[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
PREVENTING WASTE, FRAUD, ABUSE, AND
MISMANAGEMENT IN HOMELAND SECURITY--A GAO HIGH-RISK LIST REVIEW
=======================================================================
HEARING
before the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
MAY 7, 2014
__________
Serial No. 113-67
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
89-762 PDF WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Paul C. Broun, Georgia Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice Brian Higgins, New York
Chair Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania William R. Keating, Massachusetts
Jeff Duncan, South Carolina Ron Barber, Arizona
Tom Marino, Pennsylvania Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi Filemon Vela, Texas
Lou Barletta, Pennsylvania Eric Swalwell, California
Richard Hudson, North Carolina Vacancy
Steve Daines, Montana Vacancy
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
Vacancy
Brendan P. Shields, Staff Director
Michael Geffroy, Deputy Staff Director/Chief Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable Michael T. McCaul, a Representative in Congress
From the State of Texas, and Chairman, Committee on Homeland
Security:
Oral Statement................................................. 1
Prepared Statement............................................. 2
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Oral Statement................................................. 3
Prepared Statement............................................. 4
Witnesses
Mr. Alejandro N. Mayorkas, Deputy Secretary, U.S. Department of
Homeland Security:
Oral Statement................................................. 6
Prepared Statement............................................. 6
Mr. Gene L. Dodaro, Comptroller General of the United States,
Government Accountability Office:
Oral Statement................................................. 13
Prepared Statement............................................. 14
Mr. John Roth, Inspector General, U.S. Department of Homeland
Security:
Oral Statement................................................. 28
Prepared Statement............................................. 29
Appendix
Questions From Chairman Michael T. McCaul for Alejandro N.
Mayorkas....................................................... 55
Question From Honorable Patrick Meehan for Alejandro N. Mayorkas. 58
Questions From Honorable Tom Marino for Alejandro N. Mayorkas.... 59
Question From Chairman Michael T. McCaul and Ranking Member
Bennie G. Thompson for Gene L. Dodaro.......................... 61
Question From Honorable Yvette D. Clarke for Gene L. Dodaro...... 62
Question From Chairman Michael T. McCaul for Gene L. Dodaro...... 62
Question From Honorable Jeff Duncan for Gene L. Dodaro........... 63
Question From Honorable Tom Marino for Gene L. Dodaro............ 65
Questions From Chairman Michael T. McCaul for John Roth.......... 65
Question From Honorable Jeff Duncan for John Roth................ 67
PREVENTING WASTE, FRAUD, ABUSE, AND MISMANAGEMENT IN HOMELAND
SECURITY--A GAO HIGH-RISK LIST REVIEW
----------
Wednesday, May 7, 2014
U.S. House of Representatives,
Committee on Homeland Security,
Washington, DC.
The committee met, pursuant to call, at 10:09 a.m., in Room
311, Cannon House Office Building, Hon. Michael T. McCaul
[Chairman of the committee] presiding.
Present: Representatives McCaul, Broun, Duncan, Hudson,
Sanford, Thompson, Clarke, Richmond, Payne, and O'Rourke.
Chairman McCaul. Committee on Homeland Security will come
to order. Committee is meeting today to examine testimony
regarding the prevention of waste, fraud, abuse, and
mismanagement at the Department of Homeland Security. I
recognize myself for an opening statement.
While the Department of Homeland Security's mission is
critical, it is also critical that it keeps its finances in
check because in order to protect the homeland we must maximize
every dollar spent. Almost as soon as the Department's
creation, the Government Accountability Office placed some of
DHS's programs on its high-risk list, and today many remain.
This list is developed every 2 years by watchdogs at GAO to
identify areas in the Federal Government that are high-risk to
fraud, waste, abuse, and mismanagement, or are in the most need
of broad reform. It is intended to draw attention to these
areas to force agency leaders to improve.
Unfortunately some of the programs identified include some
of the Department's core functions such as acquisitions,
management, financial management, information technology, human
capital and management integration, as well as multi-agency
challenges such as information sharing and cybersecurity.
While the Department has devoted time to addressing GAO's
high-risk areas, these reports continue to show examples of
programs ignoring best practices and putting taxpayer dollars
at risk.
Recent GAO findings have identified challenges with the
Arizona Border Surveillance Technology Plan, TSA body scanners,
modernization of key border enforcement system known as TECS,
and the Department's acquisition funding plans.
All levels of DHS must be fully committed to make the
Department more efficient and effective. To this end, this
committee has taken action to address specific issues
highlighted in GAO's high-risk report.
H.R. 3696, the National Cybersecurity and Critical
Infrastructure Protection Act, and H.R. 4228, the DHS
Acquisition Accountability and Efficiency Act both passed out
of this committee unanimously and are important pieces of
legislation to increase our Nation's cybersecurity and improve
the Department's management of its acquisition programs.
Additionally, our recent bipartisan report on the Boston
bombings highlighted the need for improved information sharing,
which addresses another high-risk item.
Finally, while I am encouraged by the steps taken by DHS in
recent years to address these issues, including achieving a
clean audit opinion in 2013, there is clearly much more work to
be done. In the short time since they have assumed their new
positions, Secretary Johnson and Deputy Secretary Mayorkas have
both already endeavored to fix the management problems at DHS.
Today I look forward to hearing from them on their plans to
improve the Department.
However, assurances from the top and putting plans in place
only go so far. It will take time and follow-up and continued
oversight to ensure improved outcomes are sustained over
multiple years. To that end I look forward to Comptroller
General Dodaro and recently-confirmed DHS Inspector General
Roth's testimony today. Their recommendations to make DHS a
more effective and efficient organization are essential to
making Americans safer.
Ultimately every dollar wasted on mismanagement is one less
that can go to the men and women protecting our borders,
targeting terrorists, securing our airports, and patrolling our
shores. That is why this hearing and DHS's commitment to
getting its house in order is so important.
[The statement of Chairman McCaul follows:]
Statement of Chairman Michael T. McCaul
May 7, 2014
While the Department of Homeland Security's mission is critical, it
is also critical that it keeps its finances in check, because in order
to protect the homeland we must maximize every dollar spent.
Almost as soon as the Department's creation, the Government
Accountability Office (GAO) placed some of DHS's programs on its
``High-Risk List,'' and today, many remain. This list is developed
every 2 years by the watchdogs at GAO to identify areas in the Federal
Government that are at high risk to fraud, waste, abuse, and
mismanagement or are in most need of broad reform, and it is intended
to draw attention to these areas to force agency leaders to improve.
Unfortunately, some of the programs identified include some of the
Department's core functions such as acquisition management, financial
management, information technology, human capital, and management
integration, as well as, multi-agency challenges such as information
sharing and cybersecurity.
While the Department has devoted time to addressing GAO's High-Risk
areas, these reports continue to show examples of programs ignoring
best practices and putting taxpayer dollars at risk. Recent GAO
findings have identified challenges with the Arizona Border
Surveillance Technology Plan, TSA body scanners, modernization of a key
border enforcement system known as TECS, and the Department's
acquisition funding plans. All levels of DHS must be fully committed to
making the Department more efficient and effective.
To this end, this committee has taken action to address specific
issues highlighted in GAO's High-Risk report. H.R. 3696, the National
Cybersecurity and Critical Infrastructure Protection Act, and H.R.
4228, the DHS Acquisition Accountability and Efficiency Act--both
passed out of this committee unanimously--are important pieces of
legislation to increase our Nation's cybersecurity and improve the
Department's management of its acquisition programs. Additionally, our
recent bipartisan report on the Boston bombings highlighted the need
for improved information sharing, which addresses another High-Risk
item.
Finally, while I am encouraged by the steps DHS has taken in recent
years to address these issues including achieving a clean audit opinion
in 2013, there is clearly much more work to be done. In the short time
since they've assumed their new positions, Secretary Johnson and Deputy
Secretary Mayorkas have both already endeavored to fix the management
problems at DHS, and today I look forward to hearing more from them on
his plan for improving the Department. However, assurances from the top
and putting plans in place only go so far. It will take time and
follow-up and continued oversight to ensure improved outcomes are
sustained over multiple years.
To that end, I look forward to Comptroller General Dodaro and
recently confirmed DHS Inspector General Roth's testimony today. Their
recommendations to make DHS a more effective and efficient organization
are essential to making Americans safer. Ultimately, every dollar
wasted on mismanagement is one less that can go to the men and women
protecting our borders, targeting terrorists, securing our airports,
and patrolling our shores. That's why this hearing, and DHS' commitment
to getting its house in order, is so important.
Chairman McCaul. With that the Chairman now recognizes the
Ranking Member, Mr. Thompson.
Mr. Thompson. Thank you, Mr. Chairman. I thank you for
holding today's hearing. I also want to thank the comptroller
general, deputy secretary, and inspector general for their
testimonies today.
Today's hearing is to examine the Department of Homeland
Security's management functions deemed high-risk by the
Government Accountability Office, and the steps that the
Department is taking to improve in these areas. At the
beginning of each Congress the GAO releases its high-risk
update, which focuses on agencies and programs that are
vulnerable to waste, fraud, and abuse.
Understandably when the Department was formed in 2003 it
was placed on the high-risk list because of the challenges
associated on transforming 22 legacy agencies into one new
Federal department. It was also put on the high-risk list
because its failures to effectively do so could present
National security risks.
Unfortunately, more than a decade after its inception the
Department remains on the high-risk list. One reason is that
the Department has struggled to integrate its management
functions across all components. These integration challenges
present diverse operational and management problems at the
Department at all levels.
There has been general acceptance of the One DHS concept
advanced by the last Secretary of Homeland Security. But what
is needed at this pivotal moment is a leader who will animate
that slogan and put structures and procedures in place to fully
integrate the Department.
Secretary Johnson may well be that leader, but any reforms
will be at the mercy of an entrenched and unhappy workforce and
the clock. I look forward to working with Secretary Johnson to
bring about needed reforms.
For the first time since its inception, however, the
Department received its first clean audit of all its financial
statements for fiscal year 2013. As commendable as this may be,
we must not overlook that the independent auditor did find
continued weaknesses in the Department's financial controls.
Another challenging area for the Department is its IT
acquisitions and management. Over the years the Department has
had varying success acquiring and implementing information
technology systems. Some systems have performed as promised,
while others have failed to deliver capabilities and mission
benefit.
There is a need for the Department to strengthen its
internal IT governance. GAO has noted that the Department has
more work to do to fully address its IT management challenges
such as finalizing policies and procedures associated with its
new governance structure.
Finally, the Department spends approximately a quarter of
its annual budget procuring goods and services in support of
its homeland security missions. Yet since its inception,
managing acquisitions has been a significant challenge for the
Department.
The management framework put in place by the prior DHS
leadership has the potential for improving DHS acquisition
management in significant ways. That is why I am pleased that
this committee was able to come together in a bipartisan
fashion last week and pass H.R. 4228, the DHS Acquisition
Accountability and Efficiency Act, which seeks to codify what
has been deemed by the comptroller general and other watchdogs
as successful, and seeks to close other gaps that exist.
Mr. Chairman, I look forward to more ways that this
committee can work to help advance the Department and help it
achieve the goals of being fully integrated with clean
financial audits and internal management and oversight controls
in its information technology and acquisition departments.
Given the pivotal role the Department has in protecting and
preparing America, management challenges become a distraction
and have grave consequences for our National security. Hence,
it is my hope that the Department can continue to progress, and
we can see a date when it is not a part of the GAO high-risk
list.
With that, Mr. Chairman, I yield back. Thank you.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
May 7, 2014
Today's hearing is to examine the Department of Homeland Security's
management functions deemed high-risk by the Government Accountability
Office and the steps that the Department is taking to improve in these
areas.
At the beginning of each Congress, the GAO releases its ``High-Risk
Update'' which focuses on agencies and programs that are vulnerable to
waste, fraud, and abuse. Understandably, when the Department was formed
in 2003, it was placed on the ``high-risk list'' because of the
challenges associated with transforming 22 legacy agencies into one new
Federal Department. It was also put on the ``high-risk list'' because
its failure to effectively do so could present National security risks.
Unfortunately, more than a decade after its inception, the
Department remains on the ``high-risk list.'' One reason is that the
Department has struggled to integrate its management functions across
all the components. These integration challenges present diverse
operational and management problems at the Department at all levels.
There has been general acceptance of the ``One DHS'' concept
advanced by the last Secretary of Homeland Security but what is needed
at this pivotal moment is a leader who will animate that slogan and put
structures and procedures in place to fully integrate the Department.
Secretary Johnson may well be that leader but any reforms will be at
the mercy of an entrenched and unhappy workforce and the clock. I look
forward to working with Deputy Secretary Mayorkas and Secretary Johnson
to bring about needed reforms.
For the first time since its inception, the Department received its
first clean audit on all its financial statements for fiscal year 2013.
As commendable as this may be, we must not overlook that the
independent auditor did find continued weakness in the Department's
financial controls.
Another challenging area for the Department is IT acquisitions and
management. Over the years, the Department has had varying success
acquiring and implementing information technology systems; some systems
have performed as promised while others have failed to deliver
capabilities and mission benefits. There is a need for the Department
to strengthen its internal IT governance. GAO has noted that the
Department has more work to do to fully address its IT management
challenges such as finalizing policies and procedures associated with
its new governance structure.
Finally, the Department spends approximately a quarter of its
annual budget procuring goods and services in support of its homeland
security missions. Yet, since its inception, managing acquisitions has
been a significant challenge for the Department.
The management framework put in place by the Obama administration
has the potential for improving DHS acquisitions management in
significant ways. That is why I am pleased that this committee was able
to come together in a bipartisan fashion last week and passed H.R.
4228, the ``DHS Acquisition Accountability and Efficiency Act,'' which
seeks to codify what has been deemed by the Comptroller General and
other watchdogs as successful and seeks to close other gaps that exist.
I look forward to more ways that this committee can work to help
advance the Department and help it achieve the goals of being fully
integrated, with clean financial audits, and internal management and
oversight controls in its information technology and acquisitions
departments.
Given the pivotal role the Department has in protecting and
preparing America, management challenges become a distraction and have
grave consequences for our National security. Hence, it is my hope that
the Department can continue to progress and we can see a day when it is
not a part of the GAO High-Risk list.
Chairman McCaul. I thank the Ranking Member. Other Members
I remind they may submit an opening statement for the record.
We are pleased to have here today a distinguished panel of
witnesses; first, the Honorable Alejandro Mayorkas, who was
sworn in as deputy secretary of the Department of Homeland
Security in December 2013.
Prior to his appointment he served as director of the
Department's United States Citizenship and Immigration
Services. He led a workforce of 18,000 employees throughout
more than 250 offices world-wide rector of the Department's
United States Citizenship and Immigration Services.
Before joining DHS Mr. Mayorkas was a partner at a law
firm. In 1998 he was appointed as the United States Attorney
for the Central District of California.
Thanks for being here today.
Next we have the Honorable Gene Dodaro, who became the
eighth comptroller general of the United States, and head of
the United States Government Accountability Office.
In December 2010, after serving in the capacity of
``acting'' since March 2008 as comptroller general he has
helped oversee the development and issuance of hundreds of
reports and testimonies each year to various committees and
individual Members of Congress. These and other GAO products
have led to hearings and legislation, billions of dollars in
taxpayer savings, and improvements to a wide range of
Government programs and services.
Then last but not least, the Honorable John Roth. Let me
mention it is Mr. Dodaro's birthday today, and we wish you a
happy birthday, as well.
Then last, Mr. John Roth, who assumed the post of inspector
general for the Department of Homeland Security in March 2014.
Previously he served as director of the Office of Criminal
Investigations at the Food and Drug Administration. Prior to
that, he had a long and distinguished record and career with
the Department of Justice beginning in 1987 as Assistant U.S.
Attorney for the Eastern District of Michigan.
It is great to see so many brethren DOJ on this panel.
Their full written statements will appear on the record. The
Chairman now recognizes Deputy Secretary Mayorkas for 5
minutes.
STATEMENT OF ALEJANDRO N. MAYORKAS, DEPUTY SECRETARY, U.S.
DEPARTMENT OF HOMELAND SECURITY
Mr. Mayorkas. Thank you very much, Mr. Chairman. Mr.
Chairman and distinguished Members of this committee. I very
much appreciate the opportunity to testify before you today. I
feel privileged to appear before you as the deputy secretary of
Homeland Security.
I pledged to this committee an open, transparent, and fully
cooperative Department. We deeply appreciate the work of this
committee and have profound respect for it. Strong oversight
drives good Government, and we recognize and appreciate that.
I also want to thank my fellow witnesses before you today,
Mr. Dodaro and Mr. Roth, for the work that they perform and
that their teams perform. We share a common goal of making the
Department everything that it should be.
Mr. Chairman, Ranking Member Thompson, and distinguished
Members, I submitted to this committee written testimony, and I
will not repeat it now.
I do want to underscore one overriding fact, and that is my
immense pride in working alongside the men and women of the
Department of Homeland Security. Those incredibly dedicated
individuals deserve a Department and deserve management
functions and processes and institutions that bring out the
best in them and enable them to do their jobs at the highest
levels of excellence to which they aspire.
With that I look forward to the opportunity to answer
whatever questions you might have. Thank you.
[The prepared statement of Mr. Mayorkas follows:]
Prepared Statement of Alejandro N. Mayorkas
May 7, 2014
Chairman McCaul, Ranking Member Thompson, and distinguished Members
of the committee, thank you for the opportunity to appear before you as
the deputy secretary of Homeland Security to testify on the subject of
management at this important hearing entitled ``Preventing Waste,
Fraud, Abuse and Mismanagement in Homeland Security--a GAO High-Risk
List Review.'' I, along with Secretary Johnson, appreciate and welcome
the committee's continued focus on this subject and for the oversight
you exercise. It is my firmly-held belief that good oversight not only
delivers accountability critical to good government, but that it also
drives innovation. Thank you, and thank you to the members of your
staff.
I also wish to express my gratitude to the U.S. Government
Accountability Office (GAO). Under Comptroller General Gene Dodaro's
leadership, GAO has spent considerable time and energy providing our
Department with its valued, independent assessment of our work in areas
critical to the effective management of our resources and execution of
our responsibilities. GAO has issued recommendations to our Department
that, collectively, help provide a blueprint for success. It is in
response to GAO's independent reviews and recommendations that in
January 2011 our Department issued the first Integrated Strategy for
High Risk Management, an operational framework to address GAO's
recommendations. Since we issued the Integrated Strategy, we have
updated it twice yearly to document the progress our Department has
made in addressing GAO's recommendations. It pleases me to note that we
have come far in the last 5 years; today the Department eagerly engages
with GAO about outstanding recommendations. We seek out GAO.
Like the responsibility of the GAO to provide its independent
assessment of the Department's execution of responsibilities, it is the
duty of the Office of the Inspector General to deliver its own
independent and high-quality review of Departmental functions. I am
grateful to testify before you today alongside the Department's new
inspector general, John Roth. I look forward to supporting the work of
Inspector General Roth and to ensuring the Department's transparency
and full cooperation as he and I work to improve and strengthen the
Department in our respective roles.
When I became the deputy secretary of DHS in late December 2013,
the first action I took was to schedule a meeting with Comptroller
General Dodaro. In our meeting I had the opportunity to also meet
George Scott, the managing director of GAO's Homeland Security and
Justice team. Mr. Scott and I have met on several occasions since then,
and he and his team are outstanding in their commitment to improving
our Department. With Mr. Scott's and his team's independent efforts,
with the oversight of GAO and that of this committee, DHS will mature
and improve.
The number of open GAO recommendations to DHS has decreased
steadily and, significantly, in GAO's latest High-Risk List update it
narrowed the subject from ``Implementing and Transforming DHS'' to
``Strengthening DHS Management Functions.'' Additionally noteworthy is
the fact that GAO stated in that update that our Department's
Integrated Strategy, ``if implemented and sustained, provides a path
for DHS to be removed from GAO's High-Risk List.'' DHS has made
significant progress.
At the same time, DHS has additional work to do. Since I became the
deputy secretary I have invested considerable time in working with GAO
and with my very talented and dedicated DHS colleagues to ensure that
this additional work is done as effectively and swiftly as possible.
Earlier this year, we developed specific action plans to address the 30
key outcomes GAO identified in the areas of management integration,
human capital, information technology, financial management, and
acquisitions. Our action plans now provide month-to-month goals that
provide a better road map to success. Our development of these action
plans provided us with the opportunity to freshly review our previous
efforts and, in certain critical areas, to accelerate our time tables
materially.
strengthening department of homeland security management functions
Before discussing the work that DHS has undertaken to make progress
on key GAO High-Risk List areas, I wish to highlight the actions we
have recently taken that speak to our Departmental commitment to sound
management practices. On April 22, 2014, the Secretary sent a
memorandum to Department leadership entitled, ``Strengthening
Departmental Unity of Effort.'' The purpose of this effort is to
capitalize on the many strengths of the Department, starting with the
professionalism, skill, and dedication of its people and the rich
history and tradition of its components, while identifying ways to
enhance the cohesion of the Department as a whole. The Secretary's
guidance is targeted at improvements to four main lines of effort:
Inclusive senior leader discussion and decision-making forums that
provide an environment of trust and transparency; strengthened
fundamental and critical management processes for investment (including
requirements, budget, and acquisition processes) that look at cross-
cutting issues across the Department; focused, collaborative
Departmental strategy, planning, and analytic capability that support
more effective DHS-wide decision-making and operations; and, enhanced
coordinated operations to harness the significant resources of the
Department more effectively. Many of the elements of this effort are
described below, as they cut across the several management areas
discussed in GAO's High-Risk List.
GAO's High-Risk List focus on ``Strengthening DHS Management
Functions'' identified the need to achieve progress in key management
areas, including human capital management, financial management,
acquisitions, information technology, and management integration. The
Department's Integrated Strategy for High-Risk Management provides the
framework for our efforts to address GAO's recommendations and
integrate and strengthen our management infrastructure across the
Department; our monthly action plans help ensure that we have goals and
time lines to help us deliver success in timely fashion. I would like
to share with you our efforts in each key area of focus.
Human Capital Management
The Department of Homeland Security's greatest asset is its
dedicated and talented workforce. GAO has identified areas in which the
Department must mature its human capital systems to ensure that its
workforce is properly equipped and supported to achieve the
Department's challenging missions. The Department, in turn, has
accelerated time lines in its monthly action plans to achieve success
in this critical area.
The low employee morale in several parts of the Department is an
area of particular focus. Under the direction of Secretary Johnson, I
am taking a series of steps to address the root causes of the low
morale and to deliver for the workforce the Department it deserves. I
have formed a steering committee comprised of personnel from each of
the Department's component agencies and from Department headquarters to
focus on, among other things, the following areas that the workforce
has identified in the Federal Employee Viewpoint Survey and in other
feedback vehicles as ones in which the Department can improve:
The hiring and promotion process. DHS employees have
expressed concerns that the hiring and promotion process is
sometimes opaque. The Department can build greater employee
confidence in the process through greater transparency and
communication and by setting clear hiring and promotion
standards.
Training and professional development. DHS employees have
expressed a desire for enhanced training opportunities to
ensure they are equipped to perform their jobs at the highest
levels of excellence. They also have sought professional
development opportunities that will enable them to achieve the
promotions or new opportunities to which they aspire.
Rewards and recognition. DHS employees perform extraordinary
acts of patriotism and courage each and every day throughout
the Nation and the world. They deserve to be recognized,
rewarded, and championed for their achievements. The Department
is reintroducing the Secretary's annual awards to recognize
outstanding individual and team achievements from across the
Department. In addition, the Department will institutionalize
the practice of regularly championing its workforce and
rewarding them when appropriate.
Performance management. Performance management is a critical
tool in promoting priorities and values and driving
accountability. The steering committee will focus on ensuring
that each component and office in the Department has a
performance management system that reflects the appropriate
measures of success and drives each employee to achieve that
success.
Financial Management
In fiscal year 2013, DHS achieved an historic unqualified clean
audit opinion of all five financial statements, a confirmation of DHS's
on-going commitment to sound financial management practices. This
benchmark represented a huge accomplishment for the many DHS employees
who work every day to increase transparency and accountability for the
taxpayer resources entrusted to the Department. Americans have the
right to expect that we will be responsible stewards of every homeland
security dollar with which we are entrusted.
The Department expects to sustain this progress and receive its
second clean audit opinion for fiscal year 2014. In the past 4 years,
DHS has also eliminated 10 audit qualifications, reduced Department-
wide material weaknesses in internal controls over financial reporting
from 10 to 4, and significantly reduced the number of component
conditions contributing to material weaknesses from 25 to 2. The
Department is executing a multi-year plan to achieve an unqualified
clean opinion for internal control of financial reporting by fiscal
year 2016.
Financial system modernization is a priority area for the
Department. DHS is executing specific modernization efforts in order to
meet the Department's mission while minimizing and eliminating spending
in duplicative systems. The current strategy conforms to guidance from
the Office of Management and Budget to use shared services where
possible and to split modernization projects into smaller, simpler
segments with clear deliverables. One of our challenges in the shared
services domain is that no one Federal agency has sufficient capacity
to house all of the Department's financial management data. As a
result, we are evaluating the capabilities of the Federal agencies who
offer shared services arrangements. The DHS Chief Financial Officer has
established enterprise-wide standards for each component to follow and
has prioritized a deployment strategy based on those components with
the highest business needs.
Acquisitions Management
The strategic decisions of the Department's senior leadership are
only as good as the processes that support and give effect to those
decisions in investments and in the conduct of operations.
Historically, DHS has generally developed and executed component-
centric requirements, which has resulted in inefficient use of limited
resources. Much work has been done to date in the areas of joint
requirements analysis, program and budget review, and acquisition
oversight, including an effort over the past 4 years by the DHS
Management Directorate to improve the Department's overall acquisitions
process and reform even the earliest phase of the investment life cycle
where requirements are first conceived and developed. The Secretary's
April 22, 2014 memorandum on ``Strengthening Departmental Unity of
Effort'' focuses and reinforces existing structures and creates new
capability, where needed, as identified in the recent Integrated
Investment Life Cycle Management (IILCM) pilot study and other process
analyses that examined the linkages between these inter-related
planning processes and operations. These analyses underscored the need
to further strengthen all elements of the process, particularly the up-
front development of strategy, planning, and joint requirements, and to
ensure through collaborative, inclusive senior leadership dialogue and
decision that they function in a way that considers DHS-wide missions
and functions, rather than focusing on those of an individual
component.
As an example, I am leading the Deputies Management Action Group in
an expedited review to provide strategic alternatives for enhancing the
current DHS joint requirements process. This review will include
options for developing and facilitating a DHS component-driven, joint
requirements process, including a program for oversight of a
development test and evaluation capability, to identify priority gaps
and overlaps in Departmental capability needs, provide feasible
technical alternatives to meet capability needs, and recommend to me
the creation of joint programs and joint acquisitions to meet
Department-wide mission needs. This enhanced process will be used in
expanding the mission portfolios studied in the IILCM pilot, which
included Cybersecurity, Biodefense, and Screening and Vetting, to
include Border Security and Air Domain.
DHS recently announced two important decisions that speak to our
commitment to responsible and cost-effective acquisitions. First, DHS
cancelled the BioWatch acquisition of autonomous detection technology
(also known as Gen-3). Currently deployed in more than 30 metropolitan
areas across the country, BioWatch provides public health officials
with a warning of a biological agent release before potentially exposed
individuals develop symptoms of illness. While autonomous detection is
an important capability, the Gen-3 acquisition did not reflect the best
use of resources in our current fiscal environment. DHS remains
committed to the BioWatch program and will ensure that current BioWatch
operations continue as part of our layered approach to biodefense.
Second, DHS is putting on hold a FEMA Logistics Supply Chain Management
System contract until further review. FEMA's Logistics Supply Chain
Management System was developed to provide full disaster supply chain
management capability and visibility to FEMA and its partners. The
Department has determined that the program has not met all of its
operational requirements and that it needs to be reviewed in the
context of broader logistical operations. That review is underway,
which will include a third-party evaluation of the most cost-effective
manner. These decisions are in line with the Department's focus on
efficiency, ensuring that we continue to pursue cost-effective
acquisition without compromising our security. The Secretary and I will
continue to hold our acquisition programs accountable to ensure they
are responsible and cost-effective.
Additionally, the DHS Chief Financial Officer has strengthened and
enhanced the Department's programming and budgeting process by
incorporating the results of strategic analysis and joint requirements
planning into portfolios for review by issue teams. Using this
approach, substantive, large-scale alternative choices will be
presented to the Deputies Management Action Group as part of the annual
budget development. This review process will also include the
Department's existing programmatic and budgetary structure, not just
new investments. It will include the ability for DHS to project the
impact of current decisions on resource issues such as staffing,
capital acquisitions, operations and maintenance, and similar issues
that impact the Department's future ability to fulfill its mission
responsibilities. As its first task, the Deputies Management Action
Group will focus this enhanced programming and budgeting process on the
development of options for the fiscal year 2016 budget request.
In the oversight phase, we will continue to leverage the Component
Acquisition Executive structure and enhanced business intelligence to
proactively identify performance problems with existing programs
throughout their life cycle. While there is work to be done to sustain
our progress, we are encouraged by an Office of the Inspector General
report that stated that DHS has significantly strengthened our
acquisition management oversight.
We have also made significant progress in strengthening the
document review process. In 2013, the under secretary for management
issued a decision memorandum stating that no new program can proceed
without the approved acquisition documentation, including life-cycle
cost estimates, mission needs statements, test and evaluation plans,
and operational requirements documents.
To ensure we have an adequately staffed and trained acquisition
workforce, the Department has engaged on multiple fronts to enhance
acquisition staffing and training. The DHS Acquisition Professional
Career Program (APCP) is sponsored by the chief procurement officer and
provides a steady pipeline of entry-level contracting and procurement
talent to the components. APCP interns are hired into career ladder
positions and engage in a 3-year program where they receive quality
training and rotate between components to gain valuable on-the-job
training. In fiscal year 2013 alone, 63 interns graduated and have been
placed in components. Thus far in fiscal year 2014, an additional 60
interns have been placed.
The Department's Homeland Security Acquisition Institute continues
to serve as the principal training academy for the DHS acquisition
workforce. In fiscal year 2013, over 9,400 DHS acquisition
professionals completed classroom or on-line training courses
contributing to the issuance of over 3,200 acquisition certifications.
Thus far in fiscal year 2014, an additional 1,300 acquisition
certifications have been issued. To date, DHS has issued 10,732
certifications across nine acquisition disciplines, including
Contracting, Program Management, Systems Engineering, Test and
Evaluation, Cost Estimating, Life Cycle Logistics Management, Program
Financial Management, Ordering Official, and Contracting Officer's
Representative.
DHS continues to support small businesses around the country. In
recognition of its performance, the Department has received an ``A''
rating for 5 consecutive years from the Small Business Administration
in the areas of prime contracting, small business subcontracting, and a
written progress plan.
Information Technology Management
In the Information Technology (IT) area, DHS has made substantial
progress to drive efficiencies through consolidation of data centers.
To date, 18 primary data centers have been consolidated, with an
additional two consolidations scheduled for completion in fiscal year
2014. Migrations from commercial data centers resulted in annual cost
savings of 43%, and migrations from Federal data centers resulted in an
average annual cost savings of 12% for similar capabilities.
Recognizing that information technology is constantly improving and
changing and that our own IT organization has matured, we are working
to increase the integration of previously fragmented Departmental
oversight reviews into a defined, efficient governance process that is
tailored to the size and criticality of each program. This will result
in improved project tracking and oversight and will also help DHS meet
our IT-related mission needs.
Security of internal IT systems and networks also remains a
priority. DHS continues to enhance the IT security of the Department's
internal systems and networks through periodic upgrades to software. In
addition, IT staff performs independent validation and verification of
implemented corrective actions to address material weaknesses related
to financial systems security. All components are implementing a
desktop image based on the United States Government Configuration
Baseline (USGCB) settings.
Management Integration
Management Integration refers to the development and implementation
of consistent and consolidated processes within and across the
management functional areas discussed above. From individual
performance evaluations to the Department's most costly investment
decisions, we have the obligation to operate efficiently and in a
manner that best enables us to meet our mission.
The Management Integration area has made substantial progress in
the past 3 years, reflected by the fact that both DHS and GAO agree
that the majority of the outcomes in the Management Integration area
are fully addressed. DHS has made considerable progress towards
integrating management across the enterprise. As an example, we have
strengthened the delegations of authority to clarify the roles of and
enhance oversight between Headquarters and components, and we have
implemented the pilot phase of the IILCM to ensure we base investment
decisions on closing capability gaps and meeting mission goals and
outcomes. Based on the lessons learned from the pilot, the Secretary
has determined, through the Unity of Effort initiative, to focus
immediate attention on further maturing the Strategy and Capabilities &
Requirements phases.
Secretary Johnson and I are committed to integrating all phases of
our investment life cycle as we prepare for the fiscal year 2016 budget
submission. Advancing the IILCM framework, which is a principal tenet
of the Department's overall integration strategy, continues to be a
major initiative that builds on the progress we have made. In the near
future, as I referenced above, I will oversee a re-constituted Joint
Requirements Council as we evaluate fiscal year 2016 resource
allocation plans and attempt to harmonize and unify requirements across
the DHS enterprise.
The Secretary and I are capitalizing on these previous efforts and
broadening them in our ``Strengthening Departmental Unity of Effort''
initiative. This effort focuses on improving our planning, programming,
budgeting, and execution processes through strengthened Departmental
structures and increased capability. In making these changes, we will
have better traceability between strategic objectives, budgeting,
acquisition decisions, operational planning, and mission execution to
improve Departmental cohesiveness and operational effectiveness.
We are in the final stages of evolving our business intelligence
capability by consolidating management data systems onto a common
platform. This effort allows for more current and integrated data
across all lines of business, both at headquarters and into DHS's many
components.
other dhs high-risk list areas
We recognize the critical role that strengthened management
functions have in the Department's ability to achieve success. GAO has
identified other areas of Department responsibilities that also play an
integral role in our mission delivery and, while these non-management
areas are not the focus of this hearing, I hope it will be beneficial
to this committee for me to provide a brief overview of our work in a
few of these areas.
Establishing Effective Mechanisms for Sharing and Managing Terrorism-
Related Information to Protect the Homeland
DHS is a key participant in the Federal Information Sharing
Environment and continues to develop policies and technical solutions
across Sensitive but Unclassified, Secret, and Top Secret/Sensitive
Compartmented Information networks that enhance safeguarding and
sharing of information with a wide variety of Federal, State, local,
and private-sector stakeholders. In January 2013 and immediately
following the release of the National Strategy for Information Sharing
and Safeguarding, the Department issued the DHS Information Sharing and
Safeguarding Strategy focused on goals to share, safeguard, manage, and
govern risk, and measure performance. Through a detailed Implementation
Plan, the Department has identified key priority objectives with
synchronized milestones to effectively execute the Strategy, and has
prepared an Implementation Guide that defines the processes to identify
gaps, root causes, performance measures, risks, and resourcing for its
top information-sharing and safeguarding initiatives.
National Flood Insurance Program
The National Flood Insurance Program (NFIP) serves as the
foundation for National efforts to reduce the loss of life and property
from flood disasters. NFIP remains on the High-Risk List largely
because it does not generate sufficient revenues to repay the billions
of dollars borrowed from the U.S. Department of the Treasury to cover
claims from the 2005 and 2012 hurricanes or from future catastrophic
losses. The lack of sufficient revenues has highlighted structural
weaknesses in how the program is funded, including statutorily-mandated
subsidies.
DHS and FEMA have been working with GAO to address the challenges
identified in GAO's recommendations to improve management and
operations. FEMA changed the process for Write Your Own (WYO) company
performance under the WYO Financial Control plan, implemented
procedures to select statistically representative samples of all claims
for conducting claims re-inspections, and requested an independent
audit of the NFIP's financial statements. FEMA's focus on implementing
GAO recommendations in areas including Strategic Planning, Management
and Oversight of the NFIP, and modernizing the NFIP IT system, have
resulted in the closure of many of GAO's recommendations. We are
actively engaged on those GAO recommendations that remain open.
With the passage of the Biggert-Waters Flood Insurance Act of 2012
and the Homeowners Flood Insurance Affordability Act of 2014, the NFIP
now has authority to phase in actuarial rates for some policies and
charge policyholders a surcharge, which will improve the financial and
operational position of the program over time; however, as a result,
policyholders will not pay actuarial rates. Specifically, these two
laws raise the statutory limit on annual rate increases, mandate
premium increases for certain subsidized policies, establish a reserve
fund that will allow the NFIP to build surplus capital to pay losses in
a greater-than-average loss year, and mandate a $25 annual surcharge
for most policyholders and a $250 annual surcharge for non-residential
properties and residential properties that are not a primary residence,
until actuarial rates are reached.
Protecting the Federal Government's Information Systems and the
Nation's Cyber Critical Infrastructures
I appreciate GAO's continued engagement on Federal agency
cybersecurity and the cybersecurity of critical infrastructure. Since
2009, the Department has managed this area actively, and each
subsequent update to the GAO High-Risk List has recognized DHS efforts.
The Department works closely with the White House and interagency
partners to ensure a whole-of-Government approach to cybersecurity. At
the same time, DHS is committed to working with Congress as it explores
legislative proposals.
DHS directly supports Federal civilian departments and agencies in
developing capabilities that will improve their own cybersecurity
posture through the Continuous Diagnostics and Mitigation (CDM)
program. One hundred eight departments and agencies are currently
covered by Memoranda of Agreement with the CDM program, encompassing
over 97 percent of all Federal civilian personnel. In fiscal year 2014,
DHS issued the first delivery order for CDM sensors and awarded a
contract for the CDM dashboard.
The National Cybersecurity Protection System (NCPS), a key
component of which is referred to as EINSTEIN, is an integrated
intrusion detection, analytics, information sharing, and intrusion-
prevention system designed to support DHS responsibilities for
protecting Federal civilian agency networks. These current
capabilities, and future capabilities such as CDM, are used by the
Department's National Cybersecurity and Communications Integration
Center, in concert with its analysis, warning, and incident response
capabilities, to protect Federal civilian agencies and assist them when
incidents occur. In July 2013, NCPS's EINSTEIN 3 Accelerated (E3A)
became operational and provided services to the first Federal agency.
With the adoption of E3A, DHS will assume an active role in defending
.gov network traffic and significantly reduce the threat vectors
available to malicious actors seeking to harm Federal networks. NCPS
continues to expand intrusion prevention, information sharing, and
cyber analytic capabilities at Federal agencies, marking a critical
shift from a passive to an active role in cyber defense and the
delivery of enterprise cybersecurity services to decision makers across
cybersecurity communities.
With respect to critical infrastructure, the Department continues
to grow the critical infrastructure Cyber Information Sharing and
Collaboration Program, which is a unique voluntary environment for
public-private information sharing and collaboration. In addition, we
recently launched the Critical Infrastructure Cyber Community or C3
(``C Cubed'') Voluntary Program to assist critical infrastructure
owners and operators as they build cybersecurity into their risk
management approaches. Much work remains to be completed and we are
committed to actively managing this High-Risk area.
When I met with Comptroller General Dodaro, we agreed to develop a
set of detailed criteria that GAO and the Department can use to
strengthen the Nation's cybersecurity and critical infrastructure
resilience. As part of that process, I will receive monthly status
updates from DHS components that we will share with GAO.
conclusion
It is our fundamental responsibility to manage the Department of
Homeland Security effectively and efficiently. Sound management is
critical to our ability to execute our mission successfully, and it is
incumbent upon us as guardians of the public trust to be careful and
scrupulous in our expenditure of public funds. You have my commitment
that I will continue to focus intensely on strengthening the
Department's management functions, and that I will work closely with
this committee and with GAO to achieve that goal.
Thank you for the opportunity and the privilege to appear before
you.
Chairman McCaul. Thank you, Deputy Secretary. The Chairman
now recognizes Mr. Dodaro for an opening statement.
STATEMENT OF GENE L. DODARO, COMPTROLLER GENERAL OF THE UNITED
STATES, GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Dodaro. Thank you very much, Mr. Chairman. Good morning
to you, Ranking Member Thompson, distinguished Members of the
committee. I appreciate the opportunity to be here today to
discuss GAO's designations and high-risk areas regarding the
Department of Homeland Security.
With regard to the management functions that we initially
placed on the list in 2003, I am pleased to report that the
Department is well on its way to satisfying two of the five
criteria for coming off the list.
One is leadership commitment, and I am very satisfied with
the deputy secretary and the Secretary's engagement on this
issue. I believe that we have an open, constructive dialogue,
which is the first step toward resolving some of these
problems.
They also have a pretty good integrated plan for coming off
the high-risk list. However, they still need to demonstrate the
capacity to make the changes, to have a monitoring effort to
make sure that the changes are implemented properly. Most
importantly and lastly is they need to demonstrate progress in
making sure that they have actually fixed some of the
underlying problems that have plagued them in the past.
With regard to the acquisition area, for example, they have
designated acquisition components at the component level and
organized some centers to bring together some core expertise to
help in the acquisitions area. But they need to have governance
mechanisms in place to look at the entire acquisition portfolio
and set priorities across the Department. Then to make sure
that individual acquisitions operate effectively and are more
consistently meeting the Department's policies.
For example, 46 percent of the major acquisitions do not
have approved baseline cost. About 77 percent do not have yet
approved life-cycle cost estimates. So I believe the H.R. 4228
that this committee passed is a very important contribution
step forward to putting disciplined acquisition policies in
place and having more transparency and accountability for the
Department.
With regard to financial management, they have received the
clean opinion that both the Chairman and Ranking Member
recognized this morning for fiscal year 2013 financial
statements. However, to meet our list to get off the list they
need to sustain the clean opinion.
They need to get a clean opinion on internal controls,
which they are not able to do at this point because of a number
of material weaknesses in their systems. They also need to
effectively put in modern financial management systems in the
components, particularly the Coast Guard, FEMA, ICE, and
Customs and Border Patrol.
With regard to human capital management they have put
together a plan to guide them in this area. But they must
address the root causes that are at the heart of the employee
morale issues that have plagued the Department for a number of
years. Also to focus on processes to identify skill gaps and to
remedy those skill gaps across the Department.
In the IT area we are pleased they have had an enterprise
architecture in place, which is a good first step. But they
need to finalize their policy governance structure for IT
investments, and to expand that policy to cover all 13
portfolios. Right now they have it only covering five of 13.
They need to fix their information security weaknesses, which
are a major control problem for the Department.
Now with regard to other areas we have on the high-risk
list--cybersecurity and critical infrastructure protection that
DHS is part of, National Flood Insurance Program, and
information sharing in the terrorist information sharing--I
would be happy to answer any questions on those areas at the
appropriate time.
I would just say with regard to cybersecurity there has
been a lot of attention to this area, but more needs to be
done. I am very supportive of the H.R. 3696 legislation that
you have initiated.
I think the Department has been given responsibility for
cybersecurity across the Federal Government without the
authority. That authority should be codified and put into law.
Also giving them additional guidance in the critical
infrastructure protection area and additional codification is a
really good step forward.
So I commend this committee both for the acquisition
legislation and the cybersecurity and critical infrastructure
legislation. So, I would be happy to answer questions at the
appropriate point in time. I again very much appreciate the
opportunity to be here today to discuss our efforts to help the
Department reach its full potential.
[The prepared statement of Mr. Dodaro follows:]
Prepared Statement of Gene L. Dodaro
May 7, 2014
Chairman McCaul, Ranking Member Thompson, and Members of the
committee: I am pleased to be here today to discuss our work on the
Department of Homeland Security's (DHS) on-going efforts to improve the
efficiency of its operations and unity of the Department, with a
particular focus on DHS's progress and remaining challenges addressing
GAO's high-risk designations. In the 11 years since the Department's
creation, DHS has implemented key homeland security operations,
achieved important goals and milestones, and grown to more than 240,000
employees and approximately $60 billion in budget authority. During
that time, our work has identified several areas where DHS needs to
address gaps and weaknesses in its current operational and
implementation efforts, as well as strengthen the efficiency and
effectiveness of those efforts. Since 2003, we have made approximately
2,100 recommendations to DHS to strengthen program management,
performance measurement efforts, and management processes, among other
things. DHS has implemented more than 65 percent of these
recommendations and has actions under way to address others.
We also report regularly to the Congress on Government operations
that we identified as high-risk because of their greater vulnerability
to fraud, waste, abuse, and mismanagement, or the need for
transformation to address economy, efficiency, or effectiveness
challenges. DHS has sole or critical responsibility for four GAO high-
risk areas--(1) Strengthening DHS Management Functions, (2) National
Flood Insurance Program (NFIP), (3) Protecting the Federal Government's
Information Systems and the Nation's Cyber Critical Infrastructures,
and (4) Establishing Effective Mechanisms for Sharing and Managing
Terrorism-Related Information to Protect the Homeland. DHS has made
progress addressing areas we have identified as high-risk, but needs to
continue to strengthen its efforts in order to more efficiently and
effectively achieve its homeland security missions. In particular:
In 2003, we designated implementing and transforming DHS as
high-risk because DHS had to transform 22 agencies--several
with major management challenges--into one department, and
failure to address associated risks could have serious
consequences for U.S. National and economic security.\1\ While
challenges remain across its missions, DHS has made
considerable progress in transforming its original component
agencies into a single department. As a result, in our 2013
high-risk update, we narrowed the scope of the high-risk area
to focus on strengthening DHS management functions (human
capital, acquisition, financial management, and information
technology [IT]).\2\
---------------------------------------------------------------------------
\1\ GAO, High-Risk Series: An Update, GAO-03-119 (Washington, DC:
January 2003).
\2\ GAO, High-Risk Series: An Update, GAO-13-283 (Washington, DC:
February 2013). For additional information, see our high-risk list key
issues page at http://www.gao.gov/highrisk/overview.
---------------------------------------------------------------------------
In 2006, we added the NFIP--a key component of the Federal
Government's efforts to limit the damage and financial impact
of floods--to the GAO high-risk list because the program faced
significant on-going financial and management challenges.\3\ In
particular, the NFIP, which is managed by DHS's Federal
Emergency Management Agency (FEMA), is unlikely to generate
sufficient revenue to cover future catastrophic losses or repay
billions of dollars borrowed from the Department of the
Treasury to cover insurance claims from previous disasters.
---------------------------------------------------------------------------
\3\ GAO, GAO's High-Risk Program, GAO-06-497T (Washington, DC: Mar.
15, 2006).
---------------------------------------------------------------------------
In 1997, we designated Federal information security as a
Government-wide high-risk area, and we expanded the area in
2003 to include systems supporting critical infrastructure such
as power distribution, communications, banking and finance,
water supply, National defense, and emergency services.\4\ The
effective security of these systems and the data they contain
is essential to National security, economic well-being, and
public health and safety. DHS is responsible for securing its
own information systems and data and also plays a pivotal role
in Government-wide cybersecurity efforts.
---------------------------------------------------------------------------
\4\ GAO-03-119.
---------------------------------------------------------------------------
In 2005, we designated the sharing of terrorism-related
information as high-risk because of the significant challenges
the Federal Government faces in sharing this information in a
timely, accurate, and useful manner.\5\ The sharing of
terrorism-related information is a Government-wide effort that
involves numerous Federal departments and agencies. DHS plays a
critical role in this sharing given its homeland security
missions and responsibilities.
---------------------------------------------------------------------------
\5\ GAO, High-Risk Series: An Update, GAO-05-207 (Washington, DC:
Jan. 1, 2005).
---------------------------------------------------------------------------
In November 2000, we published our criteria for removing areas from
the high-risk list.\6\ Specifically, agencies must have (1) a
demonstrated strong commitment and top leadership support to address
the risks; (2) a corrective action plan that identifies the root
causes, identifies effective solutions, and provides for substantially
completing corrective measures in the near term, including but not
limited to steps necessary to implement solutions we recommended; (3)
the capacity (that is, the people and other resources) to resolve the
risks; (4) a program instituted to monitor and independently validate
the effectiveness and sustainability of corrective measures; and (5)
the ability to demonstrate progress in implementing corrective
measures. When legislative, administration, and agency actions,
including those in response to our recommendations, result in
significant progress toward resolving a high-risk problem, we remove
the high-risk area.
---------------------------------------------------------------------------
\6\ GAO, Determining Performance and Accountability Challenges and
High Risks, GAO-01-159SP (Washington, DC: Nov. 1, 2000).
---------------------------------------------------------------------------
My testimony today discusses our observations on DHS's progress and
work remaining in addressing: (1) High-risk areas for which DHS has
sole responsibility, and (2) high-risk areas for which DHS has
critical, but shared, responsibility.
This statement is based on GAO's 2013 high-risk update as well as
reports and testimonies we issued from March 2013 through April
2014.\7\ For the past products, among other things, we analyzed DHS
strategies and other documents related to the Department's efforts to
address its high-risk areas; reviewed our past reports issued since DHS
began its operations in March 2003; and interviewed DHS officials. More
detailed information on the scope and methodology of our prior work can
be found within each specific report. This statement is also based on
analyses from our on-going assessment of DHS's efforts to address its
high-risk areas since February 2013. We expect to report final results
from this work in our 2015 high-risk update. For our analyses, among
other things, we analyzed DHS documentation, such as Departmental
guidance, and met with DHS officials, including the deputy secretary
and under secretary for management, to discuss DHS's efforts to address
its high-risk areas. With respect to the Strengthening DHS Management
Functions high-risk area, on May 1, 2014, DHS provided us with an
updated version of its Integrated Strategy for High-Risk Management. We
plan to analyze this update as part of our on-going assessment of DHS's
progress in addressing this high-risk area.
---------------------------------------------------------------------------
\7\ GAO-13-283.
---------------------------------------------------------------------------
We conducted the work on which this statement is based in
accordance with generally accepted Government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
high-risk areas for which dhs has sole responsibility
DHS has made progress in addressing high-risk areas for which it
has sole responsibility, but significant work remains.
Strengthening DHS Management Functions
DHS has made important progress in implementing, transforming,
strengthening, and integrating its management functions in human
capital, acquisition, financial management, and IT. This has included
taking numerous actions specifically designed to address our criteria
for removing areas from the high-risk list. However, as we reported in
our February 2013 high-risk update, this area remains high-risk because
the Department has significant work ahead.\8\ As shown in Table 1, DHS
has met two of our criteria for removal from the high-risk list
(leadership commitment and a corrective action plan), and has partially
met the remaining three criteria (a framework to monitor progress;
capacity; and demonstrated, sustained progress).
---------------------------------------------------------------------------
\8\ GAO-13-283.
TABLE 1.--ASSESSMENT OF DEPARTMENT OF HOMELAND SECURITY (DHS) PROGRESS
IN ADDRESSING THE STRENGTHENING DHS MANAGEMENT FUNCTIONS HIGH-RISK AREA,
AS OF MAY 2014
------------------------------------------------------------------------
Criterion for Removal From the Partially Met Not Met
High-Risk List Met \1\ \2\ \3\
------------------------------------------------------------------------
Leadership commitment........... X ............. ..........
Corrective action plan.......... X ............. ..........
Capacity........................ ........... X ..........
Framework to monitor progress... ........... X ..........
Demonstrated, sustained progress ........... X ..........
---------------------------------------
Total..................... 2 3 0
------------------------------------------------------------------------
Source: GAO analysis of DHS documents, interviews, and prior GAO
reports.
\1\ ``Met'': There are no significant actions that need to be taken to
further address this criterion.
\2\ ``Partially met'': Some but not all actions necessary to generally
meet the criterion have been taken.
\3\ ``Not met'': Few, if any, actions toward meeting the criterion have
been taken.
Leadership commitment (met).--The Secretary and deputy secretary of
Homeland Security, the under secretary for management at DHS, and other
senior officials have continued to demonstrate commitment and top
leadership support for addressing the Department's management
challenges. They have also taken actions to institutionalize this
commitment to help ensure the long-term success of the Department's
efforts. For example, in May 2012, the Secretary of Homeland Security
modified the delegations of authority between the Management
Directorate and its counterparts at the component level to clarify and
strengthen the authorities of the under secretary for management across
the Department.
In addition, in April 2014, the Secretary of Homeland Security
issued a memorandum committing to improving DHS's planning,
programming, budgeting, and execution processes through strengthened
Departmental structures and increased capability. This memorandum
identified several initial areas of focus intended to build
organizational capacity.\9\ Senior DHS officials have also routinely
met with us over the past 5 years to discuss the Department's plans and
progress in addressing this high-risk area, during which we provided
specific feedback on the Department's efforts. According to these
officials, and as demonstrated through their progress, the Department
is committed to demonstrating measurable, sustained progress in
addressing this high-risk area. It will be important for DHS to
maintain its current level of top leadership support and sustained
commitment to ensure continued progress in successfully executing its
corrective actions through completion.
---------------------------------------------------------------------------
\9\ DHS, Secretary of Homeland Security, Strengthening Departmental
Unity of Effort, Memorandum for DHS Leadership (Washington, DC: April
22, 2014).
---------------------------------------------------------------------------
Corrective action plan (met).--DHS established a plan for
addressing this high-risk area. In a September 2010 letter to DHS, we
identified and DHS agreed to achieve 31 actions and outcomes that are
critical to addressing the challenges within the Department's
management areas and in integrating those functions across the
Department. In January 2011, DHS issued its initial Integrated Strategy
for High-Risk Management, which included key management initiatives and
related corrective action plans for addressing its management
challenges and the outcomes we identified. DHS provided updates of its
progress in implementing these initiatives and corrective actions in
its later versions of the strategy. In March 2014, we made updates to
the actions and outcomes in collaboration with DHS to reduce overlap
and ensure their continued relevance and appropriateness. These updates
resulted in a reduction from 31 to 30 total actions and outcomes.
DHS's strategy and approach to continuously refining actionable
steps to implementing the outcomes, if implemented effectively and
sustained, provide a path for DHS to be removed from GAO's high-risk
list.
Capacity (partially met).--In May 2014, DHS identified that it had
resources needed to implement 7 of the 11 initiatives the Department
had under way to address the actions and outcomes, but did not identify
sufficient resource needs for the 4 remaining initiatives. In our
analysis of DHS's June 2013 update, which similarly did not identify
sufficient resource needs for all initiatives, we found that this
absence of complete resource information made it difficult to fully
assess the extent to which DHS has the capacity to implement its
initiatives.
In addition, our prior work has identified specific capacity gaps
that could undermine achievement of management outcomes. For example,
in September 2012, we reported that 51 of 62 acquisition programs faced
workforce shortfalls in program management, cost estimating,
engineering, and other areas, increasing the likelihood that the
programs will perform poorly in the future.\10\ Since that time, DHS
has appointed component acquisition executives at the components and
made progress in filling staff positions. In April 2014, however, we
reported that DHS needed to increase its cost-estimating capacity, and
that the Department had not approved baselines for 21 of 46 major
acquisition programs.\11\ These baselines--which establish cost,
schedule, and capability parameters--are necessary to accurately assess
program performance.
---------------------------------------------------------------------------
\10\ GAO, Homeland Security: DHS Requires More Disciplined
Investment Management to Help Meet Mission Needs, GAO-12-833
(Washington, DC: Sept. 18, 2012).
\11\ GAO, Homeland Security Acquisitions: DHS Could Better Manage
Its Portfolio to Address Funding Gaps and Improve Communications with
Congress, GAO-14-332 (Washington, DC: Apr. 17, 2014).
---------------------------------------------------------------------------
DHS needs to continue to identify resources for the remaining
initiatives; determine that sufficient resources and staff are
committed to initiatives; work to mitigate shortfalls and prioritize
initiatives, as needed; and communicate to senior leadership critical
resource gaps.
Framework to monitor progress (partially met).--DHS established a
framework for monitoring its progress in implementing the corrective
actions it identified for addressing the 30 actions and outcomes. In
the June 2012 update to the Integrated Strategy for High-Risk
Management, DHS included, for the first time, performance measures to
track its progress in implementing all of its key management
initiatives. DHS continued to include performance measures in its May
2014 update.
Additionally, in March 2014, the deputy secretary began meeting
monthly with the DHS management team to discuss DHS's progress in
strengthening its management functions. According to senior DHS
officials, as part of these meetings, attendees discuss a report that
senior DHS officials update each month, which identifies corrective
actions for each outcome, as well as projected and actual completion
dates.
However, there are opportunities for DHS to strengthen this
framework. For example, as we reported in September 2013, DHS
components need to develop performance and functionality targets for
assessing their proposed financial systems.\12\ This would include
having an independent validation and verification program in place to
ensure the modernized financial systems meet expected targets. Moving
forward, DHS will need to closely track and independently validate the
effectiveness and sustainability of its corrective actions and make
mid-course adjustments, as needed.
---------------------------------------------------------------------------
\12\ GAO, DHS Financial Management: Additional Efforts Needed to
Resolve Deficiencies in Internal Controls and Financial Management
Systems, GAO-13-561 (Washington, DC: Sept. 30, 2013).
---------------------------------------------------------------------------
Demonstrated, sustained progress (partially met).--Key to
addressing the Department's management challenges is DHS demonstrating
the ability to achieve sustained progress across the 30 actions and
outcomes we identified and DHS agreed were needed to address the high-
risk area. These actions and outcomes include, among others, validating
required acquisition documents in accordance with a Department-
approved, knowledge-based acquisition process, and sustaining clean
audit opinions for at least 2 consecutive years on Department-wide
financial statements and internal controls. As illustrated by the
examples below, DHS has made important progress in implementing
corrective actions across its management functions, but it has not
demonstrated sustainable, measurable progress in addressing key
challenges that remain within these functions and in the integration of
those functions.\13\
---------------------------------------------------------------------------
\13\ For our assessments of DHS's progress in addressing the 30
outcomes, ``fully addressed'' means the outcome is fully addressed;
``mostly addressed'' means progress is significant and a small amount
of work remains; ``partially addressed'' means progress is measurable,
but significant work remains; and ``initiated'' means activities have
been initiated to address outcomes, but it is too early to report
progress.
---------------------------------------------------------------------------
Human capital management.--DHS has mostly addressed 1 of the 7
human capital management outcomes and partially addressed the remaining
6. For example, as we reported in December 2012, DHS has developed and
demonstrated progress in implementing a strategic human capital
plan.\14\ This plan, among other things, is integrated with broader
organizational strategic planning, and mostly addresses this outcome.
However, DHS needs to improve other aspects of its human capital
management.
---------------------------------------------------------------------------
\14\ GAO, DHS Strategic Workforce Planning: Oversight of
Department-wide Efforts Should Be Strengthened, GAO-13-65 (Washington,
DC: Dec. 3, 2012). For example:
---------------------------------------------------------------------------
As we reported in December 2013, the Office of Personnel
Management's 2013 Federal Employee Viewpoint Survey data showed
that DHS employee satisfaction was 36th of 37 Federal agencies
and had decreased 7 percentage points since 2011, which is more
than the Government-wide decrease of 4 percentage points over
the same time period.\15\ As a result, the gap between average
DHS employee satisfaction and the Government-wide average
widened to 7 percentage points.\16\ Accordingly, DHS has
considerable work ahead to improve its employee morale.
---------------------------------------------------------------------------
\15\ The Federal Employee Viewpoint Survey measures employees'
perceptions of whether and to what extent conditions characterizing
successful organizations are present in their agencies.
\16\ GAO, Department of Homeland Security: DHS's Efforts to Improve
Employee Morale and Fill Senior Leadership Vacancies, GAO-14-228T
(Washington, DC: Dec. 12, 2013).
---------------------------------------------------------------------------
Further, according to senior DHS officials, the Department
has efforts under way intended to link workforce planning
efforts to strategic and program-specific planning efforts to
identify current and future human capital needs, including the
knowledge, skills, and abilities needed for the Department to
meet its goals and objectives. According to these officials,
the Department is in the process of finalizing competency gap
assessments to identify potential skills gaps within its
components that collectively encompass almost half of the
Department's workforce. These assessments focus on occupations
DHS identifies as critical to its mission, including emergency
management specialists and cyber-focused IT management
personnel. DHS plans to analyze the results of these
assessments and develop plans to address any gaps the
assessments identify by the end of fiscal year 2014. This is a
positive step, as identifying skills gaps could help the
Department to better identify current and future human capital
needs and ensure the Department possesses the knowledge,
skills, and abilities needed to meet its goals and objectives.
Given that DHS is finalizing these assessments, it is too early
to assess their effectiveness.
Acquisition management.--DHS has mostly addressed one of the five
acquisition management outcomes, partially addressed one, and initiated
activities to address the remaining three. DHS has made the most
progress in increasing component-level acquisition capability by, for
example, establishing a component acquisition executive in each DHS
component to provide oversight and support programs within its
portfolio. DHS has also taken steps to enhance its acquisition
workforce by establishing centers of excellence for cost estimating,
systems engineering, and other disciplines to promote best practices
and provide technical guidance. However, DHS needs to improve its
acquisition management. For example:
DHS initiated a governance body in 2013 to review and
validate acquisition programs' requirements and identify and
eliminate any unintended redundancies, but it considered trade-
offs only across acquisition programs within the Department's
cybersecurity portfolio. DHS acknowledged that the Department
has no formal structure in place to consider trade-offs DHS-
wide, but DHS anticipates chartering such a body by the end of
May 2014.
DHS also has initiated efforts to validate required
acquisition documents in accordance with a knowledge-based
acquisition process, but this remains a major challenge for the
Department. A knowledge-based approach provides developers with
information needed to make sound investment decisions, and it
would help DHS address significant challenges we have
identified across its acquisition programs.\17\ DHS's
acquisition policy largely reflects key acquisition management
practices, but the Department has not implemented it
consistently. In March 2014, we reported that the
Transportation Security Administration does not collect or
analyze available information that could be used to enhance the
effectiveness of its advanced imaging technology.\18\ In March
2014, we also found that U.S. Customs and Border Protection
(CBP) did not fully follow DHS policy regarding testing for the
integrated fixed towers being deployed on the Arizona
border.\19\ As a result, DHS does not have complete information
on how the towers will operate once they are fully deployed.
---------------------------------------------------------------------------
\17\ In our past work examining weapon acquisition issues and best
practices for product development, we have found that leading
commercial firms pursue an acquisition approach that is anchored in
knowledge, whereby high levels of product knowledge are demonstrated by
critical points in the acquisition process.
\18\ GAO, Advanced Imaging Technology: TSA Needs Additional
Information Before Procuring Next-Generation Systems, GAO-14-357
(Washington, DC: March 31, 2014).
\19\ GAO, Arizona Border Surveillance Technology Plan: Additional
Actions Needed to Strengthen Management and Assess Effectiveness, GAO-
14-368 (Washington, DC: Mar. 3, 2014).
---------------------------------------------------------------------------
Finally, DHS does not have the acquisition management tools
in place to consistently demonstrate whether its major
acquisition programs are on track to achieve their cost,
schedule, and capability goals. About half of major programs
lack an approved baseline, and 77 percent lack approved life-
cycle cost estimates. DHS stated in its 2014 update that it
will take time to demonstrate substantive progress in this
area. We have recently initiated two reviews to examine DHS's
progress in these high-risk areas. In addition, the House
Homeland Security committee recently introduced a DHS
acquisition reform bill that reinforces the importance of key
acquisition management practices, such as establishing cost,
schedule, and capability parameters, and includes requirements
to better identify and address poor-performing acquisition
programs, which could aid the Department in addressing its
acquisition management challenges.
Financial management.--DHS has made progress toward improving its
financial management and has fully addressed 1 of 8 high-risk financial
management outcomes--ensuring its financial statements are accurate and
reliable.\20\ However, a significant amount of work remains to be
completed on the other 7 outcomes related to DHS's financial
statements, internal control over financial reporting, and modernizing
financial management systems.
---------------------------------------------------------------------------
\20\ The financial management outcomes have twice been revised
since September 2010 when they were initially established. The most
recent revision occurred in March 2014 when GAO and DHS agreed to
revise the outcomes to clarify certain requirements and eliminate
overlap among the outcomes and between the outcomes and GAO's high-risk
removal criteria.
---------------------------------------------------------------------------
DHS produced accurate and reliable financial statements for
the first time in fiscal year 2013, in part through
management's commitment to improving its financial management
process. As of May 2014, DHS is working toward sustaining this
key achievement.
DHS has also made some progress toward implementing
effective internal control over financial reporting, in part by
implementing a corrective action planning process aimed at
addressing internal control weaknesses. For example, the
Department took corrective actions to reduce the material
weakness in environmental and other liabilities to a
significant deficiency.\21\ However, DHS needs to eliminate all
material weaknesses at the Department level before its
financial auditor can assert that the controls are effective.
For example, one of the material weaknesses involves
deficiencies in property, plant, and equipment. DHS plans to
achieve this outcome for fiscal year 2016. To meet another
outcome, DHS needs to sustain these efforts for 2 years.
---------------------------------------------------------------------------
\21\ Environmental liabilities consist of environmental
remediation, clean-up, and decommissioning. A significant deficiency is
a deficiency, or combination of deficiencies, in internal control
important enough to merit attention by those charged with governance. A
material weakness is a significant deficiency, or a combination of
significant deficiencies, in internal control such that there is a
reasonable possibility that a material misstatement of the entity's
financial statements will not be prevented, or detected and corrected,
on a timely basis.
---------------------------------------------------------------------------
DHS also needs to effectively manage the modernization of
financial management systems at the U.S. Coast Guard (USCG),
U.S. Immigration and Customs Enforcement (ICE), and the Federal
Emergency Management Agency (FEMA). Both USCG and ICE have made
some progress toward modernizing their systems and foresee
moving to a Federal shared service provider and completing
their efforts in the latter part of 2016 and 2017.\22\ Because
of critical stability issues with its legacy financial system
that were resolved in May 2013, FEMA postponed its
modernization efforts and has not restarted them.
---------------------------------------------------------------------------
\22\ A shared service provider is a third-party entity that manages
and distributes software-based services and solutions to customers
across a wide area network from a central data center.
---------------------------------------------------------------------------
IT Management.--DHS has fully addressed 1 of the 6 IT management
outcomes and partially addressed the remaining 5. In particular, the
Department has strengthened its enterprise architecture program (or
blueprint) to guide IT acquisitions by, among other things, largely
addressing our prior recommendations aimed at adding needed
architectural depth and breadth, thus fully addressing this outcome.
However, the Department needs to continue to demonstrate progress in
strengthening other core IT management areas. For example,
While the Department is taking the necessary steps to
enhance its IT security program, such as finalizing its annual
Information Security Performance Plan, further work will be
needed for DHS to eliminate the Department's current material
weakness in its information security. It will be important for
the Department to fully implement its plan, since DHS's
financial statement auditor reported in December 2013 that
flaws in the security controls such as access controls,
contingency planning, and segregation of duties were a material
weakness for financial reporting purposes.
While important steps have been taken to define IT
investment management processes generally consistent with best
practices, work is needed to demonstrate progress in
implementing these processes across DHS's 13 IT investment
portfolios.\23\ In July 2012, we recommended that DHS finalize
the policies and procedures associated with its new tiered IT
governance structure and continue to implement key processes
supporting this structure.\24\ DHS agreed with these
recommendations; however, as of April 2014, the Department had
not finalized the key IT governance directive, and the draft
structure has been implemented across only 5 of the 13
investment portfolios. \25\
---------------------------------------------------------------------------
\23\ The 13 portfolios are intelligence, domain awareness,
securing, screening, law enforcement, information sharing and
safeguarding, continuity-of-operations planning, benefits
administration, incident management, enterprise business services,
enterprise financial management, enterprise IT services, and enterprise
human capital.
\24\ GAO, Information Technology: DHS Needs to Further Define and
Implement Its New Governance Process,GAO-12-818 (Washington, DC: July
25, 2012).
\25\ The draft structure has been implemented across the following
five portfolios: Intelligence, screening, information sharing and
safeguarding, enterprise IT services, and enterprise human capital.
---------------------------------------------------------------------------
Fully addressing these actions would also help DHS to address key
IT operations efficiency initiatives, as well as to more
systematically identify other opportunities for savings. For
example, as part of the Office of Management and Budget's data
center consolidation initiative, we reported that DHS planned
to consolidate from 101 data centers to 37 data centers by
December 2015.\26\ Further, DHS officials told us that the
Department had achieved actual cost savings totaling about $140
million in fiscal years 2011 through 2013, and that it
estimates total consolidation cost savings of approximately
$650 million through fiscal year 2019.
---------------------------------------------------------------------------
\26\ GAO, Data Center Consolidation: Agencies Making Progress on
Efforts, but Inventories and Plans Need to Be Completed, GAO-12-742
(Washington, DC: July 19, 2012).
---------------------------------------------------------------------------
DHS has also made progress in establishing and implementing
sound IT system acquisition processes, but continued efforts
are needed to ensure that the Department's major IT acquisition
programs are applying these processes and obtaining more
predictable outcomes. In 2013, DHS's Office of the Chief
Information Officer led an assessment of its major IT programs
(against industry best practices in key IT system acquisition
process areas) to determine its capability strengths and
weaknesses, and has work under way to track programs' progress
in addressing identified capability gaps, such as requirements
management and risk analysis. While this gap analysis and
approach for tracking implementation of corrective actions are
important steps, DHS will need to show that these actions are
resulting in better, more predictable outcomes for its major IT
system acquisitions. Demonstrated progress in closing these
gaps is especially important in light of our recent reports on
major DHS IT programs experiencing significant challenges
largely because of system acquisition process shortfalls,
including DHS's major border security system modernization,
known as TECS-Mod.\27\
---------------------------------------------------------------------------
\27\ GAO, Border Security: DHS's Efforts to Modernize Key
Enforcement Systems Could be Strengthened, GAO-14-62 (Washington, DC:
Dec. 5, 2013).
---------------------------------------------------------------------------
Management integration.--DHS has made substantial progress
integrating its management functions, fully addressing 3 of the 4
outcomes we identified as key to the Department's management
integration efforts. For example, DHS issued a comprehensive plan to
guide its management integration efforts--the Integrated Strategy for
High-Risk Management--in January 2011, and has generally improved upon
this plan with each update. In addition, in April 2014, the Secretary
of Homeland Security issued a memorandum committing to improving DHS's
planning, programming, budgeting, and execution processes through
strengthened Departmental structures and increased capability.\28\ To
achieve the last and most significant outcome--implement actions and
outcomes in each management area to develop consistent or consolidated
processes and systems within and across its management functional
areas--DHS needs to continue to demonstrate sustainable progress
integrating its management functions within and across the Department
and its components and take additional actions to further and more
effectively integrate the Department.
---------------------------------------------------------------------------
\28\ DHS, Secretary of Homeland Security, Strengthening
Departmental Unity of Effort, Memorandum for DHS Leadership
(Washington, DC: April 22, 2014).
---------------------------------------------------------------------------
For example, recognizing the need to better integrate its lines of
business, in February 2013, the Secretary of Homeland Security signed a
policy directive establishing the principles of the Integrated
Investment Life-Cycle Management to guide planning, executing, and
managing critical investments Department-wide. DHS's June 2013
Integrated Strategy for High-Risk Management identified that Integrated
Investment Life-Cycle Management will require significant changes to
DHS planning, executing, and managing critical investments. At that
time, DHS was piloting elements of the framework to inform a portion of
the fiscal year 2015 budget. DHS's May 2014 strategy update states that
the Department plans to receive an independent analysis of the pilots
in May 2014. Given that these efforts are under way, it is too early to
assess their impact.
As we reported in March 2013, to more fully address the
Strengthening DHS Management Functions high-risk area, DHS needs to
continue implementing its Integrated Strategy for High-Risk Management
and show measurable, sustainable progress in implementing its key
management initiatives and corrective actions and achieving
outcomes.\29\ In doing so, it will be important for DHS to:
---------------------------------------------------------------------------
\29\ GAO, High-Risk Series, Government-wide 2013 Update and
Progress Made by the Department of Homeland Security, GAO-13-444T
(Washington, DC: March 21, 2013).
---------------------------------------------------------------------------
maintain its current level of top leadership support and
sustained commitment to ensure continued progress in executing
its corrective actions through completion;
continue to implement its plan for addressing this high-risk
area and periodically report its progress to Congress and GAO;
monitor the effectiveness of its efforts to establish
reliable resource estimates at the Department and component
levels, address and work to mitigate any resource gaps, and
prioritize initiatives as needed to ensure it has the capacity
to implement and sustain its corrective actions;
closely track and independently validate the effectiveness
and sustainability of its corrective actions and make midcourse
adjustments, as needed; and
make continued progress in addressing the 30 actions and
outcomes--for the majority of which significant work remains--
and demonstrate that systems, personnel, and policies are in
place to ensure that progress can be sustained over time.\30\
---------------------------------------------------------------------------
\30\ GAO-13-444T.
---------------------------------------------------------------------------
We will continue to monitor DHS's efforts in this high-risk area to
determine if the actions and outcomes are achieved and sustained.
National Flood Insurance Program
FEMA has made progress in all of the areas required for removal of
the NFIP from the high-risk list, but needs to initiate or complete
additional actions; also, recent legislation has created challenges for
FEMA in addressing the financial exposure created by the program. FEMA
leadership has displayed a commitment to addressing these challenges
and has made progress in a number of areas, such as financial reporting
and continuity planning. While FEMA has plans for addressing and
tracking progress on our specific recommendations, it has yet to
address many of them. For example, FEMA has not completed actions in
certain areas, such as modernizing its claims and policy management
system and overseeing compensation of insurers that sell NFIP policies.
Completing such actions will likely help improve the financial
stability and operations of the program. Table 2 summarizes DHS's
progress in addressing the NFIP high-risk area.
TABLE 2.--ASSESSMENT OF DEPARTMENT OF HOMELAND SECURITY PROGRESS IN
ADDRESSING THE NATIONAL FLOOD INSURANCE PROGRAM HIGH-RISK AREA, AS OF
MAY 2014
------------------------------------------------------------------------
Criterion for Removal From the Partially Met Not Met
High-Risk List Met \1\ \2\ \3\
------------------------------------------------------------------------
Leadership commitment........... ........... X ..........
Corrective action plan.......... ........... X ..........
Capacity........................ ........... X ..........
Framework to monitor progress... ........... X ..........
Demonstrated, sustained progress ........... X ..........
---------------------------------------
Total..................... 0 5 0
------------------------------------------------------------------------
Source: GAO analysis of Federal Emergency Management Agency documents,
interviews, and prior GAO reports.
\1\ ``Met'': There are no significant actions that need to be taken to
further address this criterion.
\2\ ``Partially met'': Some but not all actions necessary to generally
meet the criterion have been taken.
\3\ ``Not met'': Few, if any, actions toward meeting the criterion have
been taken.
Leadership commitment (partially met). FEMA officials responsible
for the NFIP have shown a commitment to taking a number of actions to
implement our recommendations, which are designed to improve both the
financial stability and operations of the program. For example, they
have indicated a commitment to implementing our recommendations and
have been proactive in clarifying and taking the actions needed to do
so. In addition, FEMA officials have met with us to discuss outstanding
recommendations, the actions they have taken to address them, and
additional actions they could take. Further, a DHS official said that
FEMA holds regular meetings to discuss the status of open
recommendations.
Recent legislative changes, however, have presented challenges for
FEMA in addressing the financial exposure created by the NFIP. For
example, in July 2012, the Biggert-Waters Flood Insurance Reform Act of
2012 (Biggert-Waters Act) was enacted, containing provisions to help
strengthen the future financial solvency and administrative efficiency
of NFIP, including phasing out almost all discounted insurance premiums
(commonly referred to as subsidized premiums).\31\ In July 2013, we
reported that FEMA was starting to implement some of the required
changes.\32\ However, on March 21, 2014, the Homeowner Flood Insurance
Affordability Act of 2014 (2014 Act) was enacted, reinstating certain
premium subsidies and restoring grandfathered rates removed by the
Biggert-Waters Act.\33\ The 2014 Act addresses affordability concerns
for certain property owners, but may also increase NFIP's long-term
financial burden on taxpayers.\34\
---------------------------------------------------------------------------
\31\ Pub. L. No. 112-141, Div. F, Title II, Subtit. A, 126 Stat.
405, 916 (July 6, 2012).
\32\ GAO, Flood Insurance: More Information Needed on Subsidized
Properties, GAO-13-607 (Washington, DC: July 3, 2013).
\33\ Pub. L. No. 113-89, 128 Stat. 1020 (Mar. 21, 2014).
\34\ GAO, Flood Insurance: Strategies for Increasing Private Sector
Involvement, GAO-14-127 (Washington, DC: Jan. 22, 2014).
---------------------------------------------------------------------------
Corrective action plan (partially met).--While FEMA developed
corrective action plans for implementing the recommendations in
individual GAO reports, it has not developed a comprehensive plan to
address the issues that have placed the NFIP on GAO's high-risk list.
While addressing our recommendations is part of such a plan, a
comprehensive plan also defines the root causes, identifies effective
solutions, and provides for substantially completing corrective
measures near term. According to a DHS official, the individual action
plans collectively represent their plan for addressing these issues, as
the recommendations cover steps needed to improve the program's
financial stability as well as its administration. The official added
that DHS has developed more comprehensive plans for other high-risk
areas, which have been helpful, and could consider doing so for the
NFIP, but such plans require a lot of work. Such a plan could help FEMA
ensure that all important issues, and all aspects of those issues, are
addressed. For example, while our recommendations regarding the NFIP's
financial stability have focused on the extent of subsidized rates and
the rate-setting process, financial stability could include other
important areas, such as debt management. As of December 2013, FEMA
owed the Treasury $24 billion--primarily to pay claims associated with
Superstorm Sandy (2012) and Hurricane Katrina (2005)--and had not made
a principal payment since 2010.
Capacity (partially met).--FEMA faces several challenges in
improving the program's financial stability and operations. First,
recent legislative changes permit certain premium subsidies and restore
grandfathered rates removed by the Biggert-Waters Act. These
provisions, along with others, may weaken the potential for improved
financial soundness of the NFIP program. Second, while FEMA is
establishing a reserve fund as required by the Biggert-Waters Act, it
is unlikely to initially meet the act's annual targets for building up
the reserve, partly because of statutory limitations on annual premium
increases. Third, while FEMA has begun taking some actions to improve
its administration of the NFIP, it is unclear how the resources
required to implement both the Biggert-Waters Act and the 2014 Act will
affect its ability to continue and complete these efforts. For example,
the Acts require FEMA to complete multiple studies and take a number of
actions within the next several years, which will require resources
FEMA would normally have committed to other efforts.
Monitoring Progress (partially met).--FEMA has a process in place
to monitor progress in taking actions to implement our recommendations
related to the NFIP. For example, the status of efforts to address the
recommendations is regularly discussed both within the Flood Insurance
and Mitigation Administration, which administers the NFIP, and at the
DHS level, according to a DHS official. However, it does not have a
specific process for independently validating the effectiveness or
sustainability of those actions. Instead, according to a DHS official,
once a recommendation related to the NFIP is implemented, the effects
of the actions taken to do so are not tracked separately, but are
evaluated as part of regular reviews of the effectiveness of the entire
program. Broader monitoring of the effectiveness and sustainability of
its actions would help ensure that appropriate corrective actions are
being taken.
Demonstrated, sustained progress (partially met).--FEMA has begun
to take actions to improve the program's financial stability, such as
initiating actions to improve the accuracy of full-risk rates.\35\
However, these efforts are not complete, and FEMA does not have some
information, such as the number and location of existing grandfathered
properties and information necessary to appropriately revise premium
rates for previously subsidized properties.\36\ Similarly, FEMA has
taken a number of actions to improve areas of the program's operations,
such as financial reporting and continuity planning.\37\ However, some
important actions, such as modernizing its policy and claims management
system and ensuring the reasonableness of compensation to insurance
companies that sell and service most NFIP policies, remain to be
completed.\38\ Sustained progress will be needed for FEMA to address
the financial and operational issues facing NFIP.
---------------------------------------------------------------------------
\35\ GAO, Flood Insurance: FEMA's Rate-Setting Process Warrants
Attention, GAO-09-12 (Washington, DC: Oct. 31, 2008).
\36\ GAO-13-607.
\37\ GAO, FEMA: Action Needed to Improve Administration of the
National Flood Insurance Program, GAO-11-297 (Washington, DC: June 9,
2011).
\38\ GAO, Flood Insurance: Opportunities Exist to Improve Oversight
of the WYO Program, GAO-09-455 (Washington, DC: Aug. 21, 2009) and GAO-
11-297.
---------------------------------------------------------------------------
government-wide high-risk areas in which dhs plays a critical role
Progress has been made in the Government-wide high-risk areas in
which DHS plays a critical role, but significant work remains.
Information Security and Cyber Critical Infrastructure Protection
As we reported in our February 2013 high-risk update, the White
House and Federal agencies, including DHS, have taken a variety of
actions that were intended to enhance Federal and critical
infrastructure cybersecurity. For example, the Government issued
numerous strategy-related documents over the past decade and
established agency performance goals and a mechanism to monitor
performance in three cross-agency priority areas of strong
authentication, Trusted Internet Connections, and continuous
monitoring.\39\
---------------------------------------------------------------------------
\39\ Strong authentication involves increasing the use of Federal
smartcard credentials such as Personal Identity Verification and Common
Access Cards that provide multi-factor authentication and digital
signature and encryption capabilities, authorizing users to access
Federal information systems with a higher level of assurance. Trusted
Internet Connections is an initiative to consolidate external
telecommunication connections and ensure a set of baseline security
capabilities for situational awareness and enhanced monitoring.
Continuous monitoring of Federal information systems includes
transforming the otherwise static security control assessment and
authorization process into a dynamic risk mitigation program that
provides essential, near-real-time security status and remediation,
increasing visibility into system operations and helping security
personnel make risk management decisions based on increased situational
awareness.
---------------------------------------------------------------------------
In addition, since the February 2013 high-risk update, the
administration has continued its cyber-related efforts. In February
2013, the President issued Presidential Policy Directive 21 on critical
infrastructure security and resilience \40\ and Executive Order 13636
on improving critical infrastructure cybersecurity.\41\ These documents
assign specific actions to particular individuals and agencies with
specific time frames for completion.
---------------------------------------------------------------------------
\40\ The White House, Presidential Policy Directive/PPD-21,
Critical Infrastructure Security and Resilience (Feb. 12, 2013).
\41\ Exec. Order No. 13,636, 78 Fed. Reg. 11,739 (Feb. 19, 2013).
---------------------------------------------------------------------------
However, more efforts are needed by Federal organizations,
including the White House, DHS, and other agencies, to address a number
of areas. To illustrate the scope and persistence of this challenge, in
fiscal year 2013, inspectors general at 21 of the 24 agencies cited
information security as a major management challenge for their
agencies,\42\ and 18 agencies reported that information security
control deficiencies were either a material weakness or a significant
deficiency in internal controls over financial reporting in fiscal year
2013.\43\
---------------------------------------------------------------------------
\42\ The 24 major departments and agencies are the Departments of
Agriculture, Commerce, Defense, Education, Energy, Health and Human
Services, Homeland Security, Housing and Urban Development, the
Interior, Justice, Labor, State, Transportation, the Treasury, and
Veterans Affairs; the Environmental Protection Agency, General Services
Administration, National Aeronautics and Space Administration, National
Science Foundation, Nuclear Regulatory Commission, Office of Personnel
Management, Small Business Administration, Social Security
Administration, and U.S. Agency for International Development.
\43\ A control deficiency exists when the design or operation of a
control does not allow management or employees, in the normal course of
performing their assigned functions, to prevent or detect and correct
misstatements on a timely basis.
---------------------------------------------------------------------------
DHS's Role in Federal Information Security and Cyber
Critical Infrastructure Protection
In addition to having responsibilities for securing its own
information systems and data, DHS plays a pivotal role in Government-
wide cybersecurity efforts. In particular, in July 2010, the Director
of the Office of Management and Budget (OMB) and the White House
Cybersecurity Coordinator issued a joint memorandum that transferred
several key OMB responsibilities under the Federal Information Security
Management Act of 2002 (FISMA) to DHS.\44\ Specifically, DHS is to
exercise primary responsibility within the Executive branch for
overseeing and assisting with the operational aspects of cybersecurity
for Federal systems that fall within the scope of FISMA.
---------------------------------------------------------------------------
\44\ See Pub. L. No. 107-347, Dec. 17, 2002; 44 U.S.C. 3541, et
seq.
---------------------------------------------------------------------------
We agree that DHS should play a role in the operational aspects of
Federal cybersecurity. We suggested in February 2013 that Congress
consider legislation that would clarify roles and responsibilities for
implementing and overseeing Federal information security programs and
for protecting the Nation's critical cyber assets.\45\
---------------------------------------------------------------------------
\45\ GAO, Cybersecurity: National Strategy, Roles, and
Responsibilities Need to Be Better Defined and More Effectively
Implemented, GAO-13-187 (Washington, DC: Feb. 14, 2013).
---------------------------------------------------------------------------
Regarding cyber critical infrastructure protection, a fundamental
component of DHS's efforts is its partnership approach, whereby it
engages in partnerships among Government and industry stakeholders.
Such an approach is essential because the majority of critical
infrastructure in the United States is owned and operated by the
private sector. In 2006, DHS issued the National Infrastructure
Protection Plan. The plan, subsequently updated several times, provides
the overarching approach for integrating the Nation's critical
infrastructure protection and resilience activities into a single
National effort.\46\ Congress is considering several bills that would
address cyber information sharing and the cybersecurity posture of the
Federal Government and the Nation. For example, H.R. 3696, the National
Cybersecurity and Critical Infrastructure Protection Act of 2014, would
address DHS's role and responsibilities in protecting Federal civilian
information systems and critical infrastructure from cyber threats.\47\
---------------------------------------------------------------------------
\46\ See, most recently, Department of Homeland Security, NIPP
2013: Partnering for Critical Infrastructure Security and Resilience.
\47\ H.R. 3696, 113th Cong. (2013).
---------------------------------------------------------------------------
Specific laws, Executive Orders, and directives have further guided
DHS's role in cyber critical infrastructure protection. For example,
Executive Order 13636 directs DHS to, among other things, establish a
voluntary program to support the adoption of a cybersecurity framework
by private-sector partners;\48\ coordinate the establishment of a set
of incentives designed to promote participation in the voluntary
program; and incorporate privacy and civil liberties protections into
every initiative called for by the Executive Order.
---------------------------------------------------------------------------
\48\ As required by Executive Order 13636, the National Institute
of Standards and Technology (NIST) issued the first version of the
cybersecurity framework in February 2014. See NIST, Framework for
Improving Critical Infrastructure Cybersecurity, Version 1.0 (Feb. 12,
2014).
---------------------------------------------------------------------------
Securing Federal Systems
In carrying out its role in overseeing and assisting Federal
agencies in implementing information security requirements, DHS has
begun performing several activities. These include:
conducting ``CyberStat'' reviews, which are intended to hold
agencies accountable and offer assistance in improving their
information security posture;
holding interviews with agency chief information officers
and chief information security officers on security status and
issues;
establishing a program to enable Federal agencies to expand
their continuous diagnostics and mitigation capabilities; and,
refining performance metrics that agencies use for FISMA
reporting purposes.
In February 2014, as part of our continued dialogue with DHS
regarding progress and what remains to be accomplished in this high-
risk area, we identified and communicated to DHS actions critical to
addressing its efforts to oversee and assist agencies in improving
information security practices.\49\ This included the following:
---------------------------------------------------------------------------
\49\ We provided DHS detail on the actions that need to be taken
and outcomes that need to be achieved to address the Federal
information security and cyber critical infrastructure protection high-
risk area. The information we provided DHS was based on our full body
of work in this area.
---------------------------------------------------------------------------
Expand CyberStat reviews to all major Federal agencies.--DHS
has conducted CyberStat sessions with several of the 24 major
Federal agencies. According to DHS officials, the current
approach focuses on providing CyberStat reviews for the lowest-
performing agencies. However, expanding the reviews to include
all 24 agencies could lead to an improved security posture.
Enhance FISMA reporting metrics.--In September 2013, we
reported that the metrics issued by DHS for gauging the
implementation of priority security goals and other important
controls did not address key security activities and did not
always include performance targets.\50\ We recommended that OMB
and DHS collaborate to develop improved metrics, and the
agencies stated that they plan to implement the recommendation
by September 2014.
---------------------------------------------------------------------------
\50\ GAO, Federal Information Security: Mixed Progress in
Implementing Program Components; Improved Metrics Needed to Measure
Effectiveness, GAO-13-776 (Washington, DC: Sept. 26, 2013).
---------------------------------------------------------------------------
Develop a strategic implementation plan.--DHS's Office of
Inspector General reported in June 2013 that the Department had
not developed a strategic implementation plan describing its
cybersecurity responsibilities and a clear plan of action for
fulfilling them. According to DHS officials, it has developed
this plan and is awaiting closure of the inspector general
recommendation. We will review the status of this plan as part
of our on-going review of this high-risk area.
Continue to develop continuous diagnostics and mitigation
capabilities and assist agencies in developing and acquiring
them.--This effort is intended to protect networks and enhance
an agency's ability to see and counteract day-to-day cyber
threats.
The successful implementation of these actions should result in
outcomes such as enhanced DHS oversight and assistance through
CyberStat, improved metrics and other outcomes, improved situational
awareness, and enhanced capabilities for assisting agencies in
responding to cyber incidents. In conjunction with needed actions by
Federal agencies, this could contribute to improved information
security Government-wide.
Protecting Cyber Critical Infrastructure
DHS, in conjunction with other Executive branch entities, has taken
steps to enhance the protection of cyber critical infrastructure. For
example, according to DHS, it has:
expanded the capacity of its National Cybersecurity and
Communications Integration Center to facilitate coordination
and information sharing among Federal and private-sector
stakeholders;
established the Information Sharing Working Group and a
mechanism for creating cyber threat reports that can be shared
with private-sector partners; and,
set up a voluntary program to encourage critical
infrastructure owners and operators to use the cybersecurity
framework developed by the National Institute of Standards and
Technology, as required by Executive Order 13636.
In February 2014, we identified and communicated to DHS actions
critical to addressing cyber critical infrastructure protection,
including the following:
expand the Enhanced Cybersecurity Services program, which is
intended to provide Classified cyber threat and technical
information to eligible critical infrastructure entities, to
all critical infrastructure sectors as required by Executive
Order 13636;
enhance coordination efforts with private-sector entities to
facilitate improvements to the cybersecurity of critical
infrastructure; and,
identify a set of incentives designed to promote
implementation of the NIST cybersecurity framework.
Completing these efforts could assist in achieving a flow of timely
and actionable cybersecurity threat and incident information among
Federal stakeholders and critical infrastructure entities, adoption of
the cybersecurity framework by infrastructure owners and operators, and
effective implementation of security controls over a significant
portion of critical cyber assets. As we reported in March 2014, more
needs to be done to accelerate the progress made in bolstering the
cybersecurity posture of the Nation and Federal Government. The
administration and Executive branch agencies need to implement the
hundreds of recommendations made by GAO and agency inspectors general
to address cyber challenges, resolve known deficiencies, and fully
implement effective information security programs. Until then, a broad
array of Federal assets and operations will remain at risk of fraud,
misuse, and disruption, and the Nation's most critical Federal and
private-sector infrastructure systems will remain at increased risk of
attack from our adversaries.\51\
---------------------------------------------------------------------------
\51\ GAO, Government Efficiency and Effectiveness: Views on the
Progress and Plans for Addressing Government-wide Management
Challenges, GAO-14-436T (Washington, DC: March 12, 2014).
---------------------------------------------------------------------------
Enhancing the Sharing of Terrorism-Related Information
DHS has made significant progress in enhancing the sharing of
information on terrorist threats and in supporting Government-wide
efforts to improve such sharing.\52\ Our work on assessing the high-
risk area on sharing terrorism-related information has primarily
focused on Federal efforts to implement the Information Sharing
Environment, as called for in the Intelligence Reform and Terrorism
Prevention Act of 2004.\53\ The Information Sharing Environment is a
Government-wide effort to improve the sharing of terrorism-related
information across Federal agencies and with State, local, territorial,
Tribal, private-sector, and foreign partners. When assessing progress,
we review the activities of both the program manager for the
Information Sharing Environment--a position established under the 2004
Act with responsibility for information sharing across the Government--
as well as efforts of DHS and other key entities, including the
Departments of Justice, State, and Defense, and the Office of the
Director of National Intelligence.\54\ Accordingly, DHS itself is not
on the high-risk list nor can DHS's efforts fully resolve the high-risk
issue. Nevertheless, DHS plays a critical role in Government-wide
sharing given its homeland security missions and responsibilities.
---------------------------------------------------------------------------
\52\ Terrorism-related information includes homeland security,
terrorism, and weapons of mass destruction information. See 6 U.S.C. ��
482(f)(1), 485(a)(1), (5)-(6).
\53\ See Pub. L. No. 108-458, � 1016, 118 Stat. 3638, 3664-70
(2004) (codified as amended at 6 U.S.C. � 485).
\54\ The Office of the Director of National Intelligence was
established in 2004 to manage the efforts of the intelligence
community. See 50 U.S.C. � 3023. Its mission is to lead intelligence
integration and forge an intelligence community that delivers the most
insightful intelligence possible.
---------------------------------------------------------------------------
Overall, the Federal Government has made progress in addressing the
terrorism-related information-sharing high-risk area. As we reported in
our February 2013 update, the Federal Government is committed to
establishing effective mechanisms for managing and sharing terrorism-
related information, and has developed a National strategy,
implementation plans, and methods to assess progress and results. While
progress has been made, the Government needs to take additional action
to mitigate the potential risks from gaps in sharing information, such
as ensuring that it is leveraging individual agency initiatives to
benefit all partners and continuing work to develop metrics that
measure the homeland security results achieved from improved sharing.
We are currently conducting work with the program manager and key
entities to determine their progress in meeting the criteria since the
2013 high-risk report.
DHS's Role in the Sharing of Terrorism-Related Information
Separately, in response to requests from this committee and other
Congressional committees, we have assessed or are currently assessing
DHS's specific efforts to enhance the sharing of terrorism-related
information. As discussed below, this work includes DHS efforts to: (1)
Support State and major urban area fusion centers,\55\ (2) coordinate
with other Federal agencies that support task forces and other centers
in the field that share information on threats as part of their
activities, (3) achieve its own information-sharing mission, and (4)
share information related to the Department's intelligence analysis
efforts.
---------------------------------------------------------------------------
\55\ In general, fusion centers are collaborative efforts of two or
more agencies that provide resources, expertise, and information to the
center with the goal of maximizing their ability to detect, prevent,
investigate, and respond to criminal and terrorist activity. See 6
U.S.C.
� 124h(j)(1). There are 78 fusion centers in the United States.
---------------------------------------------------------------------------
Fusion centers.--A major focus of the high-risk area and
Information Sharing Environment has been to improve the sharing of
terrorism-related information among the Federal Government and State
and local security partners, which is done in part through State and
major urban area fusion centers. DHS is the Federal lead for supporting
these centers and has made significant strides. For example, DHS has
deployed personnel to centers to serve as liaisons to the Department
and help centers develop capabilities (such as the ability to analyze
and disseminate information), provided grant funding to support center
activities, provided access to networks disseminating Classified and
Unclassified information, and helped centers identify and share reports
on terrorism-related suspicious activities. DHS has been very
responsive to a recommendation in our 2010 report that calls for
establishing metrics to determine what return the Federal Government is
getting for its investments in centers.\56\ We have an on-going review
of DHS's efforts to assess center capabilities, manage Federal grant
funding, and determine the contributions centers make to enhance
homeland security, and expect to issue a report later this year.
---------------------------------------------------------------------------
\56\ GAO, Information Sharing: Federal Agencies Are Helping Fusion
Centers Build and Sustain Capabilities and Protect Privacy, but Could
Better Measure Results, GAO-10-972 (Washington, DC: Sept. 29, 2010).
---------------------------------------------------------------------------
Field-based entities that share information.--DHS is also taking
steps to measure the extent to which fusion centers are coordinating
and sharing information with other field-based task forces and
centers--such as Federal Bureau of Investigation Joint Terrorism Task
Forces--and assess opportunities to improve coordination.\57\ In April
2013, we reported that fusion centers and other field-based entities
had overlapping activities, but the agencies that support them had not
held the entities accountable for coordinating and collaborating or
assessed opportunities to enhance coordination, and recommended that
the agencies develop mechanisms to do so.\58\ In response, DHS began
tracking collaboration mechanisms, such as which fusion centers have
representatives from the other entities on their executive boards, are
colocated with other entities, and issue products jointly developed
with other entities.
---------------------------------------------------------------------------
\57\ The five types of entities we reviewed are State and major
urban area fusion centers, Joint Terrorism Task Forces, Field
Intelligence Groups, Regional Information Sharing Systems Centers, and
High-Intensity Drug Trafficking Area Investigative Support Centers.
DHS, the Department of Justice, and the Office of National Drug Control
Policy oversee or otherwise support these entities.
\58\ GAO, Information Sharing: Agencies Could Better Coordinate to
Reduce Overlap in Field-Based Activities, GAO-13-471 (Washington, DC:
Apr. 12, 2013).
---------------------------------------------------------------------------
DHS's efforts can help avoid unnecessary overlap in activities,
which in turn can help entities leverage scarce resources. To fully
address our recommendation, however, the other Federal agencies must
take steps to better hold their respective field entities accountable
for such collaboration. In addition, these agencies must work with DHS
to collectively assess Nation-wide any opportunities for field entities
to further implement collaboration mechanisms.
DHS information-sharing mission.--In September 2012, we reported
that DHS had made progress in achieving its own information-sharing
mission, but could take additional steps to improve its efforts.\59\
Specifically, DHS had demonstrated leadership commitment by
establishing a governance board to serve as the decision-making body
for DHS information-sharing issues. The board has enhanced
collaboration among DHS components and identified a list of key
information-sharing initiatives to pursue, among other things. We
found, however, that 5 of DHS's top 8 priority initiatives faced
funding shortfalls. We also reported that DHS had taken steps to track
its information-sharing efforts, but had not fully assessed how such
efforts had improved sharing. We recommended that DHS: (1) Revise its
policies and guidance to include processes for identifying information-
sharing gaps; analyzing root causes of those gaps, and identifying,
assessing, and mitigating risks of removing incomplete initiatives from
its list, and (2) better track and assess the progress of key
initiatives and the Department's overall progress in achieving its
information-sharing vision. DHS has since taken actions--such as
issuing revised guidance and developing new performance measures--to
address all of these recommendations.
---------------------------------------------------------------------------
\59\ GAO, Information Sharing: DHS Has Demonstrated Leadership and
Progress, but Additional Actions Could Help Sustain and Strengthen
Efforts, GAO-12-809 (Washington, DC: Sept. 18, 2012).
---------------------------------------------------------------------------
Sharing intelligence analysis. We are finalizing a report on DHS's
intelligence analysis capabilities, which are a key part of the
Department's efforts in securing the Nation. Within DHS, the Office of
Intelligence and Analysis has a lead role for intelligence analysis,
but other operational components--such as CBP and ICE--also perform
their own analysis activities and are part of the DHS Intelligence
Enterprise. Our report, expected to be issued later this month, will
address: (1) The extent to which the intelligence analysis activities
of the enterprise are integrated to support Departmental strategic
intelligence priorities, and are unnecessarily overlapping or
duplicative; (2) the extent to which Office of Intelligence and
Analysis customers report that they find products and other analytic
services to be useful, and what steps, if any, the office has taken to
address any concerns customers report; and (3) challenges the Office of
Intelligence and Analysis has faced in maintaining a skilled analytic
workforce and steps it has taken to address these challenges. We are
planning to make recommendations to help DHS enhance its intelligence
analysis capabilities and related sharing of this information.\60\
---------------------------------------------------------------------------
\60\ The Office of Intelligence and Analysis' five customer groups
are: (1) DHS leadership; (2) DHS operational components; (3)
intelligence community members; (4) State, local, Tribal, and
territorial partners; and (5) private critical infrastructure sectors.
---------------------------------------------------------------------------
Overall, DHS's continued progress in enhancing the sharing of
terrorism-related information and responding to our findings and
recommendations will be critical to supporting Government-wide sharing
and related efforts to secure the homeland.
Chairman McCaul, Ranking Member Thompson, and Members of the
committee, this completes my prepared statement. I would be happy to
respond to any questions you may have at this time.
Chairman McCaul. Well, thank you, sir. We thank you for
your comments as well.
Chairman now recognizes Mr. Roth.
STATEMENT OF JOHN ROTH, INSPECTOR GENERAL, U.S. DEPARTMENT OF
HOMELAND SECURITY
Mr. Roth. Good morning, Chairman McCaul, Ranking Member
Thompson, and Members of the committee. Thank you for inviting
me here today to discuss some of the high-risk areas that DHS
faces.
My testimony here today will focus on acquisition
management. In particular, as our work has shown, DHS is not as
effective and efficient as it could be in this area. We find
that it stems from three main areas.
First, DHS's unique mission requires complicated
acquisitions. Whether it is acquiring a fleet of helicopters,
building a border fence over hundreds of miles of varied
terrain, integrating and managing systems from diverse legacy
agencies, or purchasing technologically-complex airport
screening machines are, under the best of circumstances, high-
risk acquisitions.
Second, DHS, as has been noted this morning, is working
towards a transparent acquisition governance process, which if
it is fully followed would lead to better and smarter
acquisitions. Unfortunately, the DHS components engaged in the
acquisitions often do not follow the DHS procurement policies,
and DHS lacks a means to enforce compliance.
Third, components acquisition decisions often work against
the Department's stated goal of One DHS. DHS components, in a
word, operate in a vacuum. They fail to take into account other
components' needs or they fail to leverage other assets or
other acquisitions that are already underway.
We have done a number of audits that give examples of this.
Those are in my written testimony. But I would like just to
talk about one single audit that we did with regard to using
acquisitions to have One DHS.
DHS's stated goal is to ensure interoperability of
communications. We want to make sure that the first responders
and other law enforcement agencies--agents, particularly within
DHS, can talk to each other through a common channel in the
event of a terrorist event or a crisis of some sort.
DHS has about 123,000 radio field users within eight
different components, and DHS has invested about $430 million
in equipment, infrastructure, and other resources to ensure
interoperability.
We conducted an audit in late 2012 and asked 479 DHS field
radio users to access and use the specified channel to
communicate. Out of those 479 people we asked to do so, only a
single user could use the common channel.
In other words, DHS had a failure rate of 99.8 percent.
Seventy-two percent of the users didn't even realize that there
was--didn't even know the existence of a common channel. The
remainder just couldn't find it. Of the radios we examined only
20 percent of them were properly set up to use the common
channel.
This test happened 11 years after 9/11. Without an
effective governing structure DHS cannot achieve its goal of a
Department-wide radio interoperability. As we sit here today
the Department's plans to do so are still a work in progress.
In closing I would like to note that DHS has taken steps to
implement our recommendations and to progress towards a unity
of effort. However, the Department is persistently challenged
in acting in an integrated single entity.
This concludes my prepared statement. I am happy to take
questions from the committee. Thank you.
[The prepared statement of Mr. Roth follows:]
Prepared Statement of John Roth
May 7, 2014
Good morning Chairman McCaul, Ranking Member Thompson, and Members
of the committee. Thank you for inviting me here today to discuss high-
risk areas at DHS identified by GAO.
In its report, High-risk Series: An Update (GAO-13-283, February
2013), GAO identified high-risk areas in the Federal Government,
including areas of particular concern at DHS. My testimony today will
focus on some high-risk areas that we also identified in our December
2013 report, Major Management and Performance Challenges Facing the
Department of Homeland Security (OIG-14-17), particularly in managing
acquisitions.
Our work has shown that DHS' management of its acquisitions is not
as effective and efficient as it could be. This problem stems from
three main issues:
First, DHS' unique mission requires multi-faceted and
sophisticated acquisitions. Whether acquiring a fleet of
helicopters, building a border fence over hundreds of miles of
varied terrain, or integrating and managing systems from
diverse legacy agencies, DHS' requirements increase the
complexity and risk of its acquisitions.
Second, DHS is working toward a transparent, authoritative
governing process--the Acquisition Life-cycle Framework (ALF)--
which, if fully implemented, would lead to better oversight and
guidance of acquisitions. Unfortunately, DHS components often
do not follow this governing process (or any other) in carrying
out their acquisitions, and DHS has had difficulty enforcing
compliance.
Third, the components' acquisition decisions often work
counter to the Department's stated goal of ``One DHS.'' In
planning and managing acquisitions, components often operate in
a vacuum; they fail to take into account the needs of other
components or they fail to leverage other assets or
acquisitions already underway.
We have made recommendations to improve the efficiency and
effectiveness of DHS' programs and operations, and DHS has taken some
steps to implement our recommendations. However, the Department
continues to struggle with acting as an integrated, single entity to
accomplish its mission.
nature of the risk
Acquisition management at DHS is inherently complex and high-risk.
It is further challenged by the magnitude and diversity of the
Department's procurements. In fiscal year 2013, DHS' Major Acquisition
Oversight List included 123 programs; 88 (72 percent) of the programs
were Level 1 or Level 2. Level 1 and Level 2 programs have life-cycle
costs of $300 million or more or have special Departmental interest.
Some examples of Level 1 and Level 2 acquisitions include:
The United States Coast Guard's HC-144A Maritime Patrol
Aircraft, a twin engine turboprop airplane designed for
superior situational awareness, a reduced workload, and
increased crew safety. Life-cycle cost estimate--$24.9 billion;
U.S. Customs and Border Protection's (CBP) Automated
Commercial Environment, a system to enable CBP to interact,
manage, and oversee import and export data, and manage
custodial revenue and enforcement systems. Life-cycle cost
estimate--$4.5 billion;
TSA's Screening Partnership Program, procures screening
services from private companies at TSA airports. Life-cycle
cost estimate--$2.4 billion;
CBP's Mission Support Facilities to develop, plan, execute,
and sustain facilities and infrastructure inventory to support
CBP's Mission Support Offices Nation-wide. Facilities include
administrative offices, training centers, laboratories, and
warehouses. Life-cycle cost estimate--$2 billion;
CBP's Integrated Fixed Towers, a system for automated,
persistent wide area surveillance to detect, track, identify,
and classify illegal entries. Life-cycle cost estimate--$842
million.
combating the risk: acquisition management framework
Effective acquisition management requires careful planning and
oversight of processes, solid internal controls, and compliance with
laws and regulations. Acquisitions must be planned and managed through
their entire life cycle to ensure that they are procured, deployed, and
used efficiently and effectively.
DHS has developed a comprehensive acquisition framework of
policies, procedures, and entities to streamline its acquisition
practices and ensure that procured goods and services meet mission
needs cost-efficiently. This system should lead to informed investment
decisions on goods and services that fulfill DHS' mission.
Acquisition Phases
DHS has adopted the Acquisition Life-Cycle Framework (ALF),
composed of the following four phases, to determine whether to proceed
with an acquisition:
1. Need--identify the need that the acquisition will address;
2. Analyze/Select--analyze the alternatives to satisfy the need and
select the best option;
3. Obtain--develop, test, and evaluate the selected option and
determine whether to approve production; and
4. Produce/Deploy/Support--produce and deploy the selected option
and support it throughout the operational life cycle.
Each phase of the ALF leads to an ``Acquisition Decision Event''
(ADE), a predetermined point at which the acquisition is reviewed
before it can move to the next phase. The reviews are intended to
ensure alignment of needs with DHS' strategic direction and adequate
planning for upcoming phases.
The figure below shows the four phases of the ALF and each ADE.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
ADE-0 Identify the need
ADE-1 Validate the need
ADE-2A Approve the program
ADE-2B Approve projects within the program
ADE-2C Approve low rate initial production
ADE-3 Approve full rate production and deployment
ADE 4* Project transition--a milestone unique to the Coast Guard,
authorizes the project to move to sustainment
The ALF is a rigorous, disciplined process designed to result in
cost-efficient acquisitions that can meet the Department's needs and
help accomplish its mission.
Acquisition Entities, Policies, and Procedures
DHS' Office of Program Accountability and Risk Management (PARM)
administers the ALF and oversees all major DHS acquisitions. PARM
reports directly to the under secretary for management and manages and
implements the Department's Acquisition Management Directive. PARM is
also responsible for independently assessing major investment programs
and monitoring programs between formal reviews to identify issues.
DHS has established the following mechanisms to govern
acquisitions:
The Acquisition Review Board (ARB).--A cross-component board
composed of senior-level decisionmakers. The ARB determines
whether a proposed acquisition meets requirements and can
proceed to the next phase and eventual production and
deployment. Before every ADE, components must submit
acquisition documents to the ARB for review, including a
mission needs statement, capability development plan, and an
acquisition plan.
Quarterly Program Accountability Report.--Provides a
comprehensive, high-level analysis of a program's vital signs
provided to DHS leadership, component acquisition executives,
and program managers.
A Joint Requirements Council.--Reviews high-dollar
acquisitions and recommends savings opportunities to the ARB.
Centers of Excellence.--Two have been set up under PARM:
Program Management Center of Excellence and Cost Estimating &
Analysis Center of Excellence. Leadership staff and subject-
matter experts at the centers provide proven practices,
guidance, and counsel on program management and cost estimating
and analysis.
The Decision Support Tool.--A web-based central dashboard to
assess and track the health of major acquisition projects,
programs, and portfolios. The Department's goal is to improve
program accountability and make sound strategic decisions
throughout the life-cycle of major acquisitions.
Comprehensive Acquisition Status Report.--Provides
information on the status of major acquisitions. Reports
include information such as the current acquisition phase, the
date of last review, life-cycle cost estimate, and key events
and milestones.
failing to follow the framework results in problematic acquisitions
However, as our work has shown, this process is not always
followed. Several of our audits have highlighted DHS' challenge in
establishing an overarching structure that fully integrates the
components into overall governance, unified decision making, and
collective analysis.
CBP's Acquisition of H-60 Helicopters
In May 2013, we issued DHS' H-60 Helicopter Programs (Revised)
(OIG-13-89), which illustrates the risks of deviating from the ALF.
Although the Department had some processes and procedures to govern its
aviation assets and provide oversight, the acquisition was not fully
coordinated and acquisition costs, schedules, and performance were not
controlled.
CBP did not take into account guidance from the DHS Office of the
Chief Procurement Officer (OCPO) in its H-60 acquisition planning. In
2007, CBP's Office of Air and Marine submitted its Congressionally-
mandated acquisition plan, which outlined how its aviation assets and
acquisitions would support its mission. CBP leadership approved the
plan to acquire 38 new and converted medium-lift helicopters and
submitted it to the DHS OCPO.
On March 3, 2008, OCPO expressed its concerns about the program in
a memo to CBP. According to OCPO, CBP needed to address substantive
issues in the acquisition plan. CBP should have had two separate H-60
plans, and both should move independently through the acquisition
review process, including ARB review. OCPO was also concerned that
CBP--
Had not clearly defined the acquisition's period of
performance;
Did not have a complete life-cycle cost estimate;
Had not completed a cost-benefit analysis to compare
upgrading its existing fleet to purchasing new helicopters; and
Had not used various contracting best practices.
Just 3 days after receiving the memo from OCPO, CBP nevertheless
continued with the H-60 acquisition by signing an agreement with the
U.S. Army.
In March 2010, the ARB concluded that both CBP and the Coast Guard
were pursuing H-60 conversions and directed the Coast Guard to
collaborate with CBP, report on possible helicopter program synergies,
and present a joint review within 75 days. The Coast Guard was not able
to complete the review because CBP did not provide the needed
information.
Subsequent attempts to push the acquisition into the ALF failed.
We recommended that DHS direct CBP to apply all ALF requirements to
all its aviation-related acquisitions. DHS concurred with this
recommendation, and CBP was directed to submit its plans to acquire
aviation assets to PARM. According to DHS, the ARB would review and
decide on CBP's aviation programs and projects as they progressed
through the ALF.
Information Technology Investments
In August 2012, we issued CBP Acquisition of Aviation Management
Tracking System (Revised) (OIG-12-104). We reported that although CBP
had a joint strategy to unify its aviation logistics and maintenance
system with those of the Coast Guard, it planned to purchase a new,
separate system. This system would not be coordinated with the Coast
Guard's already operational system. We concluded that the acquisition
did not comply with the Secretary's efforts to improve coordination and
efficiencies among DHS components. Acquiring the new system would also
be a continuation of components' past practices of obtaining disparate
systems that cannot share information. If CBP instead transitioned to
the Coast Guard's system, it would improve tracking of aviation
management and cost less than purchasing a new system.
DHS Governance of Aviation Assets
DHS historically has had little formal structure to govern the
Department's aviation assets and no specific senior official to provide
expert independent guidance on aviation issues to DHS senior
management. The Department has intermittently issued policies and
established various entities to oversee its aviation assets and
operations, but it has not sustained these efforts. For example, DHS
set up an Aviation Management Council in 2005, but oversight was
inconsistent, and the council stopped meeting in 2007. In 2009,
Department-level oversight of DHS' aviation assets resumed. An Aviation
Issue Team led by the Office of Program Analysis and Evaluation
reviewed potentially co-locating component aviation facilities, finding
commonality in component aviation assets, and combining component
aviation-related information technology systems.
In 2011, the deputy secretary established an Aviation Working
Group, but the group did not have a charter, defined roles and
responsibilities, or an independent aviation expert. It collected data
on CBP and USCG missions, aircraft inventories, flight hours, and
aviation resources; reviewed components' funding plans and
opportunities for joint acquisitions; and considered an organizational
structure for a Department-wide aviation office. However, according to
senior officials, without an authoritative expert, DHS was relying on
unverified information from components to make aviation-related
decisions.
In addition to challenges in establishing a structure to govern
aviation assets, DHS has had difficulty bringing aviation-related
acquisitions into the ALF. For example, CBP's Strategic Air and Marine
Plan (STAMP) has an estimated life-cycle cost of about $1.5 billion.
STAMP encompasses all of CBP's aviation-related acquisitions used to
detect, interdict, and prevent acts of terrorism near and across or
across U.S. borders. CBP does not believe that STAMP should be subject
to the ALF because the program existed before DHS established the
framework. We contend (and have recommended) that individual programs
and projects under STAMP should go through the ALF separately.
Unmanned Aircraft
In CBP's Use of Unmanned Aircraft Systems in the Nation's Border
Security (OIG-12-85, May 2012), we reported that CBP had not adequately
planned the resources needed to support its unmanned aircraft. CBP's
plans to use the unmanned aircraft did not include processes to ensure
that: (1) Each launch and recovery site had the required operational
equipment; (2) stakeholders submitted mission requests; (3) mission
requests were prioritized; and (4) it obtained reimbursement for
missions flown on stakeholders' behalf. Because these were not
included, CBP risked having invested substantial resources in a program
that underutilized resources and limited its ability to achieve its
mission goals. Specifically, our audit showed that CBP had not achieved
its scheduled or desired levels of flight hours for the unmanned
aircraft. We estimated that 7 unmanned aircraft should support 10,662
flight hours per year to meet the minimum capability and 13,328 flight
hours to meet desired capability. However, staffing and equipment
shortages, coupled with FAA and other restrictions, limited actual
flight hours to 3,909--37 percent of the unmanned aircraft's mission
availability threshold and 29 percent of its mission availability
objective.
CBP's Advanced Training Center Acquisition
In February 2014, we issued U.S. Customs and Border Protection's
Advanced Training Center Acquisition (OIG-14-47). We reported that CBP
did not effectively oversee and manage the fourth phase of the
acquisition of its Advanced Training Center. Although not subject to
the ALF, CBP did not comply with Federal and Departmental regulations
governing acquisitions. CBP did not develop and execute the $55.7
million agreement with its service provider, the U.S. Army Corps of
Engineers, according to Federal, Departmental, and component
requirements. In particular, CBP did not develop, review, or approve a
required independent Government cost estimate and acquisition plan
prior to entering into the agreement. Key documentation supporting the
agreement with the Corps of Engineers was either missing or incomplete.
CBP also approved millions of dollars worth of contract modifications
to the agreement without first ensuring the need and reasonableness of
the modifications. In addition, CBP improperly used reimbursable work
authorizations to transfer money for this project, as well as other
construction projects. During our audit, CBP began taking action to
ensure future compliance with all statutory requirements; CBP concurred
with all our recommendations.
TSA's Advanced Imaging Technology
We issued Transportation Security Administration's Deployment and
Use of Advanced Imaging Technology (Revised) (OIG-13-120) in March
2014. We reported that the Transportation Security Administration (TSA)
did not develop a comprehensive deployment strategy for using advanced
imaging technology (AIT) units--procured at a cost of nearly $150
million--at airports. Because TSA did not have reliable data to
determine whether the units were effectively deployed, TSA decision
makers could not implement efficiency improvements.
This occurred because TSA did not have a policy or process
requiring program offices to prepare strategic acquisition or
deployment plans for new technology that aligned with the overall goals
of the Passenger Screening Program.
The AIT units did not undergo a stand-alone acquisition review, but
were instead reviewed as part of the Passenger Screening Program.
Because the AIT units met the Level 1 acquisition threshold, they
should have gone through all the steps required for that level. TSA
should also have developed a deployment strategy for the AIT units, but
it only developed a deployment schedule.
Without documented, approved, and comprehensive plans, as well as
accurate data on the use of AIT, TSA continued to screen the majority
of passengers with walkthrough metal detectors. This potentially
reduced AIT's security benefits, and TSA may have used resources
inefficiently to purchase and deploy AIT units that were underused.
failing to use acquisitions to forge ``one dhs''
In addition to failing to manage high-risk acquisitions through a
governing process, DHS acquisitions often miss opportunities to ensure
DHS acts in a concerted and efficient manner. DHS has struggled to
become fully integrated. With 22 components and a range of missions,
cooperation, and coordination continue to be a challenge. The
Department's structure sometimes leads to ``stovepiping''--components
operating independently and management often not cooperating and
sharing information to benefit ``One DHS.'' In an April 2014 memorandum
for DHS leadership, the Secretary reiterated the need to strengthen the
Department's ``unity of effort.''
During our recent audits, we identified several programs in which
there was little or no cross-component coordination and communication
and weak Department-level authority. These led to cost inefficiencies
and ineffective program management. Therefore, we made recommendations
to enhance collaboration to improve both efficiency and effectiveness
and prevent waste and abuse.
DHS Radio Equipment Program
DHS manages about 197,000 pieces of radio equipment and 3,500
infrastructure sites, with a reported value of more than $1 billion. We
issued a pair of reports that highlighted the problematic nature of
some of the acquisition processes for communications equipment.
In one of our audits, DHS' Oversight of Interoperable
Communications (OIG-13-06, November 2012), we tested DHS radios to
determine whether DHS components could talk to each other in the event
of a terrorist event or other emergency. They could not. Only 1 of 479
radio users we tested--or less than one-quarter of 1 percent--could
access and use the specified common channel to communicate. Further, of
the 382 radios tested, only 20 percent (78) contained all the correct
program settings for the common channel. In other words, DHS components
could not talk to each other using $430 million worth of radios
purchased nearly a decade after the 9/11 Commission highlighted the
problem. They could not do so because DHS did not establish an
effective governing structure with the authority and responsibility to
ensure it achieved Department-wide, interoperable radio communications.
We also reported that without an effective governing structure and a
concerted effort to attain interoperability, the Department's progress
would remain limited.
DHS' plans to achieve interoperability are still in progress. The
Department has drafted, but not finalized, a DHS Communications
Interoperability Plan; it has extended the date of signature from April
to September of this year.
In August 2013, we issued DHS Needs to Manage Its Radio
Communication Program Better (OIG-13-113). We reported that without
sound investment decisions on radio equipment and supporting
infrastructure, DHS could not effectively manage its radio
communication program. DHS had not implemented a governance structure
with authority to establish policy, budget and allocate resources, and
hold components accountable for managing radio programs and related
inventory. Components were still independently managing their current
radio programs with no formal coordination with the Department. They
used different systems to record and manage personal property inventory
data, including radio equipment. The components' inventory data also
indicated they did not record radio equipment consistently in personal
property systems. As a result, DHS was making management and investment
decisions for the radio communication program using inconsistent,
incomplete, and inaccurate real and personal property data.
We concluded that a Department-wide inventory would help DHS
prioritize its needs, plan its investments, and help plan future
acquisitions and manage communication networks. DHS also needs a strong
governance structure over its radio communication program. Thus, we
recommended that the Department develop a single portfolio for radio
equipment and infrastructure and establish a Department-level point of
accountability. In response to our recommendations, DHS said that
because of budget constraints, it would include a time line and
resources for portfolio management in its fiscal year 2016 Resource
Allocation Plan. The Department was collecting data to develop a single
profile of assets, infrastructure, and services; reviewing existing
policies and procedures; and planning to revise its personal property
manual by June 30, 2014.
Cross-Border Tunnel Program
In our audit of CBP's and U.S. Immigration and Customs
Enforcement's (ICE) efforts to monitor and detect illegal cross-border
tunnels (CBP's Strategy to Address Illicit Cross-Border Tunnels, OIG-
12-132, September 2012), we reported that although CBP is creating a
program to address capability gaps in countering the cross-border
tunnel threat, it had not demonstrated how its detection strategy would
consider ICE's needs.
CBP and ICE need coordination and oversight in developing these
technologies because the Border Patrol's mission objective is to
prevent illegal traffic from crossing the border while ICE's objective
is to investigate and dismantle criminal organizations.
Without taking into account both components' needs, the Department
risks not being able to disrupt criminal organizations that engage in
cross-border smuggling. We made recommendations to improve
consideration of CBP's and ICE's needs and to improve DHS' coordination
and oversight of counter-tunnel efforts.
CBP took action on our recommendations, including formation of an
Integrated Product Team, which includes relevant stakeholders. It also
planned to draft required acquisition planning documents and submit the
program to the ARB.
Aviation
Our audit of CBP's H-60 helicopter program showed that CBP did not
properly oversee and manage the conversion and modification of its H-60
helicopters, which affected the cost-effectiveness and timely delivery
of the converted and modified
H-60s. We noted that increased cooperation between CBP and the Coast
Guard in managing the conversion and modification of its H-60
helicopters would reduce redundancies and potentially save millions of
dollars. Specifically, if CBP were to complete the conversions and
modifications at a Coast Guard facility, it would save about $126
million and H-60s would fly 7 years sooner. The Department's own
independent study confirmed that CBP would realize substantial savings
by using the Coast Guard facility. Specifically, DHS estimated CBP
could save at least $36 million and as much as $132 million in the cost
of conversion alone. According to DHS, it could not be more precise
because CBP did not provide sufficient data.
Mr. Chairman, this concludes my prepared statement. I welcome any
questions you or other Members of the committee may have.
Appendix
Major Management and Performance Challenges Facing the Department of
Homeland Security, OIG-14-17, December 2013
Independent Auditors' Report on DHS' FY 2013 Financial Statements and
Internal Control over Financial Reporting, OIG-14-18, December 2013
DHS' H-60 Helicopter Programs (Revised), OIG-13-89, May 2013
U.S. Customs and Border Protection's Management of the Purchase and
Storage of Steel in Support of the Secure Border Initiative, OIG-12-05,
November 2011
Transportation Security Administration's Deployment and Use of Advanced
Imaging Technology, OIG-13-120, March 2014
DHS Needs to Manage Its Radio Communication Program Better, OIG-13-113,
August 2013
United States Customs and Border Protection's Radiation Portal Monitors
at Seaports, OIG-13-26, January 2013
DHS' Oversight of Interoperable Communications, OIG-13-06, November
2012
CBP's Strategy to Address Illicit Cross-Border Tunnels, OIG-12-132,
September 2012
CBP's Use of Unmanned Aircraft Systems in the Nation's Border Security,
OIG-12-85, May 2012
Unclassified Summary of Information Handling and Sharing Prior to the
April 15, 2013 Boston Marathon Bombings, April 10, 2014
DHS Uses Social Media to Enhance Information Sharing and Mission
Operations, But Additional Oversight and Guidance Is Needed, OIG-13-
115, September 2013
DHS Can Make Improvements to Secure Industrial Control Systems, OIG-13-
39, February 2013
CBP's and USCG's Controls Over Exports Related to Foreign Military
Sales, OIG-13-118, September 2013
U.S. Customs and Border Protection Has Taken Steps to Address Insider
Threat but Challenges Remain, OIG-13-118, Redacted, September 2013
DHS Needs to Strengthen Information Technology Continuity and
Contingency Planning Capabilities, OIG-13-110, Redacted, August 2013
DHS Can Take Actions to Address its Additional Cybersecurity
Responsibilities, OIG-13-95, June 2013
DHS' Efforts to Coordinate the Activities of Federal Cyber Operations
Centers, OIG-14-02, October 2013
Homeland Security Information Network Improvements and Challenges, OIG-
13-98, June 2013
Chairman McCaul. Thank you, Mr. Roth.
The Chair now recognizes himself for 5 minutes.
Mr. Mayorkas, let me first commend you for the clean audit,
for getting more items off the high-risk list, for your efforts
in DHS acquisition. The memo that came out recently by you and
the Secretary actually mirrors our legislation that we passed
unanimously out of committee. So I do commend you for that.
But I do have to raise an issue that happened last Thursday
when the Secretary of Homeland Security placed the former
acting inspector general, Mr. Edwards, under leave after a
Senate report came out alleging among other things that Mr.
Edwards intentionally changed and withheld information in some
IG reports to accommodate the administration's political
appointees, and that he sought outside legal advice,
compromising the IG's independence.
Now, I don't know if these allegations are accurate. But if
they are, this is the internal watchdog. This is sort-of like
the old adage the fox guarding the henhouse.
I know you are concerned about this, as I am. But can you
tell me, has the Department launched an investigation into
these allegations?
Mr. Mayorkas. Thank you very much, Mr. Chairman. I would
like to make two points in response to your very important
question, one specific to the announcement to which you refer
last Thursday.
That is that the Secretary took swift and strong action in
placing the former inspector general on administrative leave,
and made the very important point that as additional facts are
learned, appropriate action will be taken. So this is a matter
that is under process. I don't think it would be appropriate
for me to speak in more depth about a personnel matter.
The overarching point that I would like to make is the
following, and it is a very simple but a very important
message. That is that the highest degree of ethics and
integrity are conditions of employment in the Department of
Homeland Security.
Chairman McCaul. So after this came out the Secretary
placed him on administrative leave and the inspector general
has been tasked to investigate the current inspector general,
who is with us today. Is that correct or not?
Mr. Mayorkas. I am actually not certain as to who is
conducting that investigation, Mr. Chairman. Perhaps my
colleagues here know.
Chairman McCaul. Leads me to my next question. Mr. Roth,
are you investigating these allegations?
Mr. Roth. We are not. What we have is within the Inspector
General Act a process by which allegations against either the
inspector general or people within reporting to the inspector
general, allegations with regard to misconduct get
investigated.
There is the entity called the Committee of IGs for
Integrity and Efficiency that has a special investigative
committee. They have received a complaint--a series of
complaints really, with regard to the former acting inspector
general.
That has now been farmed out to a different inspector
general to ensure objectivity and you know to ensure that it is
an independent and objective review of that. My understanding
is that that investigation is being conducted by the inspector
general from the Department of Transportation.
Chairman McCaul. Because these allegations are so serious
the decision was made not to go with the IG within DHS, but
rather farm it out to the IG at the Department of
Transportation.
Mr. Roth. That is correct. Again, we followed the Inspector
General Act, which basically dictates how these things should
work.
Chairman McCaul. I mean does it concern you about these
allegations involving allegations out of Cartagena with the
Secret Service, or a report for $650,000 that was never
disclosed on accountability and risk management?
Mr. Roth. It deeply concerns me. Essentially the morning
after I read the report I ordered that those reports be taken
down from our public website.
I have tasked a senior lawyer from our Office of General
Counsel, that is our Office of General Counsel, not the
Department's Office of General Counsel, to conduct an internal
investigation to talk to the career auditors who actually
researched and wrote those reports to find out exactly what was
changed, why it was changed, to restore those reports to its
original condition and then repost it and report the results of
it, not only to the committee but to the public.
Chairman McCaul. Well, we look forward to hearing the
results of that investigation. I also appreciate your testimony
about the lack of interoperability at a 99.8 percent failure
rate, which is astounding to me.
The final question to Mr. Dodaro, and that is you mentioned
information sharing with respect to terrorism threats and
cybersecurity, two issues very important to me and to this
committee. After the Boston report have you done an analysis of
the failure of information sharing?
Mr. Dodaro. No, we have not been asked to take a look at
that particular situation.
Chairman McCaul. But you still mention that is high-risk in
the DHS list.
Mr. Dodaro. Oh yes, definitely. It looks at not only DHS
but the five other--or four other agencies that are involved.
It is a Government-wide high-risk designation in terms of
information sharing.
DHS is an important part of it. But we do look at the
program manager at the DNI, the Director for National
Intelligence, as well as the coordination with the Treasury and
Justice and DHS.
Chairman McCaul. Of course we know the inspector generals
for the ICE and Department of Justice and DHS all came out with
their report, which was, I think, a very candid assessment
about what happened that day and what failed that day.
With that, the Chairman now recognizes the Ranking Member.
Mr. Thompson. Thank you, Mr. Chairman.
Following that line of questions from the Chairman, Mr.
Dodaro, do you foresee any time in the near future that DHS
will get off the high-risk list?
Mr. Dodaro. I think there is ample opportunity for
continued progress. They need to meet the criteria for coming
off the list, particularly getting another year of a clean
opinion on the financial statements, but also on internal
controls.
There is a statutory requirement that they have an opinion
on internal controls, which is rather unique in the Federal
Government, but nonetheless it is there and their current time
frame for doing that and modernizing their financial systems is
2016 and beyond.
They need to also demonstrate that they need to--that they
can bring some of these acquisitions in within budget,
scheduled on time and deliver a functionality that was
originally intended by those acquisitions.
So you know those are only two areas. I mean there are
milestones within the other ones as well. So I think it is
achievable in a relatively short-term, but it is going to take
a while to actually produce these results.
I am committed to working with the Department
constructively. But I am not going to take anything off the
high-risk list until the problems have been resolved.
Mr. Thompson. Well, you referenced some material weaknesses
within Coast Guard, FEMA, ICE, and CBP. What has been the
response from those agencies when you shared those weaknesses
with them?
Mr. Dodaro. They have listened to what we have had to say.
But there needs to be agreement not only in the Department--
within the components, excuse me, but also at the Department-
wide level.
I mean part of the time that has been lost there in the
financial management systems, which is what I was specifically
talking about, is the Department pursued two efforts at least
to have a Department-wide financial management system. Both of
those efforts failed. Now they have tried to have a component-
oriented approach to doing this, which can work, but it needs
to have Department leadership.
So we are going to be looking more carefully at this
financial management modernization effort that they have under
way. But it is still in its early stages. FEMA is the one that
is furthest behind.
Mr. Thompson. To the extent, Mr. Roth, you kind-of
highlighted some of this in terms of the acquisitions and other
things we have experienced within DHS. Explain what--you said
that somehow DHS is in charge but that the components don't
follow the regulations.
I think you were saying we have DHS up here and we have got
these other people under here and the people down here kind-of
do what they want to do. The people up top just kind-of observe
them. So, who is really in charge?
Mr. Roth. That is exactly the issue that we see. I mean
right now the Department has something called the Acquisition
Life-Cycle Framework, which is a, sort-of a framework that is
there to ensure that acquisitions are well thought-out, that
there are trigger points for review by high-level Department
officials to ensure that we are spending money in the right
way.
It is a good program. It is run by the under secretary for
management in a group called the Program Accountability and
Risk Management Section within the under secretary's office. It
works when it is used because it is deliberate. It is
objective. It allows money to be spent in the right way.
The difficulty is it was only set up in 2011. So you have
some of these very high-dollar acquisitions.
For example, the Customs' Air and Marine program, basically
the ships and the helicopters and the airplanes that Customs
purchases, all high-risk acquisitions, all big-dollar
acquisitions, something like $1.5 billion life-cycle costs for
these things, are not part of that system because they pre-
existed.
What we believe ought to happen is that the leadership, the
Secretary and the deputy secretary need to, candidly, be firmer
with the components to ensure that these kinds of acquisitions
get forced into the framework that DHS has set up.
Mr. Thompson. I yield back.
Chairman McCaul. Chairman recognizes Dr. Broun from
Georgia.
Mr. Broun. Thank you, Mr. Chairman.
Let me wish Mr. Dodaro a happy birthday myself too. So I
hope you have a great day, sir. It is a great way to spend it
is with us.
Mr. Dodaro. Well, I am ending it on the Senate.
Mr. Broun. Well, I wish you well over there too. I think we
are nicer than they are over there.
But my first question to you guys is that we have, as
Members of this committee, struggled with the jurisdiction
issues. It seems to me that when any entity has multiple bosses
then they have absolutely nobody in charge and no true boss.
I am concerned about where we are going. We look at the
high-risk issues and what is happening with acquisition and
with cybersecurity and with all the other areas that you all
have brought forward as being problem areas.
I will start with Mr. Dodaro. Would you comment as to the
issue of jurisdiction? Is this--is jurisdictional problems part
of why the DHS is struggling so much and has all these high-
risk areas? If so, what would you recommend? How would you
recommend to rectify that?
Mr. Dodaro. I don't believe jurisdictional issues are a
factor in these high-risk designations, particularly with
management functions within the Department. I think it is just
a matter of the Department having to get the processes in place
and execute properly.
I mean in many cases they have the right policies in place.
They are just not executing them appropriately. It is just a
matter of the Department having to work more to provide
guidance to the components and use the power of the purse, if
you will, to not let them spend money unless they have approved
baselines for acquisitions and they have done proper testing.
I mean they shouldn't be able to move forward without that.
I mean the prescription for success in this area is very clear
in following best practices. But they are just not following
it.
You could--you know, the jurisdictional issues I don't
believe are at play here. It is just a manner of good
management and follow-through and discipline.
Mr. Broun. So this is a management problem then within the
Department itself?
Mr. Dodaro. Yes, for the management areas on the high-risk
list definitely.
Mr. Broun. How far up the chain does that go as far as
management problems?
Mr. Dodaro. Well, I think it goes to the highest levels in
the----
Mr. Broun. As far as the Secretary?
Mr. Dodaro. Yes. I think everybody has to be engaged. I
think the Secretary's memo that he just announced in April to
have more integrated planning and budgeting and requirements
management and putting structures in place in the environment
that work effectively would be a great step forward if they can
get that done.
Now, in the other areas in the cybersecurity and the
information-sharing area, those are Government-wide high-risk
areas. So the Department itself can't address those issues.
Theirs were I don't think jurisdictional issues at play,
but it requires broader oversight by the Congress because it is
a Government-wide area. Those areas I think some joint hearings
and some other efforts with other committees that have
responsibility, and the House and Senate working together would
be helpful, particularly in passing legislation, which we have
called for to clarify DHS's role and responsibilities as it
relates to Federal oversight of computer security and critical
infrastructure protection.
There I think you need more parts of the Congress working
together to help DHS get the proper authorities in place.
Mr. Broun. Well, you say it is a Government-wide problem
and overall in some of those areas. But that is not an excuse
though that one department, DHS, which we have jurisdiction
over shouldn't be solving that problem. Is that correct?
Mr. Dodaro. Oh, that is absolutely correct. We have been
looking at whether DHS even within the Department is sharing
information. We have a report that will be coming out soon on
the Office of Intelligence Analysis as to whether or not DHS,
within its own organization, is sharing information properly.
That is exactly right, Congressman Broun.
Mr. Broun. Mr. Roth, do you have any comment on acquisition
just very quickly? I have got 30 seconds left to my time. So if
you would be expeditious in your answer.
Mr. Roth. I think Mr. Dodaro summed it up. We know what to
do. We know the process that can be used to make smarter,
better acquisitions. The question is forcing the components to
follow that process.
Mr. Broun. This is a long-standing problem. This is not
just with this current Secretary or the past Secretary. It has
been really ever since it has been stood up is my
understanding. Is that correct?
Mr. Roth. That is correct. Again, this process was only
stood up in 2011 to try to integrate everything under the under
secretary.
Mr. Broun. Very good. Thank you, Mr. Chairman. My time is
expired.
Chairman McCaul. Thank you. Just to follow up my
colleague's comments, when we are talking about jurisdiction
though in the Congress, not within the Department but within
the Congress, when the Secretary has to report to over 100
committees and subcommittees, doesn't that detract from the
core mission of protecting the American people, Mr. Dodaro?
Mr. Dodaro. Well, we have not looked at that issue. But it
is not uncommon in many departments and agencies for the
Department of Defense, for example, to have multiple committees
to report to.
I think early on, and I am going back to the creation of
the Department, there wasn't enough transparency in working
with the Congress and having open communication. That I think
fostered a set of relationships that have to be overcome, and
are being overcome over a period of time.
So I think if there was more transparency and the
Department was actually producing the plans, the jurisdictional
issues wouldn't be as acute as they have been because of that I
would say getting off on the wrong foot in its relationship
with the Congress.
Chairman McCaul. Well, again, this is not an issue I fault
the Department on. I actually fault the Congress on this one
because we can't pass any legislation without multiple
referrals to multiple committees.
It becomes dysfunctional within the Congress. Then it takes
time and attention away from senior leadership that need to be
doing their job to report to over 100 committees and
subcommittees. The Aspen Institute came out with a report
talking about it.
We need to--it was one of the top recommendations of the 9/
11 Commission was to have the DHS report to a single oversight
committee. That recommendation has never been followed by
Congress. I think we need to change that.
I am a little disappointed in the answer. I think Mr.
Mayorkas may disagree with you on that. Do you?
Mr. Mayorkas. Mr. Chairman, I think the Secretary has
addressed you and other Members of the Congress expressing his
deep concern with respect to the jurisdictional issue and the
position it places the Department in.
Chairman McCaul. It detracts from the core mission. With
that, the Chairman now recognizes Mr. Richmond from Louisiana.
Mr. Richmond. Thank you, Mr. Chairman.
Mr. Dodaro, now I want to talk about the National Flood
Insurance Program. I see that you have made several comments or
recommendations regarding it. Do you have any concerns that
their current capacity or these notations that you made will
affect their implementation of the new Homeowner Flood
Insurance Affordability Act?
Mr. Dodaro. I think there are a number of recommendations
that we have made, for example in modernizing their claims
management system that need to be put in place. The
implementation of the Act will be a new challenge for them that
could detract from some of the implementation of these
recommendations.
But I think it is very important for them to continue their
efforts to modernize the claims system and oversee the
contractors that write the policies for the Flood Insurance
Program.
Mr. Richmond. Well, that is exactly where I wanted to go
because you used the term the reasonableness of compensation to
the insurance companies that sell and service most of the NFIP
policies. Do we think their compensation is on the unreasonable
side in terms of high or low? Or is it something that we need
to look into?
Mr. Dodaro. You definitely need to look into that issue. I
mean I think that that is an important question and that is
something that we think requires more oversight and whether or
not the compensation is appropriate.
Mr. Richmond. Our numbers, and I don't know if your numbers
would say the same things, in that through the life of the
Flood Insurance Program that the amount of money in premiums
that have gone in almost equals the amount of money that is
going out, except that you have all the administrative expenses
that any insurance company would have.
But everywhere we can reduce those administrative costs or
the costs that the insurance companies are charging for either
servicing or the commissions that they receive, we make the
program more stable. We can directly save the taxpayers money
on those. Have you looked at----
Mr. Dodaro. Yes. I think the administrative costs need to
be under constant review to make sure that they are at the
minimum necessary to operate the program. However, the premiums
in our opinion have not been sufficient to cover the costs of
the programs.
I mean currently the National Flood Insurance Program owes
the Treasury $24 billion and hasn't made a principal payment
since 2010 on that issue. So it is not really actuarially sound
going into the future. So that is one of the reasons it is on
the high-risk list.
Mr. Richmond. Right. I don't think that we will ever get to
actuarially sound and maintain a sense of affordability for the
5 million homeowners who participate in the program.
But I think the goal should be that where we can save money
we should save money. Where we can be more efficient we should
be more efficient. So that is my concern when we talk about the
efficiency of the management of the program and making sure
that the people who service the program are being as efficient,
and we are very diligent in terms of what we are paying them.
So the other thing you mentioned was the debt management
and how that could offer us some cost savings.
Mr. Dodaro. Well, I think it is important that they figure
out how to both build a reserve for the future potential cost,
but also how to figure out how to repay the Treasury Department
for the amount of money that they owe. That is going to be a
tall order for them given the current statutory framework on
which they have to operate under.
So I think additional action will be needed by the Congress
to help them in order to put the program on a firmer financial
footing.
Mr. Richmond. Then I guess we can have the whole
philosophical debate. But we have to get it on firm financial
footing. But actuarial rates is probably not the way to do it
considering that many of these homes were built before there
was a requirement for flood insurance. To go back and change it
in our area we saw rates increasing from $500 and $600 to
$10,000 a year, which will cause another mortgage collapse and
all of those things.
Mr. Dodaro. So I agree with you. I think--I mean there has
to be a balance between affordability and fiscal responsibility
and accountability and in this case transparency because if the
homeowners aren't paying for the insurance that means the
general taxpayers are. It is not really clear what the
subsidies are. I am particularly concerned about the future.
We have put also on the high-risk list limiting the Federal
Government's exposure by better managing climate change risks.
With the potential for climate change and other additional
issues in the offing, I mean this program is one that requires
I think constant scrutiny and more transparency about who is
paying for what in the program.
But I agree with you, affordability has to be a policy
priority.
Mr. Richmond. Mr. Chairman, I see my time is expired. I was
just going to ask Mr. Mayorkas if he had a response. I am not
requiring one.
Mr. Mayorkas. I do not. I do not, Mr. Congressman.
Mr. Richmond. Thank you, Mr. Chairman. Yield back.
Mr. Mayorkas. Mr. Chairman, may I make a point if I may,
even though there is no question pending to me I feel compelled
to share something with the committee because my colleagues
have expressed concern that components do not necessarily
follow the direction that a best practice would require to
address a management challenge.
I think it is very important to communicate to this
committee very clearly to ensure that there is no misimpression
that the components are willfully disobeying guidance. It is
not an issue of that. But it is rather an issue of putting the
structures and the mechanisms in place to drive everyone in the
same direction and to ensure a disciplined and rigorous
adherence to best practices. It is really a matter of
accountability.
I know there was a reference made that we don't have
appropriate accountability mechanisms in place, and I would
respectfully disagree with that. Quite frankly, if there is a
failure of a component to adhere to a best practice in the
service of addressing a management challenge, I am ultimately
accountable for that.
Of course the Secretary is. But I am overseeing the
management of the Department on behalf of the Secretary, and
that accountability regime rests with me.
Chairman McCaul. Well, I appreciate you taking
responsibility for that. I hope to see some good results.
Chairman recognizes Mr. Duncan.
Mr. Duncan. Thank you, Chairman, for this valuable hearing
today. I want to thank the panelists for the comments that they
made about H.R. 4228 and the acquisition reform bill.
You know the goal is to improve discipline accountability
and transparency and acquisition program management and a lot
of things that I am hearing on all the topics today come down
to just those basic disciplines of doing best practices and all
of the acquisition reform.
So I heard Secretary--I mean Comptroller Dodaro say this.
But deputy secretary, have you had a chance to review H.R.
4228?
Mr. Mayorkas. I have, sir.
Mr. Duncan. Okay. Do you believe it will aid DHS in
addressing acquisition management challenges?
Mr. Mayorkas. I do, sir. I should inform you and this
committee that in reviewing the proposed legislation that this
committee passed I have drawn some practices that we should
adopt and not await the passage of the legislation.
Mr. Duncan. Thank you. I agree. Whether we have to have
Congressional legislation passed or not it is the right thing
for the Department to do. I think the Secretary agrees with us
as well. So thanks for saying that.
With the most recent GAO high-risk report citing the
Department's continued management challenges, and with our
country being $17.5 trillion in debt, do you think it is wise
for DHS to continue to spend scarce spending on unnecessary
green initiatives and costly renovations on a project such as
St. Elizabeth's that won't be complete until 2026, and will
cost the American taxpayer about $4.5 billion or more, deputy
secretary?
Mr. Mayorkas. Mr. Congressman, as a general principle of
course no expenditure of funds should be permitted that does
not yield an effective and efficient delivery of service on
behalf of the American people.
The Secretary is reviewing the St. Elizabeths project, and
we are as a Department with all components involved taking a
look at what our resource investment should be in light of the
cost and our current budget environment. It was as recently as
yesterday that all the components met with the Secretary and me
on that very subject.
Mr. Duncan. Well, I think that is great. I appreciate the
Secretary reviewing that. I just don't believe that--you know
in a utopian society rainwater flush toilets are awesome.
But when you are $17.5 trillion in debt and you are
accountable to every taxpayer dollar, I think you need to start
questioning that and maybe the use of the hardest wood from
Brazil for the decking when you could use a composite material
that will last just as long and save the taxpayer dollars. So I
appreciate your efforts and I look forward to that.
I ask the comptroller general about St. Elizabeths and the
cost overruns. I know GAO has looked at that. Do you care to
comment on saving taxpayer dollars and that?
Mr. Dodaro. Well, certainly we support the effort to do any
program activity at the least cost possible. We are currently
looking at the St. Elizabeths situation and we will be happy to
share our report with this committee as soon as it is complete.
Mr. Duncan. We look forward to that as well.
So deputy secretary, given the large number of programs
still lacking Department-approved documents and experiencing
cost overruns and schedule delays, what do you believe is the
biggest challenge with regard to the high-risk list, the
biggest challenge in doing effective oversight of DHS major
acquisition programs?
Throw out some challenges that you have got. There might be
another nugget in there that we can pursue from the
Congressional side.
Mr. Mayorkas. Thank you, Mr. Congressman. I think that my
colleagues Mr. Dodaro and Mr. Roth have identified issues with
respect to our acquisition program.
The Secretary, through the Unity of Effort memorandum that
he issued, to which the Chairman referenced, puts in place a
structure to drive better acquisition oversight and management.
I lead under the Unity of Effort, a paradigm, I lead the
deputy's Management Action Group where we are all--components
and headquarters--together in ensuring that capabilities are
identified, the needs are properly identified.
The gaps are therefore disclosed. We don't close those gaps
without establishing effective requirements, understanding our
budget constraints, being effective and efficient in the use of
our money, and ensuring that the delivery of service takes all
of those factors into account.
Mr. Duncan. I am about out of time. I will say that
hearings like this are refreshing.
What I am hearing from all the gentlemen is that it seems
that the Department is moving in the right direction. I would
attribute the Chairman's leadership and this committee for
helping nudge the Department in the right direction with regard
to acquisition management and addressing a lot of the concerns
that were brought about by the gentleman from Louisiana and the
gentleman from Georgia.
So I want to applaud the Department for continuing to move
in that direction. I can tell you we are going to be right
behind you to make sure that the trend continues.
With that, Chairman, I yield back.
Chairman McCaul. We also commend your leadership as
Chairman of the Oversight Subcommittee. You have done a
fantastic job.
Chairman recognizes Mr. O'Rourke from Texas.
Mr. O'Rourke. Thank you, Mr. Chairman. I would like to
present the panel with two current acquisition projects and
then get your comments.
The first is one that we had a hearing on within the last
month, the Arizona Border Surveillance Technology Plan, which
essentially would spend between $500 million to $700 million to
put a series of fixed towers along the Arizona-Mexico border
with a high-tech surveillance system there, obviously to try to
apprehend people who might cross into the country illegally.
This is on the heels of the failed SBInet program that
spent a billion dollars and achieved almost nothing at great
taxpayer cost and Government waste. In that hearing we learned
from someone on your team at the GAO that there were several
significant findings that the GAO had made, including no clear
metrics and no clear life-cycle costs for that program. So that
is one that comes to mind.
The second in El Paso, Texas is a half-mile stretch of
currently unfenced border between El Paso and Juarez, an area
where in the last 4 years without there being a fence total
crossings have dropped year after year and they are at a
fraction of what they were even 4 or 5 years ago.
It is also a very historical crossing point. DonJuan De
Onate in the 16th Century crossed there.
The sensitivity is so great that not only have I but the
other Congressman representing the area, one of our U.S.
Senators, the city council, the State senators, the State
delegation have all pleaded with CBP not to construct that wall
there at a cost of $5.5 million. But we were told by the acting
commissioner at the time that the wheel is already in motion
and it is too hard to stop this.
So with those two examples my question is: When is it an
appropriate time to put on the brakes? I would think that those
major findings that the GAO made after the failure of SBInet we
should stop before proceeding with this Arizona Border
Surveillance Technology Initiative.
The $5.5 million in El Paso may not sound like a lot, but
$5.5 million here, $5.5 million there soon it adds up and
becomes real money. So I would like to get your thoughts on how
we get greater control on spending when there are findings,
when there are concerns raised by this committee or the GAO,
when it might be appropriate to pause and rethink some of those
projects.
Mr. Mayorkas, we will start with you.
Mr. Mayorkas. Thank you very much, Congressman. I have, in
the short time that I have been in office I have visited the
Texas-Mexico border as well as the Arizona-Mexico border. I
will tell you that visiting--there is no substitute for
visiting the border because one understands first-hand the
challenges that it presents.
The lesson that I learned there is certainly it is not a
one-size-fits-all model. There have to be different
technological and operational solutions to address the very
different and very diverse challenges that the Southwest Border
presents.
You ask a very fact-specific question, which is: When is it
right to pull out of a project when the project isn't going
well? I think that----
Mr. O'Rourke. Not just pausing the project. We could use
Arizona--the border surveillance plan there. Would it not make
sense for DHS to stop spending until those GAO concerns are
resolved?
Mr. Mayorkas. Congressman, as a general matter I find it
untenable to continue to pour money into a project when one
doesn't have a level of confidence in the effectiveness and
efficiency of the undertaking. So that is a general principle.
In fact we have executed on that general principle over the
last few months. We have paused. We have suspended discrete
projects because we have not had confidence in the stability of
the undertaking.
So there is no shyness. There is no hesitation to do that
in order to make sure that we do not develop something that is
ineffective by the time it is deployed----
Mr. O'Rourke. Right.
Mr. Mayorkas [continuing]. And we create more work for our
oversight----
Mr. O'Rourke. Sorry to interrupt, but I have little time
left. You have paused in other projects. Will you pause in this
project?
Mr. Mayorkas. I--as I sit here today, Mr. Congressman, I am
not aware of a reason why the Integrated Fixed Towers Project
should be paused. I will tell you that is----
Mr. O'Rourke. I gave you two.
Mr. Mayorkas. I will have to look into the second one,
which is the wall that----
Mr. O'Rourke. I gave you two reasons on that Arizona Border
Surveillance. No life-cycle costs and no clear metrics for what
that is supposed to achieve after spending up to $700 million.
Could I hear from Mr. Dodaro on this and Mr. Roth if there
is time?
Mr. Dodaro. Yes. Our report focused on the fact their cost
estimates and the schedule estimates weren't complete or
reliable. There was limited testing planned on there as well as
the fact that there weren't metrics tying it to the particular
problem.
The Department agreed with most of the recommendations.
Except I was disappointed they didn't agree to do more testing
on this. I think this is important given the past history and
some of those other activities.
So I think it is important that these issues be addressed
before they proceed into full-scale production.
Mr. O'Rourke. If the Chairman will allow, I would love to
hear from Mr. Roth on this, if you have any comments.
Mr. Roth. Yes. The entire life-cycle--acquisition life-
cycle framework requires in fact certain stopping points where
an examination is done by independent senior leadership to
ensure that it should go forward in a timely way or in a
rational way.
So there are stop points all the way along, and it is
perfectly appropriate during an acquisition to hold off and
address concerns.
Mr. O'Rourke. Okay. Thank you.
Thank you, Mr. Chairman.
Chairman McCaul. Chairman recognizes Mr. Sanford from South
Carolina.
Mr. Sanford. I thank the Chairman. I apologize for getting
here late. So I did not get to hear the entirety of your
testimony. I was caught up in another meeting.
But I jotted in a note in looking at preliminary brief.
There was a GAO report that said, DHS could better manage its
portfolio, address funding gaps and improve communication with
Congress.
One of the findings was basically that there was a gap
between acquisition of programs and the overall Homeland
Security strategy. That at several different junctures this gap
was seen between acquisition and strategy.
I have got a quote here. I am beginning to lose my
eyesight. But it says ``GAO goes on to say in its report that
none of the reports that DHS put out consistently identified
how individual acquisition programs would help DHS to achieve
its goals.'' Then there is some more verbiage from there.
So I guess I would turn to the GAO, to you, Mr. Dodaro.
Thoughts on that? What else did you see with regard to this gap
between a time strategy and individual acquisition programs?
Mr. Dodaro. There really are two types of gaps. One is the
one that you mentioned. But the second is a funding gap issue
in terms of whether or not you have enough money there. I
mentioned earlier in my opening statement that of the major
acquisitions, 46% don't have approved baseline costs and 77%
don't have life-cycle costs.
Now, even with that limitation the Department undertook an
effort a year or 2 ago to identify what the gap would be if all
these acquisitions would cost certain amount of money and the
Department had certain amount of resources. They have figured
that there was 30% gap between what these acquisitions will
cost and what they were likely going to have money for, which
means they need to set priorities.
Of course in setting priorities you have to go with what
your overall strategies are and what kind of priorities are in
your strategy. So they need a governance structure at the
Department to set these priorities across the Department
because they are not going to have, you know, enough money to
be able to deal with these issues.
This is a similar issue we brought to the Department of
Defense's attention. It will particularly be true if
sequestration resumes in 2016 through 2022.
So it is very important that they deal with this. I know
they have some plans to do it. But they are in the very early
stages.
Mr. Sanford. Couldn't it be said of pretty much any
Government agency that there is always a gap between what they
would like to have and what they would get? I mean so isn't
that----
Mr. Dodaro. Well----
Mr. Sanford. I mean it may----
Mr. Dodaro. Well, but----
Mr. Sanford [continuing]. The issue within Homeland
Security or DOD, but----
Mr. Dodaro. Right.
Mr. Sanford [continuing]. That seems to be a consistent
refrain.
Mr. Dodaro. Well, there is a difference between what you--
how much money you are going to have and what you would like to
have a lot of money, as opposed to how many projects you have
already started down the road that you are not going to be able
to complete.
That is a different situation. I am saying in that case
they are spending money to get these projects up and running,
and they are not going to have enough to finish, the money, so
that those projects that aren't finished will be not optimal
use of the taxpayers' money.
As opposed to, we are not going to have this amount of
money, here is the priority we want to do. We need to stop this
acquisition or we need to redirect our funds to other areas.
So it is very important to do that, particularly given the
rather poor track record that they have in delivering their
acquisitions with functionality, within cost and on time.
Mr. Sanford. If you were just waving a magic wand and as
you look at this agency in particular, are there other things
that perhaps didn't make your report but things that entered
your mind? Or that you all evaluated but found too
controversial and maybe left off, where you would say this is
an area of opportunity that Homeland Security ought to look at
in terms of better optimizing taxpayer dollar in maybe a way
that they aren't?
Mr. Dodaro. No. I think our report is pretty complete. I
mean we put everything out there that we have identified.
Since the Department has been created we have made over
2,000 recommendations to the Department. About 65% of them they
have implemented. They have efforts underway in other areas to
implement.
So we--I think we have been pretty thorough in pointing out
all the major areas that need attention.
Mr. Sanford. I suspect you might have a counterpoint to
some of this and I therefore would offer the floor to you in
the few seconds that I have got left.
Mr. Mayorkas. Congressman, I think I actually will not have
a counterpoint. I think, quite frankly, that the work of Mr.
Dodaro and his team has helped make us better, and identified
gaps that we need to fill. I think I can say the same for the
work of Mr. Roth and his team.
You used the word opportunity. Fortunately I am an optimist
and so I look at the challenges we have as opportunities,
opportunities to be better.
Mr. Dodaro referred to the fact that a governance structure
presents some hope, some cause for optimism, but it is at the
nascent stage. That is true.
Both the Secretary and I are new. The Secretary has put in
place a governance structure and we will drive to achieve its
aspiration.
Mr. Sanford. I burned through my time. Thank you, Mr.
Chairman. Yield back.
Chairman McCaul. Chairman recognizes Mr. Payne.
Mr. Payne. Thank you, Mr. Chairman.
Mr. Roth, you know the findings in the November 2012 IG
report on interoperable communications at DHS are very
concerning. I have introduced legislation to DHS Interoperable
Communications Act that aims to address the problems, you know,
related to the Government structure and strategy identified in
the report.
In your testimony you mentioned that the Department has
developed but not finalized DHS Communications and
Interoperability Plan. Have you seen drafts of this plan?
Mr. Roth. I have.
Mr. Payne. Okay. What do you think to this point?
Mr. Roth. We made our primary recommendation after doing
the audit that had the 99.8% failure rate, was that there ought
to be an interagency structure that had an individual or group
with true power to be able to require the components to get
interoperable systems.
The Department, inexplicably in my mind, non-concurred with
that, and instead went forward with what we consider to be a
lesser proposal requiring essentially cooperation among the
components.
We think that is the wrong way to go. We think showing
strong leadership is the way to go, and essentially forcing
compliance by the components.
Mr. Payne. Yes. Well, you know it is clear based on
information I have that this legislation, you know, is crucial
to finally get Department-wide interoperability.
I was shocked to hear that in your testimony, you know in
your test case, only 1 out of 479 first responders were able to
get on a common channel. You know 1 out of 479.
What is it going to take to achieve interoperability? As
you say, the Department is obviously not following
recommendations that have been made. That you say have decided
to go with a lesser plan. What is it going to take to get to
interoperability?
Mr. Roth. Well, certainly hearings like this I think
highlight the problem. Accountability by this committee and
other committees and the American people to ensure that the
purposes behind DHS, which was to have all these disparate
agencies under one roof so they could in fact talk to each
other is a good thing.
But again, it is a promise that has not yet been kept.
Mr. Payne. Okay. You said many didn't even know that the
common channel existed. Is it going to take more training or as
you said more hearings like this and a concerted effort on us
to push them in that direction?
Mr. Roth. To be fair, this test took place in 2012 before
the current administration within DHS was appointed. We are
hearing good things from the Secretary and the deputy secretary
with regard to unity of effort.
I am optimistic that we can get there. But I am frankly
concerned that as we speak today a Secret Service agent in New
York can't get on his radio and talk to a Federal Protective
Service officer in New York or a CBP officer in El Paso can't
talk to a Homeland Security Investigations Agent in the same
city.
Mr. Payne. Okay.
Thank you, Mr. Chairman. I yield back.
Chairman McCaul. Let me just state for the record, Mr.
Payne, your bill on interoperability will be part of our mark-
up in May coming up soon. So we thank you for that.
Chairman now recognizes the gentlelady from New York, Ms.
Clarke.
Ms. Clarke. Thank you, Mr. Chairman. Thank you, Ranking
Member.
My first question is to you, Mr. Mayorkas. I want to talk
about the Department's transition to a large portion of its
information technology to the cloud, and a couple of questions
with regard to that.
Does the CIO work with the Department cybersecurity and
privacy experts to ensure that proper protections are in place
for cloud-based technologies? How does this improve efficiency?
Do you anticipate this move to the cloud resulting in cost
savings? What steps are being taken to ensure that the private
cloud utilized by the Department is secure?
Mr. Mayorkas. Thank you very much, Congresswoman, for the
question. The answer is yes.
The head of information technology, Luke McCormack, does
work very closely with our NPPD, our directorate, and Susanne
Spaulding. It is made to ensure that the use of the cloud
passes cyber-hygiene, if you will.
What the cloud provides is the ability for the Department
to essentially pull on an as-needed basis certain technological
capabilities. So with that nimbleness and surgical use of IT
not only do we gain effectiveness, but we also gain cost
savings.
Ms. Clarke. Well, there has been a lot of talk here on the
Hill. We have turned our attention to immigration reform and
proposals such as the DREAM Act may create a pathway for many
millions of youngsters becoming American citizens. This could
create a major influx of applications coming to the USCIS
system.
Would the limitations of current paper-based system that I
am sure you know all too well, how will USCIS handle this
increased caseload? Are there any activities underway at the
headquarters level to address this impending issue?
Mr. Mayorkas. Thank you very much for that question,
Congresswoman. We of course remain committed to comprehensive
immigration reform. I think there are two streams of activity
that are responsive to your question.
One is to develop the technological capabilities to accept
a large influx of new applicants in an electronic or on-line
environment. That effort is under way. It is a very significant
and challenging effort, but we are making progress in it. It is
called transformation to move from a paper-based agency to an
on-line environment on the one hand.
On the other hand, U.S. Citizenship and Immigration
Services, which I was very proud to be a part of for 4 years,
is extraordinarily adept at handling surges in the number of
individuals coming before it. It has exhibited that nimbleness
and that adeptness in the last 2 years in taking on a huge
surge in previously unanticipated applicants.
Ms. Clarke. So you believe that the transformative nature
of the new technologies that you are currently sort-of testing
would be able to manage potentially, you know, tens of
thousands if not millions of individuals seeking to apply for--
through for immigration reform and the personnel commensurate
with that is sort-of trained and gearing up as well?
Mr. Mayorkas. Congresswoman, the goal of transformation is
to be able to do that. We are working towards that. It is a
challenging undertaking, but we are working towards that on the
one hand.
On the other hand, to be able to address an increase in
applications of, for example, 11.5 million people, there is an
infrastructure that needs to be built. We have communicated
very clearly to the bipartisan committee that passed the Senate
bill last year.
They understood and legislated accordingly that there needs
to be some ramp-up time so that the agency could in fact build
the infrastructure to take on that significant new workload.
But not just personnel, but facilities, IT infrastructure and
the like, but we are prepared with time and funding to meet
that challenge.
Ms. Clarke. Very well. Then I just wanted to quickly--my
time is winding down--talk about disciplinary practices. There
are a lot of folks who believe that there are some--it is
inequitable and oftentimes arbitrary.
For example, there is no Department-wide standard for
penalties. The same offense can engender different results
without any sound reason for this discrepancy.
Would you agree that the Department could benefit from
standardized disciplinary processes? How not having these
processes in place can have an impact on low morale, for
instance?
Is a Department-wide standard for penalties under
consideration? If not, why?
Mr. Mayorkas. That is a very interesting question,
Congresswoman. When I was the director of U.S. Citizenship and
Immigration Services, we actually had that infirmity within the
agency that we did not have really a cohesive and consistent
discipline regime, and we implemented one during the course of
my tenure.
Whether there should be a Department-wide standard is a
question that I would actually like to give thought to because
I will tell you that there are different dynamics at play
within each component of the Department. There are different
unions, union leadership, union relationships.
I think at a general level my immediate reaction is that we
should have standardized processes and we should have
consistency in the response--in the disciplinary response to
similar behaviors. I would like to actually give further study,
and quite frankly speak with my colleagues here to my left with
respect to your question.
Ms. Clarke. My time is run out, but if the Chairman gives
another round, we will----
Chairman McCaul. Well, if you would like to hear other
witnesses----
Ms. Clarke. Oh, certainly.
Chairman McCaul. This is our final round.
Ms. Clarke. Okay. Thank you, Mr. Chairman.
Well then, gentlemen, would you please give me your opinion
on these disciplinary actions?
Mr. Roth. Thank you. We have not done an audit with regard
to this except with the Secret Service, which did not have a
table of penalties. We found that that was a problematic issue
with regard to some of the issues that occurred in the Secret
Service.
I think I would join Mr. Mayorkas in indicating that that
is a broader issue that we would probably need to study in a
more thoughtful way.
Mr. Dodaro. Yes. We have looked recently at TSA employee
misconduct issues and how that is handled. I would be happy to
provide that for the record and any other thoughts that we have
on this matter.
Ms. Clarke. Very well. I appreciate that, gentlemen. Thank
you all for your testimony here today.
Thank you, Mr. Chairman. I yield back.
Chairman McCaul. Thank you. I want to thank the witnesses.
Chairman recognizes the Ranking Member.
Mr. Thompson. I just want to thank the Chairman for this
hearing and the witnesses for their candid comments in response
to the questions.
The thing that continues to bother me, though, is we put
the Department of Homeland Security under one roof. But it just
appears that there are some outliers within the Department that
continue to do as they please.
We have reports after reports that continue to highlight
those do-as-you-please efforts that cost money. What I have
taken away is that you continue to highlight it, but somehow it
doesn't get implemented.
I guess I am struggling for--can you, each one of you
witnesses provide us in writing what you think it would take
for the Department to run seamlessly, all the components within
DHS using one standard for procurement and other things?
Right now procurement, personnel, a lot of issues continue
to be different. I think if we have One DHS, if we have this
now Unity of Effort approach, how can we actually accomplish
that if we still have Coast Guard, FEMA, CBP, ICE kind-of doing
what they want to do? I am just kind-of concerned about that,
that we should just have a standard system.
Now, obviously there are some exceptions. But I think those
exceptions can be noted. But I would like to see something from
our witnesses since they have been so good that could help give
this committee some direction on how we can come up with one
system, whether it is IT system or whatever, in those
categories that have been outlined.
I yield back.
Chairman McCaul. I concur with the Ranking Member. We would
like to see that, if you could respond maybe in writing after
the hearing.
I know Ms. Clarke and I have worked on the iCloud concept
in terms of bringing the One DHS together. I think that is an
interesting concept as well.
I did have one last question for Mr. Roth. The Secret
Service has mentioned, know you are reviewing your
predecessor's report, the allegations involving drunkenness
during Presidential protection. Very serious concern on the
part of this committee that that conduct is still on-going
within Secret Service.
I know you are reviewing those currently. When do you
anticipate that your report will come out?
Mr. Roth. We are looking at the current reports. We are not
engaged in a further audit or inspection of that. But what we
are doing is in light of the Senate subcommittee's report we
are looking to ensure that any of the conclusions within the
report were untainted by any sort-of political or other
improper considerations.
We are doing that as expeditiously as possible, but we want
to get it right. I am hopeful in the next few weeks we will be
able to get it out. But right now I can't give you----
Chairman McCaul. Will you be providing any guidance to the
director of the Secret Service in terms of--you mentioned there
are no real sort of disciplinary procedures in place.
Mr. Roth. At the time of our audit there were no
disciplinary procedures. There were no tables of penalties.
That has been fixed.
In the series of audits we did, we did a look-back to see
what the internal investigation looked like. We also did what
was known as the so-called culture report.
In the culture report we had a series of recommendations
that we asked the Secret Service to do. They are in the process
of complying with each of those. I am happy to give a interim
report as to, sort-of, how they are doing with regard to
responding to our recommendations.
Chairman McCaul. I would appreciate that. Protecting the
President is one of the highest duties----
Mr. Roth. Yes.
Chairman McCaul [continuing]. Within the Department.
So we thank the witnesses for testifying here today. The
record will be open for 10 days. You may have additional
questions. With that, without objection, committee stands
adjourned.
[Whereupon, at 11:31 a.m., the committee was adjourned.]
A P P E N D I X
----------
Questions From Chairman Michael T. McCaul for Alejandro N. Mayorkas
Question 1. According to a December 2013 GAO report, CBP and ICE
continue to struggle with large portions of their TECS modernization
which could result in cost overruns and delay its 2015 deployment
deadline. TECS is critical to the Department's border security and law
enforcement missions. Describe the management direction you are
providing this project and please give the committee an update on the
TECS modernization efforts and whether or not ICE and CBP will deliver
its planned functionality by 2015 as originally scheduled.
Answer. DHS has a tiered governance structure that includes
oversight at the senior leadership level, the component level, and the
program level. At the highest level, the Department is actively
monitoring both programs by way of Executive Steering Committee (ESC)
meetings made up of senior-level executives, including Headquarters and
Component Chief Information Officers, Chief Acquisition Executives, and
Chief Financial Officers. Executive Steering Committees are decision-
making bodies that provide governance and oversight for all of the
Department's IT Major investments.
Currently, due to the program's high risk, the U.S. Immigration and
Customs Enforcement (ICE) TECS Modernization has a monthly ESC meeting
and bi-weekly deep-dive meetings with the Department's Chief
Information Officer and management acquisition team. The U.S. Customs
and Border Protection (CBP) TECS Modernization has bi-monthly ESC
meetings.
The CBP TECS Modernization has been deploying modernized
functionality incrementally since 2009 and is on track to deliver the
majority of modernized capability by September 2015, as originally
planned. This program has multiple releases of which 80% have been
delivered. The remaining 20% will be delivered on schedule by September
2015.
The ICE TECS Modernization is in the technical evaluation phase of
procuring an application vendor, with an anticipated award in September
2014. The program is currently a high-risk program due to its schedule
and cost risks. Mitigation plans are in place to address the program
risks. The program meets regularly with Headquarters leadership to
review status and progress toward milestone events. The program is
engaged with the CBP parallel effort to execute the coordinated
strategy for both agencies to obtain mainframe independence from the
shared legacy TECS system.
Question 2a. Does DHS believe that they are full partners in the
FirstNet effort?
Answer. Yes, DHS is a full partner and one of three permanent board
members in the FirstNet effort. The Department appreciates the
importance of the FirstNet network to the overall security and
resilience of our Nation's public safety communications infrastructure.
Question 2b. What is DHS doing to support FirstNet?
Answer. DHS is taking an active role in supporting FirstNet by
providing the following products and services:
FirstNet Consultation Preparation Workshops.--DHS has
delivered on-site workshops in 54 of 56 States/Territories to
help prepare for the FirstNet consultation process. The
remaining two States/Territories will be completed this year.
Broadband Tools.--DHS has developed a mobile data survey
tool to help States determine the current use of commercial and
private data systems within their jurisdiction that is being
leveraged by FirstNet.
FirstNet Coordination.--In early 2013, FirstNet asked DHS to
participate with the National Telecommunications and
Information Administration and FirstNet staff to coordinate
outreach and data collection with public safety efforts. Since
that time, DHS has participated in weekly calls, as well as
periodic strategic planning meetings with FirstNet Board
members and staff.
Federal Broadband Coordination.--The Emergency
Communications Preparedness Center, which is a DHS-led Federal
coordination committee to improve emergency communications
interoperability, has been leveraged by FirstNet for Federal
outreach and planning.
Tribal Coordination.--DHS provided Tribal subject matter
expertise to assist FirstNet in establishing its Tribal Working
Group, as well as facilitating meetings with key Tribal
representatives.
Cyber and Physical Risk Assessment.--DHS identified possible
threats to and vulnerabilities of cyber infrastructure in the
Nation-wide Public Safety Broadband Network that could threaten
the network's reliability and security.
Public Safety Broadband Requirements.--DHS helped develop
first responders requirements for the Nation-wide public safety
broadband network.
700 MHz Demonstration Network.--DHS helped create a 700 MHz
Demonstration Network at the National Institute for Standards
and Technology Boulder Labs to assist with performance,
conformance, and interoperability testing of infrastructure,
devices, and applications. This public safety demonstration
network and environment for testing allows public safety to
better understand the new capabilities and challenges created
by broadband technologies.
Modeling and Analysis for Public Safety Broadband.--DHS is
conducting modeling and simulation research on the deployment
of a Nation-wide public safety broadband network. This research
will provide FirstNet with insight needed to make more informed
procurement-related decisions.
Question 3. The Office of Program Accountability and Risk
Management (PARM) is responsible for DHS' overall acquisition
management across the Department, and has work under way to implement
an Acquisition Life-Cycle framework for major acquisitions. Among other
things, this framework outlines key decision events over the life of a
program. This ``waterfall'' approach may be fine for most types of
acquisitions; but for IT acquisitions, it promotes longer time frames
for delivering capabilities (often 5-7 years) and increased risk of
cost, schedule, and performance issues. The Office of the Chief
Information Officer (OCIO) is responsible for IT investment governance,
including IT systems development. OCIO has work under way to modify,
finalize, and implement systems acquisition policies and processes in
line with an incremental development approach, which calls for breaking
programs into smaller increments and delivering capabilities in 6-12
month releases. It will be important for PARM and OCIO to collaborate
on a way forward to define roles and responsibilities, and modify the
Acquisition Framework as needed to accommodate an incremental
development approach to IT. How efficiently and effectively do DHS's
acquisition and IT governance processes work in concert with one
another to ensure that major IT investments are delivered within cost
and schedule, and meet mission needs?
Answer. DHS's integrated acquisition and IT governance processes
work together in an efficient and effective manner. Management
Directive 102-01 establishes the Department's acquisition governance
framework for both IT and non-IT programs. The Management Directorate's
Office of Program Accountability and Risk Management coordinates
effective integration and collaboration across the Department's lines
of business, including the Office of the Chief Information Officer, to
implement acquisition oversight.
Further, the Secretary's ``Strengthening Unity of Effort''
initiative is enhancing the coordination of Departmental planning,
programming, budgeting, and execution processes through strengthened
requirements processes and decision-making.
Question 4a. Component agencies of DHS are increasingly using the
Government Printing Office (GPO) for the production of secure
credentials. Some have expressed concern that component agencies are
inappropriately using Title 44 of the United States Code as a means to
enter into sole-source agreements with GPO to circumvent the normal
fair and open competitive procurement process.
Is there any formal or informal guidance from DHS to component
agencies on the use of the GPO versus open competition?
Answer. DHS follows the requirements of Federal Acquisition
Regulation 8.802, which requires printing to be done by or through GPO
unless an exception applies. DHS utilizes a form (DHS 500-7) for its
components to use to obtain printing services through the designated
central printing authority or to seek a waiver. There is no additional
acquisition guidance regarding printing.
Question 4b. What is the opinion of DHS Office of General Counsel
on Title 44 of the United States Code and FAR 48 Subpart 8.8 as it
relates to public printing services and use of GPO for secure
credentials?
Answer. The Department recognizes the statutory and regulatory
requirements related to the Government Printing Office.
Question 4c. What risk/security analysis has been done to make sure
that secure credentials being used by DHS are durable, secure, and
virtually counterfeit-proof?
Answer. A risk/security analysis of the secure credentials used by
DHS was conducted by the General Services Administration (GSA), as the
executive agent for acquisition of Homeland Security Presidential
Directive--12 products and services. GSA ensures that secure
credentials meet the standards of the National Institute of Standards
and Technology (NIST).
To further deter counterfeiting of the secure credentials being
used by DHS, the Department has gone beyond the NIST requirements by
requiring visual security features with micro-text bands, the use of
transparent and gradient effects, optically variable ink, and
holographic images in the security laminate.
Question 4d. What alternatives analysis or analysis of alternatives
(including cost and security analysis) has been done to support secure
credential programs?
Answer. During an analysis of alternatives conducted by the DHS
Office of the Chief Security Officer, it was determined that GPO met
standards for secure credentials. GPO delivered added value with strict
adherence to a secure Government supply chain requirement and smart
card product manufacturing. GPO also demonstrated oversight of security
in the transportation of raw materials and finished goods, and the
physical security of the card manufacturer's plant and information
technology systems.
Question 4e. How much has DHS obligated and expended in fiscal year
2010-fiscal year 2013 for secure credentials printed by GPO? How much
does DHS plan to spend on secure credentials in fiscal year 2014?
Answer. DHS has obligated and expended a total of $7,494,875
between fiscal year 2010-fiscal year 2013. The breakdown per fiscal
year is as follows:
Fiscal year 2010: $1,769,962.00
Fiscal year 2011: $1,891,963.00
Fiscal year 2012: $2,432,350.00
Fiscal year 2013: $1,400,600.00
Fiscal year 2014 Plan: $2,491,125.00.
Question 5a. According to news reports from early April, top hiring
officials at CBP broke Federal civil service laws when they tried to
hire three politically connected but unqualified candidates who were
favored by the agency's then-commissioner Alan Bersin. Shortly before
arriving at CBP, Mr. Bersin allegedly gave the human resources staff
three names and told them he wanted to hire the individuals as
political appointees. However, the slots for those jobs, known as
Schedule C positions, were filled. The staff then attempted to hire
them into open civil service positions at the GS-13 level, as
management and policy analysts.
Who were the people seeking career positions in these reported
cases? Are they employed by CBP currently? If so, under what hiring
authorities?
Answer. The Office of Special Counsel (OSC) has released a press
statement regarding its complaint for disciplinary action before the
Merit Systems Protection Board (MSPB), filed against Katherine Coffman.
The OSC has not yet made the complaint a public document and DHS is not
a party to the litigation. Further, in accordance with DHS practice,
and per OSC preference, DHS does not comment on pending litigation. DHS
does not wish to impede the current adjudication of this case by
releasing specific information relevant to the MSPB proceeding, or by
providing opinions regarding any specific allegations or evidence that
may be contained within the complaint as described in the public press
statement. Therefore, in this and subsequent responses, DHS will only
answer as to matters not at issue in the litigation.
Question 5b. Who within the DHS Office of the Chief Human Capital
Officer rejected most of the career conversion requests and approved
the one OPM later rejected? Please provide necessary documents asking
for and rejecting these personnel actions.
Answer. Please see above.
Question 5c. Since Ms. Katherine Coffman is in the position to hire
individuals across CBP, does she assert inappropriate influence over
the career civil service hiring process? Did she or does she seek to
hire others who fit ``political criteria'' favored by her or Mr.
Bersin?
Answer. Please see above.
Question 5d. What was the role of the Office of the White House
Liaison at DHS in these career conversions? Is the Office of the White
House Liaison involved in interviewing or vetting other career
candidates for Federal employment?
Answer. DHS has inquired of the relevant individuals and reviewed
the relevant files and has no reason to believe the Office of the White
House Liaison was involved in the attempted conversion from political
appointments to career appointments for the three individuals whom it
is alleged Mr. Bersin wanted to hire at CBP.
I am informed it is not.
Question 5e. Since January 21, 2009, how many political appointees
have been converted to career employees? If any, please identify them
along with their titles and the office in which they are working.
Answer. Prior to January 2010, Federal agencies had to seek OPM's
approval of conversions to competitive service positions only during
Presidential election years. As a result, DHS did not maintain DHS-wide
records specific to such conversions and cannot readily access this
information for the time period between January 21, 2009 and December
31, 2009.
Beginning on January 1, 2010, OPM required agencies to seek prior
approval from OPM before appointing a current or recent political
appointee to a competitive or non-political excepted service position
at any level under the provisions of title 5, United States Code. OPM
provided DHS with information based on OPM's records which establish
that since January 2009, six political appointees have been converted
to career positions.
In 2009, an individual was appointed to a GS-14 policy analyst
position in the Office of Civil Rights & Civil Liberties. In 2011, an
individual was appointed to a Senior Executive Service position in the
Office of Science and Technology. In 2012, an individual was appointed
to a Senior Executive Service position in the Federal Emergency
Management Agency and another individual was appointed to a GS-13
external affairs specialist position, also in FEMA. In 2013, two
individuals were appointed to two different Senior Executive Services
positions; one in the United States Coast Guard and another in the
Office of the General Counsel.
Question 5f. Given the allegations in this matter, do you have
confidence in Mr. Bersin as a senior leader of DHS? Have you considered
putting Mr. Bersin or Ms. Coffman on administrative leave while these
allegations are fully investigated by the Office of Special Counsel and
the Merit Systems Protections Board?
Answer. Yes, the leadership of the Department has full confidence
in Mr. Bersin.
Neither the Office of the Special Counsel (OSC) nor the Merit
Systems Protection Board (MSPB) has suggested such an action, and DHS
has determined not to take such action at this time.
The current posture of the proceedings is that the OSC has
completed its investigation and filed complaints seeking disciplinary
action against three CBP career officials. The MSPB has jurisdiction
over the complaints. DHS is not aware that OSC or the MSPB will conduct
any further investigation.
Question From Honorable Patrick Meehan for Alejandro N. Mayorkas
Question. I submitted a question for the record following Secretary
Johnson's first appearance before the committee that remains unanswered
regarding EAGLE II, an information technology multiple-award contract
vehicle potentially worth $22 billion over 5 to 7 years. It is my
understanding that companies were notified of additional awards being
made in early May on highly protested functional category one of the
vehicle. The announcement appears to cut both ways--more vendors means
more competition, but also more proposals to evaluate thus slowing down
the acquisition selection process.
What information have you received about this procurement and what
is your impression of how this acquisition was conducted? How is DHS
going to make sure that programs actually use this vehicle and that
proposals received per task order will be evaluated in a timely manner?
Answer. As Deputy Secretary, I was not personally involved in this
procurement and therefore have only had access to publicly-available
information in accordance with Federal regulation. I have been made
aware of the award information and am informed that the procurement was
conducted in an open and transparent manner, employing Federal
procurement best practices and in accordance with the Federal
Acquisition Regulation. Like its predecessor, EAGLE II attracted
significant interest from industry.
I am further informed that, since the EAGLE II competition received
a robust industry response, completing a fair and detailed evaluation
of each of the proposals required a significant amount of time and
resources. Protests are part of the procurement process for these large
competitions. The DHS personnel responsible for the EAGLE II
procurement participated transparently and professionally in the
protest process to ensure all companies had an opportunity to have
their concerns addressed in an impartial forum.
To date, several protests have been dismissed and contract awards
have been made to large, small, service-disabled veteran-owned,
HUBZone, and 8(a) American companies. Task orders have already been
placed by several DHS components. Task Order awards to date include 18
awards made to various small business totaling $16.5 million with a
total value of $63.8 million if all option periods are exercised.
The Office of the Chief Procurement Officer is monitoring EAGLE II
spending. DHS continues to increase its use of strategic sourcing
vehicles such as EAGLE II because they provide a streamlined and
efficient process for obtaining services and result in cost savings for
the programs. It is the Department's policy that the EAGLE II contracts
be used unless there is an alternative that will yield a lower price or
better support the DHS small business program.
To streamline task order competitions and evaluations, DHS offers
training on the use of EAGLE II for all components and has generated an
ordering guide that includes guidance, templates, and points of contact
for users. This guidance ensures that task order proposals are
evaluated promptly and accurately. DHS has a task order ombudsman
available to assist any EAGLE II contractor that becomes concerned that
a task order proposal evaluation has been delayed.
Questions From Honorable Tom Marino for Alejandro N. Mayorkas
Question 1a. What percentage of NFIP claims from Superstorm Sandy
contained fraudulent losses? Can you quantify that with a dollar
amount?
Answer. FEMA takes seriously its responsibility to be a good
steward of Federal funds, which include not only tax dollars but also
flood insurance premiums. Reducing, investigating, and ultimately
eliminating waste, fraud, and abuse is an important part of that
responsibility. When FEMA becomes aware of evidence of potential fraud
on the part of NFIP policyholders, building repair contractors, or
others, the FEMA Office of Chief Counsel and the Office of the Chief
Security Officer's FEMA Fraud Unit work with the Office of the
Inspector General to investigate. While the FEMA Fraud Unit and the
Office of the Inspector General work closely in developing cases, FEMA
is typically not informed of results as a matter of practice, since the
issue at hand may be a criminal matter.
While legally distinct from fraud, FEMA also tracks improper
payments pursuant to the Improper Payments Act. The tracking does not
differentiate underpayments, overpayments, or fraud. The results are as
follows:
------------------------------------------------------------------------
Improper
Fiscal Year Payment Rate
------------------------------------------------------------------------
2008.................................................... 6.38%
2009.................................................... 2.22%
2010.................................................... 1.21%
2011.................................................... 0.75%
2012.................................................... 0.02%
------------------------------------------------------------------------
No, for the same reason explained in the answer above: FEMA is
typically not informed of investigative results as a matter of
practice, since the issue at hand may be a criminal matter.
Question 1b. What is the policy for ensuring that claims are
legitimate before releasing funds for rebuilding?
Answer. There are a number of checks involved in the claims
handling process. After a claim is filed, the NFIP insurer assigns an
independent adjuster, who is certified as an NFIP adjuster and has
knowledge of the coverage and exclusions under the Standard Flood
Insurance Policy. The independent adjuster will inspect the insured
property, preferably together with the insured to validate that the
adjuster reviews all of the components of the property that the insured
believes had been damaged by flood. The adjuster describes the claim
process to the policyholder and provides a copy of the NFIP Flood
Insurance Claims Handbook, which is a tool developed by FEMA to explain
the claims process to policyholders after a loss. During this
inspection, the adjuster measures, photographs, and notes elements of
flood damage. The adjuster then prepares a detailed room-by-room, line-
by-line estimate of the damage caused by flood. A report documenting
the observed damage is then provided for review by the insurer, which
is responsible for identifying covered losses and making payment.
Unless there is an express written waiver, within 60 days after the
loss the insured is required to provide a proof of loss, which is the
insured's sworn statement of the amount being claimed.
Question 1c. Additionally, what tools does the agency have to
``claw-back'' funds released to homeowners who submitted fraudulent
claims?
Answer. All forms of the Standard Flood Insurance Policy (``SFIP'')
have provisions governing improper activities by the insured and void
the policy in the event of fraud or misrepresentation. If the policy is
void, the NFIP is authorized to recoup payments and can do so through a
Debt Collection action or affirmative litigation. In addition, the
United States has available civil and criminal remedies, including the
False Claims Act, to recoup fraudulently-claimed funds and to seek
civil and criminal penalties. The DHS Office of Inspector General and
other Federal law enforcement, including a FEMA Fraud unit, are
available to investigate allegations of fraud, and FEMA also will work
with State and local law enforcement in appropriate circumstances to
investigate and prosecute fraud.
Question 2. DHS is over 10 years old and it seems that we are only
now getting to understand what a ``high-risk'' program is. This is
unacceptably long. What took so long and what assurances can you give
that we won't have more oversight failures going forward?
Answer. DHS has a clear understanding of its ``high-risk''
programs, as defined on a biennial basis by the Government
Accountability Office (GAO) through publication of its GAO High-Risk
List. We work closely with GAO to address the areas where DHS remains
on the High-Risk List. When I became deputy secretary of DHS in late
December 2013, the first action I took was to schedule a meeting with
GAO Comptroller General Dodaro. DHS and GAO meet regularly to discuss
progress on our High-Risk designation, and I have been able to
participate in several of those productive meetings.
In 2011, DHS published the Integrated Strategy for High-Risk
Management (Strategy), to address our High-Risk designation. DHS
continues to make progress towards High-Risk List removal and publishes
an updated Strategy on a semiannual basis. Of note is the fact that GAO
has stated in its most recent High-Risk List update that our
Department's Strategy, ``if implemented and sustained, provides a path
for DHS to be removed from GAO's High-Risk List.'' Further, earlier
this year we developed specific action plans to address the 30 key
outcomes GAO identified as part of the management High-Risk area. Our
action plans provide month-to-month goals that offer a road map to
success. Our development of these action plans provided us with the
opportunity to freshly review our previous efforts and, in certain
critical areas, to accelerate our time tables materially.
Question 3. Many of the DHS operating agencies like CBP, TSA, and
the Coast Guard came with internal inspection capabilities when DHS was
created. Yet it appears the senior levels have been slow to organize
Department-wide oversight. It appears that these agencies are not a
``part of the whole'' from the management perspective. When will DHS-
wide management controls be in place?
Answer. To further Department-wide management integration,
Secretary Johnson directed the ``Strengthening Departmental Unity of
Effort'' initiative in April 2014. In this initiative, the Secretary
directs specific activities across four main lines of effort: Inclusive
senior leader discussion and decision-making forums that provide an
environment of trust and transparency; strengthened management
processes for investment, including requirements, budget, and
acquisition processes, that look at cross-cutting issues across the
Department; focused, collaborative Departmental strategy, planning, and
analytic capability that supports more effective DHS-wide decision-
making and operations; and enhanced coordinated operations to harness
the significant resources of the Department more effectively. The goal
is better understanding of the broad and complex DHS mission space and
empowering DHS components to effectively execute their operations.
To that end, the Secretary, in a June 26, 2014 memorandum to DHS
leadership, established the DHS Joint Requirements Council to ``look at
cross-component requirements and develop recommendations for
investment, as well as changes to training organization, laws, and
operational processes and procedures.'' This component-led, component-
driven body will be organized around the five DHS primary mission areas
and begin to tackle issues involving information-based screening and
vetting; chemical, biological, radiological, and nuclear surveillance
and detection; aviation commonality; cybersecurity; and information
sharing with potential impacts beginning as early as the DHS budget
submission to OMB this September. Other unity-of-effort initiative
pieces, including strengthened budget and acquisition process, will
also lead to greater management control.
Question 4. Referring to your technology programs across DHS, there
is strong criticism from the private-sector suppliers that DHS fails to
provide multi-year plans that would guide private R&D investment. Why
can't DHS seem to get forward planning for major programs right?
Answer. A primary challenge in developing and executing optimal
multi-year plans to guide private R&D investment is the reality of
fiscal uncertainty: The Department is not assured of sustained funding
streams for long-term efforts.
DHS has worked hard to create a sustainable process to validate
Department-wide requirements across the DHS primary mission areas to
inform investment decisions and drive acquisitions. The Secretary's
June 26, 2014 memorandum to DHS leadership establishing a DHS Joint
Requirements Council to ``look at cross-component requirements and
develop recommendations for investment, as well as changes to training
organization, laws, and operational processes and procedures'' will
help us to achieve that goal. By studying requirements across
components and developing ``joint'' solutions from a range of potential
alternative capabilities, the Department should be able to more
predictably interface with the private sector earlier in order to
better partner to meet the challenges faced by the Nation in securing
the homeland.
Further, the Department's increased focus on looking at full life-
cycle program costs across the entire 5-year Homeland Security budget
should increase awareness and reduce uncertainty for our private
industry partners. To this end, newly-confirmed Under Secretary for
Science and Technology Dr. Reginald Brothers has also prioritized
development of an updated Science and Technology Directorate (S&T)
Strategic Plan complemented by technology roadmaps in S&T's major
investment areas. These types of products are fundamental for
communicating S&T's direction and vision to industry in order to better
align and incentivize private R&D investment in DHS and Homeland
Security Enterprise needs and priorities. Moving forward, S&T's
Strategic Plan and roadmaps, along with a revamped approach to creating
and sharing project requirements, will help strengthen and energize the
Department's and S&T's partnership with the Homeland Security
Industrial Base.
Question From Chairman Michael T. McCaul and Ranking Member Bennie G.
Thompson for Gene L. Dodaro
Question. Please provide us in writing what you think it would take
for the Department of Homeland Security (DHS) to run seamlessly, all
the components within the Department using one standard for procurement
and other things.
Answer. DHS could enhance its overall efficiency and effectiveness
by continuing to implement and strengthen key management initiatives,
including fully achieving key management outcomes that we and DHS have
agreed are necessary for addressing our designation of DHS management
functions as high-risk. Achieving some of these outcomes will entail
implementing Department-wide standards, such as standards pertaining to
information technology (IT) and acquisition management.
Specifically, DHS needs to demonstrate continued progress in
implementing and strengthening key management initiatives and
addressing corrective actions and outcomes in human capital management,
acquisition management, financial management, and IT. This includes
taking steps to implement certain common standards Department-wide. For
example,
As we reported in May 2014, DHS's acquisition policy largely
reflects key acquisition management practices, but the
Department has not implemented the policy consistently.\1\ For
example, in March 2014, we found that the Transportation
Security Administration (TSA) does not collect or analyze
available information that could be used to enhance the
effectiveness of its advanced imaging technology.\2\ In March
2014, we also found that U.S. Customs and Border Protection
(CBP) had not fully followed DHS policy regarding testing for
the integrated fixed towers being deployed on the Arizona
border.\3\ We recommended that CBP revise its testing plan in
accordance with DHS acquisition guidance, among other things.
DHS did not concur with our recommendation and stated that the
existing test plan will provide much, if not all, of the
insight contemplated by the intent of the recommendation. We
continue to believe that revising the test plan to include more
robust testing to determine operational effectiveness and
suitability could better position CBP to evaluate integrated
fixed-tower capabilities before moving to full production for
the system, help provide CBP with information on the extent to
which the towers satisfy the Border Patrol's user requirements,
and help reduce potential program risks.
---------------------------------------------------------------------------
\1\ GAO, Department of Homeland Security: Progress Made;
Significant Work Remains in Addressing High-Risk Areas, GAO-14-532T
(Washington, DC: May 7, 2014).
\2\ GAO, Advanced Imaging Technology: TSA Needs Additional
Information Before Procuring Next-Generation Systems, GAO-14-357
(Washington, DC: Mar. 31, 2014).
\3\ GAO, Arizona Border Surveillance Technology Plan: Additional
Actions Needed to Strengthen Management and Assess Effectiveness, GAO-
14-368 (Washington, DC: Mar. 3, 2014). Integrated fixed towers are to
consist of surveillance equipment (for example, ground surveillance
radars and surveillance cameras) mounted on fixed, that is, stationary
towers, and power generation and communication equipment to support the
towers.
---------------------------------------------------------------------------
In May 2014, we also reported that work is needed to
demonstrate progress in implementing IT investment management
processes across DHS's 13 IT investment portfolios.\4\ In July
2012, we recommended that DHS finalize the policies and
procedures associated with its new tiered IT governance
structure and continue to implement key processes supporting
this structure.\5\ DHS agreed with these recommendations;
however, as of April 2014, the Department had not finalized the
key IT governance directive, and the draft structure had been
implemented across only 5 of the 13 investment portfolios.\6\
---------------------------------------------------------------------------
\4\ GAO-14-532T.
\5\ GAO, Information Technology: DHS Needs to Further Define and
Implement Its New Governance Process, GAO-12-818 (Washington, DC: July
25, 2012).
\6\ The draft structure had been implemented across the following
five portfolios: Intelligence, screening, information sharing and
safeguarding, enterprise IT services, and enterprise human capital.
---------------------------------------------------------------------------
More uniformly implementing these common standards across the
Department and showing measurable, sustainable progress in implementing
other key management initiatives can help DHS more fully address GAO's
high-risk designation. We are continuing to review DHS's progress in
these areas and will update our assessment of DHS's efforts to address
our high-risk designation early next year.
Question From Honorable Yvette D. Clarke for Gene L. Dodaro
Question. Some individuals believe that DHS disciplinary practices
are inequitable and oftentimes arbitrary. For example, there is no
Department-wide standard for penalties, and the same offense can
engender different results without any sound reason for this
discrepancy. Would you agree that the Department could benefit from
standardized disciplinary processes? Does not having these processes in
place have an impact on low morale, for instance? If not, why?
Answer. We have not specifically assessed the standardization of
disciplinary practices at DHS, but our work has found that TSA could
strengthen its monitoring of allegations of employee misconduct.
In July 2013, we found that TSA could strengthen its monitoring of
allegations of employee misconduct.\7\ Specifically, we found that:
---------------------------------------------------------------------------
\7\ GAO, Transportation Security: TSA Could Strengthen Monitoring
of Allegations of Employee Misconduct, GAO-13-624 (Washington, DC: July
30, 2013).
---------------------------------------------------------------------------
According to TSA employee misconduct data that we analyzed,
TSA investigated and adjudicated approximately 9,600 cases of
employee misconduct from fiscal years 2010 through 2012. While
TSA had taken steps to help manage the investigations and
adjudication process, such as providing training to TSA staff
at airports, we found that additional procedures could help TSA
better monitor the investigations and adjudications process.
For example, TSA did not have a process for conducting reviews
of misconduct cases to verify that TSA staff at airports were
complying with policies and procedures for adjudicating
employee misconduct. We concluded that without a review
process, it is difficult to determine the extent to which
deficiencies, if any, exist in the adjudications process.
Further, we found that TSA did not record all misconduct
case outcomes, including outcomes in cases that resulted in
corrective action or no penalty, in its centralized case
management system because the agency had not issued guidance
requiring the recording of all outcomes. We concluded that
issuing guidance to TSA staff at airports about recording all
case outcomes in the database would emphasize management's view
of the importance of staff including such information to
provide a more complete record of adjudication decisions.
We recommended, among other things, that TSA establish a
process to conduct reviews of misconduct cases to verify that
TSA staff at airports are complying with policies and
procedures for adjudicating employee misconduct, and develop
and issue guidance to the field clarifying the need for TSA
officials at airports to record all misconduct case outcomes in
the centralized case management system. DHS concurred with the
recommendations, and TSA is taking actions in response, such as
increased auditing of disciplinary records to help ensure that
airport staff are complying with policies and procedures for
adjudicating employee misconduct.
Question From Chairman Michael T. McCaul for Gene L. Dodaro
Question. Please elaborate on your comments regarding Congressional
committees with a jurisdiction on homeland security issues.
Specifically, to what extent have repetitive or redundant hearings and
briefings (i.e., those involving substantially the same subject matter
but provided separately to more than one committee) led to
inefficiencies and inhibited progress by the Department to address
items on the High-Risk List? Have these particular hearings and
briefings increased over time, in comparison to previous Congresses?
Does the fact that multiple components at the Department lacking
authorizations (which have not been enacted due to jurisdictional
battles) have any effect on the ability of these components and DHS
Headquarters to enact necessary reforms, since potential necessary
authorities are not codified?
Answer. GAO has not analyzed the impact of hearings and briefings
on DHS's ability to address items on GAO's high-risk list, trends in
the number of DHS-related hearings and briefings, or the potential
effects of the lack of authorizing legislation on DHS's ability to
carry out necessary reforms. In December 2002, we did report that the
creation of DHS had raised questions regarding how the Congress could
best meet its oversight responsibilities, and that DHS would be
overseen by numerous Congressional committees.\8\ At the time we
observed that the Congress may wish to explore ways to facilitate
conducting its responsibilities in a more consolidated and integrated
manner, and noted that whether the Congress did so could have an impact
on the effective implementation and oversight of DHS.
---------------------------------------------------------------------------
\8\ GAO, Homeland Security: Management Challenges Facing Federal
Leadership, GAO-03-260 (Washington, DC: Dec. 20, 2002).
---------------------------------------------------------------------------
In 2003 we designated implementing and transforming the Department
of Homeland Security as high-risk because DHS had to transform 22
agencies--several with major management challenges--into one
department, and failure to address associated risks could have serious
consequences for U.S. National and economic security.\9\ It is
noteworthy to recognize, however, that since 2003, DHS has made
considerable progress in transforming its original component agencies
into a single department. As a result, in our 2013 high-risk update, we
narrowed the scope of the high-risk area to focus on strengthening DHS
management functions.\10\
---------------------------------------------------------------------------
\9\ GAO, High-Risk Series: An Update, GAO-03-119 (Washington, DC:
Jan. 1, 2003).
\10\ GAO, High-Risk Series: An Update, GAO-13-283 (Washington, DC:
Feb. 14, 2013).
---------------------------------------------------------------------------
DHS remains on the high-risk list because the Department has not
made sufficient progress addressing GAO's high-risk removal criteria,
such as having a framework to monitor progress, capacity (having
sufficient resources), and demonstrating clear, sustained progress.
Specifically, our work at DHS has found that the Department has made
progress strengthening its management functions, including developing
policies that provide a framework for addressing management challenges.
However, we have found in our past work that DHS does not always adhere
to its own policies. For example, DHS's acquisition policy largely
reflects key acquisition management practices, but in September 2012,
we found that the Department has not implemented the practices
consistently. Further, we found that DHS has made progress in
initiating efforts to validate required acquisition documents.\11\
However, the Department does not have the acquisition management tools
in place to consistently demonstrate whether its major acquisition
programs are on track to achieve their cost, schedule, and capability
goals. Accordingly, about half of DHS's major programs lack an approved
baseline, and 77 percent lack approved life-cycle cost estimates.
---------------------------------------------------------------------------
\11\ GAO, Homeland Security: DHS Requires More Disciplined
Investment Management to Help Meet Mission Needs, GAO-12-833
(Washington, DC: Sept. 18, 2012).
---------------------------------------------------------------------------
Question From Honorable Jeff Duncan for Gene L. Dodaro
Question. The Office of Program Accountability and Risk Management
(PARM) is responsible for DHS's overall acquisition management across
the Department, and has work underway to implement an Acquisition Life
Cycle framework for major acquisitions. Among other things, this
framework outlines key decision events over the life of a program. This
``waterfall'' approach may be fine for most types of acquisitions; but
for IT acquisitions, it promotes longer time frames for delivering
capabilities (often 5-7 years) and increased risk of cost, schedule,
and performance issues. The Office of the Chief Information Officer
(OCIO) is responsible for IT investment governance, including IT
systems development. OCIO has work underway to modify, finalize, and
implement systems acquisition policies and processes in line with an
incremental development approach, which calls for breaking programs
into smaller increments and delivering capabilities in 6-12 month
releases. It will be important for PARM and OCIO to collaborate on a
way forward to define roles and responsibilities, and modify the
Acquisition Framework as needed to accommodate an incremental
development approach to IT. How efficiently and effectively do DHS's
acquisition and IT governance processes work in concert with one
another to ensure that major IT investments are delivered within cost
and schedule, and meet mission needs?
Answer. We have found in our prior work that DHS has not yet fully
established or finalized its acquisition and IT governance processes;
however, we found that these processes, as defined and implemented thus
far, may be leading to slowed IT development work, as well as
ineffective or redundant executive oversight reviews. For example:
Slowed IT development work.--In our May 2014 report on
agencies' IT incremental development policies and approaches,
we found that DHS OCIO officials had cited inefficient
governance and oversight processes as one common factor, among
others, inhibiting incremental development during a 6-month
period.\12\ To illustrate, those officials said that it can
take up to 2 months to schedule a meeting with DHS review
boards prior to releasing functionality. However, we also
reported that a Program Accountability and Risk Management
(PARM) official disagreed with that statement, maintaining that
DHS's acquisition review boards perform reviews very quickly,
and that any delays in completing these reviews are
attributable to investments being unprepared. Further, DHS OCIO
officials suggested that oversight of programs using an Agile
development methodology should be performed at the lowest
practicable level of the organization.\13\ Regardless of the
cause, these inefficiencies are hampering DHS's ability to
deploy IT capabilities in 6-month increments. Accordingly, we
recommended that DHS consider factors that either enable or
inhibit incremental development when updating the Department's
policies governing incremental IT development. DHS concurred
with our recommendation and stated that it plans to include
strategies in its guidance to minimize factors identified as
inhibiting incremental development. It will be important for
DHS's OCIO and PARM offices to work collaboratively to
effectively address this recommendation.
---------------------------------------------------------------------------
\12\ GAO, Information Technology: Agencies Need to Establish and
Implement Incremental Development Policies, GAO-14-361 (Washington, DC:
May 1, 2014).
\13\ Agile development calls for the delivery of software in small,
short increments rather than in the typically long, sequential phases
of a traditional waterfall approach. More a philosophy than a
methodology, Agile emphasizes early and continuous software delivery,
as well as using collaborative teams and measuring progress with
working software. The Agile approach was first articulated in a 2001
document called the Agile Manifesto, which is still used today. The
manifesto has four values: (1) Individuals and interactions over
processes and tools, (2) working software over comprehensive
documentation, (3) customer collaboration over contract negotiation,
and (4) responding to change over following a plan.
---------------------------------------------------------------------------
Ineffective or redundant executive oversight reviews.--In
December 2013, we reported on the effectiveness of the
executive governance and oversight of the Department's two TECS
modernization (TECS Mod) border security programs.\14\ While we
found that OCIO and PARM had taken actions to oversee the two
programs, the lack of complete, timely, and accurate data had
affected their ability to make informed and timely decisions,
thus limiting their effectiveness in several cases. For
example, we found that OCIO had rated one of the programs as
moderately low-risk in its most recent program health
assessment, based partially on U.S. Customs and Border
Protection's use of earned value management. However, the
program manager told us that the other program was not using
this management technique. In addition, PARM had rated the
other program as low-risk in its most recent Quarterly Program
Accountability Report based in part on outdated cost and
schedule estimates. Accordingly, we made a recommendation to
improve the data used by these governing bodies for major IT
acquisition programs. DHS concurred and stated that it has
taken steps to ensure that the data used by the IT program
acquisition programs are accurate and complete, such as
implementing a decision support tool. However, we identified
instances where DHS governance and oversight bodies were acting
on information that was not complete, timely, or accurate,
despite the presence of such a tool.
---------------------------------------------------------------------------
\14\ GAO, Border Security: DHS's Efforts to Modernize Key
Enforcement Systems Could Be Strengthened, GAO-14-62 (Washington, DC:
Dec. 5, 2013).
---------------------------------------------------------------------------
In addition, while both PARM and OCIO have responsibility for
ensuring that IT system acquisition programs are on track, it
is not always clear whether these roles are distinct. Our
December 2013 review also showed overlap in the program
assessments conducted by PARM and OCIO--in particular, with
regard to risk and requirements management, and cost and
schedule performance. We recently initiated a review to, among
other things, assess PARM's coordination efforts with DHS
components (including OCIO) to conduct oversight of major
acquisitions.
Additionally, as we testified in May 2014, the Department has yet
to finalize its key IT governance directive, and the draft structure
has been implemented across only 5 of the 13 IT investment
portfolios.\15\ It will be critical for DHS to complete these actions
in order to ensure that all IT investments are appropriately aligned
with the Department's enterprise architecture (i.e., to avoid acquiring
duplicative or overlapping systems), adequately overseen to ensure that
key IT management controls (e.g., requirements management) are being
properly implemented and monitored, and delivered as planned. Because
both PARM and OCIO play important roles in ensuring that IT investments
are effectively acquired and implemented, these two organizations will
need to work closely together to ensure that IT projects are delivered
incrementally and often and that DHS finalizes the IT governance
directive.
---------------------------------------------------------------------------
\15\ GAO, Department of Homeland Security: Progress Made;
Significant Work Remains in Addressing High-Risk Areas, GAO-14-532T
(Washington, DC: May 7, 2014).
---------------------------------------------------------------------------
Question From Honorable Tom Marino for Gene L. Dodaro
Question. In your testimony you mention that the National Flood
Insurance Program (NFIP) has not made a single payment on the principal
borrowed from the Department of the Treasury since 2010. Under current
law, could you estimate when the NFIP would, or could, fully repay the
amount owed to the Treasury?
Answer. We have not made our own estimates of how long the Federal
Emergency Management Agency (FEMA) would need to repay the $24 billion
it has borrowed from Treasury for the NFIP. Nevertheless, information
from a report we issued in April 2014 provides some insight into FEMA's
prospects for repayment.\16\ In that report, we noted that the Biggert-
Waters Flood Insurance Reform Act of 2012 (Biggert-Waters Act) requires
FEMA to issue a report to Congress setting forth options to repay
FEMA's total debt to Treasury within 10 years.\17\ Although the report
was due in January 2013, FEMA has not yet issued such a report. FEMA
officials told us that before the enactment of the Homeowner Flood
Insurance Affordability Act of 2014 (2014 Act), they had conducted
preliminary analysis assessing FEMA's repayment ability under scenarios
that use different assumptions about future NFIP losses.\18\ The
officials said the assessment showed that, under FEMA's planned
implementation of the Biggert-Waters Act, the agency would not reach
the 10-year repayment goal under any of the scenarios. Implementation
of the 2014 Act may further reduce the likelihood of repayment within
10 years because the Act reduces future program premium revenue by
reinstating subsidized and grandfathered rates the Biggert-Waters Act
had eliminated.
---------------------------------------------------------------------------
\16\ GAO, Economic Development: Overview of GAO's Past Work on the
National Flood Insurance Program, GAO-14-297R (Washington, DC: Apr. 9,
2014).
\17\ Pub. L. No. 112-141, � 100213(b), 126 Stat. 405, 924.
\18\ See Pub. L. No. 113-89, 128 Stat. 1020.
---------------------------------------------------------------------------
Our April 2014 report also noted that, according to FEMA officials,
in some years the agency has not had sufficient funds to make principal
payments and, in other years, could have made principal payments but
chose to preserve its cash balances to help avoid the need for future
borrowing. A key factor affecting FEMA's future borrowing needs and
ability to repay its debt is future losses. However, the frequency and
severity of future flood losses are difficult to predict.
Questions From Chairman Michael T. McCaul for John Roth
Question 1. In your testimony, you highlighted a November 2012
audit where the Department of Homeland Security (DHS) Office of
Inspector General (OIG) tested DHS radios to determine whether DHS
components could talk to each other in the event of a terrorist event
or other emergency. Only 1 of 479 radio users tested--or less than one-
quarter of 1 percent--could access and use the specified common channel
to communicate. Further, of the 382 radios tested, only 20 percent (78)
contained all the correct program settings for the common channel. You
testified that the reason the response rate was so low was that DHS did
not establish an effective governing structure with the authority and
responsibility to ensure it achieved Department-wide, interoperable
radio communications. What is needed for DHS to establish an effective
governing structure to solve this problem? What progress has DHS made
since the report in ensuring operators know how to properly use their
radio?
Answer. According to the Office of Management and Budget, an
effective governing structure includes clearly-defined areas of
responsibility, appropriately delegated authority, and a suitable
hierarchy for reporting. DHS created working groups, committees, and
offices to explore Department-wide communication issues, including
interoperability. However, none had the authority to implement and
enforce their recommendations. DHS must establish a structure that has
actual authority to enforce recommendations.
DHS prepared a draft DHS Communications Interoperability Plan
(DCIP). As of today, the DCIP is still in draft. According to the DCIP,
as we pointed out in our report, governance is the critical foundation
of all efforts to address communication interoperability. Also
according to the DCIP, existing agreements governing interoperability
do not sufficiently support DHS' current needs. The Joint Wireless
Program Management Office (JWPMO) and the One DHS Emergency
Communications Committee are coordinating to determine appropriate
roles and responsibilities. According to DHS, on March 17, 2013, the
DCIP was briefed to the One DHS Emergency Communications Committee. It
was approved and signed by the Assistant Secretary for the National
Protection and Programs Directorate; however, the DCIP is on hold,
pending a review of the Tactical Communications Executive Steering
Committee (TacCom ESC) and the outcome of H.R. 4289, the Department of
Homeland Security Interoperable Communications Act. Wording in H.R.
4289 may lead to a redefinition of interoperability and reassignment of
interoperable responsibilities. The estimated date of DCIP signature
has been extended from April 14, 2014, to the end of fiscal year 2014
(September 30, 2014). This will allow time for the TacCom ESC meeting
to be scheduled and completed, as well as allow time for any requested,
additional follow-up briefings.
Historically, the JWPMO and its predecessor organizations have not
had success in achieving interoperability.
Question 2. It appears that the technology is available to achieve
interoperable communications. Does DHS have the proper infrastructure
to use their IT network as a way to connect radios and other devices,
such as smartphones, in both a command center and an operational
environment?
Answer. DHS does not currently have the IT infrastructure to
support a broadband network in the operational environment. We have not
done any work specifically looking at this capability, but the
available body of knowledge provides the following insights.
A broadband network could improve incident response, by
providing video and data not currently available on Land Mobile
Radio (LMR) systems; Nation-wide access; and interoperability.
The Government Accountability Office (GAO) and public
safety organizations and officials indicate that mission-
critical voice communication will not likely be available
on broadband networks for many years.
There is disagreement among industry experts about how
soon mission-critical voice capability could be available--
some industry experts predict voice capabilities will be
available within a few years, while others project it will
not be available for at least a decade.
Long-term Evolution (LTE), the Federal Communications
Commission standard for public safety broadband
communication, is not currently designed to support
mission-critical voice communication, such as push-to-talk.
GAO has reported other communication limitations
associated with broadband networks, such as limited network
access inside large buildings or underground.
GAO has reported that any new broadband network could
require up to 10 times the number of towers as current LMR
systems because, as a cellular network, broadband would use
a series of lower power towers to transmit signals and
reduce interference.
Additional towers for the broadband network would also
need to be hardened to withstand disasters, such as
hurricanes.
GAO has reported that a broadband network would
supplement, rather than replace, LMR systems for the
foreseeable future. Also, until there is mission-critical
voice communication, a public safety broadband network will
not resolve interoperability issues exacerbated by past
emergency responses.
DHS approved its TacNet program in March 2011 and directed
establishment of the JWPMO to coordinate the program.
TacNet, a new DHS acquisition program, seeks to leverage
public safety broadband and commercial networks to develop
a single network capable of supporting voice, video, and
data capabilities through DHS subscriptions to LTE public
safety and commercial broadband networks.
In collaboration with the JWPMO, the DHS Science &
Technology Directorate plans to award $7.5 million in
contracts this fiscal year for a technology demonstrator
program that will offer mission-critical voice capabilities
and accommodate DHS video and data needs on a broadband,
LTE network.
DHS plans to limit upgrading and modernizing its current
LMR systems, based on DHS priorities and mission-critical
needs, to address equipment obsolescence, Federal
narrowband and security requirements, and interoperability
standards.
DHS has estimated that full modernization of its legacy
radio systems to meet these requirements would cost about
$3.2 billion. In March 2012, DHS awarded a $3 billion
Department-wide contract to acquire equipment and services
needed to maintain, upgrade, and modernize its legacy LMR
system.
Question From Honorable Jeff Duncan for John Roth
Question. According to an AP news report in 2012, Suzanne Barr, a
senior Obama administration political appointee at Immigration and
Customs Enforcement (ICE), resigned amid allegations of inappropriate
sexual behavior and cultivating a ``frat house'' atmosphere at ICE.
Prior to her resignation, Suzanne Barr was serving as chief of staff to
former ICE Director John Morton. It appears that an OIG investigation
was started, but did not continue after Barr resigned. As the newly-
confirmed DHS inspector general, please explain to the committee what
became of this investigation and why it appears that the investigation
did not continue.
Answer. The Office of Investigations, Office of Inspector General,
did not open an investigation into allegations of misconduct by Suzanne
Barr in 2012. We conducted a preliminary inquiry as we were made aware
of the allegations. We established there was an on-going Title VII
civil suit filed by an Immigration and Customs Enforcement special
agent in charge in New York City claiming harassment and retaliation.
This litigation overlapped with the allegations we were aware of.
Additionally, Suzanne Barr resigned in September 2012. Any Office of
Inspector General administrative investigation would have been rendered
moot as she was no longer a DHS employee.
With regards to an allegation we received in November 2011, in
December 2011 the Office of Inspector General issued a Report of
Investigation to then-Immigration and Customs Enforcement Director John
Morton. The investigation was initiated based on a referral from
Immigration and Customs Enforcement, Office of Professional
Responsibility alleging that Suzanne Barr and Tracey Bardoff, assistant
director, Immigration and Customs Enforcement misused Government funds
to pay for their July 20, 2011 official travel to Mexico City, Mexico
and a subsequent personal trip to Cancun, Mexico on July 22, 2011. The
allegation further stated neither attended the official meetings in
Mexico City, Mexico. The investigation developed no evidence that
either Barr or Bardoff misused Government funds.
[all]
�