT program office has yet to fully 
define its relationships with other immigration and border management 
programs. As a result, the department is at increased risk of 
introducing the inefficiencies and reduced effectiveness that result 
from suboptimizing how these programs collectively support its 
immigration and border management goals and objectives. 

What GAO Recommends: 

GAO is recommending that the Secretary of Homeland Security ensure that 
the strategic solution components are well-defined and economically 
justified before investing large sums of money and that they are 
effectively coordinated with related programs. DHS concurred with GAOï¿½s 
recommendations and stated that it has initiated actions to implement 
them. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-361]. 

For more information, contact Joel C. Willemssen at (202) 512-6222 or 
[email protected]. 

[End of section] 

Contents: 

Letter1: 

Results in Brief: 

Background: 

US-VISIT Strategic Solution Is Not Fully Defined, and No Aspects Were 
Economically Justified Prior to Solution Development: 

DHS Continues to Focus on Fingerprints as Its Primary Biometric 
Technology: 

Efforts to Define, Manage, and Coordinate Relationships among US-VISIT 
and Other Border Security Programs Are Evolving: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Overview of Legislative Underpinnings for the US-VISIT 
Program: 

Appendix III: Overview of Biometric Technologies: 

Appendix IV: Comments from the Department of Homeland Security: 

Appendix V: GAO Contact and Staff Acknowledgments: 

Figures: 

Figure 1: Simplified DHS Organizational Chart: 

Figure 2: Simplified Diagram of US-VISIT Related Systems: 

Figure 3: Simplified Diagram of Enumeration as Used by USCIS: 

Figure 4: Simplified Diagram of iDSM Architecture: 

Figure 5: Simplified Diagram of IOC Architecture: 

Abbreviations: 

ADIS: Arrival Departure Information System: 

APIS: Advance Passenger Information System: 

BioVisa: Biometric Visa Program: 

BCC: Border Crossing Card: 

CBP: U.S. Customs and Border Protection: 

CCD: Consular Consolidated Database: 

CLAIMS 3: Computer Linked Application Information Management System: 

DHS: Department of Homeland Security: 

DOJ: Department of Justice: 

DMIA: Immigration and Naturalization Service Data Management 
Improvement Act of 2000: 

EA: enterprise architecture: 

EAB: Enterprise Architecture Board: 

ESB: Enterprise Service Bus: 

FBI: Federal Bureau of Investigation: 

GES: Global Enrollment System: 

IAFIS: Integrated Automated Fingerprint Identification System: 

ICE: U.S. Immigration and Customs Enforcement: 

iDSM: interim Data Sharing Model: 

IDENT: Automated Biometric Identification System: 

IIRIRA: Illegal Immigration Reform and Immigrant Responsibility Act of 
1996: 

ISRS: Image Storage Retrieval System: 

IT: information technology: 

NIST: National Institute of Standards and Technology: 

POE: port of entry: 

RFID: radio-frequency identification: 

SCO: Screening Coordination Office: 

SBI: Secure Border Initiative: 

SEVIS: Student and Exchange Visitor Information System: 

TECS: Treasury Enforcement Communications Systems: 

US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology: 

USCG: U.S. Coast Guard: 

USCIS: U.S. Citizenship and Immigration Services: 

WHTI: Western Hemisphere Travel Initiative: 

United States Government Accountability Office: 

Washington, DC 20548: 

February 29, 2008: 

The Honorable Bennie G. Thompson: 
Chairman: 
The Honorable Peter T. King: 
Ranking Member: 
Committee on Homeland Security: 
House of Representatives: 

For many years the Congress and the administration have sought better 
ways to record and track the arrival and departure of foreign visitors 
through U.S. air, sea, and land ports of entry (POE). Pursuant to a 
series of statutory mandates,[Footnote 1] the Department of Homeland 
Security (DHS), in concert with the Department of State, established a 
program to use biometric and biographic information to control and 
monitor the pre-entry, entry, status, and exit of foreign 
visitors.[Footnote 2] This program, which is called the U.S. Visitor 
and Immigrant Status Indicator Technology (US-VISIT) program, is 
intended to enhance the security of U.S. citizens and visitors, 
facilitate legitimate travel and trade, ensure the integrity of the 
U.S. immigration system, and protect the privacy of visitors to the 
United States. 

DHS has pursued US-VISIT in a series of four increments, with 
Increments 1 through 3 focusing on the near-term integration of 
existing systems, and Increment 4 intended to be a more strategic 
solution. As of February 2008, Increments 1 through 3 are completed, 
resulting in an entry capability that has been deployed and is 
operating at about 300 air, sea, and land POEs. 

Because of the strategic importance of US-VISIT to our nation's 
evolving immigration and border management process, you asked us to 
determine (1) whether DHS has defined a strategic solution for meeting 
US-VISIT goals and whether the solution has been economically 
justified; (2) the biometric technology options DHS has considered and 
the basis for the selected options; and (3) DHS's efforts to define, 
manage, and coordinate the relationships between US-VISIT and other 
immigration and border management programs. To accomplish our 
objectives, we reviewed key program documentation, including plans and 
analyses, and compared them with relevant criteria. We also examined 
available government research on biometric technology options and 
compared efforts taken to coordinate the efforts of different 
organizational entities involved in US-VISIT with published 
coordination best practices. We conducted our review from January 2007 
through January 2008, in accordance with generally accepted government 
auditing standards. Further details of our objectives, scope, and 
methodology are included in appendix I. 

Results in Brief: 

DHS has partially defined a strategic solution for meeting US-VISIT 
program goals. In particular, the program office has defined and begun 
to develop one of the two key components of its strategic solution 
known as Unique Identity, which is to establish a single identity for 
all individuals who interact with any immigration and border management 
organization by capturing the individual's biometrics, including 10 
fingerprints and a digital image, at the earliest possible interaction. 
However, the program office has yet to define and economically justify 
the second primary component of its strategic solution--exit, which is 
critical to accomplishing the program's goals. Compounding this is the 
lack of timely economic justification for the Unique Identity solution. 
For example, the program office did not economically justify its 
investment in Unique Identity until about 14 months after selecting and 
pursuing an alternative solution and obligating about $65 million. The 
absence of a fully defined strategic solution and timely economic 
justification hinders informed decision making about the best course of 
action for accomplishing strategic program goals and inhibits the 
ability to measure performance and promote accountability. 

DHS considered various biometric technologies, including fingerprints, 
facial, and iris technologies, and continues to use fingerprints as its 
foundational biometric. The focus on fingerprint technology is 
appropriate, given the opportunity to leverage existing DHS and Federal 
Bureau of Investigation (FBI) identification systems and databases, and 
to establish a single identity mechanism for all immigration and border 
management programs. Further, research into fingerprints and other 
forms of biometric identification, such as facial recognition and iris 
scanning, show that fingerprints continue to be the most accurate 
biometric for identification purposes. Going forward, the program 
office is taking steps to permit it to introduce other biometric 
solutions at some future point. 

DHS is taking a range of evolving actions, primarily at the department 
level, to coordinate relationships among US-VISIT and other immigration 
and border management programs, such as the Secure Border Initiative 
(SBI) and the Western Hemisphere Travel Initiative (WHTI). 
Specifically, the department has defined common outcomes through its 
strategic plan and enterprise architecture (EA), and has taken steps to 
implement other collaboration practices, such as leveraging resources 
across its screening programs and developing screening performance 
indicators. However, these actions do not yet reflect the full scope of 
key practices that we have previously identified as essential to 
enhancing and sustaining collaborative efforts that span multiple 
organizations. For example, the US-VISIT program office has yet to 
fully define either its relationships with WHTI and SBInet or its 
approaches relative to addressing outcomes shared by all three 
programs. As a result, the department risks suboptimizing how these 
programs collectively support its immigration and border management 
goals and objectives. 

We are making recommendations to the Secretary of Homeland Security to 
ensure that the strategic solution components are well-defined, 
economically justified before investing large sums of money, and 
effectively coordinated with related programs. In written comments on a 
draft of this report, signed by the Director, Departmental GAO/Office 
of Inspector General Liaison, the department stated that it generally 
agreed with our observations and concurred with our recommendations, 
and that it has initiated actions to implement our recommendations. DHS 
also provided technical comments, which we have incorporated into this 
report as appropriate. 

Background: 

US-VISIT's goals are to (1) enhance the security of U.S. citizens and 
visitors, (2) facilitate legitimate travel and trade, (3) ensure the 
integrity of the U.S. immigration system, and (4) protect the privacy 
of visitors. The program is to achieve these goals by: 

* collecting, maintaining, and sharing information on certain foreign 
nationals who enter and exit the United States; 

* identifying foreign nationals who (1) have overstayed or violated the 
terms of their visit; (2) can receive, extend, or adjust their 
immigration status; or (3) should be apprehended or detained by law 
enforcement officials; 

* detecting fraudulent travel documents, verifying visitor identity, 
and determining visitor admissibility through the use of biometrics 
(digital fingerprints and a digital photograph); and: 

* facilitating information sharing and coordination within the 
immigration and border management community. 

Federal Statutes Provide a Strategic Framework for US-VISIT: 

A series of statutes, dating back to more than a decade ago, have 
provided a framework for the strategic focus of US-VISIT. A brief 
summary of statutes is provided below, and additional detail is 
provided in appendix II. 

The Illegal Immigration Reform and Immigrant Responsibility Act of 1996 
(IIRIRA)[Footnote 3] required the Attorney General to develop an 
automated system to record the departure of every foreign national from 
the United States and then match it to the individual's arrival record. 
Subsequently, section 2 of the Immigration and Naturalization Service 
Data Management Improvement Act (DMIA) of 2000[Footnote 4] amended the 
original entry-exit provisions of the IIRIRA and required the Attorney 
General[Footnote 5] to implement an integrated entry and exit data 
system for foreign nationals.[Footnote 6] More specifically, the act 
required an electronic system that would provide access to and 
integrate foreign national arrival and departure data that are 
authorized or required to be created or collected under law and are in 
an electronic format in Department of Justice (DOJ) or Department of 
State databases, such as those used at POEs and consular offices. The 
system, as described in DMIA, is to compare available arrival records 
with available departure records, allow online search procedures to 
identify foreign nationals who may have overstayed their authorized 
period of admission, and use available data to produce a report of 
arriving and departing foreign nationals. DMIA also required the 
implementation of the system at airports and seaports by December 31, 
2003, at the 50 highest volume land POEs by December 31, 2004, and at 
all remaining POEs by December 31, 2005. 

Subsequent laws added specific biometric requirements to US-VISIT. The 
USA PATRIOT Act,[Footnote 7] as amended, required the development and 
certification of a technology standard by January 26, 2003, including 
appropriate biometric identifiers that can be used to verify the 
identity of persons applying for a U.S. visa or seeking to enter the 
United States pursuant to a visa, for the purposes of conducting 
background checks, confirming identity, and ensuring that a person has 
not received a visa under a different name. The act also required DHS 
and the Department of State to focus on the utilization of biometric 
technology and the development of tamper-resistant documents readable 
at POEs for the integrated entry and exit data system. Additionally, 
the act required that a report be made to the Congress on the 
feasibility of enhancing the FBI's Integrated Automated Fingerprint 
Identification System (IAFIS) database and other identification systems 
in order to better identify aliens who may be wanted in connection with 
criminal investigations prior to the issuance of visas or entry into 
the United States. 

The Visa Waiver Permanent Program Act[Footnote 8] required DHS to 
develop and implement a fully automated system to control entry and 
exit of aliens at airports and seaports who enter the United States 
under the Visa Waiver Program. It also required that, by October 1, 
2002, inspectors at POEs have access to Department of State and DHS 
information to determine whether an alien seeking a waiver under the 
program is eligible to be admitted into the United States or to receive 
a visa. Further, the act required that visa waiver applicants be 
checked against watch list systems and that, by October 1, 2003, aliens 
applying for a visa waiver have a machine-readable passport.[Footnote 
9] The act was subsequently amended to require, not later than August 
3, 2008, an exit system using biometric information and recording the 
departure on a flight leaving the United States of every alien 
participating in the Visa Waiver Program.[Footnote 10] 

The Enhanced Border Security and Visa Entry Reform Act of 2002[Footnote 
11] required DHS, in consultation with the Department of State, to use 
the technology standard, including biometric identifier standards 
developed under the USA PATRIOT Act, at POEs by October 26, 
2005,[Footnote 12] to install equipment and software at all POEs to 
allow biometric comparison and authentication of all U.S. visas and 
other travel and entry documents issued to aliens, and passports with 
biometric identifiers to be issued by Visa Waiver Program participating 
countries.[Footnote 13] 

The Intelligence Reform and Terrorism Prevention Act of 2004[Footnote 
14] required the collection of biometric exit data for all categories 
of individuals required to provide biometric entry data under US- 
VISIT,[Footnote 15] regardless of the POE where they entered the United 
States. The law did not set a deadline for implementation of this 
requirement. The law also required DHS to develop a plan to accelerate 
the full implementation of the program. 

Overview of Program Structure and Organization: 

The US-VISIT program office is responsible for managing the 
acquisition, deployment, operation, and sustainment of US-VISIT. As of 
March 2007, the program office reports directly to the Under Secretary 
for National Protection and Programs. (See fig. 1.) 

Figure 1: Simplified DHS Organizational Chart: 

This figure is a "tree" chart displaying the hierarchy of DHS. The 
Secretary and Deputy Secretary is positioned at the top, and Customs 
and Border Protection, Citizenship and Immigration Services, and 
Federal Emergency Management Agency is at the bottom. 

[See PDF for image] 

Source: GAO analysis of DHS data. 

[End of figure] 

US-VISIT supports a series of homeland security-related mission 
processes that cover hundreds of millions of foreign national travelers 
who enter and leave the United States at about 300 air, sea, and land 
POEs. They are: 

* pre-entry, which is the process to evaluate a traveler's eligibility 
for required travel documents, enroll travelers in automated inspection 
programs, and prescreen travelers entering the United States; 

* entry, which is the process of determining a traveler's admissibility 
to the United States at air, sea, or land POEs; 

* status management, which is the process of managing and monitoring 
the changes and extensions of the visits of lawfully admitted 
nonimmigrant foreign nationals to ensure that they adhere to the terms 
of their admission and to notify appropriate government entities when 
they do not; 

* exit, which is the process of collecting information on persons 
departing the United States; and: 

* analysis, which is the capability to provide for the continuous 
screening against watch lists of individuals enrolled in US-VISIT for 
appropriate reporting and action. 

Overview of Program Status: 

DHS planned to deliver US-VISIT capabilities in a series of four 
increments: Increment 1 (air and sea entry), Increment 2 (air, sea, and 
land entry), Increment 3 (land entry), and Increment 4, which is to be 
a more strategic solution. Increments 1 through 3, which largely 
involved building interfaces among existing ("legacy") systems and 
enhancing the capabilities of these systems and supporting 
infrastructure, have been completed. As a result, a biometrically 
enabled entry capability is operating at about 300 POEs. More 
specifically, on January 5, 2004, the program office began operating 
most aspects of its planned biometric entry capability at 115 airports 
and 14 seaports for certain foreign nationals, including those from 
visa waiver countries.[Footnote 16] As of December 2006, the program 
office was operating this entry capability in the secondary inspection 
areas of 154 of 170 land POEs.[Footnote 17] 

In September 2006, the program office deployed a capability to exchange 
limited information with IAFIS, which is the FBI's automated 10- 
fingerprint matching system. This capability, known as the interim Data 
Sharing Model (iDSM), was initially deployed September 3, 2006, and, 
according to the US-VISIT program office, is operating with the Boston 
Police Department, the Dallas County (TX) Sheriff, the Harris County 
(TX) Sheriff, and the Office of Personnel Management. Within the iDSM, 
IAFIS users have access to DHS biometrically-based information on 
expedited removals and Category 1 Visa Refusals.[Footnote 18] 
Conversely, the Automated Biometric Identification System (IDENT) users 
have access to a limited set of IAFIS data that consists of active 
Wants and Warrants and Known/Suspected Terrorists. 

The key systems that support or are connected to US-VISIT are described 
below. A simplified diagram of the relationships among these systems is 
shown in figure 2. 

* IDENT collects and stores biometric data about foreign visitors, 
including information from the FBI, U.S. Immigration and Customs 
Enforcement (ICE) information on deported felons and sexual 
registrants, and DHS information on previous criminal histories and 
previous IDENT enrollments. 

* IAFIS, which, as mentioned above, is the FBI's automated 10- 
fingerprint matching system and is electronically connected to all 50 
states, as well as some federal agencies. 

* Arrival Departure Information System (ADIS), which stores noncitizen 
traveler arrival and departure data received from air and sea carrier 
manifests and provides query and reporting functions. ADIS matches 
entry, immigration status updates, and departure data to provide 
immigration status, including whether the individual has overstayed 
his/her authorized period of stay. 

* Student and Exchange Visitor Information System (SEVIS), which 
contains data on change of status throughout a foreign student's or 
exchange visitor's stay in the United States. 

* Computer Linked Application Information Management System (CLAIMS 3), 
which includes adjudication results on foreign nationals who request 
immigration benefits such as change of status, extension of stay, or 
adjustment to permanent resident status. 

* Treasury Enforcement Communications Systems (TECS), which maintains 
lookout (i.e., watch list) data, interfaces with other agencies' 
databases, and is currently used by inspectors at POEs to verify 
traveler information and update traveler data. 

* Advance Passenger Information System (APIS), which captures arrival 
and departure manifest information provided by air and sea carriers. 

* Consular Consolidated Database (CCD), which is owned by the 
Department of State and includes information on visa applicants. 

* Image Storage and Retrieval System (ISRS), which stores U.S. 
Citizenship and Immigration Services (USCIS) biometrics data, including 
the photo and fingerprints of individuals who have been issued a 
credential by USCIS. 

* The USCIS Enterprise Service Bus (ESB), which provides network 
connectivity in support of USCIS' "Inter-Country Adoption" program. 

* The Global Enrollment System (GES), which supports the U.S. Customs 
and Border Protection (CBP) programs for expedited processing of 
preapproved, international, and low-risk travelers who voluntarily 
exchange information in return for expedited transit at U.S. borders. 

* The U.S. Coast Guard's (USCG) Mona Pass Proof-of-Concept, which is to 
test the feasibility of deploying a mobile biometrics identification 
capability to a Coast Guard cutter in the Mona Passage.[Footnote 19] 

Figure 2: Simplified Diagram of US-VISIT Related Systems: 

This figure is a flowchart of US-VISIT related systems. 

[See PDF for image] 

Source: GAO analysis of US-VISIT data. 

[End of figure] 

Through fiscal year 2007, DHS had been appropriated about $1.7 billion 
and, as of October 2007, about $1.5 billion had been obligated for the 
US-VISIT program. For fiscal year 2008, the department has been 
appropriated $475 million for the program. 

According to DHS, US-VISIT has produced mission value. For example, as 
of June 15, 2007, the program reported that it had more than 7,600 
biometric hits in primary entry resulting in more than 1,500 people 
having adverse actions, such as denial of entry, taken against them. 
Further, about 14,000 leads were referred to the ICE immigration 
enforcement unit, resulting in 315 arrests.[Footnote 20] Another 
potential consequence is the deterrent effect of having an operational 
entry capability. Although deterrence is difficult to demonstrate, 
officials have cited it as a byproduct of having a publicized 
capability at the border to screen entry on the basis of identity 
verification and matching against watch lists of known and suspected 
terrorists. 

Overview of Biometric Technologies and Systems: 

Biometric technologies measure and analyze human physiological and 
behavioral characteristics. Identifying a person's physiological 
characteristics is based on direct measurement of a part of the body 
(e.g., fingertips, hands, face, eye retinas, and irises). Biometric 
measurements are theoretically effective personal identifiers because 
the characteristics measured (e.g., fingertips, hands, face, eye 
retinas, and irises) are thought to be distinct to each person. 
Therefore, unlike conventional identification methods that use 
something physical (e.g., an identification card), or a piece of 
information (e.g., a password), biometric identifiers are more 
reliable, cannot be forgotten, and are more difficult to lose, steal, 
or guess. 

Biometric identification systems function as pattern recognition 
systems. They use acquisition devices, such as cameras and scanning 
devices, to capture images, recordings, or measurements of an 
individual's characteristics and computer hardware and software to 
extract, encode, store, and compare these characteristics. 

Depending on the application, biometric systems can be used in one of 
two modes: identification or verification. Identification is referred 
to as one-to-many matching because an individual's presented biometric 
is compared against the stored biometric templates[Footnote 21] of all 
individuals enrolled in the system. It is used to establish a person's 
identity--that is, to determine who a person is. Verification--also 
called authentication--is referred to as one-to-one matching because an 
individual's presented biometric is compared against the biometric for 
that person, which was stored in the system during enrollment. It is 
used to verify a person's identity--that is, to authenticate that 
individuals are who they say they are. 

Other DHS Border Security and Immigration Initiatives: 

Besides US-VISIT, DHS has begun to plan and implement several other 
initiatives aimed at better securing our nation's borders and managing 
immigration matters, such as WHTI and SBI. WHTI was established 
pursuant to the Intelligence Reform and Terrorism Prevention Act of 
2004, which required the Secretary of Homeland Security, in 
consultation with the Secretary of State, to develop and implement a 
plan that requires U.S. citizens and foreign nationals of Canada, 
Bermuda, and Mexico to present a passport or other document or 
combination of documents deemed sufficient to show identity and 
citizenship to enter the United States.[Footnote 22] As of January 23, 
2007, citizens of the United States, Canada, Mexico, and Bermuda are 
required to present a passport to enter the United States when arriving 
by air from any part of the western hemisphere. This is currently not a 
requirement for these individuals when entering the United States via 
sea and land POEs from most countries within the western 
hemisphere.[Footnote 23] On June 26, 2007, DHS and the Department of 
State issued a notice of proposed rulemaking for the implementation of 
WHTI at the sea and land environments. According to the proposed rule, 
DHS and the Department of State expect to implement WHTI by the summer 
of 2008.[Footnote 24] We recently issued a report on the status of WHTI 
implementation to the House Homeland Security Committee's Subcommittee 
on Border, Maritime and Global Counterterrorism.[Footnote 25] 

SBI is a multiyear program that is to secure the borders and reduce 
illegal immigration by installing physical infrastructure and 
surveillance technologies along the border, increasing border security 
personnel, and ensuring information access to DHS personnel at and 
between POEs. A major component of SBI is called SBInet, which is to 
integrate personnel, infrastructures, technologies, and rapid response 
capabilities. DHS reports that SBInet is to encompass both the northern 
and southern land borders, including the Great Lakes, under a unified 
border control strategy whereby CBP is to focus on the interdiction of 
cross-border violations between and at the land POEs, funneling traffic 
to the land POEs. As part of SBI, DHS also plans to focus on interior 
enforcement--disrupting and dismantling cross-border crime into the 
interior of the United States while locating and removing aliens who 
are in the United States illegally. We are currently conducting work 
for the House Homeland Security Committee to assess the development and 
deployment of SBInet's command, control, and communications systems, 
and surveillance and detection systems. We are also reviewing DHS's use 
of performance-based services acquisition. 

DHS's Enterprise Architecture Is Evolving and Is an Important Tool for 
Optimizing the Relationships among Related Programs: 

Effective use of an EA is a hallmark of successful private and public 
organizations. Generally speaking, an EA connects an organization's 
strategic plan with program and system solutions by providing the 
operational and technical information needed to guide and constrain 
implementable investments in a consistent, coordinated, and integrated 
fashion. This information consists of snapshots of both the 
enterprise's current ("As Is") environment and its target ("To Be") 
environment. These snapshots consist of "views," which are one or more 
interdependent and interrelated architecture products (e.g., models, 
diagrams, matrices, and text) that provide various representations of 
the enterprise. Managed properly, an EA can clarify and help optimize 
the interdependencies and relationships among an organization's 
business operations and the underlying information technology (IT) 
infrastructure and applications that support those operations. 
Moreover, when an EA is employed in concert with other important 
management controls, such as portfolio-based capital planning and 
investment control practices, it can greatly increase the chances that 
an organization's operational and IT environments will be configured to 
optimize mission performance. Our experience with federal agencies has 
shown that investing in IT without defining the investments in the 
context of an architecture often results in systems that are 
duplicative, not well integrated, and unnecessarily costly to maintain 
and interface.[Footnote 26] 

DHS issued the initial version of its EA in September 2003 and has 
continued to develop it since then, adding more scope and content to 
subsequent versions. In 2007, we reported on the third version of DHS's 
EA, stating that DHS had partially addressed shortcomings that we had 
identified in the previous versions. Since then, the department has 
further developed its architecture and issued an updated version. In 
doing so, it has continued to address our prior findings and 
recommendations. 

Prior GAO Reviews of US-VISIT Have Identified Several Areas for 
Improvement: 

Since 2003, we have issued numerous reports[Footnote 27] highlighting 
fundamental challenges that DHS continues to face in defining the 
program. For example, we reported that DHS was investing in US-VISIT 
without a clearly defined operational context that included explicitly 
defined relationships among related border and immigration enforcement 
initiatives. In the absence of a DHS-wide operational context, program 
officials made assumptions about certain standard issues, such as 
capturing 2 fingerprints rather than 10 to identify foreign nationals 
subject to US-VISIT. 

In December 2006,[Footnote 28] we reported that DHS had launched key 
major border security programs, such as WHTI and SBInet, without 
adequately defining their relationships to US-VISIT. As a result, we 
concluded that DHS faces substantial risk that US-VISIT will not align 
with other immigration and border management initiatives and thus not 
cost effectively meet mission needs. We recommended that DHS determine 
how it expects to align emerging land border security initiatives, such 
as WHTI and SBInet, with US-VISIT, and what facility or facility 
modifications would be needed at land POEs to ensure that technology 
and processes work in harmony. In August 2007,[Footnote 29] we reported 
that US-VISIT's strategic plan did not include any of the key elements 
associated with effective strategic plans. In particular, the plan did 
not explain the relationship between US-VISIT and other border 
management programs, such as WHTI, even though both programs involve 
the entry of certain foreign individuals at POEs. 

Over the last 5 years, we have also reported that DHS had not 
economically justified its investment in US-VISIT increments, including 
exit. For example, we reported in September 2003,[Footnote 30] that DHS 
had not economically justified the initial increment (which was to 
include an exit capability at air and sea POEs) on the basis of 
benefits, costs, and risks. As a result, we recommended that DHS 
determine whether proposed incremental capabilities would produce 
mission value commensurate with program costs and risks. Similarly, in 
February 2006,[Footnote 31] we reported that while DHS had analyzed the 
cost, benefits, and risks for its air and sea exit capability, the 
analyses did not demonstrate that the program was producing or would 
produce mission value commensurate with expected costs and benefits, 
and the costs upon which the analyses were based were not reliable. A 
year later, we reported[Footnote 32] that DHS had not adequately 
defined and justified its past investment in its air and sea exit 
pilots and its land exit demonstration projects. We recommended, among 
other things, that planned expenditures be limited for exit pilots and 
demonstration projects until such investments were economically 
justified. 

US-VISIT Strategic Solution Is Not Fully Defined, and No Aspects Were 
Economically Justified Prior to Solution Development: 

Thus far, DHS has partially defined a US-VISIT strategic solution. On 
the basis of available project documentation, we determined that the 
strategic solution consists of two primary components: (1) Unique 
Identity and (2) exit. Of these, the first is fairly well-defined, the 
second is not. Further, although Unique Identity is defined, it was not 
economically justified in a timely fashion, and thus DHS proceeded with 
its development in the absence of an analytically verifiable basis for 
doing so. The absence of a fully defined strategic solution and timely 
economic justification hinders informed decision making about the best 
course of action for accomplishing strategic program goals and inhibits 
the ability to measure performance and promote accountability. 

The Unique Identity Component of US-VISIT Strategic Solution Has Been 
Defined and Is Under Development: 

One of the two major components of the strategic solution is a project 
known as Unique Identity. The purpose of this project is to develop and 
deploy a capability that establishes a single identity for all 
individuals encountered across the immigration and border mission area. 
This is to be achieved by capturing the individual's biometrics, 
including 10 fingerprints and a digital image, at the earliest possible 
interaction with any immigration and border management entity (e.g., 
when the individual is applying for a visa or immigration benefit). It 
is also to enable an improved process for determining the risk 
associated with allowing entry to an individual or the individual's 
eligibility to receive benefits. 

Unique Identity consists of the development of three capabilities: (1) 
10-print identification, (2) enumeration, and (3) IDENT/IAFIS 
interoperability. These capabilities are to be fully deployed by 2010 
and as of November 7, 2007, the program office reported obligating 
about $65 million, and expending about $22 million,[Footnote 33] to 
develop and deploy Unique Identity. 

Ten-print Identification: 

Ten-print identification is to establish the means for capturing 10 
fingerprints and is to enable the other two Unique Identity components, 
as well as increase the fingerprint matching accuracy in IDENT. 

The first three increments of US-VISIT were deployed using 2-print 
identification and verification capability. In July 2005, DHS announced 
that it intended to biometrically screen foreign visitors to the United 
States based on a fingerprint standard of 10-print flat capture at 
enrollment and fewer than 10 fingerprints for verification thereafter. 
This work was required for POEs and the Department of State posts that 
were participating in the Biometric Visa (BioVisa) program,[Footnote 
34] both of which were collecting 2 fingerprints. Transitioning to 10 
fingerprints also required modifications to IDENT to accept and process 
the larger number of fingerprints. 

US-VISIT and other agencies that either had a need or developed 
guidance for biometrics (e.g., the FBI, Department of State, and the 
National Institute of Standards and Technology [NIST]) established a 
user group and began working with industry to determine whether there 
were 10-print scanners available that met their respective 
requirements, such as maximum size and processing speed. In December 
2005, the user group determined that the 10-print scanners available at 
that time did not meet these requirements, but that such scanners could 
be available within 12 months. In November 2006, the Department of 
State, which was able to employ the already available scanners, began 
to capture 10 fingerprints, as a pilot, during visa issuance in 
overseas embassies and consulates. According to the US-VISIT program 
office, the Department of State has deployed 10-print equipment to all 
of its visa-issuing posts. 

By January 2007, technology improved to the point where US-VISIT was 
able to evaluate vendor proposals for 10-print scanners. That same 
month, the program office awarded contracts to two scanner vendors that 
had developed technically suitable devices. Currently, the program 
office is deploying 10-print scanners on a pilot basis to 10 air 
locations[Footnote 35] that currently use a 2-print scanner and, 
according to a US-VISIT official, it plans to complete this deployment 
and begin evaluating the scanners' performance in March 2008. Full 
deployment to all locations that currently use a 2-print scanner 
(including primary inspection lanes in air and sea POEs and secondary 
inspection lanes in land POEs) is scheduled to be completed by December 
2008. 

Enumeration: 

Enumeration is to associate the biometric and biographical data within 
IDENT and IAFIS with individuals encountered by immigration and border 
management entities and thereby allow for improved risk and eligibility 
determinations for individuals entering the United States or applying 
to receive benefits. When decisions are made concerning entry or 
eligibility, details from these encounters are also to be recorded and 
linked to the individual's record. To accomplish this, a unique 
identifier, referred to as an enumerator,[Footnote 36] is assigned to 
the individual's record, stored within IDENT, and linked to the 
fingerprints and the individual's associated biographic information. 
Upon subsequent interactions, the individual's identity is to be 
biometrically verified and information about the individual, including 
past encounters, is to be available for risk and eligibility decisions. 

Enumeration begins with the person's initial encounter by immigration 
and border management entities. During this encounter, an individual's 
biometrics (i.e., 10 fingerprints and digital image) and limited 
biographical information are captured. Once this information is 
gathered, one of three enumeration services can be provided: identify, 
verify, or retrieve encounter details. These services are described 
here. 

* Identify: IDENT is searched using the biometrics captured from the 
individual during the initial encounter to determine whether biometric 
records are stored in the system. The individual's fingerprints are 
enrolled in IDENT and if no matching biometric record is found, an 
enumerator is assigned. If a biometric record is already stored in 
IDENT, but without an enumerator, one is assigned. IAFIS is then 
searched using the collected biometrics. 

* Verify: If a person has already been enumerated, IDENT and IAFIS are 
searched and the individual's identity is verified against the stored 
biometric records. 

* Retrieve Encounter Details: A request can be submitted for details of 
a particular previous encounter with the individual. Using the 
enumerator, biometric and related biographic information for the 
individual is retrieved and provided to aid the risk or eligibility 
decision. 

The results of these requests are packaged and returned by IDENT, and 
may include a list, and types, of the individual's previous encounters. 

Thus far, enumeration services have been implemented on a pilot basis. 
Specifically, in July 2007, USCIS implemented enumeration services as 
part of its Inter-Country Adoption process, which is to allow USCIS 
adjudicators and other users to store, retrieve, and update centrally 
stored information about inter-country adoption cases. A simplified 
diagram of the enumeration process, as utilized by USCIS, and the types 
of enumeration requests, can be found in figure 3. 

Figure 3: Simplified Diagram of Enumeration as Used by USCIS: 

This figure is a diagram of enumeration as used by USCIS. 

[See PDF for image] 

Source: GAO analysis of US-VISIT data. 

[End of figure] 

USCIS' Inter-Country Adoption Pilot is part of the USCIS transformation 
program, which is to transition USCIS from a form-based to a "person- 
centric," or customer account-based, service provider. Successful 
transition depends on the capability to uniquely identify and validate 
a person's identity in order to track and manage the ongoing 
relationship of the person with USCIS. According to the USCIS Chief 
Information Officer, USCIS plans to eventually associate all of its 
immigration and border management records with the enumerator.[Footnote 
37] 

However, future implementation of enumeration by other DHS 
organizations is uncertain. The US-VISIT Program Director told us that 
the use of enumeration has not been mandated across the department. He 
added that departmentwide use of the capability could be 5 years away, 
but that they are deploying the service to meet USCIS's requirement. 
Because of this, program officials stated that a deployment plan for 
departmentwide use of enumeration does not exist. Instead, they intend 
to provide the capability to DHS entities on an as requested basis. 

IDENT/IAFIS Interoperability: 

The purpose of IDENT/IAFIS interoperability is to enable DHS and the 
FBI to share biometric and related biographic, criminal history, and 
immigration history data. To achieve this interoperability, the program 
office is working with the FBI's Criminal Justice Information Services 
Division, which manages IAFIS. DHS and the FBI plan to deploy IDENT/ 
IAFIS interoperability in three phases, each of which is to build on 
the previous phase and to provide increased information sharing. The 
three phases are iDSM, Initial Operating Capability (IOC), and Full 
Operating Capability. 

* The interim Data Sharing Model is a proof-of-concept for long-term 
information sharing between DHS and the FBI. Under iDSM, as mentioned 
previously, DHS provides the FBI with information on expedited removals 
and Category 1 Visa Refusals, and the FBI provides DHS with information 
on active Wants and Warrants and Known/Suspected Terrorists. These data 
are shared by providing and storing copies of the data (e.g., Visa 
Refusals and Wants and Warrants, respectively) in repositories that are 
outside of the IDENT and IAFIS systems but that are located at the 
other agency's data center. Ownership and control of the agencies' data 
subsets are still maintained by the originating agency. 

To illustrate, copies of DHS fingerprint images and limited biographic 
information, such as name and date/place of birth, are transmitted from 
IDENT to the separate IDENT repository located in the DOJ data center. 
Once the information has been placed within the repository, it is then 
sent to the DOJ/IAFIS shared data fingerprint matchers,[Footnote 38] 
which reside within the IAFIS system. Once the information is in the 
matchers, minutiae are extracted from the fingerprint images and stored 
in the matchers along with the limited biographic information. DOJ/FBI 
shares the IAFIS data with DHS in the same way. 

When users submit a query, both the shared data matchers (which contain 
the copies of the other agency's data) and their own data matchers are 
searched for potential hits. For example, when an IDENT user submits a 
query, both the IDENT shared data matchers that contain copies of the 
FBI's Wants and Warrants and the Known/Suspected Terrorists data, and 
the IDENT matchers that contain DHS's biometric and biographical data 
are searched for biometric matches. (See fig. 4 for a simplified 
diagram of the iDSM architecture.) 

The iDSM was deployed September 3, 2006, and, according to the US-VISIT 
program office, is operating with the Boston Police Department, the 
Dallas County (TX) Sheriff, the Harris County (TX) Sheriff, and the 
Office of Personnel Management. 

Figure 4: Simplified Diagram of iDSM Architecture: 

This figure is a diagram of iDSM architecture. 

[See PDF for image] 

Source: GAO analysis of US-VISIT data. 

[End of figure] 

* Initial Operating Capability is to expand the data sets to be shared 
between IDENT and IAFIS. In addition to the data shared as part of 
iDSM, DHS is to also share its entire recidivist repository, USCIS 
benefits data, credentialing information, additional information from 
the BioVisa and BCC programs, DHS watchlist data, and enrollment/ 
enumeration and encounter data. In turn, the FBI is to share 55 million 
records in the Criminal Master File, as well as latent print data. 

In addition, IOC is to modify the architecture for sharing the expanded 
set of IDENT and IAFIS data. Under IOC, the data shared between IDENT 
and IAFIS as part of iDSM will continue to be shared as it is under the 
iDSM architecture (i.e., copies of the shared data are sent to separate 
repositories and data matchers). In addition, DHS and the FBI are to 
share the additional data sets (e.g., recidivist repository and 
Criminal Master File, respectively) by providing direct access to the 
actual fingerprint data (as opposed to copies in the iDSM architecture) 
stored in each other's fingerprint matchers. Similar to iDSM, all 
respective matchers are to be searched as part of a single query. To 
illustrate, when an IDENT user submits a biometric search query, three 
matchers are searched: (1) the IDENT shared data matchers that contain 
copies of the FBI's Wants and Warrants and the Known/Suspected 
Terrorists data, (2) the IDENT matchers that contain DHS's biometric 
data, and (3) the IAFIS matchers that contain the Criminal Master File 
and latent print data. Similar data matchers are searched for an IAFIS 
user query, except that the IDENT shared database is also searched 
because it includes DHS watchlist data, in addition to the IAFIS shared 
data. According to the US-VISIT Program Director, IOC is planned for 
September 2008. (See fig. 5 for a simplified diagram of the proposed 
IOC architecture.) 

Figure 5: Simplified Diagram of IOC Architecture: 

This figure is a flowchart of IOC architecture. 

[See PDF for image] 

Source: GAO analysis of US-VISIT data. 

[End of figure] 

* Full Operating Capability refers to the end state of interoperability 
between IDENT and IAFIS. It is to provide for interoperability and real-
time data sharing of an expanded set of biographic data for criminal 
and civil searches. However, the exact information to be shared by DHS 
and the FBI has not yet been determined. Full Operating Capability is 
planned for February 2010. 

The Exit Component of US-VISIT Strategic Solution Has Not Been 
Adequately Defined: 

Despite long-standing legislative requirements and a sizeable 
investment of time and resources, DHS has yet to clearly define the 
second major component of its strategic solution--exit. Moreover, while 
DHS has established milestones for several key air exit activities, 
such as fully implementing an air exit capability by the end of 2008, 
the program office has not provided any verifiable analysis and 
documentation that support these milestones, thus calling into question 
their reliability. According to DHS officials, the current state of 
exit capabilities owes largely to the fact that an exit capability is 
more challenging to implement than entry. Without an operationally 
effective exit capability, US-VISIT cannot meet its strategic goals, 
and the integrity of the nation's immigration system is limited. 
Further, the absence of any defined exit solution, including reliable 
milestones, means that this situation is not likely to change in the 
near future. 

As mentioned earlier, the legislative underpinnings for an exit 
capability were established in 1996.[Footnote 39] In response, DHS 
allocated about $260 million for exit-related efforts between 2003 and 
2007, and the program office reports that it expended about $157 
million. In particular, the program office conducted various exit 
pilots and demonstration projects at air, sea, and land POEs. 
Throughout this period, we reported on the limitations in how these 
activities were planned, defined, and justified. Most recently, we 
reported in August 2007[Footnote 40] that the lack of a well-defined 
and justified exit solution risks repeating failed and costly past exit 
efforts. We further reported that no exit program plans were available 
that defined what will be done, by what entities, and at what cost to 
define, acquire, deliver, deploy, and operate this capability, 
including plans describing expected system capabilities, defining 
measurable outcomes (benefits and results), identifying key stakeholder 
(e.g., airlines) roles/responsibilities and buy-in, and coordinating 
and aligning with related programs. 

DHS has recently reaffirmed its commitment to implementing an exit 
solution and reconstituted its efforts. In particular, DHS reports that 
it will focus first on a biometric air exit solution by leveraging 
existing commercial airlines processes. However, the means by which 
this integration is to be accomplished has yet to be defined and 
published. Currently, DHS plans to issue a Notice of Proposed Rule 
Making for establishing a biometric exit verification process at 
commercial international air exit points. 

To date, we have yet to receive further details on the proposed process 
beyond a high-level schedule of key milestones, which includes issuing 
the proposed and final rules by December 2007 and June 2008, 
respectively, and fully implementing the air exit solution by December 
2008. However, these milestones are not supported by the kind of 
verifiable analysis and documentation that is associated with reliably 
derived program schedules, such as (1) decomposition of the program 
into a work breakdown structure; (2) sequencing, integration, and 
resourcing of each work element in the work breakdown structure; and 
(3) identification of the critical path through the schedule of linked 
work elements. As a result, the reliability of the milestones remains 
questionable. Further, the milestones are dependent on several major 
unknowns. For example, until the proposed rule is issued and comments 
are received, DHS will not know the full scope and nature of any 
airline concerns and challenges, which may affect the content of the 
final rule; this final rule will in turn dictate what the airlines will 
be required to do and thus what their respective time lines will be for 
implementing their parts of the exit solution. Exacerbating this lack 
of reliability with the reported air exit milestones is the fact that 
the program office has already missed several near-term milestones. For 
example, it was to complete an alternatives analysis, the business 
requirements, and a concept of operations by August 2007, as planned. 
As of November 2007, the program office reported that these documents 
had yet to be approved. Further, it did not meet the December 2007 date 
for issuing the proposed rule.[Footnote 41] 

With regard to sea and land exit, a strategic solution is even less 
defined and thus more uncertain. While DHS reports that it will develop 
and deploy a sea exit capability that emulates its air exit solution, 
no plans are available that define what entities are to be involved, 
how much the solution will cost, or when it will be deployed. For land, 
DHS has not determined a time frame or cost estimates for even 
initiating a land exit solution. In lieu of deploying this capability, 
DHS plans to initially explore options for expanding the collection of 
biographic data on travelers crossing the borders. Specifically, the 
then-acting US-VISIT Director of Program Integration and Mission 
Services told us that US-VISIT is building relationships with Canada to 
foster future possibilities of sharing border operation information. 
Further, while the Comprehensive Exit Charter notes that, as biometric 
scanning technology develops and becomes more sophisticated, DHS will 
consider land exit options that provide for biometric capture without 
severely impacting the flow of travel across the border, but no further 
details are available. 

The longer the department goes without an exit capability, the more its 
ability to effectively and efficiently perform its border security and 
immigration enforcement missions may suffer. Without exit data, for 
example, DHS cannot ensure the integrity of the immigration system by 
identifying and removing those people who have overstayed their 
original period of admission--a stated goal of US-VISIT. 

DHS Did Not Economically Justify Investing in Unique Identity in a 
Timely Fashion: 

The decision to invest in any system should be based on reliable 
analyses of estimated system costs and expected benefits over the life 
of the investment. Given the importance of these analyses to informing 
the decision-making process, they should be completed prior to 
selecting and investing in a particular solution to ensure that the 
solution selected achieves the expected performance goals with the 
lowest life cycle costs and the least risk. This is consistent with 
Office of Management and Budget guidance, which states that individual 
increments of major systems are to be individually supported by 
analyses of benefits, cost, and risk.[Footnote 42] DHS has also issued 
guidance recognizing the importance of completing such economic 
analyses early in a project's planning stage to support informed 
decision making about what projects should be approved and 
funded.[Footnote 43] 

While DHS developed a cost-benefit analysis for Unique Identity, the 
analysis was completed after system development activities were well 
under way. Specifically, DHS completed an analysis for Unique Identity 
in August 2006, but the analysis did not address the alternative 
solution that DHS ultimately selected and is now being developed. 
Subsequent to the completion of the August 2006 analysis, the program 
office and the FBI elected to pursue a hybrid alternative solution that 
was not included in the initial analysis, in part to address the FBI's 
interest in maintaining control over FBI data to be shared with IDENT. 
According to program officials, when the hybrid solution was developed, 
they considered the degree of technology change required for the hybrid 
and, based on the potential changes, determined that any increased cost 
would be marginal. However, they could not provide any documented 
evidence to support this determination. 

Subsequently, in October 2007, DHS issued a revised analysis that 
included the alternative solution that is being pursued. However, this 
analysis was about 14 months after the initial phase of Unique Identity 
was deployed and after about $65 million was obligated, and $22 million 
was expended. According to program officials, the revised analysis 
confirmed that its costs and benefits were roughly equivalent to the 
original analysis and affirmed the program's decision to select and 
build this alternative. However, program officials agreed that given 
that the solution has been selected and is being developed, the value 
of such an "after-the-fact" analysis in informing investment decision 
making is lost. By following such a practice, DHS did not know whether 
it was pursuing the most cost effective investment option until after 
it had obligated tens of millions of dollars. 

In addition, DHS has yet to finalize a cost-benefit analysis for a 
comprehensive exit solution. According to program officials, the 
department intends to finalize such an analysis for its air exit 
solution as part of the Notice of Proposed Rule Making process. 
However, it is unclear if and when an analysis will be completed for 
the sea and land solutions. 

DHS Continues to Focus on Fingerprints as Its Primary Biometric 
Technology: 

DHS considered various biometric technologies, including fingerprints, 
facial, and iris technologies, and continues to use fingerprints as its 
foundational biometric. According to NIST and DHS, fingerprint 
technology is currently the most accurate form of biometric 
identification for matching one biometric record against many such 
records, which is a key requirement of US-VISIT. Notwithstanding this 
focus on fingerprints, the program office continues to participate in 
and review research efforts examining other forms of biometrics and how 
those technologies might be applied to US-VISIT. In recognition that 
one of these technologies may prove viable, the program office modified 
IDENT to allow an additional mode of biometric comparison if such 
technology becomes feasible. 

DHS Considered Various Biometric Technologies, Focusing on Fingerprints 
as Its Foundational Biometric: 

While DHS has considered various biometric technologies, including 
fingerprints, facial, and iris technologies, it maintains its focus on 
fingerprints as its foundational biometric technology for two primary 
reasons. First, fingerprint technology is currently the most accurate 
form of biometric identification for matching one biometric record 
against many. According to the Chief of NIST's Information Access 
Division, who is responsible for overseeing biometric technology 
research, no biometric technology, other than fingerprints, has been 
demonstrated operationally, or in independent testing, to automatically 
and accurately identify one-to-many matching on US-VISIT sized 
populations. Such matching is performed by IDENT, which contains 
fingerprints collected from a number of sources.[Footnote 44] Second, 
focusing on fingerprint technology provides DHS with access to the 
FBI's biometric database, known as IAFIS. 

However, IDENT's use of a 2-print model--one from the left index finger 
and one from the right index finger--has been identified as a major 
barrier for achieving interoperability with IAFIS, which is a 10-print 
system. Interoperability between IDENT and IAFIS provides DHS and US- 
VISIT access to the largest criminal biometric database in the world, 
the Criminal Master File, which, as mentioned previously, stores over 
50 million sets of 10 rolled fingerprints and corresponding criminal 
history information submitted by law enforcement agencies. IAFIS also 
contains a Civil Subject Index Master File, which stores noncriminal 
fingerprints (e.g., fingerprints of military, government, or authorized 
nongovernment personnel), and an Unsolved Latent File, which contains 
latent fingerprint[Footnote 45] images found at crime scenes. In May 
2007, DHS designated IDENT as the DHS biometric repository and 
committed to moving it to 10 fingerprints in order to enhance US- 
VISIT's ability to identify and verify a person's identity. According 
to NIST officials, this is because a system's accuracy increases as a 
greater number of fingerprints are used. 

The environment in which US-VISIT operates limits the effectiveness of 
other biometric technology options. A program official who works with 
biometrics told us that one of the limitations of capturing high- 
quality photographs for facial recognition is that the POE environment 
cannot be modified to, for example, change the background in the photos 
of individuals. Specifically, a backdrop for taking photos cannot be 
placed in a POE because it will restrict the CBP officers' view of the 
processing area. 

Other Biometric Technologies Remain a Future Option: 

Although DHS is using fingerprints as its primary biometric identifier, 
it has ongoing biometric research efforts. For example, the program 
office works with academic institutions, such as the Center for 
Identification Technology Research at West Virginia University, to 
explore the rapidly growing area of biometric identification 
technology. Further, the program office has contracted with NIST to 
conduct research and analysis on biometric capture devices, systems, 
and procedures in a range of operational environments. In addition, a 
program office representative chairs the DHS Biometrics Coordination 
Group, which facilitates DHS intradepartmental planning and 
coordination for biometrics research, development, testing, and 
evaluation. As part of this, the Research and Development, Testing and 
Evaluation Working Group within the Biometrics Coordination Group 
gathers research and development requirements and shares them with 
other groups, such as the Human Factors Division within the DHS Science 
and Technology Directorate and the National Science and Technology 
Council Subcommittee on Biometrics and Identity Management. 

In addition, program officials stated that US-VISIT is beginning to 
evaluate how to add the capability to process multiple types of 
biometrics--also known as multimodal biometrics--in the next 3-5 years. 
Further, program officials stated that IDENT has been modified to add 
the capacity and capability to eventually receive and match biometric 
data from technologies other than fingerprints, should another type of 
biometric mature to where it can be effectively used. Program officials 
also stated that US-VISIT plans to conduct prototype work on multimodal 
biometric data in order to increase the accuracy and efficiency of 
matches. Additional details about biometric technologies are in 
appendix III. 

Efforts to Define, Manage, and Coordinate Relationships among US-VISIT 
and Other Border Security Programs Are Evolving: 

Because optimizing an organization's ability to achieve its strategic 
goals and outcomes depends in part on its success in managing the 
interdependencies among related programs, it is essential that DHS 
define, manage, and coordinate its border screening programs in a way 
that embodies collaboration practices that our research shows are 
important to maximizing organizational performance and achieving 
organizational goals and outcomes. While DHS has established a few 
mechanisms for defining and managing related immigration and border 
programs, including US-VISIT, WHTI, and SBInet, and begun to implement 
key collaboration practices, these activities are still evolving. Going 
forward, it is important that DHS embrace and maximize the use of key 
organizational collaboration practices to effectively manage the 
relationships among these programs. Absent such collaboration, DHS 
risks potential overlap, duplication, and inconsistency across the 
programs, which could limit effective and efficient organizational 
performance and results. 

As we have previously reported,[Footnote 46] organizational 
collaboration can be viewed as any joint activity that is aimed at 
producing more public value than could be produced when programs or 
organizations act alone. Among other things, our research shows that 
effective collaboration depends on the use of certain collaboration 
practices. These practices include: 

* establishing common outcomes: defining and articulating a shared or 
common outcome(s) or purpose(s) that organizations or programs are 
mutually seeking to achieve and that are consistent with their 
respective goals and missions; 

* establishing mutually reinforcing or joint strategies: creating 
strategies that work in concert with those of their partner 
organizations or programs, or that are joint in nature; 

* leveraging resources: identifying the human, technological, physical, 
and financial resources needed to initiate or sustain the collaborative 
effort; 

* agreeing on roles and responsibilities: working together to define 
and agree on respective roles and responsibilities, including how the 
collaboration efforts will be led; 

* establishing a compatible means to operate across organizational 
boundaries: creating compatible standards, policies, procedures, and 
data systems that will be used in the collaborative effort; and: 

* developing mechanisms to monitor, evaluate, and report on results: 
putting in place the means to monitor, evaluate, and report on the 
collaborative effort to identify areas for improvement. 

Most of these practices are reflected to some degree in department- 
level mechanisms that are in place and are evolving, such as the DHS EA 
and the Screening Coordination Office (SCO). Similarly, limited program-
to-program collaboration efforts are occurring. As these efforts 
continue to evolve, it is important to examine the expanded use of 
these collaboration practices. DHS's implementation of each of the 
practices, along with opportunities for their expanded use, is 
discussed below. 

Establishing a Common Outcome: 

DHS's strategic plan and EA (the department's blueprint for 
implementing its strategic plan), define outcomes for securing our 
nation's border that are shared by US-VISIT, WHTI, and SBInet. In 
particular, one of the goals in the department's strategic plan is to 
detect, deter, and mitigate threats to our homeland, and one of its 
objectives for achieving this goal is to secure our borders against 
terrorists, the means of terrorism, illegal drugs, and other illegal 
activity. US-VISIT, WHTI, and SBInet program documentation explicitly 
link their programs to this common goal and objective. For example, one 
of US-VISIT's goals is to enhance the security of U.S. citizens and 
visitors and one way it seeks to achieve this is by matching foreign 
nationals' biometrics against watch lists, thereby preventing those 
visitors who may pose a threat from entering the country. 

In addition, the EA's draft transition plan groups programs, including 
US-VISIT and WHTI, that have a common purpose (namely, assessing the 
risk and determining the eligibility of persons seeking to enter the 
United States, or obtain a benefit or credential)[Footnote 47] into a 
portfolio of screening programs.[Footnote 48] According to the DHS 
Chief Architect, SBInet will be included in the screening/watchlist 
portfolio and reflected in the department's next EA transition plan. 

Notwithstanding DHS's efforts to link the three programs to common 
strategic outcomes, other shared aspects of the programs are not as 
well-established. For example, the EA does not define how these 
programs are expected to share common services and data. Specifically, 
it does not yet include an inventory of services to be provided by each 
program such as the biometric services that US-VISIT provides in 
support of the department. Similarly, it does not include a complete 
inventory of DHS data assets relevant to the screening 
programs.[Footnote 49] For example, while it identifies and describes 
20 data assets, including IDENT and ADIS, the EA does not include all 
of the biographic data assets that support identity management and 
screening processes, such as SEVIS, which ICE uses to manage and 
monitor the stay of foreign students in the United States. 

Moreover, program-to-program level activities aimed at identifying and 
pursuing common strategic outcomes are not apparent. Specifically, 
while US-VISIT program officials told us that potential relationships 
with other immigration and border management programs, including WHTI 
and SBInet, exist, they have not yet been defined. With regard to WHTI 
in particular, a program official said that the program office intends 
to work with the WHTI program office to implement radio-frequency 
identification (RFID) technology[Footnote 50] for US-VISIT land exit, 
but efforts for accomplishing this have yet to go beyond providing the 
WHTI program office with the results of US-VISIT's land exit RFID 
"proof-of-concept" pilot projects, as well as the associated 
hardware.[Footnote 51] Similarly for SBInet, while the business needs 
assessment for US-VISIT's mobile biometric link project[Footnote 52] 
identifies SBInet as a potential user of this capability, the 
assessment states that SBInet is to develop a solution to enable border 
patrol agents to process biographic and biometric information in remote 
border areas. According to US-VISIT officials, the US-VISIT/SBInet 
relationships have not yet been defined. 

Establishing Mutually Reinforcing or Joint Strategies: 

On July 31, 2006, the DHS Secretary established SCO to, among other 
things, coordinate and integrate the department's screening and 
credentialing efforts and create unified screening standards and 
policies. In July 2007, SCO issued a framework to help ensure the 
integration and alignment of screening programs. In short, the 
framework is to help identify opportunities for convergence and synergy 
among the related programs, as well as improvements in efficiency and 
mission effectiveness by providing a common method or process for the 
collection and use of data across these programs. According to the 
coordination office, the framework will eventually include a transition 
plan, including major activities, milestones, and associated time lines 
and costs. The SCO Associate Director told us that a draft transition 
plan is currently being reviewed within the department. The SCO is also 
the portfolio manager for the EA's screening/watchlist portfolio and, 
as such, works closely with the DHS Enterprise Architecture 
Board[Footnote 53] (EAB) to ensure that its investments (e.g., those 
related to screening activities) are aligned with the EA and that the 
investments' resources are shared and effectively leveraged. However, 
as mentioned above, the EA is still evolving and does not define key 
aspects of the program's relationships and dependencies. Moreover, we 
have previously reported that DHS processes for ensuring that programs 
are aligned with its EA are not grounded in an explicit risk-based 
methodology and associated compliance criteria. 

Leveraging Resources: 

In May 2007, the DHS Chief Information Officer and the SCO Director 
jointly issued a memo that, among other things, directed all programs 
that collect and use fingerprints when determining an individual's 
eligibility for entry or benefits to use US-VISIT's IDENT. In 
particular, programs were directed to provide the US-VISIT program 
office with their respective requirements for biometric vetting and 
storage. In doing so, DHS's aim is to leverage its IDENT resource as a 
shared capability or service for all DHS programs. Nevertheless, it is 
not clear that other opportunities to leverage resources across US- 
VISIT, WHTI, and SBInet are being exploited because doing so depends in 
large part on defining program-to-program relationships and plans for 
implementing SCO's screening framework, which have yet to be fully 
defined. 

Agreeing on Roles and Responsibilities: 

Certain department-level roles and responsibilities have been defined 
and agreed upon. As mentioned above, for example, SCO is responsible 
for coordinating the department's screening and credentialing programs 
and creating unified screening standards and policies, and has 
developed a framework and, according to the SCO Associate Director, a 
draft transition plan for achieving this. Also, the EAB is responsible 
for ensuring that DHS investments are aligned with the department's EA 
and that the investments' resources are shared and leveraged. However, 
as also mentioned above, program-level relationships, which would 
include roles and responsibilities for implementing the framework and 
interacting with related programs, have yet to be defined. 

Establishing Compatible Policies, Procedures, and Other Means to 
Operate Across Organizational Boundaries: 

The department has established several mechanisms for facilitating how 
the US-VISIT, WHTI, and SBInet programs interact and operate with one 
another. For example, the DHS EA serves as a common frame of reference 
for programs to map to in an effort to minimize duplication and promote 
capability, and DHS's process for determining program alignment is 
intended to facilitate this. To illustrate, documentation from US- 
VISIT's most recent EA alignment review shows that the DHS Enterprise 
Architecture Center of Excellence[Footnote 54] raised questions about 
the program's efforts to coordinate capabilities with other DHS 
programs, including SBInet. However, the EA is still evolving as a 
means for managing related programs, such as US-VISIT, WHTI, and 
SBInet. For example, US-VISIT's representation in the EA business 
model--which associates the department's business functions with the 
organizations that support and/or implement them--does not align US- 
VISIT with certain business functions (e.g., verify identity and 
establish identity) that the program office identifies as a critical 
part of its mission. Additionally, the EA does not associate US-VISIT 
with all the data systems that it owns and manages, and it does not 
define all system interfaces for IDENT. For example, the EA identifies 
ADIS and IDENT as being owned by CBP and ICE, respectively, even though 
both systems are owned by the US-VISIT program office. Also, it does 
not identify the interface between IDENT and GES, even though US-VISIT 
officials confirm that the interface exists and is operating. According 
to the DHS Chief Architect, the next version of the EA is to address 
such inaccuracies. 

Another mechanism to support interaction across programs is the SCO, 
which provides a means to coordinate and integrate the department's 
screening and credentialing activities, including a framework that 
provides for having a common method or process for collecting and using 
data. In addition, the coordination office provides other means for 
coordinating screening programs, such as weekly meetings with other 
programs. Specifically, SCO sponsors, and US-VISIT participates in, a 
weekly meeting to discuss WHTI implementation. According to the SCO 
Director, SCO also provides budget formulation and policy development 
advice to screening/watchlist portfolio programs to help limit overlap 
and redundancies and to leverage resources among programs. 

At the program level, the US-VISIT program office has established a 
standard protocol for sending biometric information to and from IDENT 
and has developed interface control agreements to describe how the 
protocol will be used with other organizations. 

Developing Mechanisms to Monitor, Evaluate, and Report on Results: 

SCO, through the EA draft transition plan, has developed performance 
indicators for the screening/watchlist portfolio. Such indicators 
include reducing the number of false positives from screening 
operations and increasing the use of technology to verify legitimacy of 
credentials. However, the data to be collected to implement such 
measures have not been defined. 

Conclusions: 

The success of US-VISIT depends in large part on how well the program 
is defined, economically justified, and coordinated with related 
immigration and border management programs. While DHS has addressed 
each of these areas to some degree, none have been performed in a 
manner that fully reflects relevant federal guidance and related best 
practices, even though the program is now into its sixth year of 
activity, and more than a billion dollars has been invested in it. Of 
particular concern is that, after 5 years and tens of millions of 
dollars, DHS has yet to fully define and economically justify a 
comprehensive exit capability, including a plan describing what the 
capability will be, and how, when, and at what cost it will be 
delivered. Further, the Unique Identity component of the US-VISIT 
solution was not economically justified in a timely fashion to 
determine whether it was the most cost-effective solution before 
committing tens of millions of dollars. Therefore, DHS continues to 
lack a clear and fully defined strategic direction for how it will 
deliver on all its strategic program goals, and it continues to invest 
in the program without first knowing that its decision will produce 
cost effective and affordable results. 

To DHS's credit, it has appropriately selected fingerprints as the 
biometric of choice for US-VISIT. Further, it has taken positive steps 
to coordinate US-VISIT with related immigration and border management 
programs, which provide the department opportunities to better reflect 
important collaboration practices. 

Recommendations for Executive Action: 

To ensure that US-VISIT's strategic solution, including a comprehensive 
exit solution, is better defined, economically justified, and 
coordinated, we recommend that the Secretary of Homeland Security take 
the following two actions: 

* Direct the Undersecretary for National Protection and Programs to 
have the US-VISIT Program Director: 

- develop a plan for a comprehensive exit capability, which includes, 
at a minimum, a description of the capability to be deployed, the cost 
of developing, deploying and operating the capability, identification 
of key stakeholders and their respective roles and responsibilities, 
key milestones, and measurable performance indicators; and: 

- develop an analysis of costs, benefits, and risks for proposed exit 
solutions before large sums of money are committed on those solutions, 
and use the analysis in selecting the final solution. 

* Direct the appropriate DHS parties involved in defining, managing, 
and coordinating relationships across the department's border and 
immigration management programs to address the program collaboration 
shortcomings identified in this report, such as fully defining the 
relationships between US-VISIT and other immigration and border 
management programs and, in doing so, to employ the collaboration 
practices discussed in this report. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, signed by the Director, 
Departmental GAO/Office of Inspector General Liaison and reprinted in 
appendix IV, the department stated that it generally agreed with our 
observations and concurred with our recommendations. 

In addition, the department stated that it has initiated actions to 
implement our recommendations. With respect to our recommendation to 
develop a plan and cost-benefit analysis for a comprehensive exit 
capability, DHS stated that the department remains committed to 
deploying an air exit solution by December 2008 and has completed a 
cost-benefit analysis for air and sea exit implementation. It is 
important that this cost-benefit analysis be used in selecting the 
final exit solution to ensure that the solution selected achieves the 
expected performance goals with the lowest life cycle costs and the 
least risk. 

Regarding our recommendation to define, manage, and coordinate 
relationships across the department's border and immigration management 
programs, DHS stated that US-VISIT, along with appropriate parties, is 
developing and implementing an internal DHS governance board, which 
will include senior executives from programs such as WHTI and SBI, and 
which will provide a forum for collaboration and communication about 
the program. DHS also noted that, as part of its strategic planning 
efforts, US-VISIT solicits input from stakeholders such as DHS 
headquarters, CBP, ICE, and other federal agencies. DHS also stated 
that US-VISIT is integrally involved in departmental working groups on 
WHTI, SBI, and other immigration reform efforts. We support DHS's 
efforts in this area and emphasize the need for DHS to continue to 
implement the collaboration practices discussed in this report. 

DHS also provided technical comments, which we have incorporated into 
this report as appropriate. 

As we agreed with your office, unless you publicly announce the 
contents of this report earlier, we plan no further distribution of it 
until 30 days from the date of this letter. We will then send copies of 
this report to the Chairmen and Ranking Members of the Senate and House 
Appropriations Committees and other Senate and House committees and 
subcommittees that have authorization and oversight responsibilities 
for homeland security. We will also send copies to the Secretary of 
Homeland Security and the Director of the Office of Management and 
Budget. We will also make copies available to others upon request. In 
addition, this report will be available at no charge on the GAO Web 
site at [hyperlink, http://www.gao.gov]. 

Should you or your offices have any questions on matters discussed in 
this report, please contact me at (202) 512-6222 or at 
[email protected]. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. Key contributors to this report are listed in appendix V. 

Signed by: 

Joel C. Willemssen: 

Managing Director, Information Technology Issues: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Our objectives were to determine: (1) whether the Department of 
Homeland Security (DHS) has defined a strategic solution for meeting 
U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) goals 
and whether the solution has been economically justified; (2) the 
biometric technology options DHS has considered and the basis for the 
selected options; and (3) DHS's efforts to define, manage, and 
coordinate the relationships between US-VISIT and other immigration and 
border management programs. 

To determine whether DHS has defined a strategic solution, we reviewed 
key program documentation, such as the US-VISIT strategic plan and 
implementation blueprint, program master schedule, program road map, 
Unique Identity project documentation (e.g., concept of operations, 
business requirements, system architectures, work breakdown structures, 
and project plans), and a high-level schedule for air exit. In doing 
so, we focused on determining such key factors as what program 
activities were planned, when and how they were to be accomplished, 
what resources were needed to accomplish them, and how they related to 
the program's strategic goals. We also interviewed program office 
officials and the Under Secretary for National Protection and Programs 
Directorate to obtain their views on the nature, content, and timing of 
the strategic solution. In cases where we were told of US-VISIT 
activities and capabilities that were not included in program 
documentation, we sought clarifications and plans for providing missing 
information. We also met with representatives from the U.S. Citizenship 
and Immigration Services (USCIS) to understand how that agency was 
implementing enumeration services. 

To determine whether the strategic solution had been economically 
justified, we requested documentation of any economic analyses that had 
been developed. We received and reviewed the Unique Identity cost- 
benefit analysis, dated August 2006, and compared it with key Office of 
Management and Budget criteria.[Footnote 55] However, a new analysis 
was completed in October 2007 and provided to us on November 30, 2007. 
We did not evaluate this analysis because it was not germane to the 
findings of this report. However, we interviewed program officials to 
understand the purpose and timing of this revised cost-benefit 
analysis. 

To examine the biometric technology options DHS has considered and the 
basis for its selected option, we reviewed documentation from DHS, US- 
VISIT, National Institute of Standards and Technology (NIST), and the 
Department of Justice. In particular, we reviewed the Homeland Security 
Council's National Strategy for Homeland Security, DHS's Biometric 
Coordination Group charter, US-VISIT's Unique Identity Concept of 
Operations, NIST's 2003 Fingerprint Vendor Technology Evaluation, and a 
2003 report to the Congress on the "Use of Technology Standards and 
Interoperable Databases With Machine-Readable, Tamper-Resistant Travel 
Documents," which was submitted by NIST, the Attorney General, and the 
Secretary of State. We also reviewed the Department of Justice's 
Inspector General's "Follow-up Review of the Federal Bureau of 
Investigation's Progress Toward Biometric Interoperability Between the 
Integrated Automated Fingerprint Identification System and the 
Automated Biometric Identification System." To understand how the 
information in these documents pertained to the program's biometric 
development efforts, we interviewed knowledgeable officials from the 
program office, DHS's Science & Technology Directorate, USCIS, and 
NIST. We also reviewed our past work on the use of biometrics in border 
security.[Footnote 56] Finally, we analyzed relevant laws related to 
the requirements for US-VISIT's use of biometrics, including the 
Uniting and Strengthening America by Providing Appropriate Tools 
Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT 
Act) and Enhanced Border Security and Visa Entry Reform Act of 2002. 

To identify DHS's efforts to define, manage, and coordinate the 
relationship between US-VISIT and other immigration and border 
management programs, we identified department and program-level efforts 
taken to coordinate US-VISIT with these programs. In particular, we 
reviewed the latest version of the DHS enterprise architecture[Footnote 
57] to determine the extent to which it identifies the relationships 
between these programs and interviewed DHS's Chief Architect to 
determine how the architecture is used to manage these relationships. 
We also reviewed DHS strategic planning documents, as well as DHS's 
Screening Coordination Office's Credentialing Framework. We interviewed 
representatives of the Screening Coordination Office to determine what 
actions are being taken to coordinate screening programs. 

We then compared actions taken with selected key practices that our 
research has found can enhance and sustain agencies' collaborative 
efforts,[Footnote 58] focusing on those practices that were 
particularly relevant and applicable to our objective. These practices 
include the following: 

* establishing common outcomes; 

* establishing mutually reinforcing or joint strategies; 

* leveraging resources; 

* agreeing on roles and responsibilities; 

* establishing a compatible means to operate across organizational 
boundaries; and: 

* developing mechanisms to monitor, evaluate, and report on results. 

To assess data reliability, we reviewed quality and access controls of 
the systems used to generate the data. We also reviewed related program 
documentation to substantiate data provided in interviews with 
knowledgeable agency officials. We have also made appropriate 
attribution indicating the data's sources. When we found data to be 
unreliable or did not assess the data's reliability, we annotated the 
data as such. 

We conducted our work at DHS headquarters offices in Washington, D.C., 
the US-VISIT Program Office in Rosslyn, Virginia, and NIST headquarters 
offices in Gaithersburg, Maryland. Our work was conducted from January 
2007 through January 2008 in accordance with generally accepted 
government auditing standards. 

[End of section] 

Appendix II: Overview of Legislative Underpinnings for the US-VISIT 
Program: 

A series of federal statutes have provided a framework for the 
strategic focus of the US-VISIT program. The first of these statutes 
dates back to more than a decade ago, and the latest law was passed in 
2007. The statutes are summarized here. 

The Illegal Immigration Reform and Immigrant Responsibility Act of 
1996[Footnote 59] required the development of an automated entry and 
exit control system to collect a record of departure for every alien 
departing the United States and then match the record of departure with 
the record of the alien's arrival in the United States; make it 
possible, through online searching procedures, to identify 
nonimmigrants who remain in the country beyond the authorized period; 
and integrate the overstay information into appropriate databases of 
the former Immigration and Naturalization Service[Footnote 60] and the 
Department of State, including those used at air, sea, and land ports 
of entry (POE) and at consular offices. The system was to be developed 
by September 30, 1998; however, the act was amended to change this 
deadline to October 15, 1998,[Footnote 61] and was amended again to 
change the deadline for land border POEs and seaports to March 30, 
2001.[Footnote 62] 

The Immigration and Naturalization Service Data Management Improvement 
Act of 2000[Footnote 63] replaced the 1996 statute in its entirety. 
Specifically, the act required an electronic system that would provide 
access to and integrate alien arrival and departure data that are 
authorized or required to be created or collected under law, are in an 
electronic format, and are in a database of the Department of Justice 
or the Department of State, including those created or used at POEs and 
at consular offices. The act specifically provided that it not be 
construed to permit the imposition of any new documentary or data 
collection requirements on any person for the purpose of satisfying its 
provisions, but it further provided that it also not be construed to 
reduce or curtail any authority of the Attorney General (now Secretary 
of Homeland Security)[Footnote 64] or Secretary of State under any 
other provision of law. The integrated entry and exit data system was 
to be implemented at airports and seaports by December 31, 2003, at the 
50 busiest land POEs by December 31, 2004, and at all remaining POEs by 
December 31, 2005. 

The act also required that the system use available data to produce an 
annual report of arriving and departing aliens by country of 
nationality, classification as an immigrant or nonimmigrant, and 
timeliness of departure from the United States. The system was to match 
an alien's available arrival data with the alien's available departure 
data, assist in the identification of possible overstays, and use 
available alien arrival and departure data for annual reports to the 
Congress. These reports were to include the number of aliens for whom 
departure data was collected during the reporting period, with an 
accounting by country of nationality; the number of departing aliens 
whose departure data was successfully matched to the alien's arrival 
data, with an accounting by country of nationality and classification 
as an immigrant or nonimmigrant; the number of aliens who arrived 
pursuant to a nonimmigrant visa, or as a visitor under the Visa Waiver 
Program, for whom no matching departure data have been obtained as of 
the end of the alien's authorized period of stay, with an accounting by 
country of nationality and date of arrival in the United States; and 
the number of identified overstays, with an accounting by country of 
nationality. 

The USA PATRIOT Act of 2001[Footnote 65] provided that, in developing 
the integrated entry and exit data system, the Secretary of Homeland 
Security and Secretary of State were to focus particularly on the 
utilization of biometric technology and the development of tamper- 
resistant documents readable at POEs. It also required that the system 
be able to interface with law enforcement databases for use by federal 
law enforcement to identify and detain individuals who pose a threat to 
the national security of the United States. 

The USA PATRIOT Act also required by October 26, 2003, the development 
and certification of a technology standard, including appropriate 
biometric identifier standards, that could be used to verify the 
identity of persons applying for a U.S. visa or persons seeking to 
enter the United States pursuant to a visa for the purposes of 
conducting background checks, confirming identity, and ensuring that a 
person has not received a visa under a different name. This technology 
standard was to be the technological basis for a cross-agency, cross- 
platform electronic system that is a cost-effective, efficient, fully 
interoperable means to share law enforcement and intelligence 
information necessary to confirm the identity of persons applying for a 
U.S. visa or persons seeking to enter the United States pursuant to a 
visa. This electronic system was to be readily and easily accessible to 
consular officers, border inspection agents, and law enforcement and 
intelligence officers responsible for investigation or identification 
of aliens admitted to the United States pursuant to a visa. Every 2 
years beginning on April 26, 2003, the Secretary of Homeland Security 
and the Secretary of State were to jointly report to the Congress on 
the development, implementation, efficacy, and privacy implications of 
the technology standard and electronic database system. 

The Visa Waiver Permanent Program Act[Footnote 66] required DHS to 
develop and implement a fully automated system to control entry and 
exit of aliens at airports and seaports who enter the United States 
under the Visa Waiver Program. The act also required that, by October 
1, 2002, inspectors at the POEs have access to Department of State and 
DHS information to determine whether an alien is eligible to be 
admitted into the United States or to receive a visa. Further, the act 
required that visa waiver applicants be checked against watch list 
systems, and, that by October 1, 2003, aliens applying for a visa 
waiver have a machine-readable passport.[Footnote 67] The act was 
subsequently amended to require, not later than August 3, 2008, an exit 
system using biometric information and recording the departure on a 
flight leaving the United States of every alien participating in the 
Visa Waiver Program.[Footnote 68] 

The Enhanced Border Security and Visa Entry Reform Act of 2002[Footnote 
69] required that, in developing the integrated entry and exit data 
system for the POEs, the Secretary of Homeland Security and Secretary 
of State implement, fund, and use the technology standard required by 
the USA PATRIOT Act at U.S. POEs and at consular posts abroad. The act 
amended the USA PATRIOT Act to move up the date for the development and 
certification of the technology standard to January 26, 2003, and moved 
up the date for the biannual reports to the Congress on the technology 
standard to October 26, 2002. The 2002 act also required the Secretary 
of Homeland Security and Secretary of State to establish a database 
containing the arrival and departure data from machine-readable visas, 
passports, and other travel and entry documents possessed by aliens and 
make interoperable all security databases relevant to making 
determinations of admissibility under section 212 of the Immigration 
and Nationality Act. In implementing these requirements, DHS and the 
Department of State were to utilize technologies that facilitate the 
lawful and efficient cross-border movement of commerce and persons 
without compromising the safety and security of the United States and 
were to consider implementing a North American National Security 
Program, for which other provisions in the act called for a feasibility 
study. 

The act, as amended, also established a number of requirements 
regarding biometric travel and entry documents. It required that, not 
later than October 26, 2004, the Secretary of Homeland Security and the 
Secretary of State issue to aliens only machine-readable, tamper- 
resistant visas and other travel and entry documents that use biometric 
identifiers and that they jointly establish document authentication 
standards and biometric identifiers standards to be employed on such 
visas and other travel and entry documents from among those biometric 
identifiers recognized by domestic and international standards 
organizations. It also required by October 26, 2004 (amended to October 
26, 2005), the installation at all U.S. POEs equipment and software to 
allow biometric comparison and authentication of all U.S. visas and 
other travel and entry documents issued to aliens and passports issued 
by visa waiver participants. Such biometric data readers and scanners 
were to be those that domestic and international standards 
organizations determine to be highly accurate when used to verify 
identity, that can read the biometric identifiers used under the act, 
and that can authenticate the document presented to verify identity. 
These systems also were to utilize the technology standard established 
pursuant to the USA PATRIOT Act. 

The Intelligence Reform and Terrorism Prevention Act of 2004[Footnote 
70] described the program as an "automated biometric entry and exit 
data system" and required DHS to develop a plan to accelerate the full 
implementation of the program and to report to the Congress on this 
plan by June 15, 2005. The report was to provide several types of 
information about the implementation of US-VISIT,[Footnote 71] 
including a "listing of ports of entry and other Department of Homeland 
Security and Department of State locations with biometric exit data 
systems in use." The report also was to provide a description of the 
manner in which the US-VISIT program "meets the goals of a 
comprehensive entry and exit screening system, including both entry and 
exit biometrics;" and fulfills the statutory obligations imposed on the 
program by several laws enacted between 1996 and 2002. The act provided 
that US-VISIT "shall include a requirement for the collection of 
biometric exit data for all categories of individuals who are required 
to provide biometric entry data, regardless of the port of entry where 
such categories of individuals entered the United States." 

The provisions in the 2004 act also addressed other areas related to US-
VISIT, such as the integration and interoperability of databases and 
data systems that process or contain information on aliens and federal 
law enforcement and intelligence information relevant to visa issuance 
and admissibility of aliens and maintenance of the accuracy and 
integrity of the US-VISIT data system. It further addressed using US- 
VISIT to track and facilitate the processing of immigration benefits 
using biometric identifiers; the goals of the program (e.g., serving as 
a vital counterterrorism tool, screening visitors efficiently and in a 
welcoming manner, integrating relevant databases and plans for database 
modifications to address volume increase and database usage, and 
providing inspectors and related personnel with adequate real-time 
information); and training, education, and outreach on US-VISIT, low- 
risk visitor programs, and immigration law. Finally, it addressed 
annual compliance reports by DHS, the Department of State, the 
Department of Justice, and any other department or agency subject to 
the requirements of the new provisions; and development and 
implementation of a registered traveler program. 

[End of section] 

Appendix III: Overview of Biometric Technologies: 

Biometric identification systems are human characteristic pattern 
recognition systems. While the biometric technologies used in these 
systems vary in complexity, capabilities, and performance, the 
technologies all share several elements. They use acquisition devices, 
such as cameras and scanning devices, to capture images, recordings, or 
measurements of an individual's characteristics and computer hardware 
and software to extract, encode, store, and compare these 
characteristics. Because the process is automated, biometric comparison 
is generally very fast, in most cases taking only a few seconds in real 
time. 

Depending on the application, biometric systems can be used in one of 
two modes: identification or verification. Identification is referred 
to as one-to-many matching because an individual's presented biometric 
is compared against the stored biometric templates[Footnote 72] of all 
individuals enrolled in the system. Verification--also called 
authentication--is referred to as one-to-one matching because an 
individual's presented biometric is compared against the biometric for 
that person, which was stored in the system during enrollment. 

How Biometrics Work: 

Biometric technologies are available today and are being used for a 
variety of applications, such as access control, criminal 
identification, and border security. While several biometric 
technologies are in use or being proposed, the more common technologies 
and the ones that the US-VISIT program office considered for its 
strategic solution are fingerprint recognition, facial recognition, and 
iris recognition. 

When used for personal identification, biometric technologies measure 
and analyze human physiological and behavioral characteristics. 
Identifying a person's physiological characteristics is based on direct 
measurement of a part of the body, such as fingertips, faces, and 
irises. The corresponding biometric technologies are fingerprint, 
facial, and iris recognition. Identifying a person's behavioral 
characteristics is based on data derived from actions, such as speech 
and signature, the corresponding biometrics being speaker recognition 
and signature recognition. 

Biometrics are theoretically effective personal identifiers because the 
characteristics they measure are thought to be distinct to each person. 
Unlike conventional identification methods that use something you have, 
such as an identification card to gain access to a building, or 
something you know, such as a password to log on to a computer system, 
these characteristics are intrinsic to who you are. Because they are 
inherent in an individual, they are more reliable, cannot be forgotten, 
and are less easily lost, stolen, or guessed. 

Although biometric technologies measure different characteristics in 
substantially different ways, all biometric systems involve similar 
processes that can be divided into two distinct stages: enrollment and 
identification or verification. No match is ever perfect in either an 
identification or a verification system because every time a biometric 
is captured, the template is likely to be unique. Therefore, biometric 
systems can be configured to make a match or no-match decision, based 
on a predefined number, referred to as a threshold, which establishes 
the acceptable degree of similarity between the trial template and the 
enrolled reference template. After the comparison, a score representing 
the degree of similarity is generated, and this score is compared with 
the threshold to make a match or no-match decision. For algorithms for 
which the similarity between two templates is calculated, a score 
exceeding the threshold is considered a match. For algorithms for which 
the difference between two templates is calculated, a score below the 
threshold is considered a match. Depending on the setting of the 
threshold in identification systems, several reference templates can be 
considered matches to the trial template, with the better scores 
corresponding to better matches. 

Types of Biometric Technologies: 

As mentioned above, the three biometric technologies that the US-VISIT 
program office considered for its strategic solution are fingerprint 
recognition, facial recognition, and iris recognition. These three 
technologies are discussed in the sections that follow. 

Fingerprint Recognition: 

Fingerprint recognition technology[Footnote 73] extracts features from 
impressions made by the distinct ridges on the fingertips. The 
fingerprints can be either flat or rolled. A flat print captures only 
an impression of the central area between the fingertip and the first 
knuckle; a rolled print captures ridges on both sides of the finger. An 
image of the fingerprint is captured by a scanner, enhanced, and 
converted into a template. Scanner technologies can be optical, 
silicon, or ultrasound technologies, with optical being the most 
commonly used. During enhancement, the definition of the ridges is 
augmented to offset such things as dirt, cuts, scars, and creases or 
dry, wet, or worn fingerprints. Template size ranges from 250 bytes up 
to 1,000 bytes, depending on which vendor's proprietary algorithm the 
system uses. Approximately 80 percent of vendors base their algorithms 
on the extraction of minutiae points relating to breaks in the ridges 
of the fingertips. Other algorithms are based on extracting ridge 
patterns. 

Facial Recognition: 

Facial recognition technology identifies people by analyzing features 
of the face not easily altered--the upper outlines of the eye sockets, 
the areas around the cheekbones, and the sides of the mouth. The 
technology is typically used to compare a live facial scan to a stored 
template, but it can also be used in comparing static images such as 
digitized passport photographs. Facial recognition can be used in both 
identification and verification systems. In addition, because facial 
images can be captured from video cameras, facial recognition is the 
only biometric that can be used for surveillance purposes. 

Iris Recognition: 

Iris recognition technology focuses on the distinctly colored ring 
surrounding the pupil of the eye. Made from elastic connective tissue, 
the iris is a very rich source of biometric data, having approximately 
266 distinctive characteristics. Formed during the eighth month of 
gestation, these characteristics reportedly remain stable throughout a 
person's lifetime, except in cases of injury. Iris recognition systems 
use a small, high-quality camera to capture a black-and-white, high- 
resolution image of the iris. They then define the boundaries of the 
iris, establish a coordinate system over the iris, and define the zones 
for analysis within the coordinate system. The visible characteristics 
within the zones are then converted into a 512-byte template that is 
used to identify or verify the identity of an individual. 

Using Biometrics to Enroll Individuals: 

In enrollment, a biometric system is trained to identify a specific 
person. The person first provides an identifier, such as an 
identification document. That person then presents the biometric (e.g., 
fingertips, face, or iris) to an acquisition device, and the biometric 
is linked to his or her identity. Depending on the technology, the 
biometric sample may be collected as an image, a recording, or a record 
of related dynamic measurements. Template size also varies, depending 
on the vendor and the technology, and can be stored remotely in a 
central database or within a biometric reader device itself; their 
small size also allows for storage on smart cards or tokens. 

Minute changes in positioning, distance, pressure, environment, and 
other factors influence the generation of a template, making each 
template likely to be unique, each time an individual's biometric data 
are captured and a new template is generated. Consequently, depending 
on the biometric system, a person may need to present biometric data 
several times in order to enroll. The reference template may then 
either represent an amalgam of the captured data or several enrollment 
templates may be stored. The quality of the template or templates is 
critical in the overall success of the biometric application. Because 
biometric features can change over time, people may have to reenroll to 
update their reference template. Some technologies can update the 
reference template during matching operations. 

The enrollment process also depends on the quality of the identifier 
the enrollee presents. The reference template is linked to the identity 
specified on the identification document. If the identification 
document does not specify the individual's true identity, the reference 
template will be linked to a false identity. 

Using Biometrics to Identify Individuals: 

In identification systems, the purpose is to identify who the person 
is. To find a match, the trial template is compared against the stored 
reference templates of all individuals enrolled in the system. 
Identification systems are referred to as one-to-many matching because 
an individual's biometric is compared against multiple biometric 
templates in the system's database. 

There are two types of identification systems: positive and negative. 
Positive identification systems are designed to ensure that an 
individual's biometric is enrolled in the database. The anticipated 
result of a search is a match. A typical positive identification system 
controls access to a secure building or secure computers by checking 
anyone who seeks access against a database of enrolled employees. The 
goal is to determine whether a person seeking access can be identified 
as having been enrolled in the system. 

Negative identification systems are designed to ensure that a person's 
biometric information is not present in a database. The anticipated 
result of a search is a nonmatch. Comparing a person's biometric 
information against a database of all who are registered in a public 
benefits program, for example, can ensure that this person is not 
"double dipping" by using fraudulent documentation to register under 
multiple identities. 

Another type of negative identification system is a surveillance system 
that uses a watch list. Such systems are designed to identify people on 
the watch list and alert authorities for appropriate action. For all 
other people, the system is to check that they are not on the watch 
list and allow them normal passage. The people whose biometrics are in 
the database in these systems may not have provided them voluntarily. 
For instance, for a surveillance system, the biometrics may be faces 
captured from mug shots provided by a law enforcement agency. 

Using Biometrics to Verify Individuals: 

In verification systems, the purpose is to verify that a person is who 
he or she claims to be (i.e., the person who enrolled). After the 
individual provides the identifier he or she used to enroll, the 
biometric is presented, which the biometric system captures, generating 
a trial template that is based on the vendor's algorithm. The system 
then compares the trial biometric template with this person's reference 
template, which was stored in the system during enrollment, to 
determine whether the individual's trial and stored templates match. 

Verification is often referred to as one-to-one matching. Verification 
systems can contain databases ranging from dozens to millions of 
enrolled templates but are always predicated on matching an 
individual's presented biometric against his or her reference template. 
Nearly all verification systems can render a match or no-match decision 
in less than a second. An example of a verification application is a 
system that requires employees to authenticate their claimed identities 
before granting them access to secure buildings or to computers. 

US-VISIT functions both as an identification system and a verification 
system. In the case of identification, US-VISIT serves as a negative 
identification system by utilizing watchlist information, such as the 
Federal Bureau of Investigation's Criminal Master File, to identify 
individuals that should be denied entry into the United States and 
possibly apprehended or detained by law enforcement officials. In the 
case of verification, US-VISIT is used to verify the identities of 
travelers who have been enrolled in the system. 

[End of section] 

Appendix IV: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

Homeland Security: 

February 19, 2008: 

Mr. Randolph Hite: 
Director, Information Technology Architecture And Systems Issues: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Hite: 

Thank you for the opportunity to review the draft report, Homeland 
Security: Strategic Solution for US-Visit Program Needs to Be Better 
Defined, Justified, and Coordinated (GAO-08-361). 

US-VISIT generally agrees with the GAO's observations contained in the 
draft report and has initiated actions to address the recommendations. 
In addition, US-VISIT has provided specific substantive and technical 
comments on the draft report. 

Recommendation 1: The Undersecretary for National Protection and 
Programs direct the US-VISIT Program Director to 

* Develop a plan for a comprehensive exit capability, which includes, 
at a minimum, a description of the capability to be deployed, the cost 
of developing, deploying and operating the capability, identification 
of key stakeholders and their respective roles and responsibilities, 
key milestones, and measurable performance indicators. 

* Develop an analysis of costs, benefits, and risks for proposed exit 
solutions before large sums of money are committed on those solutions, 
and use the analysis in selecting the final solution. 

Response: 

US-VISIT concurs with this recommendation. 

* US-VISIT continues to refine the definition of a DHS-wide solution 
for establishing an exit capability at air and sea environments. In 
November 2007 the then-Acting Under Secretary for National Protection 
and Programs convened a Departmental planning session to ensure a 
coordinated approach to implementing air and sea exit operations by 
December 2008. 

* DHS is proposing to establish an exit system at all air and sea ports 
of departure in the United States. This rule proposes to require aliens 
subject to US-VISIT biometric requirements upon entering the United 
States to also provide biometric identifiers prior to departing the 
United States from air or sea ports of departure. DHS is working 
aggressively on getting the Notice of Proposed Rule Making published, 
with plans to implement the procedures by the end of 2008. 

* In conjunction with the Notice of Proposed Rule Making, US-VISIT has 
completed a cost benefit analysis for air and sea exit implementation. 

* In addition, US-VISIT is developing a revised strategic plan that 
recognizes its evolving role in DHS and the National Protection and 
Programs Directorate (NPPD) and that is fully compliant with the 
requirements of the Government Performance and Results Act. The 
emphasis of the Strategic Plan is to align the mission and be results 
oriented so that the program can measure, achieve, and control the 
program resources and projects. 

Recommendation 2: The Secretary of Homeland Security direct the 
appropriate DHS parties involved in defining, managing, and 
coordinating relationships across the department 's border and 
immigration management programs to address the program collaboration 
shortcomings identified in this report, such as fully defining the 
relationships between US-VISIT and other immigration and border 
management programs, and in doing so, to employ the collaboration 
practices discussed in this report. 

Response: 

US-VISIT concurs with the recommendation. 

* US-VISIT, along with the appropriate parties, is developing and 
implementing an internal to DHS governance board, which will include 
senior executives from DHS headquarters and operational componentsï¿½many 
of whom control and operate border protection programs, such as the 
Western Hemisphere Travel Initiative (WHTI) and the Secure Border 
Initiative (SBI). This board will provide a forum for collaboration and 
communication about the program. 

* US-VISIT is continually redefining, managing, and coordinating 
relationships with other immigration and border management programs, as 
appropriate. As part of its strategic planning, US-VISIT solicits input 
from four groups of critically important stakeholders: (1) DHS 
headquarters, including the office of the Chief Information Officer, 
the Screening Coordination Office, and the Office of Policy; (2) DHS 
component organizations, including U.S. Customs and Border Protection 
and U.S. Immigration and Customs Enforcement; (3) other Federal 
agencies, including the Department of Defense, the Federal Bureau of 
Investigation, the Department of State, and the National Institute of 
Standards and Technology; and (4) affected non- Government 
organizations, including the Travel Industry Association and the 
American Immigration Lawyers Association. US-VISIT is also integrally 
involved in Departmental working groups on WHTI, SBI, and immigration 
reform efforts. 

We again thank you for the opportunity to comment and for the 
professionalism of the GAO team that worked on this engagement. 

Sincerely, 

Signed by: 

Steven J. Pecinovsky: 
Director: 
Departmental GAO/OIG Liaison Office: 

[End of section] 

Appendix V: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Joel C. Willemssen, (202) 512-6222, or [email protected]: 

Staff Acknowledgments: 

In addition to the individual named above, Deborah Davis, Assistant 
Director; Harold Brumm; Neil Doherty; Kory Godfrey; Matthew Grote; 
Joshua Hammerstein; Dave Hinchman; Sandra Kerr; Kaelin Kuhn; Nicholas 
Marinos; Madhav Panwar; Sushmita Srikanth; Amos Tevelow; Jessica 
Waselkow; and Eric Winter made key contributions to this report. 

[End of section] 

Footnotes: 

[1] Applicable statutes are described in detail in appendix II. 

[2] Prior to the creation of DHS in 2002, the Immigration and 
Naturalization Service of the Department of Justice performed this 
mission. 

[3] Pub. L. No. 104-208, div. C, sec. 110 (Sept. 30, 1996). 

[4] 8 U.S.C. ï¿½ 1365a. 

[5] Effective March 1, 2003, the Immigration and Naturalization Service 
became part of DHS. 

[6] On April 29, 2003, the Secretary of DHS renamed the entry-exit 
system the US-VISIT system. 

[7] 8 U.S.C. ï¿½ 1379. USA PATRIOT Act stands for the Uniting and 
Strengthening America by Providing Appropriate Tools Required to 
Intercept and Obstruct Terrorism Act of 2001. As applicable here, the 
Act's requirements for the Immigration and Naturalization Service were 
taken over by DHS. 

[8] Pub. L. No. 106-396 (Oct. 30, 2000). 

[9] Between October 1, 2003, and September 30, 2007, the Secretary of 
State could waive the requirement for machine-readable passports if the 
country (1) was making progress toward ensuring that machine-readable 
passports are generally available to its nationals and (2) it has taken 
appropriate measures to protect against misuse of passports it issued 
that do not meet the requirements. 

[10] 8 U.S.C. ï¿½ 1187(i). 

[11] Pub. L. No. 107-173 (May 14, 2002). 

[12] Pub. L. No. 108-299 (Aug. 9, 2004) extended the deadline from 
October 26, 2004, to October 26, 2005. 

[13] Countries participating in the Visa Waiver Program are Andorra, 
Australia, Austria, Belgium, Brunei, Denmark, Finland, France, Germany, 
Iceland, Ireland, Italy, Japan, Liechtenstein, Luxembourg, Monaco, The 
Netherlands, New Zealand, Norway, Portugal, San Marino, Singapore, 
Slovenia, Spain, Sweden, Switzerland, and the United Kingdom. 

[14] Pub. L. No. 108-458, ï¿½ 7208 (Dec. 17, 2004). 

[15] US-VISIT currently applies to a certain group of foreign 
nationals--nonimmigrants from countries whose residents are required to 
obtain nonimmigrant visas before entering the United States and 
residents of certain countries who are exempt from U.S. visa 
requirements when they apply for admission to the United States for up 
to 90 days for tourism or business purposes under the Visa Waiver 
Program. US-VISIT also applies to (1) Mexican nonimmigrants traveling 
with a Border Crossing Card (BCC), who wish to remain in the United 
States longer than 30 days or who declare that they intend to travel 
more than 25 miles into the country from the border and (2) Canadians 
traveling to the United States for certain specialized reasons. See 8 
C.F.R. ï¿½ 235.1(f). 

[16] On September 30, 2004, US-VISIT expanded biometric entry 
procedures to include individuals from visa waiver countries applying 
for admission. 

[17] According to program officials, 14 of the remaining 16 POEs have 
no operational need to deploy US-VISIT because visitors subject to US- 
VISIT are, by regulation, not authorized to enter into the United 
States at these locations. The other two POEs do not have the necessary 
transmission lines to operate US-VISIT, and thus they process visitors 
manually. 

[18] Under section 212 of the Immigration and Nationality Act (INA), as 
amended, an alien (nonimmigrant) is inadmissible if he/she does not 
have a valid passport, nonimmigrant visa, or border crossing 
identification card at the time of application for admission. 8 U.S.C. 
ï¿½ 1182(a)(7)(B). Under the INA's expedited removal process, if an alien 
is inadmissible under section 212, the inspection officer may order the 
alien removed from the United States, without further hearing or 
review, unless the alien can demonstrate a credible fear of returning 
to his/her home country. 8 U.S.C. ï¿½ 1225(b)(1)(A). Category 1 Visa 
Refusals include all the permanent ineligibilities for entry into the 
United States based on national security concerns, criminal activity, 
and the threat of spreading contagious disease. 

[19] The Mona Passage is located between the Dominican Republic and 
Puerto Rico. The objective of this effort is to demonstrate the 
feasibility of using biometric data (fingerprints) to identify and 
support prosecution of interdicted individuals. Interdicted individuals 
are enrolled in US-VISIT's IDENT database and are biometrically checked 
against known and suspected terrorists, aggravated felons, previous 
deportees, and recidivists. 

[20] We did not verify this information. 

[21] After a biometric system extracts the features of an individual's 
body part, it uses an algorithm to encode the features and store the 
information in a biometric template that can be used for future 
comparison. 

[22] Pub. L. No. 108-458, ï¿½ 7209 (Dec. 17, 2004), as amended by Pub. L. 
No. 109-295, ï¿½ 546 (Oct. 4, 2006) and Pub. L. No. 110-161, div. E, ï¿½ 
545 (Dec. 26, 2007). 

[23] In November 2006, DHS and the Department of State issued a final 
rule announcing that, beginning on January 23, 2007, citizens of the 
United States, Canada, Mexico, and Bermuda are required to present a 
passport to enter the United States when arriving by air from any part 
of the western hemisphere. 71 Fed. Reg. 68,412 (Nov. 24, 2006). (To be 
codified at 8 C.F.R. Parts 212 and 235 and 22 C.F.R. Parts 41 and 53.) 

[24] Since the date of the proposed rule, the Department of Homeland 
Security Appropriations Act, 2008, was enacted, which extended the WHTI 
implementation deadline. Pub. L. No. 110-161, div. E ï¿½ 545 (Dec. 26, 
2007). Specifically, the implementation shall not be earlier than the 
date that is the later of 3 months after the Secretaries of State and 
Homeland Security certify that certain criteria have been met, or June 
1, 2009. 

[25] GAO, Observations on Implementing the Western Hemisphere Travel 
Initiative, GAO-08-274R (Washington, D.C.: Dec. 20, 2007). 

[26] See, for example, GAO, Homeland Security: Efforts Under Way to 
Develop Enterprise Architecture, but Much Work Remains, GAO-04-777 
(Washington, D.C.: Aug. 6, 2004); GAO, DOD Business Systems 
Modernization: Limited Progress in Development of Business Enterprise 
Architecture and Oversight of Information Technology Investments, GAO- 
04-731R (Washington, D.C.: May 17, 2004); GAO, Information Technology: 
Architecture Needed to Guide NASA's Financial Management Modernization, 
GAO-04-43 (Washington, D.C.: Nov. 21, 2003); GAO, DOD Business Systems 
Modernization: Important Progress Made to Develop Business Enterprise 
Architecture, but Much Work Remains, GAO-03-1018 (Washington, D.C.: 
Sept. 19, 2003); GAO, Business Systems Modernization: Summary of GAO's 
Assessment of the Department of Defense's Initial Business Enterprise 
Architecture, GAO-03-877R (Washington, D.C.: July 7, 2003); GAO, 
Information Technology: DLA Should Strengthen Business Systems 
Modernization Architecture and Investment Activities, GAO-01-631 
(Washington, D.C.: June 29, 2001); and GAO, Information Technology: INS 
Needs to Better Manage the Development of Its Enterprise Architecture, 
GAO/AIMD-00-212 (Washington, D.C.: Aug. 1, 2000). 

[27] GAO, Information Technology: Homeland Security Needs to Improve 
Entry Exit System Expenditure Planning, GAO-03-563 (Washington, D.C.: 
June 9, 2003); GAO, Homeland Security: Risks Facing Key Border and 
Transportation Security Program Need to Be Addressed, GAO-03-1083 
(Washington, D.C.: Sept. 19, 2003); GAO-04-586; GAO, Homeland Security: 
Some Progress Made, but Many Challenges Remain on U.S. Visitor and 
Immigrant Status Indicator Technology Program, GAO-05-202 (Washington, 
D.C.: Feb. 23, 2005); GAO, Homeland Security: Recommendations to 
Improve Management of Key Border Security Program Need to Be 
Implemented, GAO-06-296 (Washington, D.C.: Feb. 14, 2006); GAO, Border 
Security: US-VISIT Program Faces Strategic, Operational, and 
Technological Challenges at Land Ports of Entry, GAO-07-248 
(Washington, D.C.: Dec. 6, 2006); GAO, Homeland Security: Planned 
Expenditures for U.S. Visitor and Immigrant Status Program Need to Be 
Adequately Defined and Justified, GAO-07-278 (Washington, D.C.: Feb. 
14, 2007); GAO, Homeland Security: U.S. Visitor and Immigrant Status 
Program's Long-standing Lack of Strategic Direction and Management 
Controls Need to Be Addressed, GAO-07-1065 (Washington, D.C.: Aug. 31, 
2007). 

[28] GAO-07-248. 

[29] GAO-07-1065. 

[30] GAO-03-1083. 

[31] GAO-06-296. 

[32] GAO-07-278. 

[33] Since 2006, we have reported that the system that US-VISIT uses to 
manage its finances, ICE's Federal Management System has reliability 
issues. Although many issues are no longer considered material 
weaknesses, independent auditors are still unable to express an opinion 
on DHS's balance sheets as of September 30, 2007. 

[34] Section 303 of the Enhanced Border Security and Visa Entry Reform 
Act of 2002 (Pub. L. No. 107-173) requires that no later than October 
26, 2004, the Department of State issue visas that use biometric 
identifiers. Pub. L. No. 108-299 (Aug. 9, 2004) extended the deadline 
from October 26, 2004 to October 26, 2005. 

[35] The 10 planned locations are Washington Dulles International 
Airport (Chantilly, VA), John F. Kennedy International Airport (New 
York, NY), Detroit Metropolitan Wayne County Airport (Detroit, MI), 
William B. Hartsfield International Airport (Atlanta, GA), Chicago 
O'Hare International Airport (Chicago, IL), General Edward Lawrence 
Logan International Airport (Boston, MA), Orlando International Airport 
(Orlando, FL), San Francisco International Airport (San Francisco, CA), 
Miami International Airport (Miami, FL), and Houston International 
Airport (Houston, TX). 

[36] The enumerator is an alphanumerical identifier that is to link 
disparate records pertaining to an individual, such that these records 
can be linked and accurately retrieved, regardless of location, 
platform or issuing entity. It can be used for identification purposes 
within DHS and by other immigration and border management 
organizations. 

[37] Although US-VISIT plans to have enumeration search and link to 
information found in IAFIS, the USCIS Chief Information Officer stated 
that, initially, USCIS will not search IAFIS information when making a 
request because of fees charged by the FBI for accessing IAFIS, noting 
that USCIS already had an interface to IAFIS. According to the same 
official, USCIS plans to make use of IDENT/IAFIS interoperability once 
it is deployed. 

[38] A fingerprint matcher is an automated identification system that 
searches against databases that store minutiae information for 
fingerprint images. A minutiae point is a break in a fingertip ridge in 
a fingerprint image. A typical fingerprint image may produce between 15 
and 50 minutiae, depending on the portion of the image captured. These 
minutiae are used in matching with other fingerprints. 

[39] Specifically, the IIRIRA required the development of an automated 
system to record and then match the departure of every foreign national 
from the United States to the individual's arrival record. 
Subsequently, the Immigration and Naturalization Service Data 
Management Improvement Act of 2000 amended the IIRIRA and required an 
electronic system to record the entry and exit of certain foreign 
nationals, and the Intelligence Reform and Terrorism Prevention Act of 
2004 specifically required that US-VISIT include the collection of 
biometric exit data for all individuals for which entry data was 
available. 

[40] GAO-07-1065. 

[41] In its technical comments on a draft of this report, DHS stated 
that it had developed a project management plan. 

[42] Office of Management and Budget, Planning, Budgeting, Acquisition 
and Management of Capital Assets, Circular A-11, Part 7 (Washington, 
D.C.: June 21, 2005). 

[43] Department of Homeland Security, Capital Planning and Investment 
Control: Cost-Benefit Analysis (CBA) Guidebook (February 2006). 

[44] Includes data such as: FBI information on all known and suspected 
terrorists, selected wanted persons (foreign-born, unknown place of 
birth, previously arrested by DHS), and previous criminal histories for 
high-risk countries; DHS ICE information on deported felons and 
registered sex offenders; and DHS information on previous criminal 
histories and previous IDENT enrollments. 

[45] A latent print is fingerprint "image" left on a surface that was 
touched by an individual. The transferred impression is left by the 
surface contact with the friction ridges, usually caused by the oily 
residues produced by the sweat glands in the finger. 

[46] GAO, Results-Oriented Government: Practices That Can Help Enhance 
and Sustain Collaboration among Federal Agencies, GAO-06-15 
(Washington, D.C.: Oct. 21, 2005). 

[47] A credential is a certified document showing that a person has a 
certain privilege, right, or status. 

[48] Portfolios are groupings of related investments, projects, 
systems, and services. 

[49] A data asset is a managed container for data such as a database, 
Web site, document repository, or directory. 

[50] RFID technology can be used to electronically identify and gather 
information contained on a tag. 

[51] US-VISIT utilized RFID technology embedded in a tag on a visitor's 
arrival/departure form--which an electronic reader at the POE was 
intended to detect. For the implementation of WHTI in the land 
environment, DHS anticipates that RFID infrastructure will be rolled 
out to cover the top 39 POEs (in terms of number of travelers). 

[52] This project is to enable IDENT backend services, such as IDENT 
watch list checks and enrollment in US-VISIT, to customers with mobile 
capability requirements. 

[53] The DHS EAB acts as the Executive Steering Committee for DHS IT 
programs and has the primary responsibility to oversee the department's 
EA.  

[54] The DHS Enterprise Architecture Center of Excellence is 
responsible for conducting reviews of program alignment, technology 
insertions, service insertions and other decision requests to ensure 
alignment with the department's enterprise architecture. It is composed 
of members from the components including CBP and US-VISIT as well as 
specialty reviewers such as the Privacy Office. 

[55] Office of Management and Budget, Guidelines and Discount Rates for 
Benefits-Cost Analysis of Federal Programs, Circular A-94 (Washington, 
D.C.: Oct. 29, 1992). 

[56] GAO, Technology Assessment: Using Biometrics for Border Security, 
GAO-03-174 (Washington, D.C.: Nov. 15, 2002). 

[57] Homeland Security EA 2007. 

[58] GAO-06-15. 

[59] Pub. L. No. 104-208, div. C, sec. 110 (Sept. 30, 1996). 

[60] Effective March 1, 2003, the Immigration and Naturalization 
Service became part of DHS. 

[61] Pub. L. No. 105-259 (Oct. 15, 1998). 

[62] Pub. L. No. 105-277 (Oct. 21, 1998). 

[63] Pub. L. No. 106-215 (June 15, 2000). 

[64] The Homeland Security Act of 2002 transferred the border patrol, 
detention and removal, intelligence, investigations, and inspections 
programs previously under the Department of Justice's Commissioner of 
Immigration and Naturalization to DHS's Under Secretary for Border and 
Transportation Security. 6 U.S.C. ï¿½ 251. 

[65] Pub. L. No. 107-56 (Oct. 26, 2001). 

[66] Pub. L. No. 106-396 (Oct. 30, 2000). 

[67] Between October 1, 2003, and September 30, 2007, the Secretary of 
State could waive the requirement for machine readable passports if the 
country (1) was making progress toward ensuring that machine-readable 
passports are generally available to its nationals and (2) it has taken 
appropriate measures to protect against misuse of passports it issued 
that do not meet the requirements. 

[68] 8 U.S.C. ï¿½ 1187(i). 

[69] Pub. L. No. 107-173 (May 14, 2002). 

[70] Pub. L. No. 108-458 (Dec. 17, 2004). 

[71] On April 29, 2003, the Secretary of DHS renamed the entry exit 
system the US-VISIT system. 

[72] After a biometric system extracts the features of an individual's 
body part, it uses an algorithm to encode the features and store the 
information in a biometric template that can be used for future 
comparison. 

[73] Fingerprint recognition is one of the best known and most widely 
used biometric technologies. Automated systems have been commercially 
available since the early 1970s, and there are currently more than 75 
fingerprint recognition technology companies. Until recently, it was 
used primarily in law enforcement applications. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:  

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548:  

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061:  

To Report Fraud, Waste, and Abuse in Federal Programs:  

Contact:  

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470:  

Congressional Relations:  

Ralph Dawn, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: 

*** End of document. ***